
Why You Need a BGP Hijack Response Plan

The vast majority of computer security incidents involve some sort of phishing or malware. Typically, this is the type of incident that receives the most attention from organizations, and for which security controls are established. And rightfully so — malware that exploits a vulnerability or human error can cause significant damage to an organization.

However, attacks targeting an organization’s network or internet infrastructure components — such as Border Gateway Protocol (BGP) — have been generally overlooked, even as they gain traction. BGP hijack attacks are still far less common than distributed denial-of-service (DDoS) attacks, but several recent events have turned this unusual method into headlines.

What Is BGP?

Some consider BGP the glue that ties the internet together. Purists might argue that it is the Domain Name System (DNS) that plays this role, given that there can be glue records in a zone file. However, without BGP, your packets would not arrive at their intended destinations.

BGP is the routing protocol of the internet. It is used to determine the most efficient way to route data between independently operated networks, known as autonomous systems (AS). In technical terms, an AS is a collection of IP prefixes that are assigned an Autonomous System Number (ASN).

Put simply, BGP is the road map to the internet, whereas DNS is the phone book.

How BGP Routing Works

A BGP router uses a large table called the routing information base (RIB), which describes the networks it can reach and what the most efficient paths to these networks are. BGP peers are systems (or neighbors) from which the router receives information (networks or prefixes). These are configured manually.

Basically, each BGP peer tells the router about the networks it can reach, including routes it has itself learned from its own manually configured peers. By combining the information coming from different peers, the router can then work out the most efficient path to a destination.

What Is BGP Hijacking?

In short, a BGP attack is a configuration of an edge router to announce prefixes that have not been legitimately assigned to it. If the injected announcement is more specific (a longer prefix, which routers prefer when choosing a path) than the legitimate one, then the traffic will be rerouted to the injected announcement. In this way, an attacker can broadcast false prefix announcements, polluting the routing table of all its connected peers.

Because of the propagation of routes through connected networks, if one peer includes the malicious information in its routing table, this information can be quickly propagated to other peers. Routing announcements are accepted almost without any validation, making a successful BGP hijack relatively easy.

There are two primary types of attacks: A complete hijack attack overtakes a specific IP prefix, whereas in a partial hijack, the attacker competes with the legitimate source by announcing the same prefix with the same efficiency.

There are also unintentional cases. Human error can cause the same effect as a BGP hijack attack. This is often referred to as a route leak.

Recognize the Impact

The most obvious impact of BGP hijacking is that packets do not take their most optimal route, slowing down users’ connections to the network.

Far worse, attackers can black hole an entire network, including the organization’s services, thus resulting in an outage resembling a DDoS attack. Similarly, attackers can censor certain sources of information by black holing specific networks.

The rerouting makes the attacker a middleman of the network flow — meaning he or she can eavesdrop on certain parts of the communication, or in some cases even alter the traffic. They can also redirect traffic from your customers or users to malicious sites pretending to be part of your network. This can result in the theft of information or credentials or delivery of malware that exploits weaknesses.

In addition, spammers can abuse the good reputation of your ASN to conduct spam runs. This can have a negative effect on your network if it gets blocked by spam filters.

Watch for a Secondary Attack

In some cases, the BGP hijack might not be the attacker’s final objective. The goal might be to steal credentials or divert your users to sources that could potentially exploit their systems.

During the incident response phase, it’s important to be aware of this possibility and try to gather as much material as possible that could help you analyze these attacks. Valuable data sources include passive DNS, Secure Sockets Layer (SSL) certificate history and full packet captures.

How to Detect a BGP Hijack

One of the problems with BGP attacks is that they do not always last very long, so by the time you know an attack is taking place, the situation can already be restored to normal. This stresses the importance of implementing monitoring tools and establishing an efficient alerting workflow.

Start by monitoring the BGP routes that relate to your AS. You can set up your own monitoring solutions, but you can just as well rely on publicly available sources, such as BGPMon and Oracle Dyn, to do the heavy lifting for you.
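The two hijack types described above (a more-specific announcement that wins longest-prefix matching, and a competing announcement for the same prefix from the wrong origin) are exactly what route monitoring for your own AS should flag. The following is an added example, not code from the original post or from any monitoring service: it classifies constructed sample announcements against a table of the prefixes and origin ASN you expect, using placeholder documentation prefixes and private ASNs.

```python
"""Added example: flag route announcements that conflict with what we expect
for our own prefixes. All prefixes/ASNs are constructed placeholder values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str        # announced IP prefix as seen by a route collector
    origin_asn: int    # last ASN in the AS_PATH, i.e. the claimed originator
    as_path: tuple     # full AS_PATH, kept for the analyst's context


# Prefixes we legitimately announce, mapped to our origin ASN (placeholder).
OUR_PREFIXES = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
    "2001:db8::/32": 64500,
}


def classify(ann, ours=OUR_PREFIXES):
    """Return None if the announcement is consistent with our expectations,
    otherwise a label naming the kind of conflict."""
    net = ipaddress.ip_network(ann.prefix)
    for our_str, expected_asn in ours.items():
        our_net = ipaddress.ip_network(our_str)
        if net.version != our_net.version:
            continue  # subnet_of() cannot compare IPv4 with IPv6
        if net == our_net:
            if ann.origin_asn != expected_asn:
                # Same prefix, other originator: competes with us on equal terms.
                return "partial-hijack"
            return None
        if net.subnet_of(our_net):
            # A longer prefix inside ours wins longest-prefix matching no matter
            # who originates it. The origin ASN can be forged, so any
            # more-specific we did not list ourselves is treated as a hijack.
            return "more-specific-hijack"
    return None  # not our address space; nothing to say about it


def scan(announcements, ours=OUR_PREFIXES):
    """Return (prefix, origin_asn, label) for every conflicting announcement."""
    hits = []
    for ann in announcements:
        label = classify(ann, ours)
        if label:
            hits.append((ann.prefix, ann.origin_asn, label))
    return hits


# Constructed feed: one legitimate route, one more-specific hijack, one
# partial hijack and one unrelated prefix.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500, (64496, 64500)),
    Announcement("203.0.113.0/25", 64511, (64496, 64511)),
    Announcement("198.51.100.0/24", 64511, (64496, 64511)),
    Announcement("192.0.2.0/24", 64510, (64496, 64510)),
]

if __name__ == "__main__":
    for prefix, asn, label in scan(SAMPLE_FEED):
        print(f"ALERT {label}: {prefix} originated by AS{asn}")
```

In practice the feed would come from a route collector or a monitoring service; the classification logic is the same.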

Build an Incident Response Plan

Proper reaction to a BGP hijack starts with an incident response plan. Unfortunately, this isn’t the type of incident for which you can set up a simple fallback solution or defensive security control. Nor is it one that you can easily detect.

That’s because BGP attacks take place outside the network of an organization. A well-conducted BGP hijack can interfere with traffic without your users ever noticing something was wrong. You might be able to convince your ISP to remove the false route or request it to convince its peers to drop these announcements.

For BGP hijack attacks, the containment, eradication and recovery phases of an incident response plan blur together. Because the route announcements will spread very quickly, containment might be a real challenge.

If you can’t free up the resources to develop a dedicated incident response plan, then you can reuse parts of your plan for combating DDoS attacks.

Be Prepared

Most organizations do not have their own ASN and must rely on the measures of their upstream internet service provider (ISP). But there are ways to prepare:

  • Understand which network providers your organization uses. Does it rely on one single network provider or multiple? An AS relation model can give you insight on this.
  • Once you have listed your network providers, reach out and ask them what precautions or response plans they have with regard to BGP security. You could start by asking for a high-level overview of the peering policy and what agreements toward protection they have in place.
  • Build good working communication channels with your network providers. Next to the normal abuse contact, these should also include escalation paths.
  • Establish out-of-band communication channels via another network provider. Use these channels to inform your customers in case of an attack. Possible options would be social media or a communication page hosted at a cloud provider (take into account phishing).

If you own an ASN, there are some additional measures to take:

  • Write down your peering policy and make sure everyone understands the BGP interconnection policy.
  • Implement the BGP peering best current practices (BCPs).
  • Review and implement the best practices from Mutually Agreed Norms for Routing Security (MANRS).
  • Specify an AS path. Be aware that this can quickly backfire since the intent of the system is to find the best path automatically. Introducing manual paths will weaken the system.
  • Limit the amount of prefixes that can be received to prevent being flooded with announcements.
  • Implement route filtering.
  • Filter bogons, the IP prefixes that should not be allowed on the internet.
  • Use a form of authentication before accepting announcements.
  • Implement BGP time to live (TTL) checks, rejecting updates from routers located further away from you.

If you want to exercise your plan, you can, for example, make use of a virtual machine (VM) with the option to load more than 500,000 BGP routes.

Consider Automated Response Tools

A key element in fighting BGP hijacking is accurate and fast detection that enables flexible and equally fast mitigation of these events. This is where the Automatic and Real-Time dEtection and MItigation System (ARTEMIS) can provide future help.

ARTEMIS, presented in a research paper by the Center for Applied Internet Data Analysis (CAIDA), is a self-operated and unified detection and mitigation approach based on control-plane monitoring. Although still in development, the project shows potential to help network providers address these attacks.

The last phase in incident response — learning lessons — calls for collecting the necessary information to update and improve your plan, especially for the preparation and detection phases. Review whether all the communication channels worked as expected, the escalation paths gave the expected results and you were able to detect the attack in time. The best response plan is prevention.

The post Why You Need a BGP Hijack Response Plan appeared first on Security Intelligence.

5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.
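To make the baselining steps above concrete, here is an added example (not code from the original post) that builds a per-hour-of-day baseline from constructed hourly traffic volumes and then checks a new observation against high and low thresholds, the kind of check an IDS/IPS alarm would automate. The sample volumes and the threshold factors are assumptions.

```python
"""Added example: per-hour traffic baseline with high/low anomaly thresholds.
The traffic figures are constructed, not measurements from any real network."""
import random
import statistics
from collections import defaultdict


def build_baseline(samples):
    """samples: iterable of (hour_of_day, megabytes). Returns
    {hour: (mean, population_stdev)} so each hour has its own normal range."""
    by_hour = defaultdict(list)
    for hour, volume in samples:
        by_hour[hour].append(volume)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_hour.items()}


def check(baseline, hour, volume, k=3.0, rel=0.2):
    """Compare one observation with the baseline for that hour.
    Returns 'high', 'low' or None. The margin is k standard deviations but
    never less than rel * mean, so a near-constant hour cannot produce an
    alert from a trivial fluctuation (assumed tuning values)."""
    mean, sd = baseline[hour]
    margin = max(k * sd, rel * mean)
    if volume > mean + margin:
        return "high"
    if volume < mean - margin:
        return "low"
    return None


def constructed_week(seed=7):
    """Seven days of hourly volumes (MB): busy 09:00-17:59, quiet otherwise."""
    rng = random.Random(seed)
    samples = []
    for _day in range(7):
        for hour in range(24):
            if 9 <= hour < 18:
                samples.append((hour, rng.uniform(750, 850)))
            else:
                samples.append((hour, rng.uniform(35, 45)))
    return samples


BASELINE = build_baseline(constructed_week())

if __name__ == "__main__":
    # 900 MB at 02:00 is what after-hours bulk exfiltration would look like.
    for hour, vol in [(2, 900.0), (11, 820.0), (11, 100.0)]:
        print(f"{hour:02d}:00 {vol:7.1f} MB -> {check(BASELINE, hour, vol)}")
```

Re-run build_baseline regularly, as the list above recommends, so that seasonal growth does not turn normal traffic into a standing alarm.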


2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. In looking to keep their actions concealed, attackers will attempt to manipulate or delete entries, or inject fake entries, from log files. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Transfer old log files to a restricted zone on your network. This can help preserve the data and create space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.
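The first bullet above asks whether logs are being tampered with: altered timestamps, missing entries and duplicates. The following added example (not from the original post) audits a constructed syslog-style extract whose records carry a sequence number and an ISO timestamp, and reports exactly those three symptoms. The line format and the sample lines are assumptions.

```python
"""Added example: spot signs of log tampering in a sequence-numbered log.
Record format assumed: '<seq> <ISO-8601 timestamp> <host> <message>'.
The log lines below are constructed sample data."""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (.*)$")


def parse(line):
    """Return (seq, timestamp, host, message) or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seq, ts, host, msg = m.groups()
    return int(seq), datetime.fromisoformat(ts), host, msg


def audit(lines):
    """Return a list of (line_number, finding) for suspicious records:
    exact duplicates, gaps in the sequence (missing entries) and timestamps
    that run backwards (edited or injected entries)."""
    findings = []
    seen = set()
    prev_seq = prev_ts = None
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "unparseable"))
            continue
        seq, ts, _host, _msg = rec
        if line in seen:
            findings.append((n, "duplicate-entry"))
            continue  # do not let a duplicate distort the sequence check
        seen.add(line)
        if prev_seq is not None:
            if seq != prev_seq + 1:
                findings.append((n, f"sequence-gap:{prev_seq}->{seq}"))
            if ts < prev_ts:
                findings.append((n, "timestamp-regression"))
        prev_seq, prev_ts = seq, ts
    return findings


# Constructed extract: a duplicated record, three missing records and a
# final record whose timestamp predates the one before it.
SAMPLE_LOG = """\
1001 2018-12-03T22:01:05 pos-07 sshd: Accepted password for svc_backup from 10.0.5.20
1002 2018-12-03T22:01:09 pos-07 sudo: svc_backup : COMMAND=/usr/bin/rsync
1002 2018-12-03T22:01:09 pos-07 sudo: svc_backup : COMMAND=/usr/bin/rsync
1006 2018-12-03T22:03:41 pos-07 sshd: session closed for user svc_backup
1007 2018-12-03T21:55:00 pos-07 cron: run-parts /etc/cron.hourly
""".splitlines()

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```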

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. Load balancers are an integral part of preventing DDoS attacks, which can affect POS systems storewide. With a well-coordinated DDoS attack, a malicious actor could shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Preventing a DDoS attack can be an imposing undertaking, but with a load balancing device, most of this work can be automated.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and prevent DDoS attacks from doing serious damage to your organization’s operations or web presence.

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.


The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

Why You Should Act Now to Prevent Peer-to-Peer Payments Network Fraud

Consumers flock to opportunities for instant gratification. They want their coffee orders ready when they arrive, their purchases delivered today, their movies to play the instant the mood strikes. So, naturally, they bring these same expectations to day-to-day financial transactions, such as sending money to friends on their smartphones — even at the cost of security, and at the risk of peer-to-peer (P2P) network fraud.

That demand has driven rapid global adoption of P2P payments. Almost 60 percent of U.S. consumers use P2P platforms, according to Mercator Advisory Group. In the U.S., payment volume through the third quarter of 2018 for market leaders Zelle and Venmo already exceeded last year’s totals, according to American Banker.

Unfortunately, P2P payment network fraud is popularizing right along with it, according to USA Today. But with a holistic, layered prevention and detection program, financial institutions can capture P2P payment market share while protecting themselves and their customers.

The Rapid Growth of Adoption Is Driving Fraud

Experts expect P2P payments to continue their frenetic growth, with even more providers likely to emerge. Unfortunately, as with any new payment vehicle, fraudsters quickly poured their efforts into finding and exploiting holes in P2P network defenses.

Many cybercriminals have succeeded because of the nature of P2P transactions. Since they are in near-real time, the opportunity to safeguard and verify the legitimacy of all parties to the transaction using legacy banking tools is severely limited. Banks vary widely in their P2P network fraud protection, with some moving ahead with no protection at all, according to the New York Times. As a result, some financial institutions and customers are seeing big losses; one bank experienced a 90 percent fraud rate on Zelle transactions.

What Is P2P Network Fraud?

P2P payment fraud comes in several variations and affects multiple victims, which financial institutions should understand when building protections against attacks. Consumers are often tripped up in P2P payments when they send funds to the wrong phone number or email or to someone who doesn’t hold up his or her end of a deal. But one of the biggest sources of fraud is account takeover.

An account takeover is initiated when a victim with an account at Bank A has his or her personal or account credentials stolen through a previous data theft or phishing attack. The fraudster verifies that there is money in the account, then sends funds via P2P payment to a co-fraudster at Bank B, who withdraws the cash. The accomplice at Bank B might be part of the fraud ring, or perhaps he or she has been promised a share of the proceeds. The fraudster may use a dormant account or set up a new account in the name of another identity theft victim to receive the funds.

Both Bank A and Bank B have some culpability for the loss. Right now in the U.S., the Electronic Fund Transfer Act (EFTA) requires Bank A to make the victim whole by restoring the funds. However, it’s likely that regulators will soon hold Bank B accountable for preventing this type of activity as well, so financial institutions should learn how to detect account takeover sooner rather than later.

How to Detect Account Takeover

The challenge for financial institutions is to keep P2P payments appealing and easy for the customer while ensuring that both the customer and the bank are protected from fraud. Global P2P payment momentum will only grow, so to participate, financial institutions will need a holistic, multilayered security approach to detect and prevent fraudulent transactions.

A key piece involves detecting questionable behaviors on the part of any party to the transaction — for example:

  • A dormant account suddenly moving cash in and out;
  • An unusually high dollar amount sent to a new recipient; or
  • A contact center update to personal data, quickly followed by a new device accessing the account and then a P2P payment to a new payee.

Detecting those behaviors requires active monitoring via a digital fraud detection tool that spots mobile and online activity outside the norm for a user, such as a new device, location, transaction size or login pattern.

These work by tapping both internal and external data, such as the customer’s cell carrier — how long has the victim had this device and mobile number? Email is another resource — is this email address suddenly sending or receiving a lot of P2P payments? Examining transaction patterns, such as a low dollar amount followed by a high dollar transaction, adds to the picture.
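The three questionable behaviors listed above can be expressed as rules over an account’s event history. The following is an added example, not code from the original post or from any fraud detection product: it screens a constructed P2P payment against constructed prior events for the same account and returns which rules fire. The dormancy period, amount threshold and time window are assumed tuning values.

```python
"""Added example: rule-based screening of a P2P payment against account history.
All events, thresholds and account details are constructed placeholders."""
from datetime import datetime, timedelta

DORMANT_DAYS = 180                  # assumed: no activity this long = dormant
HIGH_AMOUNT = 2000.0                # assumed: amount that is unusual for a new payee
SEQUENCE_WINDOW = timedelta(hours=24)  # assumed: window for the takeover sequence


def ts(s):
    return datetime.fromisoformat(s)


def screen_payment(history, payment):
    """history: prior events for the account, oldest first. Each event is a
    dict with 'type' ('login', 'p2p_payment', 'profile_update'), 'at' and
    type-specific fields. payment: the new outgoing P2P payment.
    Returns the list of rule names that fired (empty = nothing suspicious)."""
    flags = []
    when = ts(payment["at"])
    prior_payees = {e["payee"] for e in history if e["type"] == "p2p_payment"}
    new_payee = payment["payee"] not in prior_payees

    # Rule 1: a dormant account suddenly moving cash.
    last = max((ts(e["at"]) for e in history), default=None)
    if last is None or when - last > timedelta(days=DORMANT_DAYS):
        flags.append("dormant-account-activity")

    # Rule 2: an unusually high amount sent to a recipient never paid before.
    if new_payee and payment["amount"] >= HIGH_AMOUNT:
        flags.append("high-amount-new-payee")

    # Rule 3: contact-center profile change, then a new device logging in,
    # then a payment to a new payee, all inside the window and in that order.
    recent = [e for e in history if when - ts(e["at"]) <= SEQUENCE_WINDOW]
    saw_update = saw_new_device = False
    for e in recent:
        if e["type"] == "profile_update" and e.get("channel") == "contact_center":
            saw_update = True
        elif e["type"] == "login" and e.get("new_device") and saw_update:
            saw_new_device = True
    if saw_update and saw_new_device and new_payee:
        flags.append("takeover-sequence")
    return flags


# Constructed histories.
DORMANT_HISTORY = [{"type": "login", "at": "2018-05-01T10:00:00"}]
DORMANT_PAYMENT = {"at": "2018-12-10T09:15:00", "amount": 300.0, "payee": "p-1"}

TAKEOVER_HISTORY = [
    {"type": "login", "at": "2018-12-01T08:00:00", "new_device": False},
    {"type": "p2p_payment", "at": "2018-12-02T12:00:00", "amount": 40.0, "payee": "friend-a"},
    {"type": "profile_update", "at": "2018-12-10T09:00:00", "channel": "contact_center"},
    {"type": "login", "at": "2018-12-10T11:30:00", "new_device": True},
]
TAKEOVER_PAYMENT = {"at": "2018-12-10T12:00:00", "amount": 2500.0, "payee": "p-2"}
NORMAL_PAYMENT = {"at": "2018-12-10T12:00:00", "amount": 50.0, "payee": "friend-a"}

if __name__ == "__main__":
    print("dormant :", screen_payment(DORMANT_HISTORY, DORMANT_PAYMENT))
    print("takeover:", screen_payment(TAKEOVER_HISTORY, TAKEOVER_PAYMENT))
    print("normal  :", screen_payment(TAKEOVER_HISTORY, NORMAL_PAYMENT))
```

A production engine would add the external signals the text mentions (carrier tenure, email reputation) as further rules and weight them, but the sequencing logic is the part that turns individually normal actions into a suspicious pattern.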

Balancing Speed and Protection

A holistic view is key; any one action might be normal, but as part of a series of activities can reveal a suspicious pattern. A well-designed fraud detection engine profiles the behavior of any entity and delivers best-fit analytics to quickly screen for suspicious patterns — all while enabling legitimate transactions to flow rapidly and smoothly.

Advanced capabilities such as artificial intelligence (AI) and machine learning mean these solutions learn as they go, taking into account digital, transactional and other data to discover new patterns and apply that learning to future transactions. This complements the fraud trend sharing that financial institutions must undertake to advance security across the industry.

Putting this holistic, multilayer detection and prevention layer in place is critical as P2P payments move beyond friends and family into their transactions with businesses, like landscapers and veterinarians. It starts with a well-rounded risk evaluation, ensuring layered controls all the way from customer login through to transaction fulfillment.

When financial institutions fill in those gaps with a multilayered solution, they enable P2P payments to flow in a way that balances risk mitigation with a fast, easy experience for customers — an invaluable arrangement for all parties involved.

The post Why You Should Act Now to Prevent Peer-to-Peer Payments Network Fraud appeared first on Security Intelligence.