The new Spora ransomware strain has now been dissected by more malware researchers and the team from G Data discovered that Spora uses an "innovative" way to spread itself via USB sticks. This strain is highly sophisticated and could become the "New Locky". 

Spora has well-implemented encryption procedures that do not need a Command & Control server, a user-friendly payment site, choice of different “packages” that victims can opt for including immunity from future attacks, and Ransomware-as-a-Service capability.

( Read More: Ransomware - Practical View, Mitigation & Prevention Tips )

Infection vector is email attachment with HTA file 

Spora uses an HTA file with obfuscated VBScript code, and arrives in an email attachment with a ZIP file. Once the user falls for the social engineering tactic and double-clicks the ZIP, the HTA file writes a JScript file called close.js to disk and executes it.

The JScript file in turn is a dropper for a Word document and an .exe file that are both written to disk and opened by close.js, with the result the document will be opened by Word or WordPad, but an error message is shown because the file is corrupt. Meanwhile back at the ranch, the .exe that was run has a seemingly random name hardcoded by the dropper but contained the actual payload.

Spora Exhibits Worm-like Behavior Using .LNK files

Ransomware that behaves like a worm has been spotted before with the ZCryptor strain, which uses the old autorun.inf, but Spora goes further than that, borrowing new technology from other malware which uses Windows shortcuts (.LNK files) instead. Spora adds the hidden .LNK attribute to files and folders on the desktop, in the root of USB drives and the system drive.

These hidden files and folders are, with the standard folder options, not visible anymore. Spora then replaces Windows shortcuts with the same name and icon as the hidden files and folders. Those .LNK files open the original file to avoid raising any suspicion but at the same time execute the malware and the worm copies itself as hidden file alongside the .LNK files.

Spora ransomware goes global

Data gathered by the ID-Ransomware service shows what was expected; Spora has started to spread to new territories outside former Soviet states. It was first spotted in the wild during the first week of the year, and its first version featured a ransom note only in Russian, meaning its distributors were only targeting territories with Russian-speaking users. 

Last week, things changed, when Spora was identified in multiple ransomware distrubtion campaigns. ID-Ransomware started registering uploads of Spora-encrypted files from users outside the former Soviet territory. Countries like Saudi Arabia, Austria, or the Netherlands, became hotspots of Spora infections. Treat this like a heads-up, America will follow shortly.

( Read More: Bad USB Defense Strategies )

Spora now spreads via exploit kits and spam waves

A new development is that security researchers Brad Duncan and Malware Breakdown have now spotted RIG-v exploit kits spreading Spora, and it's only the start of things. 

MalwareHunterTeam is keeping an eye on a malware distribution server that had been used to host multiple ransomware strains in the past few days, such as Cerber, Locky and Spora. This server had been used combined with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments that contained code that downloaded the Spora binary from the distribution server.

Spora includes support for a "campaign ID," a parameter used to track both the effectiveness of different spam runs, but also different groups renting Spora from its creators. The jury is out if Spora has been made available as a Ransomware-as-a-Service offering, but what is sure is that this malware has now become a global threat.

Anyone bringing a USB stick to the office is now a possible ransomware infection vector.

Simply navigating through the folders on your system or desktop using double-click will execute the worm. Using this strategy, it will not only spread to USB thumb drives, it will also encrypt newly created files on the system. Anyone getting infected at the house with Spora and bringing their USB sticks to the office is now an infection vector.

The GData team noted that Spora deletes shadow volume copies and disables Windows error recovery and startup repair, but does not bypass User Account Control (UAC) yet, meaning at this point the user will be asked whether the malware is allowed to make changes. Wait for that to be fixed in a coming release.

Post Author : Stu Sjouwerman, Co-founder, KnowBe4

This post was initially posted here & has been reproduced with permission.

Ransomware is a type of malware that encrypts everything on your system with a cryptographic algorithm and holds that encrypted data hostage for ransom. It demands the user to pay for the decryption key. There are two types of ransomware. The first type encrypts all data on the system and renders it nearly impossible to decrypt without the key. The second type simply locks the system and demands to enter the key for data decryption but does not encrypt data itself.

One of the very well-known ransomware systems is Cryptolocker. It uses the RSA cryptosystem to encrypt data. The command and control server of malware stores the private key for the decryption of data. It typically propagates as a Trojan virus and relies mainly on social engineering for propagation.

The operation of ransomware (unlike its purpose) is quite interesting. For proper understanding, we can divide it into the following steps: 

1.   Entering the system of the victim and installing it as a covert/silent    installation. It places its keys in the system registry.

2.   After installation, it contacts its command and control center. The server   tells the ransomware what to do. It starts the communication by performing a "handshake" with the server and then exchanges keys.

 3.   Next it actually begins to work with the key provided by the server. It then starts encrypting the data on the machine. It uses common file extensions to identify the files and encrypt them.

4.   This is where it gets scary. After encrypting the data, a message appears on your screen informing you that it has locked data on your computer and threatens that if you do not pay within a specific time period, you may never see your data again.

( Read More:  2016-The year of Ransomware - Let's change 2017...)

How it propagates:

Ransomware mostly uses social engineering tricks to propagate. It uses email attachments with malicious files and covert or maliciously forged documents with embedded scripts. In addition, it uses malicious URLs that point to vulnerable and compromised sites. Internet surfing and downloading software with unknown publishers is also likely the cause of infection. Ransomware also spreads through mediums like USB, portable hard drives and the like.

