Home Tags Kill Chain

Tag: Kill Chain

Kill Chain & the Internet of Things

IoT "things" such as security cameras, smart thermostats and wearables are particularly easy targets for kill chain intruders, but a layered approach to security can help thwart an attack.

Microsoft’s ‘Samaritan’ refuses help to hackers doing Win 10 recon

'SAMRi10' script hides the creds hackers crave, making box-to-box jumps harder Microsoft hacker Itai Grady has created a tool to help protect blackhat scouts from stealing Windows credentials, an effort they hope will make network compromises harder to achieve. The SAMRi10 PowerShell script (the pair say it's pronounced as samaritan) eliminates the easy username information hackers seek in initial reconnaissance of Windows boxes. It changes the default permissions for remote Windows Security Account Manager (SAM) access on Windows 10 and Windows Server 2016 in a bid to limit the amount of information hackers can glean. Grady (@ItaiGrady) says the Windows 10 tool will help increase the cost and complexity of the first step in the offensive hacking kill chain. "Once attackers have breached a single end-point, they need to discover their next targets within the victim’s corporate network, most notably privileged users. "Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed [in terms of] password complexity and change policy, and less monitored [with] no traffic and logs besides the specific computer. "Querying the Windows Security Account Manager remotely via the SAM-Remote protocol against their victim’s domain machines allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network." Frameworks like Veris Group's BloodHound automates that network mapping, elevating the risk by exposed credentials. Good samaritan: Admins okay, unauth users denied.
Images: Microsoft. SAMRi10 is not known to work on any platform other than Microsoft's tougher Windows 10 platform, which has about 22 percent market share. The researchers have outlined their script's functionality and use in full, and encourage all security administrators to review it. ® Sponsored: Customer Identity and Access Management

Regular password changes make things worse

Security experts have been saying for decades that human weakness can trump the best technology. Apparently, it can also trump conventional wisdom. Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person's, or an organization's, security. Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, "time to rethink mandatory password changes." She gave a keynote speech at the BSides security conference in Las Vegas earlier this month making the same point. But the message was not new -- she has been preaching it for some time.

Cranor, who before her move to the FTC was a professor of computer science and of engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago. She contends that changing passwords frequently could do more harm than good. Not because new passwords, in and of themselves, would make it easier for attackers, but because of human nature. She cited research suggesting that, "users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily." This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack new passwords if they had cracked an older one, since users tended create a new password with a minor tweak of the old one. Those tweaks included changing a lower-case letter to upper case, substituting a number for a letter, such as a "3" for an "e," or simply adding a couple of letters or numbers to the end of the previous password. Cranor said the researchers found that if they knew a previous password, they could guess the new one in fewer than five tries.

A hacker who had also stolen the hashed password file would be able to guess new ones within three seconds -- and that was with 2009 technology. The UNC study is not the only one reaching that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that security advantages of password expiration policies were, "relatively minor at best, and questionable in light of overall costs," for the same reason the UNC researchers found. "(W)hen password changes are forced, often new passwords are algorithmically related to the old [password], allowing many to be found in few guesses," they wrote. And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked "Retired" this past April), said password expiration policies frequently frustrate users, who then, "tend to choose weak passwords and use the same few passwords for many accounts." Not surprisingly, attackers are very much aware of these vulnerabilities.

The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. A report released earlier this month by Praetorian found that four out of the top five activities in the cyber kill chain had nothing to do with malware, but with stolen credentials, thanks to things like weak domain user passwords and cleartext passwords in memory. All of which would seem to be even more ammunition for organizations like the FIDO Alliance, which has been crusading to eliminate passwords entirely since its formation four years ago.

The Alliance has been pitching two passwordless authentication options it hopes will be irresistible to both users and service providers. But even with increasing interest and acceptance of those options, Brett McDowell, FIDO's executive director, has acknowledged that there will be a "long tail" for password use. And during that long transition, he and others say there are multiple ways to improve security that don't involve creating a new password every couple of months that is easier to crack than previous ones. Zach Lanier, director of research at Cylance, cites Apple's TouchID and Google's Project Abacus as mobile options to wean users off passwords, but said passwords are obviously, "still around, and they're likely to be for a bit longer.
It's just that they're so ‘standard' for people and enterprises, and have been for so long, that it's really hard to make them completely disappear." In the interim, he said, organizations can improve their password security through a combination of employee training and, "actively testing their authentication mechanisms and auditing users' passwords -- cracking them -- whether it's through internal infosec teams or external firms.
In my opinion, it should be both," he said. "This can give the organization a better idea of where things are broken, from people to technology." The users can be brought into this as well, he added, by, "making available the tools to enable, if not force, users to test the strength of their own passwords." McDowell agrees that education is, "a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks." But he said the "shared secret" authentication model is vulnerable to too many forms of attack -- not just social engineering -- hence the need to eliminate them as soon as possible. Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. "Current policies set the bar far too low for complexity in passwords and don't require multi-factor authentication, acknowledged as the best commonly available solution," he said. Lanier agreed. "There are some really awful organizations, sites or services that can't seem to move past the year 1998 with authentication," he said. "Things like not allowing certain characters, or limiting the length of the password to something ridiculously low, all because the developers, database admins, and/or designers are using outdated or deprecated mechanisms." Pendergast said he sees the same thing. "There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules.

