Threats

Threat Attribution: Misunderstood & Abused

Despite its many pitfalls, threat attribution remains an important part of any incident response plan. Here's why.

Threat attribution is the process of identifying the actors behind an attack, their sponsors, and their motivations. It typically involves forensic analysis to find evidence, also known as indicators of compromise (IOCs), and derive intelligence from them. Obviously, a lack of evidence, or too little of it, will make attribution much more difficult, even speculative.

But the opposite is just as true, and one should not assume that an abundance of IOCs will translate into an easy path to attribution. Let’s take a simple fictional example to illustrate: François is the chief information security officer (CISO) at a large US electric company that has just suffered a breach.

François’ IT department has found a malicious rootkit on a server which, after careful examination, shows that it was compiled on a system that supported pinyin characters. In addition, the intrusion detection system (IDS) logs show that the attacker may have been using an IP address located in China to exfiltrate data.

The egress communications show connections to a server in Hong Kong that took place over a weekend with several archives containing blueprints for a new billion-dollar project getting leaked. The logical conclusion might be that François’ company was compromised by Chinese hackers stealing industrial secrets.

After all, strong evidence points in that direction and the motives make perfect sense, given many documented precedents. This is one of the issues with attribution in that evidence can be crafted in such a way that it points to a likely attacker, in order to hide the real perpetrator’s identity.

To continue with our example, the attacker was in fact another US company and direct competitor.

The rootkit was bought on an underground forum, and the server used to exfiltrate data was vulnerable to SQL injection and had been taken over by the actual threat actor as a relay point. Another common problem leading to erroneous attribution is when the wrong IOCs have been collected, or when they come with little context. How can leaders make a sound decision with flawed or limited information? Failing to properly attribute a threat to the right adversary can have moderate to more serious consequences.

Chasing down the wrong perpetrator can result in wasted resources, not to mention being blinded to the more pressing danger. But threat attribution is also a geopolitical tool where flawed IOCs can come in handy to make assumptions and have an acceptable motive to apply economic sanctions.

Alternatively, it can also be convenient to refute strong IOCs and a clear threat actor under the pretext that attribution is a useless exercise. Despite its numerous pitfalls, threat attribution remains an important part of any incident response plan.

The famous “know your enemy” quote from the ancient Chinese general Sun Tzu is often cited when it comes to computer security to illustrate that defending against the unknown can be challenging.
IOCs can help us bridge that gap by telling us whether attackers are simply opportunistic or are the ones you did not expect.

10 Sea-Changing IT Security Trends Of The Last 10 Years

A look at ten of the megatrends that have shaped IT security -- and in some cases, enterprise business -- over the last decade. When it comes to IT security, the old saw says, the only constant is change.

As Dark Reading looks back over the ten years since its launch in 2006, that maxim seems more accurate than ever. Like generals fighting a losing battle, security thought leaders and professionals have been forced to change strategies many times over the last decade, often in response to technological and strategic advancements developed by the attackers. While IT itself has evolved quickly, the pace of new security threats has continued to move at even faster speeds, often leaving defenders in firefights that change almost daily.

And defense strategies that were once fundamental to the security industry are now being constantly challenged – if not outright rejected – by the thinkers who once promoted them. In this feature, we take a look at some of the fundamental sea changes that have occurred over the last 10 years. Perhaps a look at where we’ve been will give us a hint at where we’re going – or at least prepare us for more change in the future.

From Sentries To Detectives

Ten years ago, IT security professionals were often seen as the guards at the gate – the people who were responsible for protecting corporate data and preventing cyber criminals from gaining access to enterprise systems.

There was a perception of a defensible "perimeter” for each organization, and a relatively stable set of end user technologies to secure. Today, the majority of security technologies and strategies assume that the enterprise has already been compromised.

There is a heavy emphasis on the use of data forensics to ferret out sophisticated exploits hiding in the infrastructure, as well as incident response tools to detect and remediate compromises as soon as possible.

Enterprises’ broader shift to technologies that are outside the IT department’s span of control – including cloud services and user-owned mobile devices – has virtually shattered the perimeter defense concept and forced the security team to spend most of its time searching for threats that have already penetrated the organizational walls.

The Shrinking Skills Pool

In 2006, a significant portion of the security team could be described as system administrators who spent much of their time onboarding new users, maintaining simple access controls, and administering passwords. While there were plenty of security thinkers and strategy architects, the demands on the average security pro were mostly around policy management and internal system defense – and while hiring was not easy, it was often possible to bring in an entry-level system administrator and teach them what they needed to know about more sophisticated threats and defenses over time.

