Category Archives: Incident Response

3 Keys to Building a Scalable Incident Response Automation and Orchestration Plan

Incident response (IR) automation and orchestration is crucial to operationalizing cybersecurity, giving overburdened security professionals relief by streamlining processes, maximizing the efficiency of their resources and increasing their organization’s overall security posture. As the volume of security alerts skyrockets and the skills gap widens, security teams are rapidly implementing IR automation and orchestration technologies to keep up: Nearly 85 percent of businesses have adopted or are currently adopting these solutions, according to Enterprise Strategy Group.

Craft a Robust Incident Response Plan That Works for You

Despite this growth, successfully implementing automation and orchestration isn’t as simple as deploying technology. Security teams need to start with a robust IR plan; if you’re going to streamline processes, you first need to define what those processes are.

The playbook — the exact tasks and actions your organization will take in response to various incident types — is the heart of the IR plan. Whether your organization is building an IR program from scratch or implementing advanced orchestration tools, your documented IR processes are the foundation. And with a few key considerations, your team can build IR playbooks that continue to pay dividends long into the future.

Here are three keys to building a robust, consistent incident response plan:

1. Build Your Initial Playbook Around Manual Actions

A good incident response playbook should be functional regardless of the efficiency afforded by external technologies. Focus on capturing and documenting the full extent of tasks analysts may need to perform during the IR process, and plan for future orchestration and automation that will aid and assist human analysts’ decisions and actions during an incident.

While creating these manual tasks, make them action-oriented and include a measured purpose and outcome for each. Give the analyst the “why” when you can, and make the task instructions as descriptive and detailed as possible. Doing so will allow for easy verification and validation and enable processes to be transferable up and down the team. You’ll also end up creating training opportunities and allowing for smooth internal and external audits.

2. Enable Continual Process Assessment and Refinement

Incident response is a process of continual improvement, and IR playbooks should enable maintenance and growth — such as the replacement or removal of certain tasks based on learnings from simulations and real-world experience.

Consider how your playbooks are stored, referenced and maintained. No matter the format — paper, electronic, tribal knowledge — updating and disseminating IR playbooks can be challenging. A centralized and secured platform, such as an internal wiki or document share, can enable better collaborative management, whereas an IR platform enables seamless collaboration before, during and after an incident.

A feedback loop, also known as a post-incident analysis process or an after-action review (AAR), is critical to the success and continual improvement of the organization’s response time and operational effectiveness. Additionally, to orchestrate and automate certain user tasks and actions to streamline response, you’ll need tried-and-true metrics to understand which of those processes should be automated and the ability to measure the impact and return on investment (ROI) of that automation. We’ll outline examples of these metrics in a future blog post.

3. Design Your Playbooks to Be Iterative and Scalable

As your incident response program grows, you’ll want the ability to quickly develop new playbooks for additional incident types or scenarios to both account for changes in the threat landscape and to change the scope of existing playbooks.

Try to identify common processes and tasks to group into modules and share across your playbooks, allowing for greater flexibility of their application and maintenance. Of course, where applicable, create and maintain the very specific and detailed work effort related to a discrete process. As there are changes in technologies, skills, requirements and resources, you can quickly adapt your now modular processes to account for them without the need to make finite edits to multiples of unrelated and potentially duplicate tasks.

Reuse these common tasks and modular processes to avoid the cumbersome and inefficient effort of developing new playbooks from scratch.

Build Today for Future Success

A robust, documented incident response plan is the foundation of a successful automation and orchestration program. By focusing on the right details today and enabling agility and growth, your solid and scalable IR playbooks will deliver benefits for years.

The post 3 Keys to Building a Scalable Incident Response Automation and Orchestration Plan appeared first on Security Intelligence.

SecurityWeek RSS Feed: Rhode Island Sues Alphabet Over Google+ Security Incidents

A government organization in Rhode Island announced on Wednesday that it has filed a lawsuit against Google’s parent company, Alphabet Inc., over the recent security incidents involving the Google+ social network.


Why You Need a Concrete Incident Response Plan (Not Strategy)

Recently, I had the privilege to be part of a four-person discussion panel at a security event in London where the topic was about incident response. The panel was hosted by another security professional, and over 50 professionals from the industry were present in the audience. I’ve worked in information security for 15 years, and […]… Read More

The post Why You Need a Concrete Incident Response Plan (Not Strategy) appeared first on The State of Security.


Personal Details of 120 Million Brazilians Exposed

Misconfigured databases with poor or absent access controls, on both cloud and in-house servers, are a known and common problem. Where these databases are exposed to the internet, anybody, with or without cyber expertise, can access the database and its content. While there is no 'hack' involved, such instances should still be called a breach, since there is often no way of knowing whether the data contained has been accessed by malicious actors.


Advance Your Blue Teaming Skills with IHRP

The Incident Handling & Response Professional (IHRP) training course is now available for enrollment. Discover this course’s details and see how you can benefit from it to better your defensive skills and become the IR professional companies wish they had.

In today’s hyper-connected world, where everyone is a target for cybercriminals, organizations are fighting tooth and nail to find skilled cybersecurity professionals. While red-teaming skills are a great asset, companies expect their IT security teams not only to know how to defend and assist in cases of malicious intrusion, but also to have the skills to hunt for threats and secure the organization against such events in the first place. If you’re reading this because you’re interested in learning more about and/or switching to the blue side of security, then IHRP might just be the right training course for you.

Incident Handling & Response Professional (IHRP) 

The Incident Handling & Response Professional (IHRP) training course is self-paced and highly hands-on. Here are some of the benefits of this course’s modules:

  • Documents how to set up an incident handling & response capability
  • Analyzes in-detail how attackers operate and how to detect each Technique, Tactic, and Procedure they use
  • Covers detecting intrusions or intrusion attempts during all stages of the Cyber Kill Chain
  • Showcases a variety of different intrusion detection techniques such as: analyzing traffic, flows, and endpoints, as well as performing correlations and endpoint or protocol analytics
  • Covers how to effectively utilize and fine-tune open-source IDS solutions (Snort, Bro, Suricata etc.)
  • Makes students capable of making the best of open-source SIEM solutions (ELK stack, Splunk, Osquery etc.)
  • Showcases how tactical threat intelligence can enhance your detection capabilities
  • Documents how to leverage baselines for effective intrusion detection
  • Provides students with real-life incident response scenarios

Want to know more? Discover the detailed syllabus here.

Why You Should Consider IHRP
  • Hands-on and real-life scenario labs: There is no substitute for learning IT Security hands-on, just like learning how to drive a car. You have to sit in it to fully learn the skills. All the labs of this training course simulate real-life scenarios.
  • Hours of video course materials: Videos help illustrate and explain complicated topics from the course slides more easily.
  • Thousands of course slide materials: Interactive learning at your own speed, skipping back and forth to fully understand each topic before practicing labs and/or taking your exam. Slides will always be available to you in your member’s area.
  • Lifetime access to the course materials: Nobody can remember everything; you can always come back to double-check something you learned.
  • Exam voucher to get certified included: There is no additional cost or headache to get certified. Your course content in the Full and Elite Editions covers everything that is needed to pass the exam.
  • Online learning: You can obtain both the theoretical and practical skills from the comfort of your own home or office. A major benefit is that you can decide when to learn, and you can do so at your own speed. This also saves time and additional cost for travel and accommodation.

Get Early Access & 50% Off Your Course Fees

Interested in learning everything blue-team? Enjoy 50% off the new IHRP training course fees in Elite Edition when you enroll before December 31, 2018.  This early access offer will grant you immediate access to the first two modules, ‘Incident Handling Process’ and ‘Intrusion Detection by Analyzing Traffic’, and hands-on labs in which you will be tasked with detecting real-world attacks and malware. New content will be added automatically in your member’s area every two weeks, as it becomes available. Enrollments after January 1st will be closed until the final release of this training course in March.

Interested in this blue teaming course? Enroll before December 31st and get 50% off your course fees discounted automatically on the checkout page 😉

> GET STARTED NOW FOR ONLY $899


Why You Need a BGP Hijack Response Plan

The vast majority of computer security incidents involve some sort of phishing or malware. Typically, this is the type of incident that receives the most attention from organizations, and for which security controls are established. And rightfully so — malware that exploits a vulnerability or human error can cause significant damage to an organization.

However, attacks targeting an organization’s network or internet infrastructure components — such as Border Gateway Protocol (BGP) — have been generally overlooked, even as they gain traction. BGP hijack attacks are still far less common than distributed denial-of-service (DDoS) attacks, but several recent events have turned this unusual method into headlines.

What Is BGP?

Some consider BGP the glue that ties the internet together. Purists might argue that it is the Domain Name System (DNS) that plays this role, given that there can be glue records in a zone file. However, without BGP, your packets would not arrive at their intended destinations.

BGP is the routing protocol of the internet. It is used to determine the most efficient way to route data between independently operated networks, known as autonomous systems (AS). In technical terms, an AS is a collection of IP prefixes that are assigned an Autonomous System Number (ASN).

Put simply, BGP is the road map to the internet, whereas DNS is the phone book.

How BGP Routing Works

A BGP router uses a large table called the routing information base (RIB), which describes the networks it can reach and what the most efficient paths to these networks are. BGP peers are systems (or neighbors) from which the router receives information (networks or prefixes). These are configured manually.

Basically, each BGP peer tells the router which networks it can reach, and the router combines the information received from its manually configured peers. By combining the information coming from different peers, the router can then work out the most efficient path to a destination.

What Is BGP Hijacking?

In short, a BGP hijack is the configuration of an edge router to announce prefixes that have not been legitimately assigned to it. If the injected announcement is more specific than the legitimate one (a longer prefix, which routers prefer under longest-prefix matching), then traffic will be rerouted toward the injected announcement. In this way, an attacker can broadcast false prefix announcements, polluting the routing tables of all its connected peers.

Because of the propagation of routes through connected networks, if one peer includes the malicious information in its routing table, this information can be quickly propagated to other peers. Routing announcements are accepted almost without any validation, making a successful BGP hijack relatively easy.

There are two primary types of attacks: A complete hijack attack overtakes a specific IP prefix, whereas in a partial hijack, the attacker competes with the legitimate source by announcing the same prefix with the same prefix length, so that the two announcements compete on other path attributes.

There are also unintentional cases. Human error can cause the same effect as a BGP hijack attack. This is often referred to as a route leak.

Recognize the Impact

The most obvious impact of BGP hijacking is that packets do not take their most direct route, slowing down users’ connections to the network.

Far worse, attackers can black hole an entire network, including the organization’s services, thus resulting in an outage resembling a DDoS attack. Similarly, attackers can censor certain sources of information by black holing specific networks.

The rerouting makes the attacker a middleman in the network flow, meaning they can eavesdrop on certain parts of the communication or, in some cases, even alter the traffic. They can also redirect traffic from your customers or users to malicious sites pretending to be part of your network. This can result in the theft of information or credentials, or the delivery of malware that exploits weaknesses.

In addition, spammers can abuse the good reputation of your ASN to conduct spam runs. This can have a negative effect on your network if it gets blocked by spam filters.

Watch for a Secondary Attack

In some cases, the BGP hijack might not be the attacker’s final objective. The goal might be to steal credentials or divert your users to sources that could potentially exploit their systems.

During the incident response phase, it’s important to be aware of this possibility and try to gather as much material as possible that could help you analyze these attacks. Valuable data sources include passive DNS, Secure Sockets Layer (SSL) certificate history and full packet captures.

How to Detect a BGP Hijack

One of the problems with BGP attacks is that they do not always last very long, so by the time you know an attack is taking place, the situation can already be restored to normal. This stresses the importance of implementing monitoring tools and establishing an efficient alerting workflow.

Start by monitoring the BGP routes that relate to your AS. You can set up your own monitoring solutions, but you can just as well rely on publicly available sources, such as BGPMon and Oracle Dyn, to do the heavy lifting for you.
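Added example, not code from the original post, covering both the hijack mechanics described above (why a more specific prefix wins, and how a same-length announcement competes) and the monitoring step: a toy routing table that selects routes by longest prefix and then shortest AS path, plus a monitor that compares observed announcements with the origins the organization expects. All prefixes and ASNs are constructed sample values from documentation and private ranges.

```python
"""Toy BGP best-path selection and a hijack monitor for an organization's
own prefixes. Constructed sample data only; not real allocations."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str        # announced prefix, e.g. "203.0.113.0/24"
    origin_asn: int    # last AS in the path: the claimed originator
    as_path: tuple     # AS path as seen at the observation point, origin last


def best_route(rib, destination):
    """Return the route a router would use for one destination address.
    Longest-prefix match comes first, so a /25 carved out of a legitimate /24
    wins regardless of who announced it (the complete hijack of that range).
    Ties on prefix length fall back to the shorter AS path, which is how a
    partial hijack of the same prefix competes with the legitimate one."""
    addr = ip_address(destination)
    best, best_net = None, None
    for route in rib:
        net = ip_network(route.prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best_net.prefixlen or (
            net.prefixlen == best_net.prefixlen
            and len(route.as_path) < len(best.as_path)
        ):
            best, best_net = route, net
    return best


def check_announcements(expected_origins, observed):
    """Flag observed announcements that conflict with expected origins.

    expected_origins: {prefix: asn} for the address space the organization owns.
    Returns a list of (alert_kind, route):
      'origin-mismatch' : our exact prefix announced with a foreign origin AS
      'more-specific'   : a sub-prefix of our space, whoever originated it
    """
    owned = {ip_network(p): asn for p, asn in expected_origins.items()}
    alerts = []
    for route in observed:
        net = ip_network(route.prefix)
        for own_net, own_asn in owned.items():
            if net.version != own_net.version:
                continue
            if net == own_net and route.origin_asn != own_asn:
                alerts.append(("origin-mismatch", route))
            elif net != own_net and net.subnet_of(own_net):
                # Flagged even when the origin AS is ours: an attacker can forge
                # the origin while still injecting the more specific prefix, and
                # an announcement we did not plan deserves a look either way.
                alerts.append(("more-specific", route))
    return alerts


# Constructed observation: what a route collector might show for AS 64500's space.
EXPECTED = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64500}
OBSERVED = [
    Route("203.0.113.0/24", 64500, (64496, 64500)),      # legitimate
    Route("198.51.100.0/24", 64500, (64496, 64500)),     # legitimate
    Route("203.0.113.128/25", 64666, (64497, 64666)),    # more specific hijack
    Route("198.51.100.0/24", 64666, (64666,)),           # partial hijack, shorter path
    Route("192.0.2.0/24", 64501, (64496, 64501)),        # someone else's space
]


def demo():
    """Return the winning origin for three destinations plus the monitor's alerts."""
    second_half = best_route(OBSERVED, "203.0.113.200").origin_asn  # the /25 wins
    first_half = best_route(OBSERVED, "203.0.113.5").origin_asn     # only the /24 covers it
    competing = best_route(OBSERVED, "198.51.100.7").origin_asn     # shorter path wins the tie
    alerts = [(kind, r.prefix, r.origin_asn)
              for kind, r in check_announcements(EXPECTED, OBSERVED)]
    return second_half, first_half, competing, alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```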

Build an Incident Response Plan

Proper reaction to a BGP hijack starts with an incident response plan. Unfortunately, this isn’t the type of incident for which you can set up a simple fallback solution or defensive security control. Nor is it one that you can easily detect.

That’s because BGP attacks take place outside the network of an organization. A well-conducted BGP hijack can intercept traffic without your users ever noticing something was wrong. You might be able to convince your ISP to remove the false route, or request that it convince its peers to drop these announcements.

For BGP hijack attacks, the containment, eradication and recovery phases of an incident response plan tend to blur together. Because the route announcements spread very quickly, containment might be a real challenge.

If you can’t free up the resources to develop a dedicated incident response plan, then you can reuse parts of your plan for combating DDoS attacks.

Be Prepared

Most organizations do not have their own ASN and must rely on the measures of their upstream internet service provider (ISP). But there are ways to prepare:

  • Understand which network providers your organization uses. Does it rely on one single network provider or multiple? An AS relation model can give you insight on this.
  • Once you have listed your network providers, reach out and ask them what precautions or response plans they have with regard to BGP security. You could start by asking for a high-level overview of the peering policy and what agreements toward protection they have in place.
  • Build good working communication channels with your network providers. In addition to the normal abuse contact, these should also include escalation paths.
  • Establish out-of-band communication channels via another network provider. Use these channels to inform your customers in case of an attack. Possible options would be social media or a communication page hosted at a cloud provider (take into account phishing).

If you own an ASN, there are some additional measures to take:

  • Write down your peering policy and make sure everyone understands the BGP interconnection policy.
  • Implement the BGP peering best current practices (BCPs).
  • Review and implement the best practices from Mutually Agreed Norms for Routing Security (MANRS).
  • Specify an AS path. Be aware that this can quickly backfire since the intent of the system is to find the best path automatically. Introducing manual paths will weaken the system.
  • Limit the number of prefixes that can be received from a peer to prevent being flooded with announcements.
  • Implement route filtering.
  • Filter bogons, the IP prefixes that should not be allowed on the internet.
  • Use a form of authentication before accepting announcements.
  • Implement BGP time to live (TTL) checks, rejecting updates whose TTL shows they came from routers further away than your directly connected peers.
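Added example, not code from the original post: an import-policy check for announcements received from one BGP peer, applying several of the measures listed above (a maximum-prefix limit, prefix-length bounds, bogon filtering, a first-AS sanity check and an allow-list of what the peer is authorized to announce). The sample prefixes, ASNs and policy values are constructed; the bogon list is a short subset that deliberately omits the documentation ranges so they can stand in for customer space here.

```python
"""Import-policy evaluation for one BGP peer. Constructed sample data; a
real router applies the equivalent checks in its inbound route policy."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed subset of bogons: private, shared, loopback, link-local,
# benchmark, multicast and reserved space that must never be accepted.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class PeerPolicy:
    peer_asn: int
    allowed: list            # prefixes the peer is authorized to announce
    max_prefixes: int = 5    # tiny for the demo; real sessions allow thousands
    min_len: int = 8         # reject absurdly short prefixes
    max_len: int = 24        # reject anything longer than a /24 (common practice)


def evaluate(policy, announcements):
    """announcements: list of (prefix, as_path) tuples in arrival order,
    as_path with the neighbor first and the origin last.
    Returns (accepted, rejected); rejected holds (prefix, reason)."""
    allowed = [ip_network(p) for p in policy.allowed]
    accepted, rejected = [], []
    for received, (prefix, as_path) in enumerate(announcements, 1):
        net = ip_network(prefix)
        if received > policy.max_prefixes:
            # A router would normally tear the session down at this point.
            rejected.append((prefix, "max-prefix-exceeded"))
        elif not policy.min_len <= net.prefixlen <= policy.max_len:
            rejected.append((prefix, "prefix-length"))
        elif any(net.version == b.version and net.overlaps(b) for b in BOGONS):
            rejected.append((prefix, "bogon"))
        elif not as_path or as_path[0] != policy.peer_asn:
            # The neighbor's own ASN must be the first hop of what it sends us.
            rejected.append((prefix, "first-as-mismatch"))
        elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            rejected.append((prefix, "not-authorized"))
        else:
            accepted.append(prefix)
    return accepted, rejected


# Constructed session: peer AS 64496 is authorized for 203.0.113.0/24 only.
POLICY = PeerPolicy(peer_asn=64496, allowed=["203.0.113.0/24"])
ANNOUNCEMENTS = [
    ("203.0.113.0/24", (64496,)),           # fine
    ("203.0.113.0/26", (64496,)),           # too specific
    ("10.0.0.0/8", (64496,)),               # bogon
    ("203.0.113.0/24", (64497, 64496)),     # path does not start with the peer
    ("198.51.100.0/24", (64496,)),          # not in the peer's allow-list
    ("203.0.113.0/24", (64496, 64500)),     # sixth prefix: over the limit
]


def demo():
    return evaluate(POLICY, ANNOUNCEMENTS)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    for prefix, reason in rejected:
        print(f"rejected {prefix}: {reason}")
```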

If you want to exercise your plan, you can, for example, make use of a virtual machine (VM) with the option to load more than 500,000 BGP routes.

Consider Automated Response Tools

A key element in fighting BGP hijacking is accurate and fast detection that enables flexible and equally fast mitigation of these events. This is where the Automatic and Real-Time dEtection and MItigation System (ARTEMIS) can provide future help.

ARTEMIS, presented in a research paper by the Center for Applied Internet Data Analysis (CAIDA), is a self-operated and unified detection and mitigation approach based on control-plane monitoring. Although still in development, the project shows potential to help network providers address these attacks.

The last phase in incident response, lessons learned, calls for collecting the necessary information to update and improve your plan, especially for the preparation and detection phases. Review whether all the communication channels worked as expected, whether the escalation paths gave the expected results and whether you were able to detect the attack in time. The best response plan is prevention.

The post Why You Need a BGP Hijack Response Plan appeared first on Security Intelligence.

Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019

As 2018 draws to a close, it’s time to reflect on the strides the cybersecurity industry made over the past year, and how far companies around the world still have to go to improve their security posture. Throughout the year, businesses were plagued by cybersecurity risks and hit with massive data breaches. In the lead-up to the holiday season, security leaders across industries are wishing for a quiet 2019 with no negative data breach headlines.

5 Cybersecurity Missteps That Put Enterprises at Risk in 2018

What lessons did we learn in 2018? And as we look forward, what best practices can we implement to improve defenses in the new year? We asked industry experts where they observe the worst security practices that still leave enterprises exposed to cybersecurity risks, and they offered advice to help companies and users enjoy a merrier, brighter, more secure 2019.

1. Poor Password Policies

Although passwords are far from perfect as a security mechanism, they are still used pervasively in the enterprise and in personal life. Yet password policies are still rife with problems around the globe.

Idan Udi Edry, CEO of Trustifi, said the most foundational — and also most disregarded — cybersecurity practice is maintaining a strong password.

“A unique password should be utilized for every account and not reused,” said Edry. “It is important to update passwords every 30–90 days. Passwords should never include a significant word, such as a pet’s name, or a significant date, such as a birthdate.”

Deploying devices and appliances and then leaving default passwords in place is also still a shockingly common practice. A threat actor with knowledge of a manufacturer or service provider’s default password conventions can do a lot of damage to an organization with factory settings still in place.

Edry advised enterprises to employ two-factor authentication (2FA) to add more security to their access strategy. Douglas Crawford, digital privacy adviser for BestVPN, meanwhile, recommended encouraging employees to use a password manager.

“It is hard to remember strong passwords for every website and service we use, so people simply stop bothering,” said Crawford. “Use of ‘123456’ as a password is still scarily common. And then we use the same password on every website we visit. This [is] particularly irksome, as this entire security nightmare can be easily remedied through use of password manager apps or services, which do the heavy lifting for us.”

2. Misconfigured Cloud Storage

Earlier this year, researchers from Digital Shadows uncovered more than 1.5 billion sensitive files stored in publicly available locations, such as misconfigured websites and unsecured network-attached storage (NAS) drives.

“Unfortunately, many administrators misconfigure [these buckets] rendering the contents publicly-accessible,” wrote Michael Marriott, senior strategy and research analyst with Digital Shadows.

The information uncovered included a treasure trove of personal data, such as payroll, tax return and health care information — all available to prying eyes thanks to overlooked security best practices in cloud storage.

“With the rise of mobility and cloud usage in enterprises, one of the worst security practices is leaving critical cloud services and SaaS applications open to the internet,” said Amit Bareket, co-founder and CEO of Perimeter 81.

It’s time to get proactive to analyze potential exposures in storage and then devise a plan to address cloud data risks to your organization. It’s also important to remember that with any connected service, it is often better not to deploy than to deploy insecurely.

3. Ineffective Cyber Awareness Training

Security begins and ends with your employees — but how much do they know about security? Specifically, how much do they know about the risks they are facing and how their actions could set your business up for a potential incident?

“At this time of the year, it’s critically important to ensure proper employee awareness of the risks related to travel,” said Baan Alsinawi, president and founder of TalaTek, a Washington-based risk management firm. “Using public Wi-Fi at airports or hotels to access corporate data, possible loss of personally-held devices such as an iPad, iPhone or corporate laptop, especially if not encrypted, talking to strangers about work issues or projects over a glass of wine can expose confidential information.”

Of course, a robust awareness program needs to be in place year-round. Data from London-based advisory and solutions company Willis Towers Watson found that employees are the cause of 66 percent of all cyberbreaches, either through negligence or deliberate offense.

Employees should be regularly educated on phishing, social engineering techniques and other attack vectors that could put corporate data at risk. If awareness training isn’t part of your security strategy, 2019 is the time to learn what an effective awareness program looks like and implement one to promote security best practices in your organization.

4. Poor Oversight of Third-Party Cybersecurity Risks

Third-party vendors and partners can be a source of compromise if criminals can access your organization’s sensitive information through their poorly secured systems. If you’re working with third-party vendors and partners, your security is only as good as theirs. If their systems are breached, your data is also at risk.

“Attackers seeking access to hardened company systems can pivot to breaching an integrated third party, establishing a beachhead there and then leveraging the trust implicit in the integration to gain access,” explained Ralph R. Russo, director of applied computing programs and professor of practice of IT management and cybersecurity at Tulane University School of Professional Advancement.

In 2019, evaluate the state of your third-party risk management. Make it a priority to identify gaps that may put you at risk if you are working with less-than-secure vendors. Implement a vigorous vetting process to determine the security level of your trusted partners.

5. Lack of an Incident Response Plan

A formal, regularly tested cybersecurity incident response plan is essential, yet many organizations continue to operate without one. In fact, 77 percent of companies do not have any formal plan.

Without a written and tested incident response plan, you’re unprepared for the worst-case scenario. It is not enough to focus on prevention; it is essential to establish a comprehensive incident response plan that is clear, detailed and flexible, that includes multiple stakeholders, and that is tested and updated regularly.

Improve Your Security Posture in 2019 and Beyond

If your organization engages in any of these poor practices, it may be time to brush up on your basic cyber hygiene best practices. By following the recommendations outlined here, you can confidently resolve to close gaps in risk mitigation and establish more effective strategies to improve your company’s security posture in 2019 and beyond.

The post Avoid Coal in Your Digital Stocking — Here’s How to Improve Your Security Posture in 2019 appeared first on Security Intelligence.

SecurityWeek RSS Feed: How to Reduce False Positives and Move Faster on What Matters

A quick Google search reveals instances of false positives happening every day. A signal from NASA’s Opportunity rover that remained unresponsive for months after experiencing a dust storm on Mars, turned out to be a “ghost signal.” Blue cotton candy that initially tested positive as methamphetamine turned out to be, well, blue cotton candy. Numerous articles on false positive medical test results that subject individuals to unnecessary follow-up, treatments, cost and worry. 


5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.
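Added example, not code from the original post: an hour-of-day traffic baseline with high and low thresholds, as described above. Two weeks of hourly byte counts are constructed with a business-hours profile, then a test day containing a large after-hours transfer is checked against the baseline. The z-score thresholds and the 10% standard-deviation floor are demo assumptions, not values from the original text.

```python
"""Hour-of-day traffic baseline and threshold alerting on constructed data."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1_000_000


def synthetic_day(start, rng, anomaly=None):
    """Constructed hourly byte counts: busy 09:00-17:59, quiet otherwise.
    anomaly=(hour, bytes) overrides one hour to simulate an event."""
    samples = []
    for hour in range(24):
        ts = start + timedelta(hours=hour)
        if 9 <= hour < 18:
            volume = 500 * MB + rng.uniform(-50, 50) * MB
        else:
            volume = 50 * MB + rng.uniform(-5, 5) * MB
        if anomaly and anomaly[0] == hour:
            volume = anomaly[1]
        samples.append((ts, volume))
    return samples


def build_baseline(samples):
    """Per hour-of-day mean and population standard deviation of bytes."""
    buckets = defaultdict(list)
    for ts, volume in samples:
        buckets[ts.hour].append(volume)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in buckets.items()}


def detect(baseline, samples, z_high=3.0, z_low=-3.0):
    """Return (timestamp, 'high'|'low', bytes, z) for samples outside thresholds.
    The standard deviation is floored at 10% of the hour's mean so that a very
    stable hour does not alert on trivial differences (assumed tuning)."""
    alerts = []
    for ts, volume in samples:
        mean, sd = baseline[ts.hour]
        sd = max(sd, 0.10 * mean)
        z = (volume - mean) / sd
        if z > z_high:
            alerts.append((ts, "high", volume, round(z, 1)))
        elif z < z_low:
            alerts.append((ts, "low", volume, round(z, 1)))
    return alerts


def demo():
    """Baseline from 14 normal days, then check a day with a 02:00 bulk transfer
    (900 MB in an hour that normally carries about 50 MB)."""
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    start = datetime(2018, 12, 1)
    history = []
    for day in range(14):
        history.extend(synthetic_day(start + timedelta(days=day), rng))
    baseline = build_baseline(history)
    test_day = synthetic_day(start + timedelta(days=14), rng, anomaly=(2, 900 * MB))
    return baseline, detect(baseline, test_day)


if __name__ == "__main__":
    _, alerts = demo()
    for ts, kind, volume, z in alerts:
        print(f"{ts:%Y-%m-%d %H:%M} {kind:4} {volume / MB:7.1f} MB  z={z}")
```

Hourly bucketing is the simplest profile; a production baseline would also split weekdays from weekends and recompute as traffic patterns drift.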


2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. To keep their actions concealed, attackers will attempt to manipulate or delete entries in log files, or inject fake ones. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Transfer old log files to a restricted zone on your network. This can help preserve the data and create space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.
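Here is an added example (not from the original article or IBM) of the checks described above run over a constructed log extract: gaps in the record counter for missing entries, repeated lines for duplicates, timestamps that go backwards for altered entries, and failed-login bursts from one source. The line format and all sample values, including the 203.0.113.7 address from the documentation range, are constructed.

```python
"""Scan a log extract for tampering indicators and login anomalies.

Added example, not part of the original article. The line format
(seq=, ts=, host=, event=, user=, src=) and the sample lines are constructed
for this demo; real sources (Windows EventRecordID, syslog) carry the same
kinds of fields under different names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed extract from a POS host: one record is missing (seq 105),
# one timestamp runs backwards (seq 108), one line is duplicated (seq 109),
# and one source hammers logins before succeeding.
CONSTRUCTED_LOG = """\
seq=101 ts=2018-11-23T02:00:05 host=pos-07 event=login_ok user=cashier1 src=10.20.1.15
seq=102 ts=2018-11-23T02:00:41 host=pos-07 event=login_failed user=admin src=203.0.113.7
seq=103 ts=2018-11-23T02:00:43 host=pos-07 event=login_failed user=admin src=203.0.113.7
seq=104 ts=2018-11-23T02:00:46 host=pos-07 event=login_failed user=root src=203.0.113.7
seq=106 ts=2018-11-23T02:01:10 host=pos-07 event=login_failed user=admin src=203.0.113.7
seq=107 ts=2018-11-23T02:01:12 host=pos-07 event=login_failed user=svc_pos src=203.0.113.7
seq=108 ts=2018-11-23T01:30:00 host=pos-07 event=login_ok user=admin src=203.0.113.7
seq=109 ts=2018-11-23T02:05:00 host=pos-07 event=config_change user=admin src=203.0.113.7
seq=109 ts=2018-11-23T02:05:00 host=pos-07 event=config_change user=admin src=203.0.113.7
seq=110 ts=2018-11-23T02:06:30 host=pos-07 event=logout user=admin src=203.0.113.7
"""

LINE_RE = re.compile(r"seq=(\d+) ts=(\S+) host=(\S+) event=(\S+) user=(\S+) src=(\S+)")


def parse(text: str) -> List[Dict]:
    """Turn the constructed format into records; unparseable lines are
    skipped here, though in practice they deserve an alert of their own."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        seq, ts, host, event, user, src = m.groups()
        records.append({"seq": int(seq), "ts": datetime.fromisoformat(ts),
                        "host": host, "event": event, "user": user,
                        "src": src, "raw": raw})
    return records


def find_anomalies(records: List[Dict], fail_threshold: int = 5,
                   fail_window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings. Kinds: sequence_gap, duplicate_entry,
    timestamp_regression, failed_login_burst, success_after_failures."""
    findings: List[Tuple[str, str]] = []
    seen_raw = set()
    failures: Dict[str, List[datetime]] = defaultdict(list)  # src -> failure times
    burst_sources = set()
    prev = None
    for rec in records:
        tag = f"seq={rec['seq']}"
        # duplicate entries: the exact same line delivered twice
        if rec["raw"] in seen_raw:
            findings.append(("duplicate_entry", f"{tag} appears more than once"))
            continue
        seen_raw.add(rec["raw"])
        if prev is not None:
            # missing entries: a hole in the record counter
            if rec["seq"] > prev["seq"] + 1:
                findings.append(("sequence_gap",
                                 f"{prev['seq'] + 1}..{rec['seq'] - 1} missing before {tag}"))
            # altered timestamps: records should never travel back in time
            if rec["ts"] < prev["ts"]:
                findings.append(("timestamp_regression",
                                 f"{tag} is {prev['ts'] - rec['ts']} earlier than seq={prev['seq']}"))
        if rec["event"] == "login_failed":
            # sliding window of failures per source address
            recent = [t for t in failures[rec["src"]] if rec["ts"] - t <= fail_window]
            recent.append(rec["ts"])
            failures[rec["src"]] = recent
            if len(recent) >= fail_threshold:
                findings.append(("failed_login_burst",
                                 f"{len(recent)} failures from {rec['src']} within {fail_window} ending at {tag}"))
                burst_sources.add(rec["src"])
                failures[rec["src"]] = []  # report each burst once
        elif rec["event"] == "login_ok" and rec["src"] in burst_sources:
            findings.append(("success_after_failures",
                             f"{tag}: {rec['user']} logged in from {rec['src']} after a failure burst"))
        prev = rec
    return findings


if __name__ == "__main__":
    for kind, detail in find_anomalies(parse(CONSTRUCTED_LOG)):
        print(f"{kind:24} {detail}")
```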

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. Load balancers are an integral part of preventing DDoS attacks, which can affect POS systems storewide. With a well-coordinated DDoS attack, a malicious actor could shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Preventing a DDoS attack can be an imposing undertaking, but with a load balancing device, most of this work can be automated.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and prevent DDoS attacks from doing serious damage to your organization’s operations or web presence.

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.

The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

The 4 Steps Of Incident Handling & Response

An estimated 3.6 billion records were breached in the first 9 months of 2018 alone. While these numbers show some improvement, cyber incidents will inevitably continue to happen. For that, security professionals need to know the Incident Handling and Response processes.

According to NIST’s Computer Security Incident Handling Guide, the Incident Response (IR) life cycle is made of 4 phases, as shown below.

1. Preparation

In this initial phase, organizations plan to handle incidents and attempt to limit the number of potential incidents by selecting and implementing a set of controls based on the results of risk assessments. This step involves outlining everyone’s responsibility, hardware, tools, documentation, etc. and taking steps to reduce the possibility of an incident happening.

2. Detection & Analysis

In this phase, the IR team analyzes all the symptoms reported and confirms whether or not the situation would be classified as an incident.

3. Containment, Eradication, and Recovery

In this phase, the IR team gathers intelligence and creates signatures that will help it identify each compromised system. With this information, the organization can mitigate the impact of incidents by containing them, and countermeasures can be put in place to neutralize the attacker and restore systems and data to normal.

4. Post-incident Activities

This is more of a ‘lesson learned’ phase. Its goal is to improve the overall security posture of the organization and to ensure that similar incidents won’t happen in the future.

When incidents happen, we tend to panic and wonder “what now?”. It’s important to remain calm and follow best practices and company procedures. For this reason, NIST has published its Computer Security Incident Handling Guide to lead you through the preparation, detection, handling, and recovery steps of Incident Handling & Response.

Interested in learning more about this topic? Join us on December 11 to discover a preview of the Incident Handling and Response Professional (IHRP) training course and take part in an exciting live demonstration.

House GOP Campaign Arm Targeted by ‘Unknown Entity’ in 2018

Thousands of emails were stolen from aides to the National Republican Congressional Committee during the 2018 midterm campaign, a major breach exposing vulnerabilities that have kept cybersecurity experts on edge since the 2016 presidential race.

Fight Evolving Cybersecurity Threats With a One-Two-Three Punch

When I became vice president and general manager for IBM Security North America, the staff gave me an eye-opening look at the malicious hackers who are infiltrating everything from enterprises to government agencies to political parties. The number of new cybersecurity threats is distressing, doubling from four to eight new malware samples per second between the third and fourth quarters of 2017, according to McAfee Labs.

Yet that inside view only increased my desire to help security professionals fulfill their mission of securing organizations against cyberattacks through client and industry partnerships, advanced technologies such as artificial intelligence (AI), and incident response (IR) training on the cyber range.

Cybersecurity Is Shifting From Prevention to Remediation

Today, the volume of threats is so overwhelming that getting ahead is often unrealistic. It’s not a matter of if you’ll have a breach, it’s a matter of when — and how quickly you can detect and resolve it to minimize damage. With chief information security officers (CISOs) facing a shortage of individuals with the necessary skills to design environments and fend off threats, the focus has shifted from prevention to remediation.

To identify the areas of highest risk, just follow the money to financial institutions, retailers and government entities. Developed countries also face greater risks. The U.S. may have advanced cybersecurity technology, for example, but we also have assets that translate into greater payoffs for attackers.

Remediation comes down to visibility into your environment that allows you to notice not only external threats, but internal ones as well. In fact, internal threats create arguably the greatest vulnerabilities. Users on the inside know where the networks, databases and critical information are, and often have access to areas that are seldom monitored.

Bring the Power of Partnerships to Bear

Once you identify a breach, you’ll typically have minutes or even seconds to quarantine it and remediate the damage. You need to be able to leverage the data available and make immediate decisions. Yet frequently, the tools that security professionals use aren’t appropriately implemented, managed, monitored or tuned. In fact, 44 percent of organizations lack an overall information security strategy, according to PwC’s “The Global State of Information Security Survey 2018.”

Organizations are beginning to recognize that they cannot manage cybersecurity threats alone. You need a partner that can aggregate data from multiple clients and make that information accessible to everyone, from customers to competitors, to help prevent breaches. It’s like the railroad industry: Union Pacific, BNSF and CSX may battle for business, but they all have a vested interest in keeping the tracks safe, no matter who is using them.

Harden the Expanding Attack Surface

Along with trying to counteract increasingly sophisticated threats, enterprises must also learn how to manage the data coming from a burgeoning number of Internet of Things (IoT) devices. This data improves our lives, but the devices give attackers even more access points into the corporate environment. That’s where technology that manages a full spectrum of challenges comes into play. IBM provides an immune system for security from threat intelligence to endpoint management, with a host of solutions that harden your organization.

Even with advanced tools, analysts don’t always have enough hours in the day to keep the enterprise secure. One solution is incorporating automation and AI into the security operations center (SOC). We layer IBM Watson on top of our cybersecurity solutions to analyze data and make recommendations. And as beneficial as AI might be on day one, it delivers even more value as it learns from your data. With increasing threats and fewer resources, any automation you can implement in your cybersecurity environment helps get the work done faster and smarter.

Make Incident Response Like Muscle Memory

I mentioned malicious insider threats, but users who don’t know their behavior creates vulnerabilities are equally dangerous — even if they have no ill intent. At IBM, for example, we no longer allow the use of thumb drives since they’re an easy way to compromise an organization. We also train users from myriad organizations on how to react to threats, such as phishing scams or bogus links, so that their automatic reaction is the right reaction.

This is even more critical for incident response. We practice with clients just like you’d practice a golf swing. By developing that muscle memory, it becomes second nature to respond in the appropriate way. If you’ve had a breach in which the personally identifiable information (PII) of 100,000 customers is at risk — and the attackers are demanding payment — what do you say? What do you do? Just like fire drills, you must practice your IR plan.

Additionally, security teams need training to build discipline and processes, react appropriately and avoid making mistakes that could cost the organization millions of dollars. Response is not just a cybersecurity task, but a companywide communications effort. Everyone needs to train regularly to know how to respond.

Fighting Cybersecurity Threats Alongside You

IBM considers cybersecurity a strategic imperative and, as such, has invested extensive money and time in developing a best-of-breed security portfolio. I’m grateful for the opportunity to put it to work to make the cyber world a safer place. As the leader of the North American security unit, I’m committed to helping you secure your environments and achieve better business outcomes.

The post Fight Evolving Cybersecurity Threats With a One-Two-Three Punch appeared first on Security Intelligence.

SecurityWeek RSS Feed: Kaspersky’s U.S. Government Ban Upheld by Appeals Court

The U.S. government’s ban on software made by Russia-based cybersecurity firm Kaspersky Lab remains in place, a federal appeals court in Washington, DC, ruled on Friday.

The court said Kaspersky had failed to demonstrate that the ban was an unconstitutional legislative punishment.

Introducing Incident Handling & Response Professional (IHRP)

We are introducing the Incident Handling & Response Professional (IHRP) training course on December 11, 2018. Find out more and register for an exciting preview webinar.

No matter the strength of your company’s defense strategy, it is inevitable that security incidents will happen. Poor and/or delayed incident response has caused enormous damages and reputational harm to Yahoo, Uber, and most recently Facebook, to name a few. For this reason, Incident Response (IR) has become a crucial component of any IT Security department and knowing how to respond to such events is growing to be a more and more important skill.

Aspiring to switch to a career in Incident Response? Here’s how our new Incident Handling & Response Professional (IHRP) training course can help you learn the necessary skills and techniques for a successful career in this field.

Incident Handling & Response Professional (IHRP) 

The Incident Handling & Response Professional course (IHRP) is an online, self-paced training course that provides all the advanced knowledge and skills necessary to:

  • Professionally analyze, handle and respond to security incidents, on heterogeneous networks and assets
  • Understand the mechanics of modern cyber attacks and how to detect them
  • Effectively use and fine-tune open source IDS, log management and SIEM solutions
  • Detect and even (proactively) hunt for intrusions by analyzing traffic, flows and endpoints, as well as utilizing analytics and tactical threat intelligence

This training is the cornerstone of our blue teaming course catalog or, as we called it internally, “The PTP of Blue Team”.

Discover This Course & Get An Exclusive Offer

Take part in an exciting live demonstration and discover the complete syllabus of our latest course, Incident Handling & Response Professional (IHRP), on December 11. During this event, all the attendees will get their hands on an exclusive launch offer. Stay tuned! 😉

Be the first to know all about this modern blue teaming training course: join us on December 11.

How Can Industry Leaders and Academia Help Improve Cybersecurity Education?

Just as the field of cybersecurity grew out of information technology, cybersecurity education is evolving as an offshoot of the computer science field. The current state of cybersecurity course offerings as an underdeveloped computer science footnote is allowing the skills gap to grow. To change this, higher education has to address the theoretical and hands-on skills students need to do their jobs post-graduation.

Without sufficient expert staffing, security teams lack the resources necessary to do their jobs effectively; in this way, the skills gap itself is a significant security risk. How, then, can the industry educate the next generation at scale? While there is no one answer, let’s take a look at what’s going on in classrooms across colleges and universities to see how higher education can evolve to meet the needs of the industry.

How to Recognize Shortcomings in Cybersecurity Education

By taking a closer look at the actual cybersecurity training programs higher education currently provides, industry leaders can help draw the road map of where it needs to go. How can they improve its offerings without bankrupting students who are already spending tens of thousands of dollars on degrees that fail to prepare them for the real-world problems they will face?

Bo Yuan, professor and chair of the Department of Computing Security at Rochester Institute of Technology (RIT), acknowledged that many undergraduate degree programs in cybersecurity start out with common introductory courses in computing and mathematics, such as Computer Science I and II and Calculus, eventually ramping up to more specialized training.

“As they get further into the program, students at RIT take more cybersecurity-focused courses, including Introduction to Cryptography and Cyber Security Policy and Law,” Yuan said. “In master’s degree programs, courses often focus on the theoretical foundations of computing security and how to become leaders in the implementation of computing security and information assurance policies and practices.”

To ensure that graduates are able to successfully transition from the classroom to the security operations center (SOC), cybersecurity education leaders should expand and more deeply integrate their hands-on learning opportunities.

Why Student Outreach Is Crucial

With the hefty price tag on degrees these days, students need to be judicious in the programs they choose. But it’s also up to industry leaders to reach out to their future recruits and help connect them with opportunities. Although one-to-one engagement across school districts is impossible, any role security professionals can play is a significant investment in long-term cybersecurity strategy.

Steering students toward cybersecurity training programs that offer them the chance to detect, identify and respond to existing threats in a simulated environment will yield the best returns. Unfortunately, those opportunities are not equally available to all students, and many won’t have the exposure they need to recognize their specialized interests within computer science early enough to plan effectively to get there.

Collaborate to Offer Experiential Learning

Hands-on learning opportunities are essential for cybersecurity students, and many academic institutions, including RIT, enable students to gain experience through simulated real-world exercises. But the students need to know what’s out there before making career-defining decisions to specialize one way over another.

To that end, some security companies have already partnered with educational organizations to extend opportunities for such immersive training.

“We have a heavy hands-on component to the degree programs with labs and project assignments,” Yuan explained. “Additionally, RIT computing security students are required to do two terms of co-ops (paid internships) before graduation.”

Yuan noted that RIT students have engaged in cooperative educational experiences with organizations such as IBM, Eaton Corporation and government agencies. These experiences often lead to job offers before graduation; both students and recruiters are reaping the benefits of these arrangements.

Why It’s Important to Make Connections Early

Through internships and co-ops, students can develop strong cybersecurity skills in the field, which hiring organizations desperately need to keep up with the evolving threat landscape. The Advanced Cyber Security Center (ACSC) and the University of Massachusetts created the Cybersecurity Education and Training Consortium (CETC) to bring industry leaders and students together. According to a press release, “The CETC will connect higher education leaders with business leaders to promote academic programming in cybersecurity that aligns with the needs of Massachusetts employers.”

Higher education programs around the world should partner with the cybersecurity industry to learn more about the needs of students and professionals. Through these innovations, students and enterprises can gain efficient access to both learning opportunities and talent. By working together with institutions of higher learning, businesses can ensure that students come out of learning programs armed with an understanding of the existing threat landscape and how to monitor its constant change so that they are fully equipped to do their jobs.

The post How Can Industry Leaders and Academia Help Improve Cybersecurity Education? appeared first on Security Intelligence.

A Day In The Life Of A Purple Teamer

Considering the ruthless tactics attackers will use to gain access to an organization’s assets, security professionals are now seeking to have both red and blue teaming skills. We asked Dimitrios Bougioukas, our training director, a few questions about the challenges and opportunities that come with being a purple teamer.

What are your main responsibilities as a Training Director & Purple Teamer?

My main responsibilities include directing eLearnSecurity’s course development activities, leading the IT security research endeavors of the company and constantly monitoring the threat landscape as well as the latest technology advancements in order to create new courses that cover new and emerging IT security segments.

What part of this job do you personally find most satisfying? Most challenging?

As a Training Director, my upper goal is to create the next generation of complete and up-to-date IT security professionals. We take our students’/clients’ education seriously and we strive towards providing the most practical and up-to-date IT security courses in the market. As you can imagine, when I see students passing our challenging exams and applying the knowledge they obtained to effectively secure their organization, it is the most fulfilling and satisfying feeling in the world. On the other hand, the most challenging part of my job is conducting IT security research, discovering new attack vectors, security bypasses etc. To do so, understanding the underpinnings and full capabilities of each technology is required, and this is just the beginning. Countless attempts to subvert each technology’s normal flow by supplying all kinds of imaginative input are also required, and this is equally demanding.

What are the most important skills for Purple Teamers?

To become a purple teamer, you will have to be equally skilled at (web app, infrastructure, mobile, cloud) penetration testing and at incident response/threat hunting. Reverse engineering and/or information security management skills are also nice to have. The information security management skills especially are of great importance, since in enterprise environments technical skills and skilled personnel are nothing without properly implemented IT security processes, planning, and management.

What jobs can you get with purple teaming skills?

To be honest, when you have mastered both Red and Blue team skills, the job possibilities are endless. And I don’t just mean that you can fill a penetration testing or an incident response/threat hunting position with ease. I mean that you will be in the position to even fill an IT security management position with minimum effort (of course some information security management and/or risk management skills will be required to do so).

What advice would you give to someone aspiring to become a successful purple teamer?

I am sure you have figured out by now that becoming a Purple Teamer is a demanding endeavor. I would recommend being methodical, patient and passionate while developing your skillset. The danger of “educational fatigue” is high during this journey, so take it easy and enjoy every destination.

Security newsround: October 2018

We round up interesting research and reporting about security developments from around the web. This month: data breaches are up (again), help with hacks, incident response, attacks on trust providers and a numbers game.

Breach over troubled water

More than 4.5 billion data records were compromised in the first half of 2018. That’s a 133 per cent increase from last year and a staggering 1,751 per cent up on the first half of 2015. And if those stats aren’t scary enough, try this one: the total number of breached records equates to 291 every second, on average.

The findings come from Gemalto’s 2018 Breach Level Index. The company also found that the average number of records per incident is growing at an alarming rate. In 2015, the average was 276,936 records; by this year, the average stands at 4.8 million records per incident. The arrival of GDPR has cast a fresh spotlight on the risk of data breaches.

Common hacks and how to stop them

A new report throws the spotlight on commonly used hacking tools and ways of stopping them. The report is a joint collaboration between the cybersecurity authorities of Australia, Canada, New Zealand, the UK, and the US. The report gives an overview of tools that attackers are known to have used in recent incidents. They give the ability to plant backdoors or exfiltrate data, gain remote admin control of web servers or move laterally in compromised networks.

“The intel is designed to give enterprises a better awareness of what they’re up against so they are better positioned to prepare defences,” The Register reported. The report is for network and systems administrators, and anyone involved in incident response. It’s available free here.

Best practice incident response

Stuck for ideas to develop an incident response plan? The cybersecurity unit at the US Department of Justice might be able to help. It has updated its guide to best practice for victim response and reporting cyber incidents. The 25-page document includes sections covering pre- and post-event actions, as well as advice on what not to do. Also included: threat education for senior management, plus advice on engaging with law enforcement and with incident response specialist firms. It’s available to download at this link.

Breakdown of trust

ENISA has published its first full-year annual report about significant security incidents at trust service providers in the EU. The document covers all of the incidents during 2017 involving services that make electronic transactions more secure, like digital signatures and certificates, or electronic seals and timestamps. Half of the incidents were rated as ‘severe’, and a similar number had impact across borders. The most affected services were e-signatures and e-seals. System failures and third-party failures were the most common root causes, each accounting for 36 per cent. The report summary is here and the full report is free to download here.

Security’s search for meaningful metrics

Better security starts with knowing what you need to defend against; data beats anecdotes every time. The problem is that cybersecurity metrics suffer from inconsistency. An article in Defense One reports that NATO member governments have different ways of counting what constitutes a cyber attack. That’s a problem, says the article’s author Stefan Soesanto. “Without published standards and discernible metrics … warnings are of no real value to the public. We simply do not know whether 6,000 annual attacks against NATO’s infrastructure is a lot or whether any of the 24,000 attacks against the French MoD were serious.”

John Pescatore of SANS Institute compared this to the retail sector, which uses revenue loss from shrinkage as a more reliable figure than the number of attempted thefts. “That is why reports looking at actual damage like the Verizon Data Breach Investigation Report and Microsoft’s Security Intelligence report [well, parts of it], are much more useful than the numerous ‘billions and billions of attacks are being observed’ reports,” he wrote.

Better security through privacy audits?

Here’s one interesting fact to emerge from the news that Google was finally killing off Google+. (Not counting the fact that Google+ still existed, surprising many of us who assumed it disappeared years ago). Up to 500,000 Google+ user accounts were potentially at risk of exposing their data to external developers. Here’s the kicker: Google reportedly discovered the exposure during GDPR and privacy checks as part of its Project Strobe initiative.

Some reports led with Google’s decision not to disclose the flaw because the company feared it would lead to closer regulatory scrutiny. But would this have actually happened? Stripe’s Tommy Collison noted that although the data was exposed, it’s not technically a breach since Google claims no-one has misused the information.

Things we liked

ISACA has introduced a new programme to help people to acquire and prove skills in auditing cybersecurity processes, policies and tools.

Why return on investment calculations might not tell the whole story when it comes to cybersecurity investments.

Brian Krebs interviews Tony Sager, former NSA bug hunter and now VP at the Center for Internet Security, about a very timely subject: supply chain security.

Finland’s data protection authority has some great guides for data subjects, including an English-language document about how to make a subject access request.

A new Irish initiative aims to put 5,000 people to work in the field of cybersecurity over the next three years by upskilling them.

IBM launched a free cybersecurity learning resource aimed at girls, called ‘Securing the Internet of Things’.

The post Security newsround: October 2018 appeared first on BH Consulting.

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most of the time, it’s not true. In many cases, incidents are due to human error or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats, like attack types such as SQL injection, have been known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in the online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain trends and predictions from the past have been confirmed or even reconfirmed.

Our 9th edition of M-Trends draws upon the findings of one year of incident response investigations across the globe. This data provides us with insights into the evolution of nation-state sponsored threat actors, new threat groups, and new trends and attacker techniques we have observed during our investigations. We also compare this data to past observations from prior M-Trends reports and continue our tradition of reporting on key metrics and their development over time.

Some of the topics we cover in the 2018 M-Trends report include:

  • How the global median time from compromise to internal discovery has dropped from 80 days in 2016 to 57.5 in 2017.
  • The increase of attacks originating from threat actors sponsored by Iran.
  • Metrics about attacks that have retargeted or even recompromised prior victim organizations, a topic we previously discussed in our 2013 edition of M-Trends.
  • The widening cyber security skills gap and the rising demand for skilled personnel capable of meeting the challenges posed by today’s more sophisticated threat actors.
  • Frequently observed areas of weaknesses in security programs and their relation to security incidents.
  • Observations and lessons we have learned from our red teaming exercises about the effectiveness and gaps of common security controls.

By sharing this report with the security community, we continue our tradition of providing security professionals with insights and knowledge gained from recent breaches. We hope that you find this report useful in your work to strengthen your security posture and defend against the ever evolving threats.

Detection and recovery of NSA’s covered up tracks

Part of the NSA cyber weapon framework DanderSpritz is eventlogedit, a piece of software capable of removing individual entries from Windows Event Log files. Now that this tool has been leaked and is public, any attacker who wants to remove their traces from a hacked computer can use it. Fox-IT has analysed the software and found a reliable way to detect its use and to recover the removed event log entries.

Introduction

A group known as The Shadow Brokers published a collection of software which allegedly was part of the cyber weapon arsenal of the NSA. Part of the published software was the exploitation framework FuzzBunch and the post-exploitation framework DanderSpritz. DanderSpritz is a full-blown command and control server, or listening post in NSA terms. It can be used to stealthily perform various actions on hacked computers, like finding and exfiltrating data or moving laterally through the target network. Its GUI is built in Java and it contains plugins written in Python; the plugins provide the functionality to perform specific actions on the target machine. One specific plugin in DanderSpritz caught the eye of the Forensics & Incident Response team at Fox-IT: eventlogedit.

Figure 1: DanderSpritz with eventlogedit in action

eventlogedit

Normally, the content of Windows Event Log files is useful for system administrators troubleshooting system performance, security teams monitoring for incidents, and forensic and incident response teams investigating a breach or fraud case. A single event record can alert the security team or be the smoking gun during an investigation. Various other artefacts found on the target system usually corroborate findings in Windows Event Log files during an investigation, but a missing event record could reduce the chances of detection of an attack, or impede investigation.

Fox-IT has encountered event log editing by attackers before, but eventlogedit appeared to be more sophisticated. Investigative methods that can spot other kinds of event log manipulation showed no indicators of editing after eventlogedit had been used. With eventlogedit, an attacker is able to remove individual event log entries from the Security, Application and System logs on a target Windows system. After forensic analysis of systems where eventlogedit was used, the Forensics & Incident Response team of Fox-IT was able to create a Python script to detect the use of eventlogedit and to fully recover the entries the attacker removed.

Analysing recovered event records, deleted by an attacker, gives great insight into what an attacker wanted to hide and ultimately wanted to achieve. This provides security and response teams with more prevention and detection possibilities, and investigative leads during an investigation.

Figure 2: Before (back) and after (front) eventlogedit

eventlogedit in use

Starting with Windows Vista, Windows Event Log files are stored in the Windows XML Event Log format. The files have the extension .evtx and are stored by default in the folder \Windows\System32\winevt\Logs\ on the system disk. The file structure consists of a file header (4 KiB) followed by one or more chunks (64 KiB each). A chunk itself starts with a chunk header followed by one or more individual event records. Each event record starts with a signature (0x2A2A0000, i.e. the bytes '**\0\0'), followed by the record size, the record number, a FILETIME timestamp, the actual event message, and the record size once again. The event message is encoded in a proprietary binary XML format, binXml, in which the tags, attributes and values of the text XML are represented as tokens.

Fox-IT discovered that when eventlogedit is used, the to-be-removed event record is neither edited nor removed at all: the record is only unreferenced. This is achieved by manipulating the record header of the preceding record. Eventlogedit adds the size of the to-be-removed record to the size field of the previous record, thereby merging the two records. The removed record, including its record header, is now simply seen as excess data at the end of the preceding record, as Figure 3 illustrates. You might expect an event viewer to show this excess or garbage data, but it does not. All tested viewers parse the record's binXml message data until the first end-tag and then jump to the next record using the (patched) size field. Tested viewers include the Windows Event Viewer as well as various other forensic event log viewers and parsers. None of them was able to show a removed record.

Figure 3: Untouched event records (left) and deleted event record (right). Note: not all fields are displayed here.

Merely changing the record size would not be enough to avoid detection: various fields in the file and chunk headers need to change as well. Eventlogedit renumbers all following event records and recalculates the checksums in both the file header and the chunk header. Doing so ensures that obvious anomalies like gaps in the record numbers or checksum errors do not occur and will not raise an alarm with the system owner or the security department.

Organisations that forward event log records on the fly to a central log server (e.g. a SIEM) should still have the removed record on that server, since eventlogedit only manipulates the local file. However, an advanced attacker will most likely compromise the log server before continuing the operation on the target computer.

Recovering removed records

As eventlogedit leaves the removed record and its record header in their original state, their content can be recovered. This allows full recovery of all the data that was originally in the record, including the record number, event ID, timestamps, and event message.

Fox-IT's Forensics & Incident Response department has created a Python script that finds and exports any removed event log records from an event log file. The script also handles the cases where consecutive event records have been removed, where the first record of the file has been removed, and where the first record of a chunk has been removed. Figure 4 shows an example.

Figure 4: Recovering removed event records
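To make the record framing described above and the recovery idea concrete, here is an added Python example written for this page. It is not Fox-IT's danderspritz_evtx.py and does not use python-evtx. It models only the record area of a chunk (the bytes after the chunk header) using the record fields described earlier (signature, size, record number, FILETIME, message, size copy), uses a constructed placeholder in place of real binXml, and simulates the merge eventlogedit performs by patching the preceding record's size field and renumbering the records that follow; the chunk and file header checksums are left out of the model. Detection then walks the records the way a viewer does, and scans each visible record's declared span for an intact, correctly framed record, i.e. a signature whose leading and trailing size fields agree. It also handles back-to-back removals. All names and the sample records are this example's own.

```python
"""Detect and recover event records that were 'unreferenced' by merging them into
the preceding record. Added illustration for this page; not Fox-IT's script.
Works on the record area of one .evtx chunk and does not parse binXml."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIG = b"\x2a\x2a\x00\x00"   # '**\0\0' event record signature
HEADER_LEN = 24                    # sig(4) + size(4) + record number(8) + FILETIME(8)
MIN_RECORD = HEADER_LEN + 4        # header plus the trailing size copy


def build_record(record_id, filetime, message):
    """Frame one record. 'message' is a constructed placeholder, not binXml."""
    size = HEADER_LEN + len(message) + 4
    return (RECORD_SIG + struct.pack("<IQQ", size, record_id, filetime)
            + message + struct.pack("<I", size))


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_at(buf, off, limit):
    """Return (size, record_id, filetime) if an intact record starts at off.
    Intact: signature present, plausible size that fits before 'limit', and the
    trailing size copy equal to the leading size field."""
    if off + MIN_RECORD > limit or buf[off:off + 4] != RECORD_SIG:
        return None
    size, rid, ft = struct.unpack_from("<IQQ", buf, off + 4)
    if size < MIN_RECORD or off + size > limit:
        return None
    if struct.unpack_from("<I", buf, off + size - 4)[0] != size:
        return None
    return size, rid, ft


def walk_visible(buf):
    """Walk records the way a viewer does: trust the leading size field only."""
    recs, off = [], 0
    while off + MIN_RECORD <= len(buf) and buf[off:off + 4] == RECORD_SIG:
        size, rid, ft = struct.unpack_from("<IQQ", buf, off + 4)
        if size < MIN_RECORD or off + size > len(buf):
            break
        recs.append({"offset": off, "size": size, "id": rid, "time": filetime_to_dt(ft)})
        off += size
    return recs


def find_hidden(buf):
    """Scan the span of every visible record for intact records merged into it."""
    hidden = []
    for rec in walk_visible(buf):
        start, end = rec["offset"], rec["offset"] + rec["size"]
        # A merged span ends with the *removed* record's size copy, which no longer
        # matches the patched leading size field: a cheap first indicator.
        trailing = struct.unpack_from("<I", buf, end - 4)[0]
        pos = start + HEADER_LEN
        while True:
            pos = buf.find(RECORD_SIG, pos, end)
            if pos < 0:
                break
            framed = parse_at(buf, pos, end)
            if framed is None:          # signature bytes inside message data
                pos += 1
                continue
            size, rid, ft = framed
            hidden.append({"offset": pos, "size": size, "id": rid,
                           "time": filetime_to_dt(ft),
                           "message": bytes(buf[pos + HEADER_LEN:pos + size - 4]),
                           "hidden_in": rec["id"],
                           "size_copy_mismatch": trailing != rec["size"]})
            pos += size                 # consecutive removals sit back to back
    return hidden


def simulate_eventlogedit(buf, victim_index):
    """Reproduce the effect described on the page: add the victim's size to the
    preceding record's size field and renumber the records that follow."""
    recs = walk_visible(buf)
    prev, victim = recs[victim_index - 1], recs[victim_index]
    out = bytearray(buf)
    struct.pack_into("<I", out, prev["offset"] + 4, prev["size"] + victim["size"])
    for later in recs[victim_index + 1:]:
        struct.pack_into("<Q", out, later["offset"] + 8, later["id"] - 1)
    return bytes(out)


# Constructed sample: three records, placeholder payloads, FILETIMEs in early 2018.
T0 = 131_600_000_000_000_000
CHUNK = b"".join(build_record(100 + i, T0 + i * 10_000_000, b"<event %d/>" % i)
                 for i in range(3))
TAMPERED = simulate_eventlogedit(CHUNK, 1)   # hide the record numbered 101

if __name__ == "__main__":
    print("viewer sees:", [r["id"] for r in walk_visible(TAMPERED)])
    for h in find_hidden(TAMPERED):
        print("recovered record", h["id"], h["time"], h["message"], "inside", h["hidden_in"])
```

Running it shows a viewer seeing record numbers 100 and 101, while the recovered record also carries number 101: that duplicate is the renumbering the page describes, and is itself a strong indicator. The example does not cover removal of the first record of a chunk or file (which the Fox-IT script handles, per the text above), and the recovered message bytes still need a binXml decoder with access to the chunk's string and template tables before they are readable, which is the kind of work a library like python-evtx does for a full tool.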

We have decided to open source the script. It can be found on our GitHub and works like this:

$ python danderspritz_evtx.py -h
usage: danderspritz_evtx.py [-h] -i INPUT_PATH [-o OUTPUT_PATH] [-e EXPORT_PATH]

danderspritz_evtx.py - Parse evtx files and detect the use of the danderspritz
module that deletes evtx entries

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT_PATH, --input INPUT_PATH
                        Path to evtx file
  -o OUTPUT_PATH, --output OUTPUT_PATH
                        Path to corrected evtx file
  -e EXPORT_PATH, --export EXPORT_PATH
                        Path to location to store exported xml records

The script requires the python-evtx library from Willi Ballenthin.

Additionally, we have created an easy to use standalone executable for Windows systems which can be found on our GitHub as well.

Danderspritz_evtx.exe

Hashes:
md5    c07f6a5b27e6db7b43a84c724a2f61be 
sha1   6d10d80cb8643d780d0f1fa84891a2447f34627c
sha256 6c0f3cd832871ba4eb0ac93e241811fd982f1804d8009d1e50af948858d75f6b

Recommendations

To detect whether the NSA, or anyone else now holding the leaked tool, has used eventlogedit to cover their tracks on your systems, run the script on event log files from your Windows servers and workstations. As the NSA very likely changed their tools after the leaks, it may be far-fetched to expect to detect their current operations with this script, but you might find traces in older event log files. It is therefore recommended to also run the script on archived event log files from backups or central log servers.

If you find traces of eventlogedit and would like assistance with analysis and remediation of a possible breach, feel free to contact us: our Forensics & Incident Response department during business hours, or FoxCERT 24/7.

Wouter Jansen
Fox-IT Forensics & Incident Response

Richard Bejtlich on His Latest Book, “The Practice of Network Security Monitoring”

The Practice of Network Security Monitoring

Everyone wants to know how to find intruders on their networks. I learned one approach when I served in the Air Force Computer Emergency Response Team (AFCERT) as a captain from 1998 to 2001. When I left the service and brought my refinements of network security monitoring (NSM) to the commercial world, I decided that at some point I would explain what I knew in book form for the good of the computer network defense community.

In July 2004, I published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. Although I had published material on NSM in 2002 in Hacking Exposed, 4th Edition and in 2003 in Incident Response, 2nd Edition, the Tao was my first major contribution to the field of detecting and responding to intrusions using network-centric tools and tactics. I wrote two other books in the following two years, namely Extrusion Detection and Real Digital Forensics, the latter as a co-author. I wrote for the intermediate-to-advanced level audience, and people seemed to find the works useful.

I began teaching multi-day classes on NSM and related subjects in 2004, and in 2007 brought new classes on NSM to Black Hat. Over the years I kept my material at the intermediate-to-advanced level because I thought that sort of viewpoint was most needed. In late 2012, however, teaching for Black Hat in Dubai, I realized that for every intermediate-to-advanced student in my class, there were probably 100 or more introductory-level students trying to better understand security and their networks. By writing for people who I thought already "got" NSM, I ignored thousands of deserving readers and students.

In late December 2012 I decided it was time to write a book for people who knew something about computers, networking, and security, but little to nothing about NSM or incident detection and response. I submitted a proposal to No Starch and began writing a new book the first week of January 2013, with the goal of having it in print for Black Hat in July 2013. Thanks to the fine work of No Starch's team and my editors and contributors, The Practice of Network Security Monitoring arrived in time for Black Hat last month.

If you want to know how to use network-derived evidence to detect and respond to intrusions, my new book is for you. I teach you why NSM matters, where and how to obtain visibility, how to collect and analyze traffic, and what to do when you find something suspicious or malicious. Although you may be able to use your existing tools and data to accomplish these goals, I demonstrate NSM using the amazing open source NSM distro Security Onion by Doug Burks and Scott Runnels. With nothing more than the investment in some reading time and downloading free software, you can start learning how intruders are abusing your network.

In addition to writing the new book for those at the introductory level of NSM practice, I also wrote a new class titled "NSM 101." I taught the material at Black Hat last month, and feedback was positive. I intend to teach the same course in Seattle for Black Hat on December 9-10, 2013 and again in 2014 in Vegas and elsewhere with Black Hat. I find that my network-centric approach nicely complements the powerful endpoint- and log-centric tools and capabilities available from Mandiant's products and services.

If you have questions about how NSM can help defend your organization, please feel free to send me a tweet via @taosecurity. I am happy to respond to thoughtful questions.