A surprising number of companies don't use these basic password reinforcement functions," he said. And, Lanier noted that, "password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a Stickie note.

This at least reduces the risk that a person might serialize their password choices.

Certainly not a panacea, but for the average person, it's a great idea." Still, as McDowell noted, even rigorous passwords can't compensate for a person being fooled by a skilled attacker. "Many times, passwords are simply given away in a phishing or social engineering attack," he said. "I saw a recent stat from the SANS Institute that 95% of all attacks on enterprise networks are the result of successful spear phishing." All agree that the weaknesses of human nature mean it would be better to move beyond passwords.

But, as McDowell notes, human nature also requires that whatever replaces passwords must be, "easier to use than passwords alone. "User experience is going to win over security every time so the key to building a secure password replacement system is to build ease-of-use into its foundation," he said. Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone. "At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker," he said. This story, "Regular password changes make things worse" was originally published by CSO.

Attacker's Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers' five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software. Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation, according to researchers there. Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks.

The most common of these "root causes" though, were not zero-days or malware at all. The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were: abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks broadcast name resolution poisoning (like WPAD) -- 64% local admin password attacks (pass-the-hash attacks) -- 61% attacks on cleartext passwords in memory (like those using Mimikatz) -- 59% insufficient network segmentation -- 52% The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering.
Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one. "If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian.

The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do." As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does.

By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal."  The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers.

But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of  hacking.

The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise." Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons.

For one, he says, malware can fail or cause system failures, which draw attention to the attacker.
Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life, because they take a longer time to fix.  Mitigation  There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found that many organizations were missing these basic elements. He recommended that organizations wanting to clean up their act, start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report: Deploying Microsoft's LAPS tool on workstations and servers will go a long way to protecting against pass-the-hash attacks. Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change, installation of Microsoft Security Advisory 2871997, and regular monitoring for any unauthorized registry changes.  Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix. Some (not all) of Praetorian's suggestions in the report include: To strengthen passwords: increase Active Directory password length requirements to at least 15 characters enhance password policy enforcements (expiration, etc.) implement two-factor authentication for all administrator access and remote access. To mitigate broadcast name resolution poisoning: populate DNS servers with entries for all known valid resources disable LLMNR and NetBIOS on end-user workstations. To improve network segmentation -- after proper inventory of systems, data, and review with lines-of-business about employee access: Enforce network Access Control Lists (ACLs) so that only authorized systems have access to critical systems -- on a machine basis, by VLAN, or per user with "next-gen" firewalls. Update network architecture and network diagrams to reflect the new ACLs. For Praetorian's complete mitigation suggestions, see the report.  Related Content: Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
View Full Bio More Insights

Best Of Black Hat Innovation Awards: And The Winners Are…

Three companies and leaders who think differently about security: Deep Instinct, most innovative startup; Vectra, most innovative emerging company; Paul Vixie, most innovative thought leader. Dark Reading this year is launching a new annual awards program, the Best of Black Hat Awards, which recognizes innovative companies and business leaders on the conference’s exhibit floor. The 2016 Dark Reading Best of Black Hat Awards recognize three categories of achievement: the Most Innovative Startup, which cites companies that have been in the industry for three years or less; the Most Innovative Emerging Company, which cites companies that have been operating for three to five years; and the Most Innovative Thought Leader, which recognizes individuals from exhibiting companies who are changing the way the industry thinks about security. These new awards, chosen by the editors of Dark Reading, are not an endorsement of any product, but are designed to recognize innovative technology ideas and new thinking in the security arena.
In future years, Dark Reading hopes to expand the awards program to recognize new products in different categories, as well as more individuals who are making a difference in the way we think about security. Most Innovative Startup: Deep InstinctThe finalists for our Most Innovative Startup Award are Deep Instinct, which is driving past machine learning with an artificial intelligence concept called deep learning; Phantom, a security orchestration tool that provides a layer of connective tissue between existing security products; and SafeBreach, which provides a hacker’s view of enterprise security posture. The winner is: Deep Instinct. Here’s what our judges wrote about Deep Instinct:  “This was not an easy decision—each of the finalists, Phantom, Deep Instinct, and SafeBreach, bring really intriguing and useful technology to the security problem. In the end, we selected Deep Instinct as the Most Innovative Startup. Here’s why:  the concept of a cerebral system to detect malware and malicious activity at the point of entry in real-time and quashing it then and there solves many of the other security problems down the line.
If the tool can catch the malware when it hits the endpoint, a security pro theoretically wouldn’t need to check out security alerts, correlate them among various security tools and threat intel feeds, and then take the appropriate action (sometimes too late).

