Saturday, September 23, 2017

Tag: Indicators of Compromise (IoC)

Critical Apache Struts bug was fixed in March.
In May, it bit ~143 million US consumers.

Introducing WhiteBear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear.
It is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private report. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure.

Neutralization reaction

Corporate information security services often turn out to be unprepared: their employees underestimate the speed, secrecy and efficiency of modern cyberattacks and do not recognize how ineffective the old approaches to security are.

And if there is no clear understanding of what sort of incident it is, an attack cannot be repelled. We hope that our recommendations about identifying incidents and responding to them will help information security specialists create a solid foundation for reliable multi-level business protection.
In July 2017, during an investigation, suspicious DNS requests were identified in a partner's network.

The source of the queries was a software package produced by NetSarang. Our analysis showed that recent versions of the software had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.
Friday May 12th marked the start of the dizzying madness that has been 'WannaCry', the largest ransomware infection in history.

Defenders have been running around trying to understand the malware's capabilities.
In the process, a lot of wires have gotten crossed and we figured it's time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.
Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations in over 80 countries.

During the first quarter of 2017, there were 33 private reports released to subscribers of our Intelligence Services, with IOC data and YARA rules to assist in forensics and malware-hunting.
Dependency injection is a software design pattern that helps you to build pluggable implementations in your application using loosely coupled, testable components.
It eliminates the hard-coded dependencies between the types and makes your types easi...
Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently.

This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the…
Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East.

The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012.
This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry.

Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim's host to the attacker's C2.
Bromium expands its virtualization based security isolation and detection approach into a platform play that correlates threats across a distributed network of endpoint sensors. Security vendor Bromium announced its new Secure Platform technology on Ja...
Your organization must address these blind spots to detect sophisticated attacks. When an organization as established and trusted as Yahoo gets breached, it seems like there's no hope for the rest of us.

And in many ways, there isn't. Despite Yahoo's perimeter defenses, the company's network was still breached. Not once, but at least twice.

This indicates that these attacks were very sophisticated and carried out by highly motivated and well-funded attackers.

Although Yahoo's breaches demonstrate that it's virtually impossible to prevent every motivated attacker from getting past perimeter defenses and gaining access to a secure network, there are ways to detect breaches before massive exfiltration can occur.

When it comes to breach detection and response, most enterprises today still rely on sifting through logs from network appliances such as firewalls and web gateways. This includes performing correlation using security information and event management systems to figure out how the breaches occurred.

The Yahoo breach exposed three key blind spots that need to be addressed to detect sophisticated attacks. (Editors' Note: In the spirit of transparency, SS8, the author's company, helps organizations detect and protect against network breaches using some of the concepts described in this article.)

1. Lack of application, identity, device, and geolocation information. Tools like NetFlow can't distinguish between multiple exchanges of information in a traffic flow (for example, an email session), and at best can only provide a summary of the entire flow. They leave out valuable application-specific information such as To, CC, From, and Subject fields in an email, as well as the presence of any potential malicious attachments. In addition, certain obfuscated protocols such as Tor can be difficult to detect on a network, but the ability to identify their presence and investigate these connections is critical to network security.

2. Challenges tied to archiving and network history lookup. Although some tools can store network log data for long periods of time, it remains difficult to access that information quickly for the purpose of cyber investigations such as correlating potentially malicious network activity to an individual device or user. Meanwhile, packet recording tools can provide more granular detail into network data, but the economics of storing full packets over an extended period of time is often cost-prohibitive.

3. Lack of automated workflows for threat detection. The volume of new, constantly generated threat information, combined with a shortage of skilled cybersecurity personnel, often leads to "log and alert fatigue." This is generally due to a lack of automation for correlating the latest threat intelligence, and tying it to actual events happening on the network.

Currently, most cyber investigators still have to manually perform a series of complicated steps to generate useful forensic information from log reports and the limited history of full packet capture tools. The Yahoo breach, like most advanced cyberattacks, was carried out over a long period of time, with attackers hiding their communications in the normal flow of network traffic.

According to the latest Verizon Data Breach Investigations report, dwell time — that is, the length of time an attacker is in a system before being detected — is averaging more than 200 days.  Perimeter defenses have to make point-in-time decisions to allow or block a specific communication.

Therefore, it isn't possible for them to detect advanced and persistent cyberattacks carried out over long periods of time.

Even though threats can breach the perimeter through a variety of attack vectors, most malicious activity can still be detected in the network before data exfiltration — the ultimate goal of the attack — takes place. If we want to prevent protracted infiltrations and exfiltrations, like the one experienced by Yahoo, we need to combine deeper network visibility, including the ability to rewind past activity, with constantly updated threat intelligence and automated workflows.

This will allow us to discover indicators of compromise and devices of interest early in the breach cycle, which can be investigated using actual network history to pinpoint a compromise before massive data exfiltration takes place. Prevention is always the goal, but incident detection and fast response can save the day.

Dr. Cemal Dikmen is Chief Security Officer for SS8, which helps companies detect and protect against network breaches. He also works with the nation's leading telecommunications service providers as well as law enforcement and intelligence agencies on cybersecurity ...