Thursday, January 18, 2018

The Dropping Elephant – aggressive cyber-espionage in the Asian region

Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools.
Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks. Overall, the activities of this actor show that low investment and ready-made offensive toolsets can be very effective when combined with high quality social engineering. We have seen more such dependency on open source toolsets such as Meterpreter and BeEF, and expect this trend to continue.

The Attack Method: Infection Vector

Dropping Elephant uses two main infection vectors that share a common, and fairly elaborately maintained, social engineering theme: foreign relations with China. The first approach involves spear-phishing targets using a document with remote content.

As soon as the user opens the document, a “ping” request is sent to the attackers’ server.

At this point, the attackers know the user has opened the document and send another spear-phishing email, this time containing an MS Word document with an embedded executable.
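One way to triage the first-stage “document with remote content” described above is to look inside the Office Open XML package for relationships that point outside the file. The following Python is an added example, not code from the report or from the actor’s toolset. It assumes the remote content is referenced through a relationship with TargetMode="External" (an attached template or a linked image, for instance), which is one common way to build such a tracking document; the sample document and the attacker URL it builds are constructed for the example.

```python
"""Flag Office Open XML documents that reference remote content.

Added example, not from the original report. A "document with remote
content" is assumed here to be a .docx whose relationship parts point at
an external URL (TargetMode="External"), e.g. an attached template or a
linked image; Word fetches such a target when the file is opened, which
is the "ping" described in the text. The sample document built below is
constructed test input, not a real campaign file.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
# Relationship types that Word resolves automatically when the document opens.
# Hyperlinks are External too, but only fetched on click, so they are excluded.
AUTO_FETCH_TYPES = {"attachedTemplate", "image", "oleObject", "frame", "subDocument"}
REMOTE_RE = re.compile(r"^(https?://|\\\\|file:)", re.I)


def find_external_targets(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship in
    the package whose TargetMode is External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits


def is_suspicious(rtype, target):
    """True for an auto-fetched relationship pointing at an HTTP(S), UNC or
    file: location, i.e. something that phones home on open."""
    return rtype in AUTO_FETCH_TYPES and bool(REMOTE_RE.match(target))


def triage(docx_bytes):
    """Return only the external targets worth an analyst's attention."""
    return [(p, t, u) for p, t, u in find_external_targets(docx_bytes) if is_suspicious(t, u)]


def build_sample_docx(template_url):
    """Construct a minimal package whose settings part attaches a remote
    template and whose body carries an ordinary hyperlink (constructed input)."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" TargetMode="External" Target="%s" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
        '</Relationships>' % (REL_NS, template_url)
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Target="settings.xml" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings"/>'
        '<Relationship Id="rId2" TargetMode="External" Target="https://www.example.com/" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        '</Relationships>' % REL_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attacker URL, not an indicator from the report.
    sample = build_sample_docx("http://attacker.example/tracker.dotm")
    for part, rtype, target in triage(sample):
        print("remote content: %s -> %s -> %s" % (part, rtype, target))
```

Run it over every Office attachment before it reaches a user’s mailbox or as part of sample triage. Legitimate documents built from templates on corporate file shares will also show UNC attachedTemplate targets, so compare the hits against the hosts you actually expect rather than blocking on the presence of an external relationship alone.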

The Word document usually exploits CVE-2012-0158. Sometimes the attackers send an MS PowerPoint document instead, which exploits CVE-2014-6352. Once the payload is executed, a UPX-packed AutoIT executable is dropped. Upon execution, this downloads additional components from the attackers’ servers.

Then the stealing of documents and data begins.

The second approach involves capturing victims through watering hole attacks.

The actor created a website that downloads genuine news articles from other websites.
If a website visitor wants to view the whole article they would need to download a PowerPoint document.

This reveals the rest of the article, but also asks the visitor to download a malicious artifact.

The two main infection vectors are supported by other approaches.
Sometimes, the attackers email out links to their watering hole websites.

They also maintain Google+, Facebook and Twitter accounts to develop relevant SEO and to reach out to wider targets. Occasionally, these links get retweeted, indiscriminately bringing more potential victims to their watering holes.

1. Malware Analysis

The backdoor is usually UPX packed but still quite large in size.

The reason for this is that most of the file comprises meaningless overlay data, since the file is an automatically generated AutoIT executable with an AutoIT3 script embedded inside. Once started, it downloads additional malware from the C2 and also uploads some basic system information, stealing, among other things, the user’s Google Chrome credentials.

The backdoor also pings the C2 server at regular intervals.

A good security analyst can spot this while analyzing firewall log files and thereby find out that something suspicious might be going on in the network. Generally speaking, backdoors download additional malware in the form of encrypted or packed executables/libraries.
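The regular C2 pings mentioned above can be surfaced from firewall or proxy logs by measuring how constant a flow’s inter-arrival times are. The following Python is an added example, not from the report: the log format is a constructed, generic “timestamp action src dst dport” line rather than any particular firewall’s syntax, the internal hosts and timestamps are invented, the destination is the 5.254.98[.]68 address from the report’s IOC list, and the thresholds are assumptions to tune against your own data.

```python
"""Spot a regularly beaconing host in firewall logs.

Added example, not from the original report. The log lines are a
constructed, generic "timestamp action src dst dport" format rather than
any particular firewall's syntax; the internal hosts and timestamps are
invented, and the destination is the 5.254.98[.]68 address from the
report's IOC list. Thresholds are starting points to tune on real data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 checks in roughly every five minutes, 10.0.0.9 is
# ordinary browsing with irregular gaps.
LOG = """\
2016-01-12T09:00:00Z ALLOW 10.0.0.7 5.254.98.68 80
2016-01-12T09:00:04Z ALLOW 10.0.0.9 93.184.216.34 443
2016-01-12T09:05:01Z ALLOW 10.0.0.7 5.254.98.68 80
2016-01-12T09:07:40Z ALLOW 10.0.0.9 93.184.216.34 443
2016-01-12T09:09:59Z ALLOW 10.0.0.7 5.254.98.68 80
2016-01-12T09:15:02Z ALLOW 10.0.0.7 5.254.98.68 80
2016-01-12T09:18:11Z ALLOW 10.0.0.9 93.184.216.34 443
2016-01-12T09:20:00Z ALLOW 10.0.0.7 5.254.98.68 80
2016-01-12T09:24:58Z ALLOW 10.0.0.7 5.254.98.68 80
2016-01-12T09:51:30Z ALLOW 10.0.0.9 93.184.216.34 443
"""


def parse(log_text):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, _action, src, dst, dport = parts
        try:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)
        except ValueError:
            continue


def find_beacons(log_text, min_events=5, max_cv=0.05):
    """Group events per (src, dst, dport) and flag flows whose inter-arrival
    times are nearly constant. Returns {flow: (count, mean_gap_s, cv)} where
    cv is the coefficient of variation (stdev / mean) of the gaps."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        flows[(src, dst, dport)].append(ts)
    beacons = {}
    for flow, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # every event in the same second: a burst, not a beacon
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            beacons[flow] = (len(times), round(mu, 1), round(cv, 4))
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), (n, gap, cv) in find_beacons(LOG).items():
        print("beacon candidate: %s -> %s:%d, %d hits, every %.0fs (cv=%.4f)"
              % (src, dst, dport, n, gap, cv))
```

Two caveats when applying this to real logs: attackers can add jitter to the check-in interval, which raises the coefficient of variation, so treat max_cv as a knob rather than a constant; and plenty of benign software (update checks, NTP, monitoring agents) beacons perfectly, so the output is a candidate list to enrich with destination reputation, not an alert on its own.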

But, in the case of Dropping Elephant, the backdoor downloads encoded blobs that are then decoded to PowerShell command line “scripts”.

These scripts are run and, in turn, download the additional malware.

One of the more interesting malware samples downloaded is the file-stealer module. When this file-stealer is executed, it makes another callback to the C2 server, downloading and executing yet another malware sample.
It repeatedly attempts to iterate through directories and to collect files with the following extensions: doc, docx, ppt, pptx, pps, ppsx, xls, xlsx, and pdf.

These files are then uploaded to the C2 server.

Also interesting are the resilient communications used by this group. Much like the known actors Miniduke or CommentCrew, it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands.
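To illustrate the redirector scheme described above, the following Python is an added example that is not part of the report or of the actor’s code: it pulls the HTML comments out of a fetched feed page, base64-decodes each token and decrypts it, and keeps anything that comes out URL-shaped. The report does not publish the cipher or the key, so the single-byte XOR, the key, the feed body and the path on the decoded URL are all assumptions made up for this example; only the IP comes from the report’s IOC list.

```python
"""Recover a next-hop C2 URL hidden in the comments of a legitimate page.

Added example, not code from the campaign. The report states that the
backdoor reads base64-encoded, encrypted C2 locations out of comments on
legitimate web pages and that the decrypted data is the next hop rather
than a command. It does not publish the cipher or key, so a single-byte
XOR key is assumed here for illustration only; the feed body, the key and
the path on the decoded URL are constructed, the IP comes from the
report's IOC list. encode_hop exists only so the round trip runs offline.
"""
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Printable-ASCII URL shape: scheme, host, optional port, optional path.
URL_RE = re.compile(rb"^https?://[A-Za-z0-9.\-]+(:\d+)?(/[!-~]*)?$")


def encode_hop(url, key):
    """Assumed attacker-side scheme: XOR every byte with key, then base64."""
    return base64.b64encode(bytes(b ^ key for b in url.encode())).decode()


def decode_hop(token, key):
    """Inverse of encode_hop. Returns the URL, or None when the token is not
    valid base64 or does not decrypt to something URL-shaped."""
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    plain = bytes(b ^ key for b in raw)
    return plain.decode("ascii") if URL_RE.match(plain) else None


def extract_next_hops(page_html, key):
    """Scan every HTML comment on the page and return the tokens that decode
    to a URL, in document order. Ordinary comment text is ignored because it
    fails base64 validation or does not decrypt to a URL."""
    hops = []
    for comment in COMMENT_RE.findall(page_html):
        for token in comment.split():
            url = decode_hop(token, key)
            if url:
                hops.append(url)
    return hops


# Constructed stand-in for a fetched redirector page such as an RSS feed.
KEY = 0x5A
SAMPLE_FEED = """<rss><channel><title>news</title>
<!-- generator: feed-builder -->
<!-- %s -->
<item><title>Story</title></item></channel></rss>
""" % encode_hop("http://5.254.98.68/gate.php", KEY)  # path is hypothetical


if __name__ == "__main__":
    for hop in extract_next_hops(SAMPLE_FEED, KEY):
        print("next hop:", hop)
```

When reversing a real sample, decode_hop is the part to replace with the routine lifted from the binary; the comment extraction and the “does it look like a URL” filter carry over unchanged. For hunting, the useful observable is not the cipher but the pattern: an endpoint fetching one of the redirector URLs listed under Indicators of Compromise and, shortly afterwards, opening a connection to an address that appears nowhere in the page’s visible content.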

2. C2 Analysis

In many cases it was very difficult to get a good overview of the campaign and to find out how successful it is.

By combining KSN data with partner-provided C2 server data, we were able to obtain a much fuller picture of the incident. We examined connections and attack logins to this particular C2.

As it turned out, the attackers often logged in via a VPN, but sometimes via IPs belonging to an ordinary ISP in India. We then looked at the time the attackers were active, of which you can find an image below.

Victim Profile and Geography

We also wanted to get a better idea of the geolocation of most visitors.

Analysis of the image provided access counts and times, along with the IP of the visiting system. Noteworthy are the many IPs located in China.

This focus on China-related foreign relations was apparent from the ongoing social engineering themes that were constant throughout the attacks.

The concentration of visits from CN (People’s Republic of China) could be for a variety of reasons – diplomatic staff are visiting these sites from their CN offices, CN academics and analysts are very interested in researching what they believe to be CN-focused think tanks, or some of the IPs are unknown and not self-identifying as bots or scrapers. Regardless, because we were able to determine that multiple targets are diplomatic and governmental entities, these foreign relations efforts are likely to represent the main interest of the attackers.

Conclusion

Campaigns do not always need to be technically advanced to be successful.
In this case, a small group reusing exploit code, some PowerShell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015. Our analysis of the C2 server confirmed the high profile of most victims, mainly based in the Asian region and especially focused on Chinese interests.

Actually, some hints suggest the group has been successful enough to have recently expanded its operations, perhaps after proving its effectiveness and the value of the data stolen. This is quite worrying, especially given the fact that no 0-days or advanced techniques were used against such high profile targets.
Simply applying software patches will prevent attacks based on old exploits, as will training in the most basic social engineering attacks. However, it should be noted that in this case Microsoft’s patch for CVE-2014-6352 just warns the user not to allow the execution of the suspicious file.

Dropping Elephant artifacts are detected by Kaspersky Lab products as:

Exploit.Win32.CVE-2012-0158.*
Exploit.MSWord.CVE-2014-1761.*
Trojan-Downloader.Win32.Genome.*
HEUR:Trojan.Win32.Generic

As usual Kaspersky Lab actively collaborates with CERTs and LEAs to notify victims and help to mitigate the threat.
If you need more information about this actor, please contact intelreports@kaspersky.com. More information on how Kaspersky Lab technologies protect against such cyberespionage attacks is available on the Kaspersky Business blog.

Indicators of Compromise

Backdoors (MD5)

eddb8990632b7967d6e98e4dc1bb8c2f
1ec225204857d2eee62c78ee7b69fd9d
d3d3a5de76df7c6786ed9c2850bd8405
05c5cc0e66ad848ec540fcd3af5853b1
0839b3f0a4b28111efc94942436041cb
0cf4acddfaa77bc66c44a687778f8695
233a71ea802af564dd1ab38e62236633
39538c8845bd0b4a96c4b8bc1e5d7ea3
54c49a6768e5f8551d0918e63b200775
7a662144f9d6bada8aea09b579e15562
aa755fc3521954b10fd65c07b423fc56
d8102a24ca00ef3db7d942912765441e
e231583412573ecabfd05c4c0642a8b9
fb52fbd9b3b465453276f42c46350c25

Exploit documents (MD5, file name)

d69348794e85ddea6a5f68b85f9bf47b 10_gay_celebs.doc
9f9824e9a4d7d3073aebbcc781869660 1111_v1.doc
d1c864ae8770ae43a0e59a31c0788dc2 13_Five_Year_Plan_2016-20-1.pps
9a0534772ac23ff64e3c85b18fbec596 2015nianshijiexiaoxuanshou.doc
a46d44e227b49d2075730610cfec0b2e 7GeopoliticalConsequencetoAnticipateinAsiainEarly2016_1.doc
79afb3f44172447015578b8064c1dda0 7GeopoliticalConsequencetoAnticipateinAsiainEarly2016_2.doc
6abf60e9e2f6e3fa4c8020e1b2ef2867 ABiggerBolderChinain2016_1.doc
89963d5aac8441b0febbe5d5a0ab7629 ABiggerBolderChinain2016_2.doc
d79e1d6302aabbdf083ba89a7c2f34fc aeropower.pps
90af176bfdf248d2899b49316458e4b6 australia_fonops_1.pps
24c722f3d0770ede82fa3d6b550098b3 australia_fonops_2.pps
08a116efce7d947257ce94fc8f3e276e aviation_1.pps
0ae8f01b9ba0394f5e68536574076aa1 aviation_2.pps
0d1bdb45bac3b09e28e4f0cb09c97194 beauty3.pps
d807fb3cb1a0687e152d288171ab9b59 beauty6.pps
f017c65c7b5d14df11c5e0e4f0406562 CHINA_FEAR_US_3.pps
3cd8e3e80a106b0590a7b5eedddf4715 CHINA_FEAR_US_6.pps
a1940b31af27139a13dff852cb012a22 ChinainSyria.doc
e7ba5c209635607b2b0e38a00a822953 chinamilstrat1.doc
d273f090b96eca7c93387a03d9527d9b chinamilstrat2.doc
17d5acf49a4d65a4aacc362576dbaa12 chinamilstrength.pps
3c68ca564595e108920a0f105728fded China_Response_NKorea_Nuclear_Test1.pps
8c21aee21b6bfa12ecf6070a4532655a China_Response_NKorea_Nuclear_Test2.pps
533ce967d09189d27f38fe6ed4711099 chinascyberarmy2015_1.pps
9c9e5d09699821c53d68e957044ec6e8 chinascyberarmy2015_2.pps
c4f5d6ed36c3d51cb1b31f20922ce880 ChinasMilitaryIntelligenceSystemisChanging_1.doc
1fb7eece41b964517d5224b57073c5d4 ChinasMilitaryIntelligenceSystemisChanging_2.doc
1e620679c90563d46aa349e991d2e0f2 CHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_1.doc
a0177d2fd49d835244028e98449c77a5 CHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_1.pps
1e620679c90563d46aa349e991d2e0f2 CHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_2.doc
70c5267c56ded521c6f674a6a6649f05 CHINA’S_PUZZLING_DEFENSE_AGREEMENT_WITH_AUSTRALIA_2.pps
a1940b31af27139a13dff852cb012a22 ChinatoReceive_S-400_Missiles.doc
77ff734bc92e853b92595ddf999ee1ec China_two_child_policy_will_underwhelm1.doc
8c875542def907312fd92d10746c230c China_two_child_policy_will_underwhelm1.pps
e98b1ed80ba3a3b6b0809f04536e9753 ChinaUS_1.pps
36581da1d10ba6382a63e7046c21dd8d ChinaUS_2.pps
9a7e499d7abfcbe7fb2a78cf1d7a2f10 chinesemilstrat_1.pps
40ace1c9394c95d7e9e1e80f24bd1a73 chinesemilstrat_2.pps
71d59036f84aba8e60aa8785e3883372 cppcc_1.pps
04aff7c333055188219e290e58313d78 cppcc_2.pps
dffe28c9c4dc9e2e865e3237f4bc38c4 Dev_Kumar_Sunuwar.doc
ae27773e49fea122e3f8ce7a27e6c555 election.pps
86edf4fab125d8ccba85138f43b24def enggmarvels_1.pps
a8022594e81c74b22abca772eb89657c enggmarvels_2.pps
bc08d1bddf72369adceffbfc36f848df fengnew33.pps
2c70e1f152e2cb42bb29aadb66ece2ec fengnew36.pps
3a2be243b0c78e8689b34e2415d5e479 fengnew63.pps
2158cb891a8ecbaaa70a641a6529b787 fengnew66.pps
a1940b31af27139a13dff852cb012a22 final.doc
a1940b31af27139a13dff852cb012a22 FinancialCrisisChina.doc
884f76542f3972f473376c943daeaf8f futuredrones_1.pps
098c74c23ed73ac7bf7581fec2eb088d futuredrones_2.pps
915e5eefd145c59677a2a9eded97d114 gaokaonewreforms_1.doc
57377233f2a946d150115ad23bbaf5e6 gaokaonewschedule_1.pps
1c5b468489cf927c1d969484ddbdd8ea gaokaonewschedule_2.pps
fa2f8ec0ab22f0461e860394c6b06a68 harbin_1.pps
9a0534772ac23ff64e3c85b18fbec596 Heart_Valve_Replacement.doc
4ea4142bab2b90e5779df19616f7d8ca Implication_China_mil_reforms_1.doc
8a350d3f6fb359377d8939e1a2e033f3 Implication_China_mil_reforms_1.pps
f5e121671384fbd43534b8515c9e6940 ISIS_Bet_Part1.doc
3a83e09f1b751dc08f4b719ed51c3fbc ISIS_Bet_Part2.doc
8a1a10dcc6e2ac6b40a86d6ed20cf1bd japan_pivot_1.pps
72c05100da6b6bcbf3f96fee5cf67c3f japan_pivot_2.pps
ebe8efbad7f01b76465afaf474589c2f jtopcentrecomn.pps
165ae88945852a37fca8ec5224e35188 korea1.pps
38e71afcdd6236ac3ad24bda393a81c6 militarizationofsouthchinasea_1.pps
61f812a1924e6d5b4307313e20cd09d1 militarizationofsouthchinasea_2.pps
4595dbaeec06e3f9b466d618b4da767e MilitaryReforms1.pps
1de10c5bc704d3eaf4f0cfa5ddd63f2d MilitaryReforms2.pps
ce1426ffe9ad4439795d269ddcf57c87 MilReform_1.doc
1e620679c90563d46aa349e991d2e0f2 MilReform_2.doc
8d2f4e691f2e318f7162a3a5d397b29c MilReforms_1.pps
631d44688303be28a1b825aa1c9f3202 MilReforms_2.pps
fe78c037844ad08a9a79c85f46e68a67 my_lovely_pics_3.pps
d5a976cc714651711c8f067dd5e00709 my_lovely_pics_6.pps
657e9333a052f593b7c51c58917a1b1f my_photos_3.pps
e08bbed0aa4b21ae921d4dc5350789c7 my_photos_6.pps
141a8b306af8087df4feee15f571eb59 nail_art_3.pps
122d7dff33174e532063a16ae526208d nail_art_6.pps
d049a6f9e527a72a4b917eec1acbd6f9 netflix1.doc
09a478efd8c5aeef3a5395e3988f5059 netflix1.pps
d791f8d9495d5d5df0cedb8b27fb3b49 netflix2.doc
e7b4511cba3bba6983c43c9f9014a49d netflix2.pps
d01be8c3c027f9d6f0d93542dfe7ca97 nianshijiexiaoxuanshou2015.doc
040712ba00b32cc19e1938e14e732f59 North_Korea_Nuclear_Test_1.doc
3b0ca7dafb94333234e4f1330a1699da North_Korea_Nuclear_Test_2.doc
1e620679c90563d46aa349e991d2e0f2 Obama_Gift_China_1.doc
6f327b93279f3ce39f4fbe7a610c3cd2 Obama_Gift_China_1.pps
1e620679c90563d46aa349e991d2e0f2 Obama_Gift_China_2.doc
58179b5cf455e2bcac396c697cd43050 Obama_Gift_China_2.pps
fa94f2843639f7afec3c06799a8d222e PAK_CHINA_NAVAL_EXERCISEn.doc
4d2bde1b3985d1e1088801d92d1d6ca9 pension_1.pps
9a0534772ac23ff64e3c85b18fbec596 Reconciliation_China’s_PLAN.doc
2c9b4d460e846d5814c2691ae4591c4f Stewardess1.doc
dab037a9e02978bcd275ddaa15dab01d stewardess1.pps
007c9c29786d0af81caf437fe626c6fe Stewardess2.doc
8aae16b5e64445703d939bc7923ae7b7 stewardess2.pps
036a45983df8f81bf1875097fc026b04 syria_china.pps
a8b9a32723452d27257924a737ec1bed TaiwanDiplomaticAccess_1.pps
f16ee3123d5eb21c053ac95e7cd4f203 TaiwanDiplomaticAccess_2.pps
71ce64fee9cd323828a44e9228d2736b tibetculture_1.pps
b5e5e428b31a8affe48fdf6b8a253dc6 tibetculture_2.pps
d64efa0b8c091b8dbed3635c2b711431 underestimatingUS_1.pps
543fe62829b7b9435a247487cd2a9672 underestimatingUS_2.pps
807796263fd236a041f3633ac578140e UruguayJan-Jun_1o.pps
98e7dc26531469e6b968cb422371601a uruguayjan-jun_1.pps
7eb1b6fefe7c5f86dcc914056928a17b UruguayJan-Jun_2o.pps
7660c6189c928919b0776713d2755db2 uruguayjan-jun_2.pps
7c4c866cf78be30229b75a3301345f44 UruguayJul-Dec_1o.pps
a4fcf3a441865ae17f2c80ff7c28543d uruguayjul-dec_1.pps
dba585f7d5fc51566c663bd738de2c33 UruguayJul-Dec_2o.pps
f7905a7bd6483a12ab36071363b012c3 uruguayjul-dec_2.pps
409e3368af2add71265d2811aa9d6817 US_China.doc
5a89f11f4bb3b5637c731e206f807ff7 us_srilanka_relations_1.pps
7f50d3f4eabffe7225a2d5f0c91009c8 us_srilanka_relations_2.pps
3d01d2a42450064c55574d853c086f9a WILL_ISIS_INFECT_BANGLADESH.doc
1538a412fd4035954237c0b4c135fcba WILL_ISIS_INFECT_BANGLADESH.pps
eb0b18ecaa6f40e48970b08f3a3e6803 zodiac_1.pps
da29f5eeb39332a850f04be2906315c1 zodiac_2.pps

Domains and IPs

http://www.epg-cn[.]com
http://chinastrat[.]com
http://www.chinastrats[.]com
http://www.newsnstat[.]com
http://cnmilit[.]com
http://163-cn[.]org
alfred.ignorelist[.]com
http://5.254.98[.]68
http://43.249.37[.]173
http://85.25.79[.]230
http://10.30.4[.]112
http://microsofl.mooo[.]com
ussainbolt.mooo[.]com
ussainbolt1.mooo[.]com
updatesys.zapto[.]org
updatesoft.zapto[.]org

C2 redirectors (with obfuscated comments)

http://feeds.rapidfeeds[.]com/61594/
http://wgeastchina.steelhome[.]cn/xml.xml
http://hostmyrss[.]com/feed/players
http://feeds.rapidfeeds[.]com/81908/
http://feeds.rapidfeeds[.]com/79167/

Update: our friends from Cymmetria have released their analysis of the Dropping Elephant / Patchwork APT – make sure to check it as well for more data about the attacks.

NATO Ambassador: How The Ukraine Crisis Fits Cyber War Narrative

Kenneth Geers previews his Black Hat talk and discusses the strategic military maneuvers governments can make within cyberspace. When Kenneth Geers, ambassador of the NATO Cyber Centre, first suggested two years ago that there might be a connection between spikes in cybercriminal activity and spikes in geopolitical conflict, there was skepticism.
Since then, NATO has declared cyberspace a domain for war and regions of geopolitical strife have also seen their fair share of cyberespionage and cybercrime. What's been learned and has the skepticism waned or grown? Geers, who has been living in Ukraine for the past two years, will discuss this in an upcoming session at Black Hat USA, "Cyber War in Perspective: Analysis from the Crisis in Ukraine." The talk will cover some of the work published by 20 prestigious researchers on behalf of the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE), investigating the cyber activity in the region between 2013 and 2015. Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016.

Two years ago, Vladimir Putin signed a bill incorporating the Crimean peninsula into the Russian Federation, and Russian military forces massed along the Ukrainian border. Geers was a global threat analyst for FireEye at the time, and noticed a spike in malware traffic traced back to Ukraine and Russia at the height of the conflict between the two nations. Geers tentatively suggested at the time that there could be a connection between the geopolitical climate and the increase in cybercriminal activity, and that this connection could be used for threat intelligence. He received some pushback, at the time, even among colleagues within FireEye. Since then, however, Ukrainian targets have been hit with more cyberattacks that directly or indirectly impact the country's autonomy. Ukrainian presidential elections in 2014 were “completely, utterly, thoroughly hacked,” says Geers.

Three days before the election was to be held, a pro-Moscow hacking group attacked the election commission.

As a Wall Street Journal feature described: Its stated goal: To cripple the online system for distributing results and voter turnout throughout election day.
Software was destroyed. Hard drives were fried. Router settings were undone.

Even the main backup was ruined.

A valiant effort by the election commission's IT staff rebuilt the voting system in time for the election, starting from an offline backup. However, attackers were able to post false election results that appeared to be hosted by the Commission's website -- media outlets reported these false results briefly before they were debunked. Cyber war skeptics would argue that these attacks didn’t actually change the results of the election, so the impact was minimal, says Geers, who maintains “it degrades the integrity of the government” and the systems on which it relies. In addition to these moves against elections, there have been cyberattacks on Ukraine's banks, railroads, mining industry, and of course the highly publicized one in December that took down a significant portion of the Ukrainian power grid.

Skeptics of the very existence or possibility of "cyber war" could point to attacks like these and dismiss them by saying they did not cause death or widespread destruction.

They therefore challenge terms like "Cyber Pearl Harbor." "People don’t like it," says Geers, "but we talk about ['Cyber Pearl Harbor'] a lot at Cyber Command.” The term, says Geers, is in reference to the tactical advantage the Japanese forces gained in World War II by the attacks on Pearl Harbor. "It wasn’t meant to win the war.
It was meant to create some breathing space.” Similarly, he says, cyberattacks can be used “to give you a bit of time.

An edge.” Disrupting satellite communications, causing mass blackouts, derailing trains, or stirring up some public unrest, might not be the ultimate goal, but it could be a strategic maneuver in a war.
It's something to divert leaders' attention and resources away from something of greater importance. Perhaps more sinister is the possibility of cyberattacks being used to change data. “So the ship goes left, not right.
So the agent meets at 2, not 12.

Those things could get people killed," and that, says Geers, is not hyperbole.

A cyberattack, he says “is not an artillery barrage, but you could lead troops into an artillery barrage” with a cyberattack. The changes could be smaller, he says, to less critical systems, and maybe socks get sent to the base that needs more bullets and bullets get sent to the base that needs more socks. Regardless, it's a matter of diminished integrity, says Geers -- diminished integrity of data, of systems, and of people. Once citizens' trust in their own nation is compromised, they could be open to other kinds of manipulation, like "psyops" (psychological operations), the process of changing people's minds -- something Geers says Russian intelligence is particularly good at. Regardless of what skeptics believe, NATO officially declared cyberspace a domain for war in June, which would mean that an act of war in cyberspace would initiate a collective response by NATO allies. (Neither Russia nor Ukraine is a NATO member.) Geers says that governments will spend “ungodly” amounts to prepare the battle space for the military, and that he's sure they are investing heavily in ways to compromise military vehicles. "They're floating, driving, and flying computers at this point," he says. What has become clear to Geers and his co-authors of the NATO CCDCOE book is that as geopolitical tension rises, not only does the amount of malware traffic rise -- as Geers reported in 2014 -- but so does the number of sophisticated cyberattacks. Which one is driving the other? To this point, says Geers, geopolitics has been driving the cyber activity -- with both intelligence agents and opportunistic financially driven attackers upping their game when the action gets hot. However, he says, “the ubiquity of computers will mean they’ll begin to play a lead role.”

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Government Should Publicly ID Cyberattackers, Ex-US Intel Chief Says

Michael Rogers believes acknowledgement will help insurance companies defend against lawsuits. The former chair of the US House Intelligence Committee says the US government should publicly name perpetrators of cyberattacks so that private sector companies can defend against lawsuits effectively, reports FedScoop.
Speaking before the Stimson Center, Michael Rogers said such attribution would provide better legal protection to the victims. Rogers cited examples of cyberattacks on health insurers in which China was suspected to be responsible. "If the government had publicly come out and attributed who the attacker was, it would help the defense on those lawsuits," he said. However, former DHS deputy undersecretary Bruce McConnell argued that Rogers' contention "oversimplifies" the situation, and cyber insurance contains exclusions, and insurance companies offer coverage in line with current threats.


Diagnosis SOC-atrophy: What To Do When Your Security Operation Center Gets...

Whether it's due to lack of attention, poor capital planning or alert fatigue, there are lots of reasons why a SOC can become unhealthy. Here's how to make it better.

Congratulations, you’re the new CISO! Whether you have served in the role previously or it’s new to you, you’ll be asked to observe your new organization, to develop a 100-day plan, to evaluate people, processes, and technology, and of course you’ll need to tell the CEO where you would attack the organization and how you will protect against that.
It’s a daunting and exciting task to be the new CISO. There is so much to observe and learn before you can formulate a plan of action. You are inundated with learning the new organization from the CISO’s chair.

Finally, the day comes when you tour the Security Operations Center. You are looking forward to this, because it’s operational; it’s where you fight the adversary: hackers with various forms of capabilities, motives, and sponsorship. Of course you want to see the chess match in action between your cyber analysts and threat actors. You look around: it looks like a SOC (analysts at monitors), and then your SOC Director briefs you on manpower, processes, technology, annual budget, measures and metrics.

As the briefing continues your smile transitions to furrowed eye brows.

As you investigate, and question, and seek to understand, you can see what has happened: your SOC is sick. You have seen the symptoms before and you know the diagnosis. It’s SOC-atrophy.

SOC-atrophy: An omissive noun. 1. When your technology has remained dormant too long. 2. Unrefreshed cyber technology. 3. The absence of intelligence and heuristics. 4. Plagued by false positives.
Your SOC became sick for several reasons. The technology you have is antiquated and completely signature-based, best suited for static threats, not advanced threats. While signature-based solutions have a role, it’s a secondary protection role. The organization failed to keep up with technology and the evolving threat.

For years, the organization has relied on incremental funding.

This budget strategy has a typical result: a disparate mix of capabilities purchased individually as security silos without consideration for how the capabilities will work together.

The tools don’t work together. It’s an integration nightmare!

But SOC-atrophy is not a technology problem. As you sit down with your analysts, you observe that each analyst must be knowledgeable about several different tools and that they spend a lot of time collecting data and alerts. You observe the waterfall of alerts overflowing your analysts with data -- mostly false positives.

The analysts have alert fatigue; they just can’t keep up. The bottom line: the organization didn’t see the evolution of the threat, didn’t keep up with technology, and has not figured out how to use threat intelligence, much less integrate intelligence as a key enabler.

The old technology in your SOC was the right decision for a different time, but not for today. Capital planning for cyber investment has also been a challenge.

Typically SOCs are developed and funded piecemeal, a silo of capability at a time.

The effect is that the tools are hard to integrate or don’t integrate at all, which in turn makes it virtually impossible for an analyst to perform. Whether it has been lack of attention, inadequate measurement of effectiveness, poor capital planning, or alert fatigue, there are several ways for a SOC to become sick. Your goal now is to bring it back to a healthy state. Here are five strategies to overcome SOC-atrophy.

1. Research to understand all SOC investments. You need to analyze each tool’s cost and effectiveness, and then prioritize the value of what you have. You will want to keep the best value, and get rid of the lower value, higher cost solutions. This is your available trade space.

2. Perform a SOC-focused assessment. This will gauge operational effectiveness and highlight gaps. Knowing your current health is a relatively low-cost endeavor and helps you in building a business case for investments to close the gaps.

3. Study the threat landscape. From CEO to cyber analysts, your organization needs to clearly understand the threat landscape and how the threat is escalating. This understanding will help you focus on the technology, expertise, and intelligence you need to protect your organization.

4. Resist the urge to fund your tools piecemeal. Develop the business case for an integrated platform with the ability to visualize web, email, file servers, endpoints, mobile, and SIEM in one picture, enabling the ability to detect and remediate threats earlier in the kill chain. The board needs to understand the business case for an integrated platform.

5. Encourage cross-organizational collaboration. It’s critical to build partnerships for vetting the business case and gaining consensus on your SOC plans. Spend quality time with your fellow IT executives and other business leaders to discuss, at a strategic level, what you are working on, your timeline, and your forthcoming proposal. There is no greater feeling than going into a board meeting with many of the members clearly in your corner.

Lance Dubsky, CISSP, CISM, is Chief Security Strategist, Americas, at FireEye and has over two decades of experience planning, building and implementing large information security programs.

Before joining FireEye, he served as the Chief Information Security Officer at two ...

A Closer Look At Microsoft's Proposed Norms For Cybersecurity

Microsoft last month outlined steps companies can take to collaborate on cybersecurity, following its proposed norms for nation-states. Microsoft has a clear view on cybersecurity norms: global information and communications technology (ICT) companies, like nation-states, must also adhere to some agreed-upon norms. In a report headed up by Scott Charney, Microsoft’s corporate vice president for trustworthy computing, the company says that before international cybersecurity laws can be enacted, nation-states and global ICT companies must agree upon a set of norms.

The report maintains that it’s very risky for the world to enact cybersecurity laws because it lacks scenario experience. “This is really a new area,” says Bruce McConnell, global vice president of the EastWest Institute. “And as we move to the Internet of Things, it really doesn’t help to continue talking about doomsday scenarios.
I understand why people might be skeptical about cybersecurity norms, but it’s certainly a good place to start.” James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies, adds that the computer industry is still working through the Snowden effect. "We must find a way to build trust in the supply chain and norms are a good first step,” he says.

Microsoft issued a set of norms for nation-states about a year ago, and last month added norms for global ICT companies to the equation. Microsoft took its lead from the United Nations Group of Governmental Experts, which in a July 2015 report said that the private sector should contribute to the development of cybersecurity norms. The UN report noted that this approach followed other developments in the financial sector and the aviation industry, which have collaborated for many years to develop regulatory frameworks.

Here's a rundown of Microsoft’s proposed norms for nation-states as well as for businesses, along with a quick analysis of the proposals based on interviews with Bruce McConnell, James Lewis, and additional reporting:

1. Maintain trust.

Nation-States: Governments should not target global ICT companies to insert vulnerabilities (back doors) or take actions that would otherwise undermine public trust in products and services.

Global ICT: Companies should not permit or enable nation-states to adversely impact the security of commercial, mass-market ICT products.

Analysis: Apple tested this principle after it refused to cooperate in the FBI’s investigation of the San Bernardino shootings.

As a general principle, global companies can’t afford to be compromised by their home country government. While disputes will inevitably come up, and nation-states will continue to develop cyber weapons, setting this principle as an accepted norm stands as something global ICT companies can point to in a crisis.

2. Coordinated approach to vulnerability handling.

Nation-States: Governments should have a clear, principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.

Global ICT: Companies should adhere to coordinated disclosure practices for handling ICT product and service vulnerabilities.

Analysis: Microsoft has taken the lead with this since 2003 with Patch Tuesday, which takes place on the second Tuesday of every month.

Google has also stepped up its practices by issuing monthly vulnerability reports and patches.

And most other reputable global ICT companies have a formal patching schedule.

3. Stop proliferation of vulnerabilities.
Nation-States: Governments should exercise restraint in developing cyber weapons and should ensure that any that are developed are limited, precise and not reusable. Global ICT: Companies should collaborate to proactively defend against nation-state attacks and to remediate the impact of such attacks. Analysis: On the government front, the NSA and other intelligence agencies have found a reduction in the number of hacking incidents by the Chinese.
Some of the reduction could be the result of an agreement between presidents Barack Obama and Xi Jinping last fall, but US officials are still not clear if some of the hacking has left government and simply been passed to Chinese companies. One point is clear: The Chinese have acknowledged a cyber threat of their own internally and are more disposed to cooperate than in the past.

As far as ICT companies collaborating, Fortinet, Intel Security, Palo Alto Networks, and Symantec have formed the Cyber Threat Alliance, for example.

The companies aim to share threat information to protect industry from advanced cyber adversaries.

4. Mitigate the impact of nation-state attacks.
Nation-States: Governments should commit to nonproliferation activities related to cyber weapons. Global ICT: Global ICT companies should not traffic in cyber vulnerabilities for offensive purposes, nor should ICT companies embrace business models that involve proliferation of cyber vulnerabilities for offensive purposes. Analysis: Although some of the government-sponsored hacking may ease over time, it’s naïve to think that it will ever stop altogether.

The release of these norms attempts to put in place a set of ethical values that governments can follow.

The same holds true for ICT companies. While some companies make zero-day attacks available to customers for defensive purposes, as a general principle, it makes sense that ICT companies should not traffic in or aggressively deploy vulnerabilities to extract a ransom or in tandem with a government entity.

5. Prevent mass events.
Nation-States: Governments should limit their engagement in cyber-offensive operations to avoid creating a mass event. Global ICT: There is no corresponding norm for the Global ICT industry. Analysis: It remains to be seen to what extent governments will cooperate.

6. Support response efforts.
Nation-States: Governments should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace. Global ICT: Global ICT companies should assist public sector efforts to identify, prevent, detect, respond to, and recover from events in cyberspace. Analysis: At the federal level in the US, through the Cyber Information Sharing and Collaboration Program, the Department of Homeland Security has built a trusted environment for sharing cyber threat information with the private sector through formal Cooperative Research and Development Agreements.

As of July 2015, there were 125 agreements in place and DHS has already shared more than 28,000 indicators with these partners since the program’s inception. More are under way.

7. Patch customers globally.
Nation-States: No corresponding norm for nation-states. Global ICT: Companies should issue patches to protect ICT users, regardless of the attacker and their motives. Analysis: Global ICT companies can’t afford to favor companies in one country over companies in another.

Their allegiances are much broader than any one country or one government, so they can’t be seen as playing favorites.

As a general principle, they have to support the concept of patching a vulnerability when it appears, especially if it’s a customer under attack.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

China's Economic Cyber-Spying Drops Post Sept Talks: US Official

U.S. Assistant Attorney General John Carlin's statement finds support in FireEye report of a 90% fall in China-based hacking.

Cyber-espionage activities coming out of China appear to have dropped after September talks in which the country said it would stop supporting the hacking of US trade secrets, Reuters reports, quoting US Assistant Attorney General John Carlin. This statement finds support in a recent report from security firm FireEye, which witnessed a dramatic 90% drop in breaches by China-based groups in the last two years. Speaking at the Center for Strategic and International Studies think tank in Washington, Carlin said last year’s talks with China and Group of 20 nations were vital to a uniform cyber law. However, he says it remains to be seen how long this reduction in hacking activities will last.

Carlin added that private sector and US intelligence officers were "better positioned to assess hacking trends." Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

5 Things To Consider With A Threat Hunting Program

A change in mindset and the ability to think like a malicious hacker are two key requirements.

The constantly evolving ability of cyberattackers to get past even the most fortified of enterprise defenses has intensified pressure on organizations to develop better threat detection and response capabilities. One outcome of that focus is the growing interest in what many have taken to calling "threat hunting," the notion that it is better to proactively scour the network for malicious activity than simply to wait for something bad to happen first. A recent survey by the SANS Institute showed that many organizations are already engaged, to some extent, in threat hunting practices.

Eighty-six percent of the 494 IT professionals surveyed by SANS say they have implemented threat-hunting processes.

About 59% claimed that threat hunting had enhanced their incident response capabilities, while 75% credited the process with reducing their attack surface. David Bianco, a security technologist at Sqrrl Data Inc. who has developed a threat hunting maturity model, has described threat hunting as “the collective name for any manual or machine-assisted techniques used to detect security incidents.” Core to the process is the quality of data that is used for hunting, the tools that are available to access and analyze the data, and the skill levels of the analysts tasked with using the data to hunt down security threats, according to Bianco. The actual techniques that hunters might use to chase down an intruder can vary and it's difficult to point to a single approach as being the best, he noted. In fact, it is better for hunters to be familiar with a variety of methods so they know the most suitable one for a particular situation.

Here are five things to consider when implementing a threat hunting process in your organization:

Change Your Mindset

Threat hunting is less about new technologies and techniques than it is about a fundamental change in mindset, says Yonatan Striem Amit, chief technology officer and co-founder at Cybereason, a vendor of endpoint detection and response technologies. The emphasis is on using human smarts to ferret out malicious activity rather than relying solely on security alerting tools. Hunches and "gut-feel" play as much a part in threat hunting as indicators of compromise and other technology metrics and alerts. “Because of a general lack of understanding of what a complex attack looks like, there is often a huge amount of focus on how to prevent the initial break-in,” or on how and where an intruder might have broken in, Amit says. Less attention is paid to understanding what an intruder might do after the initial compromise. “To threat hunt, you have to acknowledge that attackers are probably getting past your existing defenses,” says Richard Stiennon, chief research analyst at IT-Harvest. “While you should never cease shoring up those defenses, you do have to look for adversaries that have defeated them. You do this by threat hunting." Amit likens the difference in attitude that is needed to the difference in approach taken by traffic police and criminal investigators when responding to incidents. “The working assumption when you are a traffic cop is that accidents happen because of inattention,” and other accidental causes, Amit says. “But when you are a cop working on a murder investigation, you assume the people involved have a malicious reason and you go and investigate that and understand why it happened," he says.

Think Like A Hacker

To be good at threat hunting you absolutely need to think like a malicious hacker would, Amit says.

For example, if your organization is the kind that measures success by how many trouble tickets you can close in an hour and how quickly you can remediate issues, there’s a good chance that attackers know that as well. “If I was running a hacking campaign, I would send a slew of known malware just to give you a lot of work. If you don’t have the habit of going down to the bottom of an event each time, I know you are going to be susceptible.” It is vital for organizations to realize that the initial intrusion is usually the easiest first step of a complex attack. Once you understand that, a lot of other things fall into place, he says. “You look into understanding how your adversary works, and the processes and motivations driving adversarial activities,” to know what they are likely to be doing on your network and where they are most likely going to be lurking, Amit says.

Stop Focusing Solely On The Malware

The malware that attackers use on your network is just a means to an end. So merely finding and eradicating malware samples is not enough. “Threat hunting is not just searching hosts for indicators of compromise,” says John Pescatore, director of emerging security trends at the SANS Institute. “In reality, that is nothing but host-based intrusion detection using a fancy name for signatures.” Threat hunting requires a combination of active threat monitoring and directed probing. “That is, I know how the active dangerous threats are operating, I know which of my assets they would target, and [whether they] are active against those assets,” Pescatore says. By focusing too much on finding malware, you also run the risk of overlooking malicious activities that are being carried out by attackers using legitimate tools and access credentials on your network, Amit cautions. Often, attackers who manage to gain initial access on a system will try to figure out a way to escalate privileges and quietly move around the network by leveraging PowerShell, Windows tools like WMI, and other similar capabilities. Malware detection tools cannot help spot such activity.

Make The Right Data Available

Good data and intelligence are key to an effective cyber-hunting capability, says Kris Lovejoy, president of security vendor Acuity Solutions. Data gathered by security systems, SIEM, and analytics platforms and network monitoring tools could provide a wealth of information on the health of a network. When properly vetted through the right filters, such data can play a vital role in helping threat hunters arrive at a more contextual understanding of what they might be seeing or chasing down on the network, she says. “Think about the job of cyber hunting as the same thing as monitoring photographs on Facebook for child pornography,” Lovejoy says.

The human staff on Facebook tasked with the job of monitoring photos sometimes have to make determinations based both on experience and on the intelligence gathered by Facebook’s systems to help them interpret what they are seeing. Threat hunting is all about piecing together disparate data to build a picture of an attack underway, Stiennon adds. “It could be unusual behavior reported by a UEBA [User and Entity Behavior Analytics] solution.
It could be a traffic spike or unusual connection identified by your netflow monitoring solution,” he says. Or it could be a hit on a piece of threat intelligence run against your SIEM or endpoint monitoring. “Beyond technology you need digital sleuths pulling the levers on all of these modern tools,” Stiennon says.

This is a role that is ideally filled by puzzle solvers and people who are inquisitive by nature.  Look for these traits anywhere in your IT department, he says. “Put them in front of a console that allows them to do link and graph analysis on lots of data.

Feed them lots of data.
Stand back and watch what happens.”

Do Crazy Ivans

Doing something unexpected is a good way to ferret out hidden intruders on your network, Lovejoy says. One example would be the digital equivalent of a Cold War era tactic called Crazy Ivan that was used by submarine commanders to detect if another submarine was hiding behind them in their wake.

The tactic involved abrupt hard turns and other maneuvers so a submarine following behind another would be exposed, Lovejoy says. One way to do the same thing in the digital world is to unexpectedly change passwords to see if someone is making password-cracking attempts, she says.

Another tactic is to clear DNS caches, which makes it easier to spot any compromised endpoints that then try to resolve the names of botnets and malicious servers, Lovejoy says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
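As an added illustration of the DNS cache-flush tactic Lovejoy describes (this is example code written for this page, not code from Dark Reading or from any vendor quoted in the article): once the caches are cleared, every endpoint has to re-resolve the names it is actively using, so the resolver log briefly shows each host's live set of destinations. The script parses constructed resolver log lines, keeps only queries inside a short window after the flush, and reports which clients resolved names on a constructed watchlist, along with how many distinct names each host re-resolved. The log format, the flush time, the client addresses, the watchlist domains and the window length are all assumptions.

```python
"""Hunt for post-flush DNS resolutions (added example; all data constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log. Assumed format:
#   "<ISO time> client=<ip> qname=<name> qtype=<type>"
SAMPLE_LOG = """\
2016-06-01T09:58:10 client=10.0.0.11 qname=intranet.example.local qtype=A
2016-06-01T09:59:02 client=10.0.0.27 qname=updates.example.com qtype=A
2016-06-01T10:00:00 client=10.0.0.11 qname=intranet.example.local qtype=A
2016-06-01T10:00:04 client=10.0.0.27 qname=c2-relay.bad.example qtype=A
2016-06-01T10:00:05 client=10.0.0.27 qname=c2-relay.bad.example qtype=A
2016-06-01T10:00:07 client=10.0.0.42 qname=updates.example.com qtype=A
2016-06-01T10:00:09 client=10.0.0.42 qname=beacon.bad.example qtype=TXT
2016-06-01T10:00:31 client=10.0.0.11 qname=mail.example.com qtype=MX
"""

# Constructed watchlist: names a threat-intel source has tied to botnet C2.
WATCHLIST = {"c2-relay.bad.example", "beacon.bad.example"}

# When the caches were cleared (assumption for the sample data).
FLUSH_AT = datetime(2016, 6, 1, 10, 0, 0)


def parse_line(line):
    """Return (timestamp, client, qname, qtype), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        qname = fields["qname"].lower().rstrip(".")
        return ts, fields["client"], qname, fields["qtype"]
    except (ValueError, KeyError):
        return None


def hunt(log_text, watchlist, flush_at, window_seconds=60):
    """Summarise the resolution burst that follows a cache flush.

    Returns {'hits': {client: sorted watchlisted names it resolved},
             'activity': {client: number of distinct names it re-resolved}}.
    Only queries from flush_at up to flush_at + window_seconds are counted;
    anything earlier is pre-flush noise that the cache would normally hide.
    """
    hits = defaultdict(set)
    names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        delta = (ts - flush_at).total_seconds()
        if delta < 0 or delta > window_seconds:
            continue
        names[client].add(qname)
        # Exact match or a subdomain of a watchlisted name.
        if any(qname == d or qname.endswith("." + d) for d in watchlist):
            hits[client].add(qname)
    return {
        "hits": {c: sorted(v) for c, v in hits.items()},
        "activity": {c: len(v) for c, v in names.items()},
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG, WATCHLIST, FLUSH_AT)
    for client, domains in sorted(result["hits"].items()):
        print(f"{client} resolved watchlisted names after the flush: {', '.join(domains)}")
    for client, count in sorted(result["activity"].items()):
        print(f"{client} re-resolved {count} distinct name(s)")
```

Run it as a script to print the post-flush hits, or import it and call hunt() on an export of your own resolver log. The watchlist check treats a subdomain of a listed name as a match, and the activity count is useful on its own: a host that re-resolves far more names than its peers right after a flush is worth a closer look even when none of them is on the list.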

Ukraine's Central Bank Issued Hacking Alert In April

Country's chief financial body told lenders to strengthen security in wake of cyberattack on bank via SWIFT. The central bank of Ukraine issued an alert on April 28 to lenders in the country to review their security procedures after hackers attempted a theft at an unidentified Ukraine bank, according to a confidential message received by Reuters. The note alleged the incident involved a compromise of the SWIFT messaging system similar to the recent Bangladesh Bank cyber heist, but did not say if the theft was successful. Hackers had transferred $81 million out of Bangladesh Bank’s account with New York Federal Reserve earlier this year by sending fraudulent messages on the SWIFT network. The central bank notice, says Reuters, reported that the Ukraine bank incident came to light following SWIFT’s alert to its customers about fraudulent activities on its messaging system. SWIFT said it is working on improving security and has told banks to improve information sharing. Read more at Reuters.

How To Use Threat Intelligence Intelligently

Sometimes it's about a beer, but it's mainly about being prepared before opening the threat intel floodgates.

Sometimes the best threat intelligence strategy is to not bother adopting it at all. “You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.” Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive. Think of adding threat intelligence to the security operation as a commitment: “You need to take it on as a project and it’s a commitment to looking at what you [really] need. You can’t just go buy it. You have to look at the data and what you have internally and how you apply it,” says David Dufour, senior security architect at Webroot. “If you don’t have the available resources to work with it, then you’re wasting your money.” That money is then better off spent on incident response, he says. It’s about smart threat intelligence strategy, security experts say.

Take It Slow, Have a Beer

Intel-sharing’s humble roots began with security pros and executives from different companies in the same industry or region getting together over a beer or dinner, face-to-face, to swap their attack or threat war stories. Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC), joked during virtual event session chat that “beer = first-generation cyber threat intel sharing platform.” It’s true.

The early days of intel-sharing were mainly face-to-face, phone calls, or emails.

And that’s still the mode of operation for many organizations. How organizations collect and use threat intel depends on who they are, says Wendy Nather, research director of The Retail Cyber Intelligence Sharing Center (R-CISC), an intel-sharing group made up of retailers, restaurants, grocers, hotel chains and retail suppliers. Nather, who was also a panelist on the threat intel panel at this week’s virtual event, says sharing often starts with a social meetup after-hours in a more unofficial capacity. “It starts as gossip, you know somebody at another organization and you get together for a beer and talk about what you’ve seen,” she said. “The challenge is getting all sharing more formalized, open, and more organized. We try to support whatever we can from the Soltra structured data feed through the unstructured discussions.” Company A’s security manager tells Company B’s over a couple of IPAs that he saw a specific IP address serving up a specific amount of traffic, and the attacker shifted gears to “low and slow” once he realized he’d been spotted.

That’s a useful bit of intel for Company B, but then there’s the process of taking action: “It’s hard to put that into structured data, but it’s extremely valuable when you can tell that story and other people in other organizations can add to that story,” Nather explained. When adopting threat intel feeds and ingesting that information, take it slowly at first.

Anomali’s Trost says he often sees organizations taking in too much data and getting overwhelmed.

They’re typically under pressure from management that “we need to get into threat intelligence,” so they go all in and end up drowning in false positives and events they can’t respond to, he said. “That’s the biggest mistake we see.”

A better approach is to start slowly with an intel feed or two, assess how the organization is able to respond to the threats, and then gradually ramp up. “You may have to pivot to different [intel] providers, or processes, to make sure you’re doing it in increments, but moving forward and increasing your capability” to use and take action on the threats, said Adam Meyer, chief security strategist at SurfWatch Labs and a panelist at the virtual event.

Needs vs. Wants

Webroot’s Dufour says before taking in threat intelligence, there’s a soul-searching stage of analyzing what you want to get from the feeds as well as what you need to protect.

And sometimes, you get what you pay for. “There’s bad threat intelligence out there.
It could cost you more to get good threat intelligence, but you may not [then] need to hire three extra people” to triage and apply it, he says. Beware of dated intel data, or the data going stale before you can actually convert it into a defensive action that thwarts a would-be attack. “What exactly is the data you’re getting and what’s the timeframe reference” it’s related to, Soltra’s Clancy said. Some indicators of compromise (IOCs) are that way: they have a shelf life, as attackers shift their command-and-control servers, IP addresses, and malware variants to evade detection. The Holy Grail for threat intelligence, like anything in security, is automation, of course, but not all organizations are equipped to go there just yet. “Try to remove humans from every possible place it makes sense” in threat intel, Anomali’s Trost advised. SurfWatch Labs’ Meyer says to know why you’re collecting certain threat intel data and for what purpose. “You need clarity and context, situational awareness around threats. You need a methodology structure around collection – some instances at the machine level, correlating against tools specializing in that area, the actor’s motivations in your industry … compare that information to your own processes.

Are you well-defined in those processes or not?” It’s not just about sharing technical indicators of a threat actor, but also the techniques they use, to flip the equation and put a little economic squeeze on them, according to Meyer. “Maybe [the attacker] now has to write 50 to 70 pieces of malware instead of one” to attack a vertical industry, for example, he said. He breaks threat intel “consumers” of information into three groups. “Defense is the low layer, practical, on-the-wire information to defend the organization with context, situational awareness and correlation.

Then there’s the operational level: the campaigns and actor motivations … are they targeting their industry or not? This is pure intel disciplines,” he said.

At the top is the strategic layer, the people in the organization who are evaluating the overall security strategy and evaluating its effectiveness. Bottom line: threat intelligence is not the endgame. “Threat intelligence empowers decision-making.
It’s not the end goal in itself,” says Adam Vincent, CEO of ThreatConnect. “Similar to business intelligence, threat intelligence has the power to support all different kinds of [things] and people and make faster and more accurate decisions across the security organization.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
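To make concrete the shelf-life point Clancy and Meyer raise above (stale IOCs, and removing humans from the loop where it makes sense), here is an added example written for this page; it is not code from Anomali, Soltra, SurfWatch Labs, ThreatConnect or Dark Reading. Each indicator type gets an assumed time-to-live that reflects how quickly attackers rotate it, indicators last seen outside that window or below a confidence floor are set aside, and only the remainder is matched against constructed events. Feed fields, TTL values, the confidence threshold, the reference date and every address, domain and hash are assumptions.

```python
"""Apply a shelf life to indicators before acting on them (added example)."""
from datetime import date, timedelta

# Assumed time-to-live per indicator type, in days. Addresses rotate fastest,
# file hashes hardly at all; tune these to the churn you observe in your feeds.
TTL_DAYS = {"ipv4": 14, "domain": 30, "url": 30, "sha256": 365}

# Reference date for the constructed data below (assumption).
AS_OF = date(2016, 6, 1)

# Constructed feed records: (value, type, confidence 0-100, last_seen ISO date).
FEED = [
    ("203.0.113.45", "ipv4", 90, "2016-05-30"),
    ("198.51.100.7", "ipv4", 85, "2016-03-02"),       # months old: likely rotated
    ("c2-relay.bad.example", "domain", 80, "2016-05-20"),
    ("0" * 64, "sha256", 95, "2015-11-11"),            # constructed hash stub
    ("paste.example.net/x", "url", 40, "2016-05-31"),  # fresh but low confidence
]

# Constructed events to check: (event_id, field_type, observed_value).
EVENTS = [
    ("e1", "ipv4", "203.0.113.45"),
    ("e2", "ipv4", "198.51.100.7"),
    ("e3", "domain", "C2-Relay.bad.example"),
    ("e4", "domain", "updates.example.com"),
    ("e5", "url", "paste.example.net/x"),
]


def is_fresh(ioc_type, last_seen, today, ttl_days=TTL_DAYS):
    """True if the indicator was last seen within its type's TTL."""
    ttl = ttl_days.get(ioc_type)
    if ttl is None:
        return False  # unknown type: never act on it blindly
    return (today - date.fromisoformat(last_seen)) <= timedelta(days=ttl)


def load_actionable(feed, today, min_confidence=70):
    """Return {(type, value): confidence} for indicators worth matching on."""
    usable = {}
    for value, ioc_type, confidence, last_seen in feed:
        if confidence < min_confidence:
            continue
        if not is_fresh(ioc_type, last_seen, today):
            continue
        usable[(ioc_type, value.lower())] = confidence
    return usable


def match_events(events, actionable):
    """Return [(event_id, value, confidence)] for events hitting fresh indicators."""
    matches = []
    for event_id, field_type, value in events:
        key = (field_type, value.lower())
        if key in actionable:
            matches.append((event_id, value, actionable[key]))
    return matches


def expired_indicators(feed, today):
    """List the indicator values the TTL rule set aside, for reporting."""
    return [v for v, t, _, last_seen in feed if not is_fresh(t, last_seen, today)]


if __name__ == "__main__":
    actionable = load_actionable(FEED, AS_OF)
    for event_id, value, confidence in match_events(EVENTS, actionable):
        print(f"{event_id}: {value} (confidence {confidence})")
    print("expired, not acted on:", expired_indicators(FEED, AS_OF))
```

With the constructed data, only the two-day-old address and the twelve-day-old domain produce matches; the three-month-old address is expired and the low-confidence URL never enters the match set, so neither triggers a response. Re-running load_actionable() on each feed refresh is what lets an indicator age out automatically instead of waiting for an analyst to notice it is stale.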

Black Hat USA 2016: Beware of Malware

Over 430 million new pieces of malware were discovered last year, a 36% increase from the previous year (according to Symantec). Malware attacks are projected to rise in volume and frequency. Hackers are becoming more skilled at detecting vulnerabilities and commonly use malware as their method of attack.
It is critical to be aware of the current malware threats and learn how you can defuse potential exploits. O-checker: Detection of Malicious Documents Through Deviation from File Format Specifications describes a powerful tool, o-checker, that specializes in identifying documents containing malware-infected executable files. O-checker detected 96.1% of malicious files hidden in targeted email attacks in 2013 and 2014.

Targeted email attacks normally inject malware into various document formats.

This talk will examine the techniques used for hiding infected files and disclose why o-checker is projected to maintain a high malware detection rate.

Next-Generation of Exploit Kit Detection by Building Simulated Obfuscators reveals that exploit kits are driving epidemic levels of malware delivery.

Each exploit kit has an obfuscator, which transforms malicious code into obfuscated code to bypass firewall detection. Many researchers examine the obfuscated page instead of the obfuscator itself, since purchasing an obfuscator that was used by an exploit kit is incredibly expensive.

This Briefing will introduce a cost-effective method of building simulated obfuscators to conduct in-depth examinations and reduce malware attacks.

An AI Approach to Malware Similarity Analysis: Mapping the Malware Genome With a Deep Neural Network introduces a new method of detecting malware code, which is easier to manage and more efficient than traditional systems.
Standard malware detection systems require constant, manual effort in adjusting the formula to identify malware similarities.

This new malware detection approach significantly reduces manual adjustments in the formula and is the first to use deep neural networks for code sharing identification.

This talk will explain how the new malware detection approach operates and provides examples of its improved accuracy. If you’re interested in a hands-on experience detecting malware, Hunting Malware Across the Enterprise teaches students how to track malware without having an obvious starting point.

This nearly sold-out Training will dive deep into the threat landscape, indicators of compromise, and scripting, all of which will help in your search for malware.
If you want to take a highly-technical course that challenges malware defense mechanisms, check out Advanced Malware Analysis.

This Training teaches students how to combat anti-disassembly, anti-debugging and anti-virtual machine techniques.

To stay up-to-date with the latest information security research, take a look at the Briefings and Trainings we’ve lined up for Black Hat USA 2016. We hope you join us at Mandalay Bay in Las Vegas, Nevada, July 30-August 4 for the biggest week in InfoSec.

Building Black Hat: Locking Down One Of The World’s Biggest Hacking...

For security pros, being asked to help secure Black Hat is like being asked to be on the Olympic basketball team.

As with most networks, the infrastructure requirements for Black Hat are constantly evolving. This year, show management wants to increase bandwidth and performance while maintaining security and reliability. So Black Hat 2016 is moving away from the switching technology provided by Mandalay Bay and implementing secure, high-performance switches, along with enterprise firewall security appliances and wireless access points. Providing security for an event like Black Hat, especially when it is followed directly by DefCon, is a significant challenge. Our security team, along with the folks from UBM and the amazing Black Hat volunteers, begins reviewing the show’s architecture and scoping out the security strategy several months before the event.

From a security perspective, the network design is very similar to a university with open networks and datacenter-like applications.
Onsite setup begins several days before the show events start. We begin with establishing Internet connectivity and core infrastructure deep in the lower levels of the Mandalay Bay.

Then we quickly make our way upstairs and work with the show infrastructure team to establish a Security Operations Center (SOC) that showcases all of the security technology in use by the event.

As we work closer to the official show start, secure wireless is installed along with L2 switching across the venue to provide security and connectivity for all of the event users. We then need to secure the proprietary applications and data used by the show to register attendees, process financial transactions, and manage sensitive data and personal information. Using the segmentation functionality built into the firewalls is a critical part of the security design. The next objective is to create a segmented environment in which the world's elite programmers and hackers can play, while still protecting the network, attendees, vendors, and presenters.

The challenge is in creating a robust and open environment, while still securing the Black Hat event as a whole. This is easier said than done, as the security team needs to actively monitor the network and make careful decisions about the kinds of traffic and malware being seen.

Frequently, traffic that would send an enterprise security manager running through the halls is allowed to pass through and propagate, which keeps everyone on our team on their toes.

In addition to all of the device configuration, physical security is absolutely essential.

Efforts need to be made to prevent attackers from gaining physical access to the networking devices, and precautions must be put in place that will prevent them from gaining further system access if they do. Finally, we provide constant active monitoring and penetration testing both before and during the show, and gather forensic data so we can update and improve show security both in real time and in anticipation of future events. (Stay tuned for an article from our pen testing team about what we learned from last year, and the kind of testing and active monitoring we are planning for this year’s event.)

Being asked to help secure Black Hat is a bit like being asked to be on the Olympic basketball team.
It’s not only gratifying to be invited, but it is also exciting to be able to work and play with some of the best folks in the industry.

This year is no exception.

Aamir Lakhani is a cyber security researcher and practitioner with Fortinet and FortiGuard Labs, with over 10 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani ...

The Attribution Question: Does It Matter Who Attacked You?

Everyone will ask whodunnit, but how can an organization put that information to practical use during disaster recovery and planning for the future? In normal life crises, the jump to assess blame is often the emotional reaction, but rarely the appropriate reaction.

Assessing blame for who hit you with a cyberattack, however -- if not the individual, at least the general classification -- could be effective, if not essential to your recovery efforts, according to speakers at a Dark Reading Virtual Event Tuesday. We asked speakers flat-out, "does attribution matter?"

Does it matter?

"It depends," said Mark Potter, principal systems security officer for Strategic Health Solutions. "It really depends, on the size and budget of your organization, the value and type of the assets, and types and frequency of attacks." If you don't have the internal skill set to go hunting for an attacker or the funds to hire outside contractors, says Potter, then it's more important to get the business back to normal. If you've got the resources, though, there are areas where accurate attacker attribution can help. For one: damage assessment.

Attribution is "key to trying to understand the extent of the damage and where else you should be looking," said Toni Gidwani, director of research operations at ThreatConnect.

To make sure you've found all the places the attackers have reached, infected, damaged or stolen from, she said, the forensics team can be helped by the extra context, like knowing what particular exploit kits to hunt for.

Dmitri Alperovitch, CTO and co-founder of CrowdStrike, added that attribution helps assess the damages from a business perspective. "If your data has been stolen, who has it -- is it a competitor or is it a cybercriminal who may resell that data? ... Who's coming after you and why can be a very important question."

Some businesses have begun to ask, said Alperovitch, to know more about the character of certain ransomware operators. When deciding whether or not to pay a ransom request, victims want to know whether this is an operator with a history of delivering on their promise to restore access to locked data, or the type that just takes the money and runs.

Knowing the identity of attackers also impacts the design of security programs going forward.

According to Alperovitch and Gidwani, the difference between an opportunistic attacker and a targeted attacker, or the difference between a destructive attacker and an intellectual property thief, will change the sort of decisions you make about your defense.
Some attackers move on quickly, while others come back if they didn't finish a job.

They may aim for a variety of data, systems, or users. "The better you know, the better you can allocate those funds to protect those assets," said Andrew Wild, chief security officer of Lancope. Knowing this information can also be used to get better buy-in and smarter investment from above, according to Wild.

Why did we get better at attribution?

There is still a lot of progress to be made in attribution -- some attributions are still announced with only low or moderate confidence. However, a great deal of progress has been made in the past couple of years. Why?

Attribution is getting better because security got better, says Alperovitch. "It used to be that adversaries were inside networks for literally years. Now we're catching more and more intrusions, we're actually building up an encyclopedia, if you will, of tradecraft on what we've seen for different adversaries," he said, "how they operate, what their motivations are.

And you start building the profiles and the modus operandi for the adversary so when you see them again, you know who you're dealing with."

Better attribution, however, has had its own impacts. Knowing with high confidence that one nation-state launched a cyberattack on another can create or exacerbate socio-political conflicts, and not all regions have equal attribution capabilities (according to Richard Bejtlich in a Dark Reading interview last year). Alperovitch commented that it was "really remarkable to watch" cybersecurity become the top issue of a meeting between two world leaders, when President Barack Obama and President Xi Jinping of the People's Republic of China met last year.

Gidwani added that better attribution is "starting to open up these non-technical responses for our political leaders." The ability to respond to cyber espionage or destructive attacks with trade sanctions, for example, is, says Gidwani, a "step forward."
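The panel's description of building profiles of adversary tradecraft, and Gidwani's point that attribution tells forensics where else to look, can be made concrete. The following is an added example, not code from Dark Reading, the speakers or their companies: it matches the techniques observed in one intrusion against a small library of adversary profiles, scores the overlap with rarer techniques weighted more heavily, labels the result with a confidence level, and lists the top profile's techniques that have not yet been seen in this intrusion. The actor labels, profile contents and both observed-intrusion sets are constructed for illustration; the technique IDs use MITRE ATT&CK numbering, but the thresholds for "high", "moderate" and "low" are an assumption of this example, not a standard.

```python
"""Score an intrusion's observed tradecraft against stored adversary profiles.

Added example: the profiles, actor labels and observed technique sets below are
constructed for illustration and are not real threat-intelligence data.
"""
import math
from collections import Counter

# Constructed profiles (hypothetical actors): each maps a placeholder label to
# the MITRE ATT&CK technique IDs seen across that actor's past intrusions.
PROFILES = {
    "ACTOR-ALPHA": {"T1566.001", "T1203", "T1027.002", "T1105", "T1005", "T1041"},
    "ACTOR-BRAVO": {"T1566.001", "T1189", "T1059.001", "T1105", "T1005"},
    "ACTOR-CHARLIE": {"T1566.001", "T1059.001", "T1486", "T1490"},
}

# Assumed thresholds (not a standard): (minimum score, minimum margin over the
# runner-up). A candidate is "high" only when it scores well AND is clearly ahead.
HIGH = (0.6, 0.2)
MODERATE = (0.4, 0.1)


def technique_weights(profiles):
    """IDF-style weights: a technique every profile uses (e.g. spearphishing
    attachments) says little about who did it; one unique to a profile says more."""
    n = len(profiles)
    doc_freq = Counter(t for techs in profiles.values() for t in techs)
    return {t: math.log(1 + n / c) for t, c in doc_freq.items()}


def score_profile(observed, profile, weights):
    """Weighted Jaccard similarity between the observed and profile technique sets.
    Techniques absent from every profile get weight 1.0 so they still dilute the score."""
    shared = sum(weights.get(t, 1.0) for t in observed & profile)
    union = sum(weights.get(t, 1.0) for t in observed | profile)
    return shared / union if union else 0.0


def attribute(observed, profiles=PROFILES):
    """Rank profiles against an observed technique set and label the confidence.

    Returns the top candidate, its score, the margin over the runner-up, a
    confidence label, the full ranking, and 'hunt_for': techniques in the top
    profile not yet observed in this intrusion, i.e. where else to look."""
    observed = set(observed)
    weights = technique_weights(profiles)
    ranked = sorted(
        ((score_profile(observed, techs, weights), name) for name, techs in profiles.items()),
        reverse=True,
    )
    top_score, top = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    margin = top_score - runner_up
    if top_score >= HIGH[0] and margin >= HIGH[1]:
        confidence = "high"
    elif top_score >= MODERATE[0] and margin >= MODERATE[1]:
        confidence = "moderate"
    else:
        confidence = "low"
    return {
        "candidate": top,
        "score": round(top_score, 3),
        "margin": round(margin, 3),
        "confidence": confidence,
        "ranked": [(name, round(s, 3)) for s, name in ranked],
        "hunt_for": sorted(profiles[top] - observed),
    }


# Constructed observed intrusions (not real cases).
# 1: spearphishing attachment, client-side exploit, packed payload, tool download,
#    local data collection -- a distinctive chain.
INTRUSION_TARGETED = {"T1566.001", "T1203", "T1027.002", "T1105", "T1005"}
# 2: only commodity tradecraft that several profiles share.
INTRUSION_COMMODITY = {"T1566.001", "T1059.001"}

if __name__ == "__main__":
    for label, obs in (("targeted", INTRUSION_TARGETED), ("commodity", INTRUSION_COMMODITY)):
        r = attribute(obs)
        print(f"{label}: {r['candidate']} score={r['score']} margin={r['margin']} "
              f"confidence={r['confidence']} hunt_for={r['hunt_for']}")
```

The distinctive chain lands on ACTOR-ALPHA at high confidence and tells the forensics team to go looking for exfiltration over the C2 channel (T1041), which has not been found yet; the commodity-only intrusion produces a low-confidence result because its techniques are shared by several profiles, which is exactly the case the panel warns about. In practice the profiles would come from the organization's own incident history or a vendor's tradecraft library, and the thresholds would be tuned against past cases rather than fixed as here.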

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...