pritha's Posts (627)

Cyber Insurance May Affect Incident Response Industry

Faced with the risk of cyberattacks, the prospect of losing data and the potential for large fines, the private sector has turned to the insurance industry to protect against losses arising from all manner of information security incidents. Research from CFC Underwriting shows a 50% growth in demand for cyberinsurance last year and the firm expects continued high demand for cyber insurance products in 2017.

The cyberinsurance industry is growing quickly as a result. Allianz estimates the total written premium for cyber insurance is currently $2.5 billion, but forecasts this could reach $20 billion by 2025. U.S. data breach regulations have fueled demand and the European Union General Data Protection Regulations are likely to further boost growth.

Cyberinsurance often provides victims of attacks with more than just payouts, though. In many cases, cyber insurance companies will arrange for incident response firms to clean up after an intrusion. This is largely a positive thing for both parties: it reduces the pressure on the company to find and engage a competent provider at a time of crisis, and it gives the insurer some control over the cost of a cleanup, which can be significant. However, the tie-up between incident response firms and insurance companies may not be wholly positive.

Influencing Incident Response

Insurance companies will be keen to ensure they partner only with those companies that have capacity to respond to multiple incidents simultaneously, potentially across multiple geographies, and have the skillsets required to deal with the range of potential incidents. This of course favors the larger response providers who already have a considerable advantage over smaller firms and will make it harder still for smaller providers to compete. Particularly outside the U.S. and U.K., incident response consultancy usually comes from independent firms that offer incident response expertise alongside other cybersecurity services.

But the influence of the insurance industry doesn't end there. Insurance companies will not only dictate which providers are used, but also how the incidents are handled. Generally, insurers want incidents to be resolved as quickly as possible to limit costs. For simple incidents, such as ransomware attacks, immediate remediation is fine, but for complex intrusions the best strategy is often to monitor the attack and tailor the response accordingly.

Investigation vs Remediation

As I recall from my time leading incident response consultancy engagements, gathering information about the attackers, their tools and techniques, and understanding the type of information being targeted can help inform the best way to ensure the attackers are completely removed from the network. This is especially important when dealing with sophisticated cybercriminals or persistent nation state hackers who may have installed hidden backdoors or will immediately attempt to regain access to the network.

The expense associated with investigating, rather than simply responding to an incident, can be significant, but the option should be open to security decision-makers, rather than be imposed by a company seeking to limit the cost of a claim. An incorrect response could cause longer-term damage and disruption.

Organizations should know that insurers are not always obliged to pay for a response to an attack. One area that security executives must be aware of is the retroactive date of a policy. It is commonplace to detect intrusions months, and in some cases years, after the initial compromise took place, falling outside the period covered by a policy.

Cyberinsurance is still reasonably immature, but has the potential to make a positive impact on cybersecurity. The current situation of high premiums and relatively low coverage ceilings will change as more data are gathered about the scale of the problem and the threat actors involved. Over time, insurance companies will fine-tune the most effective ways to reduce cyberrisk and organizations must be incentivized through premium reductions to listen and take action.

Post Author : Rob Sloan, Cybersecurity research director, Dow Jones

This post was initially posted here & has been reproduced with permission.

In the fast-moving world of cyber security incident response, the challenge is to rapidly identify and stay ahead of the threat. Incident responders must move faster, be more agile and have more stamina than the attacker, and they must be more responsive than the attacker or the malware can morph and conceal itself. In the world of small networks (1-100 nodes), this is not a particularly oppressive challenge with the old methodologies, tools, and procedures. In midsize to large-scale enterprises, however, the old ways and tools will leave you chasing your tail trying to find the malware, isolate the breach, and remediate the network while it morphs or infects faster than you can find and remediate it. The longer it takes to stop the bleeding, the more exposure there is in terms of fines, legal liability, and damage to corporate image. In practical terms, this need to maximize the speed with which a breach is handled places some very exacting and demanding requirements on the capabilities of the tool used to perform the incident response (IR).

image courtesy: https://www.flickr.com/photos/jakerust/16649925388

First and foremost, your tool must be forensically sound. In nearly every case, you will identify that there is a breach and your team will begin reacting to it long before law enforcement agencies respond. On the IR battlefield, your incident responders will make decisions based on the reliability of the data that you collect, and that requires a forensic grade of exactness. If law enforcement becomes involved in the incident, your computer incident response team (CIRT) will need to provide them with forensically sound data to enable the successful prosecution of the case. Before everyone jumps on the single hard drive examination model bandwagon, in which every drive in the enterprise is imaged and then examined with a stand-alone forensic tool, be aware that this model doesn't scale to the size and complexity of the modern malware battlefield, nor is it required for a successful prosecution. For large enterprises this model is far too slow and expensive. What forensic soundness does require is that your tool generate digital fingerprints, in the form of MD5 and SHA hashes, for each piece of evidence that is collected. (MD5 is no longer collision resistant, so record a SHA-2 hash such as SHA-256 alongside it rather than relying on MD5 alone.) Your tool must also be able to store that evidence in an investigative container with procedures and controls that ensure, to a legal standard, that the integrity and originality of the container are pristine. Any file or other OS artifact that must be acquired and maintained as part of the investigation must be acquired without changing the file system metadata: the file created date, file modified date, last accessed date and, depending on the file system involved, the deleted date. The same applies to volatile memory and individual processes that are imaged.
The preservation of the metadata and the generation of the hash values for each piece of evidence allow your team to testify to the originality of the evidence and to its preservation state. To stand up to the legal scrutiny that your investigation and evidence collection will undergo if the perpetrators of a breach are prosecuted, your tool should also log your actions, and any action should be reproducible. Without these basic elements, prosecution of the perpetrators will likely fail.
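As an added illustration of what "forensically sound" means in practice (example code written for this page, not a tool or code from the original author), the following Python builds a minimal evidence container: it captures the source file's timestamps before anything reads it, hashes the acquired copy with both MD5 and SHA-256 and checks it against the source, writes a manifest, and keeps the examiner action log as a hash chain so that a later edit to the log is detectable. The directory layout, the `examiner01` identity and the sample file are all constructed for the demo.

```python
"""Added example, not from the original article: a minimal forensically
sound evidence container.  Source metadata is recorded before anything
touches the file, the copy is hashed with MD5 and SHA-256 and checked
against the source, and every examiner action goes into a hash-chained
log so later edits to the log are detectable.  Paths and sample evidence
are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def capture_metadata(path):
    """Size and timestamps as seen on the source.  Captured *before* the copy,
    because merely reading a file can bump its atime on some mounts."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime,
            "ctime": st.st_ctime}   # ctime: change time on POSIX, creation time on Windows


class EvidenceContainer:
    """Directory holding acquired items, a JSON manifest and a chained action log."""

    def __init__(self, root, examiner):
        self.root = Path(root)
        self.items_dir = self.root / "items"
        self.items_dir.mkdir(parents=True, exist_ok=True)
        self.manifest_path = self.root / "manifest.json"
        self.log_path = self.root / "actions.log"
        self.examiner = examiner
        self.manifest = []
        self.prev_log_hash = "0" * 64          # genesis value of the hash chain
        self.log("container_created", {"examiner": examiner})

    def log(self, action, details):
        """Append one JSON line that commits to the hash of the previous line."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "examiner": self.examiner,
                 "action": action, "details": details, "prev": self.prev_log_hash}
        line = json.dumps(entry, sort_keys=True)
        self.prev_log_hash = hashlib.sha256(line.encode()).hexdigest()
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")

    def acquire(self, source):
        """Copy a source file into the container and record hashes plus metadata."""
        source = Path(source)
        meta = capture_metadata(source)
        before = hash_file(source)
        item_id = f"{len(self.manifest):04d}"
        dest = self.items_dir / f"{item_id}_{source.name}"
        shutil.copyfile(source, dest)           # content only; never writes to the source
        after = hash_file(dest)
        if after != before:
            raise RuntimeError("acquired copy does not match source hashes")
        record = {"id": item_id, "source": str(source), "stored_as": dest.name,
                  "hashes": after, "source_metadata": meta}
        self.manifest.append(record)
        self.manifest_path.write_text(json.dumps(self.manifest, indent=2))
        self.log("acquire", {"id": item_id, "source": str(source), "sha256": after["sha256"]})
        return record

    def verify(self):
        """Re-hash every stored item and re-walk the log chain; returns (items_ok, log_ok)."""
        items_ok = all(hash_file(self.items_dir / r["stored_as"]) == r["hashes"]
                       for r in self.manifest)
        prev, log_ok = "0" * 64, True
        for line in self.log_path.read_text(encoding="utf-8").splitlines():
            if json.loads(line)["prev"] != prev:
                log_ok = False
                break
            prev = hashlib.sha256(line.encode()).hexdigest()
        return items_ok, log_ok


def run_demo():
    """Constructed scenario: acquire one sample file, then tamper with the stored
    copy and with the log to show that verify() catches both."""
    work = Path(tempfile.mkdtemp(prefix="evidence_demo_"))
    sample = work / "suspicious.dll"
    sample.write_bytes(b"MZ\x90\x00constructed sample payload\n")
    container = EvidenceContainer(work / "case-0001", examiner="examiner01")
    record = container.acquire(sample)
    clean = container.verify()
    with open(container.items_dir / record["stored_as"], "ab") as fh:
        fh.write(b"!")                           # alter the stored copy
    tampered_item = container.verify()
    lines = container.log_path.read_text(encoding="utf-8").splitlines()
    lines[0] = lines[0].replace("examiner01", "examiner02")   # rewrite history
    container.log_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    tampered_log = container.verify()
    return {"sha256": record["hashes"]["sha256"], "clean": clean,
            "tampered_item": tampered_item, "tampered_log": tampered_log}


if __name__ == "__main__":
    print(run_demo())
```

Real tools read the raw device rather than going through the file system precisely so that the source's last-accessed time cannot be disturbed by the acquisition itself; here the metadata is captured first so that the recorded values are the pre-acquisition ones regardless.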

Second, your CIRT tool must be truly enterprise capable. Given the speed with which an investigation must be accomplished, coupled with the size of modern enterprises, you should be able to conduct searches simultaneously across your enterprise without performing a self-induced denial of service attack on your own network. Surprisingly, the forensic tools with the most market share in the enterprise environment are not capable of this essential task. The reason for this is found in the evolution of these tools. Originally, these tools were stand-alone computer forensic examination programs designed for "dead drive" forensics on single computers. As the need arose for remote acquisitions and analysis, these companies simply added an agent that allows the examiner to access a remote computer, but they didn't change the investigative dynamics of the programs themselves. Under this model, all the data from the remote computer must be transported from the remote node back to the investigative computer for analysis. If an examiner needs to do a grep search across both the allocated and unallocated space on a hard drive, a normal occurrence for a complete forensic investigation, the contents of the entire hard drive of each computer in question must be transported across the network. To shield their customers from really understanding this limitation (and from performing a self-induced DoS on their network) these companies often license their programs under a "concurrent connection" model. Under the concurrent connection model, the examiner is constrained to using between one and ten concurrent connections, thereby limiting the examiner to searching at most ten computers at a time. In a world of three terabyte hard drives on desktops and even small networks containing 1,000+ computers, it doesn't take a rocket scientist to figure out that the concurrent connection model will not scale.
The irony of this type of licensing model, however, is that the customer thinks that it is a limitation of their software license, not that the tool simply cannot handle the task. To truly support an incident response investigation, your tools must be able to search all of the nodes on your network in parallel. Only by searching simultaneously can your CIRT get ahead of the breach and any polymorphic activity that is occurring. A well-known entertainment company spent over eighteen months using a “leading” enterprise forensic tool trying to rid their system of a polymorphic breach and could never isolate the malcode because their tool was too slow in searching the network. Yes, their CIRT was using a tool that was following the concurrent connection model. If your current tool set is following this licensing scheme, I would be very concerned.

Third, memory analysis shouldn't be a bolt-on "we do it too." It should be part of the core functionality of your CIRT tool. Your tool must be able to handle remote node memory extremely well. Let's face it, the ability to identify processes, identify the executable that spawned each process, identify what other processes have hooks into a given process, and identify process dependencies are all critical to finding and isolating a breach. It is in this memory space that the malware must live to function. Consequently, your tool should be able to operate in this space and to remotely acquire individual processes and/or the entire memory of the remote nodes. When I say "acquire the entire memory or the entire process," I mean just that. Unfortunately, a significant number of tools only acquire what is actually resident in RAM at that moment, ignoring or unable to access the data that has been paged out to pagefile.sys or written to hiberfil.sys by the system's virtual memory management. When you perform your memory acquisition, if the acquired image is the same size as the installed RAM, that is a pretty good indicator that you are only getting the data loaded in RAM and not the pages sitting in virtual memory on disk. Similarly, in an enterprise environment, you want the option of not pulling the entire contents of RAM over the network and instead pulling out individual processes directly. If your tool can't do both of these things, it is probably time to reevaluate your tools. Given how often you and your examiners are going to be examining and imaging RAM during a large breach, it shouldn't be a twelve-step process. Your tool should be able to remotely image the entire memory or a subset of the processes with a simple right click of the examiner's mouse. Using the right tool, this simply isn't too complex a task.

Fourth, your tool should support live analysis methodologies. In the dynamic world of today's business and the increasing quantity of malware incidents, this should be a no-brainer. One shouldn't have to bring down a network, or even just the critical nodes on the network, to conduct an investigation. Unfortunately, many of the leading tools don't support live analysis of critical components of the enterprise. This requires the CIRT either to bring down the resource to create a forensic image to analyze offline, or, at a minimum, to export subsets of data to analyze offline. A prime example of this is an organization's Microsoft Exchange mail server. One of the leading causes of malware infections is someone opening an email attachment. A recent study conducted by TNS Global determined that over thirty percent of all users open suspicious emails. Given that this is so common, your CIRT tool must be able to analyze the Exchange server and the contents of individual mailboxes without taking them offline and halting office productivity.

Fifth, your CIRT tool agent needs to reside low enough in the remote node's operating system to "see" rootkits. While this may seem fairly straightforward, given that we are trying to find malware and rootkits, in fact few do. The consequence of this failure is that most IR tools rely on the remote node's operating system to tell them what is there, in the form of process and file listings. Try finding a rootkit using this method when the OS can't see it: you can't. To be effective, the IR tool should be able to operate both in the OS/user-readable realm and at the level of the physical hard drive. At the physical level, the examiner can see everything that the OS is trying to mask, including rootkits and shielded processes. This is essential to an effective IR.

Sixth, your CIRT tool should be able to mount remote nodes as local physical disks on your examination machine. There will be occasions when you will need to run a specific program for a particular purpose on an identified remote node. The top tier tools will allow you to select the remote node, select the media of interest, and then mount the device. Once mounted, the best-of-breed tools will create a volume for the device at the physical layer on your examination box. This will allow you to run programs on your local examination box against the mounted drive as if it were a truly local, physically attached hard disk. This is very versatile for specialized situations. Unmounting the remote node should be just as easy, with no residual entries or system hangs within either the host or remote OS.

Seventh, your CIRT tool should enable the team to conduct the complete investigation remotely, without requiring physical access to the remote nodes. As simplistic as this sounds, how many teams are still slapping USB or DVD disks into remote nodes and then imaging to them? Part of the impetus behind these practices is the investigative mindset that still focuses on the traditional (but outdated) “one disk, one case, one examiner” dynamic that is still taught by basic forensic educational programs. Another aspect that supports these practices is the lack of tools that can actually deliver on the claims made in the marketing slicks. A tool that will allow the full remote investigation and remediation of a cyber threat response will support the following capabilities:

  1. Ability to image all the memory or selected memory segments of a node, both physical and virtual, across the network to either the local examiner’s node or another location designated by the examiner.
  2. Ability to support CIRT automated workflows.
  3. Ability to drop down into an integrated command shell or GUI that will allow the examiner to remove rogue processes and perform other administrative functions on the remote node.
  4. Support all aspects of the forensic investigation.
  5. Remote recovery of deleted data on the remote node.
  6. Built in viewers for the most common file formats on the remote nodes.
  7. Ability to do remote screen captures. While often overlooked, a screen shot of what is going on at a remote node can be invaluable, especially in court.

Eighth, it is imperative that a CIRT tool is able to perform extensive logging in three critical areas: examiner actions, remote node network traffic, and remote node process/application activity. As previously mentioned in this paper, it is essential that the CIRT tool be forensically sound from its foundation up. One of the critical components of that foundation is the ability to log all the actions taken by the examiner. This provides an exact record of what actions were performed and serves as the ultimate shield against misguided defense attorney claims or assertions that the examiner destroyed or planted evidence. Additionally, the logs serve as an excellent basis from which to analyze findings and to build the report to the client. Logging of remote node network traffic is critical to determine exfiltration methodologies, exfiltration destination addresses, and the content of the malware's payload. Logging of the remote node processes and applications simplifies the identification of malware, the mode of infection and the attack vectors, and makes it possible to identify, isolate and remediate breaches in a fraction of the time it would take using traditional tools. In the evolving world of hacker methodologies, attacking the common log aggregators and the individual system logging facilities is very common. A self-contained logging system that is only accessible through your CIRT tool provides a trusted log base that can be used as the basis of the investigation.

Ninth, in an enterprise CIRT tool it doesn't make sense to limit the number of "seats" or concurrent users via a licensing scheme that is non-responsive to the realities of incident response. The reason that you need an enterprise-level CIRT tool is that the issue you are combating is a very BIG problem, often spread globally. While each CIRT will have standard response procedures that dictate the number of initial responders, often the true scope of an incident is apparent only after the team is neck deep in the initial response investigation. Requirements to surge support into ongoing and developing responses are an everyday occurrence. It is critical, then, to have a CIRT tool that supports the reality of the response environment. Companies that are proactive will have a tool inside their infrastructure pre-incident that allows their internal staff to be augmented at a moment's notice by surge responders or additional resources, with no delay due to negotiations with software vendors for more examiner seats. That said, if the tool you are using employs the concurrent connection scheme, it probably can't handle more responders and additional investigative demands anyway. Today's environment demands that you have a tool that can.

Tenth, it is abundantly clear that our infrastructure budgets are under constant downward pressure. Your CIRT tool should be versatile enough to support other functions in the environment than just looking for malware. The capabilities necessary for a world class CIRT tool are also the capabilities required for other needs within a corporate structure: internal human resources investigations, intellectual property preservation, and e-Discovery collection requirements come immediately to mind. In many instances, the price of a world class CIRT tool can more than pay for itself in the savings generated by consolidating tools and functions within the organization. One of our enterprising government clients has turned the purchase of their world class CIRT tool into a revenue center with positive cash flow by providing a fee-for-service function to other departments within their agency.

Once armed with a highly capable CIRT tool, your CIRT and your organization are prepared to respond effectively and quickly to the cyber threats that constantly bombard your defenses and, unfortunately, occasionally get through.

Post Author : Ben Cotton, President/CEO, Cyber Technologies Services, Inc.

This post was initially posted here & has been reproduced with permission.

Cyber Incident Response - The 5 Important Steps

This article sets out five principal steps, and the questions to ask at each, when dealing with a cyber security incident: confirming that there really is an incident, establishing who is in charge, the plan of action, communication, and the impact on the business.

Step 1 - Is there really an incident?

Incidents rarely emerge fully formed. Rather they start as a set of indicators, often described as an event, that through investigation may turn into an incident that requires follow up, or not. The response plan should include a policy that sets the parameters, severity, and standards for when and how an incident is declared. This will define the criteria for a major and minor incident type and set the required procedures to be followed after each type of incident. Be sure to include any third party or vendor incident response procedures if they are likely to be involved.

Step 2 - Who's in charge?

When an event is escalated to an incident it is important to understand who is in charge; the roles, responsibilities, and authority of all members of the response team should be defined in advance. The policy granting the authority needed to fulfil those roles must be clearly communicated across the organization.

Despite all the time and effort we put in to protecting our environment, in the face of attack we are judged purely on how efficiently and effectively we respond to it

Step 3 - Plan of Action

The response team needs to go over what happened in order to understand what should have been done better, by means of simulations such as:
  • Drills
  • Desktop exercises
  • Functional exercises
  • Full-scale exercises

All of these exercise scenarios are designed to stimulate technical, operational, communication, and/or strategic responses to cyber incidents with a view to reviewing and refining current capabilities.

Each exercise consists of determining what improvements could be made in:
  1. Preparation
  2. Detection and analysis
  3. Containment and eradication of threats
  4. Post-incident activity
  5. Recovery process and getting back to business

Article 33 of the incoming General Data Protection Regulation requires us to notify the appropriate supervisory authority of a personal data breach within 72 hours of becoming aware of it

Step 4 - Communication!

In some ways, an incident response plan is only as good as its communication network. During critical incidents, time is of the essence, and communication networks tend to be the first resource to break down, for a number of reasons.

Step 5 - How does this Impact business?

There have been a number of high profile data breaches in the past few years, which have impacted millions of people. The growing threat of identity theft makes customers especially sensitive to any of their data being at risk. As a result, companies need to understand exactly what is at risk in each type of incident and how that could have a negative impact on the business. 

Post Author : Aaron Fox, Information Security Enterprise Account Manager, HANDD Business Solutions

This post was initially posted here & has been reproduced with permission.

The new Spora ransomware strain has now been dissected by more malware researchers and the team from G Data discovered that Spora uses an "innovative" way to spread itself via USB sticks. This strain is highly sophisticated and could become the "New Locky". 

Spora has well-implemented encryption procedures that do not need a Command & Control server, a user-friendly payment site, choice of different “packages” that victims can opt for including immunity from future attacks, and Ransomware-as-a-Service capability.

Infection vector is email attachment with HTA file 

Spora arrives as an email attachment: a ZIP file containing an HTA file with obfuscated VBScript code. Once the user falls for the social engineering and double-clicks the HTA inside the ZIP, the HTA writes a JScript file called close.js to disk and executes it.

The JScript file in turn is a dropper for a Word document and an .exe file, both of which are written to disk and opened by close.js. The document opens in Word or WordPad, but only an error message is shown because the file is corrupt, so the user sees nothing more than a broken attachment. Meanwhile the .exe, which has a seemingly random name hardcoded by the dropper, runs the actual payload.

Spora Exhibits Worm-like Behavior Using .LNK files

Ransomware that behaves like a worm has been seen before with the ZCryptor strain, which uses the old autorun.inf trick, but Spora goes further, borrowing a technique from other malware that uses Windows shortcuts (.LNK files) instead. Spora sets the hidden attribute on files and folders on the desktop, in the root of USB drives and in the root of the system drive.

With the standard folder options, these hidden files and folders are no longer visible. Spora then creates Windows shortcuts with the same name and icon as each hidden file or folder; because Windows also hides the .lnk extension by default, the shortcut looks exactly like the original. Each .LNK opens the original file to avoid raising suspicion, but at the same time executes the malware, and the worm copies itself as a hidden file alongside the .LNK files.
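The pairing just described (a visible `NAME.lnk` sitting next to a hidden `NAME`) is a simple thing to hunt for, and the following Python does exactly that. It is an added example written for this page, not code from G Data or the original post: a directory is modelled as `(name, hidden)` pairs so the check can be exercised offline against a constructed listing, `list_entries()` shows how to obtain the same pairs from a live volume using the Win32 hidden attribute, and `default_locations()` lists the spots the post says Spora seeds. The file names in `SAMPLE_USB_ROOT` are made up.

```python
"""Added example, not from the original post: flag the Spora-style shortcut
masquerade, i.e. a visible NAME.lnk next to a hidden NAME in the same
directory.  A directory is modelled as (name, hidden) pairs so the check can
run offline against a constructed listing; list_entries() shows how to get
the same pairs from a live volume.  Sample names are made up."""
import os

FILE_ATTRIBUTE_HIDDEN = 0x2          # Win32 attribute bit


def find_lnk_masquerades(entries):
    """entries: iterable of (name, hidden) for one directory.
    Returns sorted (hidden_original, shortcut) pairs.  A legitimate shortcut has
    no hidden twin with the identical name, so it is not reported."""
    hidden = {name for name, is_hidden in entries if is_hidden}
    visible = {name for name, is_hidden in entries if not is_hidden}
    hits = []
    for name in visible:
        stem, dot, ext = name.rpartition(".")
        if dot and ext.lower() == "lnk" and stem in hidden:
            hits.append((stem, name))
    return sorted(hits)


def list_entries(directory):
    """Live listing as (name, hidden) pairs.  Uses the Win32 hidden attribute on
    Windows; elsewhere falls back to the dot-file convention so it still runs."""
    pairs = []
    with os.scandir(directory) as it:
        for entry in it:
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", None)
            if attrs is None:
                hidden = entry.name.startswith(".")
            else:
                hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
            pairs.append((entry.name, hidden))
    return pairs


def scan_locations(paths):
    """Check the places Spora seeds: desktop, system drive root, removable roots.
    Returns {path: hits} for locations that exist and have at least one hit."""
    findings = {}
    for path in paths:
        if os.path.isdir(path):
            hits = find_lnk_masquerades(list_entries(path))
            if hits:
                findings[path] = hits
    return findings


def default_locations():
    """Typical targets on a Windows host; nonexistent paths are skipped elsewhere."""
    home = os.path.expanduser("~")
    drives = [f"{letter}:\\" for letter in "DEFGHIJKLMNOPQRSTUVWXYZ"]
    return [os.path.join(home, "Desktop"), os.environ.get("SystemDrive", "C:") + "\\"] + drives


# Constructed listing of a USB root after infection (not real data).
SAMPLE_USB_ROOT = [
    ("Budget.xlsx", True),       # original, now hidden
    ("Budget.xlsx.lnk", False),  # shortcut, displayed as "Budget.xlsx"
    ("Photos", True),            # hidden folder
    ("Photos.lnk", False),       # shortcut, displayed as "Photos"
    ("Readme.txt", False),       # untouched file
    ("Setup.lnk", False),        # ordinary shortcut with no hidden twin
    ("System Volume Information", True),   # hidden by Windows itself, no twin
]


if __name__ == "__main__":
    print(find_lnk_masquerades(SAMPLE_USB_ROOT))
    print(scan_locations(default_locations()))
```

The check deliberately keys on the hidden twin rather than on shortcuts alone, since desktops are full of legitimate .lnk files; a hit is a strong signal, and the shortcut's target and arguments are the next thing to pull.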

Spora ransomware goes global

Data gathered by the ID-Ransomware service shows what was expected; Spora has started to spread to new territories outside former Soviet states. It was first spotted in the wild during the first week of the year, and its first version featured a ransom note only in Russian, meaning its distributors were only targeting territories with Russian-speaking users. 

Last week, things changed, when Spora was identified in multiple ransomware distribution campaigns. ID-Ransomware started registering uploads of Spora-encrypted files from users outside the former Soviet territory. Countries like Saudi Arabia, Austria, or the Netherlands became hotspots of Spora infections. Treat this as a heads-up: America will follow shortly.


Spora now spreads via exploit kits and spam waves

A new development is that security researchers Brad Duncan and Malware Breakdown have now spotted RIG-v exploit kits spreading Spora, and it's only the start of things. 

MalwareHunterTeam is keeping an eye on a malware distribution server that had been used to host multiple ransomware strains in the past few days, such as Cerber, Locky and Spora. This server had been used combined with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments that contained code that downloaded the Spora binary from the distribution server.

Spora includes support for a "campaign ID," a parameter used to track both the effectiveness of different spam runs and the different groups renting Spora from its creators. The jury is out on whether Spora has been made available as a Ransomware-as-a-Service offering, but what is certain is that this malware has now become a global threat.

Anyone bringing a USB stick to the office is now a possible ransomware infection vector.

Simply navigating through the folders on your system or desktop by double-clicking will execute the worm. Using this strategy, it not only spreads to USB thumb drives, it also encrypts newly created files on the system. Anyone who gets infected at home and brings their USB sticks to the office is now an infection vector.

The GData team noted that Spora deletes shadow volume copies and disables Windows error recovery and startup repair, but does not bypass User Account Control (UAC) yet, meaning at this point the user will be asked whether the malware is allowed to make changes. Wait for that to be fixed in a coming release.

Post Author : Stu Sjouwerman, Co-founder, KnowBe4

This post was initially posted here & has been reproduced with permission.

Ransomware is a type of malware that encrypts the data on your system with a cryptographic algorithm and holds that encrypted data hostage for ransom, demanding that the user pay for the decryption key. There are two broad types. The first, crypto-ransomware, encrypts the data on the system and renders it practically impossible to recover without the key. The second, locker ransomware, simply locks the screen or system and demands payment to unlock it, but does not encrypt the data itself.

One of the best-known ransomware families is Cryptolocker. It uses the RSA cryptosystem to protect the key that encrypts the data; the private key needed for decryption is held only on the malware's command and control server. It typically propagates as a Trojan and relies mainly on social engineering to spread.

The operation of ransomware (unlike its purpose) is quite interesting. For proper understanding, we can divide it into the following steps:

1. Entering the victim's system and installing itself covertly. It stores its keys and persistence entries in the system registry.

2. After installation, it contacts its command and control server, which tells the ransomware what to do. It starts the communication with a "handshake" with the server and then exchanges keys: the server generates a key pair and returns the public key.

3. It then begins work with the key provided by the server and starts encrypting the data on the machine, using a list of common file extensions to identify which files to encrypt.

4. This is where it gets scary. After encrypting the data, a message appears on your screen informing you that the data on your computer has been locked, and threatening that if you do not pay within a specific time period you may never see your data again.

( Read More:  2016-The year of Ransomware - Let's change 2017...)

How it propagates:

Ransomware mostly uses social engineering tricks to propagate. It uses email attachments with malicious files, and covert or maliciously forged documents with embedded scripts. In addition, it uses malicious URLs that point to vulnerable and compromised sites. Browsing and downloading software from unknown publishers is also a likely cause of infection. Ransomware also spreads through media such as USB sticks, portable hard drives and the like.

Ransomware installation:

Its installation is a covert operation. It exploits the Windows default behavior of hiding file extensions, disguising the real .exe extension. Once it reaches its target by any of the propagation methods mentioned above and a user opens the malicious file, it becomes memory-resident on the computer. Then it usually saves itself in the AppData, User Temp and Local AppData folders. Later, it adds a Windows registry key that activates the malware every time Windows restarts. For more details on the differences, click here.

Primary Method of Operation

The main method is encryption of data on the target computer. It generates a random symmetric encryption key for each file. It targets files with common extensions like .jpg, .doc, .docx, .xls, .png, .ppt, .pptx, .jpeg, etc., and other files whose extensions are listed in the malware code. It uses the AES algorithm to encrypt the data files. After encrypting a file, it encrypts that file's random key with the RSA public key and appends the result to the encrypted file. Now only the owner of the matching private key can recover the random key that was used to encrypt the data.

The malware communicates with its command and control server to obtain the public key. It uses a domain generation algorithm (DGA), driven by a pseudo-random number generator such as the Mersenne Twister, to generate candidate domain names and locate its command and control server. After encrypting the data, it displays a message to the user stating the time limit, the ransom that has to be paid for the key, and that failure to pay will result in the key being deleted.


A compromised system can show symptoms such as a high rate of peer-to-peer (P2P) communication, increased network communication (traffic to the command and control server) and high usage of system resources.


( Read More : Ransomware Attacks: How Prepared Are You? )

Mitigation and Prevention:

So far, there is no way to break the CryptoLocker encryption and recover the key to decrypt the data. Purchasing a key seems to be the only way to get data back - unless you have a backup. However, past incidents have shown that paying did not ensure the return of data. For example, some people paid but did not receive the key; in other cases, the given key did not work. Ultimately, the best way to keep your data safe is to be proactive. So let's discuss some proactive steps to take to prevent these types of attacks from happening to you.

1. The first and foremost thing that comes into play when we talk about security is User Awareness. Training of the employees, users and stakeholders is the most important thing. Understand that we are in a war against malware. Additionally, users cannot win this fight unless they are aware of the threats. SOC/Security management teams can organize seminars, awareness campaigns, etc., to guide their employees. Periodic briefing is important. Also, explaining the cases with examples to both technical and lay employees can make it easier for them to understand and remember the scenarios they are likely to encounter in everyday life. Here are just a few ways you can keep your staff educated about these types of attacks:

  • Avoid surfing untrusted sites (e.g. porn, gambling, freeware downloads and so on). It is recommended to use the Chrome or Firefox browsers, which are less vulnerable to attacks. Be especially cautious when using older versions of Internet Explorer. If you as a company can't afford expensive solutions, you might consider allowing your users to use extensions like Web of Trust as an obscurity measure.
  • Do not open an email or attachment that originates from an unknown source (an EXE file inside a zip archive is an obvious example). Recent events have taught us that a Word document with macros can be dangerous (Locky).
  • When transferring files from mobile storage units / D.O.K., don't forget to scan the device. Consider disabling AutoRun. Doing so will help improve your endpoint security.

2. Along with user awareness, implement security policies inside the domain via GPO and email transport rules to block such emails and stop .exe files from executing silently. One major recommendation: use security Group Policies in your organization to safeguard against malware. Let us walk through the process of implementing this.

Software Restriction Policies, applied through Group Policy, control whether applications and programs are allowed to execute. What we can do is block executables in the specific user-space folders from which ransomware launches itself. In large organizations, we can do this via domain Group Policies. In a small business environment, or in homes or organizations with no domain, apply local security policies.

  • Open the Group Policy Management console on your primary DC to implement a Software Restriction Policy.

  • Create a new GPO. Name it “Software Restriction Policy”.

  • Next, edit the newly created GPO and add the user-space folders in which you don’t want software to auto-execute. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules. Right-click on 'Additional Rules' and click ‘Add new Path rule’. Here you will create a new rule and enforce the software restriction.

  • You will be adding file paths here. Add a path, select the security level ‘Disallowed’ and add a description.

The paths to be included in the policy are for Windows 7 and above.

  • %AppData%\*.exe
  • %AppData%\*\*.exe
  • %LocalAppData%\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe


  • Allow some time for the Group Policy to sync to all the systems, or go to every system, open cmd as Administrator and run ‘gpupdate /force’ to force the group policy update on that system.

There can be a disadvantage to applying the software restriction policy, i.e. all the other legitimate .exes will not run in those spaces. However, you can whitelist the legitimate software in Software Restriction policies.

For whitelisting apps in the Software Restriction policy, exceptions have to be set for those apps. You can manually instruct Windows to allow those apps while blocking all the others. To do that, just add the same rule for particular apps as previously explained and set the security level to Unrestricted instead of Disallowed. This will allow the GPO to whitelist the apps, and their execution to take place in the user space.
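To reason about what these path rules will and will not block before rolling them out, here is an added Python model (not code from the original post or from Windows) that evaluates a file path against the six Disallowed rules above plus one hypothetical Unrestricted exception of the kind used for whitelisting. It assumes constructed profile paths for a user named alice and models two documented SRP behaviours: a `*` wildcard does not cross a backslash (which is why both `%AppData%\*.exe` and `%AppData%\*\*.exe` are needed), and the most specific matching path rule wins, which is how an Unrestricted exception overrides a broader Disallowed rule.

```python
"""Simplified model of Windows Software Restriction Policy (SRP) path rules.

Added example, not code from the original post or from Windows. It evaluates a
file path against the Disallowed rules listed in the post plus one hypothetical
Unrestricted exception, so the effect of the policy can be reasoned about before
it is deployed through Group Policy.
"""
import fnmatch
from typing import NamedTuple, Optional, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed profile paths for a user named alice (assumption); on a real
# system these come from the environment of the user launching the program.
ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
}


class PathRule(NamedTuple):
    pattern: str      # as typed into the GPO: may contain %VAR% and * wildcards
    level: str        # DISALLOWED or UNRESTRICTED
    description: str


# The six Disallowed rules from the post, plus one Unrestricted exception of the
# kind the post describes for whitelisting a legitimate program (hypothetical name).
RULES = [
    PathRule(r"%AppData%\*.exe", DISALLOWED, "exe directly in roaming AppData"),
    PathRule(r"%AppData%\*\*.exe", DISALLOWED, "exe one folder below roaming AppData"),
    PathRule(r"%LocalAppData%\Temp\*.zip\*.exe", DISALLOWED, "exe run from inside a zip"),
    PathRule(r"%LocalAppData%\Temp\7z*\*.exe", DISALLOWED, "exe extracted by 7-Zip"),
    PathRule(r"%LocalAppData%\Temp\wz*\*.exe", DISALLOWED, "exe extracted by WinZip"),
    PathRule(r"%LocalAppData%\Temp\Rar*\*.exe", DISALLOWED, "exe extracted by WinRAR"),
    PathRule(r"%AppData%\ExampleVendor\updater.exe", UNRESTRICTED,
             "hypothetical whitelisted updater"),
]


def expand(pattern: str) -> str:
    """Expand the %VAR% environment references used in SRP path rules."""
    for name, value in ENV.items():
        pattern = pattern.replace(f"%{name}%", value)
    return pattern


def rule_matches(rule: PathRule, path: str) -> bool:
    """Case-insensitive match where '*' never crosses a backslash.

    This is why the post needs both %AppData%\\*.exe and %AppData%\\*\\*.exe:
    each rule covers exactly one directory depth.
    """
    pattern_parts = expand(rule.pattern).lower().split("\\")
    path_parts = path.lower().split("\\")
    if len(pattern_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(p, q) for p, q in zip(path_parts, pattern_parts))


def specificity(rule: PathRule) -> int:
    """More literal (non-wildcard) characters means a more specific rule.

    SRP applies the most specific matching path rule, which is what lets an
    Unrestricted exception for one program override a broader Disallowed rule.
    """
    return sum(1 for ch in expand(rule.pattern) if ch not in "*?")


def evaluate(path: str, rules=RULES,
             default_level: str = UNRESTRICTED) -> Tuple[str, Optional[str]]:
    """Return (security level, description of the deciding rule or None)."""
    matching = [r for r in rules if rule_matches(r, path)]
    if not matching:
        return default_level, None       # the SRP default level applies
    best = max(matching, key=specificity)
    return best.level, best.description


if __name__ == "__main__":
    # Constructed sample paths, including a double-extension lure and a file
    # nested two folders deep, which the listed rules do not reach.
    for sample in [
        r"C:\Users\alice\AppData\Roaming\invoice.pdf.exe",
        r"C:\Users\alice\AppData\Roaming\Installer\setup.exe",
        r"C:\Users\alice\AppData\Roaming\a\b\deep.exe",
        r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\setup.exe",
        r"C:\Users\alice\AppData\Roaming\ExampleVendor\updater.exe",
        r"C:\Program Files\Tool\tool.exe",
    ]:
        print(f"{sample:<60} -> {evaluate(sample)}")
```

The third sample path is the caveat worth noticing: an executable two folders below %AppData% matches none of the listed rules and falls through to the default level, so the rule set should be extended (or a whitelisting solution such as AppLocker used, as the post suggests later) if deeper nesting is a concern.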

If you have an on-site mail server such as Exchange, transport rules become very useful. Use an Exchange transport rule to block or disallow attachments with executable content, or at least mark the message as Possible Spam so the user is warned about the content of the email.

  • Open Exchange Management Console on your exchange server.
  • Go to Organization Configuration > Hub Transport.
  • Open Transport Rules.


  • Add a new rule by right clicking the main screen. Enter the name of the rule along with its description.


  • Select the condition for the rule from the next window. Select the “When any attachment file name matches text patterns” option.


  • Select as many extensions as you like. Here we add .exe, .html, .doc, .docx, .jpg, .jpeg, .zip, .rar, etc.
  • Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Then add “Possible Spam” as the text to be added in the subject line.


  • If there are any exceptions, add them on the next screen; otherwise, leave it as is. Complete the process by clicking Next and then Finish. The transport rule is now added and enabled, with priority set to 0.


Now, when the user receives emails with those specific extensions that we added in the rule, they will see Possible Spam as the subject of those emails.
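The transport rule above, as an added Python model that is not code from the original post or from Exchange: it parses a message the way a relay would, checks every attachment file name against the configured name patterns, and prepends "Possible Spam" to the subject when any name matches. The pattern list follows the extensions the post recommends blocking at the mail relay (.zip, .rar, .exe, .scr, .jar, .js, .bat, .cpl) plus macro-enabled Office documents; the messages and the example.com addresses are constructed for the demonstration.

```python
"""Model of the Exchange transport rule described above.

Added example, not code from the original post or from Exchange. It applies the
condition "attachment file name matches text patterns" and the action "prepend
message subject with string" to constructed sample messages.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Name patterns equivalent to the rule condition. The extension list follows
# the post's mail relay recommendation plus macro-enabled Office documents.
BLOCKED_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\.exe$", r"\.scr$", r"\.jar$", r"\.js$", r"\.bat$", r"\.cpl$",
              r"\.zip$", r"\.rar$", r"\.docm$", r"\.xlsm$")
]
SUBJECT_PREFIX = "Possible Spam"


def attachment_names(msg: EmailMessage):
    """File names of all attachment parts, as a relay would see them."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def matching_attachments(msg: EmailMessage):
    """Attachment names that trip one of the blocked patterns.

    Matching runs on the full file name, so a double-extension lure such as
    invoice.pdf.exe is caught even though Explorer may hide the final .exe.
    """
    return [n for n in attachment_names(msg)
            if any(pat.search(n) for pat in BLOCKED_NAME_PATTERNS)]


def apply_transport_rule(raw: bytes) -> EmailMessage:
    """Parse a raw message and apply the 'prepend subject' action if it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if matching_attachments(msg):
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_PREFIX}: {subject}"
    return msg


def build_message(subject: str, attachments) -> bytes:
    """Construct a sample message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "user@example.com"          # constructed address
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: a double-extension executable, an archive, and a
    # plain PDF that the rule should leave alone.
    samples = [
        build_message("Invoice 4711", [("invoice.pdf.exe", b"MZ\x90\x00")]),
        build_message("Photos", [("holiday.zip", b"PK\x03\x04")]),
        build_message("Quarterly report", [("report.pdf", b"%PDF-1.4")]),
    ]
    for raw in samples:
        out = apply_transport_rule(raw)
        print(f"{str(out['Subject']):<40} matched={matching_attachments(out)}")
```

Because the rule only inspects the file name, it gives no protection against a renamed attachment; the sandbox and web-filtering controls the post lists later are the complementary measures for that gap.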

3. User permissions: Review NTFS permissions carefully every time you are dealing with permissions, for instance on folders shared from a server. If the shared folder gives ‘Everyone’ write permission and a user's system gets infected, then you are in trouble. Apply the principle of least privilege, granting as few permissions as possible to limit the possible damage. Also, consider not letting users be local administrators on the endpoints.

4. Minimize the amount of mapped shared folders on endpoints (ransomware can encrypt every accessible file, even if it is located in a shared folder).

5. At this juncture, many antivirus programs are able to detect and remove the malware, but decryption of the data is not possible unless you have the key. Keep your antivirus updated so it can detect and remove the malware before it acts.

( Read More: Top 11 Ransomware Prevention Resources )

6. Keep your systems up-to-date and patched up with the latest security patches that the manufacturer releases.

7.  Enable the “System Restore” option, in order to be able to restore the system to the previous state, before the ransomware infection occurred.

8. Consider applying a software whitelisting solution (e.g. Windows AppLocker / commercial solution). Applying a good software whitelisting solution can help prevent executing malicious software components like ransomware.

9. Consider applying a third-party anomaly-based detection solution in order to locate malicious activity and files.

10. Update your operating system and 3rd party software on a regular basis (for example, Internet Explorer 8 which is vulnerable to browser attacks, and also Adobe and Java software components, which are known for multiple new vulnerabilities every year).

11. Do not allow peer-to-peer (P2P) communication in your network. Ransomware and many other malware and bots communicate with their command and control center via P2P communication. Blocking it will help keep your network safe.

12. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.

13. Consider preventing the execution of macros in Office documents (e.g. Microsoft Word / Excel). This can be done via Group Policy.

14. Consider restricting insertion of mobile devices, USB devices, CDs and even floppy disks to the endpoint (can be done by 3rd party solutions and also by applying group policy restrictions).

USB ports can be blocked on the system from any unauthorized access. Malware, once exposed to a system via USB, can spread through a LAN and affect all other systems.

USB storage access can be disabled on the system with a registry tweak:

  1. Go to Run and write ‘Regedit’
  2. Navigate to the key: ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR’
  3. Select ‘Start’ from the right pane, and change its ‘Value data’ to 3. This will disable the USB storage.


15. Avoid using unknown anti-virus programs on your system, even if they claim to remove malware from your network or system. Ransomware encryption cannot be broken easily and data cannot be decrypted without a key. So, if any unknown anti-virus program claims that it can break the encryption quickly, be wary. It is very likely another type of malware.

16. BACKUP ALL your data regularly. I have seen clients affected by ransomware and the only thing that saved them was a successful backup. Performing a backup of all your critical data to an external drive, NAS or SAN that is isolated from your system is very useful. If you are a large organization, develop a BCP (Business Continuity Plan) and BDR (Backup and Disaster Recovery). The BCP covers all aspects of ransomware attacks and mitigation techniques, along with the details of the backups you can take for your organization. There are many backup solutions available in the market that can assist you in backing up your data to external storage or a remote location, i.e. cloud storage.

Aside from third-party solutions, Windows also provides backup utilities within Windows and Windows Server. Continuous backups of important files can be stored on external drives and NAS. In addition, System Restore points can be saved frequently. Windows also uses Volume Shadow Copy, which can be used to save previous versions of important and critical data. To revert to a previous version, right-click the file and go to Properties. If System Restore or Shadow Copies is enabled, the Previous Versions tab will appear in Properties. This lists all the previous versions of the file. Choose the version you want to restore and click to save it to the existing location. You can also choose another location to save it to.


17. Apply adequate network segmentation via firewalls, in the event of a malware's lateral movement (spreading to other endpoints and servers in the corporate network with credentials of a compromised user).

18. Implement an IPS (intrusion prevention system) between the corporate network segments, if you have not yet done so. Consider applying IPS to outgoing communication as well. Update the IPS signature database on a regular basis.

19. Web filtering – consider applying a web filtering solution that will prevent access to untrusted websites and downloaded files (e.g. .exe, .zip, .rar, .jar, .scr, etc.). If possible, use “surfing virtualization” solutions like VDI, Citrix Smart Browsing, Jetro Secure Browsing etc. This will help to minimize the possible effect on internal endpoints, because internet surfing doesn’t really happen on the internal endpoint.

20. Mail Relay solution will help filter the incoming emails. Apply rules that will prevent incoming emails with attachments like .zip, .rar, .exe, .scr, .jar, .js, .bat, .cpl, etc. Allow what's required for the ongoing work and consider restricting incoming attachments with PDF’s and MS Office macros if possible.

21. Consider applying a “Sandbox” solution that will check every incoming file that originates from the email infrastructure or is downloaded from the internet.

22.  Disabling Autoplay through Group Policy or the registry. For more details click here.  

23.  Disabling Windows Script Host - Consider enabling per necessary user groups. For more details click here.  

( Read More: Checklist To Assess The Effectiveness Of Your Vulnerability Management Program )

Actions to be taken in case of a ransomware infection:

1. Isolate the station from the corporate network to prevent the ransomware encryption process from spreading (e.g. unplug the network cable or isolate the station via corporate NAC; you can also consider having a separate VLAN dedicated to such scenarios, which can help your IR team).

2. After isolating the station from the network:

  • Do a damage assessment to understand what was encrypted and check if there is any valid backup that you can restore your data from.
  • Paying the ransom is not always a good idea as the money is the “fuel” that runs these criminals and you don’t have any guarantee that your files will actually be decrypted even after paying (so basically you will have paid for nothing).
  • Not recommended - if you have nothing to lose and losing your files is much more expensive than paying the $400, you can do it and cross your fingers that it works.
  • It is recommended to fully format the infected station in order to eliminate any residues of malware.

3. Investigate – the investigation phase is basically the aftermath analysis that will help you apply countermeasures to minimize the likelihood of your organization getting infected again (all the suggestions written above).

Post Author : Tal Eliyahu, Lead Risk Manager, BugSec

This post was initially posted here & has been reproduced with permission.


Read more…

The mobility explosion is the big bang that keeps expanding. It has moved through stages such as laptops, BlackBerrys, touch-based devices, tablets and more. The boundaries between working “in the office,” “on the road,” or “at home” have been blurred by the untethered power of smartphones, tablets, and other portable devices. Employees expect the flexibility to work on the devices they choose, and employers have come to expect always-on availability. That business requirement often conflicts with the goals of those in charge of securing corporate networks and data. In some organizations, this has led to the draconian answer “no.” But today those responses are few and far between. The norm today is, “It depends.” One also can’t forget the microcosm of different departments within an organization, which yet again causes great debate on how much access is needed, balanced against how to protect sensitive data.


To help maximize mobility, a nuanced strategy is the order of the day. For mobility’s transformative potential to be realized, IT needs to become a business partner that understands business drivers and then devises the technology roadmap to support everyone’s goals.

Why Read The Report?

  • Learn how to manage the devices (MDM)
  • Assess mobility's ROI
  • Understand the evolution of Enterprise Mobility Management (the Big Bang)

>> Download the Complete Report

Read more…

Sneak Peek: Top Blogs, Talks & Reports From 2016

Last Year was a great year for us at CISO Platform Community & we saw some great milestones hit.

Some of them are:

  • 150+ Blogs
  • 10+ Playbooks Created
  • 25+ RFPs Created
  • 10+ Events Organized
  • 470+ Security Professionals As Attendees In Events
  • 6+ Industry Expert Task Force
  • 40+ Partnerships

Below, we have listed the Top Blogs, Talks, Reports of 2016 for those who may have missed.



Top Blogs In 2016:

Top Reports In 2016:

Top Talks/Discussions From CISO Platform Conferences In 2016:

We are glad to have your support (4000+ Security Professionals and 60k Subscribers). Membership is free and exclusive to IT Security Professionals Only.....Click Here To Become Member

Read more…

Our editorial team has handpicked some great talks from Black Hat Conference - one of the largest IT Security Conference in the world. 

Black Hat - built by and for the global InfoSec community - returns to Las Vegas for its 19th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (July 30 - August 2) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (August 3-4).

(Source: Black Hat Conference USA 2016)


image courtesy: https://www.flickr.com/photos/jasonahowie/7910370882

1) 1000 Ways to Die in Mobile OAuth

Speaker: Eric Chen, Yutong, Yuan Tian, Shuo Chen, Robert Kotcher, Patrick Tague

In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications.

>>Go To Presentation


2) Behind the Scenes with iOS Security

Speaker: Ivan Krstić

We will discuss the cryptographic design and implementation of our novel secure synchronization fabric, which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss. Data Protection is the cryptographic system protecting user data on all iOS devices.

>>Go To Presentation


3) Bad for Enterprise: Attacking BYOD enterprise mobility security solutions

Speaker: Vincent Tan ( @vincent_tky )

Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in some cases can even expose an organization to unexpected risks. I will show attacks against EMS-protected apps on jailbroken and non-jailbroken devices, putting to rest the rebuttal that CxOs and solution vendors often give penetration testers: "We do not support jailbroken devices."

Whether you are a CxO, administrator or user, you can't afford not to understand the risks associated with BYOD.

>>Go To Presentation


4) Samsung Pay: Tokenized Numbers, Flaws and Issues

Speaker: Salvador Mendoza ( @Netxing )

Samsung announced many layers of security for its Pay app. Without storing or sharing any type of user credit card information, Samsung Pay is trying to become one of the most secure approaches, offering functionality and simplicity for its customers. This app is a complex mechanism which has some limitations relating to security.

>>Go To Presentation


5) The Art of Defence: How Vulnerabilities Help Shape Security Features and Mitigations in Android

Speaker: Nick Kralevich

In this talk, we will cover the threats facing Android users, using both specific examples from previous Black Hat conferences and published research, as well as previously unpublished threats. For the threats, we will go into the specific technical controls which contain the vulnerability, as well as newly added Android N security features which defend against future unknown vulnerabilities. Finally, we'll discuss where we could go from here to make Android, and the entire computer industry, safer.

>>Go To Presentation


Your Complete Guide To Top Talks @Black Hat Conference 2016 (USA)

Get your FREE Guide on Top Talks @ Black Hat Conference 2016 (USA) . Our editorial team has gone through all the talks and handpicked the best of the best talks at the Conference into a single guide. Get your Free copy today.

>>Click Here To Get Your FREE Guide

Read more…

Our editorial team has handpicked some great talks from Black Hat Conference - one of the largest IT Security Conference in the world. 



1) HTTP Cookie Hijacking in the Wild: Security and Privacy Implications

Speaker: Suphannee Sivakorn, Jason Polakis

In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS; service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies.

>>Go To Presentation


2) Timing Attacks Have Never Been So Practical: Advanced Cross-Site Search Attacks

Speaker: Nethanel Gelernter

This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible.

>>Go To Presentation


3) Abusing Bleeding Edge Web Standards for AppSec Glory

Speaker: Bryant Zadegan ( @eganist ), Ryan Lester ( @TheRyanLester )

In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios.

>>Go To Presentation


4) The Year in Flash

Speaker: Natalie Silvanovich ( @natashenka )

This talk describes notable vulnerabilities and exploits that have been discovered in Flash in the past year. It will start with an overview of the attack surface of Flash, and then discuss how the most common types of vulnerabilities work. It will then go through the year with regards to bugs, exploits and mitigations. It will end with a discussion of the future of Flash attacks: likely areas for new bugs, and the impact of existing mitigations.

>>Go To Presentation


Read more…

Timing Attacks Have Never Been So Practical: Advanced Cross-Site Search Attacks

Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with the browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting maliciously crafted records into the storage. SO XS-search attacks can be used to extract sensitive information such as the email content of Gmail and Yahoo! users, and the search history of Bing users.

Speakers

Nethanel Gelernter

Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular in exploring new attack vectors and threats in the web. Currently, he is leading the cyber security research and studies in the College of Management Academic Studies in Israel. Beyond the academic world, Nethanel provides consulting services, and he recently founded Cyberpion, a company that investigates unknown attack vectors and develops countermeasures against them.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


Read more…

Demystifying the Secure Enclave Processor

The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with no direct access from the main processor. In fact, the secure enclave processor runs its own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Although almost three years have passed since its introduction, little is known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors.

Speakers

Tarjei Mandt ( @kernelpool )

Tarjei Mandt is a senior security researcher at Azimuth Security. He holds a Master's degree in Information Security from GUC (Norway) and has spoken at security conferences such as Black Hat USA, CanSecWest, INFILTRATE, RECon, SyScan, and Hack in the Box. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Previously, he has discovered several Windows kernel vulnerabilities, and spoken on topics such as kernel pool exploitation and user-mode callback attacks. More recently, he has focused on Apple technology and presented on various security flaws and weaknesses in Mac OS X and iOS.

Mathew Solnik ( @msolnik )

Mathew Solnik is a senior security researcher whose primary focus is the mobile, M2M, and embedded space, specializing in cellular network, hardware/baseband, and OS security research and exploit development. Prior to doing full-time research, Mathew was a Senior Member of Technical Staff at Appthority, Inc., where he helped design and build an automated mobile threat and malware analysis platform for use in the enterprise and defense space. Before Appthority, Mathew held positions in multiple areas of IT and security, including consulting for Accuvant and iSEC Partners, where he performed the first Over-the-Air Car Hack (as featured in a previous Black Hat talk), as well as R&D for IronKey, where he handled in-house penetration testing and design review for multiple DARPA-funded projects.

David Wang ( @planetbeing )

David Wang (@planetbeing) is a senior security researcher with Azimuth Security specializing in iOS exploitation. Before joining the Azimuth team, he was a member of the evad3rs iOS jailbreak team. With the evad3rs, David was nominated for a Pwnie for Best Privilege Escalation in 2013 and 2014, winning in 2013. David was also recognized by Forbes' 30 Under 30 in the technology category in 2014 for his work in iOS exploitation. Other notable contributions: David ported Android to iPhone in 2010; he was a member of the iPhone Dev Team where he wrote significant parts of several jailbreaks and baseband exploits; and he has spoken at Hack in the Box, Chaos Communications Conference, and XCon Xfocus.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


Breaking hardware enforced security with hypervisors

Hardware-enforced security is touted as the panacea for many modern computer security challenges. While such mechanisms certainly add robust options to the defender's toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Technology (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, including technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping on or controlling execution. They claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based, will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation, whether as a hardware weakness where attestation keys can be compromised, or as a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. The summation will offer defenses against all-too-common pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening.

Speakers

Joseph Sharkey

Joseph Sharkey is the Chief Technology Officer for Siege Technologies where he leads all corporate technical strategy while still finding time to get his hands dirty conducting R&D and writing code. Before entering the security domain in 2007, his work focused on micro-processor design, where he has more than two dozen publications and conference presentations (see https://scholar.google.com/citations?user=x5jerpcAAAAJ&hl=en). Dr. Sharkey's research interests include trusted computing, hypervisors, low-level system software, and advanced processor architecture features and how they interact with the overall security of the system.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX

Kernel hardening has been an important topic, as many applications and security mechanisms often consider the kernel their Trusted Computing Base (TCB). Among various hardening techniques, kernel address space layout randomization (KASLR) is the most effective and widely adopted technique that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory disclosure vulnerability exists and high randomness is ensured. In this talk, we present a novel timing side-channel attack against KASLR, called DrK (De-randomizing Kernel address space), which can accurately, silently, and rapidly de-randomize the kernel memory layout by identifying page properties: unmapped, executable, or non-executable pages. DrK is based on a new hardware feature, Intel Transactional Synchronization Extension (TSX), which allows us to execute a transaction without interrupting the underlying operating system even when the transaction is aborted due to errors, such as access violation and page faults. In DrK, we turned this property into a timing channel that can accurately distinguish the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged address space. In addition to its surprising accuracy and precision, the DrK attack is not only universally applicable to all OSes, even under a virtualized environment, but also has no visible footprint, making it nearly impossible to be detected in practice. We demonstrate that DrK breaks the KASLR of all major OSes, including Windows, Linux, and OS X with near-perfect accuracy in a few seconds. Finally, we propose potential hardware modifications that can prevent or mitigate the DrK attack.

Speakers

Yeongjin Jang

Yeongjin Jang is a PhD student at the Georgia Institute of Technology. His research interests are focused on operating system and mobile security. In addition to his academic research, he participates in various capture-the-flag (CTF) competitions, and won the black badge at DEF CON 23 (as a member of team DEFKOR). Before joining Georgia Tech, he received his BS degree in Computer Science from KAIST in 2010.

Sangho Lee

Sangho Lee is a Postdoctoral Fellow at Georgia Tech. He has interests in all aspects of computer security including system, web, and mobile security.

Taesoo Kim

Taesoo Kim is an Assistant Professor in the School of Computer Science, College of Computing, Georgia Institute of Technology. He is interested in building a system whose underlying principles justify why it should be secure. Those principles include the design of the system, analysis of its implementation, and clear separation of trusted components. He holds the B.S. from KAIST (2009), the S.M. (2011), and the PhD (2014) degrees from Massachusetts Institute of Technology, all in computer science.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


Recover an RSA Private Key from a TLS Session with Perfect Forward Secrecy

They always taught us that the only thing that can be pulled out of an SSL/TLS session using strong authentication and the latest Perfect Forward Secrecy ciphersuites is the public key of the certificate exchanged during the handshake - an insufficient condition for placing a MiTM attack without generating alarms on the validity of the TLS connection and the certificate itself. However, this is not always true. In certain circumstances it is possible to derive the server's private key regardless of the size of the modulus used. Even RSA keys of 4096 bits can be factored at the cost of a few CPU cycles and computational resources. All that is needed is the generation of a faulty digital signature by the server, an event that can be observed under certain conditions such as CPU overheating, RAM errors or other hardware faults. Because of these premises, devices like firewalls, switches, routers and other embedded appliances are more exposed than traditional IT servers or clients. During the talk, the author will explain the theory behind the attack, how common the factors that make it possible are, and his custom practical implementation of the technique. At the end, a proof-of-concept, able to work both in passive mode (i.e. only by sniffing the network traffic) and in active mode (namely, by participating directly in the establishment of TLS handshakes), will be released.
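The defensive counterpart of the faulty-signature scenario described above, as an added example that is not part of the talk or the author's proof-of-concept: an RSA-CRT signer that verifies every signature against its own public key before releasing it, so that a fault in one CRT half is withheld instead of being sent on the wire. The primes, exponent, message value and the simulated fault are constructed toy values; real keys use 2048-bit or larger moduli, but the check is the same.

```python
# Toy RSA-CRT key built from small, hardcoded primes (constructed for the
# example; production keys are far larger, the release check is unchanged).
P, Q = 104729, 104723
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
QINV = pow(Q, -1, P)             # Garner recombination constant (q^-1 mod p)


def crt_sign(m: int, fault_in_q: bool = False) -> int:
    """RSA-CRT signature of m (m is already hashed and padded in a real system).
    fault_in_q simulates a hardware glitch that corrupts the mod-q half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q:
        sq ^= 1                  # a single flipped bit in one half poisons the result
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key check: s is a valid signature of m only if s^e == m (mod N)."""
    return pow(s, E, N) == m % N


def sign_with_check(m: int, fault_in_q: bool = False):
    """Sign, then verify before release. Returns None instead of a faulty
    signature; a caller would treat that as a hardware-health alert."""
    s = crt_sign(m, fault_in_q)
    if not verify(m, s):
        return None
    return s


if __name__ == "__main__":
    msg = 424242                 # constructed message representative
    print("good signature released:", sign_with_check(msg) is not None)
    print("faulty signature withheld:", sign_with_check(msg, fault_in_q=True) is None)
```

The extra verification costs one public-exponent exponentiation, which is cheap next to the CRT signing itself; a signer that skips it and emits the corrupted value hands the observer exactly the event the talk relies on.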

Speakers

Marco Ortisi

Marco Ortisi works as a Senior Penetration Tester at ENCS (European Network for Cyber Security), where he is fully involved in increasing the security of European critical infrastructures such as energy grids, and in reducing the gap with classical IT systems. A netizen since 1996, he has literally grown up on "bread and vulnerability research," a fascinating field leading him to continuously study new attack techniques and at the same time to develop alternative defense methods. Prior to this role at ENCS, Marco worked as an Independent Penetration Tester and Security Consultant in different sectors (telco, governmental, utility, banking, pharmaceutical, financial, etc.), helping to improve the IT security posture of several big companies and organizations operating in EMEA (Europe and the Middle East).

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


TCP injection attacks in the wild: A large scale case study

In this work we present a massively large-scale survey of Internet traffic that studies the practice of false content injection on the web. We examined more than 1.5 Peta-bits of data from over 1.5 million distinct IP addresses. Earlier this year we showed that false content injection is practiced by network operators for commercial purposes. These network operators inject advertisements and malware into webpages viewed by potentially ALL users on the Internet.
In this presentation we recap the injections we discovered earlier this year and show them in detail. Additionally, we shall show new types of non-commercial injections, identify the injectors behind them and discuss their modi operandi. Finally, we shall discuss in detail the analysis of a targeted injection attack against an American website.
The attacks we discovered are done using out-of-band TCP injection of false packets (rather than in-band alteration of the original packets). This is what actually allowed us to detect the injection events in the first place. We also present a novel client-side tool to mitigate such attacks that has minimal performance impact.
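The detection signal described in the last paragraph, two segments of one flow that carry the same sequence number but different content, can be implemented directly. The following is an added example, not the tool presented in the talk: a small detector that records every data-carrying segment per flow and sequence number, ignores ordinary retransmissions (where one payload is a prefix of the other), and raises an alert when a second, differing payload races the first. The trace, addresses, TTL values and HTTP bodies are constructed for the example and are not from the study.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """Minimal view of one captured TCP segment (constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL as seen at the monitoring point
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def _same_data(a: bytes, b: bytes) -> bool:
    """A benign retransmission or repacketization repeats the same bytes,
    so one payload is a prefix of the other."""
    shorter, longer = sorted((a, b), key=len)
    return longer.startswith(shorter)


@dataclass
class InjectionDetector:
    """Flags two data-carrying segments of one flow that claim the same
    sequence number but disagree on content: the fingerprint of an
    out-of-band forgery racing the genuine response."""
    _seen: Dict[Tuple[FlowKey, int], List[Segment]] = field(default_factory=dict)
    alerts: List[dict] = field(default_factory=list)

    def observe(self, seg: Segment) -> Optional[dict]:
        if not seg.payload:                      # pure ACKs have nothing to race
            return None
        key = ((seg.src, seg.sport, seg.dst, seg.dport), seg.seq)
        variants = self._seen.setdefault(key, [])
        for earlier in variants:
            if _same_data(earlier.payload, seg.payload):
                return None                      # retransmission of known data
        alert = None
        if variants:                             # a different payload at the same seq
            alert = {
                "flow": key[0],
                "seq": seg.seq,
                "first_ttl": variants[0].ttl,
                "second_ttl": seg.ttl,
                "first_preview": variants[0].payload[:32],
                "second_preview": seg.payload[:32],
            }
            self.alerts.append(alert)
        variants.append(seg)
        return alert


def detect_injections(segments: List[Segment]) -> List[dict]:
    det = InjectionDetector()
    for s in segments:
        det.observe(s)
    return det.alerts


def sample_capture() -> List[Segment]:
    """Constructed trace: a client request, a forged redirect that wins the
    race, the genuine 200 response, and a later retransmission of it."""
    c, s = "10.0.0.5", "203.0.113.10"
    genuine = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
    return [
        Segment(c, 40000, s, 80, 1, 64, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        Segment(s, 80, c, 40000, 1, 57, b"HTTP/1.1 302 Found\r\nLocation: http://ads.example.net/\r\n\r\n"),
        Segment(s, 80, c, 40000, 1, 49, genuine),
        Segment(s, 80, c, 40000, 1, 49, genuine),
    ]


if __name__ == "__main__":
    for a in detect_injections(sample_capture()):
        print(a)
```

Both TTLs are kept in the alert because a forged segment usually originates from a different network distance than the real server, which helps an analyst decide afterwards which of the two contenders was genuine; the detector itself only needs the content mismatch.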

Speakers

Gabi Nakibly

Gabi Nakibly is a network security research leader at the National Cyber and Electronics Research Center at Rafael Advanced Defense Systems (an aerospace and defense company). Gabi has a track record of more than a decade of high-end security research. He holds a PhD in computer science (Technion) and is an adjunct lecturer and researcher at the Technion. Gabi was a visiting scholar at Stanford University and is an active speaker at top security conferences: Black Hat USA, Black Hat Europe, RSA Conference.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


Attacking SDN infrastructure: Are we ready for Next Gen networking?

Software-Defined Networking (SDN), by decoupling the control logic from the closed and proprietary implementations of traditional network devices, allows researchers and practitioners to design new, innovative network functions/protocols in a much easier, more flexible, and more powerful way. This technology has gained significant attention from both industry and academia, and it is now at its adoption stage. When considering the adoption of SDN, a security vulnerability assessment is an important process that must be conducted against any system before deployment, and arguably the starting point toward making it more secure.
In this briefing, we explore the attack surface of SDN by actually attacking each layer of the SDN stack. The SDN stack is generally composed of the control plane, the control channel and the data plane. Control plane implementations, commonly known as SDN controllers or Network OSes, are commonly developed and distributed as open-source projects. Of the various Network OS implementations, we attack the most prevalent ones, OpenDaylight (ODL) [1] and Open Network Operating System (ONOS) [2]. These Network OS projects are both actively led by major telecommunication and networking companies, and some of the companies have already deployed them to their private clouds or networks [3, 4]. For the control channel, we also attack a well-known SDN protocol [5], OpenFlow. In the case of the data plane, we test some OpenFlow-enabled switch products from major vendors, such as HP and Pica8.
Of the attacks that we disclose in this briefing, we demonstrate some of the most critical ones that directly affect network (service) availability or confidentiality. For example, one of the attacks arbitrarily uninstalls crucial SDN applications running on an ODL (or ONOS) cluster, such as routing, forwarding, or even security service applications. Another attack directly manipulates the logical network topology maintained by an ODL (or ONOS) cluster to cause network failures. In addition, we also introduce some of the SDN security projects. We briefly go over the design and implementation of Project Delta, an official open-source SDN penetration testing tool pushed forward by the Open Networking Foundation Security group, and Security-Mode ONOS, a security extension that protects the core of ONOS from the possible threats of untrusted third-party applications.

Speakers

Changhoon Yoon

Changhoon Yoon is a PhD student at KAIST (School of Computing) in South Korea. He is working with Dr. Seungwon Shin at the Network and System Security Laboratory, and his research interests primarily lie in the area of network security, including Software-Defined Networking (SDN) and Network Function Virtualization (NFV) security. He is currently leading the Security-Mode ONOS project, a collaborative project with researchers from ON.LAB and SRI International to design and implement a security extension for ONOS, and he also participates in other SDN security projects, such as an SDN WAN security project. In addition, he has presented "Security-Mode ONOS" at ONS 2016, and he has published several research papers on SDN security in a major journal and at a workshop.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


HEIST: HTTP encrypted information can be stolen through TCP windows

Over the last few years, a worrying number of attacks against SSL/TLS and other secure channels have been discovered. Fortunately, at least from a defender's perspective, these attacks require an adversary capable of observing or manipulating network traffic. This has prevented wide and easy exploitation of these vulnerabilities. In contrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic. HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. Most importantly, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites. Finally, we explore the reach and feasibility of exploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is used. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In short, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.

Speakers

Mathy Vanhoef

Mathy Vanhoef is a PhD researcher at KU Leuven, where he performs research on stream ciphers, and discovered a new attack on RC4 that made it possible to exploit RC4 as used in TLS in practice (the RC4 NOMORE attack). He also focuses on wireless security, where he turns commodity Wi-Fi cards into state-of-the-art jammers, defeats MAC address randomization, and breaks protocols like WPA-TKIP. He also did research on information flow security to assure cookies don't fall into the hands of malicious individuals. Apart from research, he knows a thing or two about low-level security, reverse engineering, and binary exploitation. He regularly participates in CTFs with KU Leuven's HacknamStyle CTF team.

Tom Van Goethem

Tom Van Goethem is a PhD researcher at the University of Leuven with a keen interest in web security and online privacy. In his research, Tom performs large-scale security experiments, both to analyse the presence of good and bad security practices on the web and to demystify security claims. More recently, Tom started exploring side-channel attacks in the context of the web, resulting in the discovery of browser-based timing attacks. In an attempt to make the web a safer place, Tom on occasion rummages the web in search of vulnerabilities.

Detailed Presentation:

(Source: Black Hat USA 2016, Las Vegas)


A Cloud Access Security Broker (CASB) is a solution to secure SaaS apps end-to-end, from cloud to device. Today, most CASBs focus only on software as a service (SaaS), although they can enforce best practices and security policies across all cloud services, including infrastructure (IaaS) and platforms (PaaS).

CASBs are generally designed for the following use cases from a security perspective:

  • Visibility: Who is doing what and where are the workloads that are off premise (Office 365, Box, Salesforce etc.)
  • Data loss prevention (DLP): What kinds of data are users accessing and from what device?
  • Risk analysis and mitigation: From what locations/devices is company data being accessed?


Evolving security features are:

  • Compliance: CASBs impose controls on cloud usage to enforce compliance with industry regulations (for example, HIPAA). They also can detect when cloud service usage is at risk of falling out of compliance.
  • Threat protection: This includes threat intelligence, anomaly detection and malware protection, as well as preventing unauthorized devices and users from accessing corporate cloud services.

Some Pointers To Keep In Mind If You Need A CASB:

  • CASB architectures vary from one vendor to the next, with both agent-based and agentless designs.
  • Most have a primary proxy mechanism upon which their architecture is built - either a forward proxy or a reverse proxy - supported by API integration into the applications for scanning data at rest.
  • Proxies enable real-time, inline control. Proxy mode is fine, but it introduces a single point of failure and can add application latency.
  • APIs, while not real-time, provide control over backend functions like external sharing. Admins can also give the CASB permission to use their cloud administration credentials so that the CASB can see and control cloud policy, monitor various levels of administrator and end-user access, and define policy. The only downside to API mode is the skill set and learning curve required to make the API connection and maintain it over time as new APIs are released. Such skills can be difficult to find and keep on staff.
  • Most enterprises will require a hybrid CASB that provides both proxy-based and API-based protection for comprehensive cloud data protection.
  • CASB tools are available from a variety of vendors, including Adallom (recently purchased by Microsoft), Elastica, Firelayers, Imperva Skyfence, Netskope and Skyhigh, to name a few.

Selection Considerations


When it comes to choosing the right CASB for your organization, there are a number of considerations, including:

  • Range of coverage - Salesforce, Office 365, AWS, Box, etc.
  • Ease of use
  • Market Leader
  • Cost: The majority of CASB providers use subscription models based around these methods of licensing:

    • Number of users
    • Number of cloud applications protected
    • Features specifically used 
  • Integration: Proxy, DLP, SIEM or any security tools

Article Contributor:  Venkatasubramanian Ramakrishnan, Head Information Risk Management, Cognizant


6 Criteria For Evaluating Sandbox Solutions

A sandbox is a security mechanism for analyzing the behaviour of suspicious files and web objects by allowing them to execute in an isolated environment with constrained resources. It allows one to execute untested, untrusted or outsourced code without causing any damage to the host machine or the production environment. Usually the program is run in a virtual environment or emulation software that provides the feel and functionality of the actual environment.

There are two ways to deploy a sandbox solution in your network:

  • On-premise: The sandbox appliance is present on-premise. Network security solutions such as firewalls, IDSes, IPSes, SWGs and SEGs feed suspicious files into the sandbox, which assigns a threat score based on its analysis. On-premise deployment is generally preferred by those who have data security concerns and do not want their data to reside in a third-party cloud. This deployment, however, adds the cost of the appliance and sensors (if needed), increasing the TCO.

  • Cloud-based: The sandbox resides in the cloud. This deployment is very cost-effective as it removes the cost of owning and managing an appliance, and the licensing options are more flexible, which further reduces the TCO. Since all on-premise network security devices have to upload files to and retrieve results from the cloud sandbox, this adds to an organization's network bandwidth requirements.

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Sandboxing technology is used to detect advanced malware and is one of the most sought-after security tools today. In this post we look at some of the criteria that help evaluate sandboxing technology.

1. The ability to analyze wide-ranging file types and web objects:

A sandbox solution should be able to analyze all kinds of file types, such as executables, PDFs, MS Office files, graphic files and archives, as well as web objects such as JavaScript, HTML pages and URLs.

2. The ability to automatically upload files to sandbox platforms:

Earlier, using a sandbox environment to analyze malware was a tedious and complex task for malware analysts, as they had to manually upload files to the sandbox environment for analysis. This has changed, with current sandbox solutions able to automatically upload files and analyze them for suspicious behaviour.

3. The ability to support multiple OS environments and application stacks:

Certain malware is designed to detonate only under specific environment conditions, such as a particular type or version of operating system or application. It is very important for any sandbox solution to detect such malware through support for a variety of OS environments and application stacks.

4. The ability to analyze malware that uses VM-evasion techniques:

Malware authors are getting smarter by the day. Current-day malware is often VM-aware, meaning it checks whether it is executing inside a sandbox. Such malware can stay idle for a long time and evade detection by traditional sandbox environments.

5. The ability to integrate with existing security controls:

Sandbox solutions must be able to integrate with existing security controls such as firewalls, IPSes, IDSes, SWGs, SEGs, endpoint protection platforms and forensics tools. These controls can feed suspicious files and web objects into the sandbox solution, which reduces the overall TCO and increases the efficacy of the sandbox.

6. The ability to preserve malware samples for contextual analysis and forensics:

Preserving malware samples for forensics and contextual analysis is useful in understanding the tactics, techniques and procedures of the attacker. This helps us create signatures, gain deeper insight into the attack and build an incident response plan for similar attacks in the future.

( Read More: Checklist On Skillset Required For An Incident Management Person )


Ransomware Attacks: How Prepared Are You?

Ransomware is a type of malicious software (malware) that, once it infects a system, encrypts all the important files such as documents, pictures, movie files etc. with a virtually unbreakable encryption key. Ransomware arrives via email attachments, insecure downloads, use of outdated browsers, or through Trojans such as Zeus. Once executed, the malware usually reaches out to its Command & Control server over an internet connection to get the encryption key. The encryption is almost always asymmetric and impossible to crack. The malware is also able to encrypt locally mapped network drives and cloud storage drives. The main motive of the attacker is to extort money from the victim in return for the private key for decryption. The attacker usually leaves a message in the encrypted folders instructing users to pay the ransom in Bitcoins or via MoneyPak. In most cases even paying the ransom does not work well for the victim, as the private key fails to decrypt some of the important documents, especially those on mapped drives and locally mapped cloud storage drives. Ransomware has also been developed specifically for mobile platforms and has affected thousands of mobile devices worldwide.

Some of the well-known ransomware families are CryptoLocker, CryptoWall, TeslaCrypt, TorrentLocker and CTB-Locker. Attackers frequently release new variants of ransomware by tweaking and subtly changing lines of code in the most popular ones to avoid detection. According to various research works, India ranks 3rd in Asia and 9th worldwide among the countries affected by malware attacks, the most affected sectors being banking and pharmaceuticals. A research team at Malwarebytes has identified LeChiffre, whose name means "encryption" in French, which caused millions of dollars of damage after infecting several banks and pharmaceutical companies. According to The Economic Times, some companies have paid ransoms in the millions of dollars after such attacks.

( Read More: 5 Major Types Of Hardware Attacks You Need To Know )

Here are some of the tips that you can put to use to prevent yourself from getting into such situations:

1. Back up your important data at regular intervals

This is the most logical preventive measure that your organization can adopt to thwart such attacks. Make sure that your backup solution is up and running as it should be. Keep in mind that the backup should be kept on a separate external drive. If you are using an automated backup solution, make sure that your backup drives are connected only during the backup process and are disconnected from the network once the process is complete.

2. Develop a robust vulnerability management and patch management program

Vulnerable applications and software are among the attack vectors used by attackers. Keep your operating systems, browsers, browser plug-ins, Java and other software up to date with the latest patches installed. The best way to accomplish this is by developing a robust vulnerability management and patch management program; using automated vulnerability detection tools and patch management solutions, and making sure that all patches are installed in a timely manner, gives you better protection against such attacks.

3. Fine tune your systems and security solutions to a more secure configuration

Fine-tuning your security solutions and systems can give you a great deal of protection against ransomware attacks:

  • Tweak your anti-spam solution to filter out mails with executable attachments.
  • Tweak your IPS and firewall to block any malicious traffic.
  • Disable remote access services on systems if they are not required.
  • Deactivate auto-play for devices.
  • Disable unused network adapters (Wi-Fi, Bluetooth etc.).
  • Do not map network drives and cloud storage folders to your local system unless necessary.
  • Configure systems to show hidden file extensions.
  • Block unauthorized USB access.
  • Uninstall applications that you don't use.
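Two of the measures above, filtering mail with executable attachments and making file extensions visible, can be enforced mechanically at the mail gateway. The following is an added example, not code from the original post: it parses a MIME message and flags attachments that carry an executable extension, a double extension that hides the real type (the trick that hidden file extensions help), or a Windows PE header behind a document-like name. The extension list, addresses, filenames and byte contents are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions a gateway policy treats as directly executable (constructed list;
# tune it to the organisation's own policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".jar", ".ps1"}


def risky_attachments(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Return (filename, reasons) for every attachment that should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        lowered = name.lower()
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
            if lowered.count(".") >= 2:
                # "Invoice.pdf.exe" is shown as "Invoice.pdf" when extensions are hidden
                reasons.append("double extension hides the real type")
        elif data[:2] == b"MZ":
            # Windows PE header (MZ) behind a harmless-looking name
            reasons.append("PE (MZ) header despite non-executable name")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style mail with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the documents attached.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60      # constructed PE-like header bytes
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="Invoice_2016.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="quote.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in risky_attachments(build_sample_message()):
        print(name, "->", "; ".join(reasons))
```

Checking the leading bytes as well as the name matters because the name is entirely under the sender's control; the third attachment would pass a filter that looks at extensions alone.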

( Read More: 5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution )

4. Use a good Endpoint security solution to detect any malicious code

Good, up-to-date anti-malware software can help you identify malicious code and possible malware attacks. Keep your security software current with the latest version and malware database. It is also a good idea to run Windows Firewall or another host firewall on your system to detect any unauthorized attempt by malicious code to connect to the internet.

5. Educate your employees & colleagues

Educate your employees about safe Internet browsing practices, such as not clicking suspicious links, not running any suspicious program on their system and not installing unverified browser plug-ins. Employees should also be educated about social engineering attacks and about verifying mail attachments before downloading or opening them.


References:

https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/