Ransomware installation:

Its installation is a covert operation. It uses Windows default behavior to hide extensions from the file name, disguising the real .exe extension. Once it reaches its target by using any of the above mentioned propagation methods and a user opens the malicious file, it becomes a memory resident on the computer. Then it usually saves itself in AppData, User Temp and Local AppData folders. Later, it adds a Windows registry key, which activates the malware every time Windows restarts. For more details to understand the differences click here.

Primary Method of Operation

The main method is encryption of data on the target computer. It generates a random symmetric encryption key for each file. It targets files with general extensions like .jpg, .doc, .docx, .xls, .png, .ppt, .pptx, .jpeg, etc. and other files whose extensions are in the malware code. It uses an AES algorithm to encrypt data files. After encrypting data, it encrypts a random key with an asymmetric private key using an RSA algorithm and adds this to encrypted file. Now only the owner of the private key can have access to the random key it generated to encrypt the data.

Malware communicates with its command and control center to obtain the public key. It uses a domain generation algorithm (DGA) with common names such as “Mersenne Twister” to generate random domain names and find its command and control center. After encrypting data, it displays a message with the time limit to the user about the ransom that has to be paid for the key and that the failure to do so will delete the key.

The compromised system can have such symptoms as a high rate of Peer to Peer (P2P) communication, increased network communication (Communication with Command & Control center server) and high usage of system resources.

( Read More : Ransomware Attacks: How Prepared Are You? )

Mitigation and Prevention:

So far, there is no way to break the CryptoLocker encryption and provide you the key to decrypting data. Purchasing a key seems to be the only way to get data back - unless you have a backup. However, past incidents have shown that paying did not ensure the return of data. For example, some people paid but did not receive the key; in other cases, the given key did not work. Ultimately, the best way to keep your data safe is to be proactive. So lets discuss some proactive steps to take to prevent these types of attacks from happening to you.

1. The first and foremost thing that comes into play when we talk about security is User Awareness. Training of the employees, users and stakeholders is the most important thing. Understand that we are in a war against malware. Additionally, users cannot win this fight unless they are aware of the threats. SOC/Security management teams can organize seminars, awareness campaigns, etc., to guide their employees. Periodic briefing is important. Also, explaining the cases with examples to both technical and lay employees can make it easier for them to understand and remember the scenarios they are likely to encounter in everyday life. Here are just a few ways you can keep your staff educated about these types of attacks:

•  Avoid surfing untrusted sites (e.g. porn, gambling, freeware downloads and so on.). It is recommended to use Chrome or Firefox browsers, which are less vulnerable to attacks.  Be especially cautious when using older versions of Internet Explorer. If you as a company can't afford expensive solutions, you might consider allowing your users the use of extensions like Web of Trust as an obscurity measure.
• Do not open an email or attachment that originates from an unknown source  (EXE file inside a zip archive is an obvious example). Recent events taught us that a Word document with macros can be dangerous (Locky).
• When transferring files from mobile storage units / D.O.K.,  don't forget to scan the device. Consider disabling auto run. Doing so will help improve your endpoint security.

2. Along with user awareness, implementation of security policies inside the    domain via GPO and email transport rules to block such potential types of emails and .exes to execute silently. One major recommendation: Use Security Group policies in your organization to safeguard against malware. Let us walk through the process of implementing this.

Certain applications and programs apply software restriction policies for their execution. This utilizes Group policy. What we can do is block the executable in the specific user space areas where the ransomware launches itself. In large organizations, we can do this via Domain Group policies. In a small business environment, or within homes or organizations with no domains, apply local security policies.

• Open a Group Policy management console on your primary DC to implement a Software restriction policy.

• Create a New GPO. Name it “Software Restriction Policy”.

• Next, edit the newly made GPO and add user space folders in which you don’t want the software to auto execute. Go to Computer Configuration> Policies > Windows Settings > Security Settings Software Restriction Policies > Additional Rules. Right click on 'Additional Rules' and click ‘Add new Path rule’. Here you will create a new rule and enforce software restriction.

• You will be adding file paths here. Add a path, select security level ‘Disallowed’ and add a description.

The paths to be included in the policy are for Windows 7 and above.

• %AppData%\*.exe
• %AppData%\*\*.exe
• %LocalAppData%\Temp\*.zip\*.exe
• %LocalAppData%\Temp\7z*\*.exe
• %LocalAppData%\Temp\wz*\*.exe
• %LocalAppData%\Temp\Rar*\*.exe

• Allow some time to let the GP sync to all the systems or you can go to every system and open cmd as Administrator, and write ‘gpupdate /force’ to force update the group policy to the system.

There can be a disadvantage to applying the software restriction policy, i.e. all the other legitimate .exes will not run in those spaces. However, you can whitelist the legitimate software in Software Restriction policies.

For whitelisting apps in the Software Restriction policy, exceptions have to be set for those apps. You can manually instruct Windows to allow those apps while blocking all the others. To do that, just add the same rule for particular apps as previously explained and set the security level to Unrestricted instead of Disallowed. This will allow the GPO to whitelist the apps, and their execution to take place in the user space.

If you have an onsite email server or exchange, Transport rules become very useful. Use the exchange transport rule to block or disallow attachments with executable content or at least mark it as Possible Spam so the User is warned by the content of the email.

• Open Exchange Management Console on your exchange server.
• Go to Organization Configuration > Hub Transport.
• Open Transport Rules.

• Add a new rule by right clicking the main screen. Enter the name of the rule along with its description.

• Select the condition for the rule from the next window. Select the “When any attachment file name matches text patterns” option.

