Threat Detection - IT Security Guru
https://www.itsecurityguru.org/category/news/threat-detection/
The Site for our Community
Tue, 08 Nov 2022 11:26:35 +0000

Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape
https://www.itsecurityguru.org/2022/11/04/obrelas-2022-digital-universe-study-a-look-at-todays-threat-landscape/?utm_source=rss&utm_medium=rss&utm_campaign=obrelas-2022-digital-universe-study-a-look-at-todays-threat-landscape
Fri, 04 Nov 2022 12:32:50 +0000

Obrela Security Industries recently launched their H1 2022 Digital Universe Study, which provides detailed insight into this year’s security and threat landscape. The results provide a ‘funnel’ view of real-time visibility data, and allow organisations to gain a better understanding of how threats to security are developing and how they can better protect themselves.

To put together this report, Obrela collected and analysed 1 PB of logs as well as 100,000 devices. Over this period, they detected 7,369 cyber incidents with an average response time of 7 seconds.

Using this data, Obrela’s security team was able to find out which attack vectors were most prominent and which methods threat actors tended to use when attempting to gain unauthorised access. Some of the more significant shifts within the threat landscape included:

  • A 16% increase in data breaches, as well as attacks that targeted end users as opposed to corporations.  
  • A 6% upswing in zero-day attacks, particularly exploiting vulnerabilities.  
  • A 12% surge in attacks related to internal threats, such as policy violations, privileged user activity and inadvertent actions.

Looking at particular attack methods, Obrela found that those most utilised were typically malware infection, reconnaissance, data exfiltration and phishing attacks, along with the exploitation of malicious insiders.  

The study also looks into which sectors are most vulnerable to cyber criminals, with banking & financial services, and government/corporate being at the top of the list. This is mostly down to the monetary value that threat actors can extract from exploiting weaknesses in security, as well as the personal and confidential data they store on their servers. In addition, banking, finance, government and corporate sectors play an important role in global economic activity, making them an incredibly attractive target for a criminal looking to exfiltrate information and extort.   

What can companies do to protect themselves?  

To decrease risk and make sure their security posture is up to scratch, organisations must remember to do the ‘basics’. This means following best practices such as implementing security training, user authentication and access controls, and protecting their endpoints and brand. To strengthen security further, organisations should extend their best practices to also include network management, network segmentation and Zero Trust. These should be deployed across the whole company and its network. Another option is for organisations to partner with an MSSP, who can monitor their IT and cloud infrastructure, removing the pressure from their own IT teams and allowing them to focus on internal issues and tasks; this could make the difference between a secure corporate environment and becoming another breach statistic.

Emerging use cases 

After analysing the data and devices, Obrela found new incident cases, including:  

Domain impersonation: this is often associated with phishing campaigns, where employees of an organisation or end-users are targeted by cyber criminals pretending to be from their bank. Victims are taken to an impersonation site, via a phishing link, which will prompt them to enter personal information, including bank details or passwords. By the time the victim notices it is often too late, and malicious actors will already have access to their accounts or network.  

Internal Directory Busting: This vector is similar to a brute force web attack targeting public-facing websites. Using this method, threat actors can exfiltrate personal and confidential data for malicious purposes.

Unfortunately, cyber criminals are becoming increasingly sophisticated and are adaptable to the evolving threat landscape. Organisations must ensure they have the basic cybersecurity infrastructure, but they should also implement an extra layer of protection around their end users and networks. A network or system breach can not only impair their business operation, but it can also significantly affect their reputation, damaging their brand image and often leading to loss of customer trust.  

In partnering with an MSSP who understands the fluid nature of the security market, organisations can better secure their environments and keep their employees and customers protected from numerous cyber threats.  

The Digital Universe study can help organisations understand what these types of threats are and how to protect against them.

You can find the full report here: https://www.obrela.com/digital-universe-report-h1-2022/  

The post Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape   appeared first on IT Security Guru.

DomainTools Announces Availability of Iris Detect
https://www.itsecurityguru.org/2022/02/11/domaintools-announces-availability-of-iris-detect/?utm_source=rss&utm_medium=rss&utm_campaign=domaintools-announces-availability-of-iris-detect
Fri, 11 Feb 2022 16:07:32 +0000

DomainTools has announced the availability of DomainTools Iris Detect, an innovative new product designed to discover and monitor domain names spoofing brands, trademarks, or other domains with unprecedented speed, accuracy, and comprehensiveness. Building on the world’s largest databases of domain registration and Domain Name System (DNS) data developed by DomainTools and Farsight Security, the discovery engine underpinning Iris Detect identifies some 350,000 new domains every day—far more than any other technology available.

In fact, in a 12-hour period earlier this month, Iris Detect found 313 instances of domains incorporating the term “metaverse”, with nearly half of these (150) given DomainTools Risk Scores of 70 or higher—a signal of likely malicious intent.

Iris Detect works by comparing global new domain registrations, discovered in near-real time, against brand terms selected by users. It also gives near-instant risk scoring of these domains based on proprietary DomainTools algorithms and captures screenshots; these details help the user make fast decisions about which domains represent the largest threat. Going beyond many competitive brand protection tools, Iris Detect continues to watch any domains the user flags as suspicious, to pick up signals of “weaponisation” that could indicate that the domain is about to be used for malicious purposes. Moreover, Iris Detect also allows the user to escalate dangerous domains for enforcement actions, including blocking in security controls, or forwarding to Google Phishing Protection, which blocks dangerous domains in Chrome, Safari, and Firefox browsers.
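As an added illustration of the comparison described above (example code written for this page, not DomainTools’ product code), the following Python matcher checks a constructed feed of new registrations against a set of brand terms, folding look-alike characters and allowing one edit of distance; the homoglyph table, the threshold and the sample domains are all assumptions, and the "kind"/"distance" output stands in for a proprietary risk score.

```python
"""Compare a feed of new domain registrations against user-selected brand terms.

Added example, not DomainTools' code: the homoglyph table, the edit-distance
threshold and the sample feed are constructed here, and the "kind" and
"distance" fields are a stand-in for the proprietary Risk Score.
"""

# Constructed sample of newly registered domains (no real registration data).
NEW_DOMAINS = [
    "metaverse-wallet-login.com",   # brand term embedded verbatim
    "examplebank-secure.net",       # brand term plus a lure word
    "exannplebank.com",             # "nn" standing in for "m"
    "exampIebank.com",              # capital I standing in for l (DNS lower-cases it)
    "login-example-bank.co",        # hyphens split the term
    "weather-today.org",            # unrelated registration, must not match
]
BRAND_TERMS = ["examplebank", "metaverse"]

# Substitutions that look alike in a browser address bar. Folding them before the
# comparison makes the matcher robust to the common spoofing tricks.
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
MULTI_CHAR = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d")]


def name_part(domain):
    """Drop the final label (a crude TLD strip, not a public-suffix lookup)
    and remove hyphens so split terms such as example-bank become contiguous."""
    labels = domain.lower().rstrip(".").split(".")
    return "".join(labels[:-1]).replace("-", "")


def fold(text):
    """Lower-case the text and collapse look-alike characters."""
    text = text.lower().translate(SINGLE_CHAR)
    for pair, single in MULTI_CHAR:
        text = text.replace(pair, single)
    return text


def levenshtein(a, b):
    """Classic edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_match(name, term):
    """Return (kind, distance): 'contains' when the folded term appears verbatim,
    otherwise 'fuzzy' with the smallest edit distance between the folded term and
    any substring of the name whose length is within one of the term's length."""
    n, t = fold(name), fold(term)
    if t in n:
        return "contains", 0
    best = len(t)
    for width in (len(t) - 1, len(t), len(t) + 1):
        for start in range(max(1, len(n) - width + 1)):
            best = min(best, levenshtein(n[start:start + width], t))
    return "fuzzy", best


def match_domains(domains, terms, max_distance=1):
    """Return one hit per (domain, term) pair that contains the term or sits
    within max_distance edits of it; everything else is left unflagged."""
    hits = []
    for domain in domains:
        name = name_part(domain)
        for term in terms:
            kind, distance = best_match(name, term)
            if distance <= max_distance:
                hits.append({"domain": domain, "term": term,
                             "kind": kind, "distance": distance})
    return hits


if __name__ == "__main__":
    for hit in match_domains(NEW_DOMAINS, BRAND_TERMS):
        print(hit)
```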

Lookalike domains are implicated in phishing and malware attacks of various kinds, including ransomware, business email compromise (BEC), and credential harvesting, as well as counterfeiting and other kinds of brand abuse. The costs associated with these activities collectively run to the billions of dollars per year. But historically, it has been difficult for those on the defensive side of the battle to stay ahead of such abuse. 

According to the FBI’s most recent Internet Crime Report, in 2020, the Internet Crime Complaint Center (IC3) received 19,369 business email compromise (BEC)/email account compromise (EAC) complaints with adjusted losses of over $1.8 billion. In 2020, the IC3 also received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million.

“With the threat malicious domains pose and the methods threat actors use that make traditional tracking inefficient, DomainTools Iris Detect leads the way with impressively fast detection paired with features that separate precious signal from what would seem like noise using other vendor solutions,” said Sasha Angus, co-founder of threat intelligence firm Scylla.

“Iris Detect represents the state of the art for speedy discovery of malicious online infrastructure, and the culmination of multiple technologies developed by DomainTools and Farsight Security over many years,” said Tim Chen, CEO of DomainTools. “We are proud to deliver a product that truly empowers defenders to make the Internet a safer place for their organisations and for the public at large.”

Iris Detect rounds out the DomainTools Iris family, complementing two previously existing products: Iris Enrich is an application programming interface (API) enabling large-scale automated enrichment of threat indicators, and Iris Investigate is an interactive web-delivered platform and API for deeper analysis of online infrastructure.

Learn more about Iris Detect here.

The rise of Community-Powered Threat Hunting
https://www.itsecurityguru.org/2020/08/06/the-rise-of-community-powered-threat-hunting/?utm_source=rss&utm_medium=rss&utm_campaign=the-rise-of-community-powered-threat-hunting
Thu, 06 Aug 2020 15:38:34 +0000

Next-Gen SIEM provider, Securonix has announced availability of its SearchMore functionality that helps operations teams better detect and respond to threats that bypass preventative and detection controls. The company states that “SearchMore delivers the industry’s first Community-Powered Threat Hunting capability and provides the ability to search on real-time, streaming data, as well as long-term data.”

CEO Sachin Nayyar elaborated: “This is a huge step in cybersecurity monitoring. With a combination of cloud-native and big data architecture we are providing customers scalable search and threat hunting capabilities while reducing their operational costs. We strongly believe in a community-powered approach to cybersecurity and plan to incorporate it in all aspects of the Securonix Next-Gen SIEM platform.”

New updates to the platform include:

Community-Powered Threat Hunting

SOC teams who solely rely on their own threat hunting content are at a disadvantage when it comes to detecting continuously evolving threats. With a community-driven approach, Securonix creates collaborative threat hunting workbooks utilising contributions from the Securonix threat research team, commercial threat intelligence, and global user communities such as MITRE ATT&CK and Sigma.

Live Search Channel on Streaming Data

The legacy practice of indexing data to make it searchable introduces pipeline latency and impacts an organisation’s ability to act on threats in real-time.

Securonix live channel allows SOC teams to search and act on live streaming data with virtually zero latency. Security operations teams can set up multiple live channel searches that leverage Securonix threat content, or their own custom hypotheses.

Long-Term Search at One-Third of the Cost

Organisations are concerned about hidden threats existing in their environment. Finding these threats requires the ability to continuously run new searches and investigations on historical data. This creates challenges for legacy platforms with their lack of scalability and huge vendor costs for making long-term data searchable.

Securonix addresses this challenge by providing a rapid search capability at one-third of the price of comparable solutions. Leveraging its cloud-native, big data architecture, the Securonix platform decouples search and compute resources and scales on demand to deliver high-performance searches on long-term data.

Integrated SIEM and SOAR

Securonix search and threat hunting capabilities are embedded within the Securonix Next-Gen SIEM platform, providing SOC teams a single pane of glass to hunt for threats, take action with integrated SOAR, and automate future detection with SIEM.

Multi-Tenant Threat Hunting for MSSPs

With a multi-tenant architecture, Securonix live and long-term searches can be executed simultaneously across multiple tenants. This allows Securonix MSSP partners to deliver a centrally managed threat hunting service to their customers.

“Securonix is continuously raising the bar when it comes to advanced threat detection and response, which is the reason why we chose Securonix to power our managed security services,” said Kelly Hertel, Sr Director, ICS Managed Security Operations, NTT DATA Services. “The SearchMore multi-tenant search and threat hunting capabilities coupled with our co-managed services delivers a powerful augmentation solution for security teams.”

According to the company, other SearchMore benefits include:

  • Stopping threats that bypass latent detection with live search.
  • Discovering dormant threats with ongoing searches on historical data.
  • Increasing threat hunting strength with proactive community-powered content.
  • Reducing cost up to one-third for searching long-term data, compared to comparable solutions.

Unsecured Internet-facing database attracts hackers in a matter of hours
https://www.itsecurityguru.org/2020/06/10/unsecured-internet-facing-database-attracts-hackers-in-a-matter-of-hours/?utm_source=rss&utm_medium=rss&utm_campaign=unsecured-internet-facing-database-attracts-hackers-in-a-matter-of-hours
Wed, 10 Jun 2020 16:38:19 +0000

You only have to read the news on this very website to find countless stories of instances where companies have inadvertently left a database exposed on the web – it’s every security professional’s worst nightmare.

Researchers at Comparitech, who will often be the source of finding these misconfigured databases to alert the unsuspecting company, decided to set up a honeypot experiment to see just how little time it would take before such a database could be found.

Head cybersecurity researcher Bob Diachenko created a simulated database on an Elasticsearch instance, complete with fake user data, and left it publicly exposed for 11 days to record the results.

Just over 8 hours after exposure, the database saw its first attempted unauthorised access (which Diachenko refers to as an “attack”). Over the days it was left exposed, it was attacked on average 18 times a day, 175 times in total.

The research should serve as a stark reminder to companies of the importance of securing databases like Elasticsearch and shows just how opportunistic hackers are. Commenting, Warren Poschman, senior solutions architect at comforte AG, said:

“IT departments leaving unprotected databases on the internet, data in misconfigured S3 buckets, or not patching critical systems that are internet facing is an unfortunate and increasingly regular occurrence as more organisations cloudify their legacy operations or move toward new cloud-native infrastructures.

“With hundreds of controls and a multitude of regulations emerging to protect privacy, proper and robust implementation can be a daunting task – let alone the basic security requirements that are required for basic survival,” he continued.

David Kennefick, product architect at Edgescan said that his team finds these instances a lot more than people might think as Edgescan monitors for exposed databases as part of its continuous profiling service; however, the cloud has improved matters. He said: “There has been a substantial improvement during the great cloud migration. Using a service such as AWS or Azure, which automatically locks down your machines and services, is a great way to reduce the likelihood of leaving something exposed. These providers, in fact, have this control enabled by default, meaning that users have to go out of their way to leave anything exposed on the internet.

“The issues with exposed databases are introduced when teams are managing technologies that don’t have this control enabled by default – there is an assumption of security, and this leads organisations down the path of accidental exposure,” Kennefick explained.

Of course, if the good guys are searching, so are the bad guys. Boris Cipot, senior security engineer at Synopsys, explained that hackers have created their own search engines to hunt out exposed databases or devices.

“Finding exposed databases or devices on the internet today is quite easy, as further proven by Comparitech’s honeypot research. There are specially designed search engines that look for exposed devices on the internet, and even malware like Kaiji (as one example) automatically looks for exposed operating systems with root access,” Cipot said.

“For this reason, a timestamp of less than 9 hours before the first “attack” started is nothing surprising. It however shows that there is not much time for companies to find a mistake and repair it before there is potential for a bad actor to identify and manipulate it. Every mistake in provisioning your resources can lead to big problems. We see often that insecure steps are made when deploying instances in the cloud environment. Insecure security settings lead to exploitable systems and devices.”

Comforte’s Poschman noted that the findings are key indicators that going beyond the perimeter, access controls, and other traditional controls is absolutely necessary.

“Data security is that one catch-all that must not be left out. By implementing data-centric security, organisations can eliminate risk by ensuring that data is protected regardless of where it resides or who is using it – not a nice to have but a necessity given today’s attack vectors and expanding cloud usage,” he said.

Synopsys’ Cipot recommended that companies think about provisioning resources much like a pilot’s checklist before take-off, which will lead to two important things, “first, the creation of security policies and procedures and secondly, a checklist that does not allow room for mistakes.”

The full details, including what attack methods were used and what attackers attempted to do with the data, can be found in this blog:

https://www.comparitech.com/blog/information-security/unsecured-database-honeypot/

DomainTools supports the open-source security community and its customers with new TheHive and Cortex integration capabilities
https://www.itsecurityguru.org/2020/03/31/domaintools-supports-the-open-source-security-community-and-its-customers-with-new-thehive-and-cortex-integration-capabilities/?utm_source=rss&utm_medium=rss&utm_campaign=domaintools-supports-the-open-source-security-community-and-its-customers-with-new-thehive-and-cortex-integration-capabilities
Tue, 31 Mar 2020 13:19:02 +0000

The success of open source and collaborative projects depends on the community that supports them. The development model is driven solely by a common goal, and has consistently been an invaluable resource for the IT and IT security industries. 

Guided by the common goal of making the internet a little more secure and helping users hunt unknown malicious infrastructure, DomainTools has announced that it will integrate its Iris tool with the TheHive and Cortex platforms. The open-source community will have access to DNS threat investigation and intelligence, rich datasets and contextual enrichment for Indicators of Compromise (IOCs).

What are TheHive and Cortex?

TheHive is a scalable open-source solution built for SOCs, Cyber Security Incident Response Teams (CSIRTs), Computer Emergency Response Teams (CERTs) and any information security practitioner and allows them to investigate security incidents efficiently. Collaboration across the incident management phases and functions is at the heart of the platform. Cases can be created for every investigation either manually or automatically using templates which can vary based on the type of investigations.

Cortex is our standalone analysis engine and a perfect companion for TheHive. TheHive speaks natively to Cortex via REST API to perform quick assessments of observables.

Together, the two platforms can be a significant time-saver and take away some of the tedious tasks associated. Analysts can then use the Analyze functionality to add and investigate a single observable or thousands of observables associated with the case. Finally, good old practices of associating TLP and source tags are also baked into the platform.

Descriptions Courtesy of TheHive and Cortex 

Over the past three years, the TheHive project has matured, and more and more enterprises have adopted it as part of their enterprise SOC/CSIRT/CERT. TheHive and Cortex enable users to optimise security incident management, automate threat intelligence analysis, and perform digital forensics.

By enriching observables within TheHive and Cortex, users can now utilise DomainTools Iris intelligence to add value to their incident management workflow. In this way, DNS threat context will be available in a single toolset, without the need to access it via upstream systems. Through the point-and-click TheHive interface, users will now be able to access the rich DomainTools domain and DNS intelligence, Domain Risk Score, and supporting evidence. 

Enriched Observables

TheHive and Cortex users will benefit from this integration in a number of ways, but the key element is improved context for investigations. They will now have access to additional insights, including Whois data, which can provide key information about domain ownership, as well as the DomainTools Risk Score, which enables faster triaging based on the type of risk the domain represents.

While enriching the observables, DomainTools persists the enrichment data in observable reports within an incident. This enables users to review the enriched dataset conveniently, including DomainTools Guided Pivots, to help further their investigations.

Artifacts with Guided Pivots below a threshold limit, configured by the organization, are visually highlighted for convenience. Users can add these artifacts as potential points of pivot/reversing.

This enables an analyst to investigate the incident without context switching across multiple tools. Further, the enrichment data inside of an incident forms a qualified tool for convenient reporting and reconciliation. And whenever an analyst feels the need to dive into DomainTools investigation platform, they can conveniently launch it from within the observable report, all without losing their context in the investigation.

What about the connected infrastructure?

When profiling a DNS artifact isn’t sufficient, the integration with DomainTools’ Iris pivot analyser will allow TheHive and Cortex users to see what is connected to the domain observable, gaining insight into more detailed associations in order to build a more accurate picture of the infrastructure surrounding a domain: associated IPs, SSL hashes and registrant email addresses can now be pivoted on to retrieve associated IOCs. Moreover, the Guided Pivot analytics will assist IT security practitioners in choosing which attributes to pivot on, and with Guided Pivot counts will even create an investigation path on their own.

Viable Guided Pivots will be flagged during observable enrichment, effectively allowing users to discover IOCs that would have otherwise gone undetected. To further consolidate intelligence and map forensics, users will have access to DomainTools analytics like Age and Domain Risk Score, which will narrow down the list of target IOCs to be imported into the platform. MISP users will also be able to link two instances and create an auto-case out of a MISP event. 

Overall, the automation of incident handling procedures through pivots on key domain attributes, as allowed by this integration of DomainTools Iris with TheHive and Cortex, will reduce the time IT security teams will have to spend on investigating and triaging on multiple tools. 

When working in today’s ever-growing and ever more complicated threat landscape, it is increasingly important that organisations manage to collaborate effectively in ways such as this: increasing visibility, and providing security teams and researchers with enriched data, is one of the key things that will help us to take the fight to cybercriminals.

Product News: Encrypted Traffic Insights with Corelight
https://www.itsecurityguru.org/2019/11/21/product-news-encrypted-traffic-insights-with-corelight/?utm_source=rss&utm_medium=rss&utm_campaign=product-news-encrypted-traffic-insights-with-corelight
Thu, 21 Nov 2019 16:03:33 +0000

The NSA recently issued an advisory to enterprises that adopt ‘break and inspect’ technologies to gain visibility over encrypted traffic, warning them of the potential risks of such an approach. Decrypting and re-encrypting traffic through a proxy device, a firewall, or an intrusion detection or prevention system (IDS/IPS) that doesn’t properly validate transport layer security (TLS) certificates, for instance, will weaken the end-to-end protection that TLS encryption provides to end users, drastically increasing the likelihood that threat actors will target them in man-in-the-middle (MitM) attacks, Bleeping Computer reported.

“This is why companies like Corelight invest into features like SSH Inference to inform defenders while protecting privacy,” explained Richard Bejtlich, principal security strategist at Corelight. “Our new sensor feature profiles Secure Shell traffic to identify account access, file transfers, keystroke typing, and other activities, all while preserving default encryption and without modifying any endpoint software. I believe security teams will have to increasingly incorporate these sorts of solutions, rather than downgrading or breaking encrypted traffic,” he continued.

Corelight, in fact, has just recently unveiled the new capabilities of its network traffic analysis (NTA) solutions for cybersecurity, the Corelight Encrypted Traffic Collection (ETC). ETC will empower threat hunters and security analysts with rich and actionable insights for encrypted traffic, without the need to ‘break and inspect’.

Effectively able to read the network’s ‘body language,’ the tool will single out the behaviour of malicious activity even when decryption is not an option. Rather than simply detecting threats, the data that ETC can provide will allow enterprises to make critical, informed security decisions.

Capabilities

Availing itself of both Corelight’s Research Team packages and the curated packages from the open-source Zeek community, ETC will provide:

  • SSH client brute force detection – supports threat hunting for Access techniques by revealing when a client makes excessive authentication attempts.
  • SSH authentication bypass detection – reveals when a client and server switch to a non-SSH protocol, a tactic used in Access attempts.
  • SSH client keystroke detection – reveals an interactive session where a client sends user-driven keystrokes to the server, which may be an indication of Command and Control activity.
  • SSH client file activity detection – reveals a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa, which could indicate either Staging or Exfiltration activity.
  • SSH scan detection – accelerates threat hunting for Access techniques by inferring scanning activity based on how often a single service is scanned.
  • SSL certificate monitoring – extends Zeek’s existing certificate monitoring capabilities to help defenders limit attack surface, find vulnerabilities, and enforce internal policy.
  • Encryption detection – accelerates threat hunting by finding unencrypted traffic over commonly encrypted ports/protocols as well as custom / pre-negotiated sessions.
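To show the kind of inference the SSH brute force and SSH scan detections rest on, here is an added Python example (not Corelight’s code or any Zeek package) that reads constructed Zeek ssh.log records in JSON form and flags clients that rack up excessive authentication attempts, or that complete the handshake with many servers without ever authenticating. The field names are Zeek’s own ssh.log fields; the thresholds and the sample records are assumptions made for this example.

```python
"""Infer SSH brute forcing and SSH scanning from Zeek ssh.log metadata alone.

Added example for this page; it is not Corelight's code or the ETC packages.
Zeek's ssh.log records per-connection fields (id.orig_h, id.resp_h, auth_attempts,
auth_success) that the SSH analyser infers heuristically from the encrypted
exchange, so a sensor can reason about sessions without decrypting anything.
"""
import json
from collections import defaultdict

# Constructed sample records in Zeek's JSON log format (not captured traffic).
# 10.0.0.5 hammers one server with many authentication attempts and never succeeds,
# 10.0.0.9 logs in normally, and 10.0.0.77 touches ten servers without authenticating.
BRUTE_AND_NORMAL = """\
{"ts":1574351000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"10.0.1.20","id.resp_p":22,"auth_success":false,"auth_attempts":6}
{"ts":1574351005.2,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"10.0.1.20","id.resp_p":22,"auth_success":false,"auth_attempts":6}
{"ts":1574351010.3,"uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"10.0.1.20","id.resp_p":22,"auth_success":false,"auth_attempts":5}
{"ts":1574351020.0,"uid":"C4","id.orig_h":"10.0.0.9","id.orig_p":40111,"id.resp_h":"10.0.1.20","id.resp_p":22,"auth_success":true,"auth_attempts":1}
"""
# Scanner records: handshake only, zero authentication attempts, and no
# auth_success key at all, which is how Zeek leaves an undetermined field.
SCAN_LINES = "\n".join(
    json.dumps({"ts": 1574351030.0 + i, "uid": f"S{i}", "id.orig_h": "10.0.0.77",
                "id.orig_p": 60000 + i, "id.resp_h": f"10.0.1.{i}", "id.resp_p": 22,
                "auth_attempts": 0})
    for i in range(1, 11)
)
SAMPLE_SSH_LOG = BRUTE_AND_NORMAL + SCAN_LINES + "\n"


def parse_ssh_log(text):
    """Parse newline-delimited JSON ssh.log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def infer_brute_force(records, max_attempts=10):
    """Flag clients whose authentication attempts, summed over all their
    connections, exceed max_attempts. Report whether any attempt succeeded,
    because a brute force that eventually logs in is the more urgent case."""
    attempts = defaultdict(int)
    succeeded = defaultdict(bool)
    for r in records:
        client = r["id.orig_h"]
        attempts[client] += int(r.get("auth_attempts") or 0)
        succeeded[client] = succeeded[client] or bool(r.get("auth_success"))
    return {c: {"attempts": n, "succeeded": succeeded[c]}
            for c, n in attempts.items() if n > max_attempts}


def infer_scanners(records, min_targets=8):
    """Flag clients that complete the SSH handshake with many distinct servers
    but never attempt authentication: the footprint of a scanner probing for
    the service rather than a user logging in."""
    targets = defaultdict(set)
    for r in records:
        if int(r.get("auth_attempts") or 0) == 0 and not r.get("auth_success"):
            targets[r["id.orig_h"]].add(r["id.resp_h"])
    return {c: len(t) for c, t in targets.items() if len(t) >= min_targets}


def analyse(text, max_attempts=10, min_targets=8):
    """Run both inferences over raw ssh.log text and return the findings."""
    records = parse_ssh_log(text)
    return {"brute_force": infer_brute_force(records, max_attempts),
            "scanners": infer_scanners(records, min_targets)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_SSH_LOG).items():
        for client, detail in hits.items():
            print(f"{kind}: {client} -> {detail}")
```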

For more technical information, you can read Corelight’s blog detailing the new capabilities.

Kaspersky uncovers zero-day in popular web browser exploited in the wild by threat actor
https://www.itsecurityguru.org/2019/11/05/kaspersky-uncovers-zero-day-in-popular-web-browser-exploited-in-the-wild-by-threat-actor/?utm_source=rss&utm_medium=rss&utm_campaign=kaspersky-uncovers-zero-day-in-popular-web-browser-exploited-in-the-wild-by-threat-actor
Tue, 05 Nov 2019 13:20:05 +0000

Kaspersky’s automated technologies have detected a new exploited vulnerability in the Google Chrome web browser. Kaspersky has allocated the vulnerability as CVE-2019-13720 and reported it to Google. A patch has been released. Upon review of the PoC provided, Google confirmed that it is a zero-day vulnerability.

Zero-day vulnerabilities are previously unknown software bugs that can be exploited by attackers to inflict serious and unexpected damage. The new exploit is used in attacks that leverage a watering-hole-style injection in a Korean-language news portal. Malicious JavaScript code is inserted in the main page, which in turn loads a profiling script from a remote site to further check whether the victim’s system could be infected by examining versions of the browser’s user credentials. The vulnerability tries to exploit the bug through the Google Chrome browser, and the script checks whether version 65 or later is being used. The exploit gives an attacker a Use-After-Free (UaF) condition, which is very dangerous because it can lead to code execution scenarios.

The detected exploit was used in what Kaspersky experts call “Operation WizardOpium”. Certain similarities in the code point to a possible link between this campaign and Lazarus attacks. Additionally, the profile of the targeted website is similar to what has been found in previous DarkHotel attacks, which have recently deployed comparable false flag attacks.

The exploited vulnerability was detected by Kaspersky’s Exploit Prevention technology, embedded in most of the company’s products.

“The finding of a new Google Chrome zero-day in the wild once again demonstrates that it is only collaboration between the security community and software developers, as well as constant investment in exploit prevention technologies, that can keep us safe from sudden and hidden strikes by threat actors,” said Anton Ivanov, a security expert at Kaspersky.

Kaspersky products detect the exploit as PDM:Exploit.Win32.Generic.

Kaspersky recommends taking the following security measures:

  • Install the Google patch for the new vulnerability as soon as possible.
  • Make sure you update all software used in your organization on a regular basis, and whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
  • Choose a proven security solution, such as Kaspersky Endpoint Security for Business, that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • Make sure your security team has access to the most recent cyberthreat intelligence. Private reports on the latest developments in the threat landscape are available to Kaspersky Intelligence Reporting customers. For further details, contact: intelreports@kaspersky.com.
  • Last, but not least, ensure your staff is trained to understand and implement the basics in cybersecurity hygiene.

For further details on the new exploit see the report on Securelist.

Q&A with Eoin Keary  https://www.itsecurityguru.org/2019/11/01/qa-with-eoin-keary/?utm_source=rss&utm_medium=rss&utm_campaign=qa-with-eoin-keary Fri, 01 Nov 2019 12:02:08 +0000 https://www.itsecurityguru.org/?p=32846

This week’s question: What does automation mean for IT security teams? 

What automation primarily means is that teams now have the chance to scale their tasks to meet the needs of the business. Nowadays, given that vulnerabilities are discovered on a daily basis, organisations need tools that can keep track of these weaknesses as these are made public and patches become available.

The great strategic advantage of using an automation tool for vulnerability management is the frequency at which it allows IT security teams to track changes: monitoring assets continuously has become a requirement, given the speed at which code changes today. The days when running one yearly, or even a quarterly, pen test was enough to spot the potential entry points an attacker may leverage are long gone. Modern businesses need to keep a much closer look over their digital assets.  

However, what is important to remember is that while automation is great when it comes to making mundane, repetitive tasks more manageable, the accuracy of a human being is still something that machines cannot replicate. Risk is something contextual, and machines are still not there when it comes to assessing the severity of a potential threat.  

When vulnerabilities are discovered, their risk score needs to be assessed based on the likelihood of them being exploited, and this is something that humans are still better at. An ML/AI powered tool often flags all vulnerabilities and cannot prioritise based on their risk factor.  

The best model for organisations wishing to optimise their security processes remains a hybrid one – where automation tools are integrated with human interventions at certain critical points. Automation can augment people, but it cannot replace them completely. 


Cybersecurity Horror Stories Don’t Have to Keep You Up at Night https://www.itsecurityguru.org/2019/10/29/cybersecurity-horror-stories-dont-have-to-keep-you-up-at-night/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-horror-stories-dont-have-to-keep-you-up-at-night Tue, 29 Oct 2019 13:32:09 +0000 https://www.itsecurityguru.org/?p=32766

Iconic filmmaker John Carpenter once said this about horror flicks: “There are two different stories in horror: internal and external. In external horror films, the evil comes from the outside, the other tribe, this thing in the darkness that we don’t understand. Internal is the human heart.”

Similarly, there are two main cybersecurity horror stories – external attacks and insider threats. Like cliched horror movies where teenagers are stalked by maniacal killers, or families are haunted by unwelcome ghosts and specters, most organisations are under continuous attack from fearsome cyber threats in one form or another.

Companies need to beware of both external cyberattacks and insider threats. Like a classic horror film, both threats come with their own elements of mystery, suspense and fear. Fortunately, it is possible to defend each type of attack vector using a similar cybersecurity strategy for each. More on that later. First, let’s set the scene of the current security landscape.

Ghosts Float Through the Walls

In the past, IT focused on hardening the network perimeter against outsiders. The idea was that if you stop the villains from getting in, then nothing bad happens. It was the classic fortress-based approach to keeping the zombie hordes at bay. But there was a fatal flaw. Many organisations fixated on perimeter security gave implicit trust to anyone already on the inside. Needless to say, this approach triggered a number of horrific data breaches and paved the way for the zero trust movement.

Of course, companies should continue protecting the perimeter and defending against known threats, as they’ve always done. Known cyber threats represent an omen of doom looming over every organisation. But today’s enterprises must go further and watch for those unpredictable threats that spook you when you least expect it.

Like sub genres of the horror film industry, there are classifications for different types of cyber threats. Let’s look at four of the most frightening cybersecurity horror stories, some originating from the outside and others coming from within.

The Possessed

To conjure up their nefarious schemes, cyber criminals need access. Methods for gaining access vary, but one of the most common tactics is account compromise – hijacking an account that already has the right access.

Like the horror flick “Paranormal Activity” where an evil entity possesses the main character, a compromised account is taken over by an attacker for their own wicked purposes. This means the intruder can get into any of the systems and applications which that compromised account has access to, and no one will know anything is amiss.

How does account compromise happen? Usually it involves password guessing, malware, malvertisements or keystroke logging. It can also happen through Pass-the-Hash attacks and brute force password hacks. But targeted spear phishing is still probably the most prevalent technique for compromising accounts.

Account compromise attacks are difficult to uncover because they resemble an insider threat from a detection standpoint. Conventional whitelist / blacklist type security solutions are ineffective at stopping account compromise, because to these solutions the account appears legitimate. So, what’s the holy water that can be sprinkled on the account compromise nemesis? Behaviour-based security analytics.

With behaviour analytics, it’s possible to spot these “possessed” accounts based on anomalous behaviour patterns. Such abnormal activity can include unusual access to high-risk or sensitive assets, a lot of access requests in a short amount of time, activity originating from dormant accounts, and more. Anomalies identified as inconsistent with a user or peer’s normal activities trigger an alert allowing SOC teams to intervene.

The Shadow Lurker

Privileged access abuse is an attack vector that overlaps with account compromise. First the antagonist breaches perimeter security through one of many ways. Once inside, they seek SSH keys, passwords, certificates, Kerberos tickets, and similar assets. Their goal is to steal the credentials that let them elevate their access, gain unrestricted movement on the network, and anonymously steal data at will. Because cyber geists use automated hacking tools, this entire process can occur surprisingly quickly.

But, like the patient predator stalking his victims in a teenage slasher film, the attackers usually bide their time. They’ll quietly monitor activity and then use the information they gather to expand their control of the network. According to Ponemon, hackers lurk like ghostly apparitions on the network for an average of 206 days before being discovered. That’s a lot of time for any malicious entity to prowl around.

Many skilled cybercriminals have an arsenal of automated tools they can continuously hurl at unsuspecting targets. Such witchcraft puts immense pressure on cybersecurity teams to fight sophisticated cyberattacks that they’ve never seen before, often using a Frankenstein-like amalgamation of various security products.

And it’s not just outsiders who should be feared. There’s also an element of insider threat. IT personnel typically have anonymous access on the network through shared privileged accounts, with passwords that rarely if ever change. This gives unsavory individuals the opportunity to snoop out and take confidential data without anyone being aware. So what can you do to cull these phantasms in your midst?

Identity analytics technology can discover who has privileged access with entitlements that may have escalated after provisioning, or exist within applications and unstructured data. This enables IT security leaders to manage, monitor and control privileged access with optimal effectiveness.

And with user and entity behaviour analytics (UEBA) it’s possible to automatically analyse data to reveal suspicious activities – accessing inappropriate files, systems and applications being accessed from new locations or new devices, and even stranger things that could indicate risky behaviour.
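The indicators named in this section and in "The Possessed" above (unusual access to sensitive assets, many access requests in a short window, activity from dormant accounts, logins from new locations or devices) reduce to per-user baseline checks. The Python below is an added example written for this page, not Gurucul's product logic: it learns each user's normal assets, devices and countries from a constructed history, then scores a constructed stream of live events. The sensitive-asset list, the 5-minute/20-request burst window and the 60-day dormancy threshold are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: datetime
    user: str
    asset: str
    device: str
    country: str


# Tunables: assumed values for this example, not taken from any product.
SENSITIVE_ASSETS = {"hr-payroll", "finance-share", "source-repo"}
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 20
DORMANT_AFTER = timedelta(days=60)


@dataclass
class Baseline:
    assets: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    last_seen: Optional[datetime] = None
    recent: Deque[datetime] = field(default_factory=deque)   # timestamps inside BURST_WINDOW


def build_baselines(history: List[Event]) -> Dict[str, Baseline]:
    """Learn each user's normal assets, devices and locations from past events."""
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for e in sorted(history, key=lambda ev: ev.ts):
        b = baselines[e.user]
        b.assets.add(e.asset)
        b.devices.add(e.device)
        b.countries.add(e.country)
        b.last_seen = e.ts
    return baselines


def score_event(e: Event, baselines: Dict[str, Baseline]) -> List[str]:
    """Return anomaly tags for one live event, then update the user's baseline."""
    b = baselines[e.user]
    alerts: List[str] = []
    if b.last_seen is not None and e.ts - b.last_seen > DORMANT_AFTER:
        alerts.append("dormant-account-activity")
    if e.asset in SENSITIVE_ASSETS and e.asset not in b.assets:
        alerts.append("new-sensitive-asset-access")
    if b.devices and e.device not in b.devices:
        alerts.append("new-device")
    if b.countries and e.country not in b.countries:
        alerts.append("new-location")
    # Sliding window of this user's recent requests for the burst check.
    b.recent.append(e.ts)
    while e.ts - b.recent[0] > BURST_WINDOW:
        b.recent.popleft()
    if len(b.recent) == BURST_THRESHOLD:   # fires once, when the threshold is crossed
        alerts.append("access-burst")
    # Only events that looked normal extend the learned sets, so an intruder's
    # first anomalous action does not quietly become "normal" for that account.
    b.last_seen = e.ts
    if not alerts:
        b.assets.add(e.asset)
        b.devices.add(e.device)
        b.countries.add(e.country)
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample history: three months of ordinary activity for three users.
HISTORY = [
    Event(_t("2019-01-07T09:00"), "alice", "wiki", "alice-laptop", "GB"),
    Event(_t("2019-02-11T10:30"), "alice", "crm", "alice-laptop", "GB"),
    Event(_t("2019-03-25T14:10"), "alice", "wiki", "alice-laptop", "GB"),
    Event(_t("2019-01-08T09:05"), "bob", "crm", "bob-desktop", "GB"),
    Event(_t("2019-03-28T16:45"), "bob", "crm", "bob-desktop", "GB"),
    Event(_t("2019-01-05T11:00"), "carol", "wiki", "carol-laptop", "GB"),
]

# Constructed live stream: a first touch of payroll data, a login from an unknown
# host abroad, a dormant account waking up at night, and 25 requests in two minutes.
STREAM = [
    Event(_t("2019-04-01T09:00"), "alice", "hr-payroll", "alice-laptop", "GB"),
    Event(_t("2019-04-01T09:10"), "alice", "wiki", "unknown-host", "RO"),
    Event(_t("2019-04-02T03:00"), "carol", "wiki", "carol-laptop", "GB"),
] + [
    Event(_t("2019-04-02T10:00") + timedelta(seconds=5 * i), "bob", "crm", "bob-desktop", "GB")
    for i in range(25)
]


def detect(history: List[Event], stream: List[Event]) -> List[Tuple[str, str, List[str]]]:
    """Score a stream against baselines built from history; return only alerting events."""
    baselines = build_baselines(history)
    hits = []
    for e in sorted(stream, key=lambda ev: ev.ts):
        alerts = score_event(e, baselines)
        if alerts:
            hits.append((e.user, e.ts.isoformat(timespec="minutes"), alerts))
    return hits


if __name__ == "__main__":
    for user, when, alerts in detect(HISTORY, STREAM):
        print(when, user, ", ".join(alerts))
```

Bob's burst produces a single alert on the 20th request rather than one per request, and alice's first payroll access is not added to her baseline, so a second visit from the same unknown host would still be flagged. Both choices are what keep this kind of analytics from drowning a SOC in repeats, the complaint the article raises about rule-based SIEM and DLP alerting further down.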

The Threat Came from Within

Like the horror scene where the threatening phone call is traced back to the house in which the victim resides, sometimes the threat comes from within. While an organisation usually faces more external cyberattacks, they should be just as concerned with insider threats. An angry employee who already has access to company files could turn psycho and secretly leak documents to competitors, or sabotage systems because he is peeved at his employer.

There is no shortage of tales of insider threat horror. Consider Terry Childs – the City of San Francisco employee who held the city hostage for two weeks while sitting in a jail cell. Or the world’s most infamous NSA contractor – Edward Snowden. And then there’s Anthony Levandowski, an engineer at an Alphabet subsidiary who is accused of downloading company files about self-driving car technology – and taking them with him to a competitor (Uber). It shows that, like Jack Nicholson’s demented character in the isolated Overlook Hotel, sometimes even reliable, trusted people can turn.

Malicious insiders are ominous because it’s challenging to detect them before they inflict horror. They’re not as obvious as a creepy clown or a freak in a hockey mask. An insider threat could be anyone – an employee, a third-party contractor. Unlike the previously described attack vectors, insiders don’t have to bother with breaking in and secretly searching out valuable data. They’re already on the inside and know where that priceless data exists.

Without an insider threat detection solution, it can seem impossible to decipher if an employee is performing his regular work activities or involved in something more sinister. Complicating the matter, it’s not just the creepy characters who are a concern. There’s also the accidental insider to fear. A normally effective, loyal employee could still succumb to a carefully crafted phishing email or social engineering campaign. In a sense, every employee is a possible insider threat suspect.

So, is there a silver bullet that can neutralise the threat? Not with conventional cybersecurity tools. However, security analytics technology can combine different data sources across an organisation and link behaviours from multiple feeds to a single identity. Then, machine learning can identify risky behaviour, and deliver insights with as much context as possible. This tactic – providing a correlated, risk prioritised view for security teams to respond to – is one of the keys to handling the insider threat.

The Prowler

There are a number of reasons why someone might launch a cyberattack. Perhaps it’s to conduct espionage. Maybe it’s to inflict damage. But the most common reason is simple theft – stealing valuable information that can profit the attacker. Today, data is the gold inside the vault at most organisations. It’s the final destination of the cybersecurity kill chain.

So, whatever the tactic used – account compromise, privileged access abuse or the others – it usually boils down to protecting the data that criminals seek. DLP and SIEM tools were once the preferred solutions for blocking access to data. But SIEM and DLP solutions became ineffective because their rules-based approach blocks only known threats. Additionally, they generate too many alerts, which would require a human analyst with a sixth sense to decipher the real threats.

Preventing data exfiltration starts with security teams knowing who is in their environment, what they have access to and what they are doing. Many organisations operate in an eerie, gray area of unknown risk. Addressing this scary problem requires an accurate and timely measurement of the risks that lurk like monsters in those darkened areas.

We need a solution that intervenes before data is exfiltrated. But how can that be done? In the aforementioned cyberattack thrillers, there was one common factor – aberrant behaviour. Behaviour is a leading threat indicator, as we like to say.

Some horror movie buffs say you can predict which characters will live and which will die, based on some particular patterns of behaviour. Similarly, if you can spot behaviour that’s outside the range of normal activities on a network, it is possible to detect and predict activities associated with sabotage, misuse and data theft. It takes a combination of the right data sources, machine learning and data science to pinpoint the aberrant activities indicative of malicious actions.

Gurucul’s behaviour-based security analytics can bring SIEM, DLP, PAM, IAM and network monitoring solutions into a unified analytics platform. The platform combines context-aware alerts and automated security against those things that go bump in the night in today’s enterprises.

Ready to exorcise your security demons? Request a demo to see how we can resolve your cybersecurity horror stories.

Anatomy of an Advanced Persistent Threat https://www.itsecurityguru.org/2019/10/22/anatomy-of-an-advanced-persistent-threat/?utm_source=rss&utm_medium=rss&utm_campaign=anatomy-of-an-advanced-persistent-threat Tue, 22 Oct 2019 10:50:44 +0000 https://www.itsecurityguru.org/?p=32676

By Tarik Saleh, Senior Security Engineer at DomainTools

Advanced Persistent Threats are long-term patterns of network exploitation that go undetected for extended periods of time and are usually aimed at high-profile targets such as governments, higher education institutions, political activists, and companies. They are often motivated by economic, political, and financial reasons, and the attacks tend to be highly targeted, resourceful, and risk tolerant.

The typical APT involves several phases:  

  • Infiltration/Initial compromise: 

This is when a malicious actor gains access to the network. The most common way in which criminal groups gain a foothold is through spearphishing or other forms of highly targeted, socially engineered attacks. These are preceded by a reconnaissance phase, when attackers collect information about the organisation they intend to breach, such as network hierarchy, operating systems and other relevant information that will allow them to remain undetected.

  • Lateral Movement in the network:

In this phase, hackers consolidate their presence on the network and open a communication channel between the compromised system and the command and control server. This usually requires stealing credentials, where threat actors use Man-in-the-Middle techniques or keyloggers to obtain access to specific areas of the network.  

With the stolen credentials, attackers can further expand to control desktops, or even obtain domain credentials to log in to systems, servers and switches.

  • Exfiltration of relevant information:  

At this stage, attackers have likely gained access to the type of data they’re trying to steal (credit cards, PII, etc) and they can start moving that data out of the network with the goal of not being detected. 

  • Covering their tracks: 

It’s in the actor’s best interest not to be spotted so that they can maintain their presence on the network for future initiatives. For this reason, after exfiltrating data, attackers usually cover any track of their activity, meaning that victims can be unaware of a threat on their network even for years.   

Why APTs are a legitimate concern for organisations of any size 

Small and medium enterprises should not make the mistake of falling into a false sense of security. While it’s true that APTs tend to aim at high-profile targets such as governmental organisations or large enterprises, these often have the highest cybersecurity measures in place, precisely because they are aware of being potential targets.  

To avoid the trouble of having to circumvent such strict security defence systems, threat actors oftentimes break into the network of smaller, less protected companies. They may also attack a third-party supplier of their actual target. Since they aren’t viewed as high-risk for APT attacks, these small companies and contractors often have limited security resources and allocated IT security staff. 

Once they’ve gained a foothold from within the smaller organisation, they can conduct attacks from that organisation against their final target.  

But gaining access to a larger enterprise is not the only reason why a motivated threat actor could want to infiltrate the network of SMBs. Smaller businesses should not underestimate the value of their digital assets: even seemingly trivial information can be sold on the dark market for a profit, and exploited in further criminal endeavours.  

For this reason, while your organization or company may not be involved in higher-risk industries associated with APTs (such as financial, government or tech institutions), you should still absolutely worry about this model for sophisticated attacks. It’s easy to dismiss APT protection as a useless investment because of the small likelihood of being attacked by one, but they are as real as more obvious and noticeable attacks, such as ransomware or DDoS.  

Furthermore, sophisticated threat actors often use open-source attacks, tools or techniques to compromise assets. These open-source attacks or techniques get recycled and used by other threat actors, even non-sophisticated ones, so having APT protection in place can be a sensible investment to protect against other, lower-level attacks.

How can organisations protect themselves? 

While the likelihood may be lower, you should still craft a threat model based on your organization’s assets. A great place to start is by looking at which of your organization’s assets are Internet-facing, as well as how large your networks are. The first principle of protecting the network is always visibility: you can’t protect yourself against something you didn’t know existed. All the potential entry points to your organisation’s infrastructure should be mapped and monitored continuously.

Stay vigilant for attackers infiltrating your network: malicious actors use attack vectors such as phishing, Business Email Compromise (BEC), and spearphishing to gain access to an organisation’s network. To prevent these types of campaigns, which rely on email, investing in solid email filtering is a good place to start.

More importantly, you should make sure that your employees are cybersecurity savvy by running training courses and – better—simulation drills. While this might not be useful against particularly well-designed emails, users who are aware of cybersecurity best practices will be less likely to click on suspicious links or download attachments from unrecognised senders.  

Finally, design your identity access management policies and procedures to follow the principle of least privilege, so that you not only know who has access to what and when, but that you can monitor all activities in the most critical areas of the network – ideally through session recording or behavioural monitoring.  

Building defenses against sophisticated threat actors will not only help mitigate damages (publicity impact, loss of customer trust, lawsuits) against the incident if it happens, but will also be complementary to your entire security program. If you can block APTs, you can block lower risk malware too. 
