Trends and Analysis

Hurricanes, Earthquakes & Threat Intelligence

You must be prepared for foreseeable attacks as well as the ones that sneak up on you. Organizations deal with two types of cyberthreats: hurricanes and earthquakes. Hurricanes are those attacks you can see coming; earthquakes, you can't. Both are inevitable, and you need to plan and take action accordingly. This starts with an understanding of what threat intelligence is and how to make it relevant and actionable. Threat intelligence can help you transition from constantly reacting to being proactive. It allows you to prepare for the hurricanes and respond to the earthquakes with an efficient, integrated approach.

Eliminate Noise

Mention threat intelligence and most organizations think about multiple data feeds to which they subscribe — commercial sources, open source, and additional feeds from security vendors — each in a different format and most without any context to allow for prioritization. This global threat data gives some insight into activities happening outside of your enterprise — not only attacks themselves, but how attackers are operating and infiltrating networks. The challenge is that most organizations suffer from data overload. Without the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysts and action, this threat data becomes noise: you have alerts around attacks that aren't contextualized, relevant, or a priority. To make more effective use of this data, it must be aggregated in one manageable location and translated into a uniform format so that you can automatically get rid of the noise and focus on what's important.

Focus on Threats

With global threat data organized, you can focus on the hurricanes and earthquakes that threaten your organization. Hurricanes are the threats you know about, can prepare for, protect against, and anticipate based on past trends. For example, based on research, say that we know a file is malware.
This intelligence should be operationalized — turned into a policy, a rule, or signature and sent to the appropriate sensor — so that it can prevent bad actors from stealing valuable data, creating a disruption, or causing damage. As security operations become more mature, you can start to get alerts on these known threats in addition to automatically blocking them so you can learn more about the adversary. This allows you to focus on the attacks that really matter. Earthquakes are unknown threats, or threats that you may not have adequate countermeasures against, that have bypassed existing defenses. Once they're inside the network, your job is to detect, respond, and recover. This hinges on the ability to turn global threat data into threat intelligence by enriching that data with internal threat and event data and allowing analysts to collaborate for better decision making. Threat intelligence helps you better scope the campaign once the threat is detected, learn more about the adversary, and understand affected systems and how to best remediate. By correlating events and associated indicators from inside your environment (e.g., SIEM alerts or case management records) with external data on indicators, adversaries, and their methods, you gain the context to understand the who, what, when, where, why, and how of an attack. Going a step further, applying context to your business processes and assets helps you assess relevance. Is anything the organization cares about at risk? If the answer is "no," then what you suspected to be a threat is low priority. If the answer is "yes," then it's a threat. Either way, you have the intelligence you need to quickly take action.

Make Intelligence Actionable

Intelligence has three attributes that help define "actionable."

Accuracy: Is the intelligence reliable and detailed?
Relevance: Does the intelligence apply to your business or industry?
Timeliness: Is the intelligence being received with enough time to do something?
An old industry joke is that you can only have two of the three, so you need to determine what's most important to your business. If you need intelligence as fast as possible to deploy to your sensors, then accuracy may suffer and you might expect some false positives. If the intelligence is accurate and timely, then you may not have been able to conduct thorough analysis to determine if the intelligence is relevant to your business. This could result in expending resources on something that doesn't present a lot of risk. Ultimately, the goal is to make threat intelligence actionable. But actionable is defined by the user. The security operations center typically looks for IP addresses, domain names, and other indicators of compromise — anything that will help to detect and contain a threat and prevent it in the future. For the network team, it's about hardening defenses with information on vulnerabilities, signatures, and rules to update firewalls, and patch and vulnerability management systems. The incident response team needs intelligence about the adversary and the campaigns involved so they can investigate and remediate. And the executive team and board need intelligence about threats in business terms — the financial and operational impact — in order to increase revenue and protect shareholders and the company as a whole. Analysts must work together and across the organization to provide the right intelligence in the right format and with the right frequency so that it can be used by multiple teams. Operationalizing threat intelligence takes time and a plan. Many organizations are already moving from a reactive mode to being more proactive. But to make time to look out at the horizon and see and prepare for hurricanes while also dealing with earthquakes, organizations need to move to an anticipatory model with contextual intelligence, relevance, and visibility into trends in the threat landscape. 
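As an added illustration of the workflow the article describes (aggregate feeds that arrive in different formats into one normalized indicator set, correlate that set with internal SIEM events and asset context, then rank hits by accuracy, relevance and timeliness), here is a small Python example. It is not code from the article or from ThreatQuotient; the three feed formats, the indicators (documentation-range addresses), the SIEM events, the asset criticality values and the scoring weights are all constructed for the example.

```python
"""Added example: aggregate three differently formatted threat feeds into one
normalized indicator set, correlate it with internal SIEM events and asset
context, and rank the hits by accuracy, relevance and timeliness.
All feeds, indicators, events, assets and weights are constructed sample data."""
import csv
import io
import json
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 12, 12, 12, 0, tzinfo=timezone.utc)  # fixed clock so scores are reproducible

# Constructed sample feeds, each in a different format (documentation-range addresses, not real IoCs).
FEED_CSV = """indicator,type,first_seen,confidence
203.0.113.10,ip,2016-12-10T08:00:00Z,90
bad.example,domain,2016-11-01T00:00:00Z,60
"""
FEED_STIX_LIKE = json.dumps({"objects": [
    {"pattern": "[ipv4-addr:value = '203.0.113.10']", "created": "2016-12-11T09:30:00Z"},
    {"pattern": "[domain-name:value = 'evil.example']", "created": "2016-12-11T10:00:00Z"},
]})
FEED_PLAIN = "# vendor blocklist, one indicator per line\n198.51.100.7\n203.0.113.10\n"

# Constructed internal context: SIEM alerts and an asset criticality inventory (0..1).
SIEM_EVENTS = [
    {"ts": "2016-12-12T10:05:00Z", "asset": "payroll-db", "dst_ip": "203.0.113.10"},
    {"ts": "2016-12-12T10:06:00Z", "asset": "guest-wifi", "dst_ip": "192.0.2.44"},
    {"ts": "2016-12-12T10:07:00Z", "asset": "lobby-kiosk", "dst_domain": "evil.example"},
]
ASSET_CRITICALITY = {"payroll-db": 1.0, "guest-wifi": 0.2, "lobby-kiosk": 0.2}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield {"value": row["indicator"], "type": row["type"], "source": source,
               "first_seen": parse_ts(row["first_seen"]), "confidence": int(row["confidence"])}


def parse_stix_like_feed(text, source):
    kinds = {"ipv4-addr": "ip", "domain-name": "domain"}
    for obj in json.loads(text)["objects"]:
        m = STIX_PATTERN.search(obj["pattern"])
        if m:  # this feed carries no confidence field; 70 is an assumed default
            yield {"value": m.group(2), "type": kinds[m.group(1)], "source": source,
                   "first_seen": parse_ts(obj["created"]), "confidence": 70}


def parse_plain_feed(text, source):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:  # a bare list has no timestamp or confidence; mark them unknown/low
            yield {"value": line, "type": "ip" if IPV4.match(line) else "domain",
                   "source": source, "first_seen": None, "confidence": 50}


def normalize_feeds(*feeds):
    """Collapse all records into one dict keyed by (type, value): duplicates across feeds
    merge, keeping the earliest first_seen, the highest confidence and every source name."""
    merged = {}
    for rec in (r for feed in feeds for r in feed):
        key = (rec["type"], rec["value"].lower())
        cur = merged.setdefault(key, {"type": rec["type"], "value": key[1], "first_seen": None,
                                       "confidence": 0, "sources": set()})
        cur["confidence"] = max(cur["confidence"], rec["confidence"])
        cur["sources"].add(rec["source"])
        if rec["first_seen"] and (cur["first_seen"] is None or rec["first_seen"] < cur["first_seen"]):
            cur["first_seen"] = rec["first_seen"]
    return merged


def score(ind, asset, now=NOW):
    """Accuracy x relevance x timeliness, each in 0..1 (the weights are illustrative)."""
    accuracy = min(1.0, ind["confidence"] / 100 + 0.1 * (len(ind["sources"]) - 1))
    relevance = ASSET_CRITICALITY.get(asset, 0.5)  # unknown asset: medium relevance
    if ind["first_seen"] is None:
        timeliness = 0.5
    else:
        age = now - ind["first_seen"]
        timeliness = 1.0 if age <= timedelta(days=7) else 0.7 if age <= timedelta(days=30) else 0.4
    return round(accuracy * relevance * timeliness, 3)


def correlate(indicators, events):
    """Match internal events against the normalized set; return hits sorted by priority."""
    hits = []
    for ev in events:
        for field, kind in (("dst_ip", "ip"), ("dst_domain", "domain")):
            val = ev.get(field)
            ind = indicators.get((kind, val.lower())) if val else None
            if ind:
                hits.append({"indicator": ind["value"], "asset": ev["asset"], "event_ts": ev["ts"],
                             "sources": sorted(ind["sources"]), "priority": score(ind, ev["asset"])})
    return sorted(hits, key=lambda h: h["priority"], reverse=True)


def build_indicator_set():
    return normalize_feeds(parse_csv_feed(FEED_CSV, "csv"),
                           parse_stix_like_feed(FEED_STIX_LIKE, "stix"),
                           parse_plain_feed(FEED_PLAIN, "plain"))


if __name__ == "__main__":
    for hit in correlate(build_indicator_set(), SIEM_EVENTS):
        print(f"{hit['priority']:.2f}  {hit['indicator']:<16} {hit['asset']:<12} sources={hit['sources']}")
```

The same address appearing in all three feeds collapses to one indicator with three sources, which raises its accuracy score; the hit on the payroll database outranks the hit on the kiosk purely because of the asset context, which is the relevance question the article asks ("is anything the organization cares about at risk?").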
As Senior VP of Strategy of ThreatQuotient, Jonathan Couch utilizes his 20+ years of experience in information security, information warfare, and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in ...

5 Things Security Pros Need To Know About Machine Learning

Experts share best practices for data integrity, pattern recognition and computing power to help enterprises get the most out of machine learning-based technology for cybersecurity. The concept of machine learning has been around for decades. Machine Learning (ML) is a type of artificial intelligence (AI) that provides computers with the ability to learn without being explicitly programmed. Industries and government agencies working with large amounts of data are using machine learning technology to glean insights from this data in real time.

Financial institutions use the technology to identify investment opportunities and fraud. Utility companies use the technology to analyze sensor data to increase efficiency and save money. Healthcare practitioners are using the technology to identify trends that could improve diagnoses and patient treatment. And, cybersecurity experts, inundated by reams of data generated by multiple information technology systems, security tools, networks, and other devices are deploying machine learning technology to detect and thwart internal and external cyber-attacks and threats. “Machine learning helps humans be more efficient by [aggregating and analyzing] vast amounts of data.
It’s not just the volume, but also the scope of data; more data at the same time and more facets of data at the same time,” says Sven Krasser, chief scientist at Crowdstrike, a developer of machine learning-based endpoint security tools. “One of the big game changers is the emergence of cloud computing,” he says. “By using cloud-based infrastructures, security experts can aggregate more data from vast amounts of resources than ever before.” Traditional techniques where analysts sift through data in some manual fashion to generate rule sets don’t work well in today’s dynamically changing threat environment, Krasser says. Systems, sensors, and other networked devices are generating so much data that it is increasingly difficult for human analysts to find those tidbits – the abnormalities and/or patterns – that might give them the insights needed to identify an attack or potential threat, says Matt Wolff, chief data scientist with Cylance, a developer of endpoint security tools based on machine learning technology. “So, machine learning is an excellent tool and the right approach to take when you have a data intensive problem that you want to solve,” Wolff says. Industry executives and government agency officials are looking for ways to combat sophisticated attacks and relentless cyber adversaries while coping with a shortage of talented information security professionals. Machine learning-based security tools are yet another technology that they can add to their cyber arsenal. DarkReading spoke with cybersecurity experts from CrowdStrike, Cylance, Darktrace, and IDC security researcher Peter Lindstrom to get a better sense of what organizations need to know about applying machine learning-based technology for cybersecurity in their organizations. Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.

Senate Votes To Upgrade Cyber Command Into War-Fighting Unit

NDAA legislation awaits Obama's signature; Admiral Mike Rogers will still head both Cyber Command and NSA, at least for now. The US Senate voted last week to separate Cyber Command from NSA and make it an independent combatant unit, The Hill reports.

The legislation - the National Defense Authorization Act (NDAA) - now moves on to President Barack Obama for approval. It is unclear whether Obama will sign the NDAA because of White House concerns over the Guantanamo Bay prisoners transfer, which is part of the legislation. Obama wants to close the prison. If signed into law, the NDAA will keep a more controversial element of Cyber Command’s structure, at least for now: Admiral Mike Rogers will maintain his dual role as the director of both the NSA and Cyber Command.

The arrangement is not looked upon favorably by many who want the post split before Obama leaves office. Adm. Rogers says it is not yet time for Cyber Command to move out from under NSA. Speaking in favor of the law was Virginia Senator Mark Warner, who said Congress "should give our military the tools they need to do battle in the 21st century, whether it takes place on the field or in cyberspace, and elevating CYBERCOM will improve mission outcomes and make us more agile in defending against 21st century threats.” Read full story on The Hill. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

Pay Ransom Or Infect Others!

Still under development, new ransomware will ask victims to free their files by paying 1 bitcoin or by infecting two others. The ransomware world appears all set to get even more malicious: a new, still-in-development malware has been discovered on the Dark Web which, when completed, will have a “novel and nasty twist” to it, reports Threatpost.

Dubbed Popcorn Time, the ransomware will give its victims an option – pay 1 bitcoin to get your decryption key or infect two other people to get your decryption key.

The ransom deadline will be one week. The malware is reportedly being developed to target 500 file types and will employ AES-256 encryption to lock files, giving them a .filock extension, Threatpost says.

“I have never seen anything like this in ransomware. This is definitely a first,” says Lawrence Abrams of “There is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key four times, the ransomware will start deleting files,” he adds. Developers of Popcorn Time claim to be students from Syria who say the money received will be used to provide relief to people of the war-ravaged country. Read details here.


From Carna To Mirai: Recovering From A Lost Opportunity

We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes? Those not immersed in security and technology are mostly oblivious to one fact: the Internet is a fragile ecosystem.

There are many parallels between the Internet and the ecosystems that span our globe.

Each has vital resources that need to be protected and utilized for the greater good. When there is an imbalance in an ecosystem, bad things happen. We saw this twice recently with the Mirai botnet, which co-opted a cadre of devices in the Internet of Things and forced them to issue denial-of-service (DoS) attacks that crippled many sites and services.

But we knew this was coming and did virtually nothing to stop it, just like many real-world ecosystem disasters. Let's look at where we were four years ago, how far we've progressed, and what we could do to stave off an Internet ecosystem disaster.

Back to the Future: The Carna Botnet

The Internet and media were abuzz four years ago when individuals claiming to be researchers — they remain anonymous to this day — released reports from what was described as the most comprehensive scan of the Internet to date.

This became known as the 2012 Internet Census, and it provided insight into what was running on the Internet back then.

These anonymous researchers hijacked home routers using weak, default credentials and installed software on those devices that let them control the execution of Internet service scans. While they claim to have done this solely to study the Internet, it is not known if they only performed harmless actions or used the devices in more malicious ways.

Reliving the Past until We Get It Right

Let the previous section sink in for a minute: we knew this was possible four years ago and as each year passed we knew there would be more "things" connected to the Internet, and yet we did nothing to prevent these "things" from being deployed insecurely. We're now at a point in time when it's easy to quickly scan the entire Internet and — if you're performing scans from hacked machines — at virtually no expense or risk. When these devices are taken over and used maliciously because of vulnerabilities or weak default configurations, there are no consequences for manufacturers of IoT devices, owners of IoT devices, or network providers where these IoT devices originate communications. Again, we're reliving the pain of decades of PC bots and viruses in the era of IoT with some key differences when it comes to things such as vulnerabilities, rampant adoption, usability, and exposure.

There is another problem that comes with millions of IoT bots joining together in massive attacks: we're virtually defenseless, primarily because of how the Internet has been architected. The distributed DoS mitigation company protecting Brian Krebs had to abandon him as a customer because it couldn't absorb the attack on his site in September.

Even if there were a handful of providers that could absorb such attacks, most people and organizations couldn't afford to use them, leaving everyone else at the mercy of the attackers.

This is what's at risk if we retain the status quo.

A Secure Path Forward

If we do nothing, the attacks we saw this fall will not only be repeated, they will grow larger, have longer impact, and potentially have more sinister outcomes. What can be done? For starters, more IoT vendors should follow Hangzhou Xiongmai's lead and recall products that have unfixable or easily exploitable default configurations.

Although this step would be the responsible thing to do, it might not have the impact you'd expect.

There's no surefire way to notify all individuals with problem equipment, and it only takes a scarily small number of vulnerable systems to cause widespread damage. Another option is for each of us, in every country, to work with lawmaking bodies and get sane standards and regulations put forth for IoT devices.

This won't affect the vast number of devices that are already out there, but most of us will throw these things away as we upgrade devices to take advantage of new features (or, they'll just break down, as many aren't made to last).

This approach can be time-consuming, and it may take five years to have strong, enforceable standards in place. A third option is for Apple, Amazon, and Google to co-develop requirements for when manufacturers want to integrate their IoT devices with the ecosystems of those three companies.

These three are fast becoming the gatekeepers of IoT, and if they set the bar high enough it would have an immediate downstream effect. My guess is that we'd see more secure versions of products within one product release cycle and discounts for upgrade/trade-in offers. A fourth option: a "cash for clunkers"-like program.

Given the potential impact of these insecure "things," governments around the world — in partnership with nonprofit foundations — could band together and offer cash incentives for bringing in derelict devices.

Coordination at this scale would be difficult, but it would be a boost to security and the global economy. The Internet of Things has the potential to dramatically change our lives for the better and for the worse. We must all work to understand the current, tenuous state our fragile Internet ecosystem is in, then work together to ensure it will be there when we expect it to be. Bob Rudis, Chief Data Scientist, Rapid7. Bob Rudis has over 20 years of experience using data to help defend global Fortune 100 companies and is a chief security data scientist at Rapid7.

Bob is a serial tweeter (@hrbrmstr), avid blogger (, author (Data-Driven Security), ...

Kaspersky Lab: 323,000 New Malware Samples Found Each Day

Credit it to mass-produced malware and better detection through machine learning. Antivirus provider Kaspersky Lab has revealed that around 323,000 new malware files are being identified each day by its product as opposed to 70,000 files per day in 2011.

This, it claims, is an increase of 13,000 per day compared to last year. The jump is attributed partly to cybercriminals having become more sophisticated and offering “mass production of malware and tailored cybercriminal services.” Another reason, says Kaspersky, is the improvement in the quality and technique of automated malware analysis technologies, which successfully detect all malware types, both existing and unknown. Kaspersky claims to have a billion malicious files in its cloud database now.
It gives credit for this to its machine-learning based malware analysis system Astraea which, it says, has been increasingly active in detecting malware – from 7.5% in 2012 to 40.5% in December 2016. Click here to read more threat statistics.


US Presidential Commission Outlines Key Cybersecurity Actions For Future Administrations

Report outlines ways to lock down critical infrastructure as well as IoT - and the urgent need to expand the security workforce by 2020 with 100,000 new jobs. As part of a broader effort to strengthen national security and inform future administrations, the US Commission on Enhancing National Cybersecurity last week issued recommendations that encompass critical infrastructure and convergence driven by the Internet of Things, workforce development, public-private partnership, and information sharing. President Obama established the Commission in February of this year to improve cybersecurity across the country. Twelve commissioners representing industry, academia, and former government officials were appointed to develop recommendations. The 100-page "Securing and Growing the Digital Economy" report by the commission, which contains short- and long-term guidance for improving cybersecurity across the public and private sectors, comes at a time when cyber threats are constant and becoming more dangerous. "It's bad and getting worse," says Gus Hunt, former CTO of the CIA and current cybersecurity lead at Accenture Federal Services, of the current state of cybersecurity. "If you think about the threat level that has begun to emerge, things are not looking up." The Commission's recommendations are outlined in six key areas:

Security of the information infrastructure and digital networks
Acceleration and investment in security and growth of digital networks and digital economy
Preparing consumers for the digital age
Building cybersecurity workforce capabilities
Equipping government to effectively and securely function in the digital age
An open, fair, competitive, and secure global digital economy

Peter Lee, a member of the Commission and CVP at Microsoft Research, explained how the Commission came up with its recommendations.
"Soon after we got started in March, we held a series of public meetings where we took in quite a lot of input from stakeholders in different parts of the cybersecurity landscape," he says. "I came with a perspective on the tech industry, where technology might be going, and what the interests would be between Silicon Valley and the US government, as well as how that partnership might be harnessed to make improvements," Lee says. "I also have the responsibility of managing a large part of Microsoft Research, and tend to have a more technical and future-oriented view," which helped inform his insight. The Internet of Things was a key concern, especially with respect to critical infrastructure (CI). Commissioners urged government to address the convergence of IoT and CI by establishing programs for government agencies and private organizations to evaluate potential cyberattacks and determine next steps. "These programs would move beyond tabletop exercises and seek to establish public-private joint collaboration by examining specific cyber protection and detection approaches and contingencies, testing them in a simulation environment, and developing joint plans for how the government and private sector would execute coordinated protection and detection activities, responding together, in alignment with the National Cyber Incident Response Plan," the report states. Over the next decade, the distinction between critical infrastructure and other products (cars, consumer goods) will continue to fade as devices become more connected, says Lee.   "As time goes on, the computing technology in your child's teddy bear is going to be every bit as meaningful to the nation's cybersecurity as the computer control for our national electric grid," he notes. Connected devices will evolve to the point where even simple consumer products could become a meaningful element of a botnet. 
The Commission recommended that the government set baseline standards for connected products and label them accordingly so consumers have a better idea of their security. This would help improve consumer education and awareness of cybersecurity, says Hunt. "Security has to be built in, easily engaged with, and when possible, completely transparent for the user because users don't understand [security]," he explains. "They make mistakes, and they make all of us vulnerable." Workforce development is another key issue, says Lee, and both government and industry experts interviewed by the Commission cited a lack of supply of cybersecurity practitioners. The report states the next president should initiate a program to train 100,000 new cybersecurity practitioners by 2020. This program would develop security talent through local and regional partnerships among employers, educational institutions, and community organizations, according to the report. The government and private sector should also collaborate to sponsor a network of security bootcamps, with the idea of building critical skills in a shorter timeframe. National cybersecurity should be viewed as a shared responsibility, both experts agree. Education should start as early as K-12 levels so children learn basic security practices at a young age. Identity management is important to address because a large number of security breaches begin with the theft of a user ID or password, Lee says. The Commission urged government to make authentication stronger and easier to use, something he says Microsoft has done to prevent intrusions caused by password theft. However, neither the government nor private sector can make the necessary improvements alone. For this reason, the Commission called for a more active collaboration and partnership between the public and private sectors. This relationship extends to information sharing, which can be powerful for mitigating risk, Lee notes.
Bad actors have an advantage because they embrace the latest technologies and receive direct rewards for new tools and exploits. Those trying to mitigate threats can do so by sharing information as threats emerge. "If we can create a situation where network operators are able to share data more safely and quickly, the damage caused by botnets can be dramatically reduced," for example, says Lee. A challenge for companies in sharing information is navigating legal liability risks, he notes. The report recommends government work with the private sector to identify changes in regulations or policies that would encourage companies to more freely share risk management practices. "Cyber, most interestingly, is the world's first frictionless weapon system," says Accenture's Hunt. "We're at a juncture where we have to go at this in a new way, with focus and vigor and hopefully, bring together the government, state, and private sector," Hunt says. Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ...

Adobe Flash Flaws Dominate Exploit Kits In 2016

The top 10 vulnerabilities this year were mostly Adobe Flash, followed by Internet Explorer, according to a Recorded Future study. Six of the top 10 vulnerabilities found in cyberattack exploit kits in 2016 were bugs in Adobe Flash Player – including one Flash flaw that was packaged with a whopping seven different exploit kits, new research found. Recorded Future studied the contents of 141 exploit kits from Nov. 16, 2015 to Nov. 15 of this year, and found that Flash for the second year running led as the application whose vulns were used most in exploit kits; Flash comprised 8 of the top 10 last year. "A large majority of exploit kits have Adobe Flash Player vulnerabilities, so at the end of the day, not a whole lot has changed" with Flash's prevalence in exploit kits since last year's study, says Scott Donnelly, director of technical solutions at Recorded Future. Interestingly, the Flash vulnerability found in the most exploit kits by Recorded Future's research, CVE-2015-7645 - which lives in seven exploit kits - was the first zero-day Flash flaw discovered in the wake of Adobe's efforts over the past year to better secure its software with code-structure updates and mitigation features.

Adobe worked with Google's Project Zero team to add attack mitigation features to Flash last year. Meanwhile, Microsoft Internet Explorer, Silverlight, and Windows vulnerabilities also made the top 10 list, with IE's CVE-2016-0189 as the number one flaw found in exploit kits overall. "CVE-2016-0189's impact is tied to the multiple versions of IE it affects as well as its link to three active exploit kits including Sundown and RIG, which have helped fill the void left by the Angler Exploit Kit," according to Recorded Future's report published today, "New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016." Recorded Future also found that the exploit kits that have stepped up to fill the gap of the now-defunct Angler exploit kit are Sundown, RIG, and Neutrino.

Flash-y

The Flash CVE-2015-7645 flaw affects Windows, Mac, and Linux operating systems, which Recorded Future said makes it especially attractive and "versatile" for attackers.

The flaw, which Trend Micro had dubbed a "method confusion" bug, was used by the Russian state hacking group known as Pawn Storm/APT 28/Fancy Bear.

The attack group sent spear phishing emails to foreign affairs ministers in various nations and rigged the URLs with exploits for the flaw, which allows an attacker to wrest control of the victim's machine. Its dominance among exploit kits came as a bit of a surprise to researchers since Adobe had been working on better securing its apps. "Theoretically, that was the more secure version" of Adobe software, Donnelly says. But the vuln is fairly simple to exploit, and isn't always patched, according to Recorded Future. "While the vulnerability was patched by Adobe fairly quickly, its ease of exploitation and the breadth of operating systems affected have kept it active. Unfortunately, slow enterprise patching and lack of knowledge by home users mean the vulnerability still manages to help kits infect machines," the report says. None of the vulnerabilities that made the top 10 in last year's report were found this year in exploit kits. "These were all new" vulnerabilities, Donnelly says. Another key finding of the report was that the new exploit kit on the block, Sundown, is making inroads.
Sundown, which reuses other kits' exploits, appears to be the handiwork of less sophisticated authors, experts say. "It's not like Angler and Neutrino, which were written from scratch by sharp guys," says CW Walker, a Recorded Future researcher. "It's gaining a lot of popularity, but it doesn't require the same support as Tier 1, AAA-level exploit kits in the past."

Checklist

Recorded Future says the best bet is to patch the vulns it cites in the report, as well as get rid of any of these affected apps that aren't needed by the business.

The security firm in its report also recommends:

Enable "click to play" for Flash
Take a look at running Google Chrome, which benefits from Google Project Zero's work and study of Flash flaws
Deploy browser ad-blockers to protect from malvertising attacks
Run regular backups, especially for shared files

Kelly Jackson Higgins is Executive Editor at
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Where Cybercriminals Go To Buy Your Stolen Data

What malicious sites provide both free and paid access to stolen credit cards, company databases, malware and more? With nothing more than a standard Web browser, cybercriminals can find personal, private information all over the public Internet.
It isn't just legitimate services - from genealogy sites to public records and social media - that can be mined and exploited for nefarious purposes. Openly malicious criminal activities are also happening on the public Internet.  True, much of the cybercrime underground consists of private and established communities that don't appear in a normal search engine and are not accessible by regular users without special authorization. However, according to the team at identity protection and fraud detection provider CSID, there are different levels of cybercriminal resources - and not all are so tightly protected.

The quality and quantity of the more easily accessible forums are still high, say the CSID team, and anyone can access content such as stolen credit cards, cyberattack tools, and even advanced malware, which can be leveraged with minimal technical know-how required.

Adam Tyler, chief innovation officer at CSID, describes how black-market organizations are becoming more like traditional online businesses we visit and buy from every day. "For example," he says, "many sites now have their own Facebook, Twitter and even YouTube pages to advise their member base on new attacks and tools that are available."

Data sold on criminal marketplaces "age quickly, meaning that once the information is stolen, it has to be used for fraudulent purposes quickly," says Christopher Doman, consulting analyst at Vectra Networks. "The more times the information is abused for fraud, the more the information will be devalued."

"Companies should have these marketplaces monitored, looking for trends in data breaches and attacks as well as to see if any of their data has been compromised," says Carefree Solutions's CEO Paul San Soucie. "One point that I'm not sure is evident is that there is more public and Dark Web research than any one IT person can handle. Researching and absorbing this information requires significant training and experience.

Even large US banks that have dedicated security staff are not able to do some of the research and analysis that specialized reconnaissance teams can perform." San Soucie nevertheless suggests treading carefully when doing this research. "While you can get to most of these sites using standard https, I still consider them dark and strongly recommend accessing them via a VPN as both criminal and government sources track access in some cases."

Read on for a collection of some of the popular sites where private data, credentials, and attack tools are up for sale, or even for free download.

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ...

Dark Web Vendor Gets 50 Months Jail For ID Theft

Minnesota resident Aaron Glende aka IcyEagle caught selling stolen bank details on AlphaBay market. A resident of Minnesota has been sentenced to 50 months in prison for identity theft and selling personal data of victims on the Dark Web cybercrime ...

Avalanche Botnet Comes Tumbling Down In Largest-Ever Sinkholing Operation

800,000 domains seized, sinkholed, or blocked, and five individuals arrested, in international effort to bring down botnet linked to 17 major malware families.

The Avalanche botnet - linked to many of the world's most troublesome ransomware, RATs, and banking Trojans - has been dealt a critical blow in what Europol called today the "largest-ever use of sinkholing to combat botnet infrastructures." Five individuals were arrested and 800,000 domains seized, sinkholed, or blocked in an international takedown operation that began Wednesday. Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets.
It was estimated to involve as many as 500,000 active infected devices worldwide on a daily basis.

From the Europol statement: What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique.

The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action. The double fast flux technique was what made Avalanche attractive as a communication provider for other botnets - including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, and URLzone - and also what made it effective for securing cybercriminal proceeds. According to Europol, Avalanche has cost the German banking industry EUR 6 million ($6.4 million USD) in online crime alone.
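As an added example that is not part of the Europol statement or the reporting above, the following Python heuristic shows what "double" fast flux looks like from a defender's passive-DNS vantage point: a domain is single-flux when its A records rotate through many short-lived addresses, and double-flux when its name-server records rotate the same way. The thresholds, domain names and addresses are constructed assumptions, not published values or real indicators.

```python
"""Heuristic fast-flux classifier over passive-DNS style observations.

Added illustration, not Europol's, Symantec's or BSI's tooling. Every
observation is constructed; names and IPs are placeholders, not indicators.
An observation is (owner_name, record_type, ipv4, ttl_seconds); NS names are
assumed to have been resolved to the IPs of the name servers.
"""
from collections import defaultdict

# Thresholds are assumptions for this example, not published values.
MAX_TTL_SECONDS = 300      # flux records carry very short TTLs
MIN_DISTINCT_IPS = 5       # many distinct IPs seen for one record set...
MIN_DISTINCT_PREFIXES = 3  # ...spread across unrelated /16 networks

def _is_fluxing(records):
    """True when one record set (all A or all NS) rotates like fast flux."""
    ips = {ip for _, _, ip, _ in records}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    max_ttl = max(ttl for _, _, _, ttl in records)
    return (max_ttl <= MAX_TTL_SECONDS and len(ips) >= MIN_DISTINCT_IPS
            and len(prefixes) >= MIN_DISTINCT_PREFIXES)

def classify(observations):
    """Return 'none', 'single' or 'double' for one domain's observations.

    Single flux: the A records rotate through many short-lived IPs.
    Double flux: the NS records rotate the same way, so even the name
    servers are moving targets, which is what made Avalanche resilient.
    """
    by_type = defaultdict(list)
    for obs in observations:
        by_type[obs[1]].append(obs)
    fluxing = {t for t in ("A", "NS") if by_type[t] and _is_fluxing(by_type[t])}
    if fluxing == {"A", "NS"}:
        return "double"
    return "single" if "A" in fluxing else "none"

def constructed_samples():
    """Constructed observations: a stable, a single-flux and a double-flux domain."""
    stable_ns = [("stable.example", "NS", "203.0.113.53", 86400)]
    return {
        "stable.example": [("stable.example", "A", "203.0.113.10", 86400)] + stable_ns,
        "single.example": [("single.example", "A", f"10.{i}.{i}.{i}", 60) for i in range(1, 8)]
                          + [("single.example", "NS", "203.0.113.53", 86400)],
        "double.example": [("double.example", "A", f"10.{i}.{i}.{i}", 60) for i in range(1, 8)]
                          + [("double.example", "NS", f"172.{16 + i}.0.{i}", 120) for i in range(6)],
    }
```

On real data the same logic is run per domain over a window of resolver logs; the only thing that changes is the source of the observation tuples.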

Europol estimates that Avalanche is responsible for monetary losses amounting to hundreds of millions of dollars worldwide, but states that accurate numbers are difficult to come by because there is such a wide variety of malware associated with the botnet. Avalanche hosted 17 of "the world's most pernicious types of malware," as described by the Department of Justice, the FBI, and the US Attorney of the Western District of Pennsylvania in a joint statement.

These malware families include Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and Nymaim.

A more complete list can be found in a technical alert released by US-CERT and the FBI today. Investigation into Avalanche dates back to 2012.
Symantec research into the Ransomlock ransomware and a German law enforcement probe into local Bebloh banking Trojan infections united when they discovered that the two types of malware were both targeting German speakers and sharing a command-and-control infrastructure. (Symantec described this in a blog today.) The investigation expanded as other malware were connected to the same infrastructure. The Lüneburg, Germany police force and the public prosecutor's office in Verden, Germany led the investigation, working closely with investigators and prosecutors from more than 40 countries, Europol, Eurojust, the FBI, and the DoJ.

The German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analyzed over 130 TB of captured data and identified the server structure of the botnet.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Mandia: Russian State Hackers Changed The Game

Founder of Mandiant and FireEye CEO says Russia doesn't appear to want to cover its tracks anymore.

WASHINGTON, DC – Russia's leak of emails it hacked from the Democratic National Committee and Clinton campaign chairman John Podesta during the US presidential campaign came as a shock to FireEye CEO Kevin Mandia. It takes a lot to surprise the seasoned Mandia, whose incident response firm Mandiant was acquired by FireEye nearly three years ago and who has been investigating and studying Russian nation-state breaches since the 1990s.
In an interview at FireEye's Cyber Defense Summit here today, Mandia said the recent Russian state-sponsored attacks and leaking of information were a game changer in cyber espionage tradecraft. "The doxing shocked me. I'm fascinated by it," he said.
It's part of a major shift in Russia's nation-state hacking machine, according to Mandia. Of the around two dozen breaches FireEye currently is investigating, Russian state hackers are behind many of them; in the "double digits," Mandia said.

Even more chilling than the relative volume of attacks, however, is how dramatically Russia has changed its cyber espionage modus operandi over the past two years. Mandia said the big shift began in the fall of 2014. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, the attackers would disappear as soon as they were found: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away." The Russian cyber espionage groups also began hacking universities, but not necessarily for the usual government research secrets they traditionally had been hunting. "They were [now] stealing [from] professors who had published … anti-Russian, anti-Putin sentiments. We'd seen the Chinese do that, but had never seen Russia doing that," Mandia said. "The scale and scope were starting to change.

Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns. "They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said.

That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable." There are no easy solutions for response to this new MO of Russia's hacking machine, either, he said. "They're damn good at hacking," Mandia said. The Obama administration's Executive Order signed in 2015 gives the US the power to freeze assets of attackers who disrupt US critical infrastructure, or steal trade secrets from US businesses or profit from theft of personal information. It's unclear for now whether President-Elect Donald Trump will preserve Obama's cybersecurity EOs and policies. Mandia said he doesn't expect them to be scrapped. "No one wants to be hacked. Whether you're a Democrat or a Republican, you don't want people stealing your email.
I can't imagine this is an issue that's divided" politically, he said. Trump's cybersecurity platform published during the campaign calls for developing "offensive" capabilities in cybersecurity. "Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately," according to his statement. Some security experts say it's unclear if that leaves the door open for private organizations to hack back. Mandia opposes businesses hacking back at their online adversaries: "It's very dangerous. You will not have the intended consequences if you have anyone in the private industry do anything on offense, unless they were deputized by the government," he said. Mandia is a fan of the oft-criticized pact by President Obama and Chinese president Xi Jinping not to conduct cyberspying attacks for economic gain.

The agreement specifically applies to the theft of trade secrets and stops short of banning traditional espionage via hacking.

Cyber espionage has been a notoriously prolific strategy for China, with the US among its top targets, although Chinese officials deny such hacking activity. While some security experts say the US-China agreement has not slowed China's hacking for IP theft, Mandia said his firm saw a dramatic decrease in the wake of the pact.

FireEye saw the number of such attacks drop from 80 to four within one month after the pact. "Whoever runs China's cyber espionage: they have disciplined troops. They stick to the rules of engagement," Mandia said. He said he can't see how the Trump administration would scrap the pact with China. "It has had impact in such an incisive way, I don't know why they would change it."

The New 'Wave'

Mandia said cyber espionage and cyber attacks have now entered a new, less predictable phase. "More emboldened nations are doing more emboldened things" hacking-wise, such as Iran, he said. "Every day, Iran is hacking and there are no repercussions.

They are getting operational experience and getting better at it," he said. Grady Summers, CTO of FireEye, said his firm is seeing more coordination and destruction in all types of cyberattacks.

They're seeing ransomware attacks move from targeting a machine or two to thousands of machines. "They're establishing a foothold, going lateral and going destructive and encrypting en masse," Summers said.

That allows attackers to encrypt thousands of machines, and do more damage and gain more leverage.

Kelly Jackson Higgins is Executive Editor at