STE WILLIAMS

Darknet hosting provider in underground NATO bunker busted

A large piece of the dark web’s spine has been broken: German investigators announced on Friday that they’ve excavated the CyberBunker.

The so-called bulletproof hosting provider, located five floors underground in a heavily fortified, Cold War-era, former NATO bunker in Germany, is a data center with around 2,000 servers dedicated to shielding illegal activity from the eyes of law enforcement.

Thirteen suspects connected to CyberBunker – seven arrested and the rest still at large – are being investigated in connection with the websites hosted by the data center, which involved arms trafficking, trafficking in child abuse imagery and drugs, selling fake documents, marketing stolen data, conducting large-scale cyber attacks or, as a spokesman for the Rhineland-Palatinate State Office of Criminal Investigation (LKA) put it:

Anything you can imagine on the Darknet.

Prosecutor Jürgen Brauer and regional criminal police chief Johannes Kunz said in a press conference on Friday that the countrywide, nearly five-year, complex investigation is the first time that German police have managed to break the operations of a bulletproof hosting provider.

The accused include 12 men and one woman, aged between 20 and 59. Police have arrested seven men and have issued warrants for the rest of the men and the one woman. Four of the suspects are Dutch, one is Bulgarian and two are German. In addition, 18 search warrants have been issued.

Wall Street Market crumbles

So far, investigators have determined that the darknet marketplaces and forums hosted on CyberBunker servers included the Wall Street Market (WSM), the second-largest marketplace of its kind in the world. An e-commerce site, it was something like an eBay for drugs, police said. They say it handled 250,000 transactions for a total of more than 41 million euros (USD $44.66m, £36.28m).

WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April 2019, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday 26 April, and which said that the “maintenance” would last a week.

WSM, along with the Valhalla Market (better known by its Finnish name, Silkkitie), was busted by an international police operation in May 2019.

Other forums run on CyberBunker servers included:

  • Cannabis Road. Investigators said that 87 sellers of illegal drugs of all kinds were registered on this site. Several thousand retail sales of cannabis products were processed on this platform.
  • Fraudsters. Another underground forum for drug sales.
  • Flight Vamp 2.0. Investigators said that this is the largest Swedish darknet marketplace for drugs, with some 600 sellers and about 10,000 buyers.
  • Orangechemicals, acechemstore, lifestylepharma. Other platforms marketing synthetic drugs, distributed throughout Europe.

During the press conference, Brauer also said that one of the servers inside CyberBunker was at the heart of the Mirai distributed denial of service (DDoS) botnet attack on German telecommunications company Deutsche Telekom in late November 2016. That attack knocked out some 900,000 customers’ routers, affecting close to 1 in 20 users.

Busy cybercrime beehive

CyberBunker has even more history: it served as a host for the file-sharing site (and crypto-mining CPU plunderer) The Pirate Bay and as one of the many WikiLeaks mirrors.

It’s also suspected of hosting spammers, botnet command-and-control servers, malware and online scams and was part of the March 2013 DDoS attack launched against Spamhaus – an attack of unprecedented ferocity against an international nonprofit dedicated to fighting spam.

Barbed wire, surveillance cameras

Kunz said that police had to overcome both the digital defenses and the physical security of the site: a 5,000-square-meter former military bunker located in the picturesque town of Traben-Trarbach on the Mosel River in western Germany. To keep people out, the area is surrounded by a fence topped with barbed wire, and video cameras monitor third-party activity.

According to local news outlets, the facility was acquired in 2013 from the Office for Geoinformation of the unified armed forces of Germany – the Bundeswehr – by a now 59-year-old Dutchman. He’s the main suspect and reportedly has ties to organized crime in the Netherlands.

The LKA said that several hundred emergency services personnel were involved. According to the Mayor of Traben-Trarbach, Patrice Langer, that included a helicopter. The search of the buildings on the former military site turned up about 200 servers, written documents, mobile phones and a large sum of cash.

Business must have been going well. Police reportedly found empty racks, already mounted, waiting for new servers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mdF0Y34b2RU/

China’s 500 megapixel camera is capable of mega-facial-recognition

Stop bragging about how many megapixels your snazzy new prosumer DSLR camera has – China has beaten you to it. Researchers there have just announced a 500mp camera. Rather than taking stunning vacation photos, though, one of the most likely uses for this wide-angle, beer-crate-sized device is identifying people dozens of meters away using facial recognition.

Fudan University worked with the Changchun Institute of Optics, Fine Mechanics and Physics of the Chinese Academy of Sciences to develop the camera, which takes both pictures and video in unparalleled detail. ABC’s story suggests that this is five times the resolution of the human eye, but scientific imaging specialist Roger Clark says that the human eye has an effective resolution of around 576mp.

Whichever figure you believe, 500 megapixels (or 0.5 billion pixels) is more than enough to pick out faces in a stadium or on a street corner with the camera’s built-in facial recognition techniques.

This should have your privacy alarm bells ringing, but that’s just one part of the story. There’s also the possibility of a link with China’s emerging social credit system (SCS). Designed for a full national rollout in China next year, it assigns points for activities deemed socially acceptable, like donating blood and doing volunteer work, while subtracting them for negative actions like jaywalking or not showing up for restaurant reservations.

Apparently, in some local prototypes, telcos show you a message when calling someone on the social credit system’s blacklist telling you that the person you’re calling is dishonest. We didn’t think that we’d find ourselves living in Black Mirror’s excellent Nosedive episode for a while yet, but oh well, here we are.

A camera like this would be a boon for such a system. You could theoretically spot someone jaywalking, littering on the street, or doing anything else that you deemed inappropriate, and decrease their score. Excuse me while I go and find an old lady to help across the road.

Commentators have remarked that actually processing these images would be problematic because of the difficulty in beaming massive files back to a data centre for processing. However, edge computing, in which people place the computing power next to the sensor at the edge of the network, is already gaining traction, and could conceivably support a high-volume processing activity like this.

It isn’t just China that’s interested in identifying people from far away. The Intelligence Advanced Research Projects Activity (IARPA), an organisation that encourages innovation to tackle tricky problems for the US intelligence community, recently put out a request for information under the heading Biometric Recognition and Identification at Altitude and Range (BRIAR). It asks for “research efforts and datasets that may be useful in planning a program focused on advancing the state-of-the-art of biometric recognition and identification at altitude and range”.

Spotting people from a long way away opens up more possibilities for recognition algorithms using other characteristics such as gait recognition (and yes, the Chinese are already doing this). What next? 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GeYEe_eqh_k/

Hacking 2020 voting systems is a ‘piece of cake’

It’s still child’s play to pick apart election systems that will be used in the 2020 US presidential election, as ethical hackers did, once again, over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August.

The results are sobering. This is the third year they’ve been at it, and security is still abysmal.

On Thursday, Voting Village organizers went to Capitol Hill to release their findings, in an event attended by election security funding boosters Sen. Ron Wyden and Rep. Jackie Speier.

In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called “trivial attacks” that required “no sophistication or special knowledge on the part of the attacker.” They didn’t get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.

From the Voting Village press release:

In too many cases physical ports remain unprotected, passwords remain unset or left in default configurations and security features of the underlying commercial hardware are left unused or even disabled.

Same old, same old

During the three years that Voting Village has tested voting system security, there’s been no shortage of warnings about the potential for tampering with any election systems connected to the internet or to any network. The state of election non-security is serious enough that the Defense Advanced Research Projects Agency (DARPA) is working on it: it is developing an electronic voting system that it hopes will prevent tampering with voting machines at the polls.

In 2017, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine at Voting Village. In 2018, an 11-year-old changed election results on a replica of Florida’s state website… in under 10 minutes.

And in 2019, Voting Village participants once again found new ways, or replicated already known techniques, to compromise machines so as to alter vote tallies, change ballots displayed to voters, or tinker with the machines’ internal software.

They did it all with precious little, at that. They didn’t have the resources of a professional lab, and many of the participants were testing systems with which they had no familiarity, working with any tools they could find.

As Matt Blaze, a co-founder of the election testing project and a Georgetown University cryptography professor, has noted, the meager resources of the Voting Village – a tiny room and eBay – are readily available to foreign adversaries or anyone who seeks to subvert elections.

With scant resources, the participants found that in most cases, the vulnerabilities could be exploited surreptitiously, via exposed external interfaces accessible to voters, precinct poll workers or to anybody who has brief physical access to the machines. Many of the machines also have vulnerabilities that leave them persistently open to threats over the long term:

In particular, many vectors for so-called “Advanced Persistent Threat (APT)” attacks continue to be found or replicated. This means that an attack that could compromise an entire jurisdiction could be injected in any of multiple places during the lifetime of the system.

Not surprising, but disappointing

The Voting Village report notes that none of this is surprising, but the results are disappointing, given that we’ve known about many of the specific vulnerabilities for over a decade.

As the Washington Post reports, lawmakers who are pressing legislation to get more funding for election security embraced the results, promising to use them to make it personal for every sitting member of Congress. The newspaper quoted Rep. Speier:

The best way we can make the case is by scaring the living bejesus out of every member of Congress that the system can be fixed against them.

Sen. Wyden, a major backer of boosting election security funding and a lawmaker who chimes in on all things cybersecurity, said the results prove that it’s “basically a piece of cake for a relatively savvy hacker to compromise an election and alter votes.”

What would fix this?

Voting system security experts say the only real fix is paper ballots. Or, to be more precise, there’s an urgent need to ensure that there’s a paper trail for every vote. With solely digital voting machines, there’s no way to audit the results.

But as Blaze has repeatedly emphasized, paper ballots can’t fix this on their own. They have to be backed up with rigorous post-election audits.

There’s a slew of bills seeking to secure elections, which would mandate the fixes recommended by Blaze and other security experts in exchange for federal cash, but they’re being blocked by Senate Majority Leader Mitch McConnell.

As the Post reports, McConnell recently endorsed delivering an additional $250 million in federal money to state election officials, but it’s far less than the $600 million Democrats are looking for, and his proposal lacks mandates about how states must spend the money.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/buAZK9dzyQA/

Cloudflare adds VPN features to 1.1.1.1 privacy app

As promised in April, Cloudflare has finally launched Warp, a consumer mobile privacy app that looks a lot like a VPN without actually being one.

That sounds confusing so let’s start by describing the service itself, which can be accessed via a free Android and iOS app called Warp, and a $4.99 per month subscription app called Warp+.

The first, Warp, is a development of the 1.1.1.1 service and mobile apps launched in 2018 as an alternative DNS resolver that headlined on the theme of privacy – i.e. we don’t log the sites you visit.

More recently, the 1.1.1.1 app added support for the emerging encrypted DNS standards, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which hide the domains people visit from ISPs and anyone else listening in (Mozilla recently integrated this service into Firefox).

Now 1.1.1.1 has become ‘1.1.1.1 with Warp’ by adding the ability to encrypt all traffic from the mobile device and not just DNS queries, hence the similarity to a full VPN.

What does the Warp+ subscription add to this? Despite being limited to one device, the user gets unlimited bandwidth and 30% better performance thanks, Cloudflare says, to Warp+ traffic being routed over its global network in an optimised way.

Note that if you signed up for the Warp waiting list via the 1.1.1.1 app, you also get the chance to try Warp+ free of charge with an initial 10GB of data.

If Warp isn’t a VPN, what is it?

Traditional VPNs route a user’s network traffic to a trusted, internet-connected server via an encrypted ‘tunnel’. The security benefit of a VPN is that it lets a user send traffic via a provider they trust (the VPN company) while hiding it from others they don’t trust (ISPs, Wi-Fi snoopers and bad actors, none of whom can see inside the tunnel).

The privacy benefit of a VPN is that a user’s traffic appears to originate from the trusted server rather than their own device. The server may be in a different country to the user and some commercial VPNs allow users to choose which country they appear to be browsing from.

This is why VPNs have become a popular way to dodge geographic restrictions placed on streaming content such as Netflix or the BBC.

Warp is different

Warp creates a VPN-like encrypted tunnel between the user and Cloudflare using an open-source protocol called WireGuard, which encapsulates TCP inside UDP.

Once connected, Warp behaves more like an optimised global routing network based on what Cloudflare calls ‘Argo Smart Routing’.

To make this fast, the traffic always enters Cloudflare at the nearest server to the user and exits from the network at a point closest to where the website is hosted.

However, the site is careful not to claim it can spoof or hide IP addresses as a VPN would. Websites visited see the real IP address of the user, which they wouldn’t with a true VPN.

In addition, Warp also excludes traffic to certain “over-the-top content provider websites, as determined by Cloudflare in its sole discretion,” from its network, which presumably refers to services such as Netflix, Hulu or Amazon.

In summary: if you don’t want your ISP to monitor which websites you visit, or want an extra layer of security when using public Wi-Fi, Warp is a simple way to ensure that for most sites – even if HTTPS and browsers such as Firefox and Opera already do much the same job.

What you don’t get is complete anonymity. Some apps can still see what you’re doing, as can websites and Cloudflare itself.

Anything else?

Warp might stop some apps from working (Google’s Play store and mobile data connections to name two), but it does allow apps to be excluded on an individual basis.

Similarly, Cloudflare is still working to get captive portals working when Warp is turned on. Some will work, some won’t.

In these cases, you can temporarily turn the app off.

As for using Warp with a laptop or PC, because Warp uses WireGuard, in principle there should be a way to make it work with these platforms with some fiddling.

Who can you trust?

1.1.1.1 with Warp follows hot on the heels of Firefox’s collaboration with Cloudflare on its experimental Firefox Private Network – a similar sort of VPN-that-isn’t-a-VPN for your desktop web browser.

In at least one important respect, neither of these does something you might expect a VPN to do: 1.1.1.1 with Warp doesn’t hide your IP address and Firefox Private Network doesn’t encrypt all of your network traffic. That’s got some people worried that naive consumers who use them end up with less privacy or security than they’re expecting.

On the other hand, both are aimed at incrementally improving the security of people who aren’t already using a VPN and both position themselves as being like a VPN, rather than a VPN proper.

The common factor in both is Cloudflare. Through these and other projects, the company is now shepherd to a vast amount of our internet traffic, which requires that we place a great deal of trust in it.

Of course, choosing not to trust your traffic to Cloudflare just means trusting it to somebody else: another VPN provider, your ISP or your mobile provider, for example.

Interestingly, because Warp+ is purchased through the Google Play store, the user doesn’t hand any personal data to Cloudflare itself.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IXc1HLdLZ1Y/

HMRC ‘disciplined’ almost 100 employees for computer misuse over 24 months

Almost 100 staff at UK tax collector HMRC faced disciplinary action for computer misuse in the previous two full financial years.

This is according to a Freedom of Information request by the Parliament Street think tank which discovered 92 employees were probed and rapped for the abuse in fiscal ’18 and ’19.

The most prevalent cases pertained to misuse of email, with 11 employees given a written warning in fiscal ’19, which ended March this year, compared to 15 in the prior year. In many of these cases, the punished employees were repeat offenders and had already received a final written warning for computer misuse.

The responses from HMRC also show that nine staff members in the most recent full financial year were hit with a warning over misuse of social media, including Facebook and Instagram – versus no cases in the previous 12 months.

Some 13 were penalised for misuse of telecommunications over the two financial years, and 19 for wider misuse of computers or HMRC systems, of which eight were fired – the only case of sackings over the 24 months.

HMRC has some 58,700 full-time employees on the payroll (PDF) so the figures highlighted by the FoI equate to a relatively small number. Nevertheless, there is a degree of concern that misuse of HMRC systems could pose a more serious threat.

“Tackling employee misuse of IT systems should be a top priority for all public sector organisations, particularly those which handle the financial data of millions of people,” claimed Christy Wyatt, CEO at Absolute Software.

“This kind of activity often involved individuals abusing access to personal information and in some cases sharing it, leading to a potential data breach.”

The Register has asked HMRC to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/01/hmrc_disciplined_almost_100_employees_for_computer_misuse_over_24_months/

If your org hasn’t had a security incident in the last year: Good for you, you’re in the minority

Nearly seven in eight CTOs and CIOs have admitted to their businesses suffering a data breach, according to a survey.

Threat intel biz Carbon Black reckons that of the 250 CTOs, CIOs and CISOs it surveyed earlier this year, 84 per cent admitted to some form of security breach within their organisation.

This compares with 88 per cent in January and 84 per cent answering “yes” to the same question in July last year. Details of exactly what constituted a “breach” were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services.

Most frequently breached were local councils, government orgs and retail businesses. Carbon Black reckoned that of the breached organisations, a shade under three-quarters said they had suffered reputational harm from the breach – with a third adding that they had “suffered financial impact” on top of that.

Healthcare and financial services, two traditional targets of online criminals, said they had seen attacks of “increasing sophistication” targeted at them over the past year. Although sophistication is claimed to be growing, this appears to be a subjective judgment.

Malware tops the list of bad things happening, with one in five surveyed CIOs claiming to have been hit by custom malware. Around 27 per cent, in contrast, said “generic malware” was at fault for causing them problems.

While Carbon Black’s survey didn’t break out what malware was and wasn’t seen, it fits the general pattern of ransomware crooks broadly targeting smaller, often public-sector organisations. With limited technical and financial resources to help them mitigate or overcome attacks on their IT infrastructure, such targets are relatively obvious and potentially lucrative if the targets give in and pay up.

Encouragingly for industry, 93 per cent of those 250 surveyed said that they were increasing their corporate spending on infosec.

Rick McElroy, Carbon Black’s head of security strategy, opined: “We found that companies are tightening up on the factors they can control, such as process weaknesses and out-of-date security technology, making incremental gains that improve their security posture from within.

“Nevertheless, phishing appears to remain the root cause of the majority of breaches, emphasising that businesses still have much work to do to get their employees on board and alert to phishing and social engineering.”

It’s generally not the high-tech, crafted malware attack from a sophisticated and determined attacker that pwns you. It’s Doris in HR clicking an email link and it doesn’t matter whether that results in a personal data leak or your trade secrets becoming public knowledge. Keep training your staff, folks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/01/carbon_black_threat_report/

Targeted Cybercrime On a Tear

CrowdStrike threat hunting data shows major increase in targeted financially motivated attacks in the first six months of 2019.

When it comes to targeted attacks, the volume of cybercrime campaigns actually overshadowed state-sponsored ones in the first half of this year. But that doesn’t mean nation-state attacks declined.

New data published today from CrowdStrike’s OverWatch threat-hunting service team shows that targeted cybercrime made up 61% of the targeted attacks CrowdStrike saw between January and June of 2019, a major spike from 2018, when it made up just 25% for the year. Nation-state attacks comprised 39% of the targeted attack campaigns in the first half of this year, versus 75% for all of last year.

“We saw an uptick in the second half of last year [with targeted cybercrime] as big game hunting was on the rise. And this year so far has lent itself to a major uptick,” says Jennifer Ayers, senior director of OverWatch and security response at CrowdStrike. There were more targeted cybercrime attack campaigns in the first half of the year, and “an increase in hands-on keyboard activity,” she says, as they burrowed through their victims’ networks.

Part of the reason for the surge in targeted cybercrime was the well-documented rise in ransomware attacks going after commercial businesses and organizations in order to net bigger ransom fees, aka “big-game hunting.” The attackers also have gotten more savvy about which critical servers to lock down in those attacks, ensuring bigger payouts. But the increase also had to do with cybercriminals doubling down on various types of data-stealing tools such as TrickBot, Ayers notes.

Overall, organizations report a surge in cyberattacks. A new global survey of CIOs, CTOs, and CISOs, by CrowdStrike rival Carbon Black shows that 84% of organizations have seen an increase in cyberattacks overall in the past 12 months, with 88% saying they suffered a data breach in that period. More than 80% report that attacks have gotten more advanced.

Nearly 45% suffered some financial damage from their breach, and 12% described the damage as “severe.”

China, according to CrowdStrike’s new data, remains the most prolific of nation-state players, a trend that CrowdStrike and other security research teams have seen for some time. OverWatch analysts spotted Chinese groups targeting the chemical, gaming, healthcare, hospitality, manufacturing, pharmaceutical, technology, and telecommunications industries in the first half of the year.

Telecommunications was one of the hottest targets for both state-sponsored hackers and cybercriminals. “Telecommunications is the new financial services” when it comes to being a big target, Ayers notes. “They are being hit really hard by multiple actors, but very interestingly, those actors all have different objectives.”

While China’s nation-state groups are after intellectual property as well as some telecom customer targets, cybercriminals are all about both stealing from telecom vendors for monetary gain but also using them as a stepping-stone to reach lucrative customer targets.

Meanwhile, the attackers are customizing legitimate IT tools such as CobaltStrike and Mimikatz, and employing tools like PC Hunter and Process Hacker to blend in and evade detection. They also are using legit tools to help them disable features of security tools in their targets’ networks. “Security tools being targeted is not a new thing,” Ayers notes, but since some newer-generation security tools are more difficult to disable, attackers are getting more aggressive in killing security tool processes and editing registries, or any other disruption to sneak past the tool.

What to Do About It

CrowdStrike recommends the usual security best practices for defense, including properly enabling the features in security tools such as machine learning and quarantining, and blocking known indicators of compromise. “Too often, due to uncertainty associated with potential false positives and business interruption, preventative features are left disabled or set in ‘monitor’ mode. As a result, attacks that could easily have been blocked get through,” CrowdStrike said in its report today.

Behavioral analysis also can help catch nefarious activity that sneaks past traditional security controls, the company said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/targeted-cybercrime-on-a-tear-/d/d-id/1335954?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Disruptive Trends Transforming Cybersecurity

Everything about IT has changed, but our security measures are still built around how we used to design software and systems. Where does security need to catch up with digital transformation – and how?

With the C-suite laying the gauntlet down for digital transformation in the enterprise — tying swift software delivery and market-adaptable tech services directly into core value propositions — many IT departments are entering an enlightenment period. CIOs, chief digital officers, DevOps visionaries, and plenty of collaborative tech industry luminaries have spurred on drastic changes in the past few years in how software is delivered, how infrastructure is run, and what IT architecture looks like.

These changes are already starting to be felt by security teams. But most in the industry have managed to muddle through some of the earliest stages of these transformative shifts clinging tentatively to the status quo. It’s uncertain how long it will take, but those in that old guard are headed toward a wall of disruption.

“Every single aspect of how we conceive of, build, write, deploy, run, and operate software has changed drastically in the last 10 years. We’ve gone from monolithic to microservices, waterfall to agile, on-premises to cloud, and so on,” says Brendan Hannigan, CEO and co-founder of Sonrai Security. “But everything we do in the security world was built around how we used to build software.”

As pilot projects in areas like containerization start to scale out and organizations move to cloud-first deployment policies, the same old, same old will quickly grow untenable. In fact, a number of trends are on track to seriously disrupt traditional security thinking and technology.

These trends will require CISOs and their teams to rethink security architectures, question old assumptions, rip-and-replace completely outdated security platforms, and invest in new security categories. Most importantly, these trends will demand that security leaders work more collaboratively than they ever have before to ensure they’re in lockstep with the breathtaking pace of change that’s remaking IT architecture and software delivery models today.

Here’s a closer look at five trends putting the most pressure on security.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/edge/theedge/5-disruptive-trends-transforming-cybersecurity/b/d-id/1335949?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AIOps: The State of Full Packet Capture Enters the Age of Practicality

How machine learning and artificial intelligence are changing the game of acting on large volumes of network data in near real time.

It’s a great time to be a security analyst, but those who serve in the role today are facing much higher expectations from their organizations compared with when I started out. Many are teetering on the edge of burnout because their companies need to get to the truth sooner, leaving analysts stuck with traditional approaches and tactics associated with full packet capture as the high-speed network’s bandwidth increases by the day.

The state of full packet capture — fundamental to enabling security analysts to hunt for threats, discover anomalies, or respond to incidents — has seen a few incremental advancements over the past several decades, but nothing that has allowed the analyst to allocate less time to it, because a fair amount of heavy lifting is still required.

As a security analyst in the military, my first experience with full packet capture in the late ’90s was the SHADOW system, an open source project dubbed an intrusion-detection system but really a full packet capture system designed for retrospective analysis, also known as threat hunting. The project was essentially a framework built with tcpdump and a collection of Perl scripts. However, SHADOW lacked any form of indexing, so mining the data was quite painful.

The next breakthrough in full packet capture was Time Machine, which introduced the notion of connection cutoff and indexing for faster search and retrieval. A sister project to Zeek (formerly known as Bro), Time Machine was an interesting project with lots of promise. Unfortunately, Time Machine did not scale beyond a few gigabits per second. Finally, there is Moloch, a full packet capture and search application integrated with advanced visualization that scales to 10Gbps and more. Moloch represents the state of the art in open source full packet capture, but it is yet to be determined whether it can scale to 100Gbps.
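The two ideas credited to Time Machine above, connection cutoff (keep only the first N bytes of every connection, since bulk transfers dominate volume while the interesting content sits at the start) and a flow index for retrieval, are simple enough to show in a few dozen lines. The following is an added example written for this page; it is not code from Time Machine, Moloch or the article’s author, and the packet records it processes are constructed in the script rather than read from a real capture.

```python
"""Connection cutoff plus a flow index, as used by retrospective
packet-capture systems.

Added example for this page; not code from Time Machine, Moloch or the
article's author. The packet records are constructed below; a real
sensor would feed pcap frames into CutoffCapture.offer() the same way.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int  # bytes on the wire


def flow_key(p: Packet):
    """Direction-agnostic 5-tuple: both halves of a connection share one key."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo, hi)


class CutoffCapture:
    """Retain at most `cutoff_bytes` per connection and index what is kept."""

    def __init__(self, cutoff_bytes: int):
        self.cutoff = cutoff_bytes
        self.flow_bytes = defaultdict(int)   # bytes observed per flow, kept or not
        self.retained = []                   # packets that would be written to disk
        self.by_flow = defaultdict(list)     # flow key -> offsets into retained
        self.by_ip = defaultdict(set)        # ip -> flow keys involving that ip
        self.seen_bytes = 0
        self.kept_bytes = 0

    def offer(self, p: Packet) -> bool:
        """Return True if the packet is retained, False if cut off."""
        key = flow_key(p)
        self.seen_bytes += p.length
        seen = self.flow_bytes[key]
        self.flow_bytes[key] = seen + p.length
        if seen >= self.cutoff:
            return False  # past the cutoff for this connection: drop
        offset = len(self.retained)
        self.retained.append(p)
        self.by_flow[key].append(offset)
        self.by_ip[p.src].add(key)
        self.by_ip[p.dst].add(key)
        self.kept_bytes += p.length
        return True

    def packets_for_ip(self, ip: str):
        """Index lookup: every retained packet of every flow touching `ip`."""
        offsets = sorted(o for k in self.by_ip.get(ip, ()) for o in self.by_flow[k])
        return [self.retained[o] for o in offsets]

    def reduction(self) -> float:
        """Fraction of observed bytes the cutoff saved us from storing."""
        return 1 - self.kept_bytes / self.seen_bytes if self.seen_bytes else 0.0


def constructed_trace():
    """Constructed sample: one bulk download and one short DNS exchange."""
    pkts = []
    for i in range(100):  # 100 x 1500 B download, 10.0.0.5 -> 203.0.113.9:443
        pkts.append(Packet(1000.0 + i * 0.01, "10.0.0.5", 51000,
                           "203.0.113.9", 443, "tcp", 1500))
    pkts.append(Packet(1001.0, "10.0.0.7", 40001, "10.0.0.53", 53, "udp", 80))
    pkts.append(Packet(1001.001, "10.0.0.53", 53, "10.0.0.7", 40001, "udp", 120))
    return pkts


if __name__ == "__main__":
    cap = CutoffCapture(cutoff_bytes=15_000)
    kept = sum(cap.offer(p) for p in constructed_trace())
    print(f"retained {kept} of 102 packets, {cap.reduction():.1%} of bytes not stored")
    print(f"flows seen for 203.0.113.9: {len(cap.packets_for_ip('203.0.113.9'))} packets")
```

With a 15,000-byte cutoff the bulk download is trimmed to its first ten frames while the DNS exchange is kept whole, which is the point of the technique: the small, early packets that carry handshakes, headers and lookups survive, and the per-IP index answers “what did this host talk to” without a linear scan of the stored data.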

These incremental improvements were made in the background while the high-speed network expanded and grew in importance within the organization. While the number of on-premises servers might have decreased, the quantity of mobile devices, Internet of Things sensors, and cloud applications that organizations use today to improve operations is increasing, creating an even more complex network environment and making the traditional approaches to full packet capture even more impractical.

Adding to the problem is the recent rise in overall traffic, which is forecast to continue. According to Cisco, companies can expect to see their network traffic triple by 2022. This will require organizations to make a proportional increase in data storage and maintain a brute-force, record-everything approach to network forensics that will cost companies significantly more in terms of time and money. This runs counter to most companies’ digital transformation journeys, where the bigger objective is to save on operational costs, increase IT agility, and improve responsiveness.

Fortunately, full packet capture is finally entering the age of practicality because of the introduction of AIOps. Gartner defines AIOps as the application of machine learning (ML) and data science to IT operations problems. The firm also predicts that large enterprises’ use of AIOps tools will reach 30% by 2023. The adoption of AIOps will pave the way to security automation like intelligent packet capture. This is an exciting development that our company is pursuing, along with others in the industry, to enable security analysts to utilize AIOps for network forensics.

The advancement of ML and artificial intelligence (AI) is enabling new innovations in full packet capture to bring some needed relief to the security analyst. When a machine learning engine ‘learns’ to classify packets and predict which ones need to be recorded, the security analyst benefits from higher-fidelity data, allowing him or her to conduct more meaningful and expedient forensics. As noted security analyst and trainer Chris Sanders says in his blog post, “if you can distill a PCAP down to key events then you’ll have a much more manageable set of data points to aid your investigation.”

Thanks to AIOps, security analysts now have an opportunity to utilize more open source technologies and experiment with ML and AI to make packet capture work better for them and their organizations. Before, it was unrealistic to expect a group of analysts in a security operations center to proactively ferret through petabytes of data in search of an anomaly or indicator of compromise in a timely manner. Normally, this would be — at best — a week-long exercise without ML or AI. Access to these enabling technologies represents a significant improvement in the state of full packet capture, making them practical and invaluable resources for security analysts.


Randy Caldejon leads the company’s innovation and product development. Prior to CounterFlow, Randy was the CTO of Enterprise Forensics at FireEye. He is a widely respected authority in network security monitoring and sensor technology. A military veteran, engineer, and serial …

Article source: https://www.darkreading.com/threat-intelligence/aiops-the-state-of-full-packet-capture-enters-the-age-of-practicality/a/d-id/1335902?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dive deep into the world of cyber attackers at the CyberThreat Summit

Promo Hosted by the UK government’s National Cyber Security Centre (NCSC) and training specialist SANS Institute, the two-day CyberThreat Summit 2019 in London this autumn is a highly informative technical event bringing together security practitioners from the UK and Europe.

SANS CTO James Lyne, who will speak at this year’s summit, shared why he thinks security professionals should attend: “CyberThreat is so important because it brings together people of all ages, of all backgrounds, who spend their time reverse engineering malware, finding exploits, and doing hands-on work to get better together. When I started as a security researcher, I wasn’t doing it as a job, I was a fourteen-year-old who was interested in binary exploitation and finding flaws – I didn’t know I could get paid for this!”

A packed two-day schedule, spanning Monday, November 25 to Tuesday, November 26, encompasses inspiring presentations and case studies from top industry experts covering the full range of the latest attack methods, security tools, and defensive techniques.

Here are some of the detailed presentations listed on the agenda so far:

Need for Plead: BlackTech pursuit – A technical analysis by PwC of how espionage threat actor BlackTech has become more sophisticated, using samples of the Plead malware family.

DNS: from hijacking to intelligence apparatus building – NCSC insiders look at the techniques and tactics of a DNS espionage campaign in 2018 and 2019.

APT Bingo: Mapping the DNA of the Bronze Union threat group – Secureworks presents a blueprint of China-based Bronze Union’s network intrusions from its clashes with the group during a period of nearly three years.

Tactics, techniques and procedures of the world’s most dangerous attackers – The talk includes an analysis of the tactics, techniques, and procedures of Sednit, the group reportedly responsible for the Democratic National Committee hack that affected the US 2016 elections.

The case of the great firewall – The Sherlock Holmes-themed story of how Cisco investigated a customer’s lack of connectivity, and the tools and methods it used.

In addition to presentations from world-renowned cyber-security experts and rising industry stars, CyberThreat 2019 features many hands-on opportunities for delegates in the form of CTF events, team problem solving and “hackathon” challenges against some of the latest devices and products. Attendees will also attempt the interactive hackable badge challenge, designed to test one’s skills across a variety of disciplines. The CyberThreat badge is also your guide for the duration of the event containing schedules, speaker bios, and more.

You can find more information, including additions to the schedule as they appear right here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/01/sans_cyberthreat_summit/