• Select as many extensions as you like. Here we add .exe, .html, .doc, .docx, .jpg, .jpeg, .zip, .rar, etc.
• Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Then add “Possible Spam” as the text to be added in the subject line.

• If there are any exceptions, add them on the next screen; otherwise, leave it as is. Complete the process by clicking Next and then Finish. The transport rule is now added and enabled, with priority set to 0.

Now, when the user receives emails with those specific extensions that we added in the rule, they will see Possible Spam as the subject of those emails.

3. User permissions:  Review the NTFS permissions carefully every time you are dealing with permissions. For instance, Share folders from server etc. If the share folder has ‘Everyone’ write permissions and the user system gets infected then you are in trouble. Apply “Least Privilege” principle where you will give few permissions as possible to lessen the possibility of damage. Also, consider to disable users being local administrators on the endpoints by.

4. Minimize the amount of mapped shared folders on endpoints (ransomware can encrypt every accessible file, even if it is located in a shared folder).

 5. At this juncture, many antivirus software programs are able to detect and remove the virus but decryption of the data is not possible unless you have the key. Keep your antivirus updated so it can detect and remove the malware before it acts.

( Read More: Top 11 Ransomware Prevention Resources )

6. Keep your systems up-to-date and patched up with the latest security patches that the manufacturer releases.

7.  Enable the “System Restore” option, in order to be able to restore the system to the previous state, before the ransomware infection occurred.

8. Consider applying a software whitelisting solution (e.g. Windows AppLocker / commercial solution). Applying a good software whitelisting solution can help prevent executing malicious software components like ransomware.

9. Consider applying a 3rd party anomaly based detection solutions in order to locate malicious activity and files.

10. Update your operating system and 3rd party software on a regular basis (for example, Internet Explorer 8 which is vulnerable to browser attacks, and also Adobe and Java software components, which are known for multiple new vulnerabilities every year).

11. Do not allow Peer to Peer (P2P) communication in your network. Ransomware and many of the other malware and bots communicate with their command and control center via P2P communication. Disallowing this will help you keep it safe.

12. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.

13. Consider preventing executing files with macros (e.g. Microsoft Word / Excel). This can be done via Group policy.

14. Consider restricting insertion of mobile devices, USB devices, CDs and even floppy disks to the endpoint (can be done by 3rd party solutions and also by applying group policy restrictions).

USB ports can be blocked on the system from any unauthorized access. Malware, once exposed to a system via USB, can spread through a LAN and affect all other systems.

USB storage access can be disabled on the system with a registry tweak:

1. Go to Run and write ‘Regedit’
2. Navigate to the key: ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR’
3. Select ‘Start’ from the right pane, and change its ‘Value data’ to 3. This will disable the USB storage.

15. Avoid using unknown anti-virus programs on your system, even if they claim to remove malware from your network or system. Ransomware encryption cannot be broken easily and data cannot be decrypted without a key. So, if any unknown anti-virus program claims that it can break encryption quickly, be wary. It is very likely an other type of malicious virus.

16. BACKUP ALL your data regularly. I have seen clients affected by ransomware and the only thing that saved them was a successful backup. Performing a backup of all your critical data to an external drive or NAS or SAN that is isolated from your system is very useful. If you are a large organization, develop a BCP (Business Continuity Plan) and BDR (Backup and Disaster Recovery). BCP contains all the aspects of ransomware attacks and migration techniques along with the details of the backup you can take for your organization. There are many backup solutions available in the market that can assist you in backing up your data to an external storage or remote location, i.e. cloud storage.

Aside from 3rd party solutions, Windows also provides backup utilities within Windows OS and Windows Server OS. Continuous backup of important files can be stored on external drives and NAS. In addition, System Restore points can be saved frequently. Windows also uses Volume Shadow Copy, which can be used to save previous versions of important and critical data. To revert to the previous version, just right click the file and go to Properties. If System Restore or Shadow Copies is enabled, the Previous Version tab will appear in Properties. This will list all the previous versions of the files. Choose the version  you want to restore and click to save it to an existing location. You can also choose another location to save.

17. Apply adequate network segmentation via firewalls, in the event of a malware's lateral movement (spreading to other endpoints and servers in the corporate network with credentials of a compromised user).

18. Implementation of IPS (intrusion prevention system) between the corporate network segments, if you have not yet done so.  Consider applying IPS for outgoing communication. Update the IPS signatures database on a regular basis.

19. Web filtering – consider applying a web filtering solution that will prevent access to untrusted websites and downloaded files (e.g. .exe, .zip, .rar, .jar, .scr, etc.. If possible, use “surfing virtualization” solutions like VDI, Citrix Smart Browsing, Jetro Secure Browsing etc. This will help to minimize the possible effect on internal endpoints, because internet surfing doesn’t really happen on the internal endpoint.

20. Mail Relay solution will help filter the incoming emails. Apply rules that will prevent incoming emails with attachments like .zip, .rar, .exe, .scr, .jar, .js, .bat, .cpl, etc. Allow what's required for the ongoing work and consider restricting incoming attachments with PDF’s and MS Office macros if possible.

21. Consider applying a “Sandbox” solution that will check every incoming file that originates from the email infrastructure or is downloaded from the internet.

22.  Disabling Autoplay through Group Policy or the registry. For more details click here.  

23.  Disabling Windows Script Host - Consider enabling per necessary user groups. For more details click here.  

( Read More: Checklist To Assess The Effectiveness Of Your Vulnerability Management Program )

Actions to be taken in case of a ransomware infection:

1. Isolate the station from the corporate network to prevent the spreading of the ransomware encryption process (e.g. pull the network cable out of the plug or isolate the station via Corporate NAC, you also can consider having separate VLAN that will be dedicated to such scenarios which can help your IR team).

