Category Archives: Threat Intelligence Insights

RSA Preview: Compromised Credentials are STILL Your Organization’s Worst Nightmare

RSA, arguably the industry’s biggest conference, starts this week. Before you get blinded by all of the shiny new technology and the product and acquisition announcements, remember that good cybersecurity hygiene begins with the basics – patch and routinely update your systems, educate your employees, protect your passwords.

LookingGlass has access to a lot of places on the Internet, including the Deep and Dark Web where most data dumps and password leaks occur. Armed with this information, we maintain a proprietary Data Breach Detection System (DBDS) that continuously scours underground forums, hacker channels, and the dark web to uncover the latest data breaches and identify compromised accounts. Adding an average of several million findings per week, this system contains almost 5 billion records that are connected to approximately 3.5 billion unique username/password pairs.

As we see cyber attacks increase in size and sophistication, we often forget that some of the biggest attacks started with basic password cracking or a phishing/social engineering scheme. Analyzing compromised credentials can reveal a lot about the cybersecurity practices of organizations across verticals, and of all sizes. LookingGlass reviewed all compromised credentials within our DBDS from 2017 for the Fortune 100 companies and discovered that the most heavily-impacted business sectors were Technology, Financial, Insurance, and Telecommunications. The chart below compares the unique credentials LookingGlass uncovered in 2017 for the Fortune 100 companies by sector.

In addition, across all Fortune 100 companies, an average of 33% of all employees reused their login credentials. Organizations within the Telecommunications sector represented the highest percentage of reused login credentials, with nearly 45% of employees reusing usernames and passwords across multiple IT systems and web applications.

Credential reuse is a significant concern to organizations across all business sectors because threat actors routinely replay lists of these compromised credentials (credential stuffing) against web applications and other public-facing network infrastructure to gain access to business networks. For example, it is simple for a threat actor to check for web-based email services associated with each domain in a dump, potentially allowing a hacker to access the user’s work email account and to view or exfiltrate any sensitive information it may contain.

Assuming that the LookingGlass sample for Fortune 100 companies is a reflection of global organizational trends in credential security hygiene, we judge that at least one-third to one-half of the compromised credentials could likely facilitate illicit access, or cause otherwise negative repercussions, to many organizations. This threat is further exacerbated if an organization is unaware of credential compromises relevant to them or does not have other security measures in place to mitigate the risk of compromised credentials, such as two-factor authentication.
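The two checks the preceding paragraphs imply, whether a password already appears in a breach corpus and whether a user is reusing one password across internal systems, can both be done without ever transmitting or storing the plaintext. The following is an added example written for this page, not LookingGlass code, and it does not talk to the DBDS: the leaked-password list, the org key and the login observations are constructed for the demo. The breach lookup uses the hash-prefix (k-anonymity) pattern that services such as Pwned Passwords expose, where the client sends only the first five hex characters of the password’s SHA-1 and matches the returned suffixes locally. The reuse check assumes a password-change hook that can observe the new password once and reduce it to a keyed HMAC.

```python
"""Checking credentials against a breach corpus without revealing them.

Added example for this post; not LookingGlass code. The leaked-password list,
the org key and the login observations are constructed for the demo.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-in for a breach corpus: only SHA-1 digests are kept,
# bucketed by their 5-character prefix, as a range-query service would store them.
_LEAKED_PLAINTEXTS = ["password", "123456", "Summer2017!", "letmein", "qwerty"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_corpus(plaintexts):
    corpus = defaultdict(set)
    for pw in plaintexts:
        digest = sha1_hex(pw)
        corpus[digest[:5]].add(digest[5:])
    return corpus


CORPUS = build_corpus(_LEAKED_PLAINTEXTS)


def range_query(prefix: str):
    """Server side of the check: receives a 5-hex-char prefix and returns every
    suffix in that bucket. It never learns which suffix the caller wanted."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return sorted(CORPUS.get(prefix, ()))


def is_breached(password: str, query=range_query) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in query(digest[:5])


def reuse_report(observations, key: bytes):
    """Flag users who set the same password on more than one system.

    `observations` are (user, system, password) tuples seen at password-set
    time. Each password is reduced to an HMAC under an org-held key, so the
    report can be stored without retaining plaintext or unkeyed hashes.
    Returns {user: set_of_systems_sharing_a_password}.
    """
    seen = defaultdict(lambda: defaultdict(set))   # user -> tag -> systems
    for user, system, password in observations:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()
        seen[user][tag].add(system)
    reused = {}
    for user, tags in seen.items():
        systems = set()
        for tag_systems in tags.values():
            if len(tag_systems) > 1:
                systems |= tag_systems
        if systems:
            reused[user] = systems
    return reused


# Constructed login observations, as a password-change hook might collect them.
OBSERVATIONS = [
    ("alice", "vpn", "Summer2017!"),
    ("alice", "webmail", "Summer2017!"),
    ("bob", "vpn", "9j$Lq!2vPw#xR"),
    ("bob", "webmail", "T7&mZc@4hN!eK"),
]


if __name__ == "__main__":
    for user, system, pw in OBSERVATIONS:
        print(f"{user}@{system}: breached={is_breached(pw)}")
    print("reused across systems:", reuse_report(OBSERVATIONS, key=b"demo-key"))
```

The HMAC key should live only on the server that runs the reuse check; with an unkeyed hash, the report itself would become a crackable password dump if it leaked.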

4 Steps Organizations Can Take to Protect User Credentials

  1. Encourage and Enforce Password Hygiene Best Practices – Educate employees on best practices associated with password hygiene (i.e. use a different password for every account, change a password as soon as it is suspected to be compromised, etc.). Require employees to retire exposed passwords promptly and avoid repeated use across multiple platforms. Forced calendar-based rotation on its own tends to produce predictable variations of the old password, so rotation driven by evidence of compromise matters more.
  2. Manage Your Third Party Risks – Consistently monitor who is accessing your network and hardware. Are they trying to access areas of the network they shouldn’t be? Limit third parties’ access to specific portions of the network instead of allowing them to roam free.
  3. Back Up Your Data! – If a compromised account is used to destroy or encrypt data, restoring from a tested backup is far easier than starting from scratch.
  4. Educate Your Employees – Phishing attacks are still one of the biggest ways organizations are breached. Don’t give away confidential information, like your password.


How Can LookingGlass Help With These Steps?

LookingGlass offers tiered solutions to help organizations deal with the risks compromised credentials pose to you and your key vendors:

  • The LookingGlass Baseline Attack Surface Report™ is a cost-effective first step in determining which of your vendors pose the most risk to your organization. Your report will not only provide a historical analysis but also help you meet compliance and regulatory requirements when the occasion arises.
  • The LookingGlass Cyber Attack Surface Analysis™ is a deep-dive assessment of vendors that may have access to your organization’s networks and sensitive data. It not only provides a historical analysis of potential compromise, but may also assist your organization in meeting compliance and regulatory requirements. In addition, the Cyber Attack Surface Analysis can evaluate the cybersecurity hygiene of a company when conducting M&A activity.
  • The LookingGlass Third Party Risk Monitoring service delivers continuous visibility into the risk exposure and attack surface of your organization’s key vendors. This is an outsourced way to analyze your third party vendors’ risk impact to your organization. Our managed service keeps a watchful eye on your vendors’ networks 24/7/365, helping you to make informed, intelligent decisions about the cyber safety of your organization.


In addition, protect your organization’s attack surface with one of the LookingGlass “as-a-Service” offerings: Information Security, Brand Security, or Physical Security Monitoring:

  • Information Security-as-a-Service™: Protect your organization’s network and sensitive data. LookingGlass analysts monitor and identify information security threats such as phishing, malware, ransomware, and more.
  • Brand Security-as-a-Service™: Protect your organization’s brand, trademarks/logos, intellectual property, and online reputation.
  • Physical Security Monitoring-as-a-Service™: LookingGlass analysts monitor for risks to your organization’s most valuable physical assets, such as imposter social media accounts, unauthorized domain names, and threats against employees, executives, and facilities.

Interested in learning more about any of our offerings, or want to chat with one of our security experts? Find us at RSA – Booth 100 in the South Hall.

The post RSA Preview: Compromised Credentials are STILL Your Organization’s Worst Nightmare appeared first on LookingGlass Cyber Solutions Inc..

Elevating Your Security Posture with Threat-Intelligence-as-a-Service

Every enterprise organization is in a security arms-race that it must win. As technology becomes ever more intertwined with every business process and every element of the customer experience, the impact of a security breach becomes catastrophic.

Of course, every enterprise already knows this.

The question, however, is what to do about it when the organization must also evolve and expand its technology stack to meet the insatiable needs of its customers and the market.

As the attack surfaces continue to proliferate, enterprises cannot turn away or let their guard down. Instead, they must find a way to continually elevate their security posture and get ahead of the bad actors who are, likewise, continually seeking a vulnerability that will give them an opening.

A more efficient and effective way of approaching cybersecurity promises to help enterprises get the upper hand in this game of cat-and-mouse by identifying emerging threats before an attack begins — and delivering this intelligence in an actionable form without the overhead. The approach? Threat-intelligence-as-a-service.

The Losing Battle for Containment

When it comes to an organization’s security posture, there’s a natural evolution that occurs. The first stage of evolution is all about containment and perimeter security.

In this first stage, the focus is on establishing a perimeter, securing it and then containing any further exposure. This need for containment is so that organizations can define the theater of engagement — ensuring that what’s inside is safe so they can focus resources on protecting the perimeter.

This type of first-stage security posture has been the predominant focus of IT organizations. But this kind of security posture only works when you can effectively define and contain your perimeter — or, as it is also called, your attack surface.

As your attack surface expands or changes, especially when it is doing so at a rapid rate, containment becomes almost impossible. In these situations of an uncontainable attack surface — precisely what is happening now in the era of digital transformation — the organization must evolve its security posture to the next level. The question is how?

Why Threat Intelligence is in Your as-a-Service Future

The natural response to dealing with an expanding attack surface is to keep doing the same things – just faster and more expansively. This approach, however, is not only exhausting, it’s ineffective.

It’s a bit like trying to keep all the plates spinning on their poles – it’s only a matter of time before it all comes crashing down.

Organizations must, therefore, find a way to identify threats before they ever reach their dynamic and expanding perimeter and then respond preemptively. We call this concept of identifying threats before a security event has happened threat intelligence.

On the surface, employing threat intelligence sounds like the next logical step to proactively protect the organization’s hard-to-contain perimeter. But doing so is much harder than it sounds.

Identifying emerging threats to the enterprise, without creating a debilitating surge of false-positive alerts, requires equal measures of intelligence information, triage capabilities, and expertise to identify indicators that represent a threat to the enterprise.

Delivering effective threat intelligence is a mixture of science and art – and a capability that many enterprises are finding difficult and expensive to build in-house.

Threat Intelligence-as-a-Service, however, promises to deliver the threat intelligence capabilities that enterprises need, without the cost and overhead of building it themselves. Utilizing a managed service for threat intelligence will help enterprises develop this now-essential capability while minimizing the resource impact to the organization.

The Intellyx Take

It may be discomforting for enterprise executives to hear that they need to elevate their security posture and expand their already resource-strapped security operations further afield.

Creating a threat intelligence capability is not the core business of most enterprises. It is nevertheless essential for enterprise leaders to take an active response posture and engage threats far beyond their continuously evolving perimeter. Doing so, however, requires intelligence about those threats and the skills and expertise to make sense of the intelligence data.

This need for intelligence, combined with the reluctance to build and manage a threat intelligence capability in-house, is why enterprises are now turning to industry pioneers such as LookingGlass and their threat-intelligence-as-a-service offerings to strike the balance by outsourcing this critical capability.

There is no question that the security arms-race is continuing to escalate. The bad actors are well-funded, organized and ambitious. Enterprise organizations must respond in-kind, but must do so intelligently.

While an enterprise can never outsource its security responsibility, it can and should seek to leverage outside resources that can extend its capabilities in the most resource-efficient manner possible. As the fight between enterprises and those who wish to do them harm continues, enterprise leaders will need every advantage they can muster.


Copyright © Intellyx LLC. LookingGlass is an Intellyx client. Intellyx retains full editorial control over the content of this paper.

The post Elevating Your Security Posture with Threat-Intelligence-as-a-Service appeared first on LookingGlass Cyber Solutions Inc..

NotPetya’s Challenge? Re-Prioritize Your Information Security

The damaging wiper attack last June carried a clear message for global organizations: you need to re-prioritize your security spending.

About a month after the NotPetya malware outbreak in late June 2017, I was on the phone with someone I’ll call “Stacy,” who worked for a freight forwarding firm in the U.S. At the time we spoke, Stacy was desperate to locate a very important piece of equipment known as a “blowout preventer” (or BOP) that her company had contracted to ship to a customer in Norway for use on one of the offshore oil platforms there. The BOP had gone missing. That is surprising, if you’ve ever seen one. They’re massive pieces of equipment that get trucked around on 40-foot flatbed trucks.

Stacy knew where her shipment was: sitting on the dock in Bremerhaven, Germany, where it had landed right around the time NotPetya began spreading on June 27th. The problem was that her shipping company, A.P. Møller-Maersk, didn’t. Instead, it was scrambling to respond to the attack.

We now know that, behind the scenes, Maersk’s IT staff mounted a heroic effort: reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017, according to statements by the company’s chairman at the World Economic Forum in Davos in January. The malware cost Maersk more than $300 million to recover from. But the effects of the crippling attack rippled out to companies large and small, as well. Stacy’s firm had to spend money having the blowout preventer surveyed in Bremerhaven to make sure it was not damaged by sitting on the dock. Firms that were lined up to transport the part to the offshore rig in late June also lost business. The oil rig the part was destined for was kept idle waiting for the part’s arrival. The cost to the global economy is unknown – but is certain to total billions, if not hundreds of billions, of dollars.

What is the moral of this story for executives at firms like Stacy’s? Not falling for the next NotPetya means figuring out which weaknesses let this one spread and addressing them. But it also requires firms to stay ahead of threats so that they can anticipate new attacks, not merely respond to them.

What were NotPetya’s lessons? Here are some to consider:

Reimagine your risk

Conventional wisdom has been that cyber attacks, though disruptive, are manageable. Outbreaks like NotPetya and WannaCry challenge that established wisdom.

Both attacks were not merely disruptive but destructive: wiping out systems they infected, rather than simply hijacking them or holding their data ransom. The operational impact on the affected companies was severe. Maersk, for example, was forced to revert to pen and paper to run its business for days while it rebuilt its IT systems from scratch.

“Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT,” Maersk chairman Jim Hagemann Snabe said at Davos.

The lesson for your firm is clear: you need to reimagine the risks to your firm and its operations. In addition to formulating clear contingency plans for major outbreaks (robust, offsite backup and recovery plans certainly beat pen and paper), your firm should re-evaluate its assumptions about worst case scenarios as it weighs current and future information security investments and add some zeros to the “cost of doing nothing.”

Think holistically about threats to your organization

Maersk wasn’t the only global firm affected by NotPetya. FedEx suffered by way of its TNT Express acquisition. US-based Mondelez and the drug giant Merck were also hit hard by the malware. What’s interesting is that none of these firms were intended targets of NotPetya. Rather, they were collateral damage of an attack that experts believe was a Russian-backed campaign designed to disrupt Ukraine’s government and economy.

The moral? Instability in one part of the world (say, the rolling cyber conflict between Russia and Ukraine) can easily spill over national borders in ways that are unpredictable. Maersk’s chairman called his company an “accidental victim” of a nation-state attack. And that’s just about right. The consequence of this is that organizations cannot be too narrowly focused on known threats.

Quality threat intelligence from a reliable provider can help, but you also need to be able to integrate that threat intelligence into your IT operations and information security workflow. An example: NotPetya spread rapidly within corporate networks because it was married to powerful Windows SMBv1 exploits known as EternalRomance and EternalBlue, both of which Microsoft had patched in MS17-010 three months before the outbreak. Threat intelligence noting that both nation-state actors and cyber criminal ransomware groups were actively leveraging those exploits should have escalated patching and remediation efforts internally. Better patching would have limited the spread of NotPetya and greatly reduced its operational impact. It would not have stopped it entirely, because NotPetya also moved laterally with credentials harvested from memory and with legitimate administration tools (PsExec and WMI), which is why exploit intelligence has to be paired with credential hygiene and least-privilege administration.
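Turning “the feed says this is exploited in the wild” into a patch queue is the integration step the paragraph above calls for. The following is an added example written for this page, not code from the article, from LookingGlass or from any vendor. MS17-010 and its two CVEs (CVE-2017-0144 for EternalBlue, CVE-2017-0145 for EternalRomance) are real; the second advisory, the asset names and their patch states are constructed for the demo. In practice the `actively_exploited` flag comes from the threat-intelligence feed and the asset inventory from the CMDB or patch-management system; the weights are a starting point to tune, not a standard.

```python
"""Ranking missing patches by threat intelligence and exposure.

Added example for this post; not code from the article or from LookingGlass.
MS17-010 and its CVEs are real; the other advisory and the assets are
constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    patch_id: str
    cves: tuple
    actively_exploited: bool   # CTI reports nation-state or criminal use
    wormable: bool             # reachable over the network with no user action
    port: Optional[int]        # port the exploit reaches; None if local-only


@dataclass(frozen=True)
class Asset:
    name: str
    installed_patches: frozenset
    listening_ports: frozenset
    internet_facing: bool
    criticality: int           # 1 (low) to 5 (business-critical)


def score_finding(adv: Advisory, asset: Asset):
    """Return (score, reasons) for one missing patch on one asset, or None if
    the patch is installed. Weights are multiplicative so that an exploited,
    wormable bug on an exposed critical host dominates everything else."""
    if adv.patch_id in asset.installed_patches:
        return None
    score, reasons = 1, [f"missing {adv.patch_id}"]
    if adv.actively_exploited:
        score *= 4
        reasons.append("exploited in the wild")
    if adv.wormable:
        score *= 2
        reasons.append("wormable")
    if adv.port is not None and adv.port in asset.listening_ports:
        score *= 2
        reasons.append(f"port {adv.port} listening")
        if asset.internet_facing:
            score *= 2
            reasons.append("internet-facing")
    score *= asset.criticality
    return score, reasons


def prioritize(advisories, assets):
    """Rank every (asset, advisory) gap, highest score first; ties break on
    asset name then patch id so the output is stable between runs."""
    findings = []
    for asset in assets:
        for adv in advisories:
            result = score_finding(adv, asset)
            if result is not None:
                score, reasons = result
                findings.append((score, asset.name, adv.patch_id, reasons))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


ADVISORIES = [
    Advisory("MS17-010", ("CVE-2017-0144", "CVE-2017-0145"), True, True, 445),
    # Constructed local-only advisory with no CVE, to show how a quiet bug ranks.
    Advisory("EXAMPLE-LOCAL-PE", (), False, False, None),
]

# Constructed inventory: fileserver01 and kiosk07 are missing MS17-010.
ASSETS = [
    Asset("fileserver01", frozenset(), frozenset({445, 3389}), False, 5),
    Asset("kiosk07", frozenset(), frozenset({445}), True, 2),
    Asset("hr-laptop03", frozenset({"MS17-010"}), frozenset({445}), False, 3),
]


if __name__ == "__main__":
    for score, asset, patch, reasons in prioritize(ADVISORIES, ASSETS):
        print(f"{score:4d}  {asset:<14}{patch:<18}{', '.join(reasons)}")
```

With the constructed data, the unpatched file server with SMB listening comes out first (score 80), the internet-facing kiosk second (64), and the local-only advisory on every host trails far behind; a CTI feed that flips `actively_exploited` on an advisory quadruples its score across the estate overnight, which is the escalation the text asks for.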

Prioritize third party risk

A clear lesson of NotPetya is that third party risk is real and that companies and Boards of Directors need to pay a lot more attention to it.

How so? NotPetya’s initial avenue of infection was the update mechanism of a Ukrainian accounting and tax software package, M.E.Doc. The vendor, which had been compromised by hackers, unwittingly distributed a software update that installed the malware. More than 2,000 firms in Ukraine alone found themselves infected.

Should the presence of an application from a Ukrainian firm on your network raise alarms? Possibly. Especially when coupled with threat intelligence about similar efforts by nation-state actors to infiltrate and disrupt Ukrainian firms. A more holistic approach would be to assess the many software and hardware supply chains your firm relies on, together with the risk and possible consequences of any supply chain attack, and then introduce processes that mitigate such risks internally: an inventory of which vendors’ agents and updaters run with privilege on your network, and controls that keep a compromised update from reaching every host at once.


Paul Roberts is the Editor in Chief at The Security Ledger. You can follow him online at: @paulfroberts and @securityledger.

The post NotPetya’s Challenge? Re-Prioritize Your Information Security appeared first on LookingGlass Cyber Solutions Inc..

Thwart Cyber Attackers by Inverting Your Strategy

When it comes to your organization’s cybersecurity, there is no “one size fits all” solution. In the face of today’s dynamic threats – bad actors constantly find new and innovative ways to circumvent existing security apparatuses – many organizations are struggling to get ahead of an attack.

Yes, the more you know – what adversaries are operating in the space, the techniques and procedures they leverage, and the tools and vulnerabilities they use and exploit to ensure that their efforts yield success – the better positioned you are to defend your assets. However, have you ever thought about approaching this through what we call an “effects-based” lens – looking at the end game of an action as your starting point? By doing so, you’ll better understand the larger cyber threat landscape, and where your organization falls within it.

Initially a military concept, Effects-Based Operations (EBOs) systematically evaluate incidents (such as a major hack) through the lens of strategic centers of gravity — leadership, key essentials, infrastructure, population and military forces. EBOs look at the totality of the system being acted upon and determine the most effective means to achieve the desired end state.

It puts the attackers’ “bottom line” – in this case, their intended consequence – upfront with the purpose of analytically working back from that point to the perpetrator rather than the other way around. This allows network defenders to investigate how current tactics employed by hackers would work against their organization. In addition, security teams can explore other venues not yet compromised (but could be) to identify future threat trending.

Toward this end, security teams can look at the impact of cyber incidents within their respective industries and verticals to begin understanding how and why hostile actors are implementing specific attacks – and what they may look for in targeting their organization.

Recognizing the latter (i.e. data exfiltration or disruptive attacks), rather than focusing on the means and manners in which these objectives are carried out, enables network defenders to identify the causal linkages between such incidents, adding to their core knowledge base of attackers and their operations.

Examples of effects-based trends include infrastructure impedance such as that resulting from distributed denial-of-service (DDoS) attacks; influence schemes (e.g. the suspected Russian hacking of the Democratic National Committee and state voter registration systems); data aggregation typically associated with cyber espionage; “false flag” operations in which adversaries purposefully leave artifacts to implicate another source; and cyber-informed kinetics.

In a domain that continues to favor attackers, network defenders must find any advantage they can to compete against an adversary. An Effects-Based Operation for cybersecurity complements conventional strategies. With this, security teams sift through the volume of looming threats, identifying those that are most pertinent to their enterprise’s interests. This prepares them not only for the near term, but the future as well.

At LookingGlass, we provide clients with a suite of products and services that deliver unified threat protection against sophisticated cyber attacks. If you’d like to learn more about what we can do for your organization, please contact us.


The post Thwart Cyber Attackers by Inverting Your Strategy appeared first on LookingGlass Cyber Solutions Inc..