How the Adoption of EDR Transforms a SOC's Effectiveness

Endpoint detection and response is taking the headache out of responding to threats by providing visibility where most organizations are blind. Endpoint detection and response (EDR) is much more than a next-generation endpoint capability; it is a driving force of evolutionary change within security operations centers (SOCs) today.

EDR provides visibility where most organizations are blind.
In our network-centric world, EDR provides a fast path to endpoint context, enabling rapid identification of false positives or of the origin of attacks. To illustrate this point, I created a litmus test to review common limitations in security information and event management (SIEM) and threat monitoring today.

Because most SIEMs have insufficient endpoint data, threat analysts struggle to answer even the most fundamental questions, such as: Is the attack targeting a critical, sensitive, or regulated asset? Does the identified exploit target the right operating system or application? Let alone the more complex questions, such as: What process opened the connection to the known malicious IP or URL? What occurred following the successful inbound attack?

Life without EDR

For organizations without EDR, researching and responding to threats is a maddening exercise. With limited access to endpoints or endpoint context, threat analysts -- particularly in large enterprises or managed security service providers (MSSPs) -- have few choices other than to open a ticket and delegate the research to others with access to the targeted machine. The stakeholder could be in another department or region.

For MSSPs, this is the heartbeat of communication between the SOC and customers under attack.

Some tickets are answered quickly, but the large majority take days or weeks. Some aren’t answered at all. In fact, because of the substantial delays incurred, special tools have been created to address the hold-up. One such tool is alert suppression: using it, mature SOCs can hide repetitive alerts while waiting for information requested from stakeholders. Another technique is to auto-notify and close tickets that receive no response. Last but not least, it’s often easier to simply re-image the machine than to investigate root cause. This is the average day-to-day of threat analysts in the SOC.

It’s not sexy, nor is it cost effective. Repeated tens (if not hundreds) of times on a daily or weekly basis, it drives up organizational costs to an unsupportable level. When I hear people say, “I can’t afford to build or staff a SOC,” it’s not surprising given the status quo. Manual and human-intensive tasks give security a bad name.

This is life without EDR.

Life with EDR

The introduction of EDR is a major evolution in SOC effectiveness.

Threat analysts no longer need to ask others to validate threats; the data is available for real-time query. With immediate access to the data, three incredible things happen. First, the SOC analyst can research and respond to alerts in rapid succession, dramatically increasing the volume of alerts they can work. Second, armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2. Third, by eliminating the high volume of tickets requesting context, MSSP customers or stakeholders in large enterprises are relieved of the deluge of inquiries.

Inevitably, a breach will occur. When it does, a best-in-class EDR product that includes continuous and centralized recording takes the guesswork out of incident response.

The attacker may have erased their tracks, but EDR recorded the attacker’s every move with an endpoint DVR, the cyber equivalent of a surveillance camera. With a complete historical recording of an attacker and their actions, incident responders don’t need to fly to the scene of the crime, scrape RAM, or image machines to look for clues.

The full recorded history of the attack enables on-the-spot incident response. EDR is much more than an endpoint security product; it’s causing an evolution in the people and processes utilized within security operations centers globally.

And for individual corporations or customers who rely on MSSPs to deliver skills and expertise, EDR is a fundamental technology that is not optional. It’s a foundational requirement of the next-generation security operations center and the primary reason we’ll collapse the average ~250-day gap between attack initiation and discovery.

John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...

Kaspersky DDoS Intelligence Report for Q2 2016

Q2 events

DDoS attacks had a significant impact on cryptocurrency wallet services. In the second quarter of 2016, two companies – CoinWallet and Coinkite – announced they were terminating their work due to lengthy DDoS attacks.

According to Coinkite’s official blog, the e-wallet service will be shut down, as well as its API.

The company admits that the decision was largely due to constant attacks and pressure from various governments that want to regulate cryptocurrency.

A piece of malware was detected that possesses worm functionality and builds a botnet of Linux-based routers (including Wi-Fi access points).
It spreads via Telnet.

An analysis of the worm’s code has shown that it can be used in various types of DDoS attacks.

Experts have registered a growing number of botnet C&C servers based on LizardStresser, a tool used to perform DDoS attacks.

The LizardStresser source code belongs to the hacker group Lizard Squad and was made publicly available at the end of 2015.

This is what led to the increase in the number of botnets using new versions of the tool.

Researchers discovered a botnet consisting of 25,000 devices, most of which are surveillance cameras.

According to the experts, 46% of the infected devices are H.264 DVR CCTV systems.

The other compromised devices were manufactured by ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.

A new botnet named Jaku, located mainly in Japan and South Korea, was detected. Researchers have stated that the botnet operators are focused on major targets: engineering companies, international organizations, and scientific institutions.

A new modification of the Cerber ransomware that uses an infected device to carry out DDoS attacks was discovered.

This cryptor Trojan sends UDP packets in which the sender address is replaced with the victim’s address.

A host that receives the packet sends a reply to the victim’s address.

This technique is used to organize a UDP flood, meaning that this Trojan, in addition to its basic ransomware functionality, also integrates the functionality of a DDoS bot.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity.

The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the second quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours.
If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack.

Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses.
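To make the attack-counting rules above concrete, here is an added Python replay of them (not Kaspersky Lab's code) over a constructed handful of intercepted C&C command observations; the botnet ids, documentation-range target IPs and timestamps are all constructed, and the daily timeline follows the report's footnote that a multi-day attack is counted once per day.

```python
"""Replaying the report's attack-counting rules over constructed data.

Added example, not Kaspersky Lab's code. Each observation is a
(timestamp, botnet_id, target_ip) tuple standing in for one intercepted
C&C command. Rules as stated in the methodology:
  * same botnet, same target: one attack while every break in activity
    is under 24 hours; a break of more than 24 hours starts a new attack
  * same target hit by two different botnets: two separate attacks
  * number of targets = number of unique target IPs
  * per-day timeline: an attack is counted once on every day it spans
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

MAX_BREAK = timedelta(hours=24)


@dataclass
class Attack:
    botnet: str
    target: str
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


def group_attacks(observations: Iterable[tuple[datetime, str, str]]) -> list[Attack]:
    """Cluster C&C observations into distinct attacks per (botnet, target)."""
    by_key: dict[tuple[str, str], list[datetime]] = {}
    for ts, botnet, target in observations:
        by_key.setdefault((botnet, target), []).append(ts)

    attacks: list[Attack] = []
    for (botnet, target), times in by_key.items():
        times.sort()
        current = Attack(botnet, target, times[0], times[0])
        for ts in times[1:]:
            if ts - current.end > MAX_BREAK:
                # Break of more than 24 h: close this attack, open a new one.
                attacks.append(current)
                current = Attack(botnet, target, ts, ts)
            else:
                current.end = ts
        attacks.append(current)
    attacks.sort(key=lambda a: (a.start, a.botnet))
    return attacks


def summarize(attacks: list[Attack]) -> dict[str, float]:
    """Headline numbers in the shape the report uses."""
    return {
        "attacks": len(attacks),
        "unique_targets": len({a.target for a in attacks}),
        "longest_hours": max(a.hours for a in attacks),
        "share_under_4h": sum(a.hours <= 4 for a in attacks) / len(attacks),
    }


def attacks_per_day(attacks: list[Attack]) -> list[int]:
    """Daily timeline: a multi-day attack is counted once on each day it spans."""
    counts: Counter = Counter()
    for a in attacks:
        day = a.start.date()
        while day <= a.end.date():
            counts[day] += 1
            day += timedelta(days=1)
    return [counts[d] for d in sorted(counts)]


# Constructed sample: three botnets, two targets (documentation-range IPs).
T0 = datetime(2016, 6, 1, 10, 0)
OBSERVATIONS = [
    (T0, "xor-a", "198.51.100.7"),
    (T0 + timedelta(hours=3), "xor-a", "198.51.100.7"),    # 3 h break: same attack
    (T0 + timedelta(hours=23), "xor-a", "198.51.100.7"),   # 20 h break: same attack
    (T0 + timedelta(hours=50), "xor-a", "198.51.100.7"),   # 27 h break: new attack
    (T0 + timedelta(hours=2), "nitol-b", "198.51.100.7"),  # other botnet: separate
    (T0 + timedelta(hours=10), "nitol-b", "198.51.100.7"),
    (T0 + timedelta(hours=1), "yoyo-c", "203.0.113.9"),
    (T0 + timedelta(hours=20), "yoyo-c", "203.0.113.9"),
    (T0 + timedelta(hours=40), "yoyo-c", "203.0.113.9"),
    (T0 + timedelta(hours=60), "yoyo-c", "203.0.113.9"),   # one 59 h attack
]

if __name__ == "__main__":
    found = group_attacks(OBSERVATIONS)
    for a in found:
        print(f"{a.botnet:8} -> {a.target:14} {a.start:%d %b %H:%M} .. "
              f"{a.end:%d %b %H:%M} ({a.hours:.0f} h)")
    print(summarize(found))        # 4 attacks, 2 targets, longest 59 h
    print(attacks_per_day(found))  # [3, 2, 2] for 1, 2 and 3 June
```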
In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab.
It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q2 Summary

Resources in 70 countries were targeted by DDoS attacks in Q2 2016.
77.4% of targeted resources were located in China.
China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.
The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.

The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.
In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.

Geography of attacks

In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks.
In fact, 97.3% of the targeted resources were located in just 10 countries.

The three most targeted countries remained unchanged – China, South Korea and the US.

Figure: Distribution of DDoS attacks by country, Q1 2016 vs. Q2 2016

This quarter’s statistics show that 94.3% of attacks had unique targets within the 10 most targeted countries.

Figure: Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q2 2016

Here too China was the leader: 71.3% of all DDoS attacks targeted unique resources located in the country (vs. 49.7% in Q1). The growth in the proportion of attacks on Chinese resources resulted in a decline in the share of attacks on resources in the other TOP 10 countries: South Korea saw its share fall by 15.5 percentage points, while the contribution of the US fell by 0.7 p.p. Russia left the TOP 5 after its share decreased by 1.3 p.p.
Vietnam took Russia’s place after its share remained unchanged (1.1%).

Germany and Canada both left the TOP 10 and were replaced by France and the Netherlands on 0.9% and 0.5% respectively.

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q2 2016, with a lull from late April till the end of May and two sharp peaks on 29 May and 2 June.

The peak number of attacks in one day was 1,676, recorded on 6 June.

Figure: Number of DDoS attacks over time* in Q2 2016
*DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
An analysis of the data for the first half of 2016 shows that although the distribution of DDoS attack numbers by day of the week remains uneven, a steady upward trend is evident.

Figure: Number of DDoS attacks, Q1 2016 – Q2 2016

In Q2, Tuesday was the most active day of the week for DDoS attacks (15.2% of attacks), followed by Monday (15.0%).

Thursday, which came second in Q1, fell one place (-1.4 p.p.).
Sunday became the quietest day of the week in terms of DDoS attacks (13.0%).

Figure: Distribution of DDoS attack numbers by day of the week

Types and duration of DDoS attacks

The ranking of the most popular attack methods remained unchanged from the previous quarter.

The SYN DDoS method has further strengthened its position as leader: its share increased from 54.9% to 76%.

The proportion of the other types of attacks decreased slightly, except for UDP DDoS, whose contribution grew by 0.7 p.p. However, these small fluctuations did not affect the order of the Top 5.

Figure: Distribution of DDoS attacks by type

The growth in the popularity of SYN-DDoS is largely down to the fact that during the second quarter of 2016, 70.2% of all detected attacks came from Linux botnets.

This was the first time in a number of quarters that there has been such an imbalance between the activity of Linux- and Windows-based DDoS bots. Previously, the difference had not exceeded 10 percentage points. Linux bots are the most suitable tool for SYN-DDoS.

Figure: Correlation between attacks launched from Windows and Linux botnets

Attacks that last no more than four hours remained the most popular, although their share decreased from 67.8% in Q1 to 59.8% in Q2 of 2016.

At the same time, the proportion of longer attacks increased considerably – attacks that lasted 20-49 hours accounted for 8.6% (vs. 3.9% in the first quarter) and those that lasted 50-99 hours accounted for 4% (vs. 0.8% in the previous quarter). The longest DDoS attack in the second quarter of 2016 lasted for 291 hours, which significantly exceeded the Q1 maximum of 197 hours.

Figure: Distribution of DDoS attacks by duration (hours)

C&C servers and botnet types

In Q2, South Korea remained the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 69.6%, a 2 p.p. increase from the first quarter of 2016.

The TOP 3 countries hosting the most C&C servers (84.8%) remained unchanged, while Brazil (2.3%), Italy (1%) and Israel (1%) all entered the TOP 10.

Figure: Distribution of botnet C&C servers by country in Q2 2016

As in previous quarters, 99.5% of DDoS targets in Q2 2016 were attacked by bots belonging to one family.

Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.5% of cases.

The most popular families of the quarter were Xor, Yoyo and Nitol.

Conclusion

The second quarter of 2016 saw cybercriminals paying close attention to financial institutions working with cryptocurrency.
Several of these organizations cited DDoS attacks as the reason for ceasing their activities.
Intense competition leads to the use of unfair methods, one of which is the use of DDoS attacks.

A strong interest on the part of the attackers is due to a particular feature of the businesses involved in processing cryptocurrency – not everyone is happy about the lack of regulation when it comes to cryptocurrency turnover.

Another trend is the use of vulnerable IoT devices in botnets to launch DDoS attacks.
In one of our earlier reports, we wrote about the emergence of a botnet consisting of CCTV cameras; the second quarter of 2016 saw a certain amount of interest in these devices among botnet organizers.
It is possible that by the end of this year the world will have heard about some even more “exotic” botnets, including vulnerable IoT devices.

AdGholas Malvertising Campaign Scam Smashed

SECURITY OUTFIT PROOFPOINT has made its point again and uncovered a thing called AdGholas which it warned is a pretty damn significant malvertising campaign. The firm has already smashed the campaign into the ground, thanks to work with service providers and fellow security company Trend Micro. The campaign was used by three groups, and a number of websites were affected by the placement of infected adverts.

A Proofpoint blog post explained that victims included the Belfast Telegraph and a French hotel.

"Proofpoint researchers have discovered and analysed a massive malvertising network operating since 2015, run by a threat actor we designated as AdGholas and pulling in as many as one million client machines per day," the firm said. "This malvertising operation infected thousands of victims every day using a combination of techniques including sophisticated filtering and steganography, as analysed by fellow researchers at Trend Micro.

"While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising."

Proofpoint does a lot of this sort of thing, and just recently cast a dark light over Pokémon. AdGholas might seem like any other old malvertising whack but is a bit of a pioneer in that it is the first such campaign to use steganography in drive-by malware attacks.

"This campaign represents the first documented use of steganography in a drive-by malware campaign, and the attacks employed ‘informational disclosure' bugs perceived to be low risk to stay below the radar of vendors and researchers," Proofpoint said.

AdGholas even used evasive tactics to avoid discovery and suspicion, and redirected or mimicked legitimate sites when under close inspection.

And it did all this undetected for over a bloody year. We guess the lesson here is to trust in security companies and don't click on links that don't look kosher.

Easier said than done.

SentinelOne's Ransomware Guarantee Is A PR Stunt

'Entirely comfortable paying money to criminals' grumbles infosec bod

A “ransomware guarantee” from security outfit SentinelOne has been dismissed by critics as a marketing stunt. Ransomware is currently the biggest scourge of internet security, affecting corporates and consumers alike. So self-styled next-generation endpoint security firm SentinelOne unsurprisingly created waves with a pledge to pay out on ransomware demands if its product failed to protect customers from file-encrypting pathogens such as Locky and CryptXXX.

“We believe it is time to stand behind what you sell. We have great technology, and we’re not afraid to back it. Financially. And apparently some of the top re-insurers in the world agree with us. We’ve created the first ever Ransomware Cyber Guarantee – a warranty for our product’s performance. It’ll give you the best protection from ransomware attacks – and if we miss something and you get infected – we’ll pay the ransom.”

“SentinelOne’s cyber threat protection guarantee program provides its customers with financial support of $1,000 per endpoint, or up to $1m per company,” according to a press release the firm issued on Tuesday.

Anti-virus industry veteran Graham Cluley said the offer showed SentinelOne is willing to pay crooks if its tech doesn't work as advertised. “SentinelOne says it's entirely comfortable paying money to criminals,” he said in a blog post. “Of course it's a marketing stunt, but still one – I must admit – that leaves a strange taste in my mouth… couldn't SentinelOne have just offered to throw in a decent backup program?”

El Reg put this criticism to SentinelOne’s PR representatives on Thursday morning but we’re yet to receive any response.

SentinelOne raised hackles earlier this month by reporting it had discovered “SCADA” malware that had infected at least one European energy firm, before walking back on its claims after others questioned the ability of the malicious code it had identified to infect industrial control systems.

How to Roll Your Own Threat Intelligence Team

A lot of hard work needs to go into effectively implementing an intelligence-driven security model.
It starts with five critical factors. Many organizations want to build a threat intelligence team but don’t really know where to start, let alone answer the question: what exactly is threat intelligence? The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team to effectively use intelligence to drive enterprise security. Here are five critical factors:

Factor 1: Establish an intelligence priorities framework.

To effectively use intelligence, the organization must first establish and prioritize the information it will need.

This can be accomplished by identifying the intelligence gaps that exist, formulating requirements from those gaps, then organizing the requirements into categories that align with the organization. For example, in a priority intelligence requirements (PIR) document, "P1" might map to "what adversaries target my organization"; underneath this, another requirement might be "what nation-state adversaries target my organization."

This might be expressed as "P1.a." This structure allows the organization to maintain a centralized list of all intelligence requirements, available for review on a regular basis.

Factor 2: Incorporate and consolidate intelligence sources.

There is a wealth of different sources:
Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices.
Open sources include published vendor reports, any number of free indicator feeds, vendor vulnerability lists (Microsoft, Apple, Adobe, etc.), and media sources.
Closed sources may include community mailing lists, or organizations such as ISACs.
Paid intelligence feeds.

Factor 3: Map your intelligence collection.

As new intelligence is collected from these sources, align them with the intelligence priorities defined in factor 1.

For example, indicators from public reports associated with a known threat actor might align to an intelligence requirement around targeted attacks. Memorialize that intelligence in an internal system: an email with the source, the date, the priority it maps to, the collected intelligence, and some analysis.
Store the collected intelligence in a searchable repository.
If possible, operationalize it by feeding it into technical sensors: take the actionable information and apply it to the SIEM, create a firewall block or logging event, create an IDS rule, or block the hash in the endpoint prevention system.

Factor 4: Find the best talent.

Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key.
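Factors 1 to 3 describe one workflow: a prioritized requirements list, records from several sources mapped onto it, and a searchable store that hands the actionable pieces to controls. As an added example (not from the article or from CrowdStrike), a small Python registry that does exactly that; the PIR ids follow the "P1"/"P1.a" convention above, while the field names, sample requirements, documentation-range IPs and the hashed sample string are all constructed.

```python
"""Minimal intelligence-requirements registry covering Factors 1 to 3.

Added example, not CrowdStrike's tooling. PIR ids follow the article's
"P1" / "P1.a" convention; field names, the sample requirements and the
sample records are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date

PIR_ID = re.compile(r"^P\d+(\.[a-z])?$")        # "P1" or "P1.a"
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


@dataclass(frozen=True)
class Requirement:
    """One entry in the priority intelligence requirements (PIR) document."""
    pir_id: str
    question: str

    def __post_init__(self) -> None:
        if not PIR_ID.match(self.pir_id):
            raise ValueError(f"bad PIR id {self.pir_id!r}")


@dataclass(frozen=True)
class IntelRecord:
    """What Factor 3 says to memorialize: source, date, priority, intel, analysis."""
    source: str
    collected: date
    pir_id: str
    indicators: tuple[str, ...]
    analysis: str


class Repository:
    def __init__(self, requirements: list[Requirement]) -> None:
        self.requirements = {r.pir_id: r for r in requirements}
        self.records: list[IntelRecord] = []

    def memorialize(self, record: IntelRecord) -> None:
        """Store a record; intel that maps to no known requirement is refused."""
        if record.pir_id not in self.requirements:
            raise KeyError(f"unknown requirement {record.pir_id}")
        self.records.append(record)

    def by_priority(self, pir_id: str) -> list[IntelRecord]:
        """Records for a requirement and its sub-requirements (P1 covers P1.a)."""
        return [r for r in self.records
                if r.pir_id == pir_id or r.pir_id.startswith(pir_id + ".")]

    def search(self, text: str) -> list[IntelRecord]:
        """Case-insensitive search across source, analysis and indicators."""
        needle = text.lower()
        return [r for r in self.records
                if needle in (r.source + " " + r.analysis + " "
                              + " ".join(r.indicators)).lower()]

    def actionable(self) -> dict[str, list[str]]:
        """Route indicators to the control that can consume them (Factor 3)."""
        out: dict[str, list[str]] = {"firewall": [], "endpoint": [], "dns": []}
        for r in self.records:
            for ind in r.indicators:
                if IPV4.match(ind):
                    out["firewall"].append(ind)     # firewall block / logging event
                elif SHA256.match(ind):
                    out["endpoint"].append(ind)     # hash block in endpoint prevention
                elif DOMAIN.match(ind):
                    out["dns"].append(ind)          # IDS / DNS rule
        return {k: sorted(set(v)) for k, v in out.items()}


def build_sample_repository() -> Repository:
    """Constructed PIRs plus two constructed records mapped onto them."""
    repo = Repository([
        Requirement("P1", "What adversaries target my organization?"),
        Requirement("P1.a", "What nation-state adversaries target my organization?"),
        Requirement("P2", "Which vulnerabilities in my environment are being exploited?"),
    ])
    sample_hash = hashlib.sha256(b"constructed sample, not a real file").hexdigest()
    repo.memorialize(IntelRecord(
        source="Constructed vendor report", collected=date(2016, 8, 1), pir_id="P1.a",
        indicators=("203.0.113.17", "update-check.example.net", sample_hash),
        analysis="Constructed: loader infrastructure of a state-backed group "
                 "that has targeted our sector.",
    ))
    repo.memorialize(IntelRecord(
        source="Constructed ISAC mailing-list post", collected=date(2016, 8, 2),
        pir_id="P2", indicators=("198.51.100.23",),
        analysis="Constructed: scanner probing a web product we run.",
    ))
    return repo
```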

As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant. Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white.
Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change.

These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.

Factor 5: Tailor the finished products to the audience.

Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence collected and analyzed over a discrete period of time allow the intelligence team to keep their internal customers abreast of what is going on.
Intelligence products should be tailored to the audience and contain information to help them be more effective.

For example, a product for the executive suite covering the attacks observed, upcoming events that may impact enterprise security, the latest relevant news pertaining to enterprise security, and intelligence assessments about what may happen will go a long way toward making the organization more proactive against threats.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer-reviewed industry venues and has received awards for his dedication to the field.

At CrowdStrike, Adam serves as the VP of ...

Hackers Spreading Chthonic Malware Via PayPal Emails

The total number of government requests for data on Amazon customers has doubled over the past year. The retail and cloud giant quietly announced the latest figures for the first six months of 2016 ending June in a report,...

Legal Sector's Threat Intel-Sharing Group Grows

LS-ISAO is 'the fastest-growing' ISAO.

The Legal Services Information Sharing and Analysis Organization (LS-ISAO), which was founded less than a year ago, now has more than 100 members and is regarded as the “fastest growing” ISAO, the group said this week. The LS-ISAO was formed to share real-time cyber threat intelligence between members from the legal sector, which has become a popular target of cyberattackers, including nation-states and cybercriminals interested in pilfering information about law firm clients. LS-ISAO facilitates discussions among member firms on cyber threat indicators, cross-community threat information, and phishing attempts on international law firms, and offers education resources via the FS-ISAC Summit.

“My firm considers the LS-ISAO to be the best opportunity to stay up-to-date with actionable security information," said Matt Kesner of Fenwick & West LLP.

Legal services firms wishing to join LS-ISAO may contact [email protected]


Dark Reading News Desk Coming Back To Black Hat, Live

Live from Las Vegas: over 40 video interviews with Black Hat USA conference speakers and sponsors. Wednesday Aug. 3 and Thursday Aug. 4, starting at 2 p.m. ET.

The Dark Reading News Desk will return to Black Hat USA next week to bring you an exclusive look inside the conference: over 40 live video interviews with conference speakers, sponsors and industry experts. Our broadcast will stream live, right here, from 2 p.m. - 7:00 p.m. ET (11 a.m. - 4:00 p.m. PT) Wednesday, Aug. 3 and from 2 p.m. - 6:10 p.m. ET (11 a.m. - 3:10 p.m. PT) Thursday, Aug. 4. Your hosts, once again, are myself (Dark Reading senior editor Sara Peters) and UBM's VP of Event and Content Strategy Brian Gillooly. We'll be having some fun, and more importantly, talking to this superb line-up of guests (subject to change):

Wednesday, August 3
Jeremiah Grossman, Chief of Security Strategy, SentinelOne
Bob Adams, Cyber Security Strategist, Mimecast
Travis LeBlanc, Chief, Enforcement Bureau, Federal Communications Commission
Andrew Krug, Security Researcher
Hugh Njemanze, CEO, Anomali
Aditya Gupta, CEO and Founder, Attify
Stuart McClure, President and CEO, Cylance
George Karidis, President, Cloud Technology Services, CompuCom
Shehzad Merchant, CTO, Gigamon
Jennifer Granick, Director of Civil Liberties, and Riana Pfefferkorn, Cryptography Fellow, both from the Stanford Center for Internet & Society
Jeff Schilling, CSO, Armor
Israel Barak, Head of Incident Response, Cybereason
Dr. Zinaida Benenson, Chair for IT Security Infrastructures, University of Erlangen-Nuremberg
Joe Loveless, Director of Product Marketing, Neustar
Peleus Uhley, Lead Security Strategist, Adobe
Michelle Cobb, VP of Worldwide Marketing, Skybox Security
Paul Vixie, CEO of Farsight Security, Inc.
Charlie Miller and Chris Valasek, Security Researchers
Leo Taddeo, CSO, Cryptzone
Kenneth Geers, Professor, NATO Cyber Centre
Hal Lonas, CTO, Webroot
Jamesha Fisher, Security Operations Engineer, GitHub
Stu Sjouwerman, CEO and Founder, KnowBe4 Inc.
Thursday, August 4
Jeff Melrose, Senior Principal Tech Specialist, Yokogawa
Nadav Avital, Application Security Research Team Leader, and Itsik Mantin, Director of Security Research, Imperva
Jake Kouns, CISO, Risk Based Security, and Christine Gadsby, Director of BlackBerry's Global Product Security Incident Response Team (SIRT)
Eva Galperin, Global Policy Analyst, Electronic Frontier Foundation, and Cooper Quintin, Staff Technologist, Electronic Frontier Foundation
Barmak Meftah, President and CEO, AlienVault
Tom Nipravsky, Security Researcher, Deep Instinct
Jian Zhen, SVP of Product, Endgame
Chris Wysopal, Co-founder and CTO, Veracode
Joyce Brocaglia, CEO, Alta Associates, and Founder, Executive Women's Forum
Brian Vecci, Technical Evangelist, Varonis
Dan Kaminsky, Chief Scientist, White Ops
Carl Herberger, Radware
Wade Williamson, Director of Threats, and Mike Banic, Vectra
Michael Sutton, CISO, Zscaler
Lance James, Chief Scientist, Flashpoint
Rick Holland, VP of Strategy, Digital Shadows
Jelle Niemantsverdriet, Director Cyber Risk Services, Deloitte
Nikhil Mittal, Security Researcher
Marco Ortisi, Senior Penetration Tester, European Network for CyberSecurity

Tune in Wednesday at 2 p.m. ET and join the fun.
If you see anything you like, share it with the hashtags #DRNewsDesk and #BHUSA. How could you not find something you like here? We'll have new vulnerabilities being announced, Jeremiah Grossman talking about cyber insurance, Adi Gupta talking IoT security, Jelle Niemantsverdriet talking about designing better security for end users, Andrew Krug talking about hardening AWS, Peleus Uhley talking about automation, Charlie Miller and Chris Valasek talking car hacking, and Jennifer Granick and Riana Pfefferkorn talking about handling technical assistance demands from law enforcement. Plus, these are live, four- or five-hour shows. That's like two back-to-back Super Bowls without halftime breaks, where the first one went into overtime.

That's like two back-to-back Major League Baseball games that went into 12, 13, 14 innings.
So even if you aren't interested in the infosec content, at least tune in on Thursday afternoon to see how well Brian and I are holding up. Maybe if you send us water, medicine, and Reese's Pieces around the time Dan Kaminsky is talking about how we could lose the Internet, we'll survive all the way through to Marco Ortisi's discussion of recovering an RSA private key from a TLS session with perfect forward secrecy.

Either way, it should be good viewing!

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Cisco Busts Ransomware Rodent After Bitcoin

VXer mass posts to Reddit in sorrowful bid to make a living

The eager-but-pwned net menace behind the Jigsaw ransomware has been found targeting Reddit users with multiple malware in a bid to snare victims. The VXer is thought to be behind three ransomware variants, including the well-known Jigsaw, which sports iconography from the Saw film, each lurking behind websites that foist the malware on visitors. The actor, using the handle minercount on a forum, had built and sold ransomware on crime forums and deployed it themselves in a successful bid to infect victims. Attribution is difficult at best, but the Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind the Jigsaw, Ranscam, and AnonPop ransomware forms.

Scores of low-ranking posts were made to the Bitcoin and related subreddits pointing those who clicked to sites that downloaded an AutoIT executable that deployed the ransomware. One post was made purporting to be a cache of online anonymity tools, including the Tor browser. It contained the actor's ransomware along with a guide to the darknet. The joker even posted a poisoned link to a cryptowallremoval subreddit dedicated to helping victims.

The irony is that re-encrypting already encrypted files would be a fruitless effort. Talos blackhat terminators Edmund Brumaghin and Warren Mercer pointed intelligence cannons at the Ranscam ransomware, sifting through domains, code, and posts to reveal the criminal's activities. "As observed by tracking the activities of the threat actor associated with Ranscam, new versions of this destructive malware are continuing to be developed and used in an attempt to coerce victims into paying out without necessarily requiring the threat actor to invest the resources required to maintain an advanced or stealthy operation," the pair say. "... while there may be a greater number of distinct destructive ransomware variants targeting systems, this may not directly correlate to a larger number of distinct threat actors operating in the ransomware space. "A single actor could be responsible for multiple distinct variants in an attempt to maximize their profits, or as they refine their tactics in an attempt to maximize the amount of revenue they collect from victims." Maintenance of offline backups, an absence of ravaged runtimes like Flash, and an avoidance of dodgy online oubliettes will help net users avoid ransomware and the need to pay ransoms.

Ransomware Advice Service To Tackle Extortion Gangs

European police agency Europol is teaming up with cybersecurity companies in an initiative aimed at slowing an "exponential" rise in ransomware. The scheme revolves around a website that connects victims and police, gives advic...

How Jihadists Operate Online And Under The Radar: Report

Secure browsers, VPNs, protected email apps, and mobile security apps are just the tip of the iceberg, a Flashpoint report shows.

An analysis of activity on the Dark Web shows that jihadist groups are taking advantage of a wider range of technology tools and secure services than generally assumed for propaganda and communication purposes. Researchers from security vendor Flashpoint recently examined data obtained from what they described as primary sources from the Deep and Dark Web to understand how those affiliated with terror groups maintain online presences without being detected. The analysis showed that jihadist groups rely on six broad categories of digital tools and services to maintain an online presence, obscure their tracks from law enforcement, proselytize, and communicate with each other.

The tools include secure browsers like Tor, proxy services and virtual private networks (VPNs) such as CyberGhost VPN, protected email services, and encrypted chat and messenger tools. “Jihadists enact stringent online security measures starting with the World Wide Web’s most fundamental portal: browsers,” the Flashpoint report observed. Unlike the majority of online users, who access the Web with browsers like Chrome, Safari, and Firefox, those involved in terror activities tend to use either the Tor browser or the VPN-equipped Opera browser, both of which offer a way to browse relatively securely without easily revealing their IP addresses. They tend to combine the use of secure browsers with VPN tools such as F-Secure Freedome and CyberGhost VPN to make it more difficult for law enforcement to keep tabs on their online activities, the Flashpoint report said. When it comes to email services, pro-ISIS and Al-Qaida affiliated groups tend to use a slew of protected email services to try to remain under the law enforcement radar.

Among the email services that are popular among such groups are Hush-Mail; ProtonMail, an encrypted email service developed by researchers at CERN and MIT; and GhostMail, an encrypted email service from Switzerland. Services that offer temporary, disposable email accounts without requiring users to register for an account are also popular. One example is YOPmail, a service that was used by Al-Qaida in Yemen to release a video of a terror attack on the office of French satirical newspaper Charlie Hebdo last January, Flashpoint said.

Applications that allow terror groups to use mobile devices relatively securely are also apparently very popular on the Dark Web. Jihadist groups rely heavily on mobile technologies to communicate and stay in touch with others. But they appear acutely aware of the risks involved in using mobile devices and are leveraging a variety of tools to make it harder for law enforcement to monitor them, Flashpoint said.

Among such tools are Fake GPS, which provides a false physical location when users are using certain apps like Facebook; ISHREDDER Pro, for permanently deleting files; and AFWall, an open source firewall for mobile devices. Besides the tools, jihadists also appear to be getting plenty of support and advice on how to use technology safely from tech-savvy peers. In one case documented in the Flashpoint report, a member of a jihadist forum distributed best practices and guidelines for using Tor.
In another incident, a forum member released a manual offering details on how to mask IP addresses and browse anonymously using CyberGhost VPN.

The advice covered weaknesses in VPN technology and workarounds for addressing them, like using a particular software tool to hide a computer’s disk serial number when browsing. Meanwhile, a jihadist organization known as Horizons released a multi-episode series on the secure use of mobile devices for jihadist purposes on Telegram, an encrypted communications platform. “Jihadists’ reliance on technology for survival pushes the jihadist community to constantly learn, adapt, and advance through various technological tools,” Flashpoint said in its report. “[Their] unrelenting drive to adapt and conceal their online operations presents unique challenges to monitoring them.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Free Tools & Training To ‘Hack Yourself’ Into Better Security

How to teach your blue team to think like the red team when your network is under attack and time is your most valuable asset.

Perhaps you’ve purchased the best cybersecurity technology available. Maybe you’ve brought in a red team (or have one in-house). You feel prepared in case of a cyber attack. However, there’s another step to attaining the proper level of preparation for today’s sophisticated cyber attacks: making sure your blue team knows how attackers operate. If you can implement a “hack-yourself” program effectively, you can improve the effectiveness of your defense-in-depth strategies by having a blue team capable of carrying out red team exercises to gain a better awareness of how attackers might approach certain network vulnerabilities. When your network is under attack, your most valuable asset is time.

The faster you understand you’re being attacked and the quicker you understand what’s happening, the faster you can identify where the attackers are and what they’re doing. Responding to attacks quickly and efficiently requires an advanced level of preparation that many security teams haven’t yet achieved. The first step in improving preparation is theoretical training in the latest tools, techniques and procedures.

Cybersecurity conferences such as Black Hat, DefCon, BSides and the Chaos Communication Congress can provide the higher-level, theoretical learning to get your security team moving toward proper awareness and preparation.

The next step is to introduce red team exercises. Red team exercises with third-party consultants can help large enterprises spot critical vulnerabilities in their networks. However, many companies rely on these red team exercises to the point that they don’t maintain the proper level of internal cybersecurity awareness.

External red team exercises offer a level of expertise that most organizations don’t have internally.

But there is also real value in implementing a “hack-yourself” program to build your security posture from the inside and arm your blue team with the skills to think like the red team.

More than simulations

Rather than having your security team practice hacking skills on third-party sites, internal red team exercises are carried out on your real network; they are not just simulations.

But to get the most out of a “hack yourself” program and avoid causing damage to the network, your security team must have the proper training to identify vulnerabilities as it hunts for data, administrator credentials, or any other valuable assets on your servers. Because the exercise runs against production systems, agree on scope and rules of engagement beforehand and have the team keep a timestamped record of every action it takes; that record is what lets you later compare what was done against what your monitoring actually caught. One way to ensure your security team has the proper training to carry out an advanced “hack-yourself” program is to invest in the Cyber Guardians program from the SANS Institute.

The Cyber Guardians program consists of four core courses and corresponding certificates. The program is meant to provide security professionals with knowledge about all kinds of cyber attacks and how to respond to them accordingly.

After your security team has achieved Cyber Guardian status, you’ll know that they are capable of understanding many techniques attackers might use to maneuver through your network. Once your internal red team is trained to enact the “hack-yourself” program, you need to supply them with tools similar to those that attackers have at their disposal when launching threats.

The following are two toolkits blue teams can use together for an effective “hack-yourself” program: Metasploit (through Kali Linux) and Cobalt Strike.

Metasploit

Metasploit, which has been labeled the Attacker’s Playbook by many in the cybersecurity community, offers a rich library of exploits you can run against a number of different servers. If your blue team can simulate the various steps of APT attacks, they will be better able to spot the attack paths and vulnerabilities that might otherwise have allowed major data breaches. However, before your internal security team can use Metasploit to its fullest potential, they’ll need specific training. Offensive Security offers a free training program for the toolkit called Metasploit Unleashed.

Cobalt Strike

Cobalt Strike is a tool used by red teams to emulate real network threats. You can use the tools within Cobalt Strike to conduct penetration testing.

The toolkit’s website says the software includes functionality for: network reconnaissance; attack packages for Java applets, Microsoft Office, Microsoft Windows, website cloning and more; spear phishing; collaboration within the penetration testing team; post-exploitation (execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other payloads); covert communications to evade security systems; browser pivoting to avoid two-factor authentication; and reporting and logging to analyze the results of the exercise.

While Metasploit offers a collection of exploits for blue teams to use, the tools and functionality in Cobalt Strike help blue teams gather information and move laterally without exploits. With the combination of an exploit toolkit and a set of tools for reconnaissance and lateral movement, your trained security team can carry out a “hack-yourself” program and uncover even the deepest layers of vulnerabilities.

Why "hack yourself?"

If you’ve never experienced a cyber attack, you will likely assume the first one will happen exactly as you’ve studied.

Consequently, you will be caught off guard when an attack actually occurs; there will be so much more information that it’s hard to understand what’s important, what isn’t important, and what to investigate further.
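One concrete way to turn a hack-yourself run into the kind of preparation the passage above calls for is to score it: join the internal red team's timestamped action log against the alerts the SIEM actually raised, and report which steps were caught, how long each took to surface, and which went unnoticed. The Python script below is an added example, not code from this article or from illusive networks, Metasploit or Cobalt Strike; the red-team log and SIEM alert lines in it are constructed for illustration, and the host names, technique tags and one-hour matching window are assumptions. Matching is greedy: each alert is attributed at most once, to the earliest unmatched action on the same host that precedes it within the window, so an alert on an unrelated host is simply left over as noise.

```python
"""Score a "hack-yourself" exercise: match the red team's action log against
the alerts the blue team's SIEM raised, and report coverage and time-to-detect.

Added example; the sample data below is constructed, not from a real exercise."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed red-team action log: timestamp, host, technique tag, free-text note.
RED_TEAM_LOG = """\
2016-07-18T09:00:05Z,ws-finance-07,phish_macro,Office macro payload executed
2016-07-18T09:03:40Z,ws-finance-07,recon,enumerated Domain Admins group
2016-07-18T09:12:11Z,ws-finance-07,cred_dump,dumped logon credentials from LSASS
2016-07-18T09:20:30Z,srv-file-02,lateral_psexec,remote service from ws-finance-07
2016-07-18T09:41:02Z,srv-file-02,exfil,staged archive, 120 MB to external host
"""

# Constructed SIEM alerts: timestamp, host, rule name. The last one is unrelated noise.
BLUE_TEAM_ALERTS = """\
2016-07-18T09:00:20Z,ws-finance-07,Office application spawned cmd.exe
2016-07-18T09:35:14Z,srv-file-02,Service installed over SMB (PsExec-style)
2016-07-18T10:02:00Z,srv-file-02,Outbound transfer to uncategorised IP over 100 MB
2016-07-18T11:30:00Z,ws-print-01,AV signature hit
"""


@dataclass
class Action:
    when: datetime
    host: str
    technique: str
    note: str


@dataclass
class Alert:
    when: datetime
    host: str
    rule: str


@dataclass
class Result:
    technique: str
    host: str
    detected: bool
    latency_s: Optional[int]   # seconds from the action to its first matching alert
    rule: Optional[str]


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_actions(text: str) -> List[Action]:
    rows = []
    for line in text.strip().splitlines():
        when, host, technique, note = line.split(",", 3)  # the note may contain commas
        rows.append(Action(_ts(when), host, technique, note))
    return sorted(rows, key=lambda a: a.when)


def parse_alerts(text: str) -> List[Alert]:
    rows = []
    for line in text.strip().splitlines():
        when, host, rule = line.split(",", 2)
        rows.append(Alert(_ts(when), host, rule))
    return sorted(rows, key=lambda a: a.when)


def match(actions: List[Action], alerts: List[Alert],
          max_lag: timedelta = timedelta(hours=1)) -> List[Result]:
    """Attribute each alert to at most one action: same host, raised after the
    action and within max_lag. Actions are walked in time order, so an alert
    goes to the earliest action that can explain it."""
    unused = list(alerts)
    results = []
    for act in actions:
        hit = next((al for al in unused
                    if al.host == act.host and act.when <= al.when <= act.when + max_lag),
                   None)
        if hit is None:
            results.append(Result(act.technique, act.host, False, None, None))
            continue
        unused.remove(hit)
        latency = int((hit.when - act.when).total_seconds())
        results.append(Result(act.technique, act.host, True, latency, hit.rule))
    return results


def summarize(results: List[Result]) -> dict:
    """Coverage (fraction of actions detected), latency stats, and the missed techniques."""
    lat = [r.latency_s for r in results if r.detected]
    return {
        "coverage": len(lat) / len(results) if results else 0.0,
        "mean_latency_s": sum(lat) // len(lat) if lat else None,
        "max_latency_s": max(lat) if lat else None,
        "missed": [r.technique for r in results if not r.detected],
    }


def score(red_log: str = RED_TEAM_LOG, blue_log: str = BLUE_TEAM_ALERTS):
    results = match(parse_actions(red_log), parse_alerts(blue_log))
    return results, summarize(results)


if __name__ == "__main__":
    results, summary = score()
    for r in results:
        status = f"detected after {r.latency_s}s by '{r.rule}'" if r.detected else "MISSED"
        print(f"{r.host:14} {r.technique:16} {status}")
    print(summary)
```

On the constructed data the script reports three of five steps detected, with the credential dump and the domain reconnaissance missed entirely and lateral movement taking nearly a quarter of an hour to surface. That list of missed techniques is the blue team's training and detection-engineering backlog for the next run; the latency figures are the "time" the article calls your most valuable asset, measured rather than guessed.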

The more you practice internally, the better prepared you’ll be when the time comes that you’re actually under attack.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016.

Ofer Israeli is illusive networks' founder and vice president of research and development. Prior to founding illusive networks, Ofer was a team leader at Check Point Software Technologies, where he led the endpoint security management and the cloud and document security ...