Following on the heels of an active 2015, where eight states enacted changes to their data breach notification laws, another five states amended their statutes in 2016, adding complexity to the current “patchwork” system of breach notification legislation.
Several trends have emerged from these recent enactments. States are broadening the definition of “personal information,” redefining content and timing requirements for notification, clarifying the role of encryption in providing a safe harbor, and providing carve-outs for entities compliant with other privacy regulations.
The amendments enacted in Nebraska, Tennessee, and Arizona all took effect in 2016, while the updates in California and Illinois became effective on January 1, 2017.
Michael R. Overly, Esq., Partner at Foley & Lardner LLP, will be speaking at the next Inland Southern California Cyber Security Summit (#ISCCS) 2017 in Riverside. Follow us on Twitter @IntelliFlexTeam to receive updates on this event or visit our website at www.iflex.com/events.
Summary of Amendments to State Data Breach Notification Laws in 2016
Source: Foley & Lardner LLP
State of the Network
Monday, February 6, 2017
Tuesday, December 13, 2016
Web Applications & Cybersecurity Protection
You Asked the Questions, We’re Giving You the Answers!
Overview
In a series of responses to a yearlong survey, we heard all sorts of cybersecurity-related questions and we’d like to help our community by digging into these questions and providing some insight and answers. Naturally, we had to do some “sorting out” but one main topic of conversation was Web Application Security and how to protect our most valuable resources and private information. We took some of your questions and have answered them in a way that we hope addresses your concerns but also provides you with a path to consider when taking steps on your own to resolve these highly important cybersecurity concerns.
So, how can we win the battle for secured web application delivery? In today’s application-centric world, there’s truly an app for everything. Organizations offer applications with data access to employees and consumers to drive greater productivity, meet business demands, and ultimately achieve a competitive advantage. But as organizations deliver more and more sensitive data through applications, they’re also introducing ever-increasing risk. That’s because today’s users are everywhere—frequently outside the corporate network—and the apps they rely on can be anywhere, from private data centers to the public cloud. The result is less visibility and control for the organization. It’s no surprise that cybercriminals are taking advantage of this exposure by targeting these applications, which exist largely outside the sphere of traditional security protections like firewalls, antivirus software, and TLS/SSL encryption.
What are the greatest threats facing us today? Whether it’s a volumetric denial-of-service (DoS) attack, browser-based malware, or an advanced persistent threat, today’s application attacks are really gambits to obtain or compromise corporate data. As more and more data is encrypted traffic, the majority of today’s security tools are running blind, unable to decrypt that data to ensure it’s not malicious. Traditionally, the approach to application security has been focused on the software development lifecycle (SDLC), trying to ensure developers are following best practices for secure coding. While secure code is still a core piece of the overall security puzzle, it’s not the whole picture. The old security perimeter continues to dissolve as more endpoints and networks fall outside of conventional enterprise network footprints, while the risks to applications and sensitive corporate data continue to evolve. Security measures must be enhanced to ensure apps are secured everywhere.
The vast majority of attacks today target the application level—but enterprises are not making corresponding security investments at that level. It’s time for organizations to come to terms with a new reality: Security needs to be more focused at the app level. We are dedicated to elevating the awareness level, and this article will provide you with many of the data points needed to articulate these facts to management and secure the budget necessary to accomplish your objectives.
A Risk-Based Approach to Application Security
Is there a process for evaluating your web application for risk instead of vulnerability? Looking at application security from this risk-based perspective enables organizations to focus on component failures and helps provide the most robust security for the data that’s the ultimate target of most attacks. By analyzing all the components that make up an application, organizations can develop a strategy that delivers the strongest, most appropriate security to the app as a whole, because compromising one component of an app or the network delivering it—whether a code vulnerability, network availability, or DNS—endangers the entire application, as well as the data it houses.
Critical Components of Application Security
When do hackers choose an alternate target in their effort to attack and why? It’s vital for organizations to deploy the strongest possible set of application security controls to reduce the risk of sensitive data being compromised by an application-level attack. Key components of a proactive, defense-in-depth security posture for the application perimeter include application security testing, firewall services, access controls, and specific protection against various types of threats. A consistent approach to these assessments and processes makes it more difficult to be compromised and far less attractive to the “would be bad-guys.” So, do the right thing: get the vulnerability assessment first and understand the findings before spending a single dime. Any money thrown at resolving a problem before getting the data needed to validate and prioritize criticality is simply not best business practice and could be considered grounds for termination. In an effort to avoid such unpleasantries, let’s take a look at the following areas of concern.
Application Security Testing
What can we do as Administrators to be better prepared and automate processes that will lessen the likelihood of being compromised? Software security is still a cornerstone of an overall application protection strategy. Organizations must ensure that new websites and software are coded securely, but they must also address the countless vulnerabilities already present in existing websites that were built without a secure software development lifecycle. It’s important to remember that finding and fixing vulnerabilities isn’t an academic exercise; it’s all about keeping a sentient attacker out of enterprise systems and away from the data those systems protect. But without a clear picture of the adversaries and their tactics, security professionals will have a difficult time developing effective strategies to defeat them. Going forward, it will be imperative that more people working in the security community better understand software—and software security. US ProTech offers US DOC Validated vulnerability scanners to help identify and mitigate software issues, whether they are found before or after new websites and web applications go live online. Organizations can obtain the best protection, however, by integrating a robust vulnerability scanner service with a full proxy web application firewall, coupled with regular penetration testing, which should be done (at a minimum) once a year for all the correct reasons.
Web Application Firewall
Speaking about Firewalls, how can we benchmark Good, Better and Best in the growing world of options for Next-Generation Firewalls before we make the wrong recommendation to our superiors? Today, a robust and agile web application firewall (WAF) isn’t a luxury—it’s a necessity. The growth of cloud-hosted web applications has been accompanied by increasingly sophisticated security attacks and risks that threaten enterprise data. A hybrid web application firewall can help enterprises defend themselves against OWASP Top 10 threats, application vulnerabilities, and zero-day attacks—no matter where applications are located. Strong layer 7 distributed denial-of-service (DDoS) defenses, detection and mitigation techniques, virtual patching, and granular attack visibility can thwart even the most sophisticated threats before they reach network servers. In addition, having the ability to detect and block attackers before they access an enterprise data center provides a major advantage. A powerful web application firewall that can stop malicious activity at the earliest stage of a potential attack allows organizations to significantly reduce risk as well as increase data center efficiency by eliminating the resources spent processing unwanted traffic.
Enterprises Should Look for a Web Application Firewall That:
1. Provides a proactive defense against automated attack networks.
2. Identifies suspicious events by correlating malicious activity with violations.
3. Delivers easy-to-read reports to help streamline compliance with key regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and Sarbanes-Oxley.
4. Integrates with leading dynamic application security testing (DAST) scanners for immediate patching of vulnerabilities.
SSL Inspection and the Race to Encryption
What major technology adoption trends will happen in 2017 that you won’t want to miss? Today, SSL is everywhere. Analysts predict that encrypted traffic will jump to nearly 64 percent of all North American online traffic in 2016, up from just 29 percent in 2015. Organizations are scrambling to encrypt the majority of traffic, including everything from email and social media to streaming video. The level of security provided by SSL is enticing, but at the same time, it has become a vulnerability vector as attackers use SSL as a way to hide malware from security devices that cannot see encrypted traffic.
Stealth Networking and Inspecting Encrypted Packets
Is there a way to use encryption in a way that still allows for deep packet inspection? Yes, it is called Stealth Networking and it’s available right now through US ProTech and Intelli-Flex. Enterprise security solutions must gain visibility into this encrypted traffic to ensure that it is not bringing malware into the network. One way to battle these encrypted threats is to deploy an SSL “air gap” solution, which consists of placing an Application Delivery Controller (ADC) on either side of the visibility chain. The ADC closest to the users decrypts outbound traffic and sends the decrypted communications through the security devices. These devices, which can now see the content, apply policies and controls, detecting and neutralizing malware. At the other end of the chain, another ADC re-encrypts the traffic as it leaves the data center. This solution provides the flexibility of keeping security devices in line while ensuring that they can do the job they were built for.
DDoS Protection
Are old cybersecurity threats that have been around for decades still a threat? Yes, indeed they are! Today, most apps are Internet based, so a volumetric DDoS attack can cripple—or even take down—an application. DDoS attacks are increasing in scale and complexity, threatening to overwhelm the internal resources of enterprises around the world. These attacks combine high-volume traffic clogging with stealthy, application-targeted techniques—all with the intent of disrupting service for legitimate users. Organizations must ensure they have a robust DDoS protection strategy in place to ensure the availability of their critical applications. Consider solutions that offer comprehensive, multi-layered L3 through L7 protection and can stop DDoS attacks in the cloud before they reach the network and the data center.
DNS Security
What can I do to help hide my environments and is there value in 3rd party offerings to do so? While not a part of the traditional, secure-coding view of application security, an enterprise’s DNS strategy plays a huge role in the security and availability of its applications. DNS is the backbone of the Internet, as well as one of the most vulnerable points in an organization’s network. Organizations must protect against an ever-growing variety of DNS attacks, including DNS amplification query floods, dictionary attacks, and DNS poisoning. An enterprise can ensure that customers—and employees—can access critical web, application, and database services whenever they need them with a solution that intelligently manages global traffic, mitigates complex threats by blocking access to malicious IP domains, and integrates seamlessly with third-party vendors for implementation, such as US ProTech, which also offers centralized management and secure handling of DNSSEC keys. US ProTech solutions also deliver high-performance DNS, which can scale quickly to better absorb DDoS attacks.
Web Fraud Detection
Can someone please show me a better way to capture, monitor and implement corrective action plans against anomalies linked to massive fraud? Fifty years ago, if you wanted to rob a bank, you had to actually go to the bank. Now, you can rob a bank from 5,000 miles away. The global nature of the Internet means that everything is equidistant to the adversary, and financial institutions are some of the highest-value targets on the Internet. To effectively combat the perils of fraud, organizations that offer financial services over the Internet must defend their businesses with a combination of security technologies. Consider a US ProTech solution that helps protect against a full range of fraud threat vectors, preventing attackers from spoofing, disabling, or otherwise bypassing security checks. Organizations can thereby reduce the risk of financial and intellectual property loss—and feel secure with proactive protection against emerging web threats and fraud.
Access Controls
“I AM” is the shortest sentence in the English language. But failing to deploy Identity Access Management may be the fastest way to get “fired.” Some of the most recent and damaging security breaches have been due to compromised user and administrator credentials. These breaches may have been thwarted by authenticating and authorizing the right people to the right information and ensuring secure connectivity to applications with single sign-on and multi-factor authentication technologies. Furthermore, identity and access controls centralized by the enterprise can provide secure authentication between the enterprise network and applications based in the cloud or as Software as a Service (SaaS).
Conclusion:
The Future of Application Protection
Application protection is fraught with complexity, and with the exponential growth of the Internet of Things and the applications that go along with it, the issues are only growing. In 2010, there were 200 million web apps; today, there are nearly a billion. In 2020, that could easily be five billion. All those applications are vulnerability vectors—and many of them contain critical data that could be the target of attackers. By enhancing existing security portfolios with solutions and services focused on the application level, organizations can better protect the applications that can expose their sensitive data. Ensuring that applications are protected no matter where they reside is critical—and the stakes are high. It’s time to broaden the view of application security so that organizations are in a better position to effectively secure all the components that make up their critical apps, safeguard their data, and protect their businesses. In an effort to make these recommendations a reality for our clients, prospects and readers of our whitepapers, US ProTech and Intelli-Flex offer a complimentary consultation coupled with two complimentary vulnerability scans (one internal & one external) so you can gain a baseline from which to start. Remember, making technology decisions before gathering the knowledge of what your vulnerability posture is, is not a recommended cybersecurity remediation process. So please, give us a call and get started today on the path to knowledge.
Acknowledgements: Intelli-Flex thanks US ProTech, their partners and guest contributors who assisted in the development of this Whitepaper, namely, the U.S. Department of Commerce, the SANS Institute, UCLA, Lockheed Martin and F5.
Monday, November 14, 2016
Mirai or Mirage? The True Story Behind the DDOS Attack.
The true story behind the October 20th massive DDOS attack on the IoT
It was a Test and a Distraction, just as planned.
Yes, the latest DDOS attack was a test. It was a test of capabilities, wits and the weaponization of malware. It was a test in America’s ability to respond and deal with this ever growing threat, a reality which is sure to be with us for a very long time. US ProTech has spent years in the field of Cyber and related wargames and this use of targeted IP based devices was in one manner simple, which is also why it was successful. This attack, while seemingly massive, is nothing short of a distraction where you get to see what one hand is doing, while the other magically hides another quarter behind a child’s ear. Imagine the chaos this attack created, now imagine how it was likely used to hide its real purpose. US ProTech and the Cyber community will quickly be searching for clues… and will likely find all the usual suspects. Other firms such as Flashpoint traced Friday’s widespread internet outage to the IoT, according to another industry expert, Brian Krebs.
Consequently, the cyber-attacks which affected popular websites from Twitter to Reddit are the result of malware called “Mirai”, which manipulated smart technology to take the sites offline. The malware used vulnerable technology to launch a Distributed Denial of Service attack, overwhelming the web service DYN with traffic resulting in slow Internet speeds and offline sites. You’re going to ask questions so here are 5 things you need to know about ‘Mirai’:
1. IoT Botnet ‘Mirai’ Targets Vulnerable ‘Smart’ IoT Technology and Turns Them into ‘Bots’
Like a parasite, ‘Mirai’ will use a host to launch cyber-attacks. The botnet scans the Internet for IoT systems protected by factory default or hard-coded usernames and passwords, according to Krebs’s blog KrebsOnSecurity. Botnets can exploit weak security measures such as standard password and username combinations (e.g. admin, 1111) across devices. These systems are infected with malware, which directs them to a central control system, where they are prepared to launch an attack to take websites offline. Here is a list of the services that were down.
According to HackRead, ‘Mirai’ can break into a wide range of IoT devices from CCTV cameras to DVRs to home networking equipment turning them into ‘bots’. There are nearly half a million Mirai-powered bots worldwide, according to telecommunications company and internet service provider (ISP) Level 3 Communications. Here are the countries with the highest concentrations of IoT devices:
• United States: 29 percent
• Brazil: 23 percent
• Colombia: 8 percent
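Seen from the defender's side, the scanning described in item 1 shows up as one internal device opening telnet connections to many outside addresses in a short time. The following added example (not from the original post or from any tool it names) flags that pattern in flow records; the log layout, the 10.0.0.0/8 internal range, the addresses and the thresholds are all assumptions.

```python
"""Flag internal devices that fan out over telnet to many external hosts.
Added example: log layout, internal range and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

TELNET_PORT = 23
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site range
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Return (timestamp, src, dst, dport) or None for a malformed record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return ts, src, dst, int(m["dport"])


def find_telnet_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {source_ip: peak number of distinct external telnet targets
    inside any sliding window} for sources that reach min_targets."""
    per_source = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, dport = flow
        # Only internal-to-external telnet is interesting here.
        if dport == TELNET_PORT and is_internal(src) and not is_internal(dst):
            per_source[src].append((ts, dst))

    findings = {}
    for src, flows in per_source.items():
        flows.sort(key=lambda f: f[0])
        recent = deque()          # flows currently inside the window
        counts = defaultdict(int) # destination -> flows inside the window
        peak = 0
        for ts, dst in flows:
            recent.append((ts, dst))
            counts[dst] += 1
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak >= min_targets:
            findings[str(src)] = peak
    return findings


def sample_flows():
    """Constructed flow records for the demonstration, not real traffic."""
    base = datetime(2016, 10, 21, 11, 0, 0)

    def rec(offset, src, dst, dport):
        ts = (base + offset).strftime(TS_FMT)
        return f"{ts} src={src} dst={dst} dport={dport} proto=tcp"

    lines = []
    for i in range(12):  # camera sweeping 12 external hosts in 12 seconds
        lines.append(rec(timedelta(seconds=i), "10.0.5.23", f"198.51.100.{i + 1}", 23))
    for i in range(3):   # admin reaching one external telnet host repeatedly
        lines.append(rec(timedelta(seconds=5 * i), "10.0.1.10", "203.0.113.9", 23))
    for i in range(12):  # browser traffic: many targets, but not telnet
        lines.append(rec(timedelta(seconds=i), "10.0.1.11", f"203.0.113.{i + 20}", 443))
    for i in range(12):  # 12 telnet targets spread over two hours
        lines.append(rec(timedelta(minutes=10 * i), "10.0.7.40", f"198.51.100.{i + 100}", 23))
    lines.append("malformed line")
    return lines


if __name__ == "__main__":
    for src, peak in find_telnet_scanners(sample_flows()).items():
        print(f"{src}: {peak} distinct external telnet targets within 60 s")
```

Only the camera at 10.0.5.23 is reported; the slow source at 10.0.7.40 stays under the threshold, which is the trade-off a short window makes.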
2. ‘Mirai’ Took Out Amazon, Spotify, Twitter and More Websites in a DDOS Attack
The morning of October 21 saw widespread internet outages caused by a massive DDOS attack, which overwhelmed the web service with traffic. Krebs reported that cybersecurity firm Flashpoint traced the hack to Mirai. The journalist’s own website, krebsonsecurity.com, was taken down by a Mirai-powered DDOS attack. The cyber-attack on Friday targeted Internet traffic company DYN, which provides services for websites like Amazon, Spotify and Twitter. Other botnets may have been behind the attack, reports Politico’s cybersecurity reporter Eric Geller.
In an interview with CNBC, DYN said that the attacks were “well planned and executed, coming from tens of millions IP addresses at same time.” The Department of Homeland Security and White House are also looking into the attack. NBC News reports that one official ruled out North Korea as a suspect.
3. ‘Mirai’s Author Has an Avi of Anime Character Anna Nishikinomiya and Mirai Means “Future” in Japanese
The person who created the botnet is nicknamed ‘Anna-Senpai’ and has an avi of the anime figure Anna Nishikinomiya. Anna appears in the Japanese novel series Shimoseka, which is set in a dystopian future filled with morality police.
As the student council president of a prominent ‘morality school’ Anna is the enforcer of public morality laws according to MyAnimeList. The word ‘Mirai’ also has Japanese origins meaning ‘future’ in Japanese. A manga series called ‘Future Diary’ also describes a dystopian society modeled after the battle royale (think Hunger Games) where each contestant has a diary with notes written from the future.
‘Mirai’ is also part of a family of malware that infects IoT devices through default usernames and passwords. The other malware that has been used to create an IoT device army is called “Bashlight”. While these two strains of malware compete with each other, research from Level 3 suggests that they target some of the same devices. Currently, “Bashlight” is creating an army of a million IoT devices.
“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” Dale Drew, Level3’s chief security officer, told KrebsOnSecurity.
4. You Can Wipe Off the Malware from an IoT System but Recurrence is Likely
It’s possible to clean an IoT system infected by ‘Mirai’, but the botnet scans systems so often that there’s a high chance of recurrence. You can destroy the malicious code by rebooting the computer, but experts warn that vulnerable IoT devices can be re-infected in minutes.
This is bad news for cybersecurity as the IoT devices market heats up as people buy into the smart, automated systems. Gartner Inc. projects connected devices to rise to 6.4 billion worldwide in 2016 with almost 5.5 million devices being connected daily.
Telecommunications company Level 3 advised users to upgrade devices and set strong passwords, according to the Wall Street Journal. For a more sustainable solution to DDOS attacks, Krebs says ISPs will need to protect their networks from spoofing, where the attacker sends messages as the victim website and generates a huge amount of traffic. He added that the lack of these safeguards could lead to online censorship.
5. Source Code for ‘Mirai’ Botnet was Released Publicly Which Opens the Door for Future Botnet Attacks
After weathering an attack from the ‘Mirai’ botnet, KrebsOnSecurity reported that the code that powers ‘Mirai’ was made publicly available on HackForums. The hacking community has access to information they can use to infect millions of smart devices. The source code for the scanner is also located on Github and has been copied at least 700 times as of this posting.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
Special thanks to Edward Cox of Heavy for assistance in the compilation of data.
About US ProTech:
Intelli-Flex partner, US ProTech offers clients Certified Technical Security Engineers with a wide background of specialization including experts from every branch of the United States military. Their vulnerability assessment process has been independently evaluated, tested and has received U.S. Government (USGCB) Configuration Baseline validation by the U.S. Dept. of Commerce; it exceeds NIST High-Impact (military-grade) standards and is SCAP Approved.
As a result of its US Government Approved process, US ProTech offers a broad range of award winning cyber-security assessment and management services and today holds significant contracts throughout America, Canada, Mexico and Western Europe. “We maintain a focus on clients who seek demonstrable cyber-security and business process improvement,” says Goetsch. “We have saved our clients hundreds of millions of dollars in Cyber-Liabilities and do so with an expert staff and a proprietary set of tools.”
Monday, October 10, 2016
The Final Steps in the Cybersecurity Kill Chain
Are You Concerned About a Potential Backdoor?
Better still…. Are You Ready to Do Something About It?
Take Action
This 7-Step Cybersecurity Kill-Chain Will Stop Your Enemy Cold! (But Not Before Gathering the Highly Prized Intelligence they want)
Intelli-Flex partner US ProTech has Mastered the Cybersecurity Kill Chain framework 1st developed with the DOD and in preparation for the CyberSecurity Summit, we wanted to share this information. It’s part of a process they have termed the “Intelligence Driven Defense model” for the identification and prevention of cybersecurity intrusion activity. The model identifies what 7-steps the adversaries must complete in order to achieve their objective and more importantly how and when to kill their presence.
We are going to run this in this series of 3 blog posts, that will provide you the critical info needed to take action against the greatest threat of our time – Hackers using APT’s. We've already covered steps one through four.
1. RECONNAISSANCE
a. Harvesting email addresses, conference information, etc.
b. The first step of any APT attack is to select a target.
2. WEAPONIZATION
a. Coupling exploit with backdoor into deliverable payload
b. Next, attackers will re-engineer some core malware to suit their purposes using sophisticated techniques.
3. DELIVERY
a. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the US ProTech Computer Incident Response Team (USPT-CIRT) for the years 2005-215, are email attachments, websites, and removable media such as a USB stick.
4. EXPLOITATION
a. At this stage exploiting a vulnerability to execute code on victim’s system command channel for remote manipulation of victim is the objective.
Today, let’s discuss the final steps:
5. INSTALLATION
a. At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. Installing malware on the asset requires end-user participation by unknowingly enabling the malicious code. Taking action at this point can be considered critical. One method to effect this would be to deploy a HIPS (Host-Based Intrusion Prevention System) to alert or block on common installation paths, e.g. NSA Job, RECYCLER. It’s critical to understand whether the malware requires administrator privileges or only user privileges to execute the objective. Defenders must understand endpoint process auditing to discover abnormal file creations. They need to be able to establish the compile time of malware to determine if it is old or new. Answers to the following questions should be considered mandatory: How does it last, survive, etc.? Does it use an Auto run key, etc.? Does the backdoor need to run to provide access? Can you identify any certificates and extract any signed executables?
REAL LIFE EXAMPLE:
a. A Watering Hole Attack on Aerospace Firm
b. Exploits CVE-2015-5122 to Install IsSpace Backdoor
i. See: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5122
Case Study: http://bit.ly/cybersecuritycase
6. COMMAND AND CONTROL
This stage is the defender’s “last best chance” to block the operation: by blocking the Command and Control channel. If adversaries can’t issue commands, defenders can prevent impact. Typically, compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (aka C2) channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders effectively have “hands on the keyboard” access inside the target environment. Let’s remember that malware is seldom automated; normally this command channel is manual. The general practice of intruders is: Email = In, Web = Out. The trick for them is to have established control over many workstations in an effort to “exfiltrate” data without setting off any anomalies or other monitoring applications based upon content, quantity, frequency, etc. Hence, it is essential to have the proper tools in place that can identify, track, observe, stop and destroy these campaigns within your arsenal of capabilities.
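One way to look for the outbound beaconing described in step 6 is to measure how regular a host's web requests to one destination are. This is an added example, not US ProTech's tooling or code from the original post; the proxy log layout, host names, addresses and thresholds are assumptions.

```python
"""Find regular outbound check-ins (beaconing) in web proxy logs.
Added example: log layout, host names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse '<timestamp> <client_ip> <dest_host>'; None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.strptime(parts[0], TS_FMT), parts[1], parts[2].lower()
    except ValueError:
        return None


def find_beacons(lines, min_events=6, max_cv=0.10, min_interval=30.0):
    """Return findings for (client, dest) pairs whose request spacing is
    nearly constant. cv is the standard deviation of the gaps between
    requests divided by their mean; a timer with small jitter gives a low cv."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, client, dest = rec
            seen[(client, dest)].append(ts)

    findings = []
    for (client, dest), stamps in sorted(seen.items()):
        if len(stamps) < min_events:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue  # bursts of page loads, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "dest": dest,
                "events": len(stamps),
                "mean_interval_s": avg,
                "cv": round(cv, 4),
            })
    return findings


def sample_proxy_log():
    """Constructed proxy records for the demonstration, not real traffic."""
    base = datetime(2016, 10, 10, 9, 0, 0)

    def rec(seconds, client, dest):
        ts = (base + timedelta(seconds=seconds)).strftime(TS_FMT)
        return f"{ts} {client} {dest}"

    lines = []
    # Workstation checking in every 300 s with a few seconds of jitter.
    jitter = [0, 3, -2, 4, -4, 1, 2, -3, 5, -1, 2, 0]
    for i, j in enumerate(jitter):
        lines.append(rec(300 * i + j, "10.0.2.15", "cdn-sync.example"))
    # A person browsing: same destination, irregular spacing.
    for off in [0, 20, 25, 400, 410, 2000, 2100, 5000, 5005, 9000]:
        lines.append(rec(off, "10.0.2.20", "news.example"))
    # Perfectly regular but only three requests: below min_events.
    for off in [0, 600, 1200]:
        lines.append(rec(off, "10.0.2.30", "time.example"))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for f in find_beacons(sample_proxy_log()):
        print(f"{f['client']} -> {f['dest']}: {f['events']} requests, "
              f"every {f['mean_interval_s']:.0f} s (cv={f['cv']})")
```

Software updaters and telemetry agents also check in on a timer, so findings from a check like this need an allowlist of known destinations before anyone treats them as C2.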
7. ACTIONS ON OBJECTIVES
The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which will enable them to collect forensic evidence. One example would include network packet captures, for damage assessment. Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, the objective of data exfiltration involves collecting, encrypting and extracting information from the victim’s environment; violations of data integrity or availability are potential objectives as well. Alternatively, and most commonly, the intruder may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, the elevation of detailed evidence to the highest ranking official or governing Board, the deployment of end-point security tools to block data loss, and preparation for briefing a CIRT Team. Having these resources well established in advance is a “MUST” in today’s quickly evolving landscape of cybersecurity threats.
CONTACT US for a demonstration
REGISTER TODAY for the Inland Southern California Cybersecurity Summit (#ISCCS)
ISCCS ARTICLE
Guest Blogger - Jonathan Goetsch, Speaker and Panelist at ISCCS
Jonathan Goetsch is the CEO of US ProTech, Inc., a highly recognized Cybersecurity services company that has been established since 1999 serving thousands of clients. Based in Las Vegas, NV with operations in California, Texas and Belgium, US ProTech’s Cyber-Expertise serves mid-market to large enterprise business and Governmental agencies in six countries. As an Offensive-Side Red-Team Cyber Penetration Testing Team, US ProTech specializes in cybersecurity processes that are approved by the U.S. Government, validated by the U.S. Department of Commerce to exceed US Military Standards under NIST (National Institute of Standards and Technology) and accommodates SCAP (Security Content Automation Protocol). Jonathan’s work in the Cybersecurity community spans the past 20+ years and he’s regularly recognized by the media and his peers for exceptional industry insight, contributions to the community and has been named to The Top 20 List as Global Providers of Cyber Security Services each of the past two years.
Better still…. Are You Ready to Do Something About It?
Take Action
This 7-Step Cybersecurity Kill-Chain Will Stop Your Enemy Cold! (But Not Before Gathering the Highly Prized Intelligence they want)
Intelli-Flex partner US ProTech has Mastered the Cybersecurity Kill Chain framework 1st developed with the DOD and in preparation for the CyberSecurity Summit, we wanted to share this information. It’s part of a process they have termed the “Intelligence Driven Defense model” for the identification and prevention of cybersecurity intrusion activity. The model identifies what 7-steps the adversaries must complete in order to achieve their objective and more importantly how and when to kill their presence.
We are going to run this in this series of 3 blog posts, that will provide you the critical info needed to take action against the greatest threat of our time – Hackers using APT’s. We've already covered steps one through four.
1. RECONNAISSANCE
a. Harvesting email addresses, conference information, etc.
b. The first step of any APT attack is to select a target.
2. WEAPONIZATION
a. Coupling exploit with backdoor into deliverable payload
b. Next, attackers will re-engineer some core malware to suit their purposes using sophisticated techniques.
3. DELIVERY
a. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the US ProTech Computer Incident Response Team (USPT-CIRT) for the years 2005-2015, are email attachments, websites, and removable media such as a USB stick.
4. EXPLOITATION
a. At this stage the objective is exploiting a vulnerability to execute code on the victim’s system and gain a command channel for remote manipulation of the victim.
Today, let’s discuss the final steps:
5. INSTALLATION
a. At this stage the installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment. Installing malware on the asset requires end-user participation by unknowingly enabling the malicious code. Taking action at this point can be considered critical. One method to effect this would be to deploy a HIPS (Host-Based Intrusion Prevention System) to alert or block on common installation paths, e.g. NSA Job, RECYCLER. It’s critical to understand whether the malware requires administrator privileges or only user privileges to execute its objective. Defenders must understand endpoint process auditing to discover abnormal file creations. They need to be able to determine the compile time of the malware to judge whether it is old or new. Answers to the following questions should be considered mandatory: How does it last, survive, etc.? Does it use an Auto run key, etc.? Does the backdoor need to run to provide access? Can you identify any certificates and extract any signed executables?
REAL LIFE EXAMPLE:
a. A Watering Hole Attack on Aerospace Firm
b. Exploits CVE-2015-5122 to Install IsSpace Backdoor
i. See: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5122
Case Study: http://bit.ly/cybersecuritycase
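Two of the installation-stage questions above (how old is the malware, and does it carry a certificate?) can be answered straight from a sample's PE header. The following is an added example, not code from US ProTech or the original post: `triage_pe` and `build_sample` are hypothetical names, and the sample bytes are constructed headers rather than a real binary.

```python
import struct
from datetime import datetime, timezone

SECURITY_DIR = 4  # index of the certificate-table entry in the PE data directory


def triage_pe(data: bytes, now: datetime) -> dict:
    """Answer two installation-stage questions from a PE header:
    when does the file claim to have been compiled, and does it carry
    an embedded Authenticode certificate table?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, symbol table
    # pointer and count, SizeOfOptionalHeader, Characteristics
    _, _, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    dirs_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+
    if dirs_off is None or opt_size < dirs_off:
        raise ValueError("unsupported optional header")
    (n_dirs,) = struct.unpack_from("<I", data, opt_off + dirs_off - 4)
    cert_off = cert_size = 0
    entry = dirs_off + 8 * SECURITY_DIR
    if n_dirs > SECURITY_DIR and entry + 8 <= opt_size:
        cert_off, cert_size = struct.unpack_from("<II", data, opt_off + entry)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "compiled_utc": compiled.isoformat(),
        "age_days": (now - compiled).days,
        # A zero or future stamp means the field was stripped or forged.
        "timestamp_suspicious": stamp == 0 or compiled > now,
        # Presence only: the signature itself still has to be verified.
        "has_cert_table": cert_size > 0 and cert_off + cert_size <= len(data),
    }


def build_sample(stamp: int, cert_len: int = 0) -> bytes:
    """Constructed PE32 header (no sections, no code) for the demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if cert_len:
        file_off = 0x40 + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, file_off, cert_len)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(cert_len)


if __name__ == "__main__":
    now = datetime(2016, 10, 1, tzinfo=timezone.utc)
    old = int(datetime(2015, 7, 1, tzinfo=timezone.utc).timestamp())
    for label, blob in (("unsigned", build_sample(old)),
                        ("cert table", build_sample(old, 64)),
                        ("zeroed stamp", build_sample(0))):
        print(label, triage_pe(blob, now))
```

The compile timestamp is attacker-controlled, so treat it as one data point to correlate with file-creation auditing rather than as proof of age.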
6. COMMAND AND CONTROL
This stage is the defender’s “last best chance” to block the operation: by blocking the Command and Control channel. If adversaries can’t issue commands, defenders can prevent impact. Typically, compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (aka C2) channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders effectively have “hands on the keyboard” access inside the target environment. Let’s remember that malware is seldom automated; normally this command channel is manual. The general practice of intruders is: Email = In, Web = Out. The trick for them is to have established control over many workstations in an effort to “exfiltrate” data without setting off any anomalies or other monitoring applications based upon content, quantity, frequency, etc. Hence it is essential to have, within your arsenal of capabilities, the proper tools in place that can identify, track, observe, stop and destroy these campaigns.
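Because compromised hosts must beacon outbound over the web, the frequency of requests in proxy logs is one place to look for a C2 channel. The following is an added example, not part of the original post: it flags client/host pairs whose request spacing is unusually regular, and the log format, host names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client, method, URL, status, bytes.
SAMPLE_LOG = """\
2016-10-03T09:00:00Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:00:10Z 10.0.0.22 GET http://news.example.org/ 200 48211
2016-10-03T09:00:45Z 10.0.0.22 GET http://news.example.org/world 200 39120
2016-10-03T09:02:30Z 10.0.0.15 GET http://mail.example.com/inbox 200 9120
2016-10-03T09:03:20Z 10.0.0.22 GET http://news.example.org/tech 200 41877
2016-10-03T09:05:01Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:09:59Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:15:00Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:17:05Z 10.0.0.22 GET http://news.example.org/sport 200 35590
2016-10-03T09:18:00Z 10.0.0.22 GET http://news.example.org/sport/1 200 28764
2016-10-03T09:20:02Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:25:00Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:29:59Z 10.0.0.15 GET http://cdn-sync.example.net/s 200 312
2016-10-03T09:40:12Z 10.0.0.15 GET http://mail.example.com/inbox 200 9340
2016-10-03T09:41:30Z 10.0.0.22 GET http://news.example.org/ 200 48302
2016-10-03T09:42:10Z 10.0.0.22 GET http://news.example.org/local 200 30155
"""


def parse_line(line: str):
    """Return (timestamp, client, destination host) for one log line."""
    ts, client, _method, url, _status, _size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, urlsplit(url).hostname


def find_beacons(lines, min_events=6, max_jitter=0.1):
    """Flag (client, host) pairs contacted at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by their mean;
    people browsing produce high jitter, timers produce low jitter.
    """
    seen = defaultdict(list)
    for line in lines:
        try:
            when, client, host = parse_line(line)
        except ValueError:
            continue  # blank or malformed line
        seen[(client, host)].append(when)

    findings = []
    for (client, host), times in seen.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"client": client, "host": host,
                             "events": len(times),
                             "period_s": round(avg, 1),
                             "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

Software updaters and telemetry agents also poll on timers, and an operator can randomize check-in intervals, so a hit is a lead to investigate alongside content and volume rather than a verdict.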
7. ACTIONS ON OBJECTIVES
The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which will enable them to collect forensic evidence. One example would include network packet captures, for damage assessment. Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, the objective of data exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of data integrity or availability are potential objectives as well. Alternatively, and most commonly, the intruder may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, the elevation of detailed evidence to the highest-ranking official or governing Board, the deployment of end-point security tools to block data loss, and preparation for briefing a CIRT Team. Having these resources well established in advance is a “MUST” in today’s quickly evolving landscape of cybersecurity threats.
900,833,392+ Records Breached During 5,063 Reported Data Breaches*
*Explanation about this total
CONTACT US for a demonstration
REGISTER TODAY for the Inland Southern California Cybersecurity Summit (#ISCCS)
Wednesday, September 14, 2016
This 7-Step Cybersecurity Kill-Chain Will Stop Your Enemy Cold!
Are You Concerned About a Potential Backdoor?
Better still…. Are You Ready to Do Something About It?
Take Action
This 7-Step Cybersecurity Kill-Chain Will Stop Your Enemy Cold! (But Not Before Gathering the Highly Prized Intelligence they want)
Intelli-Flex partner US ProTech has mastered the Cybersecurity Kill Chain framework, first developed with the DOD, and in preparation for the Cybersecurity Summit we wanted to share this information. It’s part of a process they have termed the “Intelligence Driven Defense model” for the identification and prevention of cybersecurity intrusion activity. The model identifies the seven steps adversaries must complete in order to achieve their objective and, more importantly, how and when to kill their presence.
We are running this as a series of 4 blog posts that will provide you with the critical info needed to take action against the greatest threat of our time: hackers using APTs.
Today, let’s discuss steps three and four in the process of seven:
1. RECONNAISSANCE
a. Harvesting email addresses, conference information, etc.
b. The first step of any APT attack is to select a target.
2. WEAPONIZATION
a. Coupling exploit with backdoor into deliverable payload
b. Next, attackers will re-engineer some core malware to suit their purposes using sophisticated techniques.
3. DELIVERY
a. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the US ProTech Computer Incident Response Team (USPT-CIRT) for the years 2005-2015, are email attachments, websites, and removable media such as a USB stick.
The transmission and delivery of weaponized bundles to the victim’s targeted environment is the objective, but these efforts arrive with some digital fingerprinting. This stage represents the first and most important opportunity for defenders to block an operation; however, doing so defeats certain key capabilities and other highly prized data. At this stage we measure effectiveness as the fraction of intrusion attempts that are blocked at the delivery point.
4. EXPLOITATION
a. At this stage the objective is exploiting a vulnerability to execute code on the victim’s system and gain a command channel for remote manipulation of the victim.
Here traditional hardening measures add resiliency, but custom defense capabilities are necessary to stop zero-day exploits at this stage. After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code. In recent years this has become an area of expertise in the hacking community which is often demonstrated at events such as Blackhat, Defcon and the like.
Coming Soon:
5. INSTALLATION
6. Real-Life Example “IsSpace Backdoor”
7. COMMAND & CONTROL
8. ACTIONS ON OBJECTIVES
Wednesday, August 31, 2016
900,833,392+ Records Breached During 5,063 Reported Data Breaches*
Are You Concerned About a Potential Backdoor?
Better still…. Are You Ready to Do Something About It?
Take Action
This 7-Step Cybersecurity Kill-Chain Will Stop Your Enemy Cold! (But Not Before Gathering the Highly Prized Intelligence they want)
Intelli-Flex partner US ProTech has mastered the Cybersecurity Kill Chain framework, first developed with the DOD, and in preparation for the Cybersecurity Summit we wanted to share this information. It’s part of a process they have termed the “Intelligence Driven Defense model” for the identification and prevention of cybersecurity intrusion activity. The model identifies the seven steps adversaries must complete in order to achieve their objective and, more importantly, how and when to kill their presence.
We are running this as a series of 4 blog posts that will provide you with the critical info needed to take action against the greatest threat of our time: hackers using APTs.
Today, let’s discuss the first two steps in the process of seven:
1. RECONNAISSANCE
a. Harvesting email addresses, conference information, etc.
b. The first step of any APT attack is to select a target.
Depending on the motive(s) of the APT actor, the victim could be any company or person with information the attacker(s) sees as valuable. Attackers “fingerprint” the target to create a blueprint of IT systems, organizational structure, relationships, or affiliations and search for vulnerabilities, both technical and human, to exploit and breach the network. As large organizations tend to invest in multiple layers of security, this step could take weeks, even months. However, the more knowledge the APT actor acquires on its target, the higher the success rate of breaching the network.
2. WEAPONIZATION
a. Coupling exploit with backdoor into deliverable payload
b. Next, attackers will re-engineer some core malware to suit their purposes using sophisticated techniques.
Depending on the needs and abilities of the attacker, the malware may exploit previously unknown vulnerabilities, aka “zero-day” exploits, or some combination of vulnerabilities, to quietly defeat a network’s defenses. By re-engineering the malware, attackers reduce the likelihood of detection by traditional security solutions. This process often involves embedding specially crafted malware into an otherwise benign or legitimate document, such as a press release or contract document, or hosting the malware on a compromised domain.
*Explanation about this total
Coming Soon:
3. DELIVERY
4. EXPLOITATION
5. INSTALLATION
6. Real-Life Example “IsSpace Backdoor”
7. COMMAND & CONTROL
8. ACTIONS ON OBJECTIVES
Monday, June 27, 2016
SD-WAN – a.k.a. A Three Stranded Cord Is Not Easily Broken
Many of us have heard the adage: "A Three Stranded Cord is Not Easily Broken." Inherently, we understand that this is true. We see this demonstrated, for example, when we purchase rope: lots of strings intertwined. Over the years, as the cords weaken, one may break but the rope still holds. With this basic explanation, you now understand SD-WAN.
Now let me explain a little further.
Whenever a new technology solution arrives on the scene, it takes a while before it is widely adopted. Part of the reason is that new terms are created and blended with our existing vocabulary, creating confusion. SD-WAN is a new technology born out of a recognition that one of the major expenses for many organizations is their bandwidth. Over the years numerous technologies have been introduced to reduce these costs:
- MUXes
- Voice over Frame-Relay
- VoIP
- WAN Optimizers
Just to name a few.
The carriers have also been trying to stretch and maximize their investments. For most of us the network has become a utility. We expect an always-on network and use it constantly. Just look around: the proliferation of handheld mobile devices with a plethora of applications that allow non-stop communication, entertainment, and access to information (Maps, Google, Starbucks) has created a demand for bandwidth that is frankly challenging to meet. Each of the respective carriers is adding bandwidth daily. I work with a number of them, and Time Warner, AT&T and others are laying fiber all over metropolitan areas. Private companies have cropped up that lay and sell both dark and lit fiber.
We also see that the cellular companies are adding and upgrading cell sites and working to partner with other cellular companies to exchange bandwidth. The appetite for bandwidth is so high that 3rd party companies are building cell sites and selling or renting them to the highest bidder.
Enough said, back to SD-WAN.
This demand for higher amounts of bandwidth is a challenge for most, if not all, organizations. Every CIO is faced with the need to increase the amount of bandwidth while trying to maintain costs. IT budgets are consistently flat¹ and 80% of the IT budget is spent just maintaining the status quo. The reality of today is that the network IS a utility, and if it goes down, most organizations come to a grinding halt. “All the while, of course, the IT department is expected to deliver value for money by minimizing capital expenditure and operational costs wherever possible.” ² My focus is SDN over SPB, and while I seek to build secure, resilient, "always on" infrastructures that are easy to manage and deploy, eventually we have to leave the premises and traverse the WAN. Whenever I have to extend my network fabric over the WAN, I am faced with the reality that the single MPLS pipe the customer pays for becomes my single point of failure. It doesn’t matter that my SDN network built on SPB has sub-second failover; if that WAN link is the only link, my network is down. Those virtual servers and applications are cut off from the users. I now bring in my carriers and help the customers to create a more resilient WAN.
Enter SD-WAN.
Talari and other companies have developed technologies and algorithms that allow the bonding together of multiple lower-cost links from different carriers into a single, higher aggregate bandwidth pipe that has higher availability and throughput than a traditional, more expensive MPLS network. In addition, because we have spread the bandwidth over different media (cable, fiber, 4G, etc.) and different companies, the failure of any one link does not bring the network down, and the network is therefore more resilient. So, the adage: A three stranded cord… applies.
There are a number of organizations that are offering SD-WAN³, and there are a number of great white papers available⁴ for those of you that would like to get a better understanding of what, how, who, etc. Most traditional router/WAN optimizer vendors have begun to develop products in this area, so make sure to do your research when investigating them. I work with a number of carriers and they are starting to include this as part of their service. They provide multiple connections over different technologies and incorporate the SD-WAN service as a bundle. I suspect that this trend will become commonplace. It seems like a win-win to me. As with most technologies today, there are hosted and on-premises offerings, and many include firewalls, etc. If you opt for a hosted solution, make sure that, behind the scenes, they are not creating a single point of failure. As always: Caveat Emptor, a.k.a. get references.
Good luck.
¹ http://www.zdnet.com/article/it-budgets-2016-surveys-software-and-services/ Data source: Gartner