Category Archives: Threats

Bromium: Application Isolation in the Spotlight

  • Two major announcements bring application isolation into the spotlight
  • Microsoft and HP elevate the importance of isolation in the endpoint security stack
  • Isolate risky browser activity, but don’t forget files are risky too

This week, two major announcements came out highlighting the need for application isolation in the security stack for endpoint security – HP DaaS Proactive Security and Microsoft Windows Defender extensions for Chrome and Firefox. The spotlight on application isolation is an excellent way to raise awareness for this technology, and I applaud HP and Microsoft for going all out with isolation as a way to boost endpoint security. Here is a closer look at what both announcements are highlighting.

Microsoft Defender Application Guard (WDAG)

Microsoft Windows Defender Application Guard (WDAG) was announced over a year ago and introduced client virtualization on Windows. The initial release was designed to redirect untrusted (or not explicitly trusted) Edge browser activity into a VM. The end-user would surf the web using Edge, and if they typed in a URL or were redirected to a site that was untrusted, the website would open in a separate instance of Edge running isolated inside a VM. The end-user would have two instances of Edge running, and the protected instance was marked with a red background.

Everyone was excited when WDAG came out, as browsers continue to be a major attack vector, and we even wrote a blog supporting Microsoft entering the isolation market. As any security specialist will tell you, the safest way to stop malware is to keep end-users from opening emails or surfing the web altogether. While true, this is clearly not practical, and isolation is the technology that can change the game. Unfortunately for Microsoft, it was not practical to expect users to abandon Chrome and Firefox for Edge. You win some and you lose some, and Microsoft did not win the browser market. BUT they also didn’t lose sight of the importance of isolating potentially risky browser activity, which brings us to their announcement this week.

Microsoft releases Windows Defender Application Guard for Chrome and Firefox

Microsoft WDAG now allows users to surf the web using their browser of choice. When a user types in or is redirected to an untrusted site, the Chrome or Firefox extension redirects the website to open in Edge, which is running inside a VM. WDAG is still about client virtualization aiming to isolate risky websites into a separate VM on the user’s PC, but now the user is not required to use Microsoft Edge as their default browser. The end-user will have most of their browser activity take place in their default browser. However, when the user encounters an untrusted site, they will access that website in an isolated instance of Edge. Welcome back to browser isolation, Microsoft, and thank you for validating the application isolation market!

The second announcement this week that validates application isolation was from HP.

HP DaaS Proactive Security

HP and Bromium have enjoyed a productive relationship for over two years, since HP launched HP Sure Click, which uses Bromium Secure isolation technology for hardware-enforced browser isolation. Our relationship continues to grow and evolve, and this week HP announced the next step: including Bromium Secure isolation for browsing and files in their HP DaaS Proactive Security powered by HP Sure Click Advance. This announcement further validates that major players in the hardware and software market are recognizing the need to move the responsibility for endpoint security away from the end-user. Microsoft and HP are choosing to rely on application isolation as the way to prevent malware from invading Windows endpoints and spreading onto corporate networks.

Isolate Only Browsers?

While we applaud Microsoft’s decision to use isolation for surfing the web and for links that come in emails, there’s an obvious gap in their coverage. What about emails with attachments? And how about files that users download from the Internet? Browsers are indeed a major attack vector, but files are equally a major attack vector. If you don’t think files are a threat, you might want to visit some of our latest Threat Intelligence posts below.

What do you think of this week’s announcements? Share your thoughts and questions in the comments section. Happy reading!

The post Application Isolation in the Spotlight appeared first on Bromium.



Bromium

Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE!

Microsoft's products are still a leading source of exploitable security vulnerabilities used by hackers, according to a report by the firm Recorded Future.

The post Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE! appeared first on The Security Ledger.

Norsk Hydro Hit with ‘Severe’ LockerGoga Ransomware Attack

Global aluminum manufacturer Norsk Hydro was hit with an alleged ransomware attack Tuesday. The attack is having a major impact on the company's global business and production.

The post Norsk Hydro Hit with ‘Severe’ LockerGoga Ransomware Attack appeared first on The Security Ledger.

Pro-Brexit Camp Wages Active ‘Fake News’ Twitter Campaign

Suspicious activity on Twitter is trying to sway public opinion in favor of Brexit as the United Kingdom continues its struggle to reach a deal to withdraw from the European Union, according to a new report.

The post Pro-Brexit Camp Wages Active ‘Fake News’ Twitter Campaign appeared first on The Security Ledger.

Podcast Episode 137 Sponsored by Code42: GirlScouts to the Rescue and Rethinking Enterprise DLP

In this week's episode (#137): Hewlett Packard Enterprise (HPE) Chief Information Security Officer Elizabeth Joyce joins us to talk about HPE's collaboration with Girl Scouts of America to bolster teenagers' cyber security chops and encourage more young women to explore cyber security as a profession. Also: we talk with Vijay Ramanathan about the...

Report: China, Like Russia, Uses Social Media to Sway U.S. Public Opinion

Russia isn’t the only nation using social media sites like Facebook, Twitter and Instagram to spread its political message across the United States; China also is using social media–albeit in different ways–to sway public opinion and make the Communist country look favorable to the American public, research has found....

Devices’ UPnP Service Emerges as Key Threat to Home IoT Networks

Home connected device users are putting their IoT networks at risk by leaving exposed a common service devices use to seamlessly connect and communicate with each other, according to cybersecurity firm Trend Micro. Hackers recently have been found to exploit the Universal Plug and Play (UPnP) service of poorly configured routers and home...

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

The DFIR Hierarchy of Needs & Critical Security Controls

As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, consider Matt Swann's Incident Response Hierarchy of Needs. Likely, at some point in your career (or therapy 😉) you've heard reference to Maslow's Hierarchy of Needs. In summary, Maslow's terms, physiological, safety, belongingness & love, esteem, self-actualization, and self-transcendence, describe a pattern that human motivations generally move through, a pattern that is well represented in the form of a pyramid.

Matt has made great use of this model to describe an Incident Response Hierarchy of Needs, through which your DFIR methods should move. I argue that his powerful description of capabilities extends to the whole of DFIR rather than response alone. From Matt's GitHub, "the Incident Response Hierarchy describes the capabilities that organizations must build to defend their business assets. Bottom capabilities are prerequisites for successful execution of the capabilities above them:"

The Incident Response Hierarchy of Needs
"The capabilities may also be organized into plateaus or phases that organizations may experience as they develop these capabilities:"

Hierarchy plateaus or phases
As visualizations, these representations really do speak for themselves, and I applaud Matt's fine work. I would like to propose that a body of references and controls may be of use to you in achieving this hierarchy to its utmost. I also welcome your feedback and contributions regarding how to achieve each of these needs and phases. Feel free to submit controls, tools, and tactics you have or would deploy to be successful in these endeavors; I'll post your submission along with your preferred social media handle.
Aspects of the Center for Internet Security Critical Security Controls Version 6.1 (CIS CSC) can be mapped to each of Matt's hierarchical entities and phases. Below I offer one control and one tool to support each entry. Note that there is a level of subjectivity to these mappings and tooling, but the intent is to help you adopt this thinking and achieve this agenda. Following is an example for each one, starting from the bottom of the pyramid.

 INVENTORY - Can you name the assets you are defending?  
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Family: System
Control: 1.4     
"Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc.  The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network." 
Tool option:
Spiceworks Inventory

 TELEMETRY - Do you have visibility across your assets?  
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Family: System
Control: 6.6
"Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.  Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts."
Tool option:  
AlienVault OSSIM

 DETECTION - Can you detect unauthorized activity?
Critical Security Control #8: Malware Defenses
Family: System
Control: 8.1
"Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers."
Tool option:
OSSEC Open Source HIDS SECurity

 TRIAGE - Can you accurately classify detection results? 
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Family: System
Control: 4.3
"Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable."
Tool option:
OpenVAS         

 THREATS - Who are your adversaries? What are their capabilities? 
Critical Security Control #19: Incident Response and Management
Family: Application
Control: 19.7
"Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team."
Tool option:
Security Incident Response Testing To Meet Audit Requirements

 BEHAVIORS - Can you detect adversary activity within your environment? 
Critical Security Control #5: Controlled Use of Administrative Privileges
Family: System
Control: 5.1
"Minimize administrative privileges and only use administrative accounts when they are required.  Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior."
Tool option: 
Local Administrator Password Solution (LAPS)

 HUNT - Can you detect an adversary that is already embedded? 
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs       
Family: System
Control: 6.4
"Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings."
Tool option:
GRR Rapid Response

 TRACK - During an intrusion, can you observe adversary activity in real time? 
Critical Security Control #12: Boundary Defense
Family: Network
Control: 12.10
"To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions."
Tool option:
Bro

 ACT - Can you deploy countermeasures to evict and recover? 
Critical Security Control #20: Penetration Tests and Red Team Exercises       
Family: Application
Control: 20.3
"Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively."
Tool option:
Red vs Blue - PowerSploit vs PowerForensics


 COLLABORATE - Can you collaborate with trusted parties to disrupt adversary campaigns?
Critical Security Control #19: Incident Response and Management       
Family: Application
Control: 19.5
"Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an e-mail address of security@organization.com or have a web page http://organization.com/security)."
Tool option:
MISP
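
Control 12.10 under TRACK, worked as an added example (not from the original post or from the Bro project): it reads connection records in Bro's conn.log TSV layout and reports TCP sessions that last unusually long relative to the log's own baseline, with source and destination addresses. The sample log, the function names and the threshold rule (median plus k times the median absolute deviation, with a floor in seconds) are assumptions made for illustration.

```python
import statistics

def _row(*cols):
    return "\t".join(str(c) for c in cols)

# Constructed sample in Bro conn.log TSV layout (reduced column set, not real traffic).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
         "id.resp_p", "proto", "service", "duration", "conn_state"),
    _row(1483228800.1, "C1", "10.0.0.5", 51234, "198.51.100.7", 443, "tcp", "ssl", 12.4, "SF"),
    _row(1483228801.2, "C2", "10.0.0.6", 51300, "198.51.100.7", 80, "tcp", "http", 3.1, "SF"),
    _row(1483228802.3, "C3", "10.0.0.7", 40000, "192.0.2.10", 443, "tcp", "ssl", 45.0, "SF"),
    _row(1483228803.4, "C4", "10.0.0.5", 51240, "192.0.2.11", 22, "tcp", "ssh", 8.7, "SF"),
    _row(1483228804.5, "C5", "10.0.0.6", 51301, "192.0.2.12", 443, "tcp", "ssl", 120.5, "SF"),
    _row(1483228805.6, "C6", "10.0.0.7", 40001, "192.0.2.13", 80, "tcp", "http", 30.2, "SF"),
    _row(1483228806.7, "C7", "10.0.0.23", 49822, "203.0.113.50", 443, "tcp", "ssl", 86400.0, "SF"),
    _row(1483228807.8, "C8", "10.0.0.8", 50111, "198.51.100.99", 8443, "tcp", "-", 5400.0, "S1"),
    _row(1483228808.9, "C9", "10.0.0.9", 5353, "192.0.2.53", 53, "udp", "dns", 90000.0, "SF"),
    _row(1483228809.0, "C10", "10.0.0.5", 51250, "192.0.2.14", 443, "tcp", "-", "-", "S0"),
])

def parse_conn_log(text):
    """Return one dict per record, keyed by the names on the #fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def long_tcp_sessions(rows, k=6.0, floor_s=3600.0):
    """Flag TCP sessions longer than max(floor_s, median + k * MAD) of this log."""
    tcp = [(r, float(r["duration"])) for r in rows
           if r.get("proto") == "tcp" and r.get("duration", "-") not in ("-", "")]
    if not tcp:
        return []
    durations = [d for _, d in tcp]
    med = statistics.median(durations)
    mad = statistics.median([abs(d - med) for d in durations])
    threshold = max(floor_s, med + k * mad)
    hits = [{"uid": r["uid"], "src": r["id.orig_h"], "dst": r["id.resp_h"],
             "dst_port": int(r["id.resp_p"]), "duration_s": d}
            for r, d in tcp if d > threshold]
    # Longest sessions first, so the alert leads with the strongest outlier.
    return sorted(hits, key=lambda h: h["duration_s"], reverse=True)

if __name__ == "__main__":
    for hit in long_tcp_sessions(parse_conn_log(SAMPLE_CONN_LOG)):
        print("long TCP session {src} -> {dst}:{dst_port} {duration_s:.0f}s ({uid})".format(**hit))
```

The floor keeps a quiet network, where almost every session is short, from alerting on sessions that are only long by comparison; tune `k` and `floor_s` to the organization and firewall in question, as the control says.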

I've mapped the hierarchy to the controls in the CIS CSC 6.1 spreadsheet, again based on my experience and perspective; yours may differ, but consider similar activity.

CIS CSC with IR Hierarchy mappings


My full mapping of Matt's Incident Response Hierarchy of Needs in the CIS CSC 6.1 spreadsheet is available here: http://bit.ly/CSC-IRH

I truly hope you familiarize yourself with Matt's Incident Response Hierarchy of Needs and find ways to implement, validate, and improve your capabilities accordingly. Consider that the controls and tools mentioned here are but a starting point and that you have many other options available to you. I look forward to hearing from you regarding your preferred tactics and tools as well. Kudos to Matt for framing this essential discussion so distinctly.