Over the past decade, however, the rapid evolution of online threats – and the negative publicity received by companies that were breached – has generated a nearly insatiable demand for more IT security talent. Not only does the industry need more bodies – some estimates say that as many as 1.5 million new security jobs will be created over the next five years – but the skills requirement has increased, as enterprises do less simple systems administration and more post-compromise analysis of incoming threats.
If current trends are any indication, IT security will continue to remain a negative-unemployment industry for many years to come, and the most skilled people will generate the greatest demand.

The Erosion Of Layered Security

For many of the last ten years, IT security lived and died by the philosophy of "layered security," which holds that an enterprise’s best defense is to challenge the attacker with an array of different defenses – firewalls, antivirus, intrusion detection/prevention, encryption, authentication, and many more – in an effort to discourage all but the most determined attackers.

This strategy, sometimes called "defense in depth," encouraged enterprises to purchase and implement a wide variety of security tools and practices, making it difficult for any single-vectored attack to get through. However, after ten years of buying and deploying new security technologies and breaking new IT security spending records year after year, most security experts are beginning to wonder if the layered security philosophy is the best approach.

The incidence and cost of data breaches continue to increase, and some business executives have begun to balk at the notion of continually increasing spending on technology and people without any guarantee of data security. Many enterprises and security experts are rethinking some of the basic precepts of IT security, though a clear new philosophy has yet to emerge.

Cybercrime Boom

In 2006, many security strategies were still predicated on the proliferation of viruses and worms such as Love and Code Red, which were designed to infect as many machines as possible and to gain notoriety for their creators.
In some quarters, there was still a perception of hackers as teenagers working late at night in their basements, seeking approval from others online. In fact, by 2006 the cybercrime market had already begun a massive shift toward an organized, underground economy that has continued to grow and flourish over the past decade. Malware developers create and sell their exploits in online forums -- and support their products with upgrades, patches, and even 24-hour customer service.

Criminals can rent botnets by the hour, or purchase long lists of valid credit cards at less than a dollar apiece. Recent estimates project that cybercrime costs will reach $2 trillion by 2019, and some law enforcement agencies say organized crime syndicates now make more money from cybercrime than from drugs or prostitution.

Clearly, cybercrime is more lucrative than ever – and that trend bodes poorly for tomorrow’s IT security defenders.

Security Goes Public

When Dark Reading was launched in 2006, it carried only a few stories about security breaches, partly because laws requiring companies to disclose such breaches were only just going into effect. With the passage of breach disclosure laws in California – and subsequently, 47 other states – the extent of the cybersecurity problem became increasingly evident.

The Identity Theft

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

US Warns of North Korea’s Not-So-Secret ‘Hidden Cobra’ DDoS Botnet

Reclusive government behind DDoS infrastructure is targeting organizations around the world, US-CERT says.

The Hunt for Lurk

In early June 2016, the Russian police arrested the alleged members of the criminal group known as Lurk.

The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks.

For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other.

This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks. When we first encountered Lurk, in 2011, it was a nameless Trojan.
It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers.

To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software, replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself. In 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011.
In most cases, the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash. Russia’s banking system, like those of many other countries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap. We participated in the investigation of several incidents involving the nameless malware, and sent samples to our malware analysts.

They created a signature to see if any other infections involving it had been registered, and discovered something very unusual: our internal malware naming system insisted that what we were looking at was a Trojan that could be used for many things (spamming, for example) but not for stealing money. In our experience, detection systems can sometimes mistake a program with a certain set of functions for something completely different.
In the case of this particular program the cause was slightly different: an investigation revealed that it had been detected by a “common” signature because it was doing nothing that could lead the system to include it in any specific group, for example, that of banking Trojans. Whatever the reason, the fact remained that the malicious program was used for the theft of money. So we decided to take a closer look at the malware.

The first attempts to understand how the program worked gave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the same way: it didn’t do anything.

This is how the program, and later the group behind it, got its name.

To “lurk” means to hide, generally with the intention of ambush. We were soon able to help investigate another incident involving Lurk.

This time we got a chance to explore the image of the attacked computer.

There, in addition to the familiar malicious program, we found a .dll file with which the main executable file could interact.

This was our first piece of evidence that Lurk had a modular structure. Later discoveries suggest that, in 2011, Lurk was still at an early stage of development.
It was formed of just two components, a number that would grow considerably over the coming years. The additional file we uncovered did little to clarify the nature of Lurk.
It was clear that it was a Trojan targeting RBS and that it was used in a relatively small number of incidents.
In 2011, attacks on such systems were starting to grow in popularity. Other, similar, programs were already known about, the earliest detected as far back as in 2006, with new malware appearing regularly since then.