2. After isolating the station from the network:

• Do a damage assessment to understand what was encrypted and check if there is any valid backup that you can restore your data from.
• Paying the ransom is not always a good idea as the money is the “fuel” that runs these criminals and you don’t have any guarantee that your files will actually be decrypted even after paying (so basically you will have paid for nothing).

• Not recommended - if you don't have "nothing to lose” and losing your files is much more expensive than paying the $400, you can do it and cross your fingers that it works.
• It is recommended to fully format the infected station in order to eliminate any residues of malware.

3. Investigate  – the investigation phase is basically the aftermath analysis that will help apply countermeasures to minimize the likelihood of your corporate getting infected again (all the suggestions written above).

Post Author : Tal Eliyahu, Lead Risk Manager, BugSec

This post was initially posted here & has been reproduced with permission.

The mobility explosion is the big bang that keeps expanding. It moved from stages like laptop, blackberry, touch based devices, tablets & more. The boundaries between working “in the office,” “on the road,” or “at home” have been blurred by the untethered power of smartphones, tablets, and other portable devices. Employees expect the flexibility to work on the devices they choose, and employers have come to expect always-on availability. That business requirement often conflicts with those in charge of securing corporate networks and data. In some organizations, this has led to the draconian answer “no.” But today those responses are few and far between. The norm today is, “It depends.” One also can’t forget the microcosm of different departments within an organization, which yet again causes great debate on how much access is needed, balanced against how to protect sensitive data.

To help maximize mobility, a nuanced strategy is the order of the day. For mobility’s transformative potential to be realized, IT needs to become a business partner that understands business drivers and then devises the technology roadmap to support everyone’s goals.

Why Read The Report ?

• Learn how to manage the devices (MDM)
• Assessing Mobility's ROI
• Understanding the evolution of the Enterprise Mobility Management (Big Bang)

>> Download the Complete Report

Last Year was a great year for us at CISO Platform Community & we saw some great milestones hit.

Some of them are:

• 150+ Blogs

• 10+ Playbooks Created

• 25+ RFPs Created

• 10+ Events Organized

• 470+ Security Professionals As Attendees In Events

• 6+ Industry Expert Task Force

• 40+ Partnerships

Below, we have listed the Top Blogs, Talks, Reports of 2016 for those who may have missed.

Top Blogs In 2016:

• CISO Platform Top IT Security Influencers (Part 1)

• Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA)

• Top 10 Open Source or Free IT- Security Tools

• Top 6 Reasons Why Data Loss Prevention(DLP) Implementation Fails

• 4 Areas where Artificial Intelligence Fails in Automated Penetration Testing

• Top Emerging APT Security Vendors Globally

• 16 Application Security Trends That You Can't Ignore In 2016

Top Reports In 2016:

• Guide To Building Enterprise Security Architecture Governance Program

• Crisis Management Plan For Banking Industry

• Top Talks @ Black Hat Conference USA 2016: Your Complete Guide

• Top N Threats & Controls Mapping For Insurance Industry

• Top Talks @ RSA Conference- 2016

Top Talks/Discussions From CISO Platform Conferences In 2016:

• Wargame Strategy Simulation:Creating A Successful Evaluation & Implementation Checklist For An IT GRC Solution

• Application Threat Modeling (SACON Presentation)

• RBI Cyber Security Framework – Key Takeaways

• Using Behavioral Psychology and Science of Habit to Change User Behavior (Annual Summit Presentation)

We are glad to have your support (4000+ Security Professionals and 60k Subscribers). Membership is free and exclusive to IT Security Professionals Only.....Click Here To Become Member

Our editorial team has handpicked some great talks from Black Hat Conference - one of the largest IT Security Conference in the world. 

Black Hat - built by and for the global InfoSec community - returns to Las Vegas for its 19th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (July 30 - August 2) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (August 3-4).

(Source: Black Hat Conference USA 2016)

image courtesy: https://www.flickr.com/photos/jasonahowie/7910370882

1) 1000 ways to die in mobile oauth

Speaker: Eric Chen, Yutong, Yuan Tian, Shuo Chen, Robert Kotcher, Patrick Tague

In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications

>>Go To Presentation

2) Behind the scenes with IOS security

Speaker: Ivan Krstić

We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.Data Protection is the cryptographic system protecting user data on all iOS devices.

>>Go To Presentation

3) Bad for Enterprise: Attacking BYOD enterprise mobility security solutions

Speaker: Vincent Tan ( @vincent_tky )

Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in some cases can even expose an organization to unexpected risks. I will show attacks against EMS protected apps on jailbroken and non-jailbroken devices, putting to rest the rebuttal that CxOs and solution vendors often give penetration testers, ""We do not support jailbroken devices.""

Whether you are a CxO, administrator or user, you can't afford not to understand the risks associated with BYOD.

>>Go To Presentation

4) Samsung pay: tokenized numbers flaws and issues

Speaker: Salvador Mendoza ( @Netxing )

Samsung announced many layers of security to its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the most secure approaches offering functionality and simplicity for its customers. This app is a complex mechanism which has some limitations relating security.

>>Go To Presentation

5) The Art of defence: How vulnerabilities help shape security features and mitigations in android

Speaker: Nick Kralevich

In this talk, we will cover the threats facing Android users, using both specific examples from previous Black Hat conferences and published research, as well as previously unpublished threats. For the threats, we will go into the specific technical controls which contain the vulnerability, as well as newly added Android N security features which defend against future unknown vulnerabilities. Finally, we'll discuss where we could go from here to make Android, and the entire computer industry, safer.

