STE WILLIAMS

Digital Forensics & the Illusion of Privacy

Forensic examiners don’t work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers, and now their important security research is finally being acknowledged.

It is difficult, if not impossible, to keep what we do online or on an electronic device private. Every action creates digital forensic artifacts — residual forensic evidence left behind when users or applications interact with an operating system. Nevertheless, the privacy myth lives on: browsers offer “anonymous modes,” users can clear their history, or apps provide guarantees of “disappearing” content. Yet forensic experts have a wide range of tools at their disposal to uncover the various pieces of evidence and piece together what happened. The first attempt to put forensic research in the mainstream of security research will be a shocker to many.

While forensics has historically gone unremarked by the media, Guidance Software (recently acquired by OpenText) on Wednesday announced the winners of its inaugural Forensic Research Awards Program. These researchers include digital detectives who exposed a popular antivirus product that left behind users’ long-term Web history, regardless of users’ attempts to clear histories or use private browsing modes. Other research revealed IP addresses of anonymous users exposed by peer-to-peer software often deployed for pirating. There was also a major encryption vendor that left keys behind that could be recovered by law enforcement.

Vulnerability versus Forensic Research
Forensic research is a close cousin to vulnerability research. Vulnerabilities typically allow malicious code to execute or security controls to be bypassed. Forensics concentrate on the digital evidence that operating systems and applications leave behind. Both forms of research expose privacy concerns, but forensics shatters the illusion of privacy altogether. Everything leaves forensic residue: running applications, clicking files, accessing data, opening email attachments, and surfing the Internet.

Vulnerability research typically embarrasses software vendors, and gag orders are common. Vendors pay bounties to control the disclosure and patch before vulnerabilities become public. Forensic examiners don’t work for bounties. They do what is required to catch criminals, pedophiles, or corporate embezzlers. Their findings are often public record in court cases — but not widely recognized in the media or elsewhere.   

The Forensic Research Awards Program was created to recognize the importance of forensics and reward researchers for their work. Consider the winner of OpenText’s top research prize, Justin Bartshe, a longtime forensic examiner and an investigator with the United States Naval Criminal Investigative Service (NCIS). One of Bartshe’s cases involved searching all of a user’s data, encoded or not, including every system file and every nook and cranny of a user’s operating system. Bartshe found URLs related to his case in a SQLite database left behind by a popular open source AV product. Despite the fact that the suspect cleared the browsing history many times, much of the long-term history still existed in the database. The AV product even records most of the browsing done in private or incognito mode.

Privacy & the Future of Forensics
An examiner at NCIS typically needs to present findings in court and defend them. Many people don’t know this, but forensics is a science; defense teams often conduct their own forensic analysis to challenge prosecutors as well. Findings must be reproducible or they will be shot down in court. 

Bartshe wasn’t attempting to embarrass the AV vendor or collect a bounty. His job required him to reverse engineer the AV platform’s previously unknown SQLite DB to prove the conditions where it records browsing. Depending on the case, these findings can go into public record as part of prosecution. In this instance, Bartshe’s research was used in a case to protect children from abuse.


Paul Shomo is a senior technical manager for third party technologies at OpenText. A veteran of cybersecurity, Paul Shomo has spent more than 15 years as a software engineer with experience working in security and forensics, networking, and storage. Paul has spent several …

Article source: https://www.darkreading.com/threat-intelligence/digital-forensics-and-the-illusion-of-privacy/a/d-id/1330696?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russia’s Fancy Bear APT Group Gets More Dangerous

Encryption and code refreshes to group’s main attack tool have made it stealthier and harder to stop, ESET says.

Fancy Bear, the Russian advanced persistent threat group associated with the infamous intrusion at the Democratic National Committee last year among numerous other break-ins, may have become just a little bit more dangerous.

The group — also referred to as Sednit, APT28, and Sofacy — appears to have recently refurbished its primary malware tool, Xagent, and added new functionality to make it decidedly stealthier and harder to stop, security vendor ESET said in an advisory Thursday.

The modular backdoor has been a central component of Fancy Bear’s campaigns for several years. Initial versions of the tool were designed to break into Windows and Linux systems. But it has been updated in the past two years to include support for iOS, Android, and, since the beginning of this year, OS X.

The fourth and latest version of the malware comes with new techniques for obfuscating strings and all run-time type information. The techniques, according to ESET, have significantly improved the malware’s encryption abilities. The Fancy Bear/Sednit group also has upgraded some of the code used for command and control (C&C) purposes and added a new domain generation algorithm (DGA) feature for quickly creating fallback C&C domains.

“The previous version of Xagent modular backdoor was already very complex, but the new version is even more,” says Thomas Dupuy, malware researcher at ESET.

ESET is still completing its analysis of the new features in Xagent, but the new encryption algorithm and DGA implementation are significant, he says. “The former makes the malware analysis more difficult while the latter makes domain takeover more challenging, as there are more domains to take down or seize,” Dupuy says.

In addition to the encryption and DGA, Fancy Bear also has some internal improvements such as new commands that can be used for hiding malware configuration data and other data on a target system. The authors of the malware have redesigned and refactored some existing components so it has become harder to recognize previously discovered mechanisms. Xagent also now has the ability to take screenshots of the target’s desktop.

The new version of Xagent has improved Fancy Bear/Sednit’s ability to stay under the radar, Dupuy says. “Some of these changes are definitely related to the fact that they are trying to avoid too much attention while others are to make security researchers’ jobs harder,” he notes.

Otherwise, Fancy Bear/Sednit’s tactics and techniques have remained largely unchanged. The group still relies heavily on the use of very cleverly crafted phishing emails to try and get targets to click on links that lead to malicious domains or to download malware.

It has largely stopped using Sedkit, an exploit kit used in numerous previous attacks, and has increasingly begun using a platform called DealersChoice to initially breach systems.

DealersChoice, according to ESET, can generate documents with embedded Adobe Flash Player exploits. One version of the platform is designed to first check which version of Flash Player a target system might be running and then exploit it. Another variant first contacts a C&C server and then delivers a selected Flash exploit.

Like the previous Sedkit exploit kit, DealersChoice is designed to scour international news stories and include references to relevant ones in the malicious emails it generates and sends to potential targets.

From a targeting standpoint, Fancy Bear/Sednit still appears to be focused on the same objectives, Dupuy says. It’s still attacking government departments and embassies all over the world, with a particular interest in Eastern Europe, where the group regularly targets individuals and organizations involved in geopolitics.

Generally, Fancy Bear’s tactics, techniques, and procedures have not changed a whole lot, Dupuy says. But the group has shown a tendency to vary its infection techniques, he adds. “The new version is more complex to analyze, which slows down ability to defend against the malware,” he notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/russias-fancy-bear-apt-group-gets-more-dangerous/d/d-id/1330702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Businesses Go on Pre-Holiday Cloud Acquisition Spree

VMware, McAfee, and Trend Micro announce a series of acquisitions that indicate a strong focus on cloud security.

Tech companies closed 2017 with cloud-focused acquisitions that demonstrate an industry-wide trend that refuses to slow down. VMware, McAfee, and Trend Micro all have announced plans to buy cloud businesses within the past month.

Earlier this month, VMware finalized its purchase of VeloCloud Networks. It plans to add VeloCloud’s software-defined wide area network (SD-WAN) tool to its lineup so it can help users run, manage, connect, and secure applications in the cloud, Jeff Jennings, senior vice president and general manager of VMware’s networking and security business, wrote in a blog post.

The SD-WAN tool will boost performance and availability for enterprise and cloud applications with “full visibility, metrics, control and automation of all endpoints,” he added.

McAfee Buys Skyhigh
Less than eight months after its spinoff from Intel, McAfee purchased cloud access security broker (CASB) provider Skyhigh Networks. In a post on the news, McAfee CEO Christopher Young called it “an ideal complement” to McAfee’s strategy going forward.

“Cloud security has historically been an afterthought of, or impediment to, cloud adoption,” he pointed out. Indeed, this year has proven time and again the dangers of rushing to cloud without putting the right safeguards in place, as demonstrated by a series of AWS data leaks affecting major organizations including TigerSwan, Dow Jones, and, most recently, Alteryx.

Skyhigh will “accelerate” McAfee’s strategy, says Raja Patel, vice president and general manager of corporate products at McAfee. He calls endpoint and cloud “architectural control points” that address threats targeting data, applications, and infrastructure.

Security operations teams need automation and orchestration to address a higher number of threats with fewer resources, Patel continues. The CASB space is maturing: by 2020, 85% of large businesses will use a CASB product, he says, citing data from Gartner.

This acquisition is “fortifying the cloud control point,” he explains. The ultimate goal for McAfee is to strengthen endpoint and cloud security, and it believes Skyhigh will drive this forward. “More and more of us are transient in and out of environments with our devices, and more and more of the services we access are outside the enterprise in the cloud,” Patel says.

The Skyhigh brand name will remain in the market following the transaction. McAfee will “consider opportunities” to endorse it, Patel says, given its strong reputation for cloud security.

Trend Micro Acquires Immunio
Around the same time McAfee bought Skyhigh, Trend Micro snapped up Immunio. The goal is to expand its hybrid cloud security tool with a combination of purchased capabilities and in-house development, the company explained. Trend Micro will acquire Immunio’s application security technology and talent.

“As organizations move to the cloud and adopt a more modern approach to applications delivery — generally falling under the ‘DevOps’ term — traditional approaches to security, such as bolting it on at the end of development or trying to form a strong perimeter, just don’t work,” says Mark Nunnikhoven, vice president of cloud research for Trend Micro.

Immunio integrates with application code to analyze its behavior and protect against threats in a way other approaches don’t, he adds. Trend Micro’s goal is to build a platform that can integrate with DevOps culture. It’s focusing on automation for customer applications, building its Deep Security platform, and ramping up internal R&D to focus on container image scanning.

The acquisition will bring Immunio’s early detection, protection against app vulnerabilities, and container image scanning into these projects.

“You can protect all stages of application delivery, from the time the code is written all the way through to production,” says Nunnikhoven. “To do that, you have to apply the right security technique at the right time in the application lifecycle.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/businesses-go-on-pre-holiday-cloud-acquisition-spree--/d/d-id/1330701?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Coinbase investigates insider trading after Bitcoin Cash price spike

How can you lose in the cryptocurrency game? We have counted the ways before – hacks of exchanges, “frozen” wallets, stolen passwords, volatility and more – Naked Security’s Paul Ducklin cited more than a half-dozen examples back in 2014.

But the list keeps growing – you can now add insider trading (but only pencil it in for now).

Coinbase, the San Francisco-based digital currency exchange, lit up social media in all the wrong ways on Tuesday after it suddenly announced it would allow its users to buy, sell, send and receive Bitcoin Cash (BCH) on its Global Digital Asset Exchange (GDAX), but then suspended trading just four minutes after it began.

The reason? Well, a rocket-like price spike in the hours before trading was enabled might have had something to do with it. BCH, a spinoff last August in a hard fork from the original Bitcoin, had been hovering in the $1,800 to $2,000 range, but in advance of the announcement had jumped to about $3,500 on most exchanges.

However, the GDAX exchange was quoting a price well in excess of twice that – $8,500 (some reports had it at $9,500) – when trading was enabled, which then quickly fell to a little more than $3,000, prompting ferocious complaints.

On the GDAX status page, a quick series of updates tracked the chronology. Trading was enabled at 5:20 p.m.; the order book went back to “post-only” mode four minutes later; and then at 6:30 p.m. came this:

All BCH books will enter cancel-only mode, and all existing orders will be cleared. While in cancel-only mode, no new orders will be accepted. We will post an update shortly.

This, according to Adam White, general manager of GDAX, was done, “to ensure a fair and orderly market.” But things were anything but orderly at that point.

Coinbase CEO Brian Armstrong hurriedly took to the company blog to address a flood of accusations of insider trading. He promised an investigation even though, “we have no indication of wrongdoing at this time.”

He said the company has a strict prohibition on employees and contractors from trading on, or communicating to anyone outside the company, “material non-public information,” such as a new asset to its platform. He said the prohibition on trading or disclosing the BCH launch plans had been, “communicated multiple times via multiple channels to employees” a month earlier.

But he said given the price spike in the hours before the announcement:

“… we will be conducting an investigation into this matter. If we find evidence of any employee or contractor violating our policies — directly or indirectly — I will not hesitate to terminate the employee immediately and take appropriate legal action.”

For burned customers, there was no “if” about it. They took to Twitter to level their accusations of insider trading, despite assurances from Coinbase that “employees have been prohibited from trading in Bitcoin Cash for several weeks”:

Yet another update from GDAX just after 8 p.m. PST on Tuesday said BCH markets would reopen on Wednesday at 9 a.m., adding, “at that time, BCH markets will enter post-only mode for a minimum of one hour to allow liquidity to be established.”

The opening was then announced on schedule, and it apparently took two hours to “establish liquidity.” An update at 11:01 said, “Trading is now live on BCH-USD. If significant volatility is observed, GDAX will pause trading.”

BCH was created after some developers became frustrated at the increase in transaction times for original Bitcoin. They improved transaction speed for BCH by modifying the blockchain to allow more data to be processed at a time.

And initially, Coinbase was among numerous exchanges that refused to support it. That changed at least a month ago, however, based on Armstrong’s post, perhaps because of its growing popularity. Coinmarketcap ranks BCH as the world’s third largest cryptocurrency, with a market capitalization of $59 billion. It puts its value at midday on Wednesday at $4,160 – less than half of what it had been on GDAX a day earlier, but more than twice what it had been just days ago.

Price halved in a day? In cryptocurrency land that’s almost calm.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sleOv9V2vSM/

What does the security industry look like from the inside? [Chet Chat Podcast 267]

In this episode of the Chet Chat podcast, Sophos expert John Shier interviews Claudio Stahnke from Canalys Channel Forums about the view of security from the channel partner’s perspective.

John and Claudio touch on GDPR, security as a service, IoT and more.

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/neC5ivGDh9M/

Facebook fights imposter accounts with facial recognition

Facebook on Tuesday announced a new facial recognition tool that can spot you even when you haven’t been tagged – handy when some identity thief goes and puts up an account with your photo.

It also introduced a way for the visually impaired to know more about who’s in the photos they encounter on Facebook.

You might be a bit dizzy from Facebook’s ever-changing privacy controls. You might be wondering how to keep yourself from ever being tagged in the first place, which would be pretty nice, privacy-wise. Sorry, Charlie: long story short, we’re still stuck with having to go untag ourselves, since nobody’s forced to ask us before they do the deed.

Short story long, on the facial recognition front Facebook says it’s received feedback from people saying that they’d find it easier to manage face recognition through a simple setting, so it paired the new tools with a single on/off control. It says that if your tag suggestions setting is currently set to “none,” then your default face recognition setting will be set to “off” and will remain that way until you decide to change it.

At which point you may be saying, as was I, Who now? What? Where dat?

For which Facebook has this page with instructions about how to turn off tag suggestions for photos of you. Mind you, it doesn’t stop anybody from tagging you – all it does is stop Facebook from suggesting that people tag you in photos that look like you.

Anyhow, back to the notifications when Facebook spots photos of you even though you haven’t been tagged: from hereon in, if you’re part of the audience allowed to see the image, you can choose whether to tag yourself, roam free and untagged like the wild mustang you are, or reach out to the person who posted the photo if you have concerns about it.

You can, that is, unless you’re in Canada or the EU, where all this is moot: Facebook doesn’t currently offer facial recognition there, a situation brought about after backlash from users and regulators. (In 2012, the company, under pressure, turned off facial recognition in Europe and deleted the user-identifying data it already held.)

If you’re in a photo but you’re not in the post’s selected audience, you are out of luck, since Facebook says it “always respect[s] the privacy setting people select when posting a photo on Facebook (whether that’s friends, public or a custom audience).” Thus, you can still be in a photo and not receive a notification if you’re not in the audience.

At any rate, the new use of facial recognition is mostly about letting you know if someone has uploaded your photo as their profile picture. Facebook wants to prevent people from impersonating others on the platform.

This isn’t the first approach it’s taken to the problem: In March 2016, it was testing a feature that alerted users if somebody was impersonating them. Impersonation was one reported source of harassment that was brought up in a series of roundtables the company held around the world to discuss women’s safety on social media.

With regards to helping the visually impaired, two years ago, Facebook launched an automatic alt-text tool that describes photos to people with vision loss. Combining it with facial recognition will enable people who use screen readers to know who appears in photos in their News Feed even if people aren’t tagged.

A little background on all this facial recognition stuff:

Since 2010, face recognition technology has “helped bring people closer together on Facebook.”

Well, that’s the way Facebook tells it.

Let’s rewrite the fairy tale from the perspective of we, the huddled, relentlessly tagged masses: Since 2010, Facebook’s been “helping us” by facially recognizing people in photos, suggesting their names for tagging, and not bothering to ask the people whom Facebook thought it had recognized whether or not they actually wanted to be tagged.

There have been notifications when we’re tagged, and then we’ve had to go untag ourselves. We have not, mind you, been notified before we’ve been tagged, in case we don’t want to be tagged in the first place, by the paparazzi we call friends and family.

Since 2010, Facebook’s facial recognition has gone through all sorts of gyrations. At one point, Facebook appeared to have gotten to the point where its systems don’t even have to see your face to recognize your face. In 2015, Facebook’s artificial intelligence team scored 83% facial recognition accuracy, even for photos where faces weren’t clearly visible, by relying on cues such as a person’s stance and body type.

All this, in spite of the fact that people overwhelmingly loathe it when their photos are posted without their approval.

To Facebook’s credit, though, it’s done at least one privacy-positive thing vis-a-vis facial recognition: in November 2015, the company said it was putting together a program to warn parents before they share photos of children publicly instead of just with friends.

It was refreshing to see Facebook planning to do something about the missteps that people make with photos that are feeding into its mushrooming database of facial recognition biometric data.

(Its Jabba the Hutt of a face database hasn’t exactly given up on bread and pasta, however; in April 2016, Facebook announced that it was moving beyond still photos to auto-tagging faces [and cats, and fireworks, and food] in videos. Talk about shooting growth hormones into a database!)

The heads-up to parents was a good step. We can count the extra help for the visually impaired to that side of the facial recognition ledger, too. Also, being told when people are using your photos as their own profile pictures is a win.

We’d still like to see Facebook come out with a setting where you specify that you can’t be tagged at all. Or how about going backwards one more step in the process?

Given that Facebook can recognize your likeness without you being tagged, it would seem to be possible that the company could offer a setting through which users could choose to have photos of themselves pre-emptively barred from being posted at all.

Would you opt for that one?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PT-nCe8nOV4/

5 Romanian ransomware distributors arrested after police raid

Over the last week, police in Romania arrested five suspects for allegedly spreading CTB-Locker (Curve-Tor-Bitcoin Locker or Citroni) and Cerber ransomware, renting the malware from a ransomware-as-a-service (RaaS) outfit on the Dark Web.

According to Europol, police searched six houses in Romania during “Operation Bakovia”: a joint operation between Romanian and Dutch police and public prosecutors offices, the UK’s National Crime Agency, the FBI, Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).

The operation was named after Romanian poet George Bacovia.

Below is a video recorded by Romanian police during searches at seven locations. The raids turned up what authorities said was a large haul of hard drives, laptops, external storage devices, cryptocurrency mining computers (you can hear their fans roaring away in the video) and other documents.

The gang is being prosecuted for unauthorized computer access, serious hindering of a computer system, misuse of devices with the intent of committing cybercrimes and blackmail.

If the name CTB-Locker rings a bell, it’s because the ransomware has been around for a while, and it’s come in a few forms. That name was used by the crooks behind a widespread Windows ransomware campaign back in 2014.

CTB-Locker was also the name used for a more recent PHP ransomware that attacked blogs, websites, content managers and more in 2016.

(You can read about the Windows version of CTB-Locker and other ransomware variants in the SophosLabs paper The Current State of Ransomware, published in December 2015.)

Cerber, which first appeared in early 2016, was for a long time the No. 1 ransomware intercepted from customer computers, according to SophosLabs’ recently released 2018 Malware Forecast.

Europol says that early this year, the Dutch High Tech Crime Unit tipped off Romanian authorities about a group of Romanian nationals who were behind a wave of spam that pretended to originate from well-known companies in countries like Italy, the Netherlands and the UK.

The bait was an attachment, typically disguised as an invoice. Opening the attachment on a Windows computer set the ransomware loose to encrypt data files – documents, photos, music, videos, and more – on the infected computer.

As Europol explains it, CTB-Locker was one of the first ransomware variants to use Tor to hide its command and control infrastructure.

Europol says that the operation has identified more than 170 victims from several European countries. All have filed complaints and provided evidence that Europol says should help in prosecutions.

Besides CTB-Locker, two people from the same Romanian gang are also suspected of distributing Cerber ransomware that infected plenty of systems in the US. The United States Secret Service is now investigating those infections.

Investigations into the crooks behind the two ransomware variants were initially separate, but when the Romanian gang was tied to both attacks, it became one investigation. The US issued an international arrest warrant for the two Cerber suspects, after which they were arrested the next day in Bucharest while trying to leave the country.

Operation Bakovia investigators found that the suspects didn’t develop the malware; rather, they got it from developers who charged around 30% of the ill-gained profits. This sort of ransomware-as-a-service “affiliate program” makes inflicting malware easy for crooks who lack cybersmarts.

Defensive measures: ransomware

As we’ve noted before, the best defense against ransomware is not to get infected in the first place. To that end, Sophos has published a guide titled How to stay protected against ransomware that we think you’ll find useful:


You can also listen to our Techknow podcast Dealing with Ransomware:



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5Kr_ws28_PE/

Be a More Effective CISO by Aligning Security to the Business


These five steps will help you marshal the internal resources you need to reduce risk, break down barriers, and thwart cyber attacks.

The recently released F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” unearthed some disconcerting results about CISO effectiveness. In particular, the survey asked specifically: Are security operations aligned with business objectives? The answer:

  • Fully – 26%
  • Partially – 34%
  • Not – 40%

If security isn’t aligned with the business objectives of the organization, then how can the security program function effectively? Security always exists in context to something else, and that context is the organization’s business objectives. If you’re one of those 40% not aligning at all with your business goals, here are five things you can do.

Step 1: Understand the Business
To build a security program that matches business objectives, you first have to understand the business. How do you do this? By asking questions and doing your homework, and not just about your organization but about your industry sector, as well.

  • You should clearly understand your organization’s reason for existing. What is unique about your organization? Who does your organization serve as part of its mission? Who are the biggest customers and what do they want? What do they expect? Who are the key partners? What do they expect? How does your business compare in these aspects to others in your industry sector?
  • The next important issue is to understand how revenue flows in. Is it constant, cyclical, or tied to sales? How does it lose revenue? Are there cash reserves for rainy days?
  • From there, determine what assets you need to protect. What does the organization want to keep secret? What parts of the organization must never be tampered with? What functions must always keep running? Is it critical that the website is always up? What do employees need to do their job? What information do they need; what systems? What happens if they don’t get those things? Also, what regulations must the organization abide by? What critical contracts must be fulfilled?
  • Next, be sure you understand the biggest challenges the organization faces. Is it growth? Survival? New markets? Changing regulations? Competition? Shrinking customer base? Shrinking budget?
  • What are the major organizational processes? How does the organization circulate information internally?
  • What physical locations does the organization use? Not just the offices and factories, but warehouses, offsite storage, parking lots, and rented temporary offices.
  • What technology is in use now? Before? Planned for later? What problem is each of them intended to solve? Are they working effectively? Do they need to be upgraded or replaced?

Step 2: Leverage the Business Understanding
Use this information to get buy-in on risk reduction programs. Remember that when a security incident occurs, it can have many different kinds of impacts: loss of customer confidence, reduction in sales advantage, regulator fines, operational overhead, and loss of competitive advantage due to breached trade secrets. Find the hot buttons and push them.

Step 3: Break Down Barriers
The F5 Ponemon survey also touched on how much silo and turf issues can impede a security program’s effectiveness with the question: Do turf and silo issues diminish security strategy? The response:

  • Yes, significant influence – 36%
  • Yes, some influence – 39%
  • Yes, minimal influence – 15%
  • No influence – 10%

To help break through the silos, you need to work with each group towards the common company goal of protecting the business of the business. This means you will need to explain your message in terms of each department’s critical processes and requirements. By tying back to the common goal of furthering the organization’s strategic goals, you can help get everyone moving in the same direction and build cooperation.

Step 4: Empathetic Listening
A key to building cooperation is to develop the skill of empathetic listening to engage your ears before you start hammering a message into people. You listen with the goal of understanding the other person’s point of view and acknowledging how they feel about the situation. Listen to people’s complaints. Users work in different contexts than IT and security. They have work that needs to get done that has nothing to do with your security policy. Listen carefully to their problems and then, once they’ve had their say, you can connect their jobs to the security mission.

Step 5: Leverage Contextual Business Knowledge
To break down barriers and silos, you’ll need to align users’ daily practices with security. Hopefully your examination of organizational processes and goals provides the information you needed for this. It also is useful for framing your security messages in the language of the organization’s culture, not in terms of security culture. This leads to a key part of making this work: giving people understandable reasons why a security process is in place.

Step 6: Talk about Threats and Impacts
Using the institutional knowledge you’ve gathered, explain why you’re implementing particular security processes. Be specific and detailed about what you’re trying to prevent, and clarify how the process will control it. This will also help get people on your side when a process doesn’t work perfectly. For example, if you explain that customer social security numbers should always be encrypted, then users can let you know when they see them displayed in plain view. In this way you can quickly zero in on security incidents and fix problems.

Another big motivator is explaining how security incidents directly affect the organization’s ability to function and meet its business objective by measuring risk in terms of the loss of operational efficiency and business capability. This is a powerful technique, especially if you’ve got a strong grasp on what the organization cares about.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/be-a-more-effective-ciso-by-aligning-security-to-the-business-/a/d-id/1330618?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Small, Targeted Ransomware Attacks Emerge

Cybercriminals narrow their focus on specific industries, geographies, or size for a better return on investment, security experts say.

Ransomware attackers in the past year have begun to launch small, targeted campaigns, seeking a better return on their investment of time and money.

Cybercriminals are expanding beyond ransomware “spray and pray” attacks delivered by spam, and focusing instead on specific industries, geographies, or companies of a particular size with ransomware phishing campaigns, according to security experts.

“For most of 2016, ransomware campaigns were sent by spam. On some days, tens of millions of emails were sent out,” says Patrick Wheeler, director of threat intelligence for Proofpoint. He says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.

Ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method, says Anton Ivanov, lead malware analyst with Kaspersky Lab. Attackers behind ransomware campaigns have gone as far as creating special teams with specific developer skills to penetrate networks and language skills to write phishing emails that appear more convincing, too, he says.

Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies, are some of the industries that have been hit this year with targeted ransomware campaigns.

“We find when ransomware targets specific verticals, it is usually healthcare and higher education. We don’t know why these verticals, but maybe because there is a large user base,” says Wheeler.

A previously undocumented strain of the Defray ransomware was used in one attack against healthcare companies and educational institutions, while another Defray attack targeted manufacturing and technology companies, according to a Proofpoint report.

PetrWrap, a Petya-based ransomware variant, targeted financial organizations across the globe, according to Kaspersky.

Wheeler says the Philadelphia ransomware authors initially targeted healthcare companies, while Petya’s authors concentrated on regions within Germany during the spring. Other ransomware campaigns also targeted specific geographies: Serpent’s authors focused their campaign on the Netherlands then Belgium, while Crysis targeted German organizations, he says.

Company size also factors into targeted ransomware attacks. Mamba ransomware authors target large organizations with more than 1,000 endpoints, Ivanov says, citing the high-profile attack against the San Francisco Municipal Transportation Agency as one example.

“They are focusing on big organizations because with ransomware, [the payout] is based on how many endpoints you can compromise,” Ivanov says, adding that Mamba is still active and targeting organizations in the Middle East.

Evolution

Meantime, while the Philadelphia and Petya authors started out with targeted campaigns, their strategy eventually shifted. “Once ransomware goes global, it is not used as a targeted campaign. That’s what happened with Philadelphia and Petya,” Wheeler says.

Philadelphia targeted healthcare companies before it later became a commodity and was sold as ransomware-as-a-service (RaaS), a situation similar to Petya, which initially targeted companies in Germany, explains Wheeler.

Defending against targeted or spray-and-pray ransomware attacks is similar: each requires backing up data frequently, dedicating a team to analyze the organization’s endpoint security and activity, and ensuring all control processes are in place on the network, Ivanov says.

“Targeted ransomware attacks will continue to evolve,” Ivanov warns, so companies need to take steps to reduce the impact.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/attacks-breaches/smalltargeted-ransomware-attacks-emerge/d/d-id/1330662?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Network Visibility Is Critical to Removing Security Blind Spots

You can’t secure what you can’t see. Here are four ways to shine a light on the dark spaces of your corporate infrastructure.

There’s an axiom used by security professionals that states: “You can’t secure what you can’t see.” This rather simplistic statement actually has many different meanings when it comes to securing a business because of the rapidly growing number of network blind spots that exist in today’s information technology infrastructure.

I recently ran across a post on network visibility that did a nice job of describing how greater visibility enables better security. This is something I have been preaching for years. Below are what I consider the four top blind spots in networking, and the role that visibility plays to shine a light on them. But first a definition: network visibility is being able to “see” all endpoints and traffic that traverse the company network, which now extends to the public cloud.

Blind Spot 1: East-West Data Center Traffic
In the client-server era, all traffic went from a computer, into the data center, to the core, and back. This is known as north-south traffic. Securing this type of traffic flow means putting big firewalls and other tools in the core of the network where traffic would be inspected as it passed through. Over time the folks at VMware figured out a way to virtualize workloads and send traffic between them, even if they are in another location of the data center. This is known as east-west traffic.

The challenge in securing east-west traffic is that it never passes through the core, so it bypasses all your traditional (and expensive) tools, as well as new ones such as behavioral analysis. Organizations could try to deploy security tools at every possible east-west junction, but that would be ridiculously expensive and complicated. Network visibility tools allow security managers to see every east-west flow and then individually direct them to specific security tools instead of sending all traffic to all tools. This enables organizations to move forward with initiatives that drive up the amount of east-west traffic, such as cloud, container, and virtualization initiatives, without putting the business at risk.

Blind Spot 2: Internet of Things (IoT)
The IoT era has arrived and businesses are connecting non-IT devices at a furious rate. Building facilities, factory floor equipment, medical equipment, and other IoT endpoints are now connected to the company network. One of the challenges is that the majority of IoT devices, 60% according to ZK Research, are connected by an operational technology (OT) group and not by information technology teams. Network visibility can help IT discover these devices, infer what they are, and spot malicious traffic.

For example, a connected device that sends traffic to Lutron Electronics every day is likely an LED lighting system. If the lights suddenly start communicating with the accounting server, a breach can be assumed and the device immediately quarantined. Without visibility, this could take months to find. With visibility, this breach could be found almost instantly.

Blind Spot 3: Insider Threats
Malicious users or infected devices can be very difficult to spot as they are typically “trusted.” For example, a worker on vacation might have his or her laptop compromised when connected to free Wi-Fi service in a coffee shop. The person then returns to work, passes the authentication tests, and spreads the malware across the company. What’s more, with traditional perimeter security, there is no way for a company to know that a disgruntled employee is stealing the entire customer database and selling it to a competitor because the traffic never goes through the firewall. In both cases, a good baseline of traffic helps security professionals understand the norm, so if a worker’s devices start exhibiting odd behavior, it can be flagged, quarantined, and inspected, minimizing the damage.
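The baselining idea behind Blind Spots 2 and 3, as an added example that is not from the article or from any vendor's product: learn which destinations each device normally talks to, then flag an unknown device, a first-ever destination (the lighting controller reaching the accounting server) or a volume spike (a workstation suddenly pulling far more than usual). All device names, hostnames and byte counts are constructed for the demo.

```python
# Added example: per-device traffic baseline and anomaly check.
# Flow records are constructed as (source_device, destination, bytes).
from collections import defaultdict

# Constructed "known good" period used to learn the baseline.
BASELINE_FLOWS = [
    ("lighting-ctrl-1", "cloud.lutron.example", 1200),
    ("lighting-ctrl-1", "cloud.lutron.example", 900),
    ("lighting-ctrl-1", "ntp.corp.example", 76),
    ("laptop-jdoe", "mail.corp.example", 50000),
    ("laptop-jdoe", "fileshare.corp.example", 250000),
]

# Constructed new flows to check against the baseline.
NEW_FLOWS = [
    ("lighting-ctrl-1", "cloud.lutron.example", 1100),      # normal
    ("lighting-ctrl-1", "accounting-db.corp.example", 4096),  # lights -> accounting
    ("laptop-jdoe", "mail.corp.example", 48000),             # normal
    ("laptop-jdoe", "fileshare.corp.example", 9_000_000),    # bulk pull
    ("hvac-unit-7", "updates.vendor.example", 300),          # device IT never saw
]


def build_baseline(flows):
    """Per device: known destinations and the largest transfer seen to each."""
    seen = defaultdict(dict)
    for src, dst, nbytes in flows:
        seen[src][dst] = max(seen[src].get(dst, 0), nbytes)
    return seen


def find_anomalies(baseline, flows, volume_factor=10):
    """Return (device, destination, reason) for flows that break the baseline.

    volume_factor is a hypothetical threshold: a single transfer more than
    volume_factor times the largest one previously seen counts as a spike.
    """
    alerts = []
    for src, dst, nbytes in flows:
        known = baseline.get(src)
        if known is None:
            alerts.append((src, dst, "unknown device"))
        elif dst not in known:
            alerts.append((src, dst, "new destination"))
        elif nbytes > volume_factor * known[dst]:
            alerts.append((src, dst, "volume spike"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

In practice the baseline would be learned from flow or packet-broker telemetry over days rather than a handful of records, and the "new destination" alert is what turns a months-long blind spot into a near-instant detection.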

Blind Spot 4: Cloud Traffic
The use of public cloud services such as Amazon Web Services and Azure has skyrocketed over the past several years and will continue to grow as more businesses move on-premises data and technology to a cloud model. One of the security problems with the cloud is that, by definition, cloud technology is located outside of the business’s secure perimeter. Consequently, conventional wisdom asserts that data in the cloud can’t be secured locally.

The truth is, almost all cloud providers offer tools that provide basic telemetry information, and some of the more advanced visibility vendors/network packet brokers now provide pervasive visibility into AWS, Azure, and other cloud service providers. This effectively makes the cloud an extension of the enterprise network. In addition to security, this data can be used for analytics, performance monitoring, or machine learning.

We live in a world today where literally everything in a company is being connected, virtualized, mobilized, and pushed into the cloud, making data significantly more difficult to secure. If you can’t secure what you can’t see, then invest in network visibility tools that shine a light on security blind spots. Then shut them down!


Zeus Kerravala provides a mix of tactical advice and long term strategic advice to help his clients in the current business climate. Kerravala provides research and advice to the following constituents: end user IT and network managers, vendors of IT hardware, software and …

Article source: https://www.darkreading.com/perimeter/why-network-visibility-is-critical-to-removing-security-blind-spots-/a/d-id/1330686?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple