pritha's Posts (624)


Components of Google BeyondCorp

Device & Hosts

  • Device : Collection of physical & virtual components that act as a computer. Eg. PC, server, VMs
  • Host : Snapshot of a device's state at a given point in time. Eg. the device might be a mobile phone, while the host would be the specifics of the operating system and software running on it.

Device Inventory Service

  • Contains information on devices, hosts and their trust decisions
  • Continuously updated pipeline that imports data from a broad range of sources

    • System management sources : Active Directory, Puppet, Simian

    • On-device agents, CMS, Corporate Asset Management

    • Out-of-band-data source: vulnerability scanners, certificate authorities, network infrastructure elements (eg. ARP tables)

    • Full or incremental data set

    • Google's scale : Initial phases ingested billions of deltas from 15+ data sources, at 3 million data records per day, totalling 80 terabytes

    • Retaining historical data allowed Google to understand the end-to-end life cycle of a device, track & analyze trends, and perform security audits & forensic analysis

Tiered Access

  • Trust levels are organised into tiers and assigned to each device by the trust inferer

  • Each resource is associated with a minimum trust tier required for access

  • To get access, a device's trust tier assignment must be >= the resource's trust tier

  • The trust inferer also supports the network segmentation effort by dynamically assigning a VLAN based on device state

    • Eg. A device without adequate OS patch level becomes untrustworthy and hence assigned to a quarantine network
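The trust-tier rule and the dynamic VLAN assignment described above, as an added Python example; this is not code from Google or from the presentation. The device attributes it inspects (patch level, certificate validity, age of the last agent report), the four-tier scale, the patch-level thresholds, the tier-to-VLAN mapping and the sample hosts are all constructed assumptions of mine:

```python
"""Added example (mine, not Google's BeyondCorp code): a toy trust inferer
implementing the tiered-access rule above.

Assumptions, all constructed: the device attributes inspected, the tier
scale 0..3, the patch-level thresholds, AGENT_MAX_AGE, the tier-to-VLAN
map and NOW.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_PATCH_LEVEL = 20170401          # constructed: below this the patch level is "inadequate"
LATEST_PATCH_LEVEL = 20170515       # constructed: at or above this the device is fully patched
AGENT_MAX_AGE = timedelta(days=7)   # constructed: inventory data older than this is stale
QUARANTINE_VLAN = 999               # constructed VLAN id for untrusted devices
TIER_TO_VLAN = {0: QUARANTINE_VLAN, 1: 200, 2: 300, 3: 400}  # constructed mapping
NOW = datetime(2017, 5, 20)         # constructed "current time" for the sample


@dataclass
class Host:
    """Snapshot of one device's state at a point in time (the 'host' above)."""
    device_id: str
    patch_level: int
    cert_valid: bool
    agent_last_seen: datetime


def infer_tier(host, now=NOW):
    """Trust inferer: derive a tier (0 = quarantine .. 3 = fully trusted) from the
    inventory snapshot. Identity is checked first, then data freshness, then
    patch state, so a device can never be rated higher than its weakest fact."""
    if not host.cert_valid:
        return 0        # no valid device certificate: no identity, quarantine
    if now - host.agent_last_seen > AGENT_MAX_AGE:
        return 1        # inventory data is stale, so only low trust is justified
    if host.patch_level < MIN_PATCH_LEVEL:
        return 1        # inadequate OS patch level: low trust
    if host.patch_level < LATEST_PATCH_LEVEL:
        return 2        # patched but behind the latest level: medium trust
    return 3


def assign_vlan(tier):
    """Dynamic VLAN assignment from the inferred tier (tier 0 lands in quarantine)."""
    return TIER_TO_VLAN[tier]


def access_allowed(device_tier, resource_min_tier):
    """The rule stated above: the device's tier must be >= the resource's minimum tier."""
    return device_tier >= resource_min_tier


def evaluate(host, resource_min_tier, now=NOW):
    """Full decision for one device against one resource."""
    tier = infer_tier(host, now)
    return {"tier": tier, "vlan": assign_vlan(tier),
            "allowed": access_allowed(tier, resource_min_tier)}


def sample_hosts():
    """Constructed inventory snapshots covering the interesting states."""
    return {
        "current":   Host("laptop-1", 20170515, True,  NOW - timedelta(days=1)),
        "patched":   Host("laptop-2", 20170510, True,  NOW - timedelta(days=1)),
        "unpatched": Host("laptop-3", 20170301, True,  NOW - timedelta(days=1)),
        "stale":     Host("laptop-4", 20170515, True,  NOW - timedelta(days=10)),
        "no-cert":   Host("laptop-5", 20170515, False, NOW),
    }


if __name__ == "__main__":
    for name, host in sample_hosts().items():
        # resource requiring tier 2, e.g. an internal admin console (constructed)
        print(name, evaluate(host, resource_min_tier=2))
```

The point of the ordering in infer_tier is that stale inventory data is treated like a missing patch: if the inventory service has not heard from the device recently, the patch level it holds cannot be trusted either, which is why the "stale" sample host is rated tier 1 even though its recorded patch level is current.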

>> Check full details of Google's BeyondCorp Architecture & Components in the presentation here by Arnab Chattopadhayay, Senior Director. It was earlier presented at SACON - International Security Architecture Conference.

Google's BeyondCorp Architecture (Image)


Architecture shown above includes:

  • Devices
    • cell installer
    • configuration mgmt agent
    • patch & inventory agent
  • Certificate authority
  • Configuration Mgmt Services
  • Patch Mgmt Services
  • Asset Mgmt
  • Directory Services
  • Network Infrastructure
  • Vulnerability Scanners
  • Inventory Service

Did you enjoy reading this? Great security minds from the world come together to present and conduct workshops at SACON - International Security Architecture Conference. Check out this year's session plan here


Interested in delivering a talk? Fill in the Call For Speakers here

Read more…

Application Threat Modeling : Types Of Threats

Here's a short classification of the types of threats considered in application threat modeling. This was earlier presented at SACON (International Security Architecture Conference) by Nilanjan De [multiple patents, zero-day discovery, co-founder at FireCompass]


Types Of Threats :

  • Network
  • Host
  • Application

Threats Against The Network

  • Information Gathering

    • Port Scanning
    • Using traceroute to detect network topologies
    • Using broadcast requests to enumerate subnet hosts
  • Eavesdropping

    • Using packet sniffers to steal passwords
  • Denial Of Service (DoS)

    • SYN floods
    • ICMP echo request floods
    • Malformed packets
  • Spoofing

    • Packets with spoofed source addresses



Threats Against The Host

  • Arbitrary Code Execution

    • Buffer Overflows In ISAPI DLLs (eg. MS01-033)
    • Directory Traversal Attacks (MS00-078)

  • File Disclosure

    • Malformed HTR requests (MS01-031)
    • Virtualized UNC share vulnerability (MS00-019)

  • Denial Of Service (DoS)

    • Malformed SMTP requests (MS02-012)
    • Malformed WebDAV requests (MS01-016)
    • Malformed URLs (MS01-012)
    • Brute-force file uploads

  • Unauthorized access

    • Resources with insufficiently restrictive ACLs
    • Spoofing with stolen login credentials

  • Exploitation of open ports & protocols

    • Use NetBIOS and SMB to enumerate hosts
    • Connecting remotely to SQL Server



Threats Against The Application

  • SQL Injection

    • Including a DROP TABLE command in text typed into an input field

  • Cross-site scripting

    • Using malicious client-side script to steal cookies

  • Hidden-field tampering

    • Maliciously changing the value of a hidden field

  • Eavesdropping

    • Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections

  • Session hijacking

    • Using a stolen session ID cookie to access someone else's session state

  • Identity Spoofing

    • Using a stolen forms authentication cookie to pose as another user

  • Information Disclosure

    • Allowing client to see a stack trace when an unhandled exception occurs



References:

You can view the full presentation here

SACON is the only International Conference On Security Architecture in the region. Who attends : CISO, CRO, CIO, Information Security Experts, IT Risk Professionals, Appsec professionals. Agenda includes SOC, Incident Response, Security Architecture Workshops, Cyber Range Drills, Threat Hunting, IoT Security, Forensics, AI & Machine Learning, Deception & much more. Click here to Pre-Register.


Read more…

With advances in big data and behavior analytics, whether an enterprise still needs a SIEM is an open question. This report addresses that question: it analyses and dissects the pros and cons of both sides.

>> Download


Why Read This Report ?

  • Evaluate whether a SIEM is a need for your organization (in the presence of big data & behavior analytics)
  • How to build an effective & mature SIEM
  • How to build SIEM infrastructure that reduces false positives
  • How to scale security detection in a SIEM

& more (includes data security, event logs...)

>> Download

Read more…

This report gives insight into 4 key cyber security incident trends observed in 2015. It includes top insights and a detailed analysis of each attack, how an organisation can avoid becoming a target, and how to mitigate the attack.

>> Download Report


Why Read This Report ?

  • 4 Key Cyber Crime Trends
  • Factors that facilitate each attack
  • Impact of each type of attack
  • Preparation & Prevention strategies

>> Download Report

Read more…

Author - Sanjay D. Tiwari, CISO, Suryoday Small Finance Bank

Prioritizing the handling of an incident is perhaps the most critical decision point in the incident handling process.
Because of resource limitations, incidents should not be handled on a first come, first served basis. Instead, handling should be prioritized based on severity. The priority of an incident defines how quickly it needs to be resolved.

How quickly an incident must be resolved is directly proportional to the impact of the incident.


Here is a sample classification of incidents based on severity.

Also, find below the detailed Incident Management Plan shared by our member.

Type | High | Medium | Low
--- | --- | --- | ---
Technological malfunctioning of system | Group of customers / employees affected | Small group of customers or a branch affected | Few people not able to carry out a task completely (group of 2-5 users); if not contained, may escalate
Unauthorized disclosure of business information | Unauthorized disclosure of confidential and restricted documents/information that has severely impacted the business | Unauthorized disclosure of confidential and restricted documents/information that has minor impact on the business | Unauthorized disclosure of official documents but no impact on business
Unauthorized modification of business information or information processing facilities | Corporate website defacement; unauthorized modification of confidential and restricted documents/information that has severely impacted the business; unauthorized modification of servers and core network devices | Unauthorized modification of confidential and restricted documents/information that has minor impact on the business; unauthorized modification of workstation computers | Unauthorized modification of official documents but no impact on business
Unavailability of information or information processing facilities | Unavailability of high-criticality services | Unavailability of medium-criticality services | Unavailability of low-criticality services
Detection of unauthorized computing or network equipment | Someone tries to steal data using an unauthorized Wi-Fi access point with an official look-alike SSID | Unauthorized Wi-Fi access point detected using an official look-alike SSID | Unauthorized computing or network device found in restricted areas/workflow
Physical access violation | Unauthorized person enters the work area and manages to steal business information or information processing equipment | Unauthorized person enters a sensitive / restricted area | Unauthorized person enters the work area; piggybacking or tailgating by staff
Physical damage | Damage that has caused severe injuries to staff and/or major destruction of assets | Damage that has caused minor injuries to staff and/or major destruction of assets | Damage that has not resulted in any injuries to staff, only minor physical damage to assets
Non-availability of services | All or the majority of users/customers are affected due to non-availability of the service | Only a section / category of users is affected due to non-availability of the service | Only a few or no users are affected, but the service is partially affected

Download The Complete Plan :

Need to download the detailed Incident Management Plan ? You can download it here


Read more…

In this Forrester report, they identify and analyze 13 significant firms in IT security consulting services: Accenture, Atos, BAE Systems, Dell SecureWorks, Deloitte, EY, HPE, IBM Security Services, KPMG, Protiviti, PwC, Verizon & Wipro.


Why Read This Report ?

  • Capability Mapping for the 13 significant players
  • Information Security Consulting Services Evaluation Overview
  • Forrester Wave for Information Security Consulting Service Providers

>> Download Report

Read more…

Organizations around the globe are investing heavily in cyber defense capabilities to protect their critical assets. Whether protecting brand, intellectual capital, and customer information or providing controls for critical infrastructure, the means for incident detection and response to protect organizational interests have common elements: people, processes, and technology.


The maturity of these elements varies greatly across organizations and industries. In this fourth annual State of Security Operations report, Hewlett Packard Enterprise provides updates to the current and emerging capabilities, best practices, and performance levels of security operations as learned from the assessment of organizations around the globe.


>> Download Report

Why Read This Report ?

  • SOC Struggles (Industry Wise)
  • Commercial vs Open Source Tools in Security Operations
  • Regional & Industry trends (Healthcare, Government, Financial, Telco etc.)
  • Findings for each category - People, Process, Technology, Business in SOC
  • Summary Of Findings

>> Download Report

Read more…

As mobile gains more capabilities and access to company data, mobile devices continue to play an important role in how workers do their jobs. Information workers are no longer tied to their PCs — smartphones, tablets, and laptops give them the flexibility to choose the device that best suits the context of each task performed. The internet of things (IoT) represents the next leap in business transformation, changing how enterprises sense, analyze, and control their connected worlds. Applying artificial intelligence (AI) techniques, such as cognitive computing and machine learning, to the analysis of all the new data created in such a paradigm is not only transformational but required as the device count (and complexity) rises.

Forrester Consulting evaluated the means by which enterprises are managing and securing various endpoint form factors today and how strategies will change over the next three years. In conducting an in-depth survey of 556 IT and security leaders in the US, the UK, Germany, India, and Australia, Forrester found that while enterprises have a decentralized approach to managing and securing smartphones, tablets, laptops, and IoT today, they will move to a more consolidated and cognitive approach by 2020.

> Download The Report

Key Points in This Report : 

  • The impact of mobility, IoT & AI on the future of business transformation in 2020
  • How consolidation plays a key role in bringing down TCO (total cost of ownership)
  • How organisations are planning for unified endpoint management for the future

> Download The Report

Read more…

WannaCry : Some Quick Precautions To Take

Author - Tushar Vartak, Director Information Security, Rak Bank


Since 12th Apr 2017, ransomware exploiting MS17-010 has been wreaking havoc worldwide.



Precautions to be taken:


1 - Patch Management

  • Ensure all Workstations and Servers have the latest Microsoft patches, especially the ones related to MS17-010.


2 - Antivirus

  • Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on the AV solution.
  • Get the details of the malware's name and verify whether it has been detected in the logs for the last 1 week.


3 - IPS

  • Ensure IPS signatures are updated. Verify that the signature that detects this vulnerability / exploit attempt is enabled and is in blocking mode.
  • Get the details of the signature's name and verify whether it has been detected in the logs for the last 1 week.


4 - eMail Gateway

  • Ensure eMail Gateway solutions have all relevant updates for detecting mails that may bring the Trojan into the environment.


5 - Proxy

  • Ensure the Proxy solution has an updated database. Block IOCs for IP addresses and domain names on the Proxy.
  • Verify the last one week of logs for the IOCs on the Proxy and take action on the sources of infection.


6 - Firewall

  • Block the IP addresses on Perimeter Firewall.
  • Verify logs for last one week.


7 - Anti - APT Solutions

  • Ensure signatures are up to date.
  • Check for possible internal sources of infection and take actions.


8 - SIEM

  • Check logs to verify if any of the IOCs have been detected in 1 week logs.

Note:
a - If required, raise case with OEM for getting details
b - All changes to follow proper approvals and change management process
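The log checks in steps 5, 6 and 8 above (sweep one week of proxy, firewall and SIEM logs for IOC IP addresses and domain names, then act on the internal sources), as an added Python example that is not the author's. The log line layout, the placeholder IOC values (documentation-range addresses and .example names, not real indicators) and the sample log lines are constructed for the example; a real IOC list comes from the AV/IPS vendor or a CERT advisory:

```python
"""Added example, not from the post's author: a one-week IOC sweep over
proxy/firewall style log lines, the check that steps 5, 6 and 8 above ask for.

Assumptions (all constructed for this example): the log line layout
"<ISO timestamp> <src_ip> <dst_ip_or_host> <action>", the IOC values and
the current time NOW."""
from datetime import datetime, timedelta

# Constructed placeholder IOCs; a real list comes from the AV/IPS vendor or CERT advisory.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
IOC_DOMAINS = {"malicious.example", "c2.example.net"}

# Constructed "current time" for the sample sweep
NOW = datetime(2017, 5, 15)

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_ip_or_host> <action>"
SAMPLE_LOGS = """\
2017-05-10T08:15:00 10.1.4.22 203.0.113.10 ALLOW
2017-05-12T09:02:11 10.1.4.22 www.example.org ALLOW
2017-05-13T14:30:05 10.1.5.9 c2.example.net DENY
2017-04-30T11:00:00 10.1.7.3 198.51.100.7 ALLOW
2017-05-14T16:45:59 10.1.4.22 sub.malicious.example ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, action)."""
    ts, src, dst, action = line.split()
    return datetime.fromisoformat(ts), src, dst, action


def domain_matches(dst, domains):
    """True if dst is an IOC domain or a subdomain of one; an exact-name
    check alone would miss hosts under the blocked domain."""
    return any(dst == d or dst.endswith("." + d) for d in domains)


def find_ioc_hits(log_text, now, window_days=7):
    """Return the log entries inside the lookback window whose destination is an IOC."""
    window = timedelta(days=window_days)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, action = parse_line(line)
        if now - ts > window:
            continue  # older than the one-week lookback asked for above
        if dst in IOC_IPS:
            kind = "ip"
        elif domain_matches(dst, IOC_DOMAINS):
            kind = "domain"
        else:
            continue
        hits.append({"ts": ts.isoformat(), "src": src, "dst": dst,
                     "action": action, "ioc_type": kind})
    return hits


def infected_sources(hits):
    """Internal hosts that contacted an IOC (a DENY is still an attempt): the
    'sources of infection' to take action on in step 5."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS, NOW)
    for h in found:
        print(h)
    print("sources to investigate:", infected_sources(found))
```

Run it as a script to print the hits and the internal hosts to investigate; a blocked (DENY) connection is reported too, because the attempt itself shows the source host is already trying to reach the IOC. To use it on real exports, adapt parse_line to the proxy or firewall's own line format.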

Read more…

Author - Abdur Rafi, CISO, ABP Pvt. Ltd., India

A series of broad attacks began that spread the latest version of the WanaCryptor ransomware. This attack, also referred to as WannaCrypt or WannaCry, reportedly impacted systems of public and private organizations worldwide. The attack caused Britain's NHS to cancel surgeries, a wide array of Russian and Chinese private and public institutions to be crippled for most of the day, and the rest of the world to recoil in shock.


Here's a solution : Anti-WannaCry, developed by the ABP IT Security Team in the Kolkata DataCentre, India, and launched on 15th May 2017.

Anti-WannaCry is a complete framework which not only finds and removes any traces of WannaCry from the PC, but also actively stops any future infection, thus making the system immune to future WannaCry attacks.

It's a self-contained client-based solution. It's OS independent, but .NET Framework version 4.5 is required.

It works on behavioral analysis and is not signature dependent. It doesn't require any internet connectivity or updates to work properly. It is also able to work on isolated systems where no network or internet is provided.

The structure of its 360 degree protection system will cover all these:


It monitors and protects all these vectors for WannaCry related infections, and actively stops its execution and growth. (See more on : https://youtu.be/sJzeb30SwBQ)

Please download a copy yourself to evaluate from here.

(Link was provided by author, please be careful while navigating outside cisoplatform.)

What is WannaCry?

WannaCry is the latest ransomware, affecting PCs and servers like wildfire. The functional architecture of the ransomware is shown below:


If you execute the ransomware, you can see the following files:


Dissecting Its Package - Part 1

  • File footprint after execution :
    • WannaCry.exe
    • Tasksche.exe ( with /i switch )
  • Anti-detection / stealthiness :
    • OpenServiceA@ADVAPI32.DLL at PID 00003256
    • OpenServiceA@ADVAPI32.DLL at PID 00003256

Some interesting ransomware code snippet


Dissecting Its Package - Part 2

Features of WannaCry:

  • Contains a remote desktop related string.
  • Reads terminal service related keys (RDP related).
  • Uses network protocols on unusual ports.
  • Deletes volume snapshots.
  • Disables startup repair.
  • Modifies auto-execute functionality by setting/creating values in the registry.
  • Spawns a lot of processes.
  • Tries to suppress failures during boot (often used to hide system changes).
  • Reads system information using Windows Management Instrumentation Command line (WMIC).
  • Reads the active computer name.
  • Reads the cryptographic machine GUID.

Dissecting Its Package - Part 3

Some of the interesting processes interacted with / executed / created by WannaCry:

  • attrib.exe
  • taskdl.exe
  • cmd.exe with command line "cmd /c 44651494617562.bat"
  • attrib.exe with command line "attrib +h +s %SAMPLEDIR%\$RECYCLE"
  • cscript.exe with commandline "//nologo m.vbs"
  • @WanaDecryptor@.exe with commandline "co"
  • cmd.exe with commandline "/c start /b @WanaDecryptor@.exe vs"
  • taskhsvc.exe with commandline "TaskData\Tor\taskhsvc.exe"
  • taskse.exe with commandline "C:\@WanaDecryptor@.exe"
  • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing

(Kill switch for WannaCry v2.0)

Dissecting Its Package - Part 4

Some of the interesting strings found inside the source code & Memdump of WannaCry:

  • !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
  • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
  • \\172.16.99.5\IPC$ ( Malicious share will be opened )
  • \\192.168.56.20\IPC$ ( Malicious share will be opened )
  • C:\%s\qeriuwjhrf
  • C:\WannaCrya.exe
  • C@GW?M[3
  • cmd.exe /c "%s"
  • CryptImportKey
  • DisableLocalOverride
  • DisablePassport
  • diskpart.exe
  • GetAdaptersInfo
  • GetCommandLineA
  • GetComputerNameW
  • GetCPInfo
  • GetCurrentProcess
  • GetCurrentProcessId
  • GetExitCodeProcess
  • GetLastError
  • GetNativeSystemInfo

Read more…

CISO Platform Decision Summit, 2017 Highlights

CISO Platform Decision Summit @Pune last week saw over 150 attendees over 2 days, making the spirit of knowledge sharing and learning a huge success among the information security executives of India. Here are the highlights of the awesome keynotes, electrifying Turbo sessions and some great knowledge-boost training sessions.

It was held on 12th & 13th May, Hyatt, Pune, India.


Some Exciting Sessions & Task Force Meetups:

  • Overview Of Google's Beyondcorp Approach To Security By Arnab Chattopadhayay (Click here for PPT)
  • IoT Hacking By Sri Chakradhar (Click here for PPT)
  • Tabletop Wargame: Cyber Crisis Management Drill ( PPT not yet available )
  • Panel Discussion On Emerging Technologies ( PPT not yet available )
  • Task force Reference Framework: Breach & IR Playbook ( PPT not yet available )
  • Task force: Convincing the management ( PPT not yet available )
  • Task force SecDevOps Program ( PPT not yet available )
  • Task force Mobility Management Playbook ( PPT not yet available )
  • Task force Security Maturity model and scorecard for organisation ( PPT not yet available )
  • Task force Student awareness program framework ( PPT not yet available )
  • Task force Create A Framework For Role Of A CISO ( PPT not yet available )
  • Tabletop Wargame: Creating a Framework for 3rd party risks / Vendor Risk Management ( PPT not yet available)
  • Panel: Key Security Insights From Top Security Implementations (Deception, SOC, Privacy etc) ( PPT not yet available )

( Note - Speaker presentations represent the views of the individual speakers and not of CISO Platform or their employers )

Post finalization & collection of the above presentations, they will be available at this link : http://www.cisoplatform.com/page/ciso-platform-task-force

(Currently not yet available. Expected by 29th May, 17)

Photo Album

Some great photographs have been compiled into an album. Help us Tag you ( Tag yourself ) and let us know if you want to add some pictures you took at the event. Email - pritha.aash@cisoplatform.com

Here's the Photo Album link - Click Here

Here's the CISO Platform 100 Recognition Photo Album Link - Click Here


Read more…

This Article was shared by Nachiket Sathaye, Information Security Consultant, Ultradefence Solutions

“We are PCI Compliant, now we are secured”- While assisting customers with their PCI DSS Compliance, I always come across teams making this statement. This is a very common myth amongst PCI DSS customers. Do you really think that you will not face any security threats once you are PCI compliant - Absolutely not!



When the PCI scope is defined, only a small piece of the infrastructure, the part dealing with card holder data and related processes, is considered. Stakeholders and owners participating in the PCI assessment work throughout the assessment cycle performing various tasks and maintaining records / evidence; sometimes actively, sometimes under pressure. Most of the time PCI DSS is treated as a project by the Compliance and / or IT Infrastructure teams rather than as a business requirement. Other teams are always busy with their own tasks and not willing to actively participate in PCI programs, as it is not on their priority list. This may lead to ignorance of security standards and processes, making them the weakest link in the chain.


There are a lot of technologies and processes involved in any payment business – business applications, network and compute systems, processes etc. Vulnerabilities and other non-conformities (NCs) make this payment ecosystem more complex. Teams struggle to remediate the issues, but they face challenges in terms of compatibility issues, application and business process level dependencies, no downtime approvals, fund shortages for technology upgrades etc., which further delay the compliance cycle. PCI compliance is a snapshot in time. Evidence / records maintained for the assessment cycle are validated along with periodic security tests performed throughout the assessment cycle. However, attackers and threats are nowadays getting very sophisticated. Instead of leaking the data immediately, they harvest the information and wait for the perfect time for the actual breach. That's why customers must assess and remediate the issues in the CDE environment at regular intervals.


Many times, PCI customers outsource tasks to 3rd party vendors or merchants. Although outsourcing simplifies the customer's business and is cost effective, it creates another security challenge. Understanding and implementing the PCI DSS standard is a challenge for a small vendor without skilled security resources or IT teams with good knowledge of security standards. Past data breaches in the payment industry have revealed that many times the breach happened via a 3rd party / outsourced unit, as it was part of the customer's trusted network but with fewer security controls at its end, thus making it an easy target.


The PCI standard also talks about security and penetration testing from the non-CDE environment, but how many customers really focus on this part and the related processes to maintain similar security standards there? I would say, very few customers. Most of the time, the non-CDE environment is ignored due to lack of time, workload on existing resources, commercial issues etc., which leads to a breach via the non card data environment.


Security awareness amongst employees is also a big challenge. IT teams, business application owners and management might be aware of security threats, but not the general user. Common users (or sometimes experienced people, even CxOs) become victims of security attacks due to a lack of security awareness, which might lead to a huge security breach in future.


The PCI DSS standard (or any other security framework) is just a benchmark and a snapshot of a particular period. It should be part of the business's IT security strategy to protect sensitive data and the continuity of operations, but at the same time businesses need to look beyond the compliance standards, continuously assess the environment for all kinds of security threats, create and assess organization-wide security awareness, and give equal importance to the entire infrastructure and to outsourced vendors as well.


Instead of following / targeting the compliance framework's points just to handle the mandates, one should follow short-term / long-term security strategies to strengthen the environment and business processes, with regular audits / tests to check their effectiveness; this will automatically help achieve the compliance certification without much trouble.

Want To Be A 'Knowledge Donor' too? Click here to write an article

Read more…
Here's some exciting content on security architecture. It includes tools for Data Protection, Incident Response Tool Qualification & more. There's a great conference for security builders too - SACON (Security Architecture Conference), Pune.


Guide To Building Enterprise Security Architecture Governance Program

Here's an in-depth guide to building an enterprise security architecture governance program. This is a community contribution from 2 members who have researched the topic in detail......Download Guide


10 Things You Should Ask of Your Cyber Incident Response Tool

Here's a guest post with 10 things to qualify your Incident Response Tool. Incident responders must move faster, be more agile, have longer stamina than the attacker......Read More



Confusion and Deception: New Tools for Data Protection

This talk was presented at RSAC USA 2017. Cyberthreats are asymmetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once.....View Slide

Learn Secure DevOps, Threat Hunting, Threat Modeling and more @SACON Pune

India has a lot of hackers but very few security architects. The industry as well as the country needs competence in "Security Architecture". That's the reason why we started SACON - India's only Security Architecture Conference. No Sponsored Talks.....Know More
Read more…

Study : Security Breaches In India

This is a study by the Ponemon Institute: the 2016 Cost of Data Breach Study in India. This report includes 150 Indian organisations that participated in the benchmarking process.

This study examines the costs incurred by 37 Indian companies in 12 industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims and/or regulators as required by laws and business contracts. It is important to note that the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the individuals we interviewed over a ten-month period in the companies that are represented in this research.

>>Download The Report

Why Read This Report ?

  • 7 Global Trends In The Cost Of Data Breach Research

  • Key Findings & Trends from the India Data Breach Research

  • Learning the Costs, Factors, Root Causes for the data breach (In Depth with graphical representation)

>>Download The Report

Read more…

Our editorial team has handpicked the best of the best talks at RSA Conference - one of the largest IT security conferences in the world. Following is the list of top Emerging Areas In Security Technology talks at RSA Conference 2017.

RSA Conference held its event at the Moscone Center in San Francisco and brought together a record number of more than 45,000 attendees. Attendees experienced keynotes, peer-to-peer sessions, top notch track sessions, tutorials and seminars. Keynotes, sessions and debates focused on New Attack Technique, Encryption, Artificial Intelligence, Machine Learning, Internet Of Things, Cloud Security & Virtualization & many more.

(Source: RSA Conference USA 2017)



1) Machine Learning: Cybersecurity Boon or Boondoggle?

Speaker : Dr. Zulfikar Ramzan

Machine learning (ML) and artificial intelligence (AI) are the latest “shiny new things” in cybersecurity technology but while ML and AI hold great promise for automating routine processes and tasks and accelerating threat detection, they are not a panacea. This session will demonstrate what they can and can’t do in a cybersecurity program through real world examples of possibilities and limits.

>> Go To Presentation


2) Ridge-based Profiled Differential Power Analysis

Speaker : Yu Yu

Ridge-based differential power analysis techniques and side-channel attacks on intermediate states with no partial key guessing are discussed.

Topic 1: Ridge-Based Profiled Differential Power Analysis. Authors: Weijia Wang, Yu Yu, François-Xavier Standaert, Dawu Gu, Sen Xu and Chi Zhang.

Topic 2: My Traces Learn What You Did in the Dark: Recovering Secret Signals without Key Guesses. Authors: Si Gao, Hua Chen, Wenling Wu, Limin Fan, Weiqiong Cao and Xiangliang Ma.

>> Go To Presentation



3) Advances in Cloud-Scale Machine Learning for Cyber-Defense

Speakers : Mark Russinovich

Picking an attacker’s signals out of billions of log events in near real time from petabyte scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session will present the latest frameworks, techniques and the unconventional machine-learning algorithms that Microsoft uses to protect its infrastructure and customers.

>> Go To Presentation



4) Applied Machine Learning: Defeating Modern Malicious Documents

Speakers : Evan Gaustad

A common tactic adopted by attackers for initial exploitation is the use of malicious code embedded in Microsoft Office documents. This attack vector is not new, but attackers are still having success. This session will dive into the details of these techniques, introduce some machine learning approaches to analyze and detect these attempts, and explore the output in Elasticsearch and Kibana.

>> Go To Presentation



5) Hello false flags! The art of deception in targeted attack distribution

Speakers : Brian Bartholomew (@Mao_Ware), Juan Andrés Guerrero-Saade

When it comes to targeted attacks, everyone is obsessed with attribution. It’s a near impossible question to answer. Attackers often try to muddy the waters through deception tactics like false flags. This talk will draw on unpublished research to provide real-world examples of false flag operations and explain why understanding them is crucial for researchers and users of threat intelligence.


6) Confusion and Deception: New Tools for Data Protection

Speakers : Craig Astrich, Daniel Frank

Cyberthreats are asymmetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once. As petabytes of data traverse the ecosystem, legacy data protection methods leave many gaps. By looking through the adversary’s eyes, you can create subterfuges, delay attack progress or reduce the value of any data ultimately accessed—and shift the risk equation.


7) Automated Prevention of Ransomware with Machine Learning and GPOs

Speakers : Rob Soto, Joseph Zadeh

This talk will highlight a signature-less method to detect malicious behavior before the delivery of the ransomware payload can infect the machine. The ML-driven detection method is coupled with the automated generation of a Group Policy Object; in this way we demonstrate an automated way to take action and create a policy based on the IOCs observed in a zero-day exploit pattern.



8) Applied Cognitive Security: Complementing the Security Analyst

Speakers : Vijay Dheap, Brant Hale

Security incidents are increasing dramatically and becoming more sophisticated, making it almost impossible for security analysts to keep up. A cognitive solution that can learn about security from structured and unstructured information sources is essential. It can be applied to empower security analysts with insights to qualify incidents and investigate risks quickly and accurately.



9) (FREE ACCESS) FireCompass : Discover & Compare 1000+ Global Sec...

Description: AI Assistant For Security Product Buying

FireCompass is an AI Assistant for Cyber Security Decision Making. Discover & Compare 1,000+ Cyber Security Products. Grab your FREE Account Now (For a Limited Time ONLY).


Your Complete Guide To Top Talks @RSA Conference 2017 (USA)

Get your FREE Guide on Top Talks @ RSA Conference 2017 (USA) . Our editorial team has gone through all the talks and handpicked the best of the best talks at RSA Conference into a single guide. Get your Free copy today.


2016 Community Achievements & 2017 Goals

2016 has been a great year for the CISO Platform Community and our vision to create tangible community goods. We want to thank all those who made valuable contributions to make this happen.

We have created more than 200 checklists. Here are some of them:

Partial list of past community projects:

  1. Cyber Crisis Management Plan (CCMP) for Banks in India - Click here to download
  2. Top N Threats & Controls Mapping for IT/ITES Industry - Click here to download
  3. Top N Threats and Controls Mapping for Insurance Industry - Click here to download
  4. Top 4 Resources On IoT Security - Click Here To Read More
  5. Checklist To Evaluate SIEM Technology - Click Here To Read More
  6. Checklist To Evaluate A Cloud Based WAF - Click Here To Read More
  7. Checklist To Evaluate A DLP Technology - Click Here To Read More
  8. (Checklist) Incident Response: How to respond to a security breach during first 24 hours - Click Here To Read More

Access 300+ Community Articles/Frameworks we built

To read more of the community articles, checklists etc., click here

2016 Community Achievements

  • 8 Successful Task Force Initiatives, which created various best-practice documents such as the Crisis Management Framework and the Top N Threats Frameworks (for more details on Task Force Initiatives and contributions, click here)
  • 10+ Playbooks created, which summarised the community learning in the form of practical reference documents. Thanks to those who hosted or agreed to host such Round Tables in their offices for more intimate knowledge sharing.
  • 150+ Blogs and Articles were published on CISO Platform
  • 25+ Community RFPs created
  • SACON, India's 1st & Only Security Architecture Conference, was started to bridge the skill gap in security architecture. We have a lot of hackers (ethical or otherwise) but very few security architects. More than 250 people participated in Bangalore and Goa (for more details on the SACON event, click here)
  • The CISO Platform 100 global initiative is promoting the top 100 influencers of the industry. At Kochi we hosted India's top 100 influencers who are shaping the future of the industry and the country

Focus for 2017

Technical Focus Areas: Incident Response, Security Architecture, Fintech Security (for cashless India), IoT Security. Apart from these, we will continue with the earlier initiatives.

Key Community Programs: Task Force, Playbooks and Wargaming.

"CISO Platform 100" Community Projects: promote the spirit of giving to the community to shape the future of our industry, country and society. Let's inspire the next generation. Let's create a dent in the world.


A big thank you to our CISO Platform IoT Security Task Force. They did a 6-hour blogathon and came up with very interesting articles for our community.

If you love it, don't forget to share it !


Security Vulnerabilities In Connected Cars

Connected vehicle technology potentially increases driving safety and efficiency through its ability to communicate with the internet and other automobiles. Learn about the benefits, vulnerabilities, attack points and solutions. Read More



Survey Of IoT Security Standards

IoT security is being approached by many organizations and from different perspectives. In this post we give a bird's-eye view of the players. This is not intended to be comprehensive; we will supplement it in time with a deeper dive at the different layers of the ISO 7-layer model. Read More



 


Advertising Vulnerabilities In Bluetooth Low Energy (BLE) IoT Networks

Unlike IP security, the BLE security framework is not yet mature. Newer versions of BLE have enhanced the security of BLE devices, but vulnerabilities are still present. Learn about them. Read More



IoT Security Using Blockchain

Two of the most talked-about technologies in today's world are blockchain and IoT. In this article we critically examine the use of blockchain technology to secure IoT. Read More

By the way, here are the other IoT Task Force blogs:

  • End-to-End Encryption in BLE IoT Network
  • List of IoT Use Cases
  • Survey of IoT Security Standards
  • Classification of IoT Devices

Share the Blogs and show your appreciation for the "IoT Security Task Force" !



 

Cyber Insurance May Affect Incident Response Industry

Faced with the risk of cyberattacks, the prospect of losing data and the potential for large fines, the private sector has turned to the insurance industry to protect against losses arising from all manner of information security incidents. Research from CFC Underwriting shows a 50% growth in demand for cyberinsurance last year and the firm expects continued high demand for cyber insurance products in 2017.

The cyberinsurance industry is growing quickly as a result. Allianz estimates the total written premium for cyber insurance is currently $2.5 billion, but forecasts this could reach $20 billion by 2025. U.S. data breach regulations have fueled demand and the European Union General Data Protection Regulations are likely to further boost growth.

Cyberinsurance often provides victims of attacks with more than just payouts though. In many cases, cyber insurance companies will arrange for incident response firms to clean up after an intrusion. This is largely a positive thing for both parties--it can reduce pressure on the company to find and engage a competent provider at a time of crisis and gives the insurer some control over the cost of a cleanup, which can be significant. However, the tie-up between incident response firms and insurance companies may not be wholly positive.

( Read More: 10 things you should ask of your cyber incident response tool )


Influencing Incident Response

Insurance companies will be keen to ensure they partner only with those companies that have capacity to respond to multiple incidents simultaneously, potentially across multiple geographies, and have the skillsets required to deal with the range of potential incidents. This of course favors the larger response providers who already have a considerable advantage over smaller firms and will make it harder still for smaller providers to compete. Particularly outside the U.S. and U.K., incident response consultancy usually comes from independent firms that offer incident response expertise alongside other cybersecurity services.

But the influence of the insurance industry doesn’t end there. Insurance companies will not only dictate which providers are used, but also how incidents are handled. Generally, insurers want incidents to be resolved as quickly as possible to limit costs. For simple incidents, such as ransomware attacks, immediate remediation is fine, but for complex intrusions the best strategy is often to monitor the attack and tailor the response accordingly.

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Investigation vs Remediation

As I recall from my time leading incident response consultancy engagements, gathering information about the attackers, their tools and techniques, and understanding the type of information being targeted can help inform the best way to ensure the attackers are completely removed from the network. This is especially important when dealing with sophisticated cybercriminals or persistent nation state hackers who may have installed hidden backdoors or will immediately attempt to regain access to the network.

The expense associated with investigating, rather than simply responding to an incident, can be significant, but the option should be open to security decision-makers, rather than be imposed by a company seeking to limit the cost of a claim. An incorrect response could cause longer-term damage and disruption.

Organizations should know that insurers are not always obliged to pay for a response to an attack. One area that security executives must be aware of is the retroactive date of a policy. It is commonplace to detect intrusions months, and in some cases years, after the initial compromise took place, falling outside the period covered by a policy.

Cyberinsurance is still reasonably immature, but has the potential to make a positive impact on cybersecurity. The current situation of high premiums and relatively low coverage ceilings will change as more data are gathered about the scale of the problem and the threat actors involved. Over time, insurance companies will fine-tune the most effective ways to reduce cyberrisk and organizations must be incentivized through premium reductions to listen and take action.

( Read More: Checklist To Assess The Effectiveness Of Your Vulnerability Management Program )

Post Author : Rob Sloan, Cybersecurity research director, Dow Jones

This post was initially posted here & has been reproduced with permission.


In the fast-moving world of cyber security incident response, the challenge is to rapidly identify and stay ahead of the threat. Incident responders must move faster, be more agile and have more stamina than the attacker. They must also be more responsive than the attacker, or the malware can morph and be concealed before they act. In the world of small networks (1-100 nodes), this is not a particularly oppressive challenge with the old methodologies, tools, and procedures. In midsize to large-scale enterprises, however, the old ways and tools will leave you chasing your tail in an attempt to find the malware, isolate the breach, and remediate the network, as it morphs or infects faster than you can find and remediate it. The longer it takes to stop the bleeding, the more exposure there is in terms of fines, legal liability, and damage to corporate image. In practical terms, this need to maximize the speed with which a breach is handled places some very exacting and demanding requirements on the capabilities of the tool used to perform the incident response (IR).

( Read More: Cyber incident response- The 5 important steps )


image courtesy: https://www.flickr.com/photos/jakerust/16649925388

First and foremost, your tool must be forensically sound. In nearly every case, you will identify that there is a breach and your team will begin reacting to it long before law enforcement agencies respond. On the IR battlefield, your incident responders will make decisions based on the reliability of the data that you collect, and that requires a forensic grade of exactness. If law enforcement becomes involved in the incident, your computer incident response team (CIRT) will need to provide them with forensically sound data to enable the successful prosecution of the case. Before everyone jumps on the single-hard-drive examination model bandwagon, in which every drive in the enterprise is imaged and then examined with a stand-alone forensic tool, be aware that this model doesn’t scale to the size and complexity of the modern malware battlefield, nor is it required for a successful prosecution of the case. For large enterprises this model is way too slow and expensive. What it does mean is that your tool must be able to generate digital fingerprints in the form of Message Digest 5 (MD5) and SHA hashes for each piece of evidence that is collected. Your tool must also have the ability to store that evidence in an investigative container, with procedures and controls to ensure to a legal standard that the integrity and originality of the investigative container are pristine. Any file or other OS artifact that must be acquired and maintained as part of the investigation must be acquired in a way that does not change the file system artifacts or metadata. These artifacts include the file created date, file modified date, last accessed date and, depending on the file system involved, the deleted date. The same applies to items like volatile memory and individual processes that are imaged. It goes without saying that the investigative tool must not change these investigative artifacts in the acquisition process. The preservation of the metadata and the generation of the hash values for each piece of evidence allow your team to testify to the originality of the evidence and to its preservation state. To stand up to the legal scrutiny that your investigation and evidence collection will undergo in the event the perpetrators of a breach are prosecuted, your tool should have the ability to log your actions, and any action should be reproducible. Without these basic elements, successful prosecution of the perpetrators of the breach will likely fail.
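The forensic properties just listed (MD5 and SHA hashes per item, source metadata left untouched, a tamper-evident container and a replayable log of examiner actions) can be shown in a small acquisition helper; the following Python is an added example for this page, not code from the post's author or from any CIRT product. The `EvidenceContainer` layout, the hash-chained action log and the constructed `suspicious.docm` sample are the example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte image never sits in memory

def open_noatime(path):
    """Open read-only without bumping the source's last-accessed time (Linux O_NOATIME)."""
    try:
        return os.open(path, os.O_RDONLY | getattr(os, "O_NOATIME", 0))
    except PermissionError:  # O_NOATIME needs file ownership; fall back to a plain open
        return os.open(path, os.O_RDONLY)

def file_digests(path):
    """MD5 and SHA-256 of a file, the two fingerprints the text asks a CIRT tool to produce."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with os.fdopen(open_noatime(path), "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk); sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def snapshot_metadata(path):
    # The file-system artifacts the text says must survive acquisition untouched
    st = os.stat(path, follow_symlinks=False)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns, "ctime_ns": st.st_ctime_ns}

class EvidenceContainer:
    """Directory holding acquired items, a manifest, and a hash-chained examiner action log."""
    def __init__(self, root):
        self.root = Path(root)
        (self.root / "items").mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        self.log = self.root / "actions.log"
        if not self.manifest.exists():
            self.manifest.write_text("[]")

    def _last_hash(self):
        if not self.log.exists():
            return "0" * 64  # genesis value for an empty chain
        return json.loads(self.log.read_text().splitlines()[-1])["hash"]

    def log_action(self, examiner, action, details):
        """Append one examiner action; each entry commits to the previous entry's hash."""
        entry = {"ts": time.time(), "examiner": examiner, "action": action,
                 "details": details, "prev": self._last_hash()}
        entry["hash"] = hashlib.sha256(
            (entry["prev"] + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        with open(self.log, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry["hash"]

    def acquire(self, source, examiner):
        """Stream one artifact into the container, hashing it in the same single read."""
        source = Path(source)
        before = snapshot_metadata(source)
        items = json.loads(self.manifest.read_text())
        dest = self.root / "items" / f"{len(items):04d}_{source.name}"
        md5, sha = hashlib.md5(), hashlib.sha256()
        with os.fdopen(open_noatime(source), "rb") as src, open(dest, "wb") as dst:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                md5.update(chunk); sha.update(chunk); dst.write(chunk)
        md5, sha = md5.hexdigest(), sha.hexdigest()
        after = snapshot_metadata(source)
        record = {"source": str(source), "stored_as": dest.name, "md5": md5, "sha256": sha,
                  "metadata": before, "copy_verified": file_digests(dest) == (md5, sha),
                  # atime is excluded on purpose: a mount without noatime may still bump it on read
                  "source_unchanged": all(before[k] == after[k] for k in ("mtime_ns", "ctime_ns"))}
        items.append(record)
        self.manifest.write_text(json.dumps(items, indent=1))
        self.log_action(examiner, "acquire", {"source": str(source), "sha256": sha})
        return record

    def verify(self):
        """Re-hash every stored item and re-walk the log chain; False means corruption or tampering."""
        for rec in json.loads(self.manifest.read_text()):
            if file_digests(self.root / "items" / rec["stored_as"]) != (rec["md5"], rec["sha256"]):
                return False
        prev = "0" * 64
        for line in (self.log.read_text().splitlines() if self.log.exists() else []):
            entry = json.loads(line)
            claimed = entry.pop("hash")
            expect = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or expect != claimed:
                return False
            prev = claimed
        return True

def demo(root=None):
    """Acquire a constructed sample artifact, then tamper with the stored copy; returns what each step saw."""
    root = Path(root or tempfile.mkdtemp(prefix="cirt-demo-"))
    sample = root / "suspicious.docm"
    sample.write_bytes(b"hello")  # constructed sample content, not a real document
    box = EvidenceContainer(root / "case-0001")
    rec = box.acquire(sample, examiner="examiner-1")
    intact = box.verify()
    (box.root / "items" / rec["stored_as"]).write_bytes(b"hellO")  # simulate a tampered item
    return {"record": rec, "intact_before": intact, "intact_after": box.verify()}
```

`verify()` is what an examiner would run before testifying: it fails if any stored item no longer matches its recorded hashes or if any log entry has been altered, removed or reordered.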

( Read More: Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA) )

Second, your CIRT tool must be truly enterprise capable. Given the speed with which an investigation must be accomplished, coupled with the size of modern enterprises, you should be able to conduct searches simultaneously across your enterprise without performing a self-induced denial of service attack on yourself. Surprisingly, the forensic tools with the most market share for the enterprise environment are not capable of this essential task. The reason for this is found in the evolution of these tools. Originally, these tools were stand-alone computer forensic examination programs designed for “dead drive” forensics on single computers. As the need arose for remote acquisitions and analysis, these companies simply added an agent that allows the examiner to access a remote computer, but they didn’t change the investigative dynamics of the programs themselves. Under this model, all the data from the remote computer must be transported from the remote node back to the investigative computer for analysis. If an examiner needed to do a grep search across both the allocated and unallocated space on a hard drive—a normal occurrence for a complete forensics investigation—the contents of the entire hard drive of each computer in question must be transported across the network. To shield their customers from really understanding this limitation (and from performing a self-induced DoS on their network) these companies often license their programs under a “concurrent connection” model. Under the concurrent connection model, the examiner is constrained to using between one and ten concurrent connections, thereby limiting the examiner to searching at most ten computers at a time. In the world of three-terabyte hard drives for desktops and even small networks containing 1,000+ computers, it doesn’t take a rocket scientist to figure out that the concurrent connection model will not scale. The irony of this type of licensing model, however, is that the customer thinks that it is a limitation of their software license, not that the tool simply cannot handle the task. To truly support an incident response investigation, your tools must be able to search all of the nodes on your network in parallel. Only by searching simultaneously can your CIRT get ahead of the breach and any polymorphic activity that is occurring. A well-known entertainment company spent over eighteen months using a “leading” enterprise forensic tool trying to rid their system of a polymorphic breach and could never isolate the malcode because their tool was too slow in searching the network. Yes, their CIRT was using a tool that followed the concurrent connection model. If your current tool set follows this licensing scheme, I would be very concerned.

Third, memory analysis shouldn’t be a bolt-on “we do it too.” It should be part of the core functionality of your CIRT tool. Your tool must be able to handle remote node memory extremely well. Let’s face it, the ability to identify processes, identify the executable that spawned the processes, identify what other processes have hooks into a given process, and the ability to identify process dependencies are all critical to finding and isolating a breach. It is in this memory space that the malware must live to function. Consequently, your tool should have the ability to operate in this space and have the ability to remotely acquire individual processes and/or the entire memory of the remote nodes. When I say “acquire the entire memory or the entire process,” I mean just that. Unfortunately, a significant number of tools out there only acquire what is actually located in the RAM at that particular moment, ignoring or unable to access the data that has been cached in pagefile.sys or hiberfil.sys as part of the virtual memory management of a system. When you do perform your memory acquisition, if your acquired memory image size is the same size as your installed RAM, that is a pretty good indicator that you are only getting the data that is loaded into RAM and not the cached bits and bytes located in your virtual memory. Similarly, in an enterprise environment, you want to have the option of not pulling the entire contents of RAM over the network and instead pulling out individual processes directly. If your tool can’t do both of these things, it is probably time to reevaluate your tools. Given the frequency with which you and your examiners are going to be examining and imaging RAM on a large breach, it shouldn’t be a twelve-step process. Your tool should have the ability to remotely image the entire memory or a subset of the processes with a simple right click of the examiner’s mouse. Using the right tool, this simply isn’t too complex a task.

( Read More: Checklist On Skillset Required For An Incident Management Person )

Fourth, your tool should be able to support live analysis methodologies. In the dynamic world of today’s business and the increasing quantity of malware incidents, this should be a no-brainer. One shouldn’t have to bring down a network, or even just the critical nodes on the network, to conduct an investigation. Unfortunately, many of the leading tools don’t support live analysis of critical components of the enterprise. This requires the CIRT to either bring down the resource to create a forensic image to analyze offline, or—at a minimum—export subsets of data to analyze offline. A prime example of this is an organization’s Microsoft Exchange mail server. One of the leading causes of malware infections is someone clicking on an email attachment. A recent study conducted by TNS Global determined that over thirty percent of all users open suspicious emails. Given that this is so common, your CIRT tool must be able to analyze the Exchange server and the contents of the individual mailboxes without taking them offline and halting office productivity.

Fifth, your CIRT tool agent needs to reside low enough in the remote node’s operating system to ‘see’ rootkits. While this may seem fairly straightforward—given that we are trying to find malware and rootkits—in fact few do. The result of this failure is that most IR tools rely on the remote node’s operating system to tell them what is there in the form of process and file listings. Try finding a rootkit that the OS can’t see using this method—you can’t. To be effective, the IR tool should be able to operate both in the OS/user-readable realm and at the level of the physical hard drive. At the physical level, the examiner can see everything that the OS is trying to mask, including rootkits and shielded processes. This is essential to an effective IR.

Sixth, your CIRT tool should be able to mount remote nodes as local physical disks on your examination machine. There will be occasions when you will need to run a specific program for a particular purpose on an identified remote node. The top tier tools will allow you to select the remote node, select the media of interest, and then mount the device. Once mounted, the best-of-breed tools will create a volume for the device at the physical layer on your examination box. This will allow you to run programs on your local examination box against the mounted drive as if it were a truly local, physically attached hard disk. This is very versatile for specialized situations. Unmounting the remote node should be just as easy, with no residual entries or system hangs within either the host or remote OS.

Seventh, your CIRT tool should enable the team to conduct the complete investigation remotely, without requiring physical access to the remote nodes. As simplistic as this sounds, how many teams are still slapping USB or DVD disks into remote nodes and then imaging to them? Part of the impetus behind these practices is the investigative mindset that still focuses on the traditional (but outdated) “one disk, one case, one examiner” dynamic that is still taught by basic forensic educational programs. Another aspect that supports these practices is the lack of tools that can actually deliver on the claims made in the marketing slicks. A tool that will allow the full remote investigation and remediation of a cyber threat response will support the following capabilities:

  1. Ability to image all the memory or selected memory segments of a node, both physical and virtual, across the network to either the local examiner’s node or another location designated by the examiner.
  2. Ability to support CIRT automated workflows.
  3. Ability to drop down into an integrated command shell or GUI that will allow the examiner to remove rogue processes and perform other administrative functions on the remote node.
  4. Support all aspects of the forensic investigation.
  5. Remote recovery of deleted data on the remote node.
  6. Built in viewers for the most common file formats on the remote nodes.
  7. Ability to do remote screen captures. While often overlooked, a screen shot of what is going on at a remote node can be invaluable, especially in court.

( Read More: 5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution )

Eighth, it is imperative that a CIRT tool is able to perform extensive logging in three critical areas: examiner actions, remote node network traffic, and remote node process/application activity. As previously mentioned in this paper, it is essential that the CIRT tool be forensically sound from its foundation up. One of the critical components of that foundation is the ability to log all the actions taken by the examiner. This provides an exact record of what actions were performed and serves as the ultimate shield against misguided defense attorney claims or assertions that the examiner destroyed or planted evidence. Additionally, the logs will also serve as an excellent basis from which to analyze findings and to form the basis for reporting to the client. Logging of remote node network traffic is critical to determine exfiltration methodologies, exfiltration destination addresses, and the content of the payload for malware. Logging of the remote node processes and applications simplifies the identification of malware, the mode of infection and the attack vectors, and creates the ability to identify, isolate and remediate breaches in a fraction of the time it would take using traditional tools. In the evolving world of hacker methodologies, attacking the common log aggregators and the individual system logging systems is very common. A self-contained logging system that is only accessible through your CIRT tool provides a trusted log base that can be used as the basis of the investigation.

Ninth, in an enterprise CIRT tool it doesn’t make sense to limit the number of “seats” or concurrent users via a licensing scheme that is non-responsive to the realities of incident response. The reason that you need an enterprise-level CIRT tool is that the issue you are combating is a very BIG problem, often spread globally. While each CIRT will have standard response procedures that dictate the number of initial responders, the true scope of an incident is often apparent only after the team is neck-deep in the initial response investigation. Requirements to surge support into ongoing and developing responses are an everyday occurrence. It is critical, then, to have a CIRT tool that supports the reality of the response environment. Companies that are proactive will have a tool inside their infrastructure pre-incident that allows their internal staff to be augmented at a moment’s notice by surge responders or additional resources, with no delay due to negotiations with software vendors for more examiner seats. That said, if the tool that you are using employs the concurrent connection methodology, it probably can’t handle more responders and additional investigative demands anyway. Today’s environment demands that you have a tool that can.

Tenth, it is abundantly clear that our infrastructure budgets are under constant downward pressure. Your CIRT tool should be versatile enough to support other functions in the environment than just looking for malware. The capabilities necessary for a world-class CIRT tool are also the capabilities required for other needs within a corporate structure. Internal human resource related investigations, intellectual property preservation, and e-Discovery collection requirements come immediately to mind. In many instances, the price of a world-class CIRT tool can more than pay for itself in the savings generated by consolidating tools and functions within the organization. One of our enterprising government clients has turned the purchase of their world-class CIRT tool into a revenue generation center with positive cash flow by providing a fee-for-service function to other departments within their agency.

Once armed with a highly capable CIRT tool, your CIRT and your organization are prepared to respond effectively and quickly to those cyber threats that constantly bombard your defenses—and unfortunately occasionally get through.

Post Author : Ben Cotton, President/CEO, Cyber Technologies Services, Inc.

This post was initially posted here & has been reproduced with permission.


Cyber Incident Response - The 5 Important Steps

This article gives the 5 principal steps, and the questions one must ask, when handling an emergency through the cyber security incident response process. These cover the incident itself, the control points, the plan of action, communication, and the business impact.


( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Step 1 - Is there really an incident?

Incidents rarely emerge fully formed. Rather they start as a set of indicators, often described as an event, that through investigation may turn into an incident that requires follow up, or not. The response plan should include a policy that sets the parameters, severity, and standards for when and how an incident is declared. This will define the criteria for a major and minor incident type and set the required procedures to be followed after each type of incident. Be sure to include any third party or vendor incident response procedures if they are likely to be involved.

Step 2 - Who's in charge?

When an event is escalated to an incident it is important to understand who is in charge; the roles, responsibilities, and authority of all members of the response team should be defined in advance. The policy-granting authority needed to fulfil the roles of team members must be clearly communicated across the organization.

Despite all the time and effort we put into protecting our environment, in the face of an attack we are judged purely on how efficiently and effectively we respond to it.

Step 3 - Plan of Action

The response team needs to go over what happened in order to understand what should have been done better, by means of simulations such as:

  • Drills
  • Desktop exercises
  • Functional exercises
  • Full-scale exercises

All of these exercise scenarios are designed to stimulate technical, operational, communication, and/or strategic responses to cyber incidents with a view to reviewing and refining current capabilities.

Each exercise consists of determining what improvements could be made in:

  1. Preparation
  2. Detection and analysis
  3. Containment and eradication of threats
  4. Post-incident activity
  5. Recovery process and getting back to business

Article 31 of the incoming General Data Protection Regulations requires us to notify the appropriate authority of a data breach within 72 hours of learning about the exposure.

Step 4 - Communication!

In some ways, an incident response plan is only as good as its communication network. During critical incidents, time is of the essence, and communication networks tend to be the first resource to break down, for a number of reasons.

( Read More: Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA) )

Step 5 - How does this Impact business?

There have been a number of high profile data breaches in the past few years, which have impacted millions of people. The growing threat of identity theft makes customers especially sensitive to any of their data being at risk. As a result, companies need to understand exactly what is at risk in each type of incident and how that could have a negative impact on the business. 

Post Author : Aaron Fox, Information Security: Enterprise Account Manager, HANDD Business Solutions

This post was initially posted here & has been reproduced with permission.
