What to do with Threat Intelligence (II)
This is the second article in a series regarding security threat intelligence.
To be sure, security intelligence isn’t easy for a new or under-resourced program to undertake - but it’s far from impossible. Let’s look at where to start.
First, decide how deep you want to be. Those looking to simply gather threat information and make informed risk management decisions could take a very simple approach, choosing to focus on, for example, high-profile data breaches against others in their industry.
Some organizations may be ready to monitor their environment for specific technical indicators; others may want to begin with more general behavior. Financial institutions might look for patterns of transactions that indicate fraud. Manufacturers might use data loss prevention (DLP) tools to monitor network traffic for theft of intellectual property. Software developers might set up search engine alerts to see if their source code has been posted online.
If looking for technical identifiers is within your capability, it might be good to start with a limited scope in mind. Do you want to examine network traffic? Are you most interested in one specific protocol or application - just email or web traffic - or more? Would you limit yourself to a certain location on your network, such as the internet perimeter or the DMZ? Maybe you want to monitor endpoint systems - but just critical servers? Eventually, you might expand to user workstations or mobile devices.
Next, choose your sources of data. How will you learn about the threats that could affect you? The low-hanging fruit in this step comes from news headlines. When a breach hits the front page of the New York Times, scour the article for technical details. How did the attackers gain access to the data? What tools and techniques did they use? When the Times doesn’t have the information you need (they probably won’t), search further, or find the company that discovered the breach. As you read about the attack, ask the question, “If this happened to us, how would we know?”
Security researchers often discuss new and interesting attack techniques, online via social media or industry publications, or at conferences like Derbycon (www.derbycon.com) and Blackhat (www.blackhat.com). A few hours at a conference will leave you with more than enough threat intelligence to worry about for the next few months! The trusted reputation of the researchers you choose to listen to is key for the credibility of this source.
Collaboration has become more common. Security and technical staff from peer businesses - even competitors - in some industries have formed casual birds-of-a-feather relationships that meet regularly to share intelligence. This might include recently seen attack techniques (“check out this phishing email we just got hit with”) or even breach details (“they raided our source code repository to find all the bugs in the application we’re working on”). Hesitation to share and mistrust of peers have begun to give way to a “united we stand” approach that has been extremely effective - especially in the financial services and defense industries.
Law enforcement may also have useful information about recent attacks they’ve investigated. While sharing specifics about the target organization is typically frowned upon, they may be willing to reveal how attacks happen and key indicators to watch for.
Internal research is probably the most effective way of obtaining threat intelligence. As attacks occur, security research teams will review the details of each tool or resource used by the attacker, and document it for future use. The documentation would include network identifiers, such as command and control hosts or protocols used; host-based identifiers, such as common storage locations for tools or registry keys left behind; or descriptors of binaries that would be obtained from reverse engineering malware, such as a common code-signing certificate or imported library.
It will be helpful to prioritize your data sources. You may consider certain sources, including peer intelligence or internal research, as more trustworthy than others, such as public research.
Then, determine how you will track your intelligence. It should be stored in a secure location accessible only to the security staff that uses it; but it should also allow for easy collaboration and use by the organization’s tools. Common storage systems range from low-tech spreadsheets to password-protected wikis.
Noted security research firm Mandiant has pioneered an open standard called OpenIOC (IOC standing for Indicators of Compromise) to describe technical threat identifiers. This standard enables you to write simple or complex descriptors in a file. This file can be edited using their IOC Editor. Endpoint systems can be reviewed to see if IOCs are present with their IOC Finder tool. Both of these tools and the schema can be downloaded for free from the www.openioc.org website.
Threat intelligence does require some care and feeding. A process to decommission intelligence that is stale or no longer useful should be implemented - otherwise an organization’s database will quickly grow too large to be effective. You may consider eliminating indicators after a certain period of time, or a set number of weeks or months after their last detection in the environment.
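The tracking, source-prioritization and decommissioning steps above can be combined in one small indicator store. This is an added example, not code from the original article or from the OpenIOC tools; the field names, the source ranking and the 365-day and 90-day windows are assumptions, and the sample indicators are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed trust ranking (lower = more trusted), following the suggestion that
# internal research and peer intelligence may outrank public research.
SOURCE_RANK = {"internal": 0, "peer": 1, "law_enforcement": 2, "public": 3}

# Assumed retirement windows; the article leaves the actual periods open.
MAX_AGE = timedelta(days=365)    # never detected in the environment
MAX_QUIET = timedelta(days=90)   # time since the last detection


@dataclass
class Indicator:
    kind: str                         # "network", "host" or "binary"
    value: str
    source: str                       # a key of SOURCE_RANK
    added: date
    last_seen: Optional[date] = None  # last detection in our environment


Store = Dict[Tuple[str, str], Indicator]


def add_indicator(store: Store, new: Indicator) -> None:
    """Insert an indicator, de-duplicating on (kind, case-folded value)."""
    if new.source not in SOURCE_RANK:
        raise ValueError(f"unknown source: {new.source}")
    key = (new.kind, new.value.lower())
    old = store.get(key)
    if old is None:
        store[key] = new
        return
    # Reported twice: keep the more trusted source and the earliest add date.
    if SOURCE_RANK[new.source] < SOURCE_RANK[old.source]:
        old.source = new.source
    old.added = min(old.added, new.added)
    if new.last_seen and (old.last_seen is None or new.last_seen > old.last_seen):
        old.last_seen = new.last_seen


def record_detection(store: Store, kind: str, value: str, day: date) -> bool:
    """Note that a tracked indicator was seen; False if it is not tracked."""
    ind = store.get((kind, value.lower()))
    if ind is None:
        return False
    if ind.last_seen is None or day > ind.last_seen:
        ind.last_seen = day
    return True


def is_stale(ind: Indicator, today: date) -> bool:
    """Detected indicators age from last detection, the rest from intake."""
    if ind.last_seen is not None:
        return today - ind.last_seen > MAX_QUIET
    return today - ind.added > MAX_AGE


def retire_stale(store: Store, today: date) -> List[Indicator]:
    """Remove stale indicators and return them so they can be archived."""
    stale_keys = [k for k, ind in store.items() if is_stale(ind, today)]
    return [store.pop(k) for k in stale_keys]


def prioritized(store: Store) -> List[Indicator]:
    """Review order: most trusted source first."""
    return sorted(store.values(),
                  key=lambda i: (SOURCE_RANK[i.source], i.kind, i.value))


def build_sample_store() -> Store:
    """Constructed sample data; none of it comes from a real incident."""
    store: Store = {}
    add_indicator(store, Indicator("network", "c2.example.test", "public", date(2011, 1, 10)))
    add_indicator(store, Indicator("network", "C2.example.test", "internal", date(2011, 3, 1)))
    add_indicator(store, Indicator("host", r"C:\Temp\placeholder-tool.exe", "peer", date(2010, 2, 1)))
    add_indicator(store, Indicator("binary", "import:placeholder.dll", "public", date(2011, 5, 1)))
    return store
```

Returning the retired entries rather than deleting them outright lets them be archived, so an indicator that resurfaces can be re-added with its history.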
Fill the Gap in PCI Compliance
When we’ve invited guests over to our house, I usually spend the afternoon before they arrive cleaning – my wife likes the place to be immaculate. Within a few days, however, our house is just as messy as it was before. According to a recent report from Verizon Business, many organizations behave the same way with PCI compliance. The report (available here as a PDF) states, among other findings, that 79% of businesses examined in 2010 did not meet the PCI-DSS standard, and that most of those that failed the audit were compliant the year before.
The PCI Data Security Standard is a set of tools and metrics for merchants, payment processors and financial institutions to protect cardholder data. It was initially released in 2004 by a council of the major payment card industry members (Visa, Mastercard, American Express, etc.). The current version of the standard is v2.0, released in 2010, and defines twelve requirements that must be met by businesses that wish to process credit and debit cards. So why is it so uncommon for these businesses to remain compliant? It’s a relevant question because you and I want to do business with merchants that take measures to keep our financial data safe.
There are likely various causes for the gap in compliance. Organizations might feel the need to “just get the box checked” – and as a result they act like a teenager cleaning his or her room, covering up the disarray so that it’s just out of sight. It doesn’t take long for the place to get out of order after the auditors leave.
Cost and complexity are also factors. There’s nobody to watch the logs from the new firewall; there’s no money for the annual penetration test this year; the CIO got too busy and didn’t have time to finish updating the company’s security policy.
Properly securing a business can be like training for a marathon. It requires a long-term commitment, doing hard work that doesn’t have an immediate reward, and most of all, it can really hurt. But remembering our responsibilities – to our customers and their data; to our shareholders and owners; and to our own employees – is key. All of these folks would be adversely affected if a breach were to occur!
The requirements mandated by PCI-DSS aren’t just good for businesses that process or store cardholder data. They’re solid recommendations that can improve the security posture of any organization with critical systems or data to protect. If your organization doesn’t have a formal security program, PCI can be a great place to learn about controls and defenses. Other resources, such as ISO 27002, NIST’s 800-53, or SANS’ Top 20 Critical Controls, describe the steps to start developing the people, process, and technology required to protect your business.
If you are subject to PCI-DSS, don’t stop there! PCI is the beginning of the journey, not the end. After all, organizations that are PCI compliant can still suffer breaches. Heartland Payment Systems, who reported a breach and the loss of millions of records in 2008, was PCI compliant at the time. A comprehensive information security program goes beyond boxes on an audit report – it includes maturity that’s baked into the business at a foundational level, and a culture that cares first and foremost about protecting its data and assets.
Hacker Collectives in the News Part II
What do hacker collectives mean for your business?
Perhaps your response to reading this material has been, “they wouldn’t ever come after us”. Are you certain that no individuals bear your organization – or maybe an employee of yours – any ill will? Some of LulzSec’s targets were chosen simply because a frustrated individual asked them to attack a perceived enemy!
It’s also possible that your organization was inadvertently exposed when an employee used their company email address as their login name when signing up for a service that’s been attacked recently. They may have even used the same password for the service that they use at work! If those credentials were stolen, they are likely in the hands of hackers who may be using them for further attacks.
What actions can you take to protect your organization, either from hacktivists, or any other malicious entities?
Check your public-facing systems and applications. When was the last time your Internet-facing systems were examined for vulnerabilities? Have you ever had a web application assessment, which would look at more than just the holes in the operating system or application platform? What about a penetration test, which would gauge your systems’ resiliency against hackers by simulating actual attacker techniques? Many of the recent attacks where data was stolen involved a technique called SQL injection, where an attacker exploits weaknesses in web applications to retrieve normally inaccessible data from a database. This kind of attack has become extremely common, as it’s fairly easy to execute and can typically be done without alerting the system owners.
Educate your users. Tell them to never use their company email address, username, or password on systems that aren’t controlled by your organization. Remind them to never reuse passwords on different sites, especially those that store personal or financial data. In the LulzSec attacks, hundreds of thousands of usernames and passwords were disclosed. This is a huge problem if one email address and password could get you into all of the websites you use, including your bank, personal email, or shopping sites like Amazon. That’s like having a single key that starts your car, opens your front door, your mailbox, and your safety deposit box!
Monitor your network. Would you know if you’d been targeted by hackers? What would tip you off? Collecting logs from critical systems, or those that store sensitive data, and reviewing them regularly is a must considering today’s threat landscape. It’s not enough just to watch for outages, or even to review logs a few times a month looking for “bad stuff”. Constant monitoring – and investigating suspicious activity in a timely manner – is key!
Hackers aren’t going to stop their attacks any time soon. Organizations that don’t take measures to protect their systems, and that aren’t prepared to respond to a breach, are the ones that end up on the front page. Don’t be the next headline!
Hacker Collectives in the News - Part I
You’ve likely seen names like HBGary, Fox News, and Sony in the headlines recently, as a few of the dozens of corporations and government organizations that were targets of hackers. You may have also heard other, less familiar terms – like LulzSec, or Anonymous, or Antisec. Who are they? What are they after? Should your organization be concerned?
Hacker collectives certainly aren’t new. Ever since computers have been connected to phone lines and networks, the curious and the mischievous have tinkered with systems, discovered hidden weaknesses, and occasionally exposed them for fun and profit. Groups like the Chaos Computer Club and l0pht have operated in this manner for decades, disclosing vulnerabilities in an effort to push vendors to secure their systems more effectively.
Anonymous, LulzSec and Antisec
A group called Anonymous, which became active in 2003-2004 as a loose collective of internet forum members, carried a social and political agenda. Championing freedom of speech, press, and information, they attacked organizations that they claimed threatened this freedom. Their targets included the Church of Scientology, opponents of the whistleblower website Wikileaks, and government security contractor HBGary Federal. These activities gave rise to the term “hacktivism” – to hack for a cause.
Members of Anonymous split off in early 2011 to form a new collective called Lulz Security. True to their namesake – “lulz” is a slang term for humor through mischief, originating from the Internet forums that gave rise to the group – LulzSec attacked several Sony subsidiaries, shortly after their Playstation Network was taken down by others upset at Sony’s crusade against hackers. The goal was to embarrass Sony, drawing further attention to the international media giant’s poor security track record. LulzSec also attacked PBS, as well as several video game publishers and developers, information security companies, and an adult website. The group has posted hundreds of thousands of usernames, email addresses, and passwords, stolen in these attacks, to the public Internet.
The group also targeted local, state and federal government. A denial-of-service attack brought down the CIA’s website; the US Senate website was defaced; and emails and personal information about dozens of Arizona government employees and law enforcement officers were published online.
In late June, likely in fear of retribution from law enforcement, LulzSec officially disbanded. Their leaders encouraged other hackers to continue in these hacktivist efforts, in a movement they deemed Antisec. Anonymous took up the cause, which continues to target the information security industry, as well as sources of government corruption and threats to civil liberties. On July 11, Anonymous published over 90,000 credentials for US military email accounts allegedly stolen from defense contractor Booz Allen Hamilton. Government networks in Africa and South America have been the targets of intrusion under the Antisec banner in the past few weeks.
Note: What this means to your business and what you can do to protect your data coming soon
The Epsilon Attack Analysis
On March 30, 2011, an attacker obtained unauthorized access to some of Epsilon’s business customer data. This data consists of the names and email addresses provided by Epsilon’s business customers, some of which are top global companies, to conduct email marketing campaigns.
While only a few dozen of Epsilon’s thousands of business customers were affected, the number of records stolen could number in the millions, considering the significant size of the businesses that reported the breach to their customers.
Why would someone steal this data?
Email lists are valuable to spammers, whose goal is to reach as broad an audience as possible with their unsolicited content. We can also assume the lists are tied to the business customers who provided them to Epsilon – meaning an attacker could send fraudulent email to the customers, acting as if they originated from the businesses themselves. The recipient would likely feel safer opening the email and following any instructions it provides, if they are used to receiving email from that business.
What’s the worst case scenario?
A targeted phishing attack. An attacker could send an email to an individual on a bank’s customer list, and design the email so that it is convincing as a legitimate message. This message could claim that, due to the Epsilon breach, it was discovered that the user’s online banking credentials or personal financial data was also compromised, and direct the user to change their online banking credentials immediately. The email could then point the user to a fraudulent website, appearing to be hosted by the bank itself, and provide a form where the user could supply their existing credentials, or financial information, allowing them to be stolen by the attacker.
This kind of attack is possible for any of Epsilon’s business customers that are responsible for customer data. Any number of scenarios arise where attackers could coerce the customer to a fraudulent website to supply sensitive information.
How can you protect your organization from a similar attack?
Begin with a data classification exercise. Identify all types of data, for which your organization is the primary owner, or a steward. Examples of primary ownership include internal company information, employee personal data, customer usernames and passwords, or customer account numbers. Data for which you are a steward includes customer personal information, such as name, address, phone, social security number, or financial data including account numbers and credit card numbers.
Establish internal owners of each category of data. Define secure storage, data retention requirements, and destruction mandates for each category. Establish access controls that only allow access to read, modify, and delete the data by authorized users and systems. Monitor access to the data at the storage point, and investigate suspicious activity. Monitor perimeter activity, using a data leakage prevention product, to identify when sensitive data is leaving your network.
Be aware of other organizations – vendors, customers, government entities, and so on – that may steward your data. Make sure they provide you with copies of their policies that dictate how they will and will not use your data. Ensure they take sufficient measures to protect your data.
Educate users and customers about modern attack techniques. Warn them to be wary of any email-based communication that asks them to provide or change sensitive information – such as usernames and passwords, account numbers, social security numbers, etc. Advise against clicking links or opening attachments in email messages – instead, direct them to manually browse to websites to ensure they are visiting an authentic website.
Your Secrets at Stake
Who’s coming after your data and how to stop them?
What does the Colonel put in his famous “secret recipe” that makes his chicken so tasty? What’s the code behind your favorite Internet radio station that always picks just the right song? How does the military make fighter jets that avoid detection and break the sound barrier?
Secrets are what help these organizations succeed. They prosper when others don’t. If their secrets got out though, what would happen to them?
That is why protecting your organization’s intellectual property is so important. Think about what would happen if your business’ proprietary information was broadcast on the local news – or widely distributed over the Internet. How would that impact you? Would it affect your reputation? Would you lose your competitive advantage? Would customers leave and head to the other guy?
The threat of intellectual property theft is real, and in the past few years, our security team has worked with customers who have been targeted by attackers to get their hands on these secrets by any means necessary.
Who is coming after these secrets? Often we see shady companies conducting corporate espionage against their competitors. Or, some disgruntled employees decide they’ve had enough, and they decide to steal vital data before walking out the door and handing it over to an industry peer. Even worse is when it’s an accident – an employee mistakenly emails sensitive data to the wrong destination or posts what should have been a secret on a social networking site.
In many cases, malicious hackers are breaking into networks and gathering as much data as they can, so that later they can sift through it, find the gems, and sell it on the black market to the highest bidder. Or, a foreign state that would rather grow by poaching ideas and technology than innovate on their own chooses to target an entire industry with an army of government-funded cybercriminals. Sound a little crazy? Our security team has participated in these very investigations!
The motive is almost always profit. In today’s highly competitive global economy, any factor that provides an advantage is worth pursuing, and plenty of folks are willing to pay a premium to obtain information that will give them an edge. In other cases, the information is used to allow unauthorized use of hardware or software, beyond what was intended by its creators.
What can you do to defend against this threat?
Be aware! Know where your most sensitive data is sitting, who’s using it, and how.
Be alert! Monitor your network and systems for unusual activity and investigate.
Be proactive! Use authentication, encryption, and DLP technologies to protect your data before it’s targeted.
Good luck, and happy defending!
Information Security Trends 2011 - Part II
Wait a minute Mr. Postman – As good as we think we are getting with protecting network users from spam and other malicious email, the attackers are just making us look bad… really bad in some cases. Think of all the protections that you have in place. Now think back to the email you received today. Did you get any unwanted or unsolicited email? Some of you are smiling… thinking ‘all my email was legitimate today’. And in the corporate sense, you are probably right. My real question is not just concerning your corporate email… it is concerning personal email as well. Now your answer and thoughts to my question may be different. As I mentioned before, our internal users are causing us major nightmares. In the case of email, consider the users that…
are able to access their corporate accounts from their home PCs
bring peripherals (in the form of external storage) to work from their home PCs
send email (with potentially critical data… or even malicious code) back and forth from their home email accounts to their work email accounts
have smartphones that collect both their corporate and home email
Do you see my point here? All of these scenarios (and I will bet many more) exist where spam and malicious email could affect your network security… even though the spam was not sent to a @yourcorp.com account directly.
I want my MTV – And, I want my new technology as well. The speed at which technology changes is staggering… and we all want the NEW stuff NOW! As new operating systems, applications and systems/devices (physical and virtual) make their way into the hands of eager users, more security risks begin to mount. It is almost impossible for our teams of security professionals to keep up with the demands of securing these technologies, and the new platforms… well, attackers find them to be some of their favorite playgrounds to operate from! This leads to too many No-Win situations for the good guys (that’s us BTW!).
I want my MTV part 2 – Attackers are using the things we like and use the most against us. There is a new breed of attacks out there that targets web users, search engines and the things we like to do the most on the net! What is it, you ask? Well, the answer will be different for all of us. Attackers are using targeted attacks through current events, popular attractions on the Internet and even advertising (‘Malvertising’) to push their evil plans. Do you know what you are connecting to on the web?
Cool the Engines – Slow this rocket down and put that checkbook away, and there is more. Unfortunately it doesn’t get any better for organizations trying to secure their networks. I just read an article the other day reporting that a major smartphone manufacturer just produced and sold its 10 millionth smartphone… in only 7 months. I know what you’re thinking… and it wasn’t Apple. There are an unbelievable number of network capable devices (almost always ‘ON’ devices) being introduced into the Internet every second. If that isn’t scary enough, these devices are too powerful and too immature in the methodology and technology for us to properly secure them (both on the corporate and personal level). I’m talking about smartphones, tablets, and now even TVs and other entertainment type devices!
As you can see, there are a lot of new threats that are coming at us full throttle over the next 6 to 12 months. And we are just scratching the surface here! There are just too many to talk about in this short post. Tell us what you think. Share the things with us that keep you (as an IT security practitioner) up at night! We’re all on the same team here and we’ve all got to help each other… otherwise we will never stand a chance!
And one last thing… while you are dropping us a line, I will leave you with this thought:
‘That Internet-enabled TV that your ‘non-technical’ neighbor just bought… who is going to secure it?’ It certainly isn’t going to be your neighbor! As long as that TV is working, that neighbor isn’t going to do a thing to it because it may prevent them from seeing the ‘Big Game’. Meanwhile, a rootkit (or other piece of malware) has found its way onto that system. What will you do when you get to work the next day and find it is your neighbor’s TV that is leading the attack against your network???
Information Security Trends 2011 - Part I
As the New Year (2011) begins, it is critical for organizations to point their vision forward and look to the challenges they will face to their network infrastructure security over the next 6 to 12 months. For CBTS Security Team and myself, it brings another year of constant research and evaluation of the latest trends in threats and attacks that will be making their way to our clients’ networks… and believe me, we love to live and breathe this stuff!
As my team looks ahead in 2011, these are the things that we think are keeping even the most skillful security professionals awake at night:
Looking Up – Make no mistake about it – the number of security threats that are spreading around the Internet (and the corporate network near you) is increasing dramatically. We are seeing threats being realized in many different ways. Some you may have seen before, some you may have not… including:
Credit Card Fraud (Even MY credit card number was stolen recently!)
Theft of Personal Information (Nothing about us is safe!)
Insider Abuse (YES! Your own people are causing major issues!)
Social Engineering (EVERYONE can be tricked by something!)
Malware / Botnets (You may ALREADY be infected and not know it!)
Organized Crime (Tony Soprano is getting into this game big-time!)
Bills, Bills, Bills – The cost of a breach is moving skyward at unbelievable rates as well, and it is not just cost of adding more security. The cost per compromised record (of personal and critical data) is rising along with related investigation and litigation costs after a breach has been realized.
Weird Science – The sophistication of the attacks that we are seeing is really scary. Not only are we seeing an abundance of new technologies and techniques being used against us on a much more regular basis, but we are also seeing much more coordinated attack efforts. This calculated use of multiple and targeted attack techniques can lead to the compromise of our most valued data.
Gangs of New York (And everywhere else!) – Once it’s out there, everyone knows it… and everyone wants a piece of it. We are seeing attacks not just from one source, but from many. Pretty common you might think at first, but not so fast! In some of our investigations, we are starting to discover that organizations infected with one Botnet are actually infected with several. Once a group of attackers compromise a network and are successfully harvesting information, it is only a matter of time until another group finds that organization as well. We are even finding evidence that certain botnets / malware are designed to delete competitive botnets / malware from a compromised system. The attackers are fighting each other for YOUR data on YOUR networks!
Now, the threats don’t stop here. In my next post, the second part of this two-part series, I will discuss the security issues around using email, new Internet technologies, and other network capable devices we love and use the most. Stay tuned...