Anomali Provides Threat-Sharing Expertise Before Congress

Cyber Threat Intelligence provider Anomali appeared before Congress on Wednesday, November 15th to provide threat-sharing expertise before the U.S. House of Representatives Homeland Security Committee. The purpose of this hearing was to discuss methods for improving the value of cyber threat information shared by the government and increasing participation of threat-sharing with the private sector.

Anomali was the first company to automatically share threat intelligence with the Department of Homeland Security’s Automated Indicator Sharing program (AIS), and the only cybersecurity vendor invited by the Homeland Security Committee to testify before Congress. Anomali was represented by Patricia Cagliostro, Federal Solutions Architect Manager.

Ms. Cagliostro began by explaining the current state of cyber threat intelligence sharing in the private sector, citing the 2017 Ponemon Institute Report, The Value of Threat Intelligence: A Study of North American and United Kingdom Companies that included over 1000 respondents. According to the report, 80% of organizations use threat intelligence, with 84% identifying threat intelligence as essential to a strong security posture.

Ms. Cagliostro continued by describing two key factors noted within the study that deter cyber threat intelligence sharing: excessive volumes of threat data (70% of respondents) and a lack of threat intelligence expertise. In regard to the first issue, Ms. Cagliostro noted the benefits of utilizing a threat intelligence platform to manage mass quantities of data and streamline the process of sharing. The second issue, a lack of threat intelligence expertise, was identified as the primary reason organizations do not share intelligence. The following statistics from the report detail a concerning trend for government-led initiatives such as the DHS’ AIS.

Organizations that reported sharing intelligence – 62%
Organizations that reported sharing intelligence with trusted security vendors – 50%
Organizations that reported sharing with trusted peer groups – 43%
Organizations that reported sharing with the government – 30%

Organizations are often unaware of what constitutes useful intelligence, Ms. Cagliostro explained, and are afraid of looking immature for sharing irrelevant information. This is especially true in the small and mid-sized market. Many are concerned with providing “net-new indicators,” although providing additional context for existing indicators could prove useful for companies within the same industry verticals. Many organizations already participate in same-industry or region sharing initiatives such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Anomali acts as the trusted partner for many of these ISACs and Information Sharing and Analysis Organizations (ISAOs).

In regard to the DHS’ sharing program, Ms. Cagliostro explained that “the level of effort to share intelligence within the program and lack of expertise in threat intelligence act as barriers to entry through AIS.”

Organizations connecting to AIS must:

1) Sign a terms of use document
2) Set up a TAXII client
3) Purchase a PKI certificate from a commercial provider
4) Provide their IP address to the DHS
5) Sign an Interconnection Security Agreement

This process can take private organizations weeks to complete due to legal reviews and change control processes. In the public sector this can be even more time consuming because additional processes and requirements can cause delays due to the time required to get new technologies online.

Once connected to AIS, organizations often find it difficult to share intelligence. There are a variety of methods available for sharing within the program, but each adds an additional task for overburdened analysts outside of their typical workflow. Organizations that already struggle with limited resources are not likely to expend further time and effort to stand up additional technology for little perceived gain.

Beyond the operational aspects, these analysts and security personnel such as Chief Information Security Officers (CISOs) must justify sharing intelligence to executives. Ms. Cagliostro explained, “Information sharing is a cost like any other process, new tool, or technique that is brought online. In order for that cost to make sense we have to empower organizations with the answer for the ROI question.”

The answer to that ROI could be one of the government’s unique advantages – unmatched visibility. This is something that cannot be developed by companies internally, nor bought from a vendor. Up until now, though, the DHS has struggled to supply large quantities of high-quality and high-context indicators. Information is declassified at a slow rate, and context that would make intelligence actionable is often missing. Ms. Cagliostro offered the acceleration and increase of declassification of information as a possible solution for the DHS, as well as conversion of the process from manual to machine-to-machine. Part of accelerating the declassification process could include aggregating publicly available information to determine what indicators currently exist in the public domain. Such intelligence (barring more sensitive information such as the association to an actor and how the information was obtained) could then be released.

Throughout her testimony and responses, Ms. Cagliostro encouraged the DHS to make threat sharing as simple and mutually beneficial a process as possible.  

“When I first started at Anomali, people often asked how we forced people to share intelligence.  People assumed that when we talked about sharing, we had to be forcing people because no one would choose to share unless they had to.  Our approach wasn’t to force people to share, but to create an environment where sharing was easy and organizations received value.

The AIS program has come a long way since its inception and, as the barriers to entry are reduced, more organizations will participate and increase the quality of the data provided.”   


Source: Honeypot Tech

Death of the Tier 1 SOC Analyst

Say goodbye to the entry-level security operations center (SOC) analyst as we know it.
Source: Cyber Monitoring

Deception Technology: Prevention Reimagined

How state-of-the-art tools make it practical and cost-effective to identify and engage attackers in early lateral movement stages to prevent them from reaching critical systems and data.
Source: Cyber Monitoring

WTB: New Banking Trojan IcedID Discovered

The intelligence in this week’s iteration discusses the following threats: Business Email Compromise, Financial theft, Malspam, Phishing, Ransomware, Threat group, Trojan, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Banking Trojan IcedID Discovered (November 13, 2017)
IBM X-Force researchers have published information regarding a newly identified banking trojan, dubbed “IcedID,” that was first found in September 2017. Researchers note that the malware has similar banking trojan capabilities as the notorious “Zeus Trojan.” At the time of this writing, the malware is targeting banks, mobile services providers, payment card providers, payroll, in addition to ecommerce and webmail websites. IcedID has been observed being distributed via the “Emotet” trojan, which is distributed via malspam emails that typically contain files with malicious macros.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided.
Tags: Malspam, Malware, Emotet, Banking trojan, IcedID

Windows Movie Maker Scam Spreads Massively due to High Google Ranking (November 13, 2017)
Threat actors are distributing malicious versions of the “Windows Movie Maker,” Windows free video editing software, with the objective of stealing money, according to ESET researchers. The actors are distributing the malicious Movie Maker, which was discontinued in January 2017, via search engine optimization of the actor’s website in Google search results. As of this writing, the website responsible for distributing the malicious Movie Maker version appears on the first page of a Google search for “movie maker,” and is also located on the first page of results from the “Bing” search engine. If the fake Movie Maker is downloaded, users receive a functioning product, however, this version claims that the user needs to upgrade to the full version for $29.95 USD.
Recommendation: Any free product should be researched carefully prior to installation, so that features that should not be in the product, such as a paid version of Movie Maker, will be easier to identify. Furthermore, search engine results should not be taken at face value because, as this story portrays, search engine results can sometimes display malicious locations. Users should navigate to the official website of the creator/owner of the product for download and installation.
Tags: Impersonation, Microsoft Movie Maker, Financial theft

New Cobra Crysis Ransomware Variant Released (November 10, 2017)
Researchers have found what appears to be a new variant of the “Crysis/Dharma” ransomware. As of this writing, it is unknown how the actors are distributing this malware. However, researchers note that previous Crysis variants were distributed by compromising Remote Desktop Services and a subsequent manual installation of the ransomware. Encrypted files have an extension appended in the format “.id-[unique_id].[cranbery@colorendgrace[.]com].cobra”. It will also encrypt mapped network drives and unmapped network shares.
Recommendation: As shown in this story, it is important to make sure corporate network shares are locked down and only those who need files have access. Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be created to assist in dealing with ransomware infections.
Tags: Ransomware, Cobra Crysis, Remote Desktop Services

Eavesdropper: The Mobile Vulnerability Exposing Millions of Conversations (November 9, 2017)
Appthority researchers have identified a vulnerability, dubbed “Eavesdropper,” that affects approximately 700 applications. The vulnerability resides in developers hard coding credentials in applications that use the “Twilio Rest API” or “Twilio SDK.” Researchers state that “the developers have effectively given global access to the text/SMS messages, call metadata, and voice recording from every app they’ve developed with the exposed credentials.” The applications affected by this vulnerability consist of 44% Android, and 56% iOS and are associated with 85 Twilio developer accounts. The credentials in vulnerable apps were found by using YARA to find the string “twilio” which was listed beside the plaintext account ID and token.
Recommendation: This vulnerability is worrying because it has the potential to expose sensitive information that could be stolen and subsequently sold by threat actors, or potentially lead to an information ransom scenario. This vulnerability arose because of developers failing to follow the documented guidelines set out by Twilio. Developers should always follow secure guidelines and avoid hard coding any form of credentials in an application. This vulnerability affects many applications, of which 33% are business related. Companies should identify applications that are used internally, and cease the use of the applications until the vulnerability has been addressed. Furthermore, companies should have policies that disallow employees from using applications for company-related work that have not been approved by the company.
Tags: Vulnerability, Mobile, Data leak
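
The check described above (the string “twilio” sitting beside a plaintext account ID and token) can be run by developers against their own source or decompiled builds before release. The following is an added example, not code from Appthority or Twilio: it uses Python regular expressions rather than YARA, assumes account IDs have the form "AC" plus 32 hex characters and tokens are 32 hex characters, and all file names and credential values in it are constructed.

```python
import re
from dataclasses import dataclass

# Assumed credential shapes: account ID = "AC" + 32 hex chars, token = 32 hex chars.
SID_RE = re.compile(r"(?<![0-9A-Za-z])AC[0-9a-fA-F]{32}(?![0-9A-Za-z])")
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")
KEYWORD_RE = re.compile(r"twilio", re.IGNORECASE)
WINDOW = 3  # lines inspected on either side of a candidate account ID


@dataclass
class Finding:
    path: str
    line: int   # 1-based line number of the account ID
    kind: str   # "sid+token" (full credential pair) or "sid-only" (needs review)
    sid: str    # redacted so the report itself does not leak the value


def redact(value, keep=4):
    """Keep only the first few characters of a secret for reporting."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path, text):
    """Flag account IDs that appear near the word 'twilio', and note whether
    a token-shaped literal sits in the same window."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for match in SID_RE.finditer(line):
            lo, hi = max(0, idx - WINDOW), min(len(lines), idx + WINDOW + 1)
            nearby = "\n".join(lines[lo:hi])
            if not KEYWORD_RE.search(nearby):
                continue  # "AC"+hex without Twilio context: ignore
            # The 34-character account ID can never satisfy TOKEN_RE, because
            # the lookarounds require a non-alphanumeric on both sides.
            kind = "sid+token" if TOKEN_RE.search(nearby) else "sid-only"
            findings.append(Finding(path, idx + 1, kind, redact(match.group())))
    return findings


def scan_files(files):
    """files: mapping of path -> file contents. Returns findings sorted by path, line."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings, key=lambda f: (f.path, f.line))


# Constructed sample sources; the credential values are fake.
SAMPLE_FILES = {
    "app/src/SmsSender.java": "\n".join([
        "public class SmsSender {",
        "    // Twilio REST API credentials",
        '    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";',
        '    static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";',
        "}",
    ]),
    "app/src/VoiceClient.kt": "\n".join([
        "// Twilio voice: the access token is issued per session by our backend",
        'val accountSid = "AC0123456789abcdef0123456789abcdef"',
        "val token = backend.fetchAccessToken(userId)",
    ]),
    "app/src/Checksums.java": "\n".join([
        "// MD5 of a bundled asset, not a credential",
        'String assetHash = "d41d8cd98f00b204e9800998ecf8427e";',
    ]),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.sid}")
```

A "sid+token" finding means the build ships a usable credential pair and the token should be rotated; a "sid-only" finding is a prompt to confirm that the token really is issued server-side.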

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks (November 9, 2017)
The threat actors behind the ransomware “LockCrypt,” which was first discovered in June 2017, have increased their malicious activity to target business-owned servers, according to Alien Vault researchers. At the time of this writing, LockCrypt has infected businesses in India, South Africa, the U.K., and the U.S. One business reported that it was infected via a Remote Desktop Protocol (RDP) brute-force attack from a compromised mail/VPN server. The actors are demanding anywhere from 0.5 (approximately $3,443 USD) to 1 (approximately $6,887 USD) Bitcoin for the decryption key per server.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place in regard to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
Tags: Brute-force attacks, RDP, Ransomware, LockCrypt

Toast Overlay Weaponized to Install Several Android Malware (November 9, 2017)
Trend Micro researchers have discovered a new Android malware family, dubbed “TOASTAMIGO,” that is capable of installing other malware via the “Toast Overlay” attack. Toast is a feature in Android used to display notifications over other applications. The Toast Overlay vulnerability, registered as “CVE-2017-0752,” was issued a patch in September 2017 and affects all Android versions except “Oreo.” The malware that exploits the vulnerability was discovered inside applications impersonating legitimate application lockers that protect apps with a PIN code, one of which was found to have been downloaded approximately 500,000 times, as of this writing. The malicious applications request Accessibility permissions upon installation which will allow it to download additional malware.
Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. The two malicious applications on the app store had a high number of positive, fake reviews. When choosing an application to download, check for reviews with substantive wording, as it is common for fake positive reviews to have little context in support of a positive rating. Also check the application description for correct grammar and spelling; the malicious applications in this case had many errors in their descriptions.
Tags: Android, Vulnerability, Toast Overlay

OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan (November 8, 2017)
The threat group “OilRig” is using a new version of their malicious “Clayside” delivery document to distribute a new custom trojan dubbed “ALMA Communicator,” according to Unit 42 researchers. The Clayside document was also observed to drop the credential stealing tool “Mimikatz.” This Clayside version is similar to past iterations in that if opened, it will display a worksheet that states that the file was created with a newer version of Excel. The document requests that the user click “Enable Content” to properly view the document. If Enable Content is clicked, a malicious macro will run to display the content of the decoy document, while also creating an HTML Application (.HTA) file in which HTML will run a VBScript to download ALMA Communicator.
Recommendation: Files that request content to be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
Tags: Threat group, OilRig

Hijackers Deface 800 School Websites with Pro-Islamic State Messages (November 8, 2017)
Jim Brogan, the director of technology services for schools in Gloucester County, Virginia, has confirmed that approximately 800 school websites were directing users to an iFramed YouTube page depicting an Islamic State recruitment video. The attack was accomplished by injecting a file into one of the websites of the web hosting company, SchoolDesk. The redirection caused the user to see a picture of Saddam Hussein and hear an audible message in Arabic.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites, Defacement

Linux Has a USB Driver Security Problem (November 7, 2017)
Google security researcher Andrey Konovalov has discovered 79 Linux USB-related vulnerabilities. The vulnerabilities can be exploited via a maliciously crafted USB device. Some of the vulnerabilities can be exploited for Denial-of-Service (DoS) attacks, and others can be exploited to allow an actor to elevate privileges and execute arbitrary code. Researchers note that not all of the 79 vulnerabilities have been reported or patched.
Recommendation: Vulnerabilities that can be exploited via a USB drive are in a state of increasing demand because of the corresponding increase in the use of air-gapped systems. Therefore, the use of USB drives is a security risk, and the use of such devices should be limited to only the appropriate personnel who may need to use such equipment.
Tags: Vulnerability, Linux, USB

BEC Scammer Stealing Millions From Home Buyers (November 7, 2017)
In early May 2017, the U.S. Federal Bureau of Investigation (FBI) warned homebuyers that threat actors were targeting their email accounts, and now the agency reports that throughout 2017 threat actors have diverted or attempted to divert approximately $1 billion USD. This malicious activity was accomplished by compromising real estate email accounts, monitoring them until a transaction was underway, and then sending a fraudulent request to change the payment type. The payment type was typically changed from check to wire transfer, or the account was changed to one controlled by the actors.
Recommendation: It is important that your employees use different passwords for business-related accounts because actors will often test other accounts with previously stolen passwords. In addition, it is crucial that business accounts use a form of two-factor, or multi-factor authentication to make it difficult for actors to compromise accounts.
Tags: Business Email Compromise, Theft

KRACK Whacked, Media Playback Holes Packed, Other Bugs Go Splat in Android Patch Pact (November 7, 2017)
Google has released its security update for November that addresses multiple vulnerabilities in the Android operating system. Among the vulnerabilities addressed is the critical “KRACK” Wi-Fi key reinstallation flaw that could allow actors to monitor nearby wireless traffic. Overall, 31 vulnerabilities were patched by Google. Nine of said vulnerabilities could be exploited to allow an actor to execute code remotely.
Recommendation: As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow, or can be exploited by malicious actors.
Tags: Vulnerabilities, Android, Security updates

Phishing Emails Are Being Sent to The Users of Netflix by Hackers (November 6, 2017)
Researchers have found that threat actors are targeting Netflix users with phishing emails. The objective of the campaign is to steal billing data by claiming that the recipient needs to update said information. If the recipient follows a link provided in the phishing email, they will be directed to a fake Netflix page that asks the user to log in and enter their information such as credit card data.
Recommendation: Netflix has stated that it will never ask its customers for personal information in an email. Therefore, if an email purporting to be from Netflix requests that personal data be changed or updated, it is likely a sign of a scam. If a user is curious, they should visit Netflix’s official website to check their account status.
Tags: Phishing, Netflix, Data theft

Watch Out: GIBON Enters The Ransomware Space (November 6, 2017)
Proofpoint researcher, Matthew Mesa, has discovered a new strain of ransomware, dubbed “GIBON.” Threat actors are distributing this ransomware via phishing campaigns. The malicious attachments contain macros that will download and execute the ransomware if they are enabled. GIBON targets every file that is not located in the Windows folder. At the time of this writing, there are minimal details discussing the technical features of this new malware, in addition to the ransom demanded for the encryption key.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. In addition, as shown in this story, employees should also be cautious of opening suspicious attachments in emails even if they appear to have been sent from within the company as the Necurs botnet is easily able to spoof email addresses. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Phishing, Ransomware, GIBON

Google Releases Security Update for Chrome (November 6, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning Google Chrome users to update their web browser as soon as possible. A vulnerability resided in Chrome for Linux, Mac, and Windows operating systems that has been addressed in Chrome version 62.0.3202.89. The vulnerability could be exploited by threat actors to take control of an affected system, according to the US-CERT.
Recommendation: The US-CERT recommends that users and administrators review the Chrome releases page located at “https://chromereleases.googleblog.com/search/label/Stable%20updates” and apply the necessary update.
Tags: Alert, Vulnerability, Google Chrome

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services


Source: Honeypot Tech

Frequent Software Releases, Updates May Injure App Security

The more frequently you release apps, the more security vulnerabilities you are likely to introduce in the code, a new study confirms.
Source: Vulnerabilities & Threats

Smart Public Kiosks Enhance Livability, Connect Communities

Cities are busy places, and they’re getting busier. Thankfully, many of them are also getting smarter by enabling smarter parking, better transportation and better air quality management for better citizen experiences. Among the most groundbreaking of innovations contributing to those experiences are smart public kiosks — replacing outdated infrastructure, such as phone booths and static signage, with smart kiosks. From providing environmental sensors and smart lighting to boosting cell reception and serving as a free Wi-Fi hotspot, kiosks enhance quality of life, equity, sustainability and security in a city. They are able to generate new revenue streams for cities through advertising — which can help them to become self-funded —and provide valuable services, such as wayfinding, transit routes, free Wi-Fi, and emergency alerts for more connected experiences between citizens and the services provided by their local governments and businesses.

Connecting Citizens to Local Government

Smart public kiosks, such as Intel technology enabled CIVIQ Smartscapes, Intersection and CityBeacon, offer tremendous opportunities to enhance and ease citizens’ quality of life by enabling citizens to more easily access information and connect to the world around them. CityBeacon is an Intel IoT Market Ready Solution — it’s a proven, commercially available solution that bridges digital and physical worlds, providing reliable connectivity and maximum flexibility for smarter city management. For public kiosks, those connections include speakers, large digital signage screens and flashing lights that can broadcast public service announcements or missing child alerts. Interactive transit route maps can make navigating public transit easier with wayfinding features. Under the hood, kiosks can also provide powerful Wi-Fi hotspots and strengthen cell phone signals. As kiosks expand their reach, citizens and local governments alike are only beginning to realize the full potential of the technology to empower communities.

Enhancing Safety in Public Spaces

From a community health and safety standpoint, kiosks can brighten dark spaces with smart lighting that adjusts to current conditions for better lit, and safer, public spaces. Built-in incident and facial detection features can further enhance safety and enable public safety officers and EMTs to more quickly respond to incidents. Kiosks can even monitor air pollution, helping to contribute to healthier communities.

Growing Local Economies

For local businesses, kiosks are scaling out their digital and interactive display offerings, which are even more convenient because they have facial detection — they can detect emotions, demographic information and more while maintaining the privacy of consumers. These kinds of cognitive analytics enable the display to engage in a real-time feedback loop, refining messaging in response to the reactions, in order to reach the right consumers with even more precise messaging in the future. From purchasing tours and event tickets, to paying for parking or bus fare, kiosks enable businesses to connect with customers wherever they are, creating amazing experiences along the way.

Engaging and interactive, kiosks support smart city initiatives delivering real-time information, services and alerts to citizens and visitors—quickly and cost-effectively. To learn more, check out the smart kiosk at the village during Smart City Expo World Congress in Barcelona, Nov. 14-16, or visit intel.com/publickiosks.

Learn more about Intel IoT Market Ready Solutions at www.intel.com/iotmarketready. Visit intel.com/retail to learn more about how Intel technology is shaping the future of responsive retail. To stay informed about Intel IoT developments, subscribe to our RSS feed for email notifications of blog updates, or visit intel.com/IoT, LinkedIn, Facebook and Twitter.

 

 


Source: Network News

Access Point Support Subscriptions

WatchGuard access points provide secure, reliable wireless connectivity to businesses around the world. At WatchGuard, we are passionate about mobility and security and are dedicated to keeping wireless environments updated with the latest software features to keep people safe and their businesses running smoothly. For example, at the time of our public announcement of the WPA/WPA2 key reinstallation (KRACK) vulnerability, corrective software was already available online. Additional details about KRACK and software updates for WatchGuard products can be found in this knowledge base article.

Support Subscriptions for Access Points

Standard Support for access points is included in our Wi-Fi service subscriptions: Basic, Secure, and Total Wi-Fi. See this FAQ for more information on the Wi-Fi SKUs. Maintaining active support subscriptions for your access points is recommended to continue to receive important software updates, RMA replacement, and support.

Basic, Secure, and Total Wi-Fi Subscriptions include Standard Support:

  • 24×7 support
  • Unlimited number of support cases per annual subscription
  • Targeted response times:
    • 4 Hour – Critical, High
    • 8 Hours – Medium
    • 24 Hours – Low
  • Web-based support
  • Phone-based support
  • Software updates and patches for:
    • Gateway Wireless Controller
    • Access point firmware
    • Wi-Fi Cloud
  • Advanced hardware replacement
  • Product documentation and guides
  • Technical Training Materials
  • Moderated Customer Forum

At this time, premium four hour RMA is not available for access points.  Please remember to maintain an active Basic, Secure, or Total Wi-Fi subscription with each access point in order to maintain support.

Total Wi-Fi Program Chart

Sincerely,

Ryan Orsi
Director, Product Management, Secure Wi-Fi
WatchGuard Technologies


Source: WatchGuard

6 Steps for Sharing Threat Intelligence

Industry experts offer specific reasons to share threat information, why it’s important – and how to get started.
Source: Vulnerabilities & Threats

Restful Mash-Ups to Help Under-Staffed Infosec Teams

“This article was originally featured on Wire Data on April 2nd, 2017.”

In this post, we will couple ExtraHop’s wire data analytics, Anomali STAXX (a leading threat intelligence solution), and Slack (a cloud-based collaboration platform) to demonstrate how we can use orchestration and automation in a manner that helps today’s under-(wo)manned security teams meet today’s threats with the level of agility needed!

I was fortunate enough to be selected to speak at RSAC 2017 and it was surely a career highlight for me. As several analysts pointed out post-show, automation and orchestration seemed to be the flavor of the year. Over the last 36 months, it has become glaringly obvious that we simply cannot keep bad actors and malicious software off of our networks. I have been preaching the folly of perimeter (only) based security since 2010. The speed with which systems are now compromised and the emergence of the “human vector” through phishing has all but assured us that the horde is behind the wall and needs to be directly engaged. The reliance on logs, SIEM products will give you a forensic view of what is going on but will do little to be effective against today’s threats where a system could be compromised by the time the log is written.

While the idea of automation and orchestration is a great one, there are issues with it, and this will not be the first time “self-defending networks” have been brought to market. Bruce Schneier makes a very good point in his “Schneier on Security” blog post when he states the following:

“You can only automate what you’re certain about, and there is still an enormous amount of uncertainty in cybersecurity”. He also makes one of the greatest quotes in INFOSEC history when he states “Data does equal information and information does not equal understanding”.

Perhaps the battle here is to get to a place of certainty. I too was once an advocate of “log everything and sort it out later,” but the process of sorting through the data became extremely tedious, and the amount of work it took to get to “certainty,” I believe, gave bad actors time to operate while I wrote SQL queries, batch processes and parsing scripts for my context-starved data sets. Couple this with the fact that teams are digitally bludgeoned to death with alerts and warnings, and the “INFOSEC death sentence” starts to take root as people get desensitized to the alerts.

So where do we find certainty and how do we use it?
While the industry is still developing, there have been great strides in Threat Intelligence. ISACs around the world are working together to build shared intelligence around specific threats and making the information readily available via TAXII, STIX and CIF. There is even a confidence level associated with each record that we are able to use as a guide to determine if a specific action is needed. The challenge with good threat intelligence is how we make it usable. Currently most threat intel is leveraged in conjunction with a SIEM or logging product. While I certainly advocate for logs, there are some limitations with them.

  • Not everything logs properly (IoT Systems normally have NO logging at all)
  • You have a data gravity issue (you have to move the data into the cloud to be evaluated or you have to store petabytes of data to evaluate)
  • In some cases, only a small portion of the log is usable (but you pay to index the entire log with most platforms)
  • Their use is largely forensic with many of today’s threats

The case for Wire Data Analytics:
The key difference that I want to point out here is that using Wire Data Analytics with ExtraHop you can perform quite a bit of analysis in flight. ExtraHop “takes” data off the wire and is not dependent on another system to “give” the data to it. The only prerequisite for ExtraHop is an IP address. Examples of how I have made a SIEM more effective using wire data include:

  • Reducing Logging by 5000% by looking at logins by IP and calculating the total THEN sending a syslog message to the SIEM for those IPs with more than 100 logins vs. sending tens of thousands of logs per minute to the SIEM and checking on the back end
  • Checking an EGRESS transaction against threat intelligence THEN sending the syslog if there is a match
  • In an enterprise with tens of thousands of employees, rather than logging EVERY failed login, aggregate records into five-minute increments then send those with more than 5 login failures to the SIEM.

The point here is that you can deliver some context when you leverage wire data analytics with your SIEM workflows. Using SIEM-only, you must achieve context by aggregating the logs and looking at them after they are written. Using ExtraHop with your SIEM, you are able to achieve context (and more importantly, get closer to Mr. Schneier’s certainty) BEFORE sending the data to the SIEM. You can keep all the workflows that are tied to the incumbent SIEM system, you are just getting better, and fewer, logs. Should I disable an account that has 50 login failures in the last five minutes (Locked out or not)…..HELL YES! While I don’t think that automation and orchestration are a panacea, I think there are SOME cases where the certainty level is high enough to orchestrate a response. Also, I believe that automation and orchestration is not just for responding but can be used to make your SOC more effective.
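
The five-minute aggregation from the list above, as an added sketch (not the author's ExtraHop trigger code). The event tuples and the summary line format are constructed for illustration; the sliding-window pass is an addition that catches a burst straddling a bucket boundary, which fixed five-minute increments count as two sub-threshold groups.

```python
from collections import Counter, defaultdict, deque

WINDOW = 300      # five-minute increments, as in the list above
THRESHOLD = 5     # forward only accounts with more than 5 failures

def fixed_buckets(events):
    """Count failures per (bucket start, user); return summaries over threshold."""
    counts = Counter((ts - ts % WINDOW, user) for ts, user, _ip in events)
    return sorted((start, user, n) for (start, user), n in counts.items()
                  if n > THRESHOLD)

def sliding_window(events):
    """Flag users whose failures exceed the threshold in any trailing 300 s span."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, _ip in sorted(events):
        q = recent[user]
        q.append(ts)
        while q[0] <= ts - WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged

def to_syslog(start, user, n):
    """One summary line for the SIEM instead of n raw records (illustrative format)."""
    return "login_failures user=%s window_start=%d window_s=%d count=%d" % (
        user, start, WINDOW, n)

# Constructed events: (epoch seconds, account, source IP).
EVENTS = (
    [(1000 + i * 10, "alice", "10.0.0.5") for i in range(7)]   # 7 in one bucket
    + [(1200 + i * 20, "bob", "10.0.0.9") for i in range(3)]   # below threshold
    + [(1490 + i * 2, "carol", "10.0.0.7") for i in range(4)]  # 4 just before 1500
    + [(1502 + i * 2, "carol", "10.0.0.7") for i in range(4)]  # 4 just after 1500
)

if __name__ == "__main__":
    for start, user, n in fixed_buckets(EVENTS):
        print(to_syslog(start, user, n))
    print(sliding_window(EVENTS))
```

With this sample, 18 raw failures collapse to a single summary line under fixed buckets, while the sliding pass additionally surfaces the account whose eight failures fall on either side of a bucket boundary.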

Now that I have, hopefully, established the merits of using Wire Data Analytics, let’s keep in mind orchestration does NOT have to be a specific action or response. Orchestration can also be used to make your team more agile and hopefully, more effective. Most security teams I come across have at least one, two and in some cases, three open positions. The fact is, at a time when threats are becoming more complex, finding people with the needed skills to confront them is harder than ever. The situation has gotten so bad that the other day I typed “Human Capital Crisis” in Google and it auto-filled “in cybersecurity”. The job is getting tougher and there are fewer of us doing it. What I am going to show you in this post will never replace a human being, but it might ease some of the heavy lifting that goes into achieving situational awareness.

PHISHING: “PHUCK YOU, YOU PHISHING PHUCKS!!!”
Anyone who has ever been phished or worked in an organization that is experiencing a phishing/spear phishing campaign has felt exactly as the section title says. Let’s have a look at how we can help our security teams get better data by leveraging the APIs of three unique platforms to warn them when a known phishing site has been accessed.

For those of us who are working too hard to bring context to the deluge of data, my suggestion…get some REST!!! Below I am going to walk you through how I can monitor activity to known phishing sites by doing a mash-up of three technologies using the RESTFUL API of all three platforms.

Solution Roster:

  • ExtraHop Discovery/Explorer appliance
    ExtraHop provides wire data analytics and surveillance by working from a mirror of the traffic. Think of it as a CCTV for packets/transactions.
  • Anomali STAXX Virtual Machine
    Anomali STAXX provides me lists of current threat intelligence. Think of this as equipping the CCTV operator with a list of suspicious characters to look for.
  • Slack Collaboration Community
    Slack provides me a community at packetjockey.slack.com where my #virtualsoc team operates from anywhere in the world.
  • A Python peer (Windows or Linux)
    This is the peer system that accesses the threat intelligence and pulls it off of the STAXX system and uploads the threat intelligence to the ExtraHop appliance.

How it works:
As you can see in the drawing below, the Linux peer uses the REST API to get a list of known phishing sites then executes a Python script to upload the data into the memcache on the ExtraHop appliance equipping it with the threat intelligence it needs. The ExtraHop appliance uses an application inspection trigger that checks every outgoing URI to see if it is a known phishing site. If there is a match, an alert is sent to Slack, Email/SMS in addition to being logged on their own internal dashboards and search appliance.
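
The match-and-alert flow described above, as an added offline sketch (not the author's script or ExtraHop trigger). The record field names, sample URLs and IP addresses are constructed assumptions, not the STAXX schema; a plain dict stands in for the appliance's memcache, and the result is the minimal `{"text": ...}` JSON body a Slack incoming webhook accepts, returned rather than sent.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample records; field names are assumptions, not the STAXX schema.
SAMPLE_INTEL = [
    {"type": "phish_url", "value": "http://login.example-bank.test/secure/", "confidence": 90},
    {"type": "phish_url", "value": "HTTP://Portal.Example-Mail.test:80/reset?id=1", "confidence": 35},
    {"type": "mal_ip", "value": "203.0.113.7", "confidence": 99},
]

def normalize(url):
    """Reduce a URL to lowercase host + path so feed entries and observed
    URIs compare equal (scheme, port, query and trailing slash are dropped)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host + path

def cache_key(url):
    """memcached keys are limited to 250 bytes with no whitespace, so hash the URL."""
    return "phish:" + hashlib.sha256(normalize(url).encode()).hexdigest()

def build_cache(records, min_confidence=50):
    """Keep only phish_url records at or above the confidence floor."""
    cache = {}
    for rec in records:
        if rec["type"] == "phish_url" and rec["confidence"] >= min_confidence:
            cache[cache_key(rec["value"])] = json.dumps(
                {"url": normalize(rec["value"]), "confidence": rec["confidence"]})
    return cache

def check_egress(cache, client_ip, server_ip, host, path):
    """Return a Slack-style message body when the outgoing URI matches, else None."""
    hit = cache.get(cache_key(host + path))
    if hit is None:
        return None
    intel = json.loads(hit)
    return {"text": "Known phishing site accessed: client=%s server=%s url=%s confidence=%d"
            % (client_ip, server_ip, intel["url"], intel["confidence"])}
```

Filtering on the feed's confidence value before loading the cache keeps low-confidence records from generating alerts; the floor of 50 used here is an arbitrary illustration.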

What the final product looks like:
From my Linux box (I don’t dare go to these sites on my Windows or Mac laptop), I do a “wget” on one of the known phishing sites and within milliseconds (yes, milliseconds; watch the video if you don’t believe me) we get the client IP, server IP and the site that they went to. From here we can find out who owns that client machine and get them to change their password immediately, as well as issue an ACL for the server in case this is a spear phishing campaign and they are targeting specific users. Also, before you ask, “Yes,” we can import the list of known malicious email addresses and monitor key executive recipients in case one of them gets an email from a known malicious address. We can also check HTTP referrers against the phish_url threat intelligence.

In the screenshot below, you see my “wget” command and the result at 11:23:53 and you can see that the Slack warning came in at 11:26. If you watch the video you will see it takes milliseconds.

I believe that by using Slack you can also color-code certain messages for specific messages and program in that awesome “WTF” emoji (if one exists) ExtraHop sends. Also, if you are not comfortable with specific information being sent to Slack, we can configure the appliance to send you a link to the LOCAL URI that ONLY you and your team can access.

Conclusion:
While there is a lot of buzz around Orchestration and Automation, I believe the pessimism around it is justified. Security teams have been promised a lot over the last few years and what we have found, especially lately, is that a lot of tried-and-true solutions either lack the shutter-speed or context to be effective. Here we are doing some orchestration and automation but we are doing so in order to give the HUMAN BEING better information. Our security director made a very good point to me the other day when he said the last thing a security team wants is more data. What we have hopefully shown in this post is that if you have open platforms like Anomali, Slack and ExtraHop, you can craft an automation and orchestration solution that can actively help security teams in a manner that still leverages the nuance and rationalization that only exists in a human being. While there will be solutions that will effectively automatically block certain traffic, issue ACLs, disable accounts, etc., we can also use automation to do some of the heavy lifting for today’s out(wo)manned security teams.

To get where I think the Cyber Security space needs to be, it is going to take more than one product/tool/platform. If you have a solution that is closed and does not support any kind of RESTful API or open architecture, unless it fulfills a specific niche, get rid of it. If you are a vendor and you are selling a solution that is closed, do so at your own peril as I believe closed systems are destined to go the way of the dinosaur. By leveraging wire data with existing workflows, you can drastically reduce your TTWTF (time to WTF!??) and be better positioned to trade punches with tomorrow’s threats.

Thanks so much for reading, please watch the video.

John M. Smith


Source: Honeypot Tech

Siemens Teams Up with Tenable

ICS/SCADA vendor further extends its managed security services for critical infrastructure networks.
Source: Cyber Monitoring