These included ZeuS, SpyEye and Carberp, among others.
In this series, Lurk represented yet another dangerous piece of malware. It was extremely difficult to make Lurk work in a lab environment. New versions of the program appeared only rarely, so we had few opportunities to investigate new incidents involving Lurk.

A combination of these factors influenced our decision to postpone our active investigation into this program and turn our attention to more urgent tasks.

A change of leader

For about a year after we first met Lurk, we heard little about it.
It later turned out that the incidents involving this malicious program were buried in the huge amount of similar incidents involving other malware.
In May 2011, the source code of ZeuS had been published on the Web and this resulted in the emergence of many program modifications developed by small groups of cybercriminals. In addition to ZeuS, there were a number of other unique financial malware programs.
In Russia, there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS.

Carberp was the most active among them.

At the end of March 2012, the majority of its members were arrested by the police.

This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity, and was considered a “leader” among cybercriminals. However, by the time of the arrests, Carberp’s reputation as a major player was already waning.

There was a new challenger for the crown. A few weeks before the arrests, the sites of a number of major Russian media, such as the agency “RIA Novosti”, Gazeta.ru and others, had been subjected to a watering hole attack.

The unknown cybercriminals behind this attack distributed their malware by exploiting a vulnerability in the websites’ banner exchange system.

A visitor to the site would be redirected to a fraudulent page containing a Java exploit.
Successful exploitation of the vulnerability initiated the launch of a malicious program whose main function was collecting information on the attacked computer, sending it to a malicious server, and in some cases receiving and installing an extra load from the server.

The code on the main page of RIA.ru that is used to download additional content from AdFox.ru

From a technical perspective, the malicious program was unusual. Unlike most other malware, it left no traces on the hard drive of the attacked system and worked only in the RAM of the machine.

This approach is not often used in malware, primarily because the resulting infection is “short-lived”: the malware exists in the system only until the computer is restarted, at which point the process of infection needs to be started anew.

But, in the case of these attacks, the secret “bodiless” malicious program did not have to gain a foothold in the victim’s system.
Its primary job was to explore; its secondary role was to download and install additional malware.

Another fascinating detail was the fact that the malware was only downloaded in a small number of cases, when the victim computer turned out to be “interesting”.

Part of the Lurk code responsible for downloading additional modules

Analysis of the bodiless malicious program showed that it was “interested” in computers with remote banking software installed. More specifically, RBS software created by Russian developers. Much later we learned that this unnamed, bodiless module was a mini, one of the malicious programs which used Lurk.

But at the time we were not sure whether the Lurk we had known since 2011, and the Lurk discovered in 2012, were created by the same people. We had two hypotheses: either Lurk was a program written for sale, and both the 2011 and 2012 versions were the result of the activity of two different groups, which had each bought the program from the author; or the 2012 version was a modification of the previously known Trojan. The second hypothesis turned out to be correct.

Invisible war with banking software

A small digression. Remote banking systems consist of two main parts: the bank and the client.

The client part is a small program that allows the user (usually an accountant) to remotely manage their organization’s accounts.

There are only a few developers of such software in Russia, so any Russian organization that uses RBS relies on software developed by one of these companies.

For cybercriminal groups specializing in attacks on RBS, this limited range of options plays straight into their hands. In April 2013, a year after we found the “bodiless” Lurk module, the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software.

Almost all operated in a similar way: during the exploration stage they found out whether the attacked computer had the necessary banking software installed.
If it did, the malware downloaded additional modules, including ones allowing for the automatic creation of unauthorized payment orders, changing details in legal payment orders, etc.

This level of automation became possible because the cybercriminals had thoroughly studied how the banking software operated and “tailored” their malicious software modules to a specific banking solution. The people behind the creation and distribution of Lurk had done exactly the same: studying the client component of the banking software and modifying their malware accordingly.
In fact, they created an illegal add-on to the legal RBS product. Through the information exchanges used by people in the security industry, we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software.
Some of them were having to release weekly patches to customers.

These updates would fix the immediate security problems, but the mysterious hackers “on the other side” would quickly release a new version of malware that bypassed the upgraded protection created by the authors of the banking programs. It should be understood that this type of work – reverse-engineering a professional banking product – cannot easily be undertaken by an amateur hacker.
In addition, the task is tedious and time-consuming and not the kind to be performed with great enthusiasm.
It would need a team of specialists.

But who in their right mind would openly take up illegal work, and who might have the money to finance such activities? In trying to answer these questions, we eventually came to the conclusion that every version of Lurk probably had an organized group of cybersecurity specialists behind it. The relative lull of 2011-2012 was followed by a steady increase in notifications of Lurk-based incidents resulting in the theft of money.

Due to the fact that affected organizations turned to us for help, we were able to collect ever more information about the malware.

By the end of 2013, the information obtained from studying hard drive images of attacked computers as well as data available from public sources, enabled us to build a rough picture of a group of Internet users who appeared to be associated with Lurk. This was not an easy task.

The people behind Lurk were pretty good at anonymizing their activity on the network.

For example, they were actively using encryption in everyday communication, as well as false data for domain registration, services for anonymous registration, etc.
In other words, it was not as easy as simply looking someone up on “Vkontakte” or Facebook using the name from Whois, which can happen with other, less professional groups of cybercriminals, such as Koobface.

The Lurk gang did not make such blunders. Yet mistakes, seemingly insignificant and rare, still occurred.

And when they did, we caught them. Not wishing to give away free lessons in how to run a conspiracy, I will not provide examples of these mistakes, but their analysis allowed us to build a pretty clear picture of the key characteristics of the gang. We realized that we were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular” members had risen to 40).

This team provided the so-called “full cycle” of malware development, delivery and monetization – rather like a small, software development company.

At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it.

The malicious program had its own team of developers, responsible for developing new functions, searching for ways to “interact” with RBS systems, providing stable performance and fulfilling other tasks.

They were supported by a team of testers who checked the program performance in different environments.

The botnet also had its own team (administrators, operators, money flow manager, and other partners working with the bots via the administration panel) who ensured the operation of the command and control (C&C) servers and protected them from detection and interception. Developing and maintaining this class of malicious software requires professionals and the leaders of the group hunted for them on job search sites.

Examples of such vacancies are covered in my article about Russian financial cybercrime.

The description of the vacancy did not mention the illegality of the work on offer.

At the interview, the “employer” would question candidates about their moral principles: applicants were told what kind of work they would be expected to do, and why.

Those who agreed got in.

A fraudster has advertised a job vacancy for java / flash specialists on a popular Ukrainian website.

The job requirements include a good level of programming skills in Java, Flash, knowledge of JVM / AVM specifications, and others.

The organizer offers remote work and full employment with a salary of $2,500.
So, every morning, from Monday to Friday, people in different parts of Russia and Ukraine sat down in front of their computer and started to “work”.

The programmers “tuned” the functions of malware modifications, after which the testers carried out the necessary tests on the quality of the new product.

Then the team responsible for the botnet and for the operation of the malware modules and components uploaded the new version onto the command server, and the malicious software on botnet computers was automatically updated.

They also studied information sent from infected computers to find out whether they had access to RBS, how much money was deposited in clients’ accounts, etc. The money flow manager, responsible for transferring the stolen money into the accounts of money mules, would press the button on the botnet control panel and send hundreds of thousands of rubles to accounts that the “drop project” managers had prepared in advance.
In many cases they didn’t even need to press the button: the malicious program substituted the details of the payment order generated by the accountant, and the money went directly to the accounts of the cybercriminals and on to the bank cards of the money mules, who cashed it via ATMs, handed it over to the money mule manager who, in turn, delivered it to the head of the organization.

The head would then allocate the money according to the needs of the organization: paying a “salary” to the employees and a share to associates, funding the maintenance of the expensive network infrastructure, and of course, satisfying their own needs.

This cycle was repeated several times.

Each member of the typical criminal group has their own responsibilities.

These were the golden years for Lurk.

The shortcomings in RBS transaction protection meant that stealing money from a victim organization through an accountant’s infected machine did not require any special skills and could even be automated.

But all “good things” must come to an end.

The end of “auto money flow” and the beginning of hard times

The explosive growth of thefts committed by Lurk and other cybercriminal groups forced banks, their IT security teams and banking software developers to respond. First of all, the developers of RBS software blocked public access to their products.

Before the appearance of financial cybercriminal gangs, any user could download a demo version of the program from the manufacturer’s website.

Attackers used this to study the features of banking software in order to create ever more tailored malicious programs for it.

Finally, after many months of “invisible war” with cybercriminals, the majority of RBS software vendors succeeded in perfecting the security of their products. At the same time, the banks started to implement dedicated technologies to counter the so-called “auto money flow”, the procedure which allowed the attackers to use malware to modify the payment order and steal money automatically. By the end of 2013, we had thoroughly explored the activity of Lurk and collected considerable information about the malware.

At our farm of bots, we could finally launch a consistently functioning malicious script, which allowed us to learn about all the modifications cybercriminals had introduced into the latest versions of the program. Our team of analysts had also made progress: by the year’s end we had a clear insight into how the malware worked, what it comprised and what optional modules it had in its arsenal. Most of this information came from the analysis of incidents caused by Lurk-based attacks. We were simultaneously providing technical consultancy to the law enforcement agencies investigating the activities of this gang. It was clear that the cybercriminals were trying to counteract the changes introduced in banking and IT security.

For example, once the banking software vendors stopped providing demo versions of their programs for public access, the members of the criminal group established a shell company to receive directly any updated versions of the RBS software. Thefts declined as a result of improvements in the security of banking software, and the “auto money flow” became less effective.

As far as we can judge from the data we have, in 2014 the criminal group behind Lurk seriously reduced its activity and “lived from hand to mouth”, attacking anyone they could, including ordinary users.

Even if the attack could bring in no more than a few tens of thousands of rubles, they would still descend to it. In our opinion, this was caused by economic factors: by that time, the criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.

Attempts to come back

In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity.

This included developing, maintaining and renting the Angler exploit pack (also known as XXX).
Initially, this was used mainly to deliver Lurk to victims’ computers.

But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools. By the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status.

Even though many small and medium-sized groups were willing to “work” with them, they always preferred to work by themselves.
So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a “product” from the top underground authority did not need advertising.
In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations.
It didn’t take long for it to become one of the key tools on the criminal2criminal market. As for extending the field of activity, the Lurk gang decided to focus on the customers of major Russian banks and the banks themselves, whereas previously they had chosen smaller targets. In the second half of 2014, we spotted familiar pseudonyms of Internet users on underground forums inviting specialists to cooperate on document fraud.

Early the following year, several Russian cities were swamped with announcements about fraudsters who used fake letters of attorney to re-issue SIM cards without their owners being aware of it. The purpose of this activity was to gain access to one-time passwords sent by the bank to the user so that they could confirm their financial transaction in the online or remote banking system.

The attackers exploited the fact that, in remote areas, mobile operators did not always carefully check the authenticity of the documents submitted and released new SIM cards at the request of cybercriminals. Lurk would infect a computer, collect its owner’s personal data, generate a fake letter of attorney with the help of “partners” from forums and then request a new SIM card from the network operator. Once the cybercriminals received a new SIM card, they immediately withdrew all the money from the victim’s account and disappeared. Although initially this scheme yielded good returns, this didn’t last long, since by then many banks had already implemented protection mechanisms to track changes in the unique SIM card number.
In addition, the SIM card-based campaign forced some members of the group and their partners out into the open, and this helped law enforcement agencies to find and identify suspects. Alongside the attempts to “diversify” the business and find new cracks in the defenses of financial businesses, Lurk continued to regularly perform “minor thefts” using the proven method of auto money flow. However, the cybercriminals were already planning to earn their main money elsewhere.

New “specialists”

In February 2015, Kaspersky Lab’s Global Research and Analysis Team (GReAT) released its research into the Carbanak campaign targeting financial institutions.

Carbanak’s key feature, which distinguished it from “classical” financial cybercriminals, was the participation of professionals in the Carbanak team, providing deep knowledge of the target bank’s IT infrastructure, its daily routine and the employees who had access to the software used to conduct financial transactions.

Before any attack, Carbanak carefully studied the target, searched for weak points and then, at a certain moment in time, committed the theft in no more than a few hours.

As it turned out, Carbanak was not the only group applying this method of attack.
In 2015, the Lurk team hired similar experts.

Figure: How the Carbanak group operated

We realized this when we found incidents that resembled Carbanak in style, but did not use any of its tools.

This was Lurk.

The Lurk malware was used as a reliable “back door” to the infrastructure of the attacked organization rather than as a tool to steal money.

Although the functionality that had previously allowed for the near-automatic theft of millions no longer worked, in terms of its secrecy Lurk was still an extremely dangerous and professionally developed piece of malware. However, despite its attempts to develop new types of attacks, Lurk’s days were numbered.

Thefts continued until the spring of 2016.

But, either because of an unshakable confidence in their own impunity or because of apathy, day-by-day the cybercriminals were paying less attention to the anonymity of their actions.

They became especially careless when cashing money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money.

But none of that mattered any more as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.

No one on the Internet knows you are a cybercriminal?

My personal experience of the Lurk investigation made me think that the members of this group were convinced they would never be caught.

They had grounds to be that presumptuous: they were very thorough in concealing the traces of their illegal activity, and generally tried to plan the details of their actions with care. However, like all people, they made mistakes.

These errors accumulated over the years and eventually made it possible to put a stop to their activity.
In other words, although it is easier to hide evidence on the Internet, some traces cannot be hidden, and eventually a professional team of investigators will find a way to read and understand them. Lurk is neither the first nor the last example to prove this.