>>Go To Presentation

Your Complete Guide To Top Talks @Black Hat Conference 2016 (USA)

Get your FREE Guide on Top Talks @ Black Hat Conference 2016 (USA) . Our editorial team has gone through all the talks and handpicked the best of the best talks at the Conference into a single guide. Get your Free copy today.

>>Click Here To Get Your FREE Guide

Our editorial team has handpicked some great talks from Black Hat Conference - one of the largest IT Security Conference in the world. 

Black Hat - built by and for the global InfoSec community - returns to Las Vegas for its 19th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (July 30 - August 2) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (August 3-4).

(Source: Black Hat Conference USA 2016)

1)HTTP cookie hijacking in the wild: security and privacy implications

Speaker: Suphannee Sivakorn, Jason Polakis

In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS; service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies.

>>Go To Presentation

2) Timing attacks have never been so practical: Advance cross site search attacks

Speaker: Nethanel Gelernter

This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible.

>>Go To Presentation

3) Abusing bleeding edge web standards for appsec glory

Speaker: Bryant Zadegan ( @eganist ), Ryan Lester ( @TheRyanLester )

In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios.

>>Go To Presentation

4) The year in Flash

Speaker: Natalie Silvanovich ( @natashenka )

This talk describes notable vulnerabilities and exploits that have been discovered in Flash in the past year. It will start with an overview of the attack surface of Flash, and then discuss how the most common types of vulnerabilities work. It will then go through the year with regards to bugs, exploits and mitigations. It will end with a discussion of the future of Flash attacks: likely areas for new bugs, and the impact of existing mitigations.

>>Go To Presentation

Your Complete Guide To Top Talks @Black Hat Conference 2016 (USA)

Get your FREE Guide on Top Talks @ Black Hat Conference 2016 (USA) . Our editorial team has gone through all the talks and handpicked the best of the best talks at the Conference into a single guide. Get your Free copy today.

>>Click Here To Get Your FREE Guide

Timing attacks have never been so practical: Advance cross site search attacks

Cross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive information from web-services. The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not. This work focuses on the response inflation technique that increases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to distinguish between them. We begin with browser-based XS-search attack and demonstrate its use in extracting users' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also involves algorithmic improvements compared to previous work. When there is no leakage of information via the timing side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the attacker to significantly increase the difference in the sizes of the responses by planting maliciously crafted record into the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail and Yahoo! users, and search history of Bing users.

Speakers

Nethanel Gelernter

Nethanel Gelernter received a PhD in Computer Science from Bar-Ilan University (Israel). His research mainly focuses on web application security, and in particular in exploring new attack vectors and threats in the web. Currently, he is leading the cyber security research and studies in the College of Management Academic Studies in Israel. Beyond the academic world, Nethanel provides consulting services, and he recently founded Cyberpion, a company that investigates unknown attack vectors and develops countermeasures against them.

Detailed Presentation:

Demystifying Secure enclave processor

The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with with no direct access from the main processor. In fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Despite almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors.

Speakers

Tarjei Mandt ( @kernelpool )

Tarjei Mandt is a senior security researcher at Azimuth Security. He holds a Master's degree in Information Security from GUC (Norway) and has spoken at security conferences such as Black Hat USA, CanSecWest, INFILTRATE, RECon, SyScan, and Hack in the Box. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Previously, he has discovered several Windows kernel vulnerabilities, and spoken on topics such as kernel pool exploitation and user-mode callback attacks. More recently, he has focused on Apple technology and presented on various security flaws and weaknesses in Mac OS X and iOS.

Mathew Solnik ( @msolnik )

Mathew Solnik is senior security researcher who's primary focus is in the mobile, M2M, and embedded space specializing in cellular network, hardware/baseband, and OS security research/exploit development. Prior to doing full time research, Mathew was a Senior Member of Technical Staff at Appthority, Inc. where he helped design and build an automated mobile threat and malware analysis platform for use in the enterprise and defense space. Previous to Appthority, Mathew has held positions in multiple areas of IT and security - including consulting for Accuvant, and iSEC Partners where he performed the first Over-the-Air Car Hack (as was featured in a previous Black Hat talk) as well as R&D for Ironkey where he handled in-house penetration testing and design review for multiple DARPA funded projects.

David Wang ( @planetbeing )

David Wang (@planetbeing) is a senior security researcher with Azimuth Security specializing in iOS exploitation. Before joining the Azimuth team, he was a member of the evad3rs iOS jailbreak team. With the evad3rs, David was nominated for a Pwnie for Best Privilege Escalation in 2013 and 2014, winning in 2013. David was also recognized by Forbes' 30 Under 30 in the technology category in 2014 for his work in iOS exploitation. Other notable contributions: David ported Android to iPhone in 2010; he was a member of the iPhone Dev Team where he wrote significant parts of several jailbreaks and baseband exploits; and he has spoken at Hack in the Box, Chaos Communications Conference, and XCon Xfocus.

Detailed Presentation:

Breaking hardware enforced security with hypervisors

Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution. 
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening.

Speakers

Joseph Sharkey

Joseph Sharkey is the Chief Technology Officer for Siege Technologies where he leads all corporate technical strategy while still finding time to get his hands dirty conducting R&D and writing code. Before entering the security domain in 2007, his work focused on micro-processor design, where he has more than two dozen publications and conference presentations (see https://scholar.google.com/citations?user=x5jerpcAAAAJ&hl=en). Dr. Sharkey's research interests include trusted computing, hypervisors, low-level system software, and advanced processor architecture features and how they interact with the overall security of the system.