And unlike traditional antivirus, this technology looks at all types of threats, not just known malware, which of course is key today given the polymorphic nature of malware. We considered Deep Instinct’s approach of automatically stopping a threat at the endpoint, where it first comes in, using software that can on its own understand that it’s a threat and continuously learn about threats as unique and promising for security organizations.

Deep learning is the next stage of machine learning, mimicking the brain’s ability to learn and make decisions, and Deep Instinct is the first company to apply this type of artificial intelligence to cybersecurity, which also made it a top choice. In addition, benchmark tests of Deep Instinct’s technology indicate a high degree of accuracy in detecting malware, at 99.2%.

And unlike some endpoint security approaches, it occurs locally and there’s no sandbox or kicking it to the cloud for additional analysis.” Most Innovative Emerging Company: VectraThe three finalists for our Most Innovative Emerging Company are SentinelOne, which combines behavioral-based inspection of endpoint system security processes with machine learning;  Vectra, which offers real-time detection of in-progress cyber attacks and helps prioritize the attacks based on business priority; and ZeroFOX, which monitors social media to help protect against phishing attacks and account compromise. And the winner is: Vectra. Here’s what our judges wrote about Vectra:  “It was a tough choice, but in the end, we selected Vectra, because it addressed several of security professionals’ most persistent challenges, with solutions that were both inventive and practical. Infosec pros are inundated with alerts about threats. Whether those warnings come from media reports, newsletters, or one of many pieces of security technology, it’s often hard to prioritize them. Maybe it was declared “critical,” but is it critical to me? Maybe it was “medium,” but is it critical to me? Infosec pros have attackers dwelling on their networks for many, many months, largely because security teams cannot quickly make sense of all this threat data.

And infosec pros try to solve problems faster by adding new security technology that can sometimes put a huge strain on the network. We chose Vectra as the winner, because their solution helps prioritize threats for your organization specifically, can reduce attacker dwell time, and do so with a lightweight solution. Vectra’s tool tunes into all an organization’s internal network communications, and then, using a combination of machine learning, behavior analysis, and data science will identify threats, correlate them to the targeted endpoint, provide context, and prioritize threats accordingly -- as they relate to your organization.
Vectra can detect things like internal reconnaissance, lateral movement, botnet monetization, data exfiltration and other malicious or potentially malicious activities throughout the kill chain. Most importantly, Vectra’s tool allows security teams to identify their most important assets, so that the tool will know to push even a gentle nudge at those systems to the top of the priority list. With just a glance at the simple, elegant visualization used by Vectra’s threat certainty index, an infosec pro will know in moments what precise endpoint needs their attention first.” Most Innovative Thought Leader: Paul VixieThe three finalists for our Most Innovative Thought Leader are Krishna Narayanaswamy, Chief Scientist and Co-Founder of Netskope, Inc., a top specialist in cloud security; Dr. Paul Vixie, Chairman, CEO, and Co-Founder of Farsight Security Inc., a leader in DNS and Internet security; and Jeff Williams, Chief Technology Officer and Co-Founder of Contrast Security, who focuses on application security. And the winner is: Paul Vixie, Farsight Security. Here’s what our judges wrote about Paul:  “This was perhaps the most difficult choice we had to make in the awards, because all three of these individuals are thought leaders and difference-makers in their own fields of security.

Each of them is a contributor not only to innovation in his own company, but to the industry at large. In the end, we chose Paul Vixie, at least in part, because he likes to work and research and innovate in areas where few others are working.

The world of Domain Name Systems often seems impenetrable even to security experts, yet it is an essential element to the global Internet and, potentially, a huge set of vulnerabilities that could affect everyone who works and plays online. In the last year or so, Paul has taken some of the lessons he’s learned about DNS and the way the internet works and built Farsight Security, which collects and processes more than 200,000 observations per second to help security operations centers and incident response teams more quickly identify threats.
It works by analyzing DNS, which is a fundamental technology that the bad guys have to use, just as the good guys do.

And while Farsight is not the only company working in the DNS security space, it has developed new methods of analyzing and processing the data so that enterprises can make better use of relevant information. Paul doesn’t stop with the work he is doing at his own company.

As a longtime contributor to internet standards on DNS and related issues, he continues to participate in a variety of efforts, including source address validation; the OpSec Trust initiative, which is building a trusted, vetted security community for sharing information, and internet governance, including the controversial discussion around route name service. While all three of our finalists are deserving of special recognition, we feel that Paul Vixie’s contributions to innovation at his company, to enterprise security, and to internet security worldwide earn him this award.” Our congratulations to all of this year’s Dark Reading Best of Black Hat Awards winners! Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
View Full Bio More Insights

The threat hunter's guide to securing the enterprise

It’s time to face facts: Attackers are stealthy enough to evade your monitoring systems.
If you’re sitting back waiting for alarms to go off, there’s a good chance you’re already hosed. Despite spending more than $75 billion on security products and services, enterprises are frequently compromised, highly sensitive data is stolen, and the fallout can be devastating. Worse, enterprises don’t discover they’ve been breached for weeks to months after initial compromise, taking between 120 to 200 days on average to even detect an attack.