The infamous banking Trojan SpyEye was used to steal money between 2009 and 2011.
Its alleged creator was arrested in 2013 and convicted in 2014. The first attacks involving the banking Trojan Carberp began in 2010; the members of the group suspected of creating and distributing this Trojan were arrested in 2012 and convicted in 2014.

The list goes on. The history of these and other cybercriminal groups spans the time when everyone (and members of the groups in particular) believed that they were invulnerable and the police could do nothing.

The results have proved them wrong. Unfortunately, Lurk is not the last group of cybercriminals attacking companies for financial gain. We know about some other groups targeting organizations in Russia and abroad.

For these reasons, we recommend that all organizations do the following:

If your organization was attacked by hackers, immediately call the police and involve experts in digital forensics. The earlier you go to the police, the more evidence the forensic experts will be able to collect, and the more information the law enforcement officers will have to catch the criminals.

Apply strict IT security policies on terminals from which financial transactions are made and for employees working with them.

Teach all employees who have access to the corporate network the rules of safe online behavior.

Compliance with these rules will not completely eliminate the risk of financial attacks, but it will make it harder for fraudsters and significantly increase the probability of their making a mistake while trying to overcome these difficulties.

And this will help law enforcement agencies and IT security experts in their work.

P.S.: why does it take so long?

Law enforcement agencies and IT security experts are often accused of inactivity, allowing hackers to remain at large and evade punishment despite the enormous damage caused to the victims. The story of Lurk proves the opposite.
In addition, it gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects. Unfortunately, the rules of the “game” are not the same for all participants: the Lurk group used a professional approach to organizing a cybercriminal enterprise, but, for obvious reasons, did not find it necessary to abide by the law.

As we work with law enforcement, we must respect the law.

This can be a long process, primarily because of the large number of “paper” procedures and restrictions that the law imposes on the types of information we as a commercial organization can work with. Our cooperation with law enforcement in investigating the activity of this group can be described as a multi-stage data exchange. We provided the intermediate results of our work to the police officers; they studied them to understand if the results of our investigation matched the results of their research.

Then we got back our data “enriched” with the information from the law enforcement agencies. Of course, it was not all the information they could find; but it was the part which, by law, we had the right to work with.

This process was repeated many times until we finally got a complete picture of Lurk activity. However, that was not the end of the case. A large part of our work with law enforcement agencies was devoted to “translating” the information we could get from “technical” into “legal” language.

This ensured that the results of our investigation could be described in such a way that they were clear to the judge.

This is a complicated and laborious process, but it is the only way to bring to justice the perpetrators of cybercrimes.

China's Economic Cyber-Spying Drops Post Sept Talks: US Official

U.S. Assistant Attorney General John Carlin's statement finds support in a FireEye report of a 90% fall in China-based hacking.

Cyber-espionage activities coming out of China appear to have dropped after September talks in which the country said it would stop supporting the hacking of US trade secrets, Reuters reports, quoting US Assistant Attorney General John Carlin. This statement finds support in a recent report from security firm FireEye, which witnessed a dramatic 90% drop in breaches by China-based groups in the last two years. Speaking at the Center for Strategic and International Studies think tank in Washington, Carlin said last year’s talks with China and Group of 20 nations were vital to a uniform cyber law. However, he said it remained to be seen how long this reduction in hacking activities would last.

Carlin added that private sector and US intelligence officers were "better positioned to assess hacking trends."

Spam and phishing in Q1 2016

Spam: features of the quarter

Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million.

At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

Figure: Number of email antivirus detections on computers with a Kaspersky Lab product installed

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year. With the rise of drive-by downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also to launch it.
It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors).

This is something that built-in protection at the email client level does not provide yet.

Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive.

They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others).

Figure: Attachment containing a Trojan downloader written in Java

Also worth noting is the diversity of languages used in malicious spam. In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

Figure: Attachment containing the Trojan banker Gozi

Most emails imitated notifications of unpaid bills, or business correspondence.

Figure: The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic

Figure: Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor.

The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts.
In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique.
In addition, the emails had different content and were written in different languages.

This doesn’t come as much of a surprise, as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

Figure: Examples of emails with the Locky encryptor

The content of the emails was related to financial documents and prompted users to open the attachment. If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands.

This process was analyzed in more detail in our blog. As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet.

Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users. In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage.

They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate.

The email claimed the technology came from the US Department of Defense, was easy to use and widely available.

The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc. ‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories.

The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime.

Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money.

Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money. Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime.

This was an attempt to dispel any doubts about their honesty and persuade recipients to reply. The theme of terrorism came up again in tales related to the current situation in the Middle East.

For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any another terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds.

A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money. Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users. We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.

Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity.
In Q1 2016 we observed a significant increase in the volume of this type of mailing.
In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch.
Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from. Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited to busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains. In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal. Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed. First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link. Both the link which the user follows and the link to the uploaded image in the email are obfuscated.

In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links. Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”. In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.

Russian-language spam also used obfuscation and short URL services, but the algorithm was different. For example, to obfuscate links the @ symbol was used.

To recap, the @ symbol in a URL is intended for user authentication on the site (in practice it is no longer used). If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. It means that in the email above, the browser will first open the site ask.ru/go where it will execute the subquery ‘url =’ and then go to the URL specified, which belongs to a short URL service. The link in these emails was also obfuscated with the @ symbol. Noise was also added by additional subqueries including the user’s email address, which made it unique for each email in the mass mailing.

Statistics

Proportion of spam in email traffic

Figure: Percentage of spam in global email traffic, Q1 2016

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p.

By February, however, the amount of spam in email traffic had dropped to its previous level.
In March it grew again, though less dramatically.

As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country

Figure: Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%).

China rounded off the Top 5, accounting for 5.09% of global spam. Russia fell from last year’s second place to seventh (4.89%) in Q1 2016.
It followed closely behind France (4.90%), which was the sixth biggest source of spam.

Spam email size

Figure: Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small – up to 2 KB (79.05%).

The proportion of these emails grew by 2.7 p.p. from the previous quarter.

The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%.

The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications.
So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families

1. Trojan-Downloader.JS.Agent. A typical representative of this family is an obfuscated JavaScript. The malware in this family uses ADODB.Stream technology to download and run DLL, EXE and PDF files.

2. Trojan-Downloader.VBS.Agent. This is a family of VBS scripts. As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream technology; however, they mainly download ZIP files, from which they extract and run other malicious software.

3. Trojan-Downloader.MSWord.Agent. The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

4. Backdoor.Win32.Androm. This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.

5. Trojan.Win32.Bayrob. The malicious programs of this Trojan family can download additional modules from the command server and run them, as well as work as a proxy server. They are used to distribute spam and steal personal data.

6. Trojan-Downloader.JS.Cryptoload. A typical representative of this family is an obfuscated JavaScript. The malicious programs of this family download and run ransomware on the user’s computer.

7. Trojan-PSW.Win32.Fareit. This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers, and passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Fareit family are capable of downloading and running other malware.

8. Trojan.Win32.Agent. The malicious programs of this family destroy, block, modify or copy data, or disrupt the operation of computers or computer networks.

9. Trojan-Downloader.Win32.Upatre. The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads onto the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.

10. Trojan-Spy.HTML.Fraud. The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, software developer, etc. The user has to enter their personal data on this page, which is then forwarded to cybercriminals.

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.

Figure: Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top.

China (9.43%), which ended 2015 in 14th place, unexpectedly came second.

Brazil (7.35%) rounded off the Top 3. Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%. The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth.

Phishing

In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter.

The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.

Figure: Geography of phishing attacks*, Q1 2016
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:
1. Brazil 21.5%
2. China 16.7%
3. United Kingdom 14.6%
4. Japan 13.8%
5. India 13.1%
6. Australia 12.9%
7. Bangladesh 12.4%
8. Canada 12.4%
9. Ecuador 12.2%
10. Ireland 12.0%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component.
It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases.
It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity.

After the security system is activated, the user sees a banner in the browser warning about a potential threat.

Figure: Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter. Second and third places were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (8.40%) rounded off the Top 5, having lost 0.33 p.p. and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.

Figure: Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers.
In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%.

Behind it in second place was another popular online store, Amazon (21.6%).

Figure: Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3. It came 19th in the overall ranking of organizations affected by phishing attacks. Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email. Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies.

These companies have lots of customers around the world, which enhances the chances of a successful phishing attack. The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

Organization, % of detected phishing links:
1. Yahoo! 8.51
2. Microsoft 7.49
3. Facebook 5.71

In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.). Interestingly, phishing on Facebook is delivered in almost all languages. Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.

Conclusion

In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter.

But it is too early to speak about a growth trend.

The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period. The US remained the biggest source of spam in Q1 2016.

The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection. Spam messages are becoming shorter.
In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam. Q1 of 2016 saw the amount of spam containing malicious attachments increase dramatically.

The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average.

This rapid growth was caused specifically by the popularity of crypto-ransomware, which was either contained in emails or downloaded to computers via a Trojan downloader. This growth confirms our long-term forecasts on the gradual criminalization of spam, which makes it even more dangerous while also reducing its overall share of email traffic.

The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage.

The picture of malware distribution by email has changed significantly this year.
In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots. Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016. It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments.

Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.

Cosmetic Surgery Clinic’s Photos Released in Cyber Blackmail Attack

A Lithuanian cosmetic surgery clinic is breached, with attackers releasing more than 25,000 patient photos, some of them nude, following a blackmail scheme.

A Nation State-Looking Cyberattack that Wasn’t

Symantec researchers uncover a cybercrime campaign with all the hallmarks of a state-sponsored campaign that didn't even make much money for the attackers.

Clinton Campaign To Hold Cybersecurity-Themed Fundraiser In Vegas

Cybersecurity experts to head event during the ongoing Black Hat hacker conference this week. Plagued by cybersecurity problems throughout its presidential campaign, Democratic nominee Hillary Clinton’s campaign will now be hosting a cybersecurity-themed charity event in Las Vegas this week, during the ongoing Black Hat cybersecurity conference, reports FedScoop. Heading the fundraiser panel will be Black Hat founder Jeff Moss, Harvard University professor Michael Sulmeyer, who heads Clinton’s cyber policy working group, and Cambridge Global Advisors chief Jake Braun, also a strategic advisor to the Department of Homeland Security and the Pentagon on cybersecurity issues. Going by their experience in digital security, it is likely that Sulmeyer and Braun could find themselves with information protection responsibilities in the next administration, says FedScoop. The fundraiser comes close on the heels of a Clinton campaign breach in which the analytics data program it uses was compromised during the DNC hack.


NSA Director Not Opposed To Splitting Cyber Command From Agency

In the long run it may make sense to keep the nation's cyber offense mission separate from the NSA, Michael Rogers says. Admiral Michael Rogers, the director of the National Security Agency (NSA), this week said he is not opposed to the idea of separating US Cyber Command from the spy agency. Speaking at the John F. Kennedy Jr. Forum at Harvard University’s Institute of Politics, Rogers said any decision to separate the two organizations would have to be made by the President of the United States.

But he would support the idea so long as it did not introduce any new risks. “Look, in the long run I think it is the right thing to do,” Rogers said. “The only question in my mind is the timing. We have to do it in a way that minimizes risk to Cyber Command and NSA,” said Rogers, who as director of the NSA is also the head of Cyber Command.

US Cyber Command was established seven years ago to provide a range of mainly offensive cyber capabilities for the US Department of Defense. The organization is structured along the lines of a typical military organization. One of Cyber Command’s missions is to provide capabilities for defending weapons systems, platforms and data against cyber attacks. On the offensive side, it is tasked with providing US operational command and policy makers with what Rogers described as a range of “options” for taking cyber action against foreign adversaries. One of its other roles is to provide capabilities for protecting US critical infrastructure targets and commercial entities against cyber attacks, if directed to do so by the president.

For example, soon after the massive intrusion at Sony Corp. two years ago, the NSA was called in to assist the FBI, the DHS and other domestic law enforcement agencies in investigating the attack. Rogers’ comments come amid reports of the Pentagon and the intelligence community recommending that the President break up the joint leadership structure that exists today for the NSA and Cyber Command. Apparently, there is a growing feeling that the missions of the two organizations are different enough to merit a different organizational structure.

The argument is that Cyber Command, with its offensive mission, would do far better as an independent organization than as part of the NSA, whose mission is primarily a defensive one. Concerns over the dual-hatted role of the NSA director are not new, and neither is talk about the need to separate Cyber Command from the NSA. Many have previously noted that the NSA director’s obligations to the agency’s signals intelligence mission under Title 50 of the US Code are in direct conflict with his cyberspace obligations under Title 10 authority.

In addressing the issue at the Harvard forum this week, Rogers said Cyber Command was established within the NSA seven years ago because it made the most sense to do so at that time. The US had decided then that cyber was an operational domain in which new capabilities needed to be developed, Rogers said. “We stepped back and asked ourselves ‘how do we build on previous investment and previous expertise’,” in the cyber domain within the defense department. The NSA, with its cyber capabilities, was the obvious choice, he said. “While NSA is an intelligence organization, it is a combat support agency within the DoD” with extensive cyber capabilities, Rogers said.

The feeling at the time was that setting up Cyber Command within the agency would give the US a way to leverage that capability, he said.

“It is now seven years later and we are currently, as we often do, stepping back and asking ourselves does that structure still make sense?” Rogers said. “Has seven years of practical experience led us to believe that perhaps some of the assumptions we made are proving to be different than we thought.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.