Detailed Presentation:

Breaking Kernal address space layout rendomization: KASLAR with Intel TSX

Kernel hardening has been an important topic, as many applications and security mechanisms often consider the kernel their Trusted Computing Base (TCB). Among various hardening techniques, kernel address space layout randomization (KASLR) is the most effective and widely adopted technique that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory disclosure vulnerability exists and high randomness is ensured. In this talk, we present a novel timing side-channel attack against KASLR, called DrK (De-randomizing Kernel address space), which can accurately, silently, and rapidly de-randomize the kernel memory layout by identifying page properties: unmapped, executable, or non-executable pages. DrK is based on a new hardware feature, Intel Transactional Synchronization Extension (TSX), which allows us to execute a transaction without interrupting the underlying operating system even when the transaction is aborted due to errors, such as access violation and page faults. In DrK, we turned this property into a timing channel that can accurately distinguish the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged address space. In addition to its surprising accuracy and precision, the DrK attack is not only universally applicable to all OSes, even under a virtualized environment, but also has no visible footprint, making it nearly impossible to be detected in practice. We demonstrate that DrK breaks the KASLR of all major OSes, including Windows, Linux, and OS X with near-perfect accuracy in a few seconds. Finally, we propose potential hardware modifications that can prevent or mitigate the DrK attack.

Speakers

Yeongjin Jang

Yeongjin Jang is a PhD student at Georgia Institute of Technology. His research interests are focused on operating system and mobile security. In addition to the academic research works, he participates various capture-the-flags (CTF), and won the black badge in DEF CON 23 (as a member of team DEFKOR). Before joining to Georgia Tech, he received his BS degree in Computer Science from KAIST in 2010.

Sangho Lee

Sangho Lee is a Postdoctoral Fellow at Georgia Tech. He has interests in all aspects of computer security including system, web, and mobile security.

Taesoo Kim

Taesoo Kim is an Assistant Professor in the School of Computer Science, College of Computing, Georgia Institute of Technology. He is interested in building a system whose underlying principles justify why it should be secure. Those principles include the design of the system, analysis of its implementation, and clear separation of trusted components. He holds the B.S. from KAIST (2009), the S.M. (2011), and the PhD (2014) degrees from Massachusetts Institute of Technology, all in computer science.

Detailed Presentation:

Recover A RSA Private key from a TLS session with perfect forward secrecy

They always taught us that the only thing that can be pulled out from a SSL/TLS session using strong authentication and latest Perferct Forward Secrecy ciphersuites is the public key of the certificate exchanged during the handshake - an insufficient condition to place a MiTM attack without to generate alarms on the validity of the TLS connection and certificate itself. Anyway, this is not always true. In certain circumstances it is possible to derive the private key of server regardless of the size of the used modulus. Even RSA keys of 4096 bits can be factored at the cost of a few CPU cycles and computational resources. All that needed is the generation of a faulty digital signature from server, an event that can be observed when occurring certain conditions such as CPU overheating, RAM errors or other hardware faults. Because of these premises, devices like firewall, switch, router and other embedded appliances are more exposed than traditional IT servers or clients. During the talk, the author will explain the theory behind the attack, how common the factors are that make it possible and his custom pratical implementation of the technique. At the end, a proof-of-concept, able to work both in passive mode (i.e. only by sniffing the network traffic) and in active mode (namely, by participating directly in the establishment of TLS handshakes), will be released.

Speakers

Marco Ortisi

Marco Ortisi works as Senior Penetration Tester in ENCS (European Network for Cyber Security) where he is fully involved in increasing the security of European critical infrastractures such as energy grids, and reducing the gap with the classical IT systems. Netizen since 1996, he has literally grown up on ""bread and vulnerability's research,"" a fascinating field leading him to continuosly study new attack techniques and at the same time to develop alternative defense methods. Prior to this role at ENCS, Marco worked as Independent Penetration Tester and Security Consultant on different sectors (telco, governmental, utility, banking, pharmaceutical, financial, etc...) by helping to improve the IT security posture of several big companies and organizations operating in EMEA (Europe and Middle East).

Detailed Presentation:

TCP injection attacks in the wild: A large scale case study

In this work we present a massively large-scale survey of Internet traffic that studies the practice of false content injections on the web. We examined more than 1.5 Peta-bits of data from over 1.5 million distinct IP addresses. Earlier this year we have shown that false content injection is practiced by network operators for commercial purposes. These network operators inject advertisements and malware into webpages viewed by potentially ALL users on the Internet.
In this presentation we recap the injections we discovered earlier this year and show them in detail. Additionally, we shall show new types of non-commercial injections, identify the injectors behind them and discuss their modi operandi. Finally, we shall discuss in detail analysis of a targeted injection attack against an American website.
The attacks we discovered are done using out-of-band TCP injection of false packets (rather than in-band alteration of the original packets). This is what actually allowed us to detect the injection events in the first place. We also present a novel client-side tool to mitigate such attacks that has minimal performance impact.

Speakers

Gabi Nakibly

Gabi Nakibly is a network security research leader at the National Cyber and Electronics Research Center at Rafael Advanced Defense Systems (an aerospace and defense company). Gabi has a track record of more than a decade of high-end security research. He holds a PhD in computer science (Technion) and is an adjunct lecturer and researcher at the Technion. Gabi was a visiting scholar at Stanford University and is an active speaker at top security conferences: Black Hat USA, Black Hat Europe, RSA Conference.

