
Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware,

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.

Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as there are various data retention requirements to take into account. There are also juggling acts to perform when setting strict requirements around data to keep out threat actors while enabling access for educators and parents when necessary. Take allergy requirements: If a substitute teacher has trouble accessing his or her students’ health records because of a tricky login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

Author: Bob Sullivan

Attribution, Cyberattacks, Cybercriminals, Cyberthreats, Threat Detection, threat hunting, Threat Management, Threat Monitoring,

The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence

Given that the most serious threats in cyberspace are other state actors and their proxies, traditional thinking is focused on deterrence. Yet there are significant challenges for cyber deterrence.

The concept of deterrence was originally developed during the rise of nuclear technology. It relies on second-strike capabilities of opponents and complete certainty of who the opponent is, that it can survive the first strike and that it can strike back. This is known as mutually assured destruction (MAD).

Deterrence strategies have worked well throughout history to deter nuclear proliferation because only nation-states have access to the resources and technologies to get in the game. Of those actors, a basic self-interest in survival underpins the effectiveness of MAD.

There are many methods available for monitoring the mining and use of nuclear materials and technologies, and we have a fairly accurate inventory. In the cyber theater, however, the cyber attribution dilemma essentially nullifies the traditional model of deterrence as previously applied to military strategies in conventional warfare. As mentioned, MAD depends on knowing who your opponent is and understanding their capabilities for a second strike. In the cyber theater, both of these requirements are virtually impossible to fulfill.

What Are the Top Challenges to Cyber Deterrence?

Because of the inherent architecture of the internet and threat actors’ ability to obfuscate the source of an attack, it is nearly impossible to attribute attacks with a high degree of certainty. This results in a cyber attribution dilemma whereby the need to impose the costs necessary for cyber deterrence is juxtaposed with the potential costs of misattribution.

1. Misattribution

Many are concerned about the dangers of misattribution in cyber warfare and the potential escalations it could cause. The current deterrence paradigm of mutually assured disruption — the equivalent of MAD in the cyber arena — has a high risk of escalating into a tit-for-tat exchange as a result of a false accusation.

2. False Flags

Adversaries have historically used false flag operations to make an operation appear as though it was perpetrated by someone else. Because of the cyber attribution dilemma, false flags are much easier to execute in cyberspace, where the challenge of attribution already exists. False flags in cyberspace exploit this existing uncertainty and further compound doubt by casting suspicion on other actors.

3. Plausible Deniability

The attribution dilemma also gives threat actors the benefit of plausible deniability, further reducing the risks and costs associated with cyber actions. If you can’t be certain who is responsible, once again, you can’t impose costs without risking imposing the costs on the wrong actor.

In the Absence of Attribution, Resilience Is Critical

The stakes are high in cyberspace and growing daily. Deterrence rests on enterprises’ ability to impose costs or deny gains. Without the ability to impose costs while avoiding misattribution and escalation, denying gains and surviving cyberattacks through resilience is hypercritical.

Advanced attacks executed by sophisticated actors who know how to stay under the radar often cause the most damage. Adopting threat hunting in your security operations center (SOC) can help reduce dwell time as well as the cost and impact of attacks.

The post The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence appeared first on Security Intelligence.

Author: Jan Dyment

Computer Security, Cyber Attack, Cyber Security News, Cybercriminals, Malware, Ransomware, SamSam Ransomware, Security Hacker,

Targeted SamSam Ransomware Attacks Continue to Breach and Lock the Networks of 67 Different Organizations

SamSam Ransomware

The cybercriminal group behind the SamSam ransomware is continuously targeting the networks of organizations located in different countries in order to encrypt their sensitive data. SamSam is one of the most active ransomware families of 2018, having broken into the networks of 67 different types of organizations across the world, especially in the U.S. Mainly targeting […]

The post Targeted SamSam Ransomware Attacks Continue to Breach and Lock the Networks of 67 Different Organizations appeared first on GBHackers On Security.

Advanced Threats, Cybercriminals, IBM X-Force Incident Response and Intelligence Services, Incident Response, Malware, Point-of-Sale (POS) Malware, Point-of-Sale (POS) Systems, POS Malware, Retail, Threat Intelligence, X-Force,

X-Force IRIS Identifies FIN6 Activity on POS Networks

IBM X-Force Incident Response and Intelligence Services (IRIS) identified malicious actors using the FrameworkPOS and GratefulPOS malware to harvest massive amounts of payment card data from point-of-sale (POS) systems in 2017 and 2018. Based on the alignment of tactics, techniques and procedures (TTPs) with those previously identified in similar attacks, X-Force IRIS assessed that the cybergang known as FIN6, which was first identified in April 2016, is behind the attack. This is only the second time that FIN6 activity has been publicly documented and attributed to the group since FireEye’s initial discovery in 2016.

Our team also identified several additional TTPs that will help organizations identify and respond to FIN6 attacks. Let’s take a closer look at FIN6’s history, tactics and indicators of compromise (IoCs) and outline actionable intelligence to assist in strengthening defenses against this threat actor.

Who Is FIN6?

FIN6 is an organized gang of cybercriminals that specializes in stealing payment card data from organizations in the retail and hospitality sectors. The group has stolen data on millions of payment cards, which it then monetized by selling the information on the dark web. While it is unclear how much money FIN6 has made in this manner, we estimate the group’s profit to be in the millions of dollars from 2015 to 2018.

FIN6 targets organizations that process a significant number of POS transactions, such as retail outlets and hotels. It typically uses commercial POS malware to harvest payment card data. According to data on the group’s activity, it focuses on retailers in the U.S. and Europe.

Attribution: Why FIN6?

According to X-Force IRIS research, the recent activity we observed on POS machines is attributable to FIN6, based on an alignment of over 90 percent of the TTPs our team observed with TTPs previously attributed to FIN6 activity.

In addition to commonalities with past TTPs, we observed FIN6 employing additional tactics, such as leveraging IT management software to deploy malware and using Windows Management Instrumentation Command (WMIC) to automate the remote execution of PowerShell commands and scripts.

While many of the TTPs associated with this threat group are publicly available and widely used, either individually or in small groupings, the strong correlation between observed activity and alignment of specific behavior patterns led us to make the attribution.

New TTPs Observed in This Investigation

Our investigation identified TTPs that were not previously attributed to FIN6. Of these, we consider the following to be among the most noteworthy:

  • Deploying the FrameworkPOS malware via an enterprise software deployment application.
  • Using WMIC to automate the remote execution of PowerShell commands and scripts.
  • Metasploit-like behavior:
    • Randomly generating service names in Windows event logs associated with service installations and service starts or stops (7035, 7036, 7045, etc.).
    • Dynamically generating file names for binaries on disk (usually a backdoor installed as a service).
    • Dynamically generating hostnames in event logs.
  • Injecting malicious Meterpreter code into legitimate Windows processes.
  • Obfuscating PowerShell commands with base64 encoding and gzip compression (often base64-encoded, gzip compressed, base64-encoded PowerShell script).
  • Exclusion of specific processes for FrameworkPOS targeting.
  • Filename of memsniff_dll.dll for FrameworkPOS.
  • Using a winhlp.dat file as a cover file name for a malicious PowerShell script designed to inject FrameworkPOS into “lsass.exe.”
  • Using specific PowerShell parameters to attempt to avoid detection and bypass antivirus application whitelisting.
  • Using “1.txt”, “services.txt” and “.csv” files as reconnaissance output names.

While some of these TTPs may be side effects of tools FIN6 actors were using or specific to the environment in which the actors were operating, we believe many represent new TTPs that could become characteristic of evolved FIN6 standard operating procedures.
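The "Metasploit-like behavior" items above (randomly generated service names in 7035/7036/7045 service events, dynamically generated binary names, and, further down, a downloader that produces a 15-character random filename) can be turned into a simple triage pass over service-installation events. The Python below is an added example written for this page, not X-Force IRIS tooling: the event records, the field layout, the randomness heuristic (mixed case with frequent case switches or almost no vowels) and the trusted image-path list are all constructed assumptions, and a real deployment would feed it parsed System-log events.

```python
import re

# Constructed sample records, modelled loosely on Windows System log events
# 7045 (service installed) and 7036 (service state change). The field layout
# is this example's own simplification, not a real EVTX export format.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "POS-LANE-03", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 7045, "host": "POS-LANE-03", "service": "kQzLmWvRtPxB",
     "image": r"C:\Windows\Temp\wjpqrhxkdlsbavm.exe"},
    {"id": 7036, "host": "POS-LANE-07", "service": "Windows Update",
     "image": ""},
    {"id": 7045, "host": "DC01", "service": "XtBhQpWlKmzzQvn",
     "image": r"%COMSPEC% /b /c start /b /min powershell -nop -w hidden"},
    {"id": 7045, "host": "BACKOFFICE-01", "service": "MSSQLSERVER",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
]

SERVICE_EVENT_IDS = {7035, 7036, 7045}           # service start/stop/install
# Assumed list of locations a legitimate service binary is expected to live in.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
VOWELS = set("aeiouAEIOU")


def case_switches(name: str) -> int:
    """Count lower<->upper transitions between consecutive letters."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name: str) -> bool:
    """Heuristic for auto-generated service names: purely alphabetic, mixed
    case, and either many case switches or almost no vowels. Names with
    spaces or digits, or a single case, are treated as human-chosen."""
    if len(name) < 8 or not name.isalpha():
        return False
    mixed = any(c.isupper() for c in name) and any(c.islower() for c in name)
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return mixed and (case_switches(name) >= 4 or vowel_ratio <= 0.15)


def _image_stem(image: str) -> str:
    """Leaf file name of a Windows path without its extension."""
    leaf = re.split(r"[\\/]", image)[-1]
    return leaf.rsplit(".", 1)[0]


def triage_events(events):
    """Return one finding per service event that shows any of the patterns
    described in the report; each finding lists the reasons it was flagged."""
    findings = []
    for ev in events:
        if ev["id"] not in SERVICE_EVENT_IDS:
            continue
        reasons = []
        if looks_random(ev["service"]):
            reasons.append("random-looking service name")
        image = ev.get("image", "")
        if image:
            if not image.lower().startswith(TRUSTED_IMAGE_PREFIXES):
                reasons.append("image outside trusted locations")
            stem = _image_stem(image)
            if len(stem) == 15 and stem.isalpha():
                reasons.append("15-character alphabetic filename")
        if reasons:
            findings.append({"host": ev["host"], "service": ev["service"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f['host']}: service '{f['service']}' -> {', '.join(f['reasons'])}")
```

The heuristic deliberately ignores all-lowercase or all-uppercase names (legitimate names such as MSSQLSERVER are consonant-heavy), so it trades some recall for a low false-positive rate on a busy server; the image-path and 15-character checks catch the remaining cases the report describes.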

Of the TTPs that aligned with previously identified FIN6 activity, the most notable include:

  • Widely deploying FrameworkPOS on compromised POS systems;
  • Collecting compromised data in numbered “.dll” files;
  • Extensive use of Metasploit and PowerShell to move laterally and deploy malware;
  • Frequent use of Windows Scheduled Tasks to maintain persistence;
  • Heavy SQL database reconnaissance and data theft;
  • Using Secure Shell (SSH) tunnels for SQL database exfiltration;
  • Compromising the Active Directory Database (ntds.dit), allowing for credential harvesting and password cracking offline; and
  • Using a specific Metasploit-like downloader that generates a random 15-character filename. It is possible this is the SHIPBREAD or HARDTACK downloader previously attributed to FIN6’s use.

FIN6 Returns to the POS Attack Arena

In the recent activity investigated by X-Force IRIS, the FIN6 gang demonstrated its ability to gain systemic footholds in targeted networks, advance laterally and eventually achieve its objective of exfiltrating valuable data from the victim organization’s infrastructure.

FIN6’s Easy Does It: Unsophisticated Yet Effective

FIN6 uses a variety of publicly available tools for reconnaissance and lateral movement. For example, it deploys the FrameworkPOS malware for the phase of harvesting payment card data from POS endpoints’ memory.

Most of FIN6’s tools are either simplistic or publicly available, and the group’s encoding mechanisms are relatively easy to decipher. The malware used to steal the card data is available commercially on dark web markets. While it might seem that the group is not highly sophisticated, this is not the case.

FIN6’s skill lies in its ability to bypass security controls and employ stealthy techniques, which allows the group to steal large amounts of data and sell at least some of it for a profit in dark web markets.

X-Force IRIS’s investigation into the destination of the stolen cards harvested by FIN6 found that the group most likely used the dark web forum Joker’s Stash to advertise and collect payments for batches of credit card data. Various reports on the value of payment card data on the dark web estimate the price of a newly stolen card at about $20 per card.

Breach and Internal Reconnaissance

Available evidence did not conclusively confirm how FIN6 gained the initial access to systems it compromised, although previous publications on its techniques noted that the group appears to use legitimate login credentials. The use of these credentials — either stolen or bought — is a plausible scenario in this case.

Once within an environment, FIN6 uses several reconnaissance techniques to locate the data it wishes to exfiltrate. In particular, X-Force IRIS observed the group running WMIC queries, which were then used to automate the remote execution of PowerShell commands and scripts, among other functions designed to run queries, search databases, access directories and connect to systems of interest.

We observed the attackers extensively targeting internal SQL databases during the attack. They then dumped the database’s contents using output filenames that were often named “1.txt” and “services.txt” for reconnaissance on the processes and services running on the system, as well as various .csv files for database tables.

In addition, the attackers compromised the majority of domain controllers in the environments they accessed and probably collected the Active Directory Database (ntds.dit), which would provide access to password hashes that they could then crack offline or attempt pass-the-hash attacks to expand their access and privilege levels.

Lateral Movement

To move laterally inside the breached networks, the attackers made extensive use of PowerShell and Metasploit throughout their operation.

To avoid detection and bypass antivirus application whitelisting, the attackers used PowerShell scripts with parameters such as:

Figure: PowerShell script parameters

The “-w hidden” and “-noni” parameters prevent PowerShell windows from popping up on victim systems or accepting any interaction, while “-ep bypass” allows PowerShell scripts to run even on systems that limit PowerShell use.
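Both the launch parameters described here and the layered encoding listed earlier (base64-encoded, gzip-compressed, base64-encoded script) are things an analyst can check for mechanically when reviewing process command lines. The Python below is an added example for this page, not X-Force IRIS or PowerSploit code: it flags the evasion switches on a command line, extracts an -EncodedCommand argument, and peels base64, gzip and UTF-16LE layers until plain script text remains. The sample command line and payload are constructed from a benign script, and the nesting order (script, then base64, then gzip, then base64) is this example's assumption.

```python
import base64
import binascii
import gzip
import re

# Patterns for the switches the report describes. PowerShell accepts several
# abbreviations of each switch, so the patterns allow common short/long forms.
EVASION_FLAGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window (-w hidden)"),
    (re.compile(r"-noni(?:nteractive)?\b", re.I), "non-interactive (-noni)"),
    (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I), "execution policy bypass (-ep bypass)"),
    (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I), "encoded command (-enc)"),
]
GZIP_MAGIC = b"\x1f\x8b"


def _b64_or_none(data: bytes):
    """Strict base64 decode; None when the bytes are not base64 text."""
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_layers(blob: bytes, max_layers: int = 8):
    """Unwrap nested base64 / gzip / UTF-16LE layers until plain text remains.
    Returns (decoded_text, [layer names in the order they were removed])."""
    layers, cur = [], blob
    for _ in range(max_layers):
        if cur.startswith(GZIP_MAGIC):
            cur = gzip.decompress(cur)
            layers.append("gzip")
            continue
        decoded = _b64_or_none(cur)
        if decoded is None:
            break                      # no further encoding layer: plain text
        # -EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is NUL.
        if len(decoded) >= 4 and len(decoded) % 2 == 0 and all(b == 0 for b in decoded[1::2]):
            cur = decoded.decode("utf-16-le").encode("utf-8")
            layers.append("base64(utf-16le)")
        else:
            cur = decoded
            layers.append("base64")
    return cur.decode("utf-8", errors="replace"), layers


def triage_command_line(cmdline: str):
    """Report evasion switches and decode any -enc payload found on the line."""
    findings, encoded = [], None
    for pattern, label in EVASION_FLAGS:
        m = pattern.search(cmdline)
        if m:
            findings.append(label)
            if m.groups():
                encoded = m.group(1)
    result = {"flags": findings, "decoded": None, "layers": []}
    if encoded:
        text, layers = peel_layers(encoded.encode("ascii"))
        result["decoded"], result["layers"] = text, layers
    return result


def build_layered_sample(script: str) -> str:
    """Constructed stand-in for the base64 -> gzip -> base64 wrapping."""
    inner = base64.b64encode(script.encode("utf-8"))
    return base64.b64encode(gzip.compress(inner)).decode("ascii")


def build_encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a benign script wrapped in the layered encoding and
# carried by a launcher line that uses the switches described in the report.
INNER_SCRIPT = "Write-Host 'constructed sample payload'"
LAYERED = build_layered_sample(INNER_SCRIPT)
SAMPLE_CMDLINE = (
    "powershell.exe -w hidden -noni -ep bypass -enc "
    + build_encoded_command(f"$blob='{LAYERED}'; Write-Host $blob")
)

if __name__ == "__main__":
    report = triage_command_line(SAMPLE_CMDLINE)
    print("flags:", report["flags"])
    print("outer layers:", report["layers"])
    print("inner payload:", peel_layers(LAYERED.encode("ascii")))
```

A single switch such as -ep bypass appears in plenty of legitimate administration scripts; the combination of a hidden window, no interaction, a bypassed execution policy and an encoded command on one line is what makes the launch worth a closer look, and decoding the payload is what tells you whether it matters.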

In addition, FIN6 used PowerShell to create backdoors by leaving a running PowerShell process on a system with a base64 encoded payload. The attackers then used SSH and Remote Desktop Protocol (RDP) for access and lateral movement.

The Metasploit framework was another favorite tool in the FIN6 arsenal, probably selected for several purposes, including creating backdoors that downloaded or listened on a particular port for shellcode to execute.

X-Force IRIS observed FIN6 using Metasploit to inject the Meterpreter payload into legitimate Windows processes, including “services.exe” and “WinLogon.exe.” We also observed several examples of the actors using Metasploit modules for lateral movement within the environment.

POS Malware Deployment

Once the attackers identified POS systems in the target environment, they deployed the FrameworkPOS malware as well as its variant, GratefulPOS, on those systems. In some cases, the actors employed an enterprise software deployment application to place the malware on a system.

The attackers deployed the FrameworkPOS malware with its original filename, “memsniff_dll.dll.” Our forensic experts observed the actors using the name “winhlp.dat” for a PowerShell script that injected FrameworkPOS into the “lsass.exe” process, using a component of the PowerSploit framework.

The contents of the file “winhlp.dat” shown in the figure below revealed that the attackers were running a base64-encoded instruction set within PowerShell to inject the FrameworkPOS malware into the lsass.exe process via Invoke-RPEInj.

Figure 1: Contents of winhlp.dat file

To evade detection by antivirus solutions, which may only look for malware on the disk, the instructions were converted into a memory stream, decompressed and injected into the “lsass.exe” memory space, where they were eventually executed. It is also worth noting that Invoke-RPEInj, or Invoke-ReflectivePEInjection, is a PowerSploit module that injects an executable into a PowerShell or remote process.

Find and Amass Card Data

FrameworkPOS’s functionality has been well-documented in existing security literature, and most of what we observed with this malware aligns with previous observations about it.

Once executed on the system, FrameworkPOS searched running processes for track 1 and track 2 payment card data, and then wrote a string (;<;MachineName>;runOK64) to a log file called “Perflib_perfdata_f44.dat” in “%WINDIR%\temp” on the POS terminal.

When writing data, the malware marked track 1 data with tt1 and track 2 data with tt2. The malware also used a simple XOR encoding mechanism to obfuscate the payment card information.
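For an incident responder, the practical consequence of these two paragraphs is that a recovered log file from the POS terminal is XOR-obfuscated track data, and the card numbers in it must be located and verified before the merchant can scope the breach. The Python below is an added example for this page, not X-Force IRIS or malware code: it assumes the "simple XOR encoding" is a single-byte key (the page does not state the key length), tries every candidate key, and keeps the one that yields track 1/track 2 records whose PANs pass the Luhn check, reporting the PANs masked. The log contents, the tt1/tt2 markers, the machine name and the key are all constructed for the sample.

```python
import re

# Track formats: track 1 is %B<PAN>^<NAME>^<EXP...>?  and track 2 is ;<PAN>=<EXP...>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]{0,50}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}\d{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check used to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a breach report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def recover_track_data(blob: bytes):
    """Try every single-byte key; return (key, sorted masked PANs) for the key
    that exposes the most Luhn-valid track records, or (None, []) if none does."""
    best = (None, [])
    for key in range(256):
        plain = xor_bytes(blob, key)
        pans = [m.group(1).decode("ascii")
                for rx in (TRACK1_RE, TRACK2_RE) for m in rx.finditer(plain)]
        valid = sorted({mask_pan(p) for p in pans if luhn_ok(p)})
        if len(valid) > len(best[1]):
            best = (key, valid)
    return best


# Constructed sample of what the Perflib_perfdata_f44.dat log might hold before
# encoding: the run marker, a tt1 track 1 record, and two tt2 track 2 records
# (one with a deliberately invalid check digit). PANs are standard test numbers.
PLAIN_LOG = (
    b";<;POS-LANE-03>;runOK64\n"
    b"tt1%B4111111111111111^CONSTRUCTED/SAMPLE^25121010000000000?\n"
    b"tt2;5500000000000004=25121010000000000?\n"
    b"tt2;4111111111111112=25121010000000000?\n"
)
XOR_KEY = 0x5A                               # constructed key for the sample
SAMPLE_LOG = xor_bytes(PLAIN_LOG, XOR_KEY)   # what the responder would recover

if __name__ == "__main__":
    key, pans = recover_track_data(SAMPLE_LOG)
    print(f"key: {key:#04x}" if key is not None else "no key found")
    for p in pans:
        print("valid PAN:", p)
```

Scoring keys by the number of Luhn-valid PANs rather than by printable-character ratio is what makes the search robust: a wrong key occasionally produces readable junk, but it does not produce a well-formed track record with a valid check digit. The invalid-check-digit record in the sample is dropped for the same reason.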

Of note, the FrameworkPOS malware targets all running processes — with the exception of the process it is injected into. It will further ignore processes with fewer than five characters of module path and processes with the following names:

Figure 2: List of hardcoded processes where FrameworkPOS does not search for payment card data

Data Exfiltration

To exfiltrate the stolen data, the attackers employed scheduled tasks with innocuous names such as “WindowsSys” from compromised servers to collect and put the data into numbered .dll files.

Previous studies have detailed FrameworkPOS’s use of Domain Name System (DNS) tunneling for data exfiltration, and the 2016 attribution of FIN6 noted that the group had used FTP command lines for exfiltration. X-Force IRIS did not observe a particular exfiltration methodology in the cases we researched; however, we consider DNS tunneling to be a plausible method based on tactics used by other groups that operate the FrameworkPOS malware.

Similar to previous cases in which the GratefulPOS variant was used, we observed communications with a command-and-control (C&C) domain the malicious actors created to appear as a legitimate security vendor’s website. Once we identified the domain in the samples we analyzed, we sinkholed it to help prevent further criminal use.

Attack Flow Illustration

The graphic below illustrates FIN6’s attack flow according to the activity X-Force IRIS observed. This attack behavior corresponds with the steps X-Force IRIS observed in the investigation and is characteristic of most attackers. It is illustrated in more detail in our Cyberattack Preparation and Execution Frameworks, which were released in July 2018.

Figure 3: X-Force IRIS observed FIN6 activity establishing a foothold in the environment, escalating privileges, moving laterally, conducting internal reconnaissance, maintaining persistence and meeting its objective by exfiltrating payment card data.

Dig Deeper to Enhance Defenses

FIN6’s skill at acquiring legitimate login credentials, bypassing antivirus systems, and quietly exfiltrating data on millions of credit cards underscores the value of digging deeper into threat data to identify and eradicate potential POS malware. Basic antivirus services are unlikely to provide sufficient protection against cybercriminal groups who specialize in POS Malware operations, particularly in high-risk verticals such as the retail sector.

By continuing to track and share the TTPs of POS malware groups, X-Force IRIS aims to identify additional security measures to help organizations mitigate the threat to both their networks and their valued customers.

To help lower the risk of mass credit card data theft from POS machines, organizations that deploy point-of-sale endpoints can consider the following security practices:

  • Decrease the potential for login credential theft by enhancing employee education of credential harvesting techniques, ensuring robust physical security, employing software to detect phishing emails and implementing a strong password policy.
  • Allow Domain Administrator accounts for POS systems to interact only with Domain Controllers to segregate these accounts from internet-facing systems and reduce their risk of credential compromise.
  • Use additional segregation techniques to isolate POS systems from the rest of the network, including firewalls and separate login accounts for authorized users.
  • Strictly limit the number of individuals with access to the POS portion of the network based on job duty and necessity. Implement careful audit logging and multifactor authentication (MFA).
  • Harden internet-facing systems by disabling unused ports, unused accounts and other functionalities not necessary for system operations.
  • Whitelist processes and not just applications, such as allowing the execution of only signed PowerShell scripts.
  • Employ threat hunting to proactively discover advanced threats that often evade traditional detection techniques.
  • Follow threat intelligence on the POS malware threat and incorporate up-to-date IoCs into internal security mechanisms to improve the likelihood of identifying known FIN6-related activity on the network.
  • Contract periodic penetration testing services for both software and hardware of the POS installations used across the business.

Indicators of Compromise

Below are the indicators of compromise (IoCs) associated with this attack.

File Hashes and File Size

  • First Stage PowerShell Script
    • MD5: 0d30c2748e70246acbfa726e9d5ae289
    • SHA1: 3fc9c9826a454bb121787f6b5b8849cf323e93ba
    • SHA256: 3e745df7511308b18bab51a08e929bbf96aa69df91c077497db33a6390b09493
    • Size: 354,391 bytes
  • Second Stage PowerShell Script
    • MD5: b793c45911b99f6bb1be8cb6e9403e7a
    • SHA1: 98aab54447f182f98d4c2f1a71162dabd62189f2
    • SHA256: 864af4f3e9e9e77bfcc443fcacd1a478c511fd997cd4b76a937e6903ce8a8c02
    • Size: 1,050,557 bytes
  • FrameworkPOS Malware (32bit)
    • MD5: b8dfbdd7b8d23295bb800804ec8d5fe6
    • SHA1: a493c58aa8b931bbc9dd6f2919e47aac89d8e590
    • SHA256: 81e870caebc9b4e6e886a9bb0c9c03c117275c9bf377fd6d9fa3f1fa15cb29e4
    • Size: 111,104 bytes
  • FrameworkPOS Malware (64bit)
    • MD5: 964f6b08a5bd0c4455262b20e07cb4b7
    • SHA1: 0ae937fdb26b08e3878c0301676329f7189bcb8e
    • SHA256: 3d9ef7a0a768aff27301606b60d72b6c43f06f2003f81f477b8163a82183ffed
    • Size: 133,632 bytes
  • GratefulPOS
    • MD5: 117df747e05bfcf5b522de28b8d0193a
    • SHA1: 4828103a4e37442a54376d92e852029def2a661e
    • SHA256: 60b2d56e71cfb46ec98576eaa5f8d5649fd73bfa792c9e8412b70dfc8bb97bde
    • Size: 155,136 bytes
  • Shellcode Loader (via an open TCP port)
    • MD5: 93c1efc5ae0932cdbf89778d4414168c
    • SHA1: 01c40a7b571ea8452cab9009802f93a1bb22a3f1
    • SHA256: f5c7910327299ca1fdb8cfe6e56f4e978964207730318e08fb0c17ea29417803
    • Size: 115,200 bytes
  • Downloader
    • MD5: d07592865f601d5238535fc4500479b7
    • SHA1: 22d665e25cd00d3d16b0b97b040d74d40ec75be3
    • SHA256: fde15da4af0e966bba2988dbeb7787f4547a7338054053bb532c82ce275b88fc
    • Size: 128,730 bytes
  • Stager Shellcode
    • MD5: 316c9547c7568b8c8b77642aa06b533c
    • SHA1: d338285aabbb15e3efa802eed1bac16cb4451a07
    • SHA256: 506c9c7817409c9706f100d1bf2d24862bf1ea2ebb766c106d8d90fb03ee01a3
    • Size: 471 bytes
  • Downloader
    • MD5: 117df747e05bfcf5b522de28b8d0193a
    • SHA1: 4828103a4e37442a54376d92e852029def2a661e
    • SHA256: 60b2d56e71cfb46ec98576eaa5f8d5649fd73bfa792c9e8412b70dfc8bb97bde
    • Size: 155,136 bytes

File Information (Respectively)

  • 1st Stage PowerShell Script: PowerShell script
  • 2nd Stage PowerShell Script: PowerShell script
  • FrameworkPOS Malware (32bit): Win32 DLL
  • FrameworkPOS Malware (64bit): Win64 DLL
  • Shellcode Loader: Win32 EXE
  • Downloader: Win32 PE
  • Stager Shellcode: Binary blob
  • Downloader: Win32 EXE, File name: bodvbhjg.exe

The post X-Force IRIS Identifies FIN6 Activity on POS Networks appeared first on Security Intelligence.

Author: X-Force IRIS

Cybercrime, Cybercriminals, Cybersecurity Training, Incident Response, Incident Response (IR), insider threat, Security Awareness, Security Training,

Security Gamification Engineer Richard Moore Proves That Anyone Can Be a Hacker

Richard Moore makes his living literally building games.

Richard’s work as a security gamification engineer seems to be the stuff of legend, which is why he must often stress to people that it’s very much a real job. As he sees it, he’s not just playing games all day — he’s building engaging challenges to help teach the next generation of professionals about cybersecurity.

For Richard, one critical aspect of building these gamified scenarios is learning to think like a hacker. You may be picturing the Hollywood hacker stereotype, but the reality is that anyone can be a hacker in the real world. This is why understanding how threat actors work can be so intricate.

“A lot of people have this idea of a hacker in a basement in a hoodie, and it’s really dark — and they’re furiously typing away, coding,” Richard said. “That’s not quite how it happens, so being able to raise awareness through these scenarios helps people learn.”

Indeed, it’s Richard’s job to introduce this line of thinking to businesses and students at the IBM X-Force Command Center and Cyber Range in Cambridge, MA.

A Lifelong Passion for Technology

Having shown a knack for technology since childhood, Richard built his first computer at age 14 and learned a lot by continually losing data and having to start again from scratch. Those experiences taught him how to look at the whole system rather than at isolated pieces.

While he knew early on that technology was his passion, he wasn’t always sure about his focus. After briefly dabbling in web design, Richard finally found his calling when he discovered computer programming.

An opportunity at IBM arose when Richard was fresh out of college, and he seized it with open arms. He’s been at IBM ever since — getting into the minds of malicious actors and showing people how to build more robust systems through security gamification.

Unlocking the Competitive Spirit of Security

Richard wants to bring out the competitive streak in everyone and believes that competition is a “huge motivator” that adds an edge to learning.

“We’ve all seen presentations from people trying to teach us something about a subject, but there’s only so much you can consume through that method of delivery,” Richard said. “Challenging people to really think about the problem gains better results, and learning on your own does not yield as much as learning with other people.”

Richard’s seen it all at his capture the flag (CTF) challenges at IBM, where security teams compete by taking turns hacking and defending a network. During these competitions, he’s witnessed everything from competitors shouting across the room and hurling insults to name-calling — and even shushing and waving people away when they’re trying to help.

“It’s so interesting to see people who are in that mode,” he chuckled. “They are so deep into it.”

By taking on the role of a malicious actor in one of these scenarios, a security professional can gain valuable insights into the motivations and tactics of cybercriminals. In order to make the games and challenges as believable as possible, it’s Richard’s job to think of how a company would build a secure system — and how a cybercriminal would attack those systems.

“A developer might develop code and know to look out for things like Cross-Site Scripting (XSS), but they’ve never actually tried to trigger one of those exploits themselves,” Richard said. “Giving them that perspective is a really interesting way for them to learn — being able to execute the exploits, being able to see what a hacker sees when they’re hacking.”

If hacking is a battle of wits between humans and machines, Richard must outwit them all.

Richard Moore's job is to outwit hackers

Security Gamification Shows That Anyone Can Be a Hacker

At the 2018 IBM Think conference in Las Vegas, Nevada, his team ran a booth that featured a two-minute hacking challenge. Visitors were tasked with breaking into an unpatched system, and many people were amazed at how easy it was to run and execute remote commands on the target network.

“One of the major problems right now is script kiddies,” Richard said. “These are people who just download open source tools that are meant for good, and they point them at whatever they want, press ‘Go,’ and it fires a suite of exploits at a system hoping one of them will work.”

Although 99 percent of these attempts fail, Richard emphasized, a script kiddie only needs to be right once.

“These people don’t fully understand what they’re doing — they have no awareness — but they want to boast on forums that they took down this website or managed to find an exploit in this website,” he added.

Script kiddies are just a nuisance, though. The biggest problem Richard sees these days is insider threats — the fact that anyone can easily become an unwitting accomplice to cybercrime.

“A company spends millions on defensive software to stop hacks coming in through the internet, but if one guy with a USB stick walks through the door and plugs in some malware, all those millions have been bypassed, and all that software is useless,” Richard said. “Now there’s a backdoor into the network while the security monitors the front door.”

Why Lack of Cyber Awareness Is the True Enemy

While most big companies are already working to remediate these risks, it’s the smaller businesses, charities and nonprofits that most worry Richard. These organizations don’t have money to throw at user education and are more likely to assign dual roles to one person. For example, the web designer might also be responsible for security simply because he or she is well-versed in technology.

“We need more people in security, there’s no doubt about that,” Richard said. “But on top of that, it’s ordinary people with a lack of awareness. Security is not taught in schools unless you’re on a specific course, so the majority of people who get into jobs don’t know how easy it is to hack things and get at data, and how easy it is to manipulate people.”

Emphasizing that being manipulated by a hacker “is not about intelligence,” Richard noted that data could be harvested from anywhere — especially in an age when we share so many personal details online. Cybercriminals can use any of that data to trick unsuspecting users into opening the door to enterprise networks, and dedicated threat actors will persist until they hit the payload.

“It’s very much a human-versus-human battle: You can’t just write something and think ‘I’m now protected,’” Richard said. “You have to think of what they’re going to do to counteract what you’ve come up with. It’s a circle of counteracting the counteraction to your counteraction.”

And here we circle back to the theme of competitiveness driving an outcome: Whether it’s in a gamified scenario or the very real cyberthreat landscape, we need more security specialists like Richard to help us arm ourselves with a battle cry.


The post Security Gamification Engineer Richard Moore Proves That Anyone Can Be a Hacker appeared first on Security Intelligence.

Author: Lauren McMenemy

Advanced Threats, Cyberattacks, Cybercriminals, IBM Security, IBM X-Force Incident Response and Intelligence Services, Incident Management, Incident Response, Incident Response (IR), Phishing, Security Framework, Security Intelligence & Analytics, Social Engineering, Threat Intelligence, Threat Management, Threat Monitoring, Threat Protection, X-Force,

How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 4

This article is the final installment in a four-part series that examines how the X-Force IRIS cyberattack frameworks can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out the entire series for the full scoop.

Even after an organization’s network has been compromised, the security team still has opportunities to find and dispel the attackers before they can expand their access within the network and achieve other objectives. Attackers, particularly advanced attackers who are good at evading detection, may spend a significant amount of time in a network, giving defenders time to foil their schemes.

The IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework helps security practitioners understand how a cyberattack occurs and provides a model to identify opportunities to lower the risk of a successful breach.

IBM IRIS Cyberattack Preparation Framework — Schematic View

Since we’ve already recommended actions to help identify and subvert attackers throughout their preparation and the early stages of an attack, we can now explore the final opportunities a security team has to thwart an attack before it can cause financial, reputational and other types of damage.

By dissecting the phases of the framework in which attackers conduct internal reconnaissance, move laterally, escalate privileges and meet their objective, security teams can determine what steps they must take to help reduce the risk of attackers moving around the network and stealing privileged data.

Read the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Beyond the Initial Compromise: Expand Access Stage

Advanced attackers often spend significant time and effort in the expand access stage, gaining the required visibility and searching for proprietary information that accomplishes their mission.

Attackers’ activities during this phase can mimic the commands and actions of typical users, and it can be difficult to distinguish the activities of the “expand access phase” from normal operations. Still, finding and mitigating an attack at these stages represents defenders’ final opportunity to prevent further harm.

Internal Reconnaissance

Once attackers enter the network, they may collect additional information about users and groups on the network, examine the access levels used and identify available files or databases before determining the next steps to gain greater access.

Security teams don’t always have a smoking gun to alert them to internal reconnaissance activities because attackers often use commands inherent to the operating system rather than malware, which makes this activity harder to detect with traditional controls.

However, security teams can help detect malicious activity by building a baseline for typical user behavior and threat hunting for anomalies. To enrich information about legitimate user patterns, security teams can use machine learning for behavioral biometrics and equip their logging and analysis platform with artificial intelligence (AI)-enabled applications.

Another option to help detect internal reconnaissance is to set up honeypots. A honeypot is a deceptive file or system designed to trick attackers into accessing it. A honeypot can be as simple as a file that contains false information disguised as lucrative data that an attacker would be likely to search for. It could also be a false subnetwork that an attacker might spend a lot of time filtering through.

If an attacker accesses a honeypot, the system will send an immediate alert to security teams with details regarding the activity on the honeypot, including user information and logged keystrokes. Although there is no guarantee that attackers will ever access a honeypot, even after compromising the network, a honeypot can be both simple to implement and low-cost.

An Attacker Moves Through the Network

During the “move laterally” and “escalate privileges” phases, the attacker gains access to more resources within the compromised network by moving to additional hosts with different or greater access, such as an administration account. This process can include obtaining additional credential information, stealing public key infrastructure (PKI) certificates, and accessing privileged accounts or computers.

Impede Attackers’ Steps With the Principle of Least Privilege

The principle of least privilege can limit the attacker’s ability to easily move throughout the network. We had previously considered least privilege in terms of system access authorizations, but the principle is best applied to user account access when discussing lateral movement and privilege escalation.

Attackers often seek multiple user credential sets to gain additional access to other parts of the network. By restricting all user access to only the resources required for their daily tasks, security teams can limit what an attacker would be able to achieve with the same credentials. In addition to role-based privilege restrictions, access restrictions can also be made based on the expected context of the activity, such as restrictions on the time of day that remote access is allowed and what users from certain geographic locations are able to do.

When it comes to administration accounts and the principle of least privilege, administrators should also have a standard user account. The administration account should only be accessed for specific, required tasks with the standard account used for the bulk of daily activities.

The administration accounts should be monitored for anomalies, such as a user spending an unusually large amount of time on it. If possible, use the separation of duties and rotation principles to divide administration tasks among several accounts to limit the access that an attacker would have with one set of administrator credentials.

The principle of least privilege also applies to the network. Segment the network into logical components where trust and communication between the segments is strictly controlled. Segmenting the network is akin to creating several mini-networks under the larger network umbrella. In this sense, an attacker would need to invest the same amount of effort to compromise each segment as the initial compromise, slowing or restricting the attacker’s ability to gain access to the full environment. At the same time, defenders would have a better chance to identify the intrusion through threat hunting and other security controls.
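The role-based and contextual restrictions described above, together with the admin-account monitoring, worked through as a small policy evaluator. This is an added example, not code from the X-Force IRIS white paper or from IBM; the roles, resources, permitted hours, expected countries and the 60-minute admin-session threshold are all constructed assumptions.

```python
"""Least-privilege access decisions with contextual rules and admin-session monitoring.

Added example (not from the X-Force IRIS framework); every role, resource,
time window, country list and threshold below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> resources needed for that role's daily tasks (constructed).
ROLE_RESOURCES = {
    "hr-analyst": {"hr-db", "payroll-share"},
    "developer": {"git", "build-server"},
    "domain-admin": {"dc01", "dc02", "hr-db", "git", "build-server"},
}
# Contextual rules: hours (UTC, start inclusive, end exclusive) in which remote
# access is permitted, and source countries expected for each role (constructed).
REMOTE_HOURS = {"hr-analyst": (7, 19), "developer": (6, 22), "domain-admin": (8, 18)}
EXPECTED_COUNTRIES = {"hr-analyst": {"US"}, "developer": {"US", "DE"}, "domain-admin": {"US"}}
ADMIN_ROLES = {"domain-admin"}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    when: datetime              # timezone-aware, UTC
    country: str                # from the source IP's geolocation
    remote: bool                # True when the session originates outside the corporate network
    session_minutes: int = 0    # how long the current session has been active


def evaluate(req, max_admin_session_minutes=60):
    """Return {"allow": bool, "deny": [...], "anomalies": [...]}.

    Hard rules deny the request; anomalies do not block but should page the
    security team (for example an admin account used like a daily-driver account).
    """
    deny, anomalies = [], []
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        deny.append("resource not required by role")
    if req.country not in EXPECTED_COUNTRIES.get(req.role, set()):
        deny.append("unexpected source country for role")
    if req.remote:
        start, end = REMOTE_HOURS.get(req.role, (0, 0))
        if not start <= req.when.astimezone(timezone.utc).hour < end:
            deny.append("remote access outside permitted hours")
    if req.role in ADMIN_ROLES and req.session_minutes > max_admin_session_minutes:
        anomalies.append("admin account in use longer than a typical task")
    return {"allow": not deny, "deny": deny, "anomalies": anomalies}


def run_demo():
    """Constructed requests covering an allowed case and each rule in turn."""
    t = lambda hour: datetime(2018, 11, 5, hour, 30, tzinfo=timezone.utc)
    cases = [
        AccessRequest("jdoe", "hr-analyst", "hr-db", t(10), "US", remote=True),
        AccessRequest("jdoe", "hr-analyst", "git", t(10), "US", remote=False),
        AccessRequest("mlee", "developer", "git", t(23), "DE", remote=True),
        AccessRequest("admin-rk", "domain-admin", "dc01", t(9), "US", remote=False, session_minutes=240),
        AccessRequest("admin-rk", "domain-admin", "dc01", t(9), "BR", remote=True),
    ]
    return [evaluate(c) for c in cases]
```

The fourth request is the separation-of-identity case from the text: the admin account is entitled to the resource, so the request is allowed, but a four-hour admin session is reported as an anomaly rather than silently accepted.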

Harden Password Policies

Finally, security teams and administrators should enforce strong user password policies. Enabling multifactor authentication (MFA) can help limit an attacker’s ability to access additional user accounts with a stolen username and password. If employees use multiple systems to perform their job duties, restrict the ability to use the same password across systems. At the administrative level, protect against pass-the-hash and other password-stealing methods by storing password hashes in secured locations.

The Attacker Accomplishes the Goals of the Cyberattack

By completing some or all of the phases in the cyberattack framework, attackers hope to complete their objective of the intrusion. Threat actors’ end goals can range from reconnaissance to theft of data or finances to destruction of victims’ assets.

Often advanced attackers will exfiltrate privileged information as their goal or as a step toward achieving their goal. This information can be used for espionage purposes in the case of state-sponsored cyberintelligence groups or corporate competitors or sold for a profit by financially motivated adversaries.

Learn more about the X-Force IRIS Cyberattack Preparation and Execution Frameworks

Look for Data in Transit

To identify attackers beginning the final stage of the cyberattack, security teams can monitor or restrict unusual data transfers, such as:

  • Creation of RAR files: It is common for attackers hoping to exfiltrate large amounts of data quickly to compress and encrypt the information. To accomplish this, attackers typically convert the data into RAR files, although other archives can be used. Security teams can monitor for and inspect the creation of RAR files.
  • High volume of email to external addresses: An attacker using valid employee credentials may use an employee’s email account to exfiltrate data from a network. Security teams should investigate spikes in emails to external addresses, particularly if these emails contain attachments.
  • Creation of auto-forwarding rules or delegated email accounts: To steal emails, attackers may create email forwarding rules or account delegates to access emails from their own accounts. Security teams should monitor for the creation of auto-forward rules and new email delegates or prohibit this activity.
  • Increase in uploads to websites: Security teams can also look for spikes in the volume of employee uploads to non-corporate websites. Attackers may use a valid user account to upload proprietary data to an attacker-controlled website or cloud storage service.
  • Unsanctioned port activity: Attackers can use a variety of ports and protocols to exfiltrate data, including file transfer protocol (FTP) and the Domain Name System (DNS). Security teams can monitor for excessive traffic leaving through these protocols. To take proactive action, security teams can use dedicated servers for these protocols and close these ports on other servers.
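The five indicators in the list above, implemented as detectors over a constructed stream of normalised events (endpoint file creation, sent mail, mailbox rule changes, HTTP uploads and DNS queries). This is an added example, not code from the article or from IBM; the corporate domain, user names, thresholds, baselines and every event are constructed for illustration.

```python
"""Detect the data-in-transit indicators listed above over constructed telemetry.

Added example, not code from the article or IBM: domains, user names,
thresholds and every event below are constructed for illustration.
"""
from collections import Counter, defaultdict

CORPORATE_DOMAINS = {"example-corp.com"}     # constructed: the organisation's own domains
ARCHIVE_EXTS = (".rar", ".7z", ".zip")       # archives attackers stage before exfiltration


def is_external(address_or_domain):
    """True when a mail address or hostname belongs to no corporate domain."""
    domain = address_or_domain.rsplit("@", 1)[-1].lower()
    return domain not in CORPORATE_DOMAINS


def detect_archive_creation(events):
    """Every archive written by an interactive user is worth inspecting."""
    return [("archive_created", e["user"], e["path"]) for e in events
            if e["type"] == "file_create" and e["path"].lower().endswith(ARCHIVE_EXTS)]


def detect_external_email_spike(events, baseline_per_user, factor=3):
    """Outbound mail with attachments to external addresses, against each user's daily baseline."""
    counts = Counter(e["user"] for e in events
                     if e["type"] == "email_sent" and e["attachments"] > 0 and is_external(e["to"]))
    return [("external_email_spike", user, n) for user, n in counts.items()
            if n > factor * baseline_per_user.get(user, 1)]


def detect_forwarding_rules(events):
    """Auto-forward rules or delegates that point outside the organisation."""
    return [("mailbox_rule", e["user"], e["target"]) for e in events
            if e["type"] == "mailbox_rule" and e["action"] in ("forward", "delegate")
            and is_external(e["target"])]


def detect_upload_volume(events, threshold_bytes=500 * 1024 * 1024):
    """Bytes uploaded per user to non-corporate sites, against a fixed ceiling."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "http_upload" and is_external(e["domain"]):
            totals[e["user"]] += e["bytes"]
    return [("upload_volume", user, total) for user, total in totals.items() if total > threshold_bytes]


def detect_dns_tunnelling(events, max_unique_labels=50, min_avg_label_len=30):
    """One host resolving many distinct, long subdomains of one parent suggests DNS exfiltration."""
    labels = defaultdict(set)
    for e in events:
        if e["type"] == "dns_query":
            parts = e["qname"].lower().split(".")
            labels[(e["host"], ".".join(parts[-2:]))].add(parts[0])
    alerts = []
    for (host, parent), seen in labels.items():
        avg_len = sum(map(len, seen)) / len(seen)
        if len(seen) > max_unique_labels and avg_len >= min_avg_label_len:
            alerts.append(("dns_tunnel", host, parent))
    return alerts


# Constructed events, normalised from endpoint, mail-server and DNS logs.
EVENTS = (
    [{"type": "file_create", "user": "jdoe", "path": r"C:\Users\jdoe\AppData\Local\Temp\batch01.rar"}]
    + [{"type": "email_sent", "user": "jdoe", "to": f"drop{i}@mail-drop.example", "attachments": 1}
       for i in range(8)]
    + [{"type": "email_sent", "user": "asmith", "to": "partner@supplier.example", "attachments": 1}]
    + [{"type": "mailbox_rule", "user": "asmith", "action": "forward", "target": "asmith.mail@webmail.example"}]
    + [{"type": "http_upload", "user": "jdoe", "domain": "share.cloud.example", "bytes": 700 * 1024 * 1024}]
    + [{"type": "dns_query", "host": "ws01", "qname": f"{'a' * 40}{i:03d}.tunnel.example"} for i in range(60)]
    + [{"type": "dns_query", "host": "ws02", "qname": "www.example-corp.com"}]
)
BASELINE_EXTERNAL_MAIL = {"jdoe": 2, "asmith": 5}   # constructed per-user daily averages


def run_all(events=EVENTS, baseline=BASELINE_EXTERNAL_MAIL):
    """Run every detector and return the combined list of (rule, subject, detail) alerts."""
    alerts = []
    for detector in (detect_archive_creation, detect_forwarding_rules,
                     detect_upload_volume, detect_dns_tunnelling):
        alerts.extend(detector(events))
    alerts.extend(detect_external_email_spike(events, baseline))
    return alerts
```

The e-mail and upload detectors are deliberately relative to a per-user baseline or a fixed ceiling rather than absolute: asmith's single external message is normal, jdoe's eight with attachments is four times that user's baseline. The DNS check looks at label length and cardinality, which is what distinguishes encoded data from ordinary lookups.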

A Defender’s Work Isn’t Over

If defenses are insufficient or unable to track and stop attackers from accomplishing their mission, the organization’s security team and business leaders still have a lot of work to do to contain and remedy the compromise.

A breached organization would likely activate its incident response team and procedures and may require additional expertise from a specialized security vendor. After a security compromise, the organization needs to explore what happened, what the damage consisted of, how to mitigate the damage and, finally, how to prevent it from happening again.

Organizations can prepare for an attack by building a dedicated team and training it to respond to security incidents. To practice relevant attack scenarios, the response team can participate in tabletop exercises or simulations that mimic a cyberattack to find shortcomings in their mitigation and remediation processes. Simulations can help security leaders establish quick-action response processes and communication policies in anticipation of a breach. Continuous training can help prepare the team to act quickly and efficiently during a real-world event.

Even after attackers have accomplished their objectives, they will often leave their backdoors in the network open to return to the environment at a later date. For this reason, an effective incident response must include finding and closing those security gaps.

Forensic analysis is part of understanding the attack and learning from it. A thorough examination of available forensics can help security teams understand details of the attack, which can aid in establishing mitigation priorities, providing data to law enforcement and planning risk reduction strategies to protect against future threats.

Learn More About the IBM X-Force Cyberattack Framework

By dissecting each phase of the IBM X-Force cyberattack preparation and execution framework, security leaders can create a prioritized and cost-effective collaborative-defense strategy that can help minimize the attack surface and reduce the risk of an attack succeeding.

To learn more, read the X-Force IRIS cyberattack preparation and execution frameworks white paper and listen to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”

The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 4 appeared first on Security Intelligence.

Author: Alexandrea Berninger

Cyberattacks, Cybercriminals, Fraud Protection, IBM Security, IBM X-Force Incident Response and Intelligence Services, Incident Management, Incident Response, Incident Response (IR), Phishing, Security Framework, Security Intelligence & Analytics, Social Engineering, threat hunting, Threat Intelligence, Threat Management, Threat Monitoring, Threat Protection, X-Force,

How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 3

This article is the third installment in a four-part series that examines how the X-Force IRIS cyberattack framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out part 1 and part 2 for the full scoop.

Any determined attacker has a good chance of being able to infiltrate a network. However, just because an attacker makes it through the front door, that doesn’t mean they will walk away with the organization’s proprietary data. While the first two posts in this series recommended actions to hinder an attacker’s ability to plan and launch an attack, this post will explore how to subvert an attacker already in a network.

The IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework helps organizations understand how cyberattackers achieve their objectives and provides a model for identifying actions security practitioners can take to lower the risk of a successful breach.

The process for defenders to find and halt the activities of attackers already in the network begins with recognizing and mitigating the initial compromise and then covers opportunities to find and track attackers as they establish a foothold in the network.

Read the Complete White Paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

IBM IRIS Cyberattack Execution Framework

IRIS Cyberattack Preparation Framework — Schematic View

Beyond Perimeter Defense

Although the goal may be to stop an attack from occurring, the reality is that perimeter defense — such as antivirus solutions and firewalls designed to stop malware from entering the network — is not a failproof solution and cannot be relied on as the only defense. Perimeter defense has value as one of several defense layers and can be effective at stopping opportunistic attacks, in which an attacker uses known vulnerabilities and malware against multiple organizations in the hope of breaching the least-prepared target.

Perimeter defense is less likely to stop a targeted attack where a persistent and adaptive attacker has tailored an attack to circumvent defenses and can adapt their tactics to changes or roadblocks.

There are countless opportunities for an attacker to breach a network and there is no single solution that will stop them from compromising the organization’s network if they are motivated to find a way inside. Instead, defenders need to consider how to prioritize controls that can increase the odds of finding and stopping an attacker from achieving their goal.

Organizations have a finite amount of resources to devote to security, and using a cyberattack framework to analyze attacker techniques can aid in finding the defensive strategy that will give the most significant return on investment.

Initial Compromise (Think: Phishing Attacks!)

The IBM X-Force IRIS cyberattack framework initiates after a cyberthreat actor has launched an attack, beginning with a successful initial compromise. The initial compromise occurs when the attacker has gained access to at least one host on the network or has otherwise gained access to the network — perhaps via logging on with stolen or brute-forced credentials.

Phishing emails are the most common threat vector for attackers to gain network access. Therefore, focusing resources to harden this initial attack surface can help reduce the risk of initial compromise.

In a phishing or spear phishing attack, a fraudulent email or electronic communication is sent to users within an organization, luring them into revealing network credentials, clicking a link or downloading a legitimate-looking attachment with hidden malware. Depending on the attacker’s techniques and goals, phishing attacks can occur with or without the use of malware.

Implementing the following security features, educating employees, and revisiting internal security and reporting processes can reduce the risk of a phishing email being successful:

  • Disable macros: Windows macros are programs that are embedded within other programs to automate repetitive tasks. Although Windows’ security features now include an automatic pop-up that requires the user to enable macros in many productivity files, users can still be fooled into doing so after receiving a well-crafted phishing scam. Disabling macros as a policy can help prevent malicious attachments from running the embedded malware and reduce chances of infection.
  • Enforce policies that prevent users from running untrusted code: Macros are not the only option for attackers who want to embed malicious code within phishing emails or attachments. Since attackers use a variety of other methods, preventing users from running any untrusted code can further mitigate this threat.
  • Create banners that identify emails coming from external addresses: Easily identifiable banners could alert employees to look-alike sender addresses that differ from a trusted address by only a changed character or two. These are designed to resemble trusted emails but are actually crafted by attackers, making them hard to spot visually.
  • Configure intrusion prevention systems (IPS) and intrusion detection systems (IDS) to alert on potential phishing emails: IPS and IDS solutions monitor network traffic, and can either alert (in the case of an IDS) or block (in the case of an IPS) malicious traffic. These systems can be configured to alert on known or suspected malicious emails.
    Both solution types are valuable defense layers. IDS can be configured to alert on a broader set of signatures, while IPS detection signatures should be based on higher confidence of malicious activity. To enhance protection, make a point of maximizing storage and retention policies for data collected from an IDS or IPS. This data can be valuable forensic evidence for incident response teams looking to analyze, contain and mitigate a breach.
  • Employ protection platforms on email servers: A malicious email detection solution implemented at the email gateway can further help defenders identify and block fraudulent emails. These services can blacklist known sources of ransomware and phishing attacks and will analyze all attachments or URLs sent via email in a sandbox before users access them. Making sure email content is “clean” means employees are less likely to fall prey to a phishing attempt.
  • Ensure hosts are equipped with solutions to identify and prevent malware from running: Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) platforms are additional layers that can help detect indicators of an attack and may help stop malicious files from running. They can also alert the security team to a potential attack.
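The external-sender banner and the look-alike address check from the list above, combined in one small gateway step. This is an added example, not code from the article or any IBM product; the corporate domains, the confusable-character map, the edit-distance threshold and the sample message are constructed, and the code handles plain-text messages only.

```python
"""Tag mail from outside the organisation and flag look-alike sender domains.

Added example, not from the article: the corporate domains, the confusable
character map, the distance threshold and the sample message are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example-corp.com", "examplecorp.com"}   # constructed

# Characters commonly substituted for look-alike letters (constructed subset; includes Cyrillic а/е/о/р).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"})


def normalise(domain):
    return domain.lower().translate(CONFUSABLES)


def levenshtein(a, b):
    """Edit distance; a small value between a sender domain and a corporate domain means a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, max_distance=2):
    """'internal' for corporate domains, 'lookalike' for near-misses, otherwise 'external'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    norm = normalise(domain)
    if any(norm == corp or levenshtein(norm, corp) <= max_distance for corp in CORPORATE_DOMAINS):
        return "lookalike"
    return "external"


# Kept under 78 characters so the body stays 7-bit and readable in the raw message.
BANNERS = {
    "external": "[EXTERNAL] This message came from outside the organisation.",
    "lookalike": "[WARNING] Sender domain resembles a company domain but is not one.",
}


def add_banner(raw_message):
    """Classify the From: address and prepend a banner to a text/plain body.

    Returns (verdict, message_text). Internal mail is returned unchanged.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdict = classify_sender(parseaddr(str(msg["From"]))[1])
    if verdict == "internal":
        return verdict, raw_message
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNERS[verdict] + "\n\n" + body.get_content())
    subject = str(msg["Subject"] or "")
    del msg["Subject"]
    msg["Subject"] = f"[EXTERNAL] {subject}"
    return verdict, msg.as_string()


# Constructed phishing sample: the digit 1 stands in for the letter l in the sender domain.
SAMPLE = """From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: jdoe@example-corp.com
Subject: Password reset required
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in here to keep your access.
"""
```

Normalising confusable characters before measuring edit distance is what catches the sample: "examp1e-corp.com" is two steps from the real domain by raw comparison but identical once the digit is mapped back to a letter, so it is labelled a look-alike rather than merely external.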

In addition to phishing attacks, which target the operating systems employees use (also known as client-side attacks), cyber adversaries can also employ server-side attacks that target the servers an organization operates, for example by compromising a web application or exploiting a network vulnerability. Good network hygiene — such as securing open ports, performing input validation and ensuring effective patch management — is one way to reduce the risk of server-side attacks.

Attackers Establish a Foothold and Maintain Persistence

In the next phase in the framework, the attacker establishes a foothold by ensuring access and control of at least one host or user account within the organization’s network. An attacker can accomplish this by having gained access to network credentials, installing remote control malware on endpoints or installing a backdoor on the network. Typically, attackers will establish a link to their command and control (C2) infrastructure and use it to control endpoints they have infected remotely.

To maintain persistence, an attacker will work to strengthen their foothold in the target environment by securing redundant and overlapping access to the network in case the system is restarted or rebuilt, an access point fails or stolen credentials are reset.

Often, actions to maintain persistence occur simultaneously when the attacker establishes a foothold. For example, an attacker may reference the initial backdoor in a Windows Registry location that could ensure it will run each time the host is restarted. Moreover, actions to maintain persistence can continue to occur throughout the remainder of the attack as the attacker moves deeper into the organization’s networks.

Actions taken by attackers, both for establishing a foothold and for maintaining persistence, can be visible and mitigated. In some cases, malicious activities can be flagged by an IDS/IPS platform or an EPP/EDR platform, which can be configured to search for known threats.
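The Registry autostart example above is one of the persistence mechanisms a detection platform can baseline. The following added example (not code from the article or from IBM) parses two constructed `reg export` text files of the Run keys, a golden baseline and a later capture, and reports new, changed or removed values, applying two cheap heuristics only to entries the baseline does not already explain. The suffix list, path and binary heuristics and both exports are constructed assumptions.

```python
"""Diff autostart (Run / RunOnce) registry values against a known-good baseline.

Added example, not code from the article: it parses the text format produced by
`reg export` ("Windows Registry Editor Version 5.00"). Both exports below and the
path and binary heuristics are constructed for illustration.
"""
import re

AUTOSTART_SUFFIXES = (r"\Microsoft\Windows\CurrentVersion\Run",
                      r"\Microsoft\Windows\CurrentVersion\RunOnce")
# Locations an ordinary user can write to; a persistence entry launching from one deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Interpreters and hosts often used to launch a script or DLL at logon.
SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd.exe")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return {(key, value_name): command} for REG_SZ values under the autostart keys."""
    entries, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_key = key if key.endswith(AUTOSTART_SUFFIXES) else None
            continue
        match = _VALUE_RE.match(line)
        if current_key and match:
            # .reg data escapes backslash and double quote with a backslash
            command = re.sub(r"\\(.)", r"\1", match.group("data"))
            entries[(current_key, match.group("name"))] = command
    return entries


def suspicious(command):
    """Cheap heuristics applied to entries the baseline does not already explain."""
    lowered = command.lower()
    flags = []
    if any(p in lowered for p in USER_WRITABLE):
        flags.append("user-writable path")
    if any(h in lowered for h in SCRIPT_HOSTS):
        flags.append("script/host binary")
    return flags


def diff_autostarts(baseline_text, current_text):
    """Report added, modified and removed autostart values relative to the baseline."""
    base, cur = parse_reg_export(baseline_text), parse_reg_export(current_text)
    findings = []
    for (key, name), command in cur.items():
        if (key, name) not in base:
            findings.append({"key": key, "name": name, "command": command,
                             "change": "added", "flags": suspicious(command)})
        elif base[(key, name)] != command:
            findings.append({"key": key, "name": name, "command": command,
                             "change": "modified", "flags": suspicious(command)})
    for (key, name), command in base.items():
        if (key, name) not in cur:
            findings.append({"key": key, "name": name, "command": command,
                             "change": "removed", "flags": []})
    return findings


# Constructed golden-image export. OneDrive also lives under AppData, which is why the
# baseline, not the path heuristic alone, decides what is new.
BASELINE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Constructed export from the same host later: one value has appeared.
CURRENT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdateSvc"="powershell.exe -File C:\\Users\\jdoe\\AppData\\Roaming\\upd.ps1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''
```

Running the same diff in the other direction (current as baseline) reports the value as removed, which is the signal to look for when an attacker cleans up after themselves; in practice the baseline would be refreshed after each approved software change so that legitimate additions do not pile up in the queue.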

Defenders Go Threat Hunting

While detecting known threats is part of protecting against attacks, when it comes to threats and attacker methodologies that are not yet known, a well-established and effective threat-hunting program can aid in threat identification and mitigation. A new or existing threat-hunting program can be scoped and augmented to help reduce the operational burden on security teams — all while adding value to the overall ability of the organization to find intruders before they can do any harm.

Building a threat profile, as described in the first part of this blog series, can aid in prioritizing threat-hunting requirements around an organization’s most valuable assets and the likely threats most relevant to those assets. To scope a threat-hunting program, it can be helpful to start with a “crawl, walk, run” approach. A narrow focus can begin by examining networks for signs of specific activities of an attacker — for example, establishing a foothold and maintaining persistence — particularly if those actions are against the highest priority assets.

As a threat-hunting team succeeds in these aspects, the scope can be expanded to include more types of activities attackers are likely to take and to search across additional environments and assets.

Once an unknown threat is discovered through threat hunting, its associated indicators can be turned into signatures for the detection and protection platforms, so that any other instances are identified automatically.

Additionally, investment in a centralized logging and analysis platform can automatically prioritize data, setting it into tiers ranging from benign activities to those likely indicating maliciousness. Understanding and labeling telemetry data that is likely due to normal business operations as benign can be just as important as identifying suspicious activity. Whitelisting and creating a baseline for normal activity, as well as performing frequency analysis, can aid in detecting anomalies. Performing this analysis, however, is difficult without some type of centralized logging and analysis platform.
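The whitelisting, baselining and frequency analysis described in this paragraph, and the user-behaviour baseline recommended against internal reconnaissance in part 4 of this series, come down to the same model: count what each user and the organisation normally run, then tier new observations by how far they depart from that. The following added example (not code from the article or from IBM) builds that model from constructed process telemetry; the allowlist, the baseline counts, the new events and both thresholds are constructed assumptions.

```python
"""Baseline normal process activity per user, then tier new telemetry by frequency.

Added example that serves both the internal-reconnaissance and the threat-hunting
passages; it is not code from the article. The allowlist, the baseline events and
the thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict

# Sanctioned software whose execution is labelled benign without further analysis (constructed).
ALLOWLIST = {"outlook.exe", "excel.exe", "chrome.exe", "teams.exe"}


class ActivityBaseline:
    """Frequency model built from (user, host, process) events over a quiet period."""

    def __init__(self, events):
        self.per_user = defaultdict(Counter)      # user -> process -> count
        self.hosts_per_proc = defaultdict(set)     # process -> hosts it has run on
        self.total_per_user = Counter()
        for user, host, proc in events:
            proc = proc.lower()
            self.per_user[user][proc] += 1
            self.hosts_per_proc[proc].add(host)
            self.total_per_user[user] += 1

    def tier(self, user, proc, rare_host_threshold=2, rare_user_ratio=0.01):
        """'benign', 'review' or 'suspicious' for one new (user, process) observation."""
        proc = proc.lower()
        if proc in ALLOWLIST:
            return "benign"
        user_count = self.per_user[user][proc]
        org_hosts = len(self.hosts_per_proc[proc])
        if user_count == 0 and org_hosts <= rare_host_threshold:
            return "suspicious"        # new for this user and practically unseen org-wide
        if user_count / max(self.total_per_user[user], 1) < rare_user_ratio:
            return "review"            # known, but well below this user's usual pattern
        return "benign"


def hunt(baseline, new_events):
    """Everything not benign, in arrival order, ready for an analyst queue."""
    results = []
    for user, host, proc in new_events:
        level = baseline.tier(user, proc)
        if level != "benign":
            results.append((user, host, proc, level))
    return results


# Constructed 30-day baseline: repeated tuples stand in for individual log records.
BASELINE_EVENTS = (
    [("jdoe", "ws01", "outlook.exe")] * 400
    + [("jdoe", "ws01", "excel.exe")] * 150
    + [("jdoe", "ws01", "notepad.exe")] * 3
    + [("asmith", "ws02", "chrome.exe")] * 300
    + [("asmith", "ws02", "net.exe")] * 20     # asmith is help-desk staff; net.exe is routine for them
    + [("bnguyen", "ws03", "net.exe")] * 10
    + [("cpatel", "ws04", "net.exe")] * 10
)

# Constructed new telemetry for the hunt.
NEW_EVENTS = [
    ("jdoe", "ws01", "outlook.exe"),
    ("jdoe", "ws01", "notepad.exe"),
    ("jdoe", "ws01", "whoami.exe"),
    ("asmith", "ws02", "net.exe"),
    ("jdoe", "ws01", "net.exe"),
]
```

The same binary lands in different tiers depending on who runs it: net.exe is benign for the help-desk account that uses it daily, but goes to review for jdoe, who has never run it, and whoami.exe, which nobody in the baseline ran, is the one observation that is escalated. That per-user context is what the paragraph means by labelling normal business operations benign before hunting for the rest.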

Take Defensive Actions to Mitigate Risk

Examining the IBM X-Force IRIS cyberattack framework and the steps attackers take to initially compromise, establish a foothold and maintain persistence can help in identifying prioritized avenues to increase security.

The final post in this blog series will examine defensive actions that can help identify attackers as they move through an organization’s network, escalate their access and exfiltrate proprietary data.


The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 3 appeared first on Security Intelligence.

Author: Alexandrea Berninger

Advanced Threats, Cyberattacks, Cybercriminals, IBM Security, IBM X-Force Incident Response and Intelligence Services, Incident Management, Incident Response (IR), Network, Security Framework, Security Intelligence & Analytics, Threat Intelligence, Threat Management, Threat Monitoring, Threat Protection, Vulnerabilities, X-Force,

How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 2

This article is the second installment in a four-part series that examines how the X-Force IRIS framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to read part one for the full scoop.

Attackers are continually researching companies that are vulnerable to attack and refining their attack plan. However, there are opportunities to undermine a threat actor’s attack preparation and ability to compromise your organization successfully.

IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to better understand, track and defend against patterns of malicious behavior used by various adversarial actors.

The IBM X-Force IRIS cyberattack preparation framework focuses on implementing security procedures applicable to an organization’s internet-facing environment. Increasing network infrastructure security to guard against the attacker’s external reconnaissance and launch attack phases can help reduce the risk of a successful system compromise.

[Figure: IRIS Cyberattack Preparation Framework — Schematic View]

External Reconnaissance: How Attackers Gain Visibility Into Internal Networks

During the external reconnaissance phase of the framework, the attacker will research the target organization and look for exploitable access points, such as unsecured vulnerabilities, unpatched applications and open ports.

Attackers may search forums for usernames and passwords that could give them remote access to the organization’s internal network. They may also reach out to employees to try to convince them to provide their network access credentials or other information the attacker could use.

Finally, attackers seek opportunities to access organizations indirectly. For example, attackers may compromise companies that have third-party access to an organization’s network. This type of attack is known as a supply chain attack. Several publicly known data breaches involved an attacker exploiting an entry point through a third party with weaker security controls than the target company.

Read the complete white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Stop Attackers in Their Tracks

On the defender’s side, there are opportunities to increase visibility on the organization’s internet-facing networks to help analysts find the anomalous or malicious activity that may indicate that an attacker is conducting external reconnaissance. The key to risk reduction during the attacker’s external reconnaissance is understanding the organization’s networks and hardening the attack surface.

First, security teams should examine the organization’s online exposure and opportunities customers have to interact with it via the internet — since a malicious actor can misuse these.

Defenders can gain visibility into an attacker’s actions during the external reconnaissance phase by closely monitoring for unusual browsing of the organization’s external-facing websites. Additionally, an organization can hunt for signs that employee authentication credentials are posted on darknet forums.

Monitoring for unusual activity on public domains can include:

  • Identify the top users on company domains: Identify the most active users on an organization’s customer-facing web pages, and determine whether there are any abnormalities in their account use. Traffic from geographic regions that the company doesn’t operate in or an unusual amount of traffic coming from one internet service provider (ISP) may warrant further investigation. Often, unusual traffic can be more easily spotted after a baseline is established for what is normal.
  • Be cognizant of unusual browsing of web page directories: An attacker may map the organization’s website directories and subdirectories in search of common structures that can be exploited. For example, an attacker may try to use a directory traversal attack to attempt to gain access to restricted directories. To map directories, the attacker will follow the site’s directory tree starting at the parent directory and then drill down to all subfolders and files. When monitoring network traffic, directory mapping appears unusual when compared to how a typical user would browse a webpage. For example, user activity tends to involve less systematic page accesses, with highly varying amounts of time spent on any given page.
  • Limit opportunities for attackers to take advantage of input validation vulnerabilities: Attackers may test input fields and search queries to determine whether there are opportunities to inject malicious code into the website. One example of an input validation vulnerability is an SQL injection attack, where malicious SQL statements are inserted into query fields for execution, potentially resulting in database information exposure or execution of malicious code on the server. Attackers may also try this path to obtain user credential sets from the underlying database.
  • Monitor for abnormal user-agent strings: Attackers can also look for vulnerabilities in the web server by sending code in the user-agent string. The user-agent string is a field in the HTTP header that indicates the platform, operating system and software being used to access the web page. When a web browser requests a page from a web server, it sends the user-agent string. Defenders can whitelist typical user-agent strings and create automatic alerts to highlight any abnormal or rare user-agent strings. Finally, because this is a user-controlled input, hackers can attempt to insert malicious code into the string with the hope it will execute on the receiving system.
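The four checks above, as an added example that is not code from the original post or the X-Force IRIS white paper: it parses constructed combined-format access-log lines and reports clients from regions the business does not serve, clients whose steady cadence and directory enumeration look like mapping rather than reading, and user-agents outside an allowlist. The GEO dictionary, the operating regions and the allowlist prefixes are assumptions standing in for a real GeoIP lookup and a real traffic baseline.

```python
"""Hunt for external-reconnaissance patterns in web-server access logs.

Added example, not code from the original post or the X-Force IRIS white paper.
It implements the checks listed above: traffic from regions the business does
not serve, browsing that looks like directory mapping, and rare user-agents.
The log lines are constructed; GEO stands in for a real GeoIP lookup."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a human visitor, a client walking the directory tree once a second, one odd probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2018:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"
203.0.113.5 - - [10/Jul/2018:09:01:42 +0000] "GET /products HTTP/1.1" 200 8100 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"
203.0.113.5 - - [10/Jul/2018:09:04:10 +0000] "GET /products/widget HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"
198.51.100.7 - - [10/Jul/2018:09:10:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.19"
198.51.100.7 - - [10/Jul/2018:09:10:01 +0000] "GET /admin/ HTTP/1.1" 403 120 "-" "python-requests/2.19"
198.51.100.7 - - [10/Jul/2018:09:10:02 +0000] "GET /backup/ HTTP/1.1" 404 120 "-" "python-requests/2.19"
198.51.100.7 - - [10/Jul/2018:09:10:03 +0000] "GET /uploads/ HTTP/1.1" 404 120 "-" "python-requests/2.19"
198.51.100.7 - - [10/Jul/2018:09:10:04 +0000] "GET /images/ HTTP/1.1" 200 900 "-" "python-requests/2.19"
198.51.100.7 - - [10/Jul/2018:09:10:05 +0000] "GET /images/logo.png HTTP/1.1" 200 4000 "-" "python-requests/2.19"
192.0.2.9 - - [10/Jul/2018:09:20:00 +0000] "GET /search?q=test HTTP/1.1" 200 2000 "-" "CustomScanner/0.1"
"""
GEO = {"203.0.113.5": "US", "198.51.100.7": "US", "192.0.2.9": "ZZ"}  # constructed lookup
OPERATING_REGIONS = {"US", "CA"}           # assumption: where the business has customers
UA_ALLOWLIST_PREFIXES = ("Mozilla/5.0",)   # assumption: baseline of expected browser UAs


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def top_clients(entries, n=3):
    """Most active client addresses, the starting point for a traffic baseline."""
    return Counter(e["ip"] for e in entries).most_common(n)


def out_of_region_clients(entries, geo=GEO, regions=OPERATING_REGIONS):
    """Clients geolocated outside the regions the business operates in."""
    return sorted({e["ip"] for e in entries if geo.get(e["ip"], "??") not in regions})


def directory_mappers(entries, min_requests=5, max_gap_stdev=1.0, min_dirs=3):
    """Clients whose requests arrive at a near-constant cadence (unlike a human
    reading pages) and touch many distinct top-level directories."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = []
    for ip, reqs in by_ip.items():
        if len(reqs) < min_requests:
            continue
        times = sorted(r["ts"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        dirs = {r["path"].split("?")[0].split("/")[1] for r in reqs} - {""}
        if statistics.pstdev(gaps) <= max_gap_stdev and len(dirs) >= min_dirs:
            flagged.append(ip)
    return flagged


def rare_user_agents(entries, allow=UA_ALLOWLIST_PREFIXES, max_clients=1):
    """Non-allowlisted user-agents seen from only a handful of clients."""
    clients = defaultdict(set)
    for e in entries:
        if not e["ua"].startswith(allow):
            clients[e["ua"]].add(e["ip"])
    return {ua: sorted(ips) for ua, ips in clients.items() if len(ips) <= max_clients}


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("top clients:", top_clients(ents))
    print("out-of-region:", out_of_region_clients(ents))
    print("directory mapping:", directory_mappers(ents))
    print("rare user-agents:", rare_user_agents(ents))
```

Tune the thresholds against a week of real logs before alerting on them; the cadence and directory counts here are chosen for the constructed sample.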

Although monitoring for unusual browsing may not provide conclusive evidence of a pending attack, it’s part of the overall risk picture and can provide an avenue for further research and monitoring.

Remove Excess Privileges

Attackers may search for vulnerable access points into a network using a port scanner or an exploit kit. For defenders, the best practice is to follow the principle of least privilege, meaning that a user or system should only receive the access privileges that correspond with their role. Although cyberdefense strategies most commonly reference this concept when establishing user access controls, it also applies to systems, applications and processes. Removing excess privileges can reduce the attack surface and make it more difficult for the attacker to enter and move around the network.

First, security teams should map the organization’s network and identify ports that are accessible from the internet. These open ports act as doors to confidential data on the network and threat actors can exploit ports left unlocked to gain unauthorized entry. Mapping the network properly (and periodically) can help identify risky ports to close or monitor.

When applying the concept of least privilege to servers, only allow each server to perform the roles for which it’s authorized. Ideally, for example, a domain controller should only allow traffic and protocols required for domain administration and should not directly access the internet.

By contrast, a web server should only interact with the internet in the specific way that was intended by the business and network administrators. In reality, when servers are set up with default settings, more ports are open than are required for that server’s vocation, which can result in unmonitored security gaps.

The Launch Attack Phase: Hardening the Attack Surface

Once the attacker has completed the phases of the IBM X-Force IRIS cyberattack preparation framework, he or she may choose to launch an attack against the target. However, if an attacker failed to complete some of the attack preparation phases, he or she may choose to postpone an attack until more information is garnered or move on to another, more vulnerable target.

Therefore, one of the defender’s goals is to harden the attack surface and deter most attackers from viewing the organization as an easy target.

An attacker could use stolen credentials with remote access to directly infiltrate a network, or the attacker could also choose to exploit a server. Attacks to infiltrate an internal server can take many shapes and can be as diverse as domain name system (DNS) poisoning or the use of a self-propagating worm delivered from an external network.

Closing the Gaps by Patching

Efficient and timely patch management can help reduce the risk of a successful compromise. Although patching is a basic security practice, an alarming number of companies have suffered breaches due to unpatched vulnerabilities.

According to a Ponemon Institute study of 3,000 companies, 48 percent of respondents admitted they had suffered a data breach within the past two years — and of those respondents, 57 percent of the breaches were due to an unpatched vulnerability. A 2016 study by software company Symantec found that over 75 percent of legitimate websites have unpatched vulnerabilities.

Despite this, many organizations struggle to build an efficient recurring process due to operational complexities, outdated systems and business priorities. One reason systems may go unpatched is a concern — whether perceived or legitimate — that it may result in performance tradeoffs or disruption to operations during patch testing and implementation.

To make the right decisions for the business, security teams need to be aware of business trade-offs and weigh them against the risks of continuing to operate with an unpatched system.

One way to encourage patch management is to include security and patch management performance metrics as part of the system administration processes for service, application and system owners. This strategy will incentivize operations teams to include patch management in their operations — whereas most teams are only incentivized to ensure that there is no disruption to operations.

Also, developing clear procedures to test patch implementation can help to assuage concerns that the patch will break critical business processes. Creating and using a virtual environment is one option to test patches before deploying them in the live environment. Alternatively, segmenting the network and patching in batches can limit the potential negative consequences.

The second reason that patch management often fails is that it’s a manual process where teams have difficulty prioritizing and implementing the most important patches. Ensuring that IT teams have an up-to-date inventory of every asset and automated checks for patches can help identify when and what needs to be patched.

Also, building a centralized platform that automates certain processes will create a more organized and efficient patch-management program that can result in fewer security vulnerabilities.

Attackers Come Prepared: Take Defensive Actions to Mitigate the Risk of a Cyberattack

Although there is no way to guarantee that an organization’s network will not be compromised, implementing cost-effective security recommendations can help minimize the attack surface and reduce the risk of an attack occurring.

The next installments in this series will analyze the X-Force cyberattack execution framework, which models the activities an attacker takes after compromising the network. We will provide recommendations to help defenders increase their visibility of attackers lurking in their networks and best practices to decrease the likelihood of attackers being able to accomplish their mission.

You can also learn more by reading the X-Force IRIS cyberattack preparation and execution frameworks whitepaper or listening to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”

View the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 2 appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Alexandrea Berninger


How the IBM X-Force IRIS Cyberattack Framework Helps Security Teams Reduce Risk at All Levels

This article is the first installment in a three-part series about cyberattack preparation and execution. Stay tuned to learn more.

Security teams need guidance to better understand, track and defend against patterns of malicious behavior, which will help them contend with today’s evolving — and increasingly sophisticated — threat landscape.

This is why IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to help organizations predict the steps an adversary might take to infiltrate corporate networks. The IBM X-Force IRIS cyberattack preparation and execution frameworks are designed to help security analysts understand malicious actors’ objectives, track threat data and communicate security intelligence more clearly.

Defenders can further dissect the threat model to preemptively build defenses and tracking capabilities to help identify and protect against attacks before they occur.

Break Down the X-Force IRIS Cyberattack Preparation Framework

While many of the phases described in the preparation framework are undetectable to targets and defenders, the early stages of a cyberattack offer opportunities to increase visibility into cybercriminal operations. Often, these measures can be undertaken relatively cheaply and with little to no reduction in operations.

The IRIS framework includes two key phases: The first phase is the point in time when threat actors determine their objectives. The second phase is when threat actors prepare their attack infrastructure.

[Figure: IBM X-Force IRIS Cyberattack Preparation Framework — Schematic View]

Read the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Phase One: Know Your Enemy

In the first phase of the framework, the attacker determines the target and defines initial mission objectives. On the defenders’ side, analysts can take steps to safeguard the assets attackers are likely to target, such as determining what and where their most valuable data is and whether cybercriminals are actively pursuing the organization.

Security teams should also integrate threat intelligence into the organization’s cybersecurity program. By building a threat profile of adversarial actors who are likely to target the company, security teams can focus on the most relevant cybercriminal groups instead of applying generic coverage to the entire pool of active cybergangs. This strategy is also in line with best practices suggested by the National Institute of Standards and Technology (NIST)’s framework for improving critical infrastructure cybersecurity.

Threat profiles help provide the contextual background for these malicious actors, such as their capabilities and tactics, which defenders can use to prioritize their responses.

To establish a threat profile, security analysts must answer the following questions:

Have Threat Actors Targeted the Organization?

Determine whether cybercriminals have breached the network in the past. If not, are there any indications that they may be interested in your company?

For example, has senior management received any spear-phishing emails? These clues can provide valuable insight into the type of actors that may be targeting the organization. Unusual network traffic on the company’s internet-facing ports is another clue. Large amounts of traffic originating from countries that your company doesn’t operate in could also indicate potentially malicious activity.

What Type of Attacker Might Go After Your Crown Jewels?

By understanding past attacks against companies in the same industry, security teams can assess the types of actors that are likely to target the organization and profile familiar capabilities and modus operandi.

For example, do these threat groups have the means and technical knowledge to perform an advanced intrusion? Do they typically compromise networks by exploiting known vulnerabilities? The best way for analysts to prioritize the most impactful areas for security investments is to anticipate the adversary’s entry path.

Where Are These Threat Groups Located?

Security teams can gain insight into cybercriminals’ motives, mission and tactics by understanding contextual information about potential threat actors, such as where they are located. This data can help analysts determine which vectors pose the most significant threat to the organization.

What Are the Attackers’ Goals?

Understanding what threat groups are after can help organizations protect digital assets and data. Attackers target a variety of data — from financial information, which can be sold on the darknet, to intellectual property, which can be sold for profit or used in corporate espionage. Some threat actors may seek to destroy data or harm critical infrastructure.

Understanding the organization’s key assets and predicting which ones are most appealing to cybercriminals can help security teams determine governance, controls and best practices to help protect and secure their digital environments.

Phase Two: Prepare the Attack Infrastructure

During the preparation of the attack infrastructure phase, cybercriminals often establish command-and-control (C&C) servers and build infrastructure that can be used to craft web pages, emails and domains that look legitimate to unsuspecting targets. Although threat actors typically operate in a stealthy manner, security teams can take steps to uncover and mitigate their actions.

Attackers often buy, register or gain illegal ownership of domains, servers, secure sockets layer (SSL) certificates, web service accounts and other network resources to orchestrate their campaigns. They then use their C&C network of servers and web resources to drop, execute, access and control the malware with which they infect their hosts.

During the setup process, attackers who mount malicious domains for their infrastructure’s communication schemes may use legitimate or typo-changed domains to fool target users into interacting with their sites or emails. Such email spoofing is often very subtle and can trick even the most observant users into clicking malicious links.

To mitigate this threat — and make it harder for attackers to typosquat domains — defenders can purchase all the likely typo-changed domains associated with their company name or monitor for suspicious domain registrations that resemble official domains.
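The monitoring half of that advice, as an added example that is not code from the original post or the X-Force IRIS white paper: it generates the typo-changed spellings of a brand domain (dropped, doubled and swapped characters, look-alike characters, other TLDs) and screens a feed of new registrations against them, falling back to edit distance and brand-embedding for near misses the generator does not enumerate. The brand domain and the registration feed are constructed; a real deployment would read a zone-file diff or a certificate-transparency log.

```python
"""Watch new domain registrations for look-alikes of a company domain.

Added example, not code from the original post or the X-Force IRIS white paper.
It generates the typo-changed variants the text suggests buying or monitoring
(dropped, doubled and swapped characters, common look-alike substitutions,
other TLDs) and screens a feed of new registrations against them. The brand
domain and the feed are constructed; a real deployment would read a zone-file
diff or a certificate-transparency log."""

LOOKALIKES = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}
EXTRA_TLDS = ("net", "org", "co", "info")


def typo_variants(domain):
    """Plausible typo-changed spellings of the registrable label, plus other TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                 # dropped character
        out.add(label[:i] + ch * 2 + label[i + 1:])        # doubled character
        if i + 1 < len(label):                             # adjacent swap
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in LOOKALIKES:                               # visually similar character
            out.add(label[:i] + LOOKALIKES[ch] + label[i + 1:])
    out.discard(label)
    variants = {f"{v}.{tld}" for v in out}
    variants |= {f"{label}.{t}" for t in EXTRA_TLDS if t != tld}
    return variants


def edit_distance(a, b):
    """Levenshtein distance, for near-misses the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_registrations(new_domains, brand_domain, max_distance=1):
    """Return (domain, reason) pairs for registrations that resemble brand_domain."""
    brand_domain = brand_domain.lower()
    label = brand_domain.rpartition(".")[0]
    variants = typo_variants(brand_domain)
    hits = []
    for d in new_domains:
        d = d.lower().rstrip(".")
        if d == brand_domain:
            continue
        new_label = d.rpartition(".")[0]
        if d in variants:
            hits.append((d, "typo-variant"))
        elif edit_distance(new_label, label) <= max_distance:
            hits.append((d, "edit-distance"))
        elif label in new_label:
            hits.append((d, "brand-embedded"))
    return hits


# Constructed feed of "newly registered" domains; the brand domain is also constructed.
NEW_REGISTRATIONS = [
    "exarnple.com", "examp1e.com", "example-login.com", "examle.com",
    "exmaple.com", "example.co", "exemple.com", "unrelated.com", "sample.com",
]

if __name__ == "__main__":
    for domain, reason in suspicious_registrations(NEW_REGISTRATIONS, "example.com"):
        print(f"{domain:20} {reason}")
```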

Keep Social-Engineering Schemes at Bay With Education

Of course, threat actors have more tricks up their sleeves. Depending on the target, attackers may use social-engineering schemes to make it seem like activity is legitimate. For example, fraudsters can create more believable, personalized phishing messages by befriending targets online via fake online profiles.

To prevent these types of communications from succeeding, defenders should educate employees about the current trends in spam and spear phishing and describe the dangers of interacting with fraudulent online personas. Security teams should also establish proper governance to help employees respond and react appropriately when they fall victim to social-engineering schemes.

It’s also imperative to ensure that employees have positive experiences when reporting potential security incidents — and that security leaders do not punish or shame them for falling victim to phishing or social-engineering schemes.

To learn more, stay tuned for the next article in this series, which will examine the external reconnaissance and launch attack phases of the framework. You can also download the IBM white paper and listen to the podcast for more insights.

Read the complete white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

The post How the IBM X-Force IRIS Cyberattack Framework Helps Security Teams Reduce Risk at All Levels appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: X-Force IRIS


As Seen on TV: Important Lessons for Winning the Fight Against Cybercrime

In recent years, we’ve seen ample evidence of our collective cybersecurity failures. But we still haven’t learned the most important lessons.

To start, there is no silver bullet — no single technological fix. What’s more, while cybercriminals have been coordinating in organized groups, we have been trying to fight cybercrime in silos. If we are going to beat back the advances of cybercrime, we need better collaboration within the cybersecurity industry, with shared intelligence across public and private sectors.

We must focus more on responding to the inevitable “boom moments” after a breach occurs, not just what comes “left of the boom,” the prevention and detection of threats. Furthermore, we need a drastic elevation of cybersecurity skills and awareness.

On that last point, we need to raise the level of cybersecurity awareness — not just to protect our businesses, but among the general population. Our families and friends must understand what we’re up against and become knowledgeable of security hygiene to deny cybercrime organizations the victims they need to finance their operations.

That’s why I’m so proud that IBM Security teamed up with Atomic Entertainment and Science Channel to create a documentary special that explains, in provocative detail, what we’re up against.

Go Behind the Scenes of the Fight Against Cybercrime

“Dark Web: Fighting Cybercrime” — airing on Science Channel at 5 p.m. EST on Thursday, July 19 and available afterward on-demand — brings to a mass audience a close encounter with the dark corners of the internet and offers insights into the history of cybercrime and where it’s headed. Better yet, the film goes behind the scenes of the fight against cybercrime, bringing you right inside a security operations center (SOC) to witness a simulation of a cyberattack and the challenges of responding in the moment to stop the “bleeding” and mitigate further damage.

Take a peek inside the dark world of cybercrime

I’ve been a part of hundreds of these simulations in our IBM Security X-Force Command Centers, and I have seen many accomplished and smart executives grappling with a kind of pressure few have experienced before.

When you watch the Science Channel special, you’ll see why practice runs are essential for security teams and business leaders to understand how to respond to an attack. While first responders and military service members train rigorously to deal with threats, the same can’t be said about organizations under threat of cyberattacks.

Just think about the training and preparation a military pilot goes through — hundreds of hours in simulators and in classroom training. But business leaders today are taught to be deliberate in their decisions, to pause and collect all the data before acting. That’s about the worst thing you can do when there’s a breach. After the boom, you need to act right away to prevent a bad situation from becoming worse.

Learn How to Keep Calm in the Face of a Cyberattack

Many of the people who go through the simulations in our command centers can become flustered and discouraged, despite being highly capable leaders. When the CEO who normally acts with confidence when making business decisions is suddenly thrust into the unknown of a cyberattack, the fight-or-flight adrenaline makes decision-making extremely difficult, and he or she starts to make mistakes.

It’s like trying to learn a new sport: You are bound to fail at first, but it’s by failing that you learn. And it’s far better to strike out or miss a tackle in practice than in a real game.

For many of our clients, it’s very apparent that rehearsing these situations is essential to honing their crisis leadership. By experiencing a simulated cyberattack, teams build muscle memory of what to do and with whom to communicate. By incorporating what they’ve learned, leaders can go back to their organizations and script their responses to automate as much of the decision-making process as possible. You can act faster and more effectively when the rules are written down, processes are established and everyone understands their job.

As the Science Channel special demonstrates, there’s a common thread among successful teams in our cyber ranges, and that’s the calm and collected leadership of people with backgrounds in the military or first responder jobs.

We need more of these disciplined and quick-acting men and women in cybersecurity. But the traditional way of recruiting cybersecurity staff — finding experienced professionals with a background in cybersecurity, college degrees and information security certifications — can overlook nontraditional candidates who can nonetheless do the job. At IBM Security, we’ve advocated and put into practice a “new collar” approach to recruiting professionals. It means looking beyond credentials to find individuals with the skills, aptitude and attributes to adapt to new cybersecurity roles.

Why I’m Optimistic About the Future of Cybersecurity

Unfortunately, there’s a lot of pessimism right now about the acceleration of threats, mounting breaches and exploding costs of incorporating a wide array of disparate and disconnected security technologies into IT environments. Yet, I am optimistic, because we do not have to fight alone.

By collaborating across organizations and within the security industry, we can limit the spread of threats through shared insights and intelligence. Together, the cybersecurity industry and our partners can simplify security by integrating our solutions, because complexity is the enemy of security.

We also have a new partner that can help turn the tide in the fight against cybercrime: artificial intelligence (AI). By advancing the security applications of AI, we create a force multiplier, because automating tasks and limiting false positives frees up human analysts to make critical decisions faster.

Finally, it bears repeating that we must create more allies in this fight by educating our employees and the general public about threats to their online privacy and security. I think “Dark Web: Fighting Cybercrime” does a standout job of doing just that.

Whether you’re a security professional, business executive or concerned citizen of our digital world, you’ll gain valuable perspective from this fascinating documentary. Check out the trailer below to get a taste of the action, and watch “Dark Web: Fighting Cybercrime” on Science Channel at 5 p.m. EST on Thursday, July 19, and later on-demand. Get your friends and family members to watch too — after all, we’re all in this fight together.


The post As Seen on TV: Important Lessons for Winning the Fight Against Cybercrime appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Caleb Barlow