That’s a six-month head start on reconnaissance and exploitation -- more time on your network than most of your recent hires. Needless to say, existing approaches to threat detection aren’t working.
It’s time to strap on your threat hunting gear and proactively look for malicious activity in your environment. Here’s a plan to track down threats. Hunt in your own backyard Threat hunting, or cyberhunting, is a set of technologies and techniques that can help you find bad actors before they cause too much damage to your environment.

Although threat hunting can involve both manual and machine-assisted techniques, the emphasis is on investigators looking at all the pieces in context and uncovering relationships, says David Bianco, a security technologist at Sqrrl Data. Security automation can help collect data from network and endpoint segments, and machine learning can speed up analysis, but in the end, it’s up to you to assemble a series of diverse threat hunting activities into a comprehensive process for sleuthing out your adversaries, says Kris Lovejoy, president and CEO of Acuity Solutions and former general manager of IBM Security Services. “Threat hunting is a defensive process, not an offensive one,” Lovejoy adds. While a successful hunt requires you to think like a hacker, that doesn’t mean you should be tracing attacks back to the originating machine, immersing yourself in Dark Web forums, or engaging in questionable practices to uncover potential issues.

That may be the case for investigators and hunters from the U.S.

Department of Defense or the Federal Bureau of Investigation, but cyberhunting is purely defensive in the enterprise. You hunt by forming hypotheses about how an attacker can get into your network, then you look for evidence within your environment to prove or disprove those hypotheses. Build a baseline of knowledge Assessing security risk is a central facet of threat hunting, and the process can be split into three phases.

First, you must understand the threats most likely to target your organization, whether they be persistent adversaries, particular sets of malware, or a certain type of attack.
Second, you must identify your vulnerabilities, such as unpatched software or processes susceptible to human error.

Third, you must assess the impact a successful threat may have in targeting your vulnerabilities. Once you can calculate these risks, you can then prioritize your threat hunting activities to target them. “If I’m a bank and I know that criminals are likely to go after my database to get at accounts, I need to protect that database first,” Lovejoy says. Before you can start hunting, you need to understand the environment you are hunting in.

This goes back to basic IT administration, such as having a clear picture of the number of systems, what software and which version is running, and who has access to each one.

The network architecture, patch management process, and kind of defenses you have in place are all critical pieces of information in understanding your threat landscape.
IT teams need to know the weaknesses to identify potential points of entry. Here, adopting an adversary mindset is key in determining your attackers' moves. Your attackers’ motivations may vary wildly, but they often have similar goals and frequently share similar techniques.

An adversary intent on cybercrime will typically behave differently from one focused on economic espionage or sabotage, for example. Threat intelligence is one way to receive information about the kind of attacks hitting similar-sized organizations in the same industry.
If a number of competitors has been under attack by a gang using a Flash exploit, it makes sense to prioritize investigating potential Flash-based attacks over other types. Knowing exploit kits and other types of malware are all pushing the same dropper payload is helpful. It’s also essential to ascertain what might interest an attacker most about your organization right now.

This could be a new product your organization is working on or rumors about a potential acquisition. When you know what might trigger interest from potential attackers, you can better predict what techniques they will use and how they will traverse your network to get what they want. Map the kill chain A few years back, Lockheed Martin put forth the “cyber kill chain,” which divides targeted attacks into seven distinct phases: reconnaissance, weaponization, delivery, exploit, installation, command and control, and action.

Attackers typical move through each step, from initial compromise to theft, getting a lay of your environment well before exfiltrating any data.

A targeted attack takes time to develop; detecting the breach and blocking the attack as soon as possible will minimize damage. “Cyberhunters assume that something has been exploited, and their job is to find the threat before they can actually cause an impact,” Acuity’s Lovejoy says. During reconnaissance, criminals collect information about potential targets and avenues of attack. In the case of an acquisition, an attacker will collect information about executives and assistants who could potentially be working on the deal.

Based on the information gathered, the criminals develop a course of action, such as creating a phishing campaign. A successful hunt involves examining each phase of the kill chain and assessing specific tactics and techniques attackers may employ.

That may involve mining social media postings to determine whether anyone working on a possible acquisition may have identified themselves as working on the deal and creating a list of employees who may be potentially targeted by a phishing email.
If you believe phishing is the likely entry point of a targeted attack, then you can make assumptions about what the attack scenario will look like along each phase of the kill chain. Actively hunt for threats Your assumptions and hypotheses about potential attacks provide places to start your hunt.
Successful hunting involves examining a specific segment of your network without trying to see everything that may go wrong.
It’s about closely scrutinizing an endpoint for specific indicators of attack rather than getting a bird’s-eye view of system security. Most threat intelligence efforts focus on indicators of compromise that don’t help with cyberhunting.

The factors tend to be cheap, fragile, and inexpensive for adversaries to change.

Consider domain names or the name of the weaponized Word document carrying the payload.
It is trivial for attackers to generate new domain names and to change the messaging in an email accompanying an attack file to bypass security filters.
Instead, hunters should focus on patterns of attack, Lovejoy recommends. For example, you should look out for attempts to open a remote desktop session to create new admin accounts within Active Directory.
It doesn’t matter what the new accounts are called -- you should be searching for unexplained accounts. It’s trivial for an attacker to change the domain of a command-and-control server, but far more expensive to give up using a Flash exploit delivered via a malicious advertisement to remotely execute code and open a backdoor on the compromised machine. Look for attackers using legitimate tools such as PowerShell and WMI.
See where account credentials are being used. Patterns of attack reveal more about attackers than indicators of compromise because they are relevant for a longer period of time. Next-generation firewalls, anomaly detection platforms, and logs all provide a wealth of information, as do threat intelligence platforms and network threat detection systems.
In many cases, there is a silo effect, with information locked within each system, making it difficult for defenders to see all the related pieces.

Threat hunting forces defenders to break out of the tendency to consider systems in isolation. When a process touches different segments and systems, hunters must pay attention to how they relate to each other. Build up security response Once you find signs of a breach, threat hunters should step aside to let traditional incident response teams take over.

The hunter’s job is to make guesses as to where the attackers may be within the network, but they aren’t necessarily those with the expertise to block attackers.
Incident response will be in charge of mitigating the attack and remediating issues. It may be tempting to create specialized hunt teams because they pinpoint problem areas and find the attacks, but that shouldn’t be at the expense of basic IT administration, network monitoring, and defense-in-depth strategy.

Cyberhunting starts with the assumption “I have been breached” and looks for evidence to support that assumption, and dedicated incident response and forensics kick in when that evidence has been found and the damage has to be contained.

They are very distinct skill sets, and both are necessary.

Defenders need all of these elements to work together. Stop the cancer Threat hunting isn’t a new concept, and many organizations have already adopted some form of the practice as part of their overall security plan.
In a recent SANS Institute survey, 86 percent of IT professionals said they had implemented threat hunting processes in their organizations and 75 percent claimed threat hunting had reduced their attack surface. As with every other aspect of information security, there’s a time and place for cyberhunting.

Enterprises should look at the Hunting Maturity Model developed by Sqrrl Data’s Bianco to judge if they are ready to begin hunting.

The model defines maturity based on three factors: the quality of data collected, the tools available for accessing and analyzing that data, and the skills of those performing the analysis.

A skilled enough analyst with high-quality data can compensate for deficiencies in the toolset, but for the most part, organizations should focus on all three factors. “In order to get anywhere, you must first know where you are and where you want to be,” Bianco wrote in a blog post outlining the model. Enterprises need to reduce the breach detection gap -- more than half a year to discover a breach is unacceptable.
Start with the assumption that attackers are already present and keep looking until either the compromise has been found, or there’s conclusive proof that your environment hasn’t been compromised. Think of the enterprise as a biological system that has been infected, and threat hunting as a way to discover how far the infection has spread and what kind of damage it is causing. “Threat hunting is catching cancer in the early stages, before it metastasizes and kills you,” Lovejoy says. Related articles

Purple Teaming: Red & Blue Living Together, Mass Hysteria

When you set focused objectives for the red team, you get your blue team to work the weak muscles they need trained most. Red teams beat up on blue teams all the time. However, while there can be plenty of sore muscles on both sides, they're not always the muscles that needed the most exercise: security teams don't always learn as much from the bruising and battering as they could.

Enter "purple teaming" -- an exercise in which every bruise and muscle strain has a purpose. In a purple team exercise, the red team's objective is to test the effectiveness of a specific security control or to challenge the blue team on a specific skill set.

The objective would usually be set by someone who is familiar with the security team's needs -- an incident response manager, CISO, or security operations director.  Chris Gates, senior incident response engineer at Uber, and Haydn Johnson, senior consultant of KPMG Canada, will outline the ins and outs of the technique Oct. 18 at SecTor Canada in their session, "Purple Teaming the Cyber Kill Chain: Practical Exercises for Management."   "The mindset is about working together," says Johnson. He likens it to sparring with a partner instead of merely shadowboxing in a mirror.
It's also better than getting into a street fight. Gates says the idea appealed to him because after years of being on the red team side and watching most blue teams fail to improve their defenses even after an exercise, he'd become disillusioned with his role.     "I wanted to be a fixer instead of a breaker," he says. Johnson and Gates gave a few examples of how purple teaming can be used: If an organization has implemented ways to limit the effectiveness of Mimikatz, for example, the red team's efforts would focus on trying to run Mimikatz.
If the sec ops director wants his or her team to have practice responding to a malware attack on a corporate device on corporate wifi, the red team would build their attack accordingly.

Generally, the blue team would not be informed ahead of time, and they approach the event as a real incident. Purple teaming does not need to be a Herculean endeavor; it merely needs to accomplish the particular objective.

At Uber, Gates says, the exercise might be an "active adversarial simulation," but it might also just be a controlled test or a table-top exercise.
If the goal is simply to test the effectiveness of a security tool, Johnson and Gates explain, a purple team exercise may be as simple as an attempt to get a malicious email past the mail proxy.  Another key part of purple teaming is what happens after the exercise: both red and blue teams share information about their experiences -- the attacks, the alerting and instrumentation, the detection and response procedures.

The goal of a blue team vs. red team exercise in this case is ultimately to make the organization better, not to be adversarial.  By purple teaming, "I get to see what my attacks look like on the other side, which makes me a better attacker," Gates says.  You might think that this takes giant squadrons of people and months of planning.

Thompson and Gates say it needn't be that way: One or two internal people, plus consultants as necessary, can get the job done.   Gates says, though, that while purple teaming doesn't need a big team, it does need a mature team.

An immature security organization won't have the knowhow to set the objectives and "know where the gaps in knowledge are." "I don't think you can do it with a one-man shop" without consultants, Gates says. Though they wouldn't go quite as far as to say that purple teaming would save an organization money, Gates and Johnson say purple teaming lets them put time and money where it's most needed in an organization.  Related Content: Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
View Full Bio More Insights

Diagnosis SOC-atrophy: What To Do When Your Security Operation Center Gets...

Whether it's due to lack of attention, poor capital planning or alert fatigue, there are lots of reasons why an SOC can become unhealthy. Here's how to make it better. Congratulations, you’re the new CISO! Whether you have served in the role previously or it’s new to you, you’ll be asked to observe your new organization, to develop a 100-day plan, to evaluate people, processes, and technology, and of course you’ll need to tell the CEO where you would attack the organization and how you will protect against that.
It’s a daunting and exciting task to be the new CISO.  There is so much to observe, learn, and then you have to formulate a plan of action. You are inundated with learning the new organization from the CISO’s chair.

Finally, the day comes when you tour the Security Operations Center. You are looking forward to this, because it’s operational; it’s where you fight the adversary—hackers with various forms of capabilities, motives, and sponsorship.  Of course you want to see the chess match in action between your cyber analysts and threat actors. You look around: it looks like a SOC (analysts at monitors), and then your SOC Director briefs you on manpower, processes, technology, annual budget, measures and metrics.

As the briefing continues your smile transitions to furrowed eye brows.

As you investigate, and question, and seek to understand, you can see what has happened, your SOC is sick. You have seen the symptoms before and you know the diagnosis, it’s SOC-atrophy.   SOC-atrophy: An omissive noun. 1. When your technology has remained dormant too long. 2. Unrefreshed cyber technology. 3.

The absence of intelligence and heuristics. 4. Plagued by false positives.
Your SOC became sick for several reasons. The technology you have is antiquated and completely signature-based, best suited for static threats, not advanced threats. While signature-based solutions have a role, it’s a secondary protection role. The organization failed to keep up with technology and the evolving threat.

For years, the organization has relied on incremental funding.

This budget strategy has a typical result; a disparate mix of capabilities purchased individually as security silos without consideration for how the capabilities will work together.

The tools don’t work together.  It’s an integration nightmare! But SOC-atrophy is not a technology problemAs you sit down with your analysts, you observe that each analyst must be knowledgeable about several different tools and that they spend a lot of time collecting data and alerts. You observe the waterfall of alerts overflowing your analysts with data -- mostly false positives.

The analysts have alert fatigue; they just can’t keep up. The bottom line: the organization didn’t see the evolution of the threat, didn’t keep up with technology, and has not figured out how to use threat intelligence, much less integrate intelligence as a key enabler.

The old technology in your SOC was the right decision for a different time, but not for today.  Capital planning for cyber investment has also been a challenge.

Typically SOCs are developed and funded piecemeal, a silo of capability at a time.

This has a cause and effect, the tools are hard to integrate or don’t integrate at all, which in turn make it virtually impossible for an analyst to perform. Whether it has been lack of attention, inadequate measurement of effectiveness, poor capital planning, or alert fatigue, there are several ways for a SOC to become sick. Your goal now is to bring it back to a healthy state. Here are five strategies to overcome SOC-atrophy. Research to understand all SOC investments. You need to analyze the costs of each tool, effectiveness, and cost, and then prioritize the value of what you have. You will want to keep the best value, and get rid of the lower value, higher cost, solutions.

This is your available trade space. Perform a SOC-focused assessment.

This will gauge operational effectiveness and highlight gaps. Knowing your current health is a relatively low-cost endeavor and helps you in building a business case for investments to close the gaps. Study the threat landscape.

From CEO to cyber analysts, your organization needs to clearly understand the threat landscape and how the threat is escalating.

This understanding will help you focus on the technology, expertise, and intelligence you need to protect your organization. Resist the urge to fund your tools piecemeal. Develop the business case for an integrated platform with the ability to visualize web, email, file servers, endpoints, mobile, and SIEM, in one picture, enabling the ability to detect and remediate threats earlier in the kill chain.

The board needs to understand the business case for an integrated platform. Encourage cross-organizational collaboration. It’s critical to build partnerships for vetting the business case and gaining consensus on your SOC plans.
Spending quality time with your fellow IT executives and other business leaders to discuss -- at a strategic level -- what you are working on, your timeline, and your forthcoming proposal.

There is no greater feeling than going into a board meeting with many of the members clearly in your corner. Related Content:  Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business.

Click to register.
Lance Dubsky, CISSP, CISM, is Chief Security Strategist, Americas, at FireEye and has over two decades of experience planning, building and implementing large information security programs.

Before joining FireEye, he served as the Chief Information Security Officer at two ...
View Full Bio More Insights

Jeremiah Grossman: Focus on ransomware, SDLC, and endpoints

With so many elements in information security -- application, network infrastructure, the endpoint, perimeter defenses, and data-centric approaches -- it's easy to fall in the trap of touting one as more important than the other. But it's a mistake to consider information security as a series of silos when it's actually an intersection of different areas. That overlap is most evident with application and endpoint security. For Jeremiah Grossman, the new chief security strategist at security vendor Sentinel One, application security and endpoint security are just different steps in the kill chain. As the founder and former CTO of the consultancy WhiteHat Security, Grossman has been the go-to-expert for web application security for years, and his new focus on endpoint security at Sentinel One does not mean that he has given up on securing web applications. Jeremiah Grossman "From an adversary kill-chain perspective, if we can get the bad guys not to be able to break into the website, great, let's do that. But if we can't, let's makes sure that if the system gets compromised and malware is on it, we can detect it really, really quickly and stop it, or eradicate it," Grossman said. Many of the latest data breaches began with the adversaries exploiting a vulnerability in a web application, and then pivoting in the network to find other vulnerabilities and weaknesses. The web application is the doorway, but the actual attack happens on the endpoint, whether that's valuable data stored in a database or, in the case of ransomware, documents that could be locked up to demand ransom. Web application security and endpoint security are intricately tied up together, he said. Back in 2001, when Grossman first started working on web application security, cross-site scripting flaws and SQL-injection errors were rampant, with pretty much every website affected. Fast-forward to 2016, and such attacks are incredibly rare among major sites. Cross-site scripting and SQL injection still exist on many websites, but it's no longer as widespread. App security still matters, but SDLC has to be done judiciously Information security professionals frequently talk about inserting security throughout the SDLC (software development lifecycle): Developers adopt secure coding principles and perform regular testing to catch and fix bugs before the application goes to production. The SDLC is a good thing, and more organizations need to adopt the secure development mindset. But it isn't practical to demand all existing applications be rewritten under the SDLC. Legacy software, which powers the majority of the web and is installed on billions of endpoints around the world, has vulnerabilities. Fixing those flaws is part of what Grossman calls "legacy janitorial work." No company can shoulder the cost of rewriting all their applications and starting over with a secure coding mindset. And then there are all the open source projects out there for which there's often no one to shoulder any such legacy janitorial work. Microsoft is frequently touted as the poster child for how SDLC makes a difference, but that's an interesting -- and possibly unrepeatable -- case, Grossman said. The Microsoft that said it was going to start over and make its applications more secure was a monopoly, dominated the industry, had strong market share, and had "multiple billions" in the bank to spend on the effort, he noted. That's not the case for most companies faced with the prospect of revamping their software portfolio. And today, a decade after Microsoft made that commitment, Microsoft itself couldn't likely make that commitment. "No one's going to disagree that the later versions of Windows, from Windows 7 to now, are solid. Microsoft did really good work. But what was the ROI for Microsoft in that?" Grossman said. Instead of trying to revamping all the software, the effort should be two-pronged: 1) improve the process for remediating vulnerabilities as they are found, and 2) run new code, or actively managed code, through the SDLC.  That doesn't mean just incorporating SDLC elements, but also assessing the effectiveness of the new practices. "After you do a whole bunch of SDLC stuff, does the software actually come out more secure? If so, by how much? And is it worth it?" Grossmand said. Security investments aren't going where they're most needed The industry has made progress finding vulnerabilities, but the immensity of the web -- at a billion-plus websites strong -- means the cleanup effort is going to take a lot of time and resources. That means there will be more compromises, attacks, and infections in the meantime. While the industry focuses the efforts toward fixing vulnerabilities and writing new code, there has to be a parallel effort to improve endpoint security to block the adversaries. "You could compromise a company just by sending an email. That's a pretty attractive route" for criminals, Grossman said. "The spending models are all backward," Grossman said. Enterprises spend most of their IT budgets on software, followed by endpoints, and very little on networks, whereas the lion's share of the IT security budget goes to perimeter defenses, such as firewalls and endpoint security, and very little is spent on software.  Ransomware must be tackled now, before it's too late Organizations need to look at what the adversaries are doing and allocate efforts and funding accordingly. And right now, the adversaries are looking at ransomware. The FBI has estimated payments of $23 million to $25 million were made to ransomware gangs in 2015, but that figure has ballooned to more than $200 million in the first quarter of 2016 alone. That's a staggering growth rate, especially since the latest research indicate ransomware still account for less than 5 percent of overall malware attacks. While ransomware itself might not account for a big portion of the overall malware scourge, it is a serious problem, and creative minds need to start thinking of new methods and techniques to detect and foil these infections. "While we're still going to have the big malware problem overall, we're going to have another one in the form of ransomware," Grossman predicted. Worse, it's not as if the general malware problem has been solved: Despite nearly $8 billion to $12 billion spent annually fighting malware, malware is rampant, he said. Still, the latest anti-ransomware efforts, such as what Grossman will work on as part of his new role at Sentinel One, are an opportunity for information security professionals to get ahead of a problem before it becomes entrenched. There's no need to wait for ransomware to get bigger as a problem before coming up with new solutions. "We always seem to be ambulance chasers. But ransomware, we can see it coming. It's right there," Grossman said. Grossman believes ransomware will be a billion-dollar market by 2018, and at that point it will be too late to do something about it. "We can fight an uphill battle, but for those who want to get ahead of it, we can do it now," Grossman said. The web is too valuable not to actively protect Many in the security industry, whether they came into the field by design or by accident, view the work as a calling. The web is the "greatest invention we'll see in our lifetime," Grossman said, who called it his mission to protect it and the billions of people using it every day. Whether that's endpoint security or fixing vulnerabilities in web applications, the end result is the same. "I want to be able to protect people, protect websites, protect the web. It's that important. We're all using it today," he said.

HPE Exec: How to Disrupt the Business of Hacking

A Hewlett Packard Enterprise executive details how hacking now has an organized business model and suggests steps to make it less profitable for hackers.

Andrzej Kawalec, CTO for Hewlett Packard Enterprise Security Services, has seen a significant shift in recent years in how hackers operate. While hacking was at one time just a disorganized, ad hoc activity, it has become a business and is structured that way.In a new report, HPE details how the business of hacking and modern cyber-crime operate."Today, we're not just facing talented individuals or groups of hackers; we're facing a globally integrated, industrial-scale and highly profitable adversary," Kawalec told eWEEK.To properly defend against the modern cyber-threats, it's important to first understand the adversaries and how they work, Kawalec said.

All businesses are organized around the general goal of revenue generation. Roles and operational procedures in any business are set up to support the primary goal, and the business of hacking is no different. Once defenders understand the business organization and motivation of hackers, it is possible to disrupt the operation, Kawalec said. "Disrupting the business of hacking is about changing the profit model for what the hackers are trying to do.
So for intellectual property theft, the minute we put encryption around the data, we change the profit model as the attackers can't easily monetize what they've stolen." By adding encryption to IP, it's not enough for an attacker to break into an organization and steal data, as the attackers still need to figure out how to make money, he said, adding that it's possible for defenders to disrupt the business cycle for attackers.When it comes to ad fraud and extortion, it's also possible to disrupt the profit models there as well.

For advertising fraud, one way to disrupt the business model is to tighten controls around ad delivery and advertisement payment approaches.

For extortion, which is often executed by way of ransomware, Kawalec suggests that by having proper backup and data retention policies in place, it's possible to make attacks less profitable.Other areas where defenders can disrupt the business of hacking include human resources.

As is the case with any business, hackers often need to recruit personnel. Kawalec suggested that by disrupting hackers' human resources by way of education and intervention, it's possible to hamper the recruitment process and the overall hacker business model.The modern business of hacking is also about scale and involves adversaries that are able to operate distributed online computing resources, including shared code, Web, email and hosting.

By understanding how the infrastructure is being used to support the hacking enterprise, it can be disrupted, Kawalec said."There are a number of ways we can disrupt the adversary, rather than just fighting one-off battles," Kawalec said. "Criminals have been able to scale operations using all manner of techniques that allow modern organizations to build businesses, so we need to address the issue at the fundamental function level and not as a point-in-time attack."While HPE is describing modern cyber-threats as a business, another common approach taken by many in the security industry today is to view threats as a military conflict, with the idea of the kill chain.
In a military context, a kill chain is the set of steps required to fire a missile or another piece of armament.
In cyber-security, the term has been adoped to refer to the entire process used by an attacker to exploit a victim."There is less kill chain and more on value chain in our view," Kawalec said.The HPE business of hacking model is shifting away from a focus on how an attacker got into an organization and now emphasizes how the hacker infrastructure is organized, managed and what its goals are."I would never forget the kill chain, but in our report, we're focused on the economics of attacks, rather than the techniques and the procedures," Kawalec said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter@TechJournalist.

What Are the Security Risks of the Cloud?

VIDEO: Andy Ellis, chief security officer at Akamai, details some of the challenges and opportunities for security in the cloud. In a May 6 session at the Interop conference in Las Vegas, Andy Ellis, chief security officer of Akamai, ...