Detailed Presentation:

Attacking SDN infrastructure: Are we ready for the Next Gen networking

Software-Defined Networking (SDN), by decoupling the control logic from the closed and proprietary implementations of traditional network devices, allows researchers and practitioners to design new innovative network functions/protocols in a much easier, more flexible, and powerful way. This technology has gained significant attentions from both industry and academia, and it is now at its adoption stage. When considering the adoption of SDN, the security vulnerability assessment is an important process that must be conducted against any system before the deployment and arguably the starting point toward making it more secure. 
In this briefing, we explore the attack surface of SDN by actually attacking each layer of SDN stack. The SDN stack is generally composed of control plane, control channel and data plane: The control plane implementations, which are commonly known as SDN controllers or Network OS, implementations are commonly developed and distributed as an open-source project. Of those various Network OS implementations, we attack the most prevalent ones, OpenDaylight (ODL) [1] and Open Network Operating System (ONOS) [2]. These Network OS projects are both actively led by major telecommunication and networking companies, and some of the companies have already deployed them to their private cloud or network [3, 4]. For the control channel, we also attack a well-known SDN protocol [5], OpenFlow. In the case of the data plane, we test some OpenFlow-enabled switch device products from major vendors, such as HP and Pica8.
Of the attacks that we disclose in this briefing, we demonstrate some of the most critical attacks that directly affect the network (service) availability or confidentiality. For example, one of the attack arbitrarily uninstalls crucial SDN applications running on an ODL(or ONOS) cluster, such as routing, forwarding, or even security service applications. Another attack directly manipulates logical network topology maintained by an ODL(or ONOS) cluster to cause network failures. In addition, we also introduce some of the SDN security projects. We briefly go over the design and implementation of Project Delta, which is an official open-source SDN penetration testing tool pushed forward by Open Networking Foundation Security group, and Security-Mode ONOS, a security extension that protects the core of ONOS from the possible threats of untrusted third-party applications.

Speakers

Changhoon Yoon

Changhoon Yoon is a PhD student at KAIST (School of Computing) in South Korea. He is working with Dr. Seungwon Shin at Network and System Security Laboratory, and his research interests primarily lie in the area of network security including Software-Defined Networking (SDN) and Network Function Virtualization (NFV) security. He is currently leading Security-Mode ONOS project, which is a collaborative project with the researchers from ON.LAB and SRI International to design and implement a security extension for ONOS, and he is also participating in other SDN security projects, such as SDN WAN security project and etc. In addition, he has presented ""Security-Mode ONOS"" at ONS 2016, and he published several research papers on SDN security at a major journal and a workshop.

Detailed Presentation:

HEIST: HTTP encrypted information can be stolen through TCP windows

Over the last few years, a worryingly number of attacks against SSL/TLS and other secure channels have been discovered. Fortunately, at least from a defenders perspective, these attacks require an adversary capable of observing or manipulating network traffic. This prevented a wide and easy exploitation of these vulnerabilities. In contrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic. HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. Most importantly, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites. Finally, we explore the reach and feasibility of exploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is used. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In short, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.

Speakers

Mathy Vanhoef

Mathy Vanhoef is a PhD researcher at KU Leuven, where he performs research on streamciphers, and discovered a new attack on RC4 that made it possible to exploit RC4 as used in TLS in practice (the RC4 NOMORE attack). He also focuses on wireless security, where he turns commodity Wi-Fi cards into state-of-the-art jammers, defeats MAC address randomization, and breaks protocols like WPA-TKIP. He also did research on information flow security to assure cookies don't fall in the hands of malicious individuals. Apart from research, he knows a thing or two about low-level security, reverse engineering, and binary exploitation. He regularly participates in CTFs with KU Leuven's HacknamStyle CTF team."

Tom Van

Tom Van Goethem is a PhD researcher at the University of Leuven with a keen interest in web security and online privacy. In his research, Tom performs large-scale security experiments, both to analyse the presence of good and bad security practices on the web, as well as to demystify security claims. More recently, Tom started exploring side-channel attacks in the context of the web, resulting in the discovery of browser-based timing attacks. In an attempt to make the web a safer place, Tom on occasion rummages the web in search for vulnerabilities."

Detailed Presentation:

A Cloud Access Security Broker (CASB) is a solution to secure SaaS apps end-to-end, from cloud to device. Today, most CASBs focus only on software as a service (SaaS), although they can enforce best practices and security policies across all cloud services, including infrastructure (IaaS) and platforms (PaaS)

CASBs are generally designed for the following use cases from security perspective:

• Visibility: Who is doing what and where are the workloads that are off premise (Office 365, Box, Salesforce etc.)
• Data loss prevention (DLP): What kinds of data are users accessing and from what device?
• Risk analysis and mitigation: From what locations/devices is company data being accessed?

