Thursday, August 17, 2017

Millions of Stolen US University Email Credentials for Sale on the...

Researchers find booming underground market for stolen and fake email credentials from the 300 largest universities in the US.

DoD Taps DEF CON Hacker Traits For Cybersecurity Training Program

Famed capture-the-packet contest technology will become part of DoD training as well.

The Defense Department for the second year in a row sent one of its top directors to DEF CON in Las Vegas this month, but it wasn’t for recruiting purposes. So what was Frank DiGiovanni, director of force training in DoD’s Office of the Assistant Secretary of Defense for Readiness, doing at DEF CON? “My purpose was to really learn from people who come to DEF CON … Who are they? How do I understand who they are? What motivates them? What sort of attributes” are valuable to the field, says the former Air Force officer and pilot, who heads overall training policy for the military.

DiGiovanni interviewed more than 20 different security industry experts and executives during DEF CON. His main question: “If you’re going to hire someone to either replace you or eventually be your next cyber Jedi, what are you looking for?” The DEF CON research is part of DiGiovanni’s mission to develop a state-of-the-art cyber training program that ultimately helps staff the military as well as private industry with the best possible cybersecurity experts, and to fill today’s infamous cybersecurity skills gap.

The program likely will employ a sort of ROTC-style model in which DoD trains the students and they then owe the military a certain number of years of employment. With the help of DEF CON founder Jeff Moss, DiGiovanni over the past year has met with, and picked the brains of, seasoned hackers and the people who hire them about the types of skills, characteristics, and know-how needed for defending organizations from today’s attackers. DiGiovanni, who is also responsible for helping shape retention and recruitment policy efforts in the DoD, has chatted with CEOs of firms that conduct penetration testing, as well as with pen testers and other security experts themselves, to get a clearer picture of the types of skills DoD should be teaching, testing, and encouraging in future cybersecurity warriors and civilians.

This is the second phase of the development of a prototype cyber training course he spearheads for DoD at Fort McNair: the intensive six-month prototype program currently consists of 30 students from all branches of the military as well as from the US Department of Homeland Security. It’s all about training a new generation of cybersecurity experts.

The big takeaway from DiGiovanni’s DEF CON research: STEM, aka science, technology, engineering, and mathematics, was not one of the top skills organizations look for in their cyber-Jedis. “Almost no one talked about technical capabilities or technical chops,” he says. “That was the biggest revelation for me.” DiGiovanni compiled a list of attributes for the cyber-Jedi archetype based on his interviews.

The ultimate hacker/security expert, he found, has skillsets such as creativity and curiosity, resourcefulness, persistence, and teamwork, for example. A training exercise spinoff of DEF CON’s famed capture-the-packet (CTP) contest also will become part of the DoD training program.

DiGiovanni recruited DEF CON CTP and Wall of Sheep mastermind Brian Markus to repurpose his capture-the-packet technology as a training exercise module. “In October, he will submit to the government a repackaged capture-the-packet training capability for DoD, which is huge,” DiGiovanni says.

Also on tap is a capture-the-flag competition, DoD-style, he says. One of the security experts DiGiovanni met with at DEF CON this year was Patrick Upatham, global director of advanced cybersecurity at Digital Guardian. “I was a little apprehensive at first,” Upatham says. “After learning what they are doing and the approach that they are taking, it totally made sense.” “He [Frank] is looking for a completely different mindset and background, and [to] then train that person with the technical detail” to do the job, Upatham says. “They are looking for folks who are more resourceful and persistent, and creative in their mindset.” DoD’s training program is about being more proactive in building out its cybersecurity workforce.

That’s how it has to work now, given that more than 200,000 cybersecurity jobs were left unfilled last year overall.

DoD’s Cyber Mission Force is calling for some 6,200 positions to be filled. The goal is to train that workforce in both offensive and defensive security skills.

That means drilling down on the appropriate problem-based learning, for example.

The current prototype training program doesn’t require a four-year degree, and it’s more of a “journeyman apprentice” learning model, DiGiovanni says. About 80% or so is hands-on keyboard training, he says, with the rest lecture-based. “A lot of the lectures are by the students themselves, with a learn-by-teaching model,” he says.

From 'Cable Dog' To Hax0r

DiGiovanni gave an example of one student in the DoD training program who came in knowing nothing about security.

The young man was a self-professed “cable dog” at Fort Meade, a reference to his job of pulling cable through pipes.

But when he finished the six-month DoD course, he was reverse-engineering malware. “When he came to the course, he didn’t know what a ‘right-click’” of a mouse was, nor did he have any software technology experience, DiGiovanni recalls. “To me, that’s a heck of a success story.” The next step is determining how to scale the DoD training program so that it can attract and train enough cyber warriors for the future.

The goal is to hand off the training program to a partner organization to run it and carry it forward, possibly as early as this fall, he says. Meantime, DiGiovanni says the DEF CON hacker community is a key resource and potential partner. “The security of our nation is at stake. I think it’s imperative for DoD to embrace the DEF CON community because of the unique skill they bring to the table,” he says. “They want to serve and contribute, and the nation needs them.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

And Now a Ransomware Tool That Charges Based On Where You...

Malware is designed to charge more for victims in countries with a higher cost of living, Recorded Future says.

Donald Trump's Hotel Chain Hacked Again: Report

Hotel chain reportedly faces yet another breach in less than a year.

US Republican presidential candidate and businessman Donald Trump's chain of luxury hotels may have suffered another data breach of its customer payment information, according to a KrebsOnSecurity report. Trump's organization is currently probing the claims. “We are in the midst of a thorough investigation on this matter. We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly,” the organization said in a statement provided to KrebsOnSecurity.

According to the sources in the article, fraudulent patterns on customer credit cards indicate that hotel customers' credit card information had been breached at some, and possibly all, of Trump's hotel chain locations. This is the second time Trump's luxury hotel properties have been hit by card breaches. In July of last year, KrebsOnSecurity reported a potential breach of the credit card information system at Trump properties, which the Trump Hotel Collection officially confirmed in October. Read the complete KrebsOnSecurity report here.


After Election Interference, RSA Conference Speakers Ask What Comes Next

Election-tampering called 'a red line we should not allow anyone to cross.'

FBI Highlights BEC, Tech Support Scams, Ransomware Concerns

The 2016 Internet Crime Report found tech support fraud, business email compromise, and ransomware were major fraud categories last year.

Inside the Motivations Behind Modern Cyberattackers

Attackers seeking money, dominance, and data are banding together and sharing infrastructure to target businesses.

5 Things To Consider With A Threat Hunting Program

A change in mindset and the ability to think like a malicious hacker are two key requirements.

The constantly evolving ability of cyberattackers to get past even the most fortified enterprise defenses has intensified pressure on organizations to develop better threat detection and response capabilities. One outcome of that focus is the growing interest in what many have taken to calling "threat hunting," the notion that it is better to proactively scour the network for malicious activity than to simply wait for something bad to happen first. A recent survey by the SANS Institute showed that many organizations are already engaged in threat hunting practices to some extent.

Eighty-six percent of the 494 IT professionals surveyed by SANS say they have implemented threat-hunting processes.

About 59% claimed that threat hunting had enhanced their incident response capabilities, while 75% credited the process with reducing their attack surface. David Bianco, a security technologist at Sqrrl Data Inc. who has developed a threat hunting maturity model, has described threat hunting as “the collective name for any manual or machine-assisted techniques used to detect security incidents.” Core to the process are the quality of the data used for hunting, the tools available to access and analyze that data, and the skill levels of the analysts tasked with using the data to hunt down security threats, according to Bianco. The actual techniques that hunters might use to chase down an intruder can vary, and it's difficult to point to a single approach as the best, he noted.
In fact, it is better for hunters to be familiar with a variety of methods so they know the most suitable one for a particular situation. Here are five things to consider when implementing a threat hunting process in your organization:

Change Your Mindset

Threat hunting is less about new technologies and techniques than it is about a fundamental change in mindset, says Yonatan Striem Amit, chief technology officer and co-founder at Cybereason, a vendor of endpoint detection and response technologies. The emphasis is on using human smarts to ferret out malicious activity rather than relying solely on security alerting tools. Hunches and "gut feel" play as much of a part in threat hunting as indicators of compromise and other technology metrics and alerts. “Because of a general lack of understanding of what a complex attack looks like, there is often a huge amount of focus on how to prevent the initial break-in,” or on how and where an intruder might have broken in, Amit says. Less attention is paid to understanding what an intruder might do after the initial compromise.

“To threat hunt, you have to acknowledge that attackers are probably getting past your existing defenses,” says Richard Stiennon, chief research analyst at IT-Harvest. “While you should never cease shoring up those defenses, you do have to look for adversaries that have defeated them. You do this by threat hunting." Amit likens the difference in attitude that is needed to the difference in approach taken by traffic police and criminal investigators when responding to incidents. “The working assumption when you are a traffic cop is that accidents happen because of inattention,” and other accidental causes, Amit says. “But when you are a cop working on a murder investigation, you assume the people involved have a malicious reason and you go and investigate that and understand why it happened," he says.

Think Like A Hacker

To be good at threat hunting you absolutely need to think like a malicious hacker would, Amit says.

For example, if your organization is the kind that measures success by how many trouble tickets you can close in an hour and how quickly you can remediate issues, there’s a good chance that attackers know that as well. “If I was running a hacking campaign, I would send a slew of known malware just to give you a lot of work. If you don’t have the habit of going down to the bottom of an event each time, I know you are going to be susceptible.” It is vital for organizations to realize that the initial intrusion is usually the easiest first step of a complex attack. Once you understand that, a lot of other things fall into place, he says. “You look into understanding how your adversary works, and the processes and motivations driving adversarial activities,” to know what they are likely to be doing on your network and where they are most likely going to be lurking, Amit says.

Stop Focusing Solely On The Malware

The malware that attackers use on your network is just a means to an end. So merely finding and eradicating malware samples is not enough. “Threat hunting is not just searching hosts for indicators of compromise,” says John Pescatore, director of emerging security trends at the SANS Institute. “In reality, that is nothing but host-based intrusion detection using a fancy name for signatures.” Threat hunting requires a combination of active threat monitoring and directed probing. “That is, I know how the active dangerous threats are operating, I know which of my assets they would target, and [whether they] are active against those assets,” Pescatore says. By focusing too much on finding malware, you also run the risk of overlooking malicious activities that are being carried out by attackers using legitimate tools and access credentials on your network, Amit cautions. Often, attackers who manage to gain initial access on a system will try to figure out a way to escalate privileges and quietly move around the network by leveraging PowerShell, Windows tools like WMI, and other similar capabilities. Malware detection tools cannot help spot such activity.

Make The Right Data Available

Good data and intelligence are key to an effective cyber-hunting capability, says Kris Lovejoy, president of security vendor Acuity Solutions. Data gathered by security systems, SIEM and analytics platforms, and network monitoring tools can provide a wealth of information on the health of a network. When properly vetted through the right filters, such data can play a vital role in helping threat hunters arrive at a more contextual understanding of what they might be seeing or chasing down on the network, she says. “Think about the job of cyber hunting as the same thing as monitoring photographs on Facebook for child pornography,” Lovejoy says.

The human staff on Facebook tasked with the job of monitoring photos sometimes have to make determinations based both on experience and on the intelligence gathered by Facebook’s systems to help them interpret what they are seeing. Threat hunting is all about piecing together disparate data to build a picture of an attack underway, Stiennon adds. “It could be unusual behavior reported by a UEBA [User and Entity Behavior Analytics] solution. It could be a traffic spike or unusual connection identified by your netflow monitoring solution,” he says. Or it could be a hit on a piece of threat intelligence run against your SIEM or endpoint monitoring data. “Beyond technology you need digital sleuths pulling the levers on all of these modern tools,” Stiennon says.
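The two sections above make one practical point: living-off-the-land activity (WMI spawning PowerShell, encoded commands) does not look like malware, so it has to be found by combining endpoint, DNS and threat-intelligence data rather than by scanning for samples. The following is an added illustration, not code from the article or from any vendor quoted in it; the event format, host names, domains and watchlist are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data); one pipe-delimited event per line.
PROCESS_EVENTS = """\
2017-08-17T09:12:03|WS042|WmiPrvSE.exe|powershell.exe -nop -w hidden -enc PLACEHOLDER
2017-08-17T09:12:40|WS042|powershell.exe|net.exe use \\\\FS01\\c$
2017-08-17T09:30:11|WS017|explorer.exe|winword.exe
2017-08-17T10:05:55|WS017|svchost.exe|WmiPrvSE.exe
""".splitlines()

DNS_EVENTS = """\
2017-08-17T09:13:10|WS042|update-cdn.example.invalid
2017-08-17T09:31:02|WS017|www.example.com
""".splitlines()

# Constructed watchlist; in practice this would come from a threat-intelligence feed.
INTEL_DOMAINS = {"update-cdn.example.invalid"}

# A legitimate admin or Office process launching a shell is the pattern that
# signature-based malware detection misses but a hunter can look for directly.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "mshta.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
ENCODED_PS = re.compile(r"\s-(enc|encodedcommand)\b", re.I)

def parse(line, fields):
    """Split one event into a dict; the last field keeps any remaining pipes."""
    rec = dict(zip(fields, line.split("|", len(fields) - 1)))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def hunt(process_lines, dns_lines, intel, window=timedelta(minutes=10)):
    """Return {host: [signals]} for hosts showing two or more distinct signals
    within `window`, i.e. a correlated chain rather than a single noisy alert."""
    signals = defaultdict(list)
    for rec in (parse(l, ["ts", "host", "parent", "cmdline"]) for l in process_lines):
        child = rec["cmdline"].split()[0].lower()
        if rec["parent"].lower() in SUSPICIOUS_PARENTS and child in SHELLS:
            signals[rec["host"]].append((rec["ts"], f"{rec['parent']} spawned {child}"))
        if ENCODED_PS.search(rec["cmdline"]):
            signals[rec["host"]].append((rec["ts"], "encoded PowerShell command"))
    for rec in (parse(l, ["ts", "host", "qname"]) for l in dns_lines):
        if rec["qname"].lower() in intel:
            signals[rec["host"]].append((rec["ts"], f"DNS query to watchlisted {rec['qname']}"))
    result = {}
    for host, items in signals.items():
        items.sort()  # chronological, so the output reads as a timeline
        if len({k for _, k in items}) >= 2 and items[-1][0] - items[0][0] <= window:
            result[host] = [k for _, k in items]
    return result

if __name__ == "__main__":
    for host, chain in hunt(PROCESS_EVENTS, DNS_EVENTS, INTEL_DOMAINS).items():
        print(host, "->", " ; ".join(chain))
```

Only WS042 is reported: WS017's Word launch and WmiPrvSE.exe start are single, individually benign events, which is exactly the noise a hunt should discard.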

This is a role that is ideally filled by puzzle solvers and people who are inquisitive by nature. Look for these traits anywhere in your IT department, he says. “Put them in front of a console that allows them to do link and graph analysis on lots of data. Feed them lots of data. Stand back and watch what happens.”

Do Crazy Ivans

Doing something unexpected is a good way to ferret out hidden intruders on your network, Lovejoy says. One example would be the digital equivalent of a Cold War era tactic called Crazy Ivan that was used by submarine commanders to detect whether another submarine was hiding behind them in their wake.

The tactic involved abrupt hard turns and other maneuvers so a submarine following behind another would be exposed, Lovejoy says. One way to do the same thing in the digital world is to unexpectedly change passwords to see if someone is making password-cracking attempts, she says.

Another tactic is to clear DNS caches to make it easier to see whether any compromised endpoints are trying to resolve botnet and malicious server addresses, Lovejoy says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

DevOps Security & the Culture of ‘Yes’

Communication, collaboration, and the use of production data to drive decisions are essential for security work in a DevOps world.

Half of Security Pros Ignore Some Important Alerts

Short-staffed, more than half of organizations admit they ignore alerts that should be investigated because they lack resources to handle the overflow.

10 Free or Low-Cost Security Tools

At a time when many organizations struggle with security funding, open-source tools can help cut costs for certain businesses.

The True State of DevSecOps

Automation improving, but security needs to find ways to slide into DevOps workflow and toolchain.