STE WILLIAMS

With Data Breach Costs, Time is Money

The sooner a company can detect and respond to an incident, the less likely they are to pay for it, a new IBM-Ponemon study finds.

One of the main takeaways from IBM’s latest annual data breach report, released this week, is that a strong incident response capability can help organizations reduce breach costs by more than 25% on average.

IBM’s study of over 500 data breach victims — conducted by the Ponemon Institute — shows that businesses with a formal incident response team and well-tested response plans spent $3.51 million on average on breach costs compared with $4.74 million by those who had neither.

The study shows that organizations on average took 206 days after initial intrusion to first identify a data breach and another 73 days to remediate it. But companies that were able to detect and contain a breach in fewer than 200 days spent $1.23 million less in breach costs.

“When it comes to data breaches, time is money, and the longer it takes to contain and remediate, the longer the organization keeps bleeding, so to speak,” says Limor Kessem, global executive security advisor at IBM Security.

The IBM-Ponemon study — now in its 15th year — considered four core categories of expenses when computing breach costs: lost business, detection and escalation, notification, and post-breach, Kessem says.

“We found that lost business has remained the highest cost factor over the past five years,” Kessem says. This includes things such as the costs of business disruption, revenue losses from system downtime, damage to a company’s reputation, and the cost of lost customers, she says. The global average customer turnover rate caused by a data breach was 3.9%, an increase from last year’s rate of 3.4%, she says.

Quick detection and response are critical to reporting the exact scope of a breach, figuring out what might have been compromised, and complying with regulatory breach notification requirements. A fully drilled incident response team can help speed up restoration and repair, Kessem notes. “[Organizations] are in a better place on reporting and can save costs on everything from operational downtime, employee productivity, and regulatory fines to reputational damage.”

Joseph Carson, chief security scientist at Thycotic, says the reason why companies are having a harder time detecting breaches is because attackers are getting better at hiding their tracks by abusing privileged accounts and other measures to remove traceable digital footprints. Many security researchers have noted a recent increase in attacks that employ legitimate remote admin tools and other utilities to hide on a compromised network for extended durations. “A strong incident response plan can be useless if you’re not actively threat hunting” as well, Carson says.

The IBM-Ponemon study shows that other measures could help organizations reduce breach costs, too. Companies that had deployed security automation technologies, for instance, generally spent just half of what organizations without such tools spent on a data breach. Similarly, total breach costs were about $360,000 lower on average for companies that employed encryption effectively.

“Encryption, business continuity management, DevSecOps, and threat intelligence sharing are cost mitigators, while cloud migration, IT complexity, and third-party breaches are major cost amplifiers,” says Jonathan Deveaux, head of enterprise data protection at comforte AG.

Increasingly, companies are talking about a “cloud-first” strategy for some projects and about “multicloud” configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. “What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches.”

“Long-Tail” Costs

As in previous years, the latest IBM-Ponemon report shows that data breach costs are continuing to climb for organizations across the board, but none more so than healthcare companies. The global average cost for a data breach is now $3.92 million — or 12% higher than what it was five years ago. For organizations in the US, the average costs are more than double, at $8.19 million.

The data shows that healthcare companies last year spent a stunning $439 per lost record at an average of nearly $6.5 million for a data breach. That figure is some 60% higher than what organizations in any other industry pay for a data breach. “[These] breaches are simply calamitous to organizations in the sector,” Kessem notes. It speaks to the need of the healthcare sector to pay more attention to all those cost reduction strategies that extend beyond a security program that’s already in place, she says.

The biggest cost factor for breaches in the US stemmed from lost business, such as customer turnover, system downtime, and business disruption. More than half ($4.5 million) of the total cost of a breach in the US, in fact, was tied to lost business — double that for organizations in other countries. “In general, we expect increasing data privacy standards and regulation like GDPR will increase regulatory and compliance costs for companies who experience a breach,” Kessem notes.

Generally, data breaches caused by malicious cyberattacks cost businesses in the IBM-Ponemon study about $1 million more on average than data compromises caused by an accident. The data shows the percentage of companies in the study that experienced a malicious external data breach was 51% compared with 42% six years ago. Forty-nine percent of the breaches were caused by human error and system problems and cost victims $3.5 million and $3.24 million on average, respectively.

The study shows that breach costs can escalate sharply depending on the number of records that are breached. The projected final cost for companies in the IBM-Ponemon study that experienced a breach of more than 1 million records — a relatively rare occurrence — was $42 million. The figure skyrocketed to $388 million for breaches involving more than 50 million records.

Significantly, the financial impact of a data breach can last for years, Kessem says. Most organizations incur only about two-thirds (67%) of their data breach costs in the first 12 months. They spend 22% in the second year and the remaining 11% more than two years after the incident.

Such “long-tail” costs tend to be higher in regulated industries such as healthcare, financial services, and energy. A lot of it has to do with the fact that compliance and regulatory processes tend to be complex and often move slower as well. Therefore, fines and legal fees accumulate in the years following a breach, and not in the immediate aftermath of one, she says.

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/with-data-breach-costs-time-is-money/d/d-id/1335336?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Commoditization of Multistage Malware Attacks

Malware that used to be advanced is now available to everyone. These three actions could help you stay safer.

As strange as it might sound, a single-stage malware attack might be considered almost old-fashioned in the near future. An organization or user can be attacked with relatively straightforward ransomware that immediately threatens a cryptolock on data if payment is not forthcoming. Nowadays, these single-stage malware attacks have been supplemented and sometimes replaced with far more sophisticated multistage attacks that include an initial downloader, the main component of the malware, and additional modules delivered over a period of days, weeks, or more. 

However, what used to be advanced has now been commoditized. Multistage attack kits and the associated malware are now available either from open source code communities or from malware-as-a-service sites that provide downloads to criminals, rogue nations, and other bad actors.

Trickbot and Emotet
Recent examples of commodity multistage malware include Trickbot and Emotet. Trickbot is a banking Trojan that targets users’ financial information and can act as a dropper for other malware. An attacker can leverage TrickBot’s modules to steal banking information such as passwords and credit card numbers, conduct system and network reconnaissance, and propagate additional malware across networks or other areas.

Emotet, another banking Trojan, is often used in untargeted “watering hole” attacks ─ everyone who goes to the well gets infected. After systems are compromised, attackers will survey the infected system or network to determine what value the target has. The program can then be used to inject code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be monitored, corrupted via ransomware, or the access can be sold to a third party depending on the motivations of the attacker and the value of the compromised asset.

Increased Dwell Time
One of the reasons that multistage malware poses such a risk to targets is the extended dwell time between when a hack occurs and when it’s detected. Between the first and final stages of the attack, the malware has time to move across systems and networks, communicate with the entity behind the attack, and better prepare for an eventual incident involving data theft, espionage, or infrastructure damage.

Although dwell time is a common topic in malware discussions, we believe that current estimates of dwell time need to be revised upward. According to a report by the Ponemon Institute, US companies took an average of 206 days to detect a data breach. However, Infocyte recently conducted a deep analysis of 5 million system scans using our technology and found an average dwell time of 798 days. You read that right. Dwell time of over two years, with some hacks going back to 2011.

Aside from the fact that multistage attacks are orchestrated over a period of time, dwell time with multistage malware is driven by a number of other factors. In some cases, the criminals who originally planted the malware and were waiting to activate it have been intercepted by law enforcement agencies, so the malware is never activated; no one is left to pull the trigger. In other cases, the malware was never intended to affect the first target organization but to leverage its networks to attack other organizations that hold more valuable assets. In every case, the longer the dwell time, the greater the cost of identifying the breach and addressing the consequences of the attack.

Three Recommended Actions
How should you respond to the growing proliferation of multistage malware that can be readily acquired and easily customized to target organizations like yours?

  1. The first step is to assume you’ve already been compromised. Malware may not be actively affecting your business, but that doesn’t mean it’s not there, capable of stealing passwords, dropping other malware files in other systems, or enabling unauthorized access to your networks that can be sold later to criminal bidders. Assume that malware has, can, and will breach your existing defenses. This means that your IT components cannot be trusted until proven otherwise and should be validated on a regular basis.
  2. Second, fighting infections should always involve more than a single system. Don’t play whack-a-mole. You might have detected and eliminated the originating system, but maybe the originating system isn’t where the attacker lives now. Eliminate the attacker in one place, and it might pop up in another. Think in terms of your entire IT infrastructure, from endpoints to data stores.
  3. Finally, consider a thorough compromise assessment from a reputable third-party vendor. (Full disclosure: Infocyte is one of a number of companies offering such a service.) The assessment should identify intrusions, ensure that current endpoints and systems are “clean,” determine weaknesses, and gauge the risk of future compromises.
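As an added example (not Infocyte’s tooling or the article’s own code), the script below shows what the second and third recommendations look like in practice: findings from a compromise assessment are correlated across the whole fleet by artifact hash, so that the same downloader turning up on several hosts is treated as one campaign rather than one box to clean, and dwell time is computed per host from the earliest malicious first-seen date rather than from the day the alert fired. The scan records, hostnames, dates and placeholder hashes are constructed for illustration; the 730-day cutoff simply mirrors the “over two years” figure above.

```python
"""Fleet-wide IOC correlation and dwell-time estimate over constructed scan data.

Added example; not Infocyte's product or the article's own code. Every record
below is constructed for illustration, and the artifact "hashes" are
placeholders, not real malware hashes.
"""
from collections import defaultdict
from datetime import date

# Constructed scan results: (host, artifact hash, first-seen date, analyst label).
SCAN_RESULTS = [
    ("ws-012",  "sha256:PLACEHOLDER-downloader",     date(2017, 3, 2),   "downloader"),
    ("ws-012",  "sha256:PLACEHOLDER-banking-module", date(2017, 3, 9),   "banking-module"),
    ("srv-db1", "sha256:PLACEHOLDER-downloader",     date(2017, 5, 20),  "downloader"),
    ("ws-044",  "sha256:PLACEHOLDER-unknown",        date(2019, 6, 30),  "unknown"),
    ("ws-044",  "sha256:PLACEHOLDER-downloader",     date(2019, 7, 1),   "downloader"),
]

DETECTION_DATE = date(2019, 7, 25)  # constructed: the day the assessment ran


def hosts_by_artifact(results):
    """Index hosts by artifact hash so one finding can be chased across the fleet."""
    index = defaultdict(set)
    for host, digest, _first_seen, _label in results:
        index[digest].add(host)
    return {digest: sorted(hosts) for digest, hosts in index.items()}


def spread_artifacts(results, min_hosts=2):
    """Artifacts present on at least min_hosts machines.

    Cleaning only the host that raised the alert would be whack-a-mole:
    every host listed here needs remediation in the same action.
    """
    return {d: h for d, h in hosts_by_artifact(results).items() if len(h) >= min_hosts}


def dwell_days(results, detected=DETECTION_DATE):
    """Per-host dwell time: days from the earliest malicious first-seen to detection."""
    earliest = {}
    for host, _digest, first_seen, _label in results:
        earliest[host] = min(first_seen, earliest.get(host, first_seen))
    return {host: (detected - seen).days for host, seen in earliest.items()}


def fleet_dwell_summary(results, detected=DETECTION_DATE):
    """Fleet view: worst case, mean, and hosts whose compromise predates two years."""
    per_host = dwell_days(results, detected)
    return {
        "max_days": max(per_host.values()),
        "mean_days": round(sum(per_host.values()) / len(per_host), 1),
        "over_two_years": sorted(h for h, n in per_host.items() if n > 730),
    }


if __name__ == "__main__":
    print("artifacts on multiple hosts:", spread_artifacts(SCAN_RESULTS))
    print("dwell per host:", dwell_days(SCAN_RESULTS))
    print("fleet summary:", fleet_dwell_summary(SCAN_RESULTS))
```

The point of keying on the artifact rather than the host is the second recommendation: the downloader in this sample is on three machines with first-seen dates two years apart, so the oldest one, not the one that tripped the alert, sets the dwell time the incident report should carry.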


Chris Gerritz is Co-Founder and Chief Product Officer of Infocyte, Inc., developer of the only agentless detection and incident response solution. Chris is a pioneer in defensive cyberspace operations, having established the US Air Force’s elite Defensive Counter Cyber …

Article source: https://www.darkreading.com/vulnerabilities---threats/the-commoditization-of-multistage-malware-attacks/a/d-id/1335290?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Stats That Show What it Takes to Run a Modern SOC

An inside look at staffing levels, budget allocation, outsourcing habits, and the metrics used by security operations centers (SOCs).

Image Source: Adobe Stock (Gorodenkoff)

As the nerve center for most cybersecurity programs, the security operations center (SOC) can make or break an organization’s ability to detect, analyze, and respond to incidents in a timely fashion. According to a new study from SANS Institute, today’s SOCs are treading water when it comes to maturing their practices and improving their technical capabilities. Experts say that may not be such a bad thing considering how quickly the threats and the tech stacks they monitor are expanding and changing.

“Going strictly by the numbers, not much changed for SOC managers from 2018 to 2019,” wrote Chris Crowley and John Pescatore in the SANS 2019 SOC Survey report. “However, just staying in place against these powerful currents is impressive, considering the rapid movement of critical business applications to cloud-based services, growing business use of ‘smart’ technologies driving higher levels of heterogeneous technology, and the overall difficulties across the technology world in attracting employees.”

Dark Reading explores the statistics from this study, as well as a recent State of the SOC report from Exabeam, to get some understanding about what it takes to run a SOC today and some of the major challenges security teams face in getting the most out of their SOC investments.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/threat-intelligence/7-stats-that-show-what-it-takes-to-run-a-modern-soc/d/d-id/1335306?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DEF CON Invites Kids to Crack Campaign Finance Portals

DEF CON’s Voting Village and AI Village team up with r00tz Asylum to let kids explore simulated campaign financial disclosure portals and disinformation campaigns.

A new challenge at this year’s DEF CON will let kid hackers take aim at simulated election campaign financial disclosure portals and use their findings to stage disinformation campaigns.

DEF CON’s Voting Village and AI Village have teamed up with r00tz Asylum, a nonprofit dedicated to educating kids about white-hat hacking, to teach budding infosec enthusiasts ages 8–16 about digital threats to democracy. Like the Voting Village, which lets adults explore flaws in election infrastructure, r00tz Asylum gives kids a chance to poke holes in election security.

Last year, r00tz Asylum made its first foray into election security. Kids used SQL injection to access and manipulate synthetic state election results websites, where they could change the candidates and displayed vote counts. It took two 11-year-old hackers just 15 minutes to crack a replica of the Florida Secretary of State’s website and change its vote count reports.

This year’s event puts a new spin on election security by letting kids explore bugs in simulated campaign financial disclosure portals using SQL injection code and other tactics. They’ll then take fraudulent financial reports and attempt to spread them via disinformation campaigns.

“We are trying to teach kids about the vulnerabilities that still exist in our election ecosystem,” says Morgan Ryan, an organizer of the r00tz Asylum and adviser with the University of Chicago’s Cyber Policy Initiative. “The more they know, the more exposure they gain, the more they can contribute and be civically engaged. This is about education and finding solutions.”

Campaign finance portals represent a point in which campaigns and candidates must interact with the secretary of state or other election official online, Ryan explains. They’ve been “relatively unexplored to date,” she adds, and absent from the larger discussion on election security despite a critical role in election infrastructure. The public relies on secretary of state or Federal Election Commission websites as factual sources; if financial disclosure reports can be manipulated, who can we trust?

This is why r00tz Asylum organizers are adding a new challenge to teach kids how fake news can spread online, tying the hacking of websites to a social media disinformation campaign.

The hacking station and disinformation campaign challenge will be side-by-side in the r00tz village, Ryan explains. As kids from the election hacking station manipulate financial disclosure pages, those changes will be highlighted on a projector at the disinformation station. There, kids can view the fraudulent data and use it to create social media campaigns. They’ll be able to use some of the same “bot” methods used by Russian hackers in election interference.

News of this year’s r00tz challenge arrives the same day Robert Mueller, former special counsel for the US Department of Justice, testifies on Capitol Hill about Russia’s interference in the 2016 US elections. The Mueller report found hackers used SQL injection to hack real election sites, which Ryan says taught r00tz its 2018 challenge “was squarely on point.” R00tz had received skepticism about whether its synthetic sites accurately represented real state websites.

When Russian hackers employed SQL injection to breach election websites, they did far more than deface the sites, as r00tz participants did in 2018. After breaching the sites, they accessed voter registration databases, a far more malicious act, Ryan said in a statement, given that it had been argued those databases were air-gapped or could not be reached from the Internet.
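The class of bug the r00tz participants and the Mueller report describe, as an added example that is not the challenge’s code, Aries Security’s simulator, or any real state site: a toy disclosure portal backed by SQLite, with a lookup endpoint and an amendment endpoint each written once with string-built SQL and once with parameter binding. The table, rows, payload and function names are constructed; the injection itself is the ordinary `' OR '1'='1` tautology.

```python
"""String-built SQL beside its parameterized fix, on a constructed disclosure portal.

Added example; not the r00tz challenge sites or Aries Security's code. The
schema, rows, endpoint names and payload are constructed for illustration.
"""
import sqlite3


def make_portal():
    """In-memory stand-in for a campaign finance disclosure database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (filer TEXT, total_raised INTEGER)")
    db.executemany(
        "INSERT INTO reports VALUES (?, ?)",
        [("Candidate A", 120000), ("Candidate B", 95000), ("Candidate C", 40000)],
    )
    db.commit()
    return db


# --- read side: "show me one filer's report" -------------------------------

def filer_total_vulnerable(db, filer):
    """Vulnerable: the user-supplied name is pasted into the WHERE clause."""
    sql = f"SELECT filer, total_raised FROM reports WHERE filer = '{filer}'"
    return db.execute(sql).fetchall()


def filer_total_safe(db, filer):
    """Hardened: a placeholder keeps the name as data, never as SQL."""
    return db.execute(
        "SELECT filer, total_raised FROM reports WHERE filer = ?", (filer,)
    ).fetchall()


# --- write side: "amend a filer's reported total" ---------------------------

def amend_total_vulnerable(db, filer, new_total):
    """Vulnerable: the number is cast, but the name still reaches the SQL parser."""
    sql = f"UPDATE reports SET total_raised = {int(new_total)} WHERE filer = '{filer}'"
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount  # rows actually changed


def amend_total_safe(db, filer, new_total):
    """Hardened: both values are bound; a tautology in the name matches no filer."""
    cur = db.execute(
        "UPDATE reports SET total_raised = ? WHERE filer = ?", (int(new_total), filer)
    )
    db.commit()
    return cur.rowcount


def totals(db):
    """Current state of the table, for before/after comparison."""
    return dict(db.execute("SELECT filer, total_raised FROM reports ORDER BY filer"))


if __name__ == "__main__":
    db = make_portal()
    payload = "x' OR '1'='1"   # constructed attacker input
    print("vulnerable read returns", len(filer_total_vulnerable(db, payload)), "rows")
    print("safe read returns", len(filer_total_safe(db, payload)), "rows")
    print("safe update touched", amend_total_safe(db, payload, 1), "rows")
    print("vulnerable update touched", amend_total_vulnerable(db, payload, 1), "rows")
    print("table now:", totals(db))
```

Two details are worth noticing. Casting the amount to `int` in the vulnerable amendment does nothing for the name field, so the same payload that dumps every row through the read endpoint rewrites every row through the write endpoint, which is exactly the “change the displayed totals” outcome the challenge teaches. And the hardened version needs no input filtering at all: with binding, the tautology is just an unusual filer name that matches nothing.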

The synthetic campaign finance portals for the 2019 challenge are designed and built by Aries Security. Founder and CEO Brian Markus previously adapted his Capture the Packet simulator so the US Department of Defense could use it for training and vetting cybersecurity professionals.

“More than anything, we hope [kids] will see that they are future voters and, therefore, soon to be critical participants in our democracy,” Ryan says. “Perhaps if they see they can have an impact and improve not only the infrastructure of our election ecosystem, but truly the bedrock of this democracy, then we’ve done a good thing.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/def-con-invites-kids-to-crack-campaign-finance-portals/d/d-id/1335329?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mirai-Like Botnet Wages Massive Application-Layer DDoS Attack

An IoT botnet, made up mainly of home routers, hit a service provider with nearly 300,000 requests per second in a 13-day deluge of traffic.

A collection of more than 400,000 connected devices, mainly home routers, leveled a powerful application-layer attack on an online entertainment-service provider for 13 days.

The attack used packets designed to appear as valid requests to the targeted application with the aim of chewing up bandwidth and server resources and reached a peak rate of 292,000 requests per second, according to a report released on July 24 by security firm Imperva, which blocked the attack.

The distributed denial-of-service (DDoS) attack was an application-layer, or layer-7, attack: it came from devices compromised by the attackers and likely aimed to take down the company’s service, says Vitaly Simonovich, a security researcher for Imperva.

“This is not the first time this customer got attacked,” he says. “In the past, we witnessed this customer get attacked via network-layer DDoS attacks and also attackers have tried to steal their service, or use it without paying them.”

Distributed denial-of-service attacks are now considered the cost of doing business online, and companies need to plan for the attacks. In a survey released on July 24, data-center services firm US Signal found that 83% of organizations had suffered a DDoS attack in the past two years, and the average downtime caused by such an attack was 12 hours. The survey also found that 81% of organizations had their web application targeted in a cyberattack. 

“The number of respondents that have experienced DDoS and application attacks is jarring, demonstrating that there is always room for improvement in keeping up with modern cyberthreats,” Trevor Bidle, vice president of information security and compliance officer at US Signal, said in a statement.

Yet, network packet floods continue to set new records in terms of volume and sustained traffic. 

The attack on Imperva’s client is not the largest, but represents one of the most significant application-layer attacks. Volumetric attacks, which try to overload a target’s network bandwidth and infrastructure with a massive deluge of data, have exceeded 500 million packets per second, according to Imperva. For comparison, the DDoS attack against GitHub in 2018 exceeded 1.35 terabits per second, or about 130 million packets per second, the company said.

In 2016, the original Mirai malware, along with several variants, were used to conduct massive DDoS attacks against a variety of targets. More than one attack peaked at more than 600 gigabits per second and the attack against infrastructure provider Dyn in October 2016 exceeded 1 terabit per second.

Volumetric and application attacks are different and target different parts of a company’s online infrastructure. Web applications can typically handle tens or hundreds of gigabits of legitimate traffic, but typical Web servers handle perhaps 25,000 requests per second, says Imperva’s Simonovich.

“Today, customers that use cloud services can scale up in no time,” he says. “This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider.”
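The distinction Simonovich draws is that every request in a layer-7 flood is syntactically valid, so the only signals left are rate and distribution. As an added example (not Imperva’s detection logic), the script below parses constructed access-log lines and scores them two ways: per source, which catches one noisy client, and in aggregate against a server’s request budget, which is what actually catches a botnet of hundreds of thousands of routers each sending less than one request per second. The log lines, addresses and thresholds are constructed; the 25,000 requests-per-second default is the rough single-server capacity the article quotes.

```python
"""Request-rate view of an application-layer flood over constructed access-log lines.

Added example; not Imperva's detection logic or the article's own code. Log
lines, IP addresses and thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Common Log Format with second-resolution timestamps.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def per_second_rates(lines):
    """Map each second -> Counter of requests per source IP.

    Every request in a layer-7 flood is a well-formed GET, so nothing about
    the request itself is suspicious; only volume per source and in total is.
    """
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["ts"]][rec["ip"]] += 1
    return counts


def flag_sources(lines, per_ip_rps=20, server_capacity_rps=25000):
    """Return (sorted IPs over the per-source limit, seconds where total load
    exceeded what the server can answer)."""
    counts = per_second_rates(lines)
    offenders, overloaded = set(), []
    for second, by_ip in counts.items():
        offenders.update(ip for ip, n in by_ip.items() if n > per_ip_rps)
        if sum(by_ip.values()) > server_capacity_rps:
            overloaded.append(second)
    return sorted(offenders), overloaded


def constructed_sample():
    """Constructed excerpt: one noisy client (30 req/s) plus a scaled-down
    'botnet' of 50 devices at 2 req/s each, all within the same second."""
    ts = "25/Jul/2019:10:00:00 +0000"
    lines = [
        f'203.0.113.7 - - [{ts}] "GET /stream/live?id={i} HTTP/1.1" 200 512'
        for i in range(30)
    ]
    for dev in range(50):
        lines += [f'198.51.100.{dev + 1} - - [{ts}] "GET /stream/live HTTP/1.1" 200 512'] * 2
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    # Scaled-down capacity so the 130-request sample overloads the "server".
    print("per-source + aggregate:", flag_sources(sample, per_ip_rps=20, server_capacity_rps=80))
    print("botnet traffic only:", flag_sources(sample[30:], per_ip_rps=20, server_capacity_rps=80))
```

Run against only the botnet portion of the sample, the per-source rule flags nobody, because no single device exceeds two requests a second, while the aggregate rule still reports the second as overloaded. That is the shape of the Imperva incident: 400,000 sources averaging under one request per second each, with no individual source worth blocking and a total that no origin server can absorb.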

Routers Located in Brazil

Imperva tracked much of the traffic in the latest attack back to compromised home routers in Brazil. The company does not attribute the attack to the original Mirai botnet, but because the Mirai source code was released some time ago, underground developers have modified it to incorporate a variety of attacks, and this botnet behaves like one of those variants.

Because of the large number of Internet-of-things devices — tens of billions of network-connected devices by most accounts — and the lack of security concerns of most manufacturers and consumers, the population of vulnerable devices will only likely continue to grow, Imperva said.

“Botnets of IoT devices will only get larger,” the company said. “We live in a connected world, so the number of IoT devices continues to grow fast and vendors still do not consider security a top priority.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/mirai-like-botnet-wages-massive-application-layer-ddos-attack/d/d-id/1335331?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NSA to Form New Cybersecurity Directorate

Anne Neuberger will lead the directorate, which aims to bring together the NSA’s offensive and defensive operations.

The National Security Agency announced plans to form a cybersecurity directorate later this year as part of a larger initiative to fuse its offensive and defensive operations, a years-long ongoing integration that has broadened under the leadership of General Paul Nakasone.

As the NSA has undergone reorganizations in recent years, it has lost its emphasis on cybersecurity, said Gen. Nakasone during the International Conference on Cyber Security at Fordham University, the Wall Street Journal reports. The new directorate is intended to once again make security a priority by combining it with the NSA’s foreign intelligence projects and increasing its focus on both national security networks and the defense industrial base.

Anne Neuberger has been appointed head of the new directorate, which will reportedly leverage more signals intelligence from operations against US adversaries. Its goal is to strengthen national security by sharing intel with other federal agencies and private companies. The directorate will take the place of the NSA’s current information assurance directorate.

Neuberger, who currently sits on the NSA board of directors, was its first chief risk officer and part of the team that helped build Cyber Command. In the past year she has overseen the NSA’s election security efforts leading up to, and during, the 2018 midterms, which the WSJ says saw more aggressive efforts from the NSA and the US Cyber Command to defend against Russian interference and share more information with agencies including the FBI and DHS.

In her new role, Neuberger will report to Gen. Nakasone.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/nsa-to-form-new-cybersecurity-directorate/d/d-id/1335333?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook admits to Messenger Kids security hole

Facebook was red-faced this week after admitting to a loophole in its child-focused Messenger Kids system.

The company was found apologizing to parents via email after a hole in the supposed closed-loop messaging system allowed children to join group chats with people their parents hadn’t approved.

Launched in December 2017, Messenger Kids is an Android and iOS app designed for users under 13. The service, which doesn’t allow ads, must be installed by parents, who must approve the child’s contacts. It is not possible to search for individual children on the service. Individuals can video chat and message with children using the regular Messenger app, but only if the child’s parent approves them.

On its website, Messenger Kids says:

Kids can only connect with parent-approved contacts, which creates a more controlled environment

Except when it doesn’t.

The Verge discovered that Facebook had made an embarrassing slip-up. The social media giant had been sending messages to parents informing them of a “technical error”. A child’s friend in the app could create a group chat with them and then invite people from their own list of parent-approved friends, even when the child’s parents hadn’t approved their child to talk with those people.

Facebook’s email, seen by The Verge, read:

Hi [PARENT],

We found a technical error that allowed [CHILD]’s friend [FRIEND] to create a group chat with [CHILD] and one or more of [FRIEND]’s parent-approved friends. We want you to know that we’ve turned off this group chat and are making sure that group chats like this won’t be allowed in the future. If you have questions about Messenger Kids and online safety, please visit our Help Center and Messenger Kids parental controls. We’d also appreciate your feedback.

This was likely a flaw in the design of the Messenger app, in which engineers didn’t account for young users adding new friends. Their oversight allowed a child to talk with a friend of a friend that the child’s parent hadn’t explicitly trusted and may not even know. 
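The shape of that oversight, reconstructed as an added example that is not Facebook’s code: an invite check that consults only the inviter’s own approved list lets a friend-of-a-friend into a child’s chat, while a closed-loop check requires the newcomer to be mutually approved with every current member. The contact lists, names and function names are constructed for illustration; the actual Messenger Kids logic is not public.

```python
"""Group-chat invite check: the gap described above beside a closed-loop version.

Added example reconstructing the flaw's shape; not Facebook's code. The
approval table, names and function names are constructed for illustration.
"""

# Constructed parent-approved contact lists: child -> contacts that child's
# parent approved. Approval is recorded per child, so it need not be symmetric.
APPROVED = {
    "child": {"friend"},
    "friend": {"child", "cousin", "neighbour"},
    "cousin": {"friend"},
    "neighbour": {"friend"},
}


def approved(a, b):
    """True only if each side's parent approved the other (mutual approval)."""
    return b in APPROVED.get(a, set()) and a in APPROVED.get(b, set())


def can_invite_vulnerable(inviter, invitee, members):
    """Vulnerable: only the inviter's own list is consulted.

    'friend' may talk to 'cousin', so 'friend' can pull 'cousin' into a chat
    that already contains 'child', whose parent never approved 'cousin'.
    """
    return invitee in APPROVED.get(inviter, set())


def can_invite_fixed(inviter, invitee, members):
    """Closed loop: the invitee must be mutually approved with every member,
    not just the person sending the invite."""
    return all(approved(invitee, member) for member in members)


def build_group(creator, invites, policy):
    """Apply a sequence of (inviter, invitee) invites under the given policy
    and return the resulting member list."""
    members = [creator]
    for inviter, invitee in invites:
        if inviter in members and invitee not in members and policy(inviter, invitee, members):
            members.append(invitee)
    return members


if __name__ == "__main__":
    invites = [("friend", "child"), ("friend", "cousin")]
    print("vulnerable:", build_group("friend", invites, can_invite_vulnerable))
    print("fixed:     ", build_group("friend", invites, can_invite_fixed))
```

The fixed policy is not stricter than the product promises: with `child` absent, `friend` can still open a chat with `cousin`, because that pair is mutually approved. It only refuses the case the email describes, where an approval that exists between two other children is silently extended to a third.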

It’s good to see Facebook taking action, but it may be too late to burnish an already damaged image when it comes to child safety online. The Information Commissioner’s Office (ICO), in conjunction with Ofcom, surveyed 2,000 people aged 16 and over and 1,000 children aged between 12 and 15 earlier this year about their perception of online harm.

Youngsters worried by unwelcome friends 

Almost one in four (24%) of those in the younger age bracket said that they had experienced potential harm on Facebook, which was twice that of the second-most harmful platform, Facebook-owned Instagram. Snapchat came third, at 8%. An even larger proportion of children, 38%, had experienced unwelcome friends or followers on instant messenger platforms, making it the biggest single perceived type of harm on that kind of platform among young users.

The error will also be disappointing for parents seeking a safe avenue for their children to message with friends and family. Messenger Kids was supposed to be a beacon of safety for these families. Meanwhile, the alternatives don’t seem much better. The ICO is investigating video-sharing app TikTok for its use of children’s personal data and adherence to GDPR after it received a multimillion-dollar fine from the US Federal Trade Commission for violating child privacy.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zoVWl8iXUpM/

Apple’s July patchfest fixes bugs in multiple products

Apple released fixes for various products this week, including several nasty arbitrary code execution (ACE) flaws, and a bug that has been public with proof-of-concept code for two months.

CVE-2019-8656, discovered by cybersecurity researcher Filippo Cavallarin, enabled an attacker to bypass Apple’s Gatekeeper functionality with a suitably formed Zip file. Gatekeeper is the Mac function that asks you if you want to run untrusted content downloaded from the web. Apple was supposed to have fixed this by mid-May following a 90-day responsible disclosure period, but didn’t, so Cavallarin published proof of concept code.

The fix was part of a patchfest addressing 48 separate entries in the CVE database. The patches spanned these Apple products:

  • iOS 12.4
  • tvOS 12.4 (the Apple TV operating system)
  • Safari browser 12.1.2
  • iTunes 12.9.6 for Windows
  • iCloud for Windows 10.6 and 7.13
  • watchOS 5.3
  • macOS Mojave 10.14.6, High Sierra, and Sierra

Many of the fixes addressed single bugs that affected multiple Apple products, showing how tightly integrated Apple’s code base is. One of the most notable was for the company’s WebKit browser engine, which it mandates for other browser vendors (Chrome is forced to use WebKit on Apple operating systems rather than its own Blink engine, for example).

These fixes included 19 separate CVEs related to memory vulnerabilities, affecting iOS, tvOS, Safari, and macOS. These bugs would allow an attacker to exploit a device by showing it malicious web content. A subset of eight of these bugs also affected watchOS.

There were also universal cross-site scripting (XSS) vulnerabilities affecting the four platforms listed above, plus Safari and iTunes for Windows.

Arbitrary code execution

Apple fixed several bugs shared across multiple platforms that allowed for arbitrary code execution (ACE). These included two in the Core Data library, which is Apple’s local data caching mechanism for storing data offline. Another in that library would let an attacker leak memory remotely.

Foundation, Apple’s layer of core data types and operating system services, also got an ACE flaw (CVE-2019-8641) and so did FaceTime (CVE-2019-8648), which it shared with macOS and watchOS.

Many of these bug descriptions and fixes were pretty opaque, with short descriptions and impact statements, like “an out of bounds read was addressed with improved input validation”. There were a couple of more descriptive entries, though.

Apple’s Heimdal implementation of the Kerberos 5 certificate management system suffered a bug that could allow apps to intercept communications between services. That affected iOS, tvOS, macOS, and watchOS.

Maliciously crafted Office documents could also trigger arbitrary code execution, Apple revealed. It fixed CVE-2019-8657, in which “parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution”. Apple said that affected the same platforms as the Heimdal bug, including watchOS.

There was also a fix for CVE-2019-8682, which allowed someone to accidentally complete a purchase while on the lock screen (affecting the Wallet app in iOS and watchOS). Another, CVE-2019-8659, was purely for watchOS and allowed users removed from an iMessage conversation to alter their state.

CVE-2019-8670 allowed someone to spoof the address bar in Safari with a malicious web page. That’s now fixed, too.

There were eight bugs that were unique to macOS. These included four ACE vulnerabilities spanning Bluetooth, disk management, the operating system’s built-in graphing calculator, and Carbon Core, which lets apps interact with legacy services.

There was also a macOS bug (CVE-2019-8667) that could cause the encryption status of Apple Time Machine backups to be reported incorrectly.

With proof-of-concept code for one of these bugs out for months and with the fixes addressing a gaggle of nasty code execution flaws, it’s time to get patching if you haven’t already.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DMw-BH1iNW0/

Man arrested over UK’s Lancaster University data breach hack allegations

Cops have cuffed a 25-year-old man from Bradford on suspicion of committing Computer Misuse Act crimes after Lancaster University suffered a data breach affecting more than 12,000 students and applicants.

In a statement the National Crime Agency said: “Officers from the NCA’s National Cyber Crime Unit arrested the man on Monday (22 July) and he has since been released under investigation while enquiries are ongoing.”

As we reported yesterday, Lancaster University admitted that a phishing attack had resulted in person or persons unknown accessing the personal data of people applying for undergraduate degree courses starting this year and in 2020.

Reg’s sources: Students paid fraudulent invoices

Names, addresses, email addresses and phone numbers were among the categories of data visible to the hackers. Fraudulent invoices were sent to some, the university admitted. With overseas applicants (of which Lancaster had 575 last year from non-EU countries and 375 from other EU countries) paying fees measured in the tens of thousands of pounds per year, the potential for high returns is great.

Our sources added that around half a dozen students had paid these fraudulent invoices. The highest undergraduate fee for overseas (non-EU) students is Lancaster’s Bachelor of Medicine, Bachelor of Surgery (MBChB) course at £31,540.

Sources with knowledge of the situation told The Register that the breach could potentially have affected 20,000 people all told. El Reg’s own estimate of UK applicants affected by the breach stands at 12,500 people based on public UCAS data, as we set out yesterday.

We are further informed that the attackers’ route in was through the compromise of a staff account with administrator credentials, handing the attackers a golden ticket with which to rampage through the university’s systems.

Lancaster University declined to comment.

Back in April JISC, the artists formerly known as the UK academic Joint Information Systems Committee, warned that they had a 100 per cent success rate when researchers phished universities as part of a red-teaming exercise. Evidently someone wasn’t listening. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/24/lancaster_university_hack_breach_man_arrested/

Malware-based Attacks Dropped 20% Worldwide

Meanwhile, criminals waged more encrypted, ransomware, and IoT attacks.

More signs that cybercriminals and nation-state hackers now operate as stealthily as possible to accomplish their missions: so far in 2019, malware and phishing are down and encrypted attacks are up.

Specifically, malware attacks decreased by 20% to 4.78 billion, phishing attacks fell by 18% to 8.3 million, and encrypted attacks jumped 76% to 2.4 million, according to new data to be released today by SonicWall, which gathered attack data from its security sensors in more than 200 countries. Ransomware, meanwhile, is still hot thanks to the broad availability of ransomware-as-a-service offerings, rising 15% worldwide and a whopping 195% in the UK.

“There are only so many bad guys coding, so they are recoding and repackaging” now, says Bill Conner, CEO of SonicWall. “Malware might be down, but it’s getting more malicious and nefarious in terms of the type of malware and how it’s coming in.”

Much of the malware decline has to do with the popularity of so-called fileless attacks and attackers using legitimate Windows and security tools to drill down deeper into their victim’s network. Some regions had very different stats, the study found: the US experienced the most dramatic drop in malware attacks – 17% – while Switzerland was hit with a 72% jump in malware attacks.

They’re also abusing encrypted channels such as HTTPS and SSL-based VPN channels to camouflage their traffic and malicious code. SonicWall has seen some 1,100 encrypted attack attempts per day per customer, Conner says. Many organizations mistakenly assume encrypted traffic is legit traffic, he notes.

The attackers are able to place malware in a file and “come through that Web channel and via that VPN,” he explains. “They either go to the HTTPS site or right to the end user’s desktop.”

Encryption abuse has long been a worry for organizations unsure how to efficiently monitor encrypted traffic. Gartner previously estimated that half of cyberattacks using malware in 2019 would employ some type of encryption, and that 70% would do so by 2020. Meanwhile, many security tools cannot detect malware hidden in SSL.

SonicWall’s sensors spotted 13.5 million attack attempts on Internet of Things devices in the first half of this year, a nearly 55% increase, and cryptojacking attacks jumped by 9% after a temporary lull, according to the report. Cryptojacking isn’t going anywhere now that the price of bitcoin and Monero digital currencies is on the rise, Conner notes.

The drop in phishing attacks is really more about these campaigns becoming more targeted and sophisticated. “Now they’re going after the C suite, finance, and HR people,” he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/malware-based-attacks-dropped-20--worldwide/d/d-id/1335328?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple