The Cyber Threat From Russia and China: Myths and Realities

An expert look at the threat posed by cyberspace's two largest superpowers.

Over the last few years, hackers from Russia and China have been accused of everything from re-routing the Internet to tampering with U.S. elections.

But if you're a U.S.-b...

‘123456’ Leads The Worst Passwords Of 2016

New report analyzes trends in more than 5 million passwords stolen from enterprises and leaked to the public last year.

SEC Investigates Yahoo Data Breaches

Report of an SEC probe of Yahoo serves as a new wake-up call for companies to properly disclose breaches in their earnings reports and disclosures.

Machine Learning In Cybersecurity Warrants A Silver Shotgun Shell Approach

When protecting physical or virtual endpoints, it's vital to have more than one layer of defense against malware.

Cybersecurity is arguably the most rapidly evolving industry, driven by the digitalization of services, our dependency on Internet-connected devices, and the proliferation of malware and hacking attempts in search of data and financial gain. More than 600 million malware samples currently stalk the Internet, and that’s just the tip of the iceberg in terms of cyber threats. Advanced persistent threats, zero-day vulnerabilities and cyber espionage cannot be identified and stopped by traditional signature-based detection mechanisms.

Behavior-based detection and machine learning are just a few technologies in the arsenal of some security companies, with the latter considered by some as the best line of defense.

What is Machine Learning?

The simplest definition is that it’s a set of algorithms that can learn by themselves.

Although we’re far from achieving anything remotely similar to human-level capabilities – or even consciousness – these algorithms are pretty handy when properly trained to perform a specific repetitive task. Unlike humans, who tire easily, a machine learning algorithm doesn’t complain and can go through far more data in a short amount of time. The concept has been around for decades, starting with Arthur Samuel in 1959, and at its core is the drive to overcome static programming instructions by enabling an algorithm to make predictions and decisions based on input data.

Consequently, the training data used by the machine learning algorithm to create a model is what makes the algorithm output statistically correct.

The expression “garbage in, garbage out” is widely used to describe how poor-quality input produces incorrect or faulty output from machine learning algorithms.

Is There a Single Machine Learning Algorithm?

While the term is loosely used across all fields, machine learning is not an algorithm per se, but a field of study.

The various types of algorithms take different approaches towards solving some really specific problems, but it’s all just statistics-based math and probabilities.

Decision trees, neural networks, deep learning, genetic algorithms and Bayesian networks are just a few approaches towards developing machine learning algorithms that can solve specific problems. Machine learning is usually broken down by the types of problems and tasks its algorithms try to solve, and those categories revolve around the method used to solve them.

Supervised learning is one such method, involving training the algorithm to learn a general rule based on examples of inputs and desired outputs. Unsupervised learning and reinforcement learning are also commonly used in cybersecurity to enable the algorithm to discover for itself hidden patterns in data, or to dynamically interact with malware samples to achieve a goal (e.g. malware detection) based on feedback in the form of penalties and rewards.

Is Machine Learning Enough for Cybersecurity?

Some security companies argue that machine learning technologies are enough to identify and detect all types of attacks on companies and organizations. Regardless of how well trained an algorithm is, though, there is a chance it will “miss” some malware samples or behaviors.

Even among a large set of machine learning algorithms, each trained to identify a specific malware strain or a specific behavior, chances are that one of them could miss something. This silver shotgun shell approach towards security-centric machine learning algorithms is definitely the best implementation, as more task-oriented algorithms are not only more accurate and reliable, but also more efficient.

But the notion that that’s all cybersecurity should be about is a misconception. When protecting physical or virtual endpoints, it’s vital to have more layers of defense against malware.

Behavior-based detection that monitors processes and applications throughout their entire execution lifetime, web filtering and application control are vital in covering all possible attack vectors that could compromise a system.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...

3 Lessons From The Yahoo Breach

Your organization must address these blind spots to detect sophisticated attacks.

When an organization as established and trusted as Yahoo gets breached, it seems like there's no hope for the rest of us.

And in many ways, there isn't. Despite Yahoo's perimeter defenses, the company's network was still breached. Not once, but at least twice.

This indicates that these attacks were very sophisticated and carried out by highly motivated and well-funded attackers.

Although Yahoo's breaches demonstrate that it's virtually impossible to prevent every motivated attacker from getting past perimeter defenses and gaining access to a secure network, there are ways to detect breaches before massive exfiltration can occur.

When it comes to breach detection and response, most enterprises today still rely on sifting through logs from network appliances such as firewalls and web gateways. This includes performing correlation using security information and event management systems to figure out how the breaches occurred.

The Yahoo breach exposed three key blind spots that need to be addressed to detect sophisticated attacks. (Editors' Note: In the spirit of transparency, SS8, the author's company, helps organizations detect and protect against network breaches using some of the concepts described in this article.)

1. Lack of application, identity, device, and geolocation information. Tools like NetFlow can't distinguish between multiple exchanges of information in a traffic flow (for example, an email session), and at best can only provide a summary of the entire flow. They leave out valuable application-specific information such as To, CC, From, and Subject fields in an email, as well as the presence of any potential malicious attachments. In addition, certain obfuscated protocols such as Tor can be difficult to detect on a network, but the ability to identify their presence and investigate these connections is critical to network security.

2. Challenges tied to archiving and network history lookup. Although some tools can store network log data for long periods of time, it remains difficult to access that information quickly for the purpose of cyber investigations such as correlating potentially malicious network activity to an individual device or user. Meanwhile, packet recording tools can provide more granular detail into network data, but the economics of storing full packets over an extended period of time is often cost-prohibitive.

3. Lack of automated workflows for threat detection. The volume of new, constantly generated threat information, combined with a shortage of skilled cybersecurity personnel, often leads to "log and alert fatigue." This is generally due to a lack of automation for correlating the latest threat intelligence and tying it to actual events happening on the network. Currently, most cyber investigators still have to manually perform a series of complicated steps to generate useful forensic information from log reports and the limited history of full packet capture tools.

The Yahoo breach, like most advanced cyberattacks, was carried out over a long period of time, with attackers hiding their communications in the normal flow of network traffic.

According to the latest Verizon Data Breach Investigations Report, dwell time — that is, the length of time an attacker is in a system before being detected — is averaging more than 200 days.

Perimeter defenses have to make point-in-time decisions to allow or block a specific communication. Therefore, it isn't possible for them to detect advanced and persistent cyberattacks carried out over long periods of time.

Even though threats can breach the perimeter through a variety of attack vectors, most malicious activity can still be detected in the network before data exfiltration — the ultimate goal of the attack — takes place. If we want to prevent protracted infiltrations and exfiltrations, like the one experienced by Yahoo, we need to combine deeper network visibility, including the ability to rewind past activity, with constantly updated threat intelligence and automated workflows.

This will allow us to discover indicators of compromise and devices of interest early in the breach cycle, which can be investigated using actual network history to pinpoint a compromise before massive data exfiltration takes place. Prevention is always the goal, but incident detection and fast response can save the day.

Dr. Cemal Dikmen is Chief Security Officer for SS8, which helps companies detect and protect against network breaches. He also works with the nation's leading telecommunications service providers as well as law enforcement and intelligence agencies on cybersecurity ...

Cyber Lessons From NSA's Admiral Michael Rogers

Security teams must get better at catching intruders where we have the advantage: on our own networks.

The Russians spent a year inside the Democratic National Committee before they were discovered. It took five months for OPM to catch the thieves that stole the records of more than four million federal employees. Intruders broke into Yahoo’s systems in 2013, and we don’t even know how long they were inside; Yahoo only discovered the hack when stolen data turned up for sale on the dark web. We invest more and more in our security, but the breaches just get bigger. How many more times does this have to happen before we accept that what we’re doing isn’t working?

Earlier this month, during a Senate Armed Services Committee hearing, Admiral Michael S. Rogers, the director of the National Security Agency, told us what we need to do to fix the problem, recognizing two different kinds of cybersecurity:

1. Keeping intruders out of networks.
2. Identifying, containing, and ejecting them once they get inside.

We must be able to do both, Admiral Rogers argued, noting that there is an entirely “different thought process, methodology, prioritization, and risk approach to dealing with someone who is already in your network versus trying to keep them out in the first place.”

The head of the best offensive agency in the world is telling us exactly what we’re missing, but we aren’t listening. Most organizations still focus heavily on keeping attackers out, rather than trying to catch the ones that get in. A common bit of security wisdom is that hackers have the advantage because they only need to be right once to get in. This is largely true today - hackers can launch assault after assault to try to break through your defenses, probing for a weakness until you slip. And every security team, no matter how good, slips up eventually. But once inside, the intruders are in your network - unfriendly territory. They have to hide inside your environment, and they only have to slip up once to get caught.

Consider the White House, one of the most secure buildings on the planet. Jumping the wrought iron fence on Pennsylvania Avenue isn’t the challenge. The challenge is dealing with the Secret Service agents that tackle you as soon as your feet hit the lawn. Cybersecurity teams should play to our strengths, and follow the example of both Admiral Rogers and the Secret Service. We should always work to keep intruders out, but some will always get in. We should heavily invest where we have the advantage: on our own networks.

Image Source: Orhan Cam via Shutterstock

At the White House, it is the Secret Service’s visibility and control inside the grounds that shuts down intruders. Crossing that lawn is exposed, and the Secret Service detects intruders in seconds. Access within the compound is limited to only where you need to go for purposes of your meeting, so visitors that step out of bounds are easy to spot. And once an intruder is detected, there is almost always an agent nearby, with a wide range of tools at their disposal to contain the intrusion. This is the essence of the defender’s advantage: visibility linked with control means that intruders are at a huge disadvantage once they get in.

Unfortunately, we have largely ceded this advantage on our networks. Security teams often don’t know what devices are connected, or how those devices are talking to each other. This offers an incredible opportunity for intruders, because by understanding our networks better than we do, they can operate at their strongest when they should be at their weakest.

If we are going to take Admiral Rogers’ advice, this is what we must correct. There are emerging technologies that could help us correct this imbalance. Organizations need real-time visibility into how their devices are communicating so they can identify intruders quickly. We should limit access to important systems; segment networks and important data; patch vulnerable systems; encrypt data. Each of these steps increases visibility and control. They enable organizations to quickly identify intruders, act to constrain their movements, and eject them from the network. None of these tools are rocket science, but they require that we focus not just on keeping intruders out, but on catching them when they get in.

This reality makes Admiral Rogers’ comments during the Senate hearing all the more poignant. If there are two types of cybersecurity, why have we invested so heavily in the one where we are at a disadvantage, and given up the advantage we hold for the other?

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the ...

Threat Attribution: Misunderstood & Abused

Despite its many pitfalls, threat attribution remains an important part of any incident response plan. Here's why.

Threat attribution is the process of identifying actors behind an attack, their sponsors, and their motivations.
It typically involves forensic analysis to find evidence, also known as indicators of compromise (IOCs), and derive intelligence from them. Obviously, a lack of evidence or too little of it will make attribution much more difficult, even speculative.

But the opposite is just as true, and one should not assume that an abundance of IOCs will translate into an easy path to attribution. Let’s take a simple fictional example to illustrate: François is the chief information security officer (CISO) at a large US electric company that has just suffered a breach.

François’ IT department has found a malicious rootkit on a server which, after careful examination, shows that it was compiled on a system that supported Pinyin characters. In addition, the intrusion detection system (IDS) logs show that the attacker may have been using an IP address located in China to exfiltrate data.

The egress communications show connections to a server in Hong Kong that took place over a weekend with several archives containing blueprints for a new billion-dollar project getting leaked. The logical conclusion might be that François’ company was compromised by Chinese hackers stealing industrial secrets.

After all, strong evidence points in that direction and the motives make perfect sense, given many documented precedents. This is one of the issues with attribution: evidence can be crafted in such a way that it points to a likely attacker, in order to hide the real perpetrator’s identity.

To continue with our example, the attacker was in fact another US company and direct competitor.

The rootkit was bought on an underground forum, and the server used to exfiltrate data was vulnerable to SQL injection and had been taken over by the actual threat actor as a relay point. Another common problem leading to erroneous attribution is when the wrong IOCs have been collected or when they come with little context. How can leaders make a sound decision with flawed or limited information? Failing to properly attribute a threat to the right adversary can have consequences ranging from moderate to serious.

Chasing down the wrong perpetrator can result in wasted resources, not to mention being blinded to the more pressing danger. But threat attribution is also a geopolitical tool, where flawed IOCs can come in handy to support assumptions and supply an acceptable motive for applying economic sanctions.

Alternatively, it can also be convenient to refute strong IOCs and a clear threat actor under the pretext that attribution is a useless exercise. Despite its numerous pitfalls, threat attribution remains an important part of any incident response plan.

The famous “know your enemy” quote from the ancient Chinese general Sun Tzu is often cited in computer security to illustrate that defending against the unknown can be challenging. IOCs can help us bridge that gap by telling us whether attackers are simply opportunistic or are the ones you did not expect.

Close The Gap Between IT & Security To Reduce The Impact...

IT and security teams work more effectively together than apart.

Every modern organization operating today needs to rely on IT teams for service assurance within their networks and security professionals to keep everything safe. Organizations need both to operate effectively, not unlike a person employing both halves of the brain. However, because of the way IT and security have developed in siloed environments over the years, a gap has formed between them that decreases the effectiveness of both. It's probably no surprise to anyone working in technology why this gap has formed between these two teams.

For years, the primary focus of most organizations was IT.

The IT team had to get websites, applications, and communication systems up and running.

Then came a wave of cyberattacks, and a security team got added — some might say bolted on — as a separate entity with its own responsibilities. Even though both groups have the best interests of the host organization at heart, the gap still formed because they use different lexicons and tools, and have different priorities within network operations.
In some cases, they may not be physically based in the same location or, in the case of outsourcing, be managed by the same company.

That puts a lot of roadblocks in the way of collaboration, with the costs associated with effective systems integration being one of the leading factors impeding executives' decision making.

But leaders need to ask the question: Do I invest in securing my business effectively in a manner that allows systems to function to the full extent of their capabilities, or do I suffer the costs of being compromised?

Hackers have already taken notice and are using this gap to their advantage.

The use of advanced tools, such as Hammertoss, is a perfect example.
It was designed to mimic normal user behavior, thus hiding from cybersecurity teams that didn't have enough visibility into network operations to spot the anomalies.

And it exfiltrated data so slowly, using such little bandwidth, that IT teams didn't detect anything amiss on their end. Had IT and security teams been working together on a unified platform with shared situational awareness, there likely would have been more than enough clues to unmask the threat before it could cause significant damage. There are many advantages to having separate IT and security teams, with the most important being that it allows experts in both groups to hone specific skill sets that make them more effective at their jobs.

But that doesn't mean that each must operate within a silo.

Combining security and IT operations can be as simple as encouraging more communication and providing tools that give each side visibility into areas supervised by the other group. For security teams, a deeper understanding of how systems within the network are designed to perform would help them better spot and stop threats. Modern advanced persistent threats that use tools like Hammertoss, which have been successful at exploiting the gap, would have a much harder time.

Attacks that leverage native capabilities in the operating system or whitelisted websites/applications (such as tech support) would not be so invisible to those on the security team if they knew what day-to-day operations of those systems looked like from an IT perspective. IT would also benefit from better collaboration with security. One advantage would be allowing IT teams to think more like analysts when planning network expansions.

Generally, IT staffers working in a silo consider having more systems and more capacity to be a good thing, even though recent studies have found that as much as 40% of the capacity of most networks is not utilized.

From a security perspective, more capacity and more systems mean greater complexity, which adversaries can use to their advantage.

Combining those methodologies could lead to more efficient and less expensive network growth. I have seen firsthand the advantages when IT and security become more integrated.

During my time working in government, I managed a branch that performed root cause analysis and analyzed metrics for cyber defense across agencies. We worked with assessment teams as well as incident response teams, with a focus on identifying gaps across people, process, technology, and policy. What I always observed was that organizations that had their IT and security teams tightly integrated to foster collaboration had much greater success during our assessments. Ideally, security and IT should collaborate from the design phase of every new project.

That can act as a good starting point in bringing those two worlds together and teaching them how to work together. Once the advantages of doing that are observed by both groups, it will be much easier to get buy-in on the bigger goal of complete integration and collaboration. Only then will the gap finally start to close, eliminating a core danger to networks while also improving overall efficiency and cost savings.

Travis Rosiek serves as the CTO of Tychon, where he is responsible for product innovation and professional services. With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber-defense leader, having led several commercial and U.S. ...

Ransomware: How A Security Inconvenience Became The Industry's Most-Feared Vulnerability

There are all sorts of ways to curb ransomware, so why has it spread so successfully?

The word "ransomware" conjures up images of dark cloaks and even darker alleys, and not surprisingly, the level of media attention has been unprecedented.

The fact that news stories measure the effect of ransomware in terms of cash helps grab the public's attention. (One analysis estimates more than $1 billion in ransoms were paid out in 2016.) The most frightening thing about ransomware is that its success is built on trust. Ransomware often gains access by way of a clever email designed with the sole intention of winning the victim's confidence. "My skill is in my ability to get a bunch of people to click on the attachment," explains a malicious actor in a YouTube primer. Ransomware perpetrators have even started copying incentive tactics from legal industries.

There's the Christmas discount for victims who pay up, and a pyramid scheme offer, described in the press as "innovative": "If you pass this link and two or more people pay, we will decrypt your files for free!" This sophistication and business savvy speaks to ransomware's growth as an industry, and IT has had to take notice.

A recent survey of IT professionals from around the globe found that more than 50% of IT staff and more than 70% of CIOs see defending against ransomware as their #1 priority for 2017. What made ransomware into such a strong threat? Is it really a greater malice than traditional security threats or data theft? Or is it just more buzzworthy because the consequences are more dramatic? What's enabling the epidemic, and what produced the conditions for ransomware to flourish?

The Patching Conundrum

In a way, the rise of ransomware in 2016 was in the works for a long time.
Vulnerability patching has been a significant IT challenge for several years — among industrial control systems, 516 of 1,552 vulnerabilities discovered between 2010 and 2015 didn't have a vendor fix at the time of disclosure.

A full third of known "ways in" had to wait for a patch to be developed, providing ample time for criminals to do their worst. Reliance on distributed security appliances has only exacerbated the problem.

Even after patches become available, there's still a significant lag.

A combination of staff shortages, the volume of devices deployed across today's business networks, and distance has dramatically lengthened patch rollout times.
Varying reports put the gap at anywhere from 100 days to 18 months. Before ransomware even became a trend, the stage had been set for adversaries to gain access.

It Should Be Easy to Stop

From an IT perspective, one of the most aggravating things about ransomware is that even after the attack gains a foothold, it should be relatively easy to stop.

The file encryption — which actually does the damage — is the final stage of a multistep process.
In fact, there are several opportunities to block the attack before it affects valuable data.

First, if the attack is caught by URL filters or secure Web gateways, it will be averted. The second step is where the initial malware "drop" downloads the ransomware program.

To do this, it must connect back to the attacker's server from within the compromised network.
It's only after the ransomware program itself deploys inside the victim's environment that it encrypts local and network server files.

And still, before the process can launch, most ransomware must connect to a command-and-control server to create the public-private key pair that encrypts the data. At any point in the process, a network security stack has ample chance to block the malicious program from making these connections, and data lockdowns would never happen. With all these opportunities to stop the attack, how has ransomware been so successful?

Complexity upon Complexity

In November, security researchers discovered a mutation that exploits Scalable Vector Graphics (SVG), and this may provide a clue. SVG is an XML-based vector image format supported by Web-based browsers and applications.

Attackers were able to embed SVG files sent on Facebook Messenger with malicious JavaScript, ostensibly to take advantage of users' inclination to view interactive images. The way these files were manipulated is of much greater concern than either the app that was targeted, or the breach of users' trust: The SVG file had been loaded with obfuscated JavaScript code (see Figure 1).

These files automatically redirect users to malicious websites and open the door to eventual endpoint infection.
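Because SVG is XML, a gateway or upload filter can inspect it structurally rather than relying on a signature for any one obfuscated blob. The script below is an added example (not Cato Networks code) of that check: it parses an SVG, flags `<script>` elements, event-handler attributes, scripted `href` values and embedded foreign content, and notes common obfuscation markers inside script bodies. The sample SVG is constructed for the illustration; its percent-encoded string only decodes to a redirect to example.com and is never executed.

```python
"""Static triage of an SVG file for embedded active content, the kind of check an
upload filter or secure Web gateway can run before an image is served.

Added example, not Cato Networks code. The sample SVG is constructed: it mimics the
pattern described in the article (script plus an encoded blob that decodes to a
redirect) but points at example.com and is only ever parsed, never rendered.
"""
import re
import xml.etree.ElementTree as ET

# Markers typical of obfuscated loaders: runtime evaluation, char-code decoding,
# and long escaped or percent-encoded string blobs.
OBFUSCATION_PATTERNS = [
    r"\beval\s*\(",
    r"\bunescape\s*\(",
    r"String\.fromCharCode",
    r"\bFunction\s*\(",
    r"(?:\\x[0-9a-fA-F]{2}){8,}",
    r"(?:%[0-9a-fA-F]{2}){8,}",
]
ACTIVE_CONTAINERS = {"foreignobject", "iframe", "embed", "object"}
SCRIPTED_SCHEMES = ("javascript:", "data:text/html")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1].lower()


def scan_svg(data):
    """Return a list of (kind, detail) findings; an empty list means nothing active.

    Note: xml.etree does not defend against entity-expansion attacks; a production
    filter should parse with defusedxml or disable DTD processing first.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]

    for el in root.iter():
        if not isinstance(el.tag, str):      # comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag == "script":
            body = el.text or ""             # CDATA content lands in .text
            hits = [p for p in OBFUSCATION_PATTERNS if re.search(p, body)]
            findings.append(("script-element", hits))
        elif tag in ACTIVE_CONTAINERS:
            findings.append(("embedded-content", tag))
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.startswith("on"):        # onload, onclick, onmouseover, ...
                findings.append(("event-handler", f"{tag}@{attr}"))
            elif attr == "href" and value.strip().lower().startswith(SCRIPTED_SCHEMES):
                findings.append(("scripted-href", f"{tag}@{attr}"))
    return findings


def is_safe_svg(data):
    """Policy decision for a gateway: reject any SVG carrying active content."""
    return scan_svg(data) == []


# Constructed sample (not the Messenger sample from Figure 1).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect width="10" height="10" onload="vq()"/>
  <a xlink:href="javascript:vq()"><text>open</text></a>
  <script><![CDATA[
    function vq(){ eval(unescape('%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%22%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%63%6f%6d%22')); }
  ]]></script>
</svg>"""

CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for kind, detail in scan_svg(SAMPLE_SVG):
        print(kind, detail)
    print("clean sample safe:", is_safe_svg(CLEAN_SVG))
```

The structural findings (script element, event handler, scripted href) are the ones to act on; the obfuscation markers are only supporting evidence, since a benign interactive SVG can legitimately carry script and an attacker can trivially change the encoding, which is exactly why the article argues signature matching alone keeps falling behind.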

The obfuscation tricks detection engines, and signature-based detection will always fall behind as code morphs into new signatures for the same threat.

Figure 1: The string "vqnpxl" is the obfuscation function. Source: Cato Networks

The above attack spotlights an urgent need to simplify. Modern networks grow more vulnerable thanks to a patchwork of point solutions.
It's not sustainable to expect IT pros to update each point solution, and patch every existing firewall, when each new attack vector comes about.
Skilled attackers will always build new threats faster than IT can defend against them.

For ransomware, the critical test is, "How fast can you roll defenses out?"

Higher Stakes

When prevention is the only true cure, it's no wonder ransomware goes to the front of CIOs' agendas for 2017.

But the predominant trend toward cloud-based security and the promise of a "patch once, fix all" model are starting to correct the problem.

Cloud defenses promote quicker adaptation to ransomware mutations.

The idea is to consolidate all traffic from physical locations and mobile users, and integrate a single firewall service as a permanent "line of sight" between any given user, any given device, and a potential threat source.
In this respect, the cloud is not just about saving work, but also about improving speed to security.

2016 was the year that IT's reluctance to use the cloud backfired, and it played right into ransomware's hands.

Familiarity, comfort, and experience with using the cloud to keep networks safe may improve outcomes in 2017.

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based Web applications security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and ...

FBI Chief: Russian Hackers Exploited Outdated RNC Server, But Not Trump...

Russian state-sponsored hackers attacked Republican state political campaigns, and compromised an old Republican National Committee (RNC) server, but did not penetrate the "current RNC" or the campaign of president-elect Donald Trump, FBI director James Comey told lawmakers at a Senate hearing Tuesday.

Reuters reports that Comey told lawmakers the FBI "'did not develop any evidence that the Trump campaign, or the current RNC, was successfully hacked.' He did not say whether Russia had tried to hack Trump's campaign." Russia did not release any information obtained through these compromises of state campaigns or old RNC email domains, Comey said, reports Reuters.

From the New York Times: Mr. Comey said Tuesday that there was 'evidence of hacking directed at the state level' and at the R.N.C., 'but that it was old stuff.' He said there was no evidence 'that the current R.N.C.' — he appeared to be referring to servers at the committee's headquarters or contractors with current data — had been hacked. There is no evidence that computers used by the Trump campaign or the Clinton campaign were also compromised, though the personal email account of John D. Podesta, Hillary Clinton's campaign chairman, was copied and released as part of the Russian-ordered hack.

According to the Times, the "old stuff" to which Comey referred appeared to be a single email server used by the RNC that was soon going out of service and contained outdated material.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Latest Ukraine Blackout Tied To 2015 Cyberattackers

Broad cyberattack campaign hitting finance, energy, and transportation in Ukraine was meant to disrupt but not cause major damage, researchers say.

S4x17 CONFERENCE -- Miami, Fla. -- A wave of fresh cyberattacks against power substations, defense, finance, and port authority systems in Ukraine last month appears to be the handiwork of the same attackers who in December 2015 broke in, took control of industrial control systems at three regional power firms in that nation, and shut off the lights, researchers said here today.

A pair of researchers from Ukraine confirmed that a second power outage in the nation, on Dec. 16, 2016, also was the result of a cyberattack. Ukrainian officials have identified Russian hackers as the perpetrators, and Ukraine President Petro Poroshenko recently revealed that his nation had suffered 6,500 cyberattacks at the hands of Russia in the past two months.

But unlike the 2015 cyberattack, which crippled some 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit the Pivnichna remote power transmission facility and shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage of about an hour.

Confirmation of yet another cyberattack campaign against Ukraine comes at a time when Russian nation-state hacking is a front-burner concern in the US and the Western world, especially with the US intelligence community's recent report concluding that Russian president Vladimir Putin directed a wide-ranging campaign to influence the outcome of the 2016 US presidential campaign in favor of President-Elect Donald Trump. US officials say Russia employed cyber espionage attacks against policy groups, US primary campaigns, and the Democratic National Committee (DNC) in 2015, as well as propaganda to influence public opinion.
Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, who today presented the newest findings on the Ukraine hacks, said the attackers appear to be using Ukraine "as a training ground for R&D" - basically a way to hone their attacks on critical infrastructure in general. She said in an interview that this testbed-type approach against Ukraine is considered by experts to be "standard practice" for Russian nation-state attackers testing out their tools and attacks.

This recent campaign worries some US security experts. "The 'red lines' that conventional wisdom taught us would prevent disruptive or destructive attacks in critical infrastructure are dimming, if not gone," says Steve Ward, a senior director at Claroty. "With the 2015 Ukraine incident and the fact that no apparent repercussions followed, it is not surprising to be at the point where a follow-up attack has been confirmed … We should be very concerned with the potential of such attacks in America," Ward says.

Honeywell's Krotofil says the latest attacks began on Dec. 6 and lasted until Dec. 20, with each target hit one by one, via a combination of remote exploits and websites crumbling under distributed denial-of-service attacks. With the Ukraine rail system's server taken offline by the attacks, travelers were unable to purchase train tickets, and cargo shipments also were interrupted, she says. She said the attackers didn't appear to intend to wreak major damage on Ukraine's infrastructure, however. "It's hypothesized that this hacking campaign was to sabotage normal operations in Ukraine to cause disorganization and distrust," she said. "The goal was to destabilize the economy and political situation."

The attackers used many of the same tools they deployed in the 2015 power grid blackout -- including BlackEnergy framework tools and KillDisk. "The attacks [grew] in sophistication," Krotofil said.
"They were more organized, with several groups working together like a good orchestra. That was different from" the 2015 attack, which appeared to be more disjointed and disorganized, she said.

A spear phish on July 14, 2016, kicked off the first phase of the attacks, aimed at a Ukraine bank.

The attachment employed malicious macros that checked for sandboxes and hid its activity with obfuscation techniques.

The researchers did not confirm the initial attack vector for the electric grid, however.

Via a translator, in a pre-recorded video shown during Krotofil's talk, Oleksii Yasynskyi - head of research for Information Systems Security Partners in Ukraine and a fellow investigator of the Ukraine attacks - said that the attackers were "several cybercriminal groups" working together. Yasynskyi said the groups employed legitimate IT administrative tools to evade detection as they gathered the necessary intelligence about the networks in the reconnaissance phase of the attacks. They gathered passwords for targeted servers and workstations, for instance, noted Yasynskyi, and they created custom malware for their targets. "The code was written by experts," he said.

Macro Got More Game

The attackers upped their malicious macro game significantly in the 2016 attacks in comparison to the 2015 attack.

Case in point: 69% of the code in their macro software was for obfuscation, 30% for duping forensic analysis, and only one percent of the code actually corresponded to the macro's ability to launch malware, according to Yasynskyi. "In essence, this macro is a sophisticated container for infiltrating and delivering malicious code for actual intrusion by the attackers," he said.

The attackers this time around also put extra effort into making malware analysis as onerous as possible. "It writes itself into certain parts of memory, like a puzzle," he said. "It unwraps only parts it needs at the time."

"This only confirms the theory that this was executed by several teams: infrastructure, instruments to automate the analysis and penetration, and to deliver the malicious code," he said.

The dropper malware, a custom tool called Hancitor, had two different samples but some 500 software builds during a two-week period, demonstrating the level of software development by the attackers, Krotofil noted. The attackers also obviously had done their homework in order to wreak havoc on the power grid, such as learning the inner workings of industrial processes there. "You can't simply get" that information or documents on the Net, Krotofil said.

Interestingly, while it took some four months to investigate the 2015 Ukraine power grid attack, it took Yasynskyi and the other investigators only two weeks to investigate the 2016 attacks.
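The 69/30/1 split quoted above is the output of static triage: counting how much of a macro's source exists only to hide strings, probe for sandboxes or stall, versus the one line that actually launches something. The script below is an added example of that kind of breakdown, not the investigators' tooling and not tied to the Hancitor samples; the keyword lists are short assumptions about what each role typically looks like, and the sample macro is constructed and inert (it is only ever handled as a string, and its decoded value is "notepad.exe").

```python
"""Heuristic role breakdown of a VBA macro's source lines, the kind of static triage
behind the obfuscation / anti-analysis / launch proportions quoted above.

Added example, not the investigators' tooling. The macro text is constructed and
inert: it is only ever treated as a string here.
"""
import re

# Each role is a list of regexes; a line takes the first role in PRIORITY order that
# matches. The lists are deliberately short assumptions, not a complete detector.
ROLES = {
    # string building / decoding that hides what the macro will eventually do
    "obfuscation": [r"\bChrW?\s*\(", r"\bStrReverse\b", r"\bXor\b", r"\bReplace\s*\(",
                    r"\bMid\s*\(", r'&\s*"[^"]{0,4}"\s*&'],
    # probes for sandboxes / analysis tooling, and stalls meant to outlast them
    "anti_analysis": [r"RecentFiles\.Count", r"\bEnviron\s*\(", r"\bSleep\b", r"\bTimer\b",
                      r"\bGetTickCount\b", r"Win32_ComputerSystem"],
    # the launch of the actual payload
    "launch": [r"\bShell\b", r"WScript\.Shell", r"\.Run\b", r"\.Exec\b",
               r"URLDownloadToFile", r"\bCreateObject\s*\("],
}
PRIORITY = ("launch", "anti_analysis", "obfuscation")   # launch wins when a line fits several


def classify_line(line):
    """Role of one source line, or 'other' for declarations and plain control flow."""
    for role in PRIORITY:
        if any(re.search(p, line, re.IGNORECASE) for p in ROLES[role]):
            return role
    return "other"


def role_counts(vba_source):
    """Count non-blank, non-comment lines per role."""
    counts = {"obfuscation": 0, "anti_analysis": 0, "launch": 0, "other": 0}
    for raw in vba_source.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):
            continue
        counts[classify_line(line)] += 1
    return counts


def role_fractions(vba_source):
    """Share of code lines per role, comparable to the split reported above."""
    counts = role_counts(vba_source)
    total = sum(counts.values()) or 1
    return {role: n / total for role, n in counts.items()}


# Constructed, inert sample macro: four lines of sandbox checks and stalling,
# three lines of string decoding, one launch line, and declarations around them.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    ' constructed sample for triage only
    Dim k As String
    If Application.RecentFiles.Count < 3 Then Exit Sub
    If Environ("USERNAME") = "sandbox" Then Exit Sub
    Dim t As Double: t = Timer
    Do While Timer - t < 20: DoEvents: Loop
    k = Chr(110) & Chr(111) & Chr(116) & Chr(101)
    k = k & StrReverse("exe.dap")
    k = Replace(k, "dap", "pad")
    CreateObject("WScript.Shell").Run k
End Sub
'''

if __name__ == "__main__":
    for role, share in role_fractions(SAMPLE_MACRO).items():
        print(f"{role:14s} {share:5.1%}")
```

On the constructed sample the launch role is a single line out of eleven, which is the shape Yasynskyi describes: the interesting question for an analyst is not what the one launch line does but how much machinery surrounds it, and a breakdown like this is a quick way to flag a macro whose bulk is evasion rather than document automation.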

They were able to detect the similar methods and tools in the second attacks based on the research from the previous attacks.

Michael Assante, SANS lead for ICS and SCADA security, in a presentation here today noted that the Ukraine attacks raise new issues for ICS/SCADA operators. "In the case of Ukraine, it opened up a lot of questions" after that 2015 attack about how to engage when such physically disruptive events hit, such as who should identify a cyberattack, how to respond, and what protocol to follow if the attack causes damage.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...