Evolving security features are:

• Compliance: CASBs impose controls on cloud usage to enforce compliance with industry regulations (for example, HIPAA). They also can detect when cloud service usage is at risk of falling out of compliance.
• Threat protection: This includes threat intelligence, anomaly detection and malware protection, as well as controlling unauthorized devices and users from accessing corporate cloud services

Some Pointers To Keep In Mind If You Need A CASB:

• CASB architectures vary from one vendor to the next with agent or agentless.
• Most have a primary proxy mechanism upon which their architecture is built - either a forward proxy or a reverse proxy, supported by API integration into the applications for scanning data at rest.
• Proxies enable real-time, inline control. Proxy mode is fine, but it provides a single point of failure and can introduce application latency.
• APIs, while not real-time, provide control over backend functions like external sharing. Admins can also give CASBs their permission to use their cloud administration credentials so that the CASB can see and control cloud policy, monitor various levels of administrator and end-user access, and define policy. The only downside to API mode is the skill set required and learning curve necessary to understand how to make the API connection and maintain it overtime as new APIs get released. Such skills can be difficult to find and keep on staff.
• Most enterprises will require a hybrid CASB that provides both proxy-based and API-based protections for comprehensive cloud data protection.
• CASB tools are available from a variety of vendors, including Adallom (recently purchased by Microsoft),Elastica, Firelayers, Imperva Skyfence, Netskope and Skyhigh, to name a few.

Selection Considerations

When it comes to choosing the right CASB for your organization, there are a number of considerations, including:

• Range of coverage - Salesforce, Office 365, AWS, Box, etc.
• Ease of use
• Market Leader
• Cost: The majority of CASB providers use subscription models based around these methods of licensing:
  
  
  • Number of users
  • Number of cloud applications protected
  • Features specifically used 
• Integration: Proxy, DLP, SIEM or any security tools

Article Contributor:  Venkatasubramanian Ramakrishnan, Head Information Risk Management, Cognizant

A sandbox is a security mechanism to analyze the behaviour of any suspicious file types and web objects by allowing it to execute in an isolated environment with constrained resources. It allows one to execute any untested, un-trusted/outsourced code without causing any damage to the host machine and production environment. Usually the program is run into Virtual environment or emulation software which provide the feel and functionality similar to the actual environment.

There are two ways to deploy a sandbox solution in your network:

• On-Premise : Sandbox appliance is present on-premise. All the network security solutions such as firewalls, IDSes, IPSes, SWGs and SEGs feeds suspicious files into the sandbox and based on the analysis it assigns threat score for the same. Generally on-premise deployment are preferred by those who has data security concerns and do not want their data to reside on third party cloud. This deployment however adds to the cost of appliance and sensors (if needed) hence increasing the TCO

• Cloud based: Sandbox appliance resides in Cloud. This deployment is very cost-effective as it reduces the cost of owning and managing appliance. Also the licensing options are flexible in this regard which further reduces the TCO. Since all on-premise network security devices have to upload/retrieves files to the Cloud sandbox this adds to the cost of network bandwidth requirement  for an organization

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist )

Sandboxing technology is used to detect advanced malware and is one of the most sought after security tools today. Here in this blog we look at some of the criteria to help us evaluate sandboxing technology. 

1. The ability to analyze wide-ranging  file types and web objects:

A sandbox solution should be able to analyze all kind of file types such as Executables, pdf's, Ms office files, graphic files, Archived files ad web objects such as javascripts, HTML pages, URL's etc.

2. The ability to Automatically upload files to Sandbox platforms:

Earlier, using sandbox environment to analyze malware used to be a tedious and complex task for the malware analysts, as they had to manually upload files to the Sandbox environment for analysis. This has changed in the current times with the sandbox solutions having capabilities to automatically upload the files and analyze the files for its suspicious behaviour if any.

3. The ability to support multiple OS environment and Application stack

Certain malwares are designed to detonate in specific environment conditions such as  type of operating systems/applications, versions of operating systems/ applications etc. It is very important for any sandbox solution to detect such malware through support for variety of OS environments and applications stacks.

4. The ability to analyze malwares with VM-evasion technologies:

Malware authors are getting smarter by the day. Current day malware has VM-aware capabilities,  which basically finds out if it's executing in any sandbox. Such malware can stay idle for long time and evade its detection by traditional sandbox environments.

5. The ability to integrate with existing security controls:

Sandbox solutions must be able to integrate with existing security controls such as Firewalls, IPSes, IDSes, SWGs, SEGs, Endpoint Protection platforms and Forensics tools. These security Controls can actually feed suspicious files and web objects into the Sandbox solution. This reduces the overall TCO and increases the efficacy of Sandbox solutions.

6. The ability to preserve malware samples for contextual analysis and forensics:

Preserving malware samples for forensics and contextual analysis is useful in understanding the tactics, techniques and procedures of the attacker. This helps us create signatures, gain deeper insight into the attack and helps create incident response plan for similar attacks in future.

( Read More: Checklist On Skillset Required For An Incident Management Person )

Pre-Registrations For Annual Summit Is Now open! Click Here To Know More

RansomWare is a type of malicious software (malware) when infected with encrypts all the important files such as documents, pictures, movie file etc with a virtually unbreakable encryption key. [RM1] The RansomWare arrives via email attachments, insecure downloads,  use of outdated browser's, or through Trojans such as Zeus etc. Once executed the malware usually reaches out to its Command & Control server over an internet connection to get the encryption key. The encryption is almost always asymmetric and impossible to crack. The malware is also able to encrypt locally mapped network drives/ cloud storage drives. The main motive of the attacker is to extort money from the victim in return of the private key for decryption. The attacker usually leaves a message  in encrypted folders  instructing users to pay ransom in Bitcoins or via Moneypak. In most of the cases even paying ransom does not work quite well for the victim as the private key fails to decrypt some of the important documents especially those in mapped drive and locally mapped cloud storage drives. There are RansomWare developed  specifically for mobile platforms as well, and have affected thousands of mobile devices worldwide.

Some of the well known RansomWare are CryptoLocker, Cyrptowall, Teslacrypt, Torrentlocker and CTB locker. Frequently attackers release new variants of Ransomware by tweaking and subtly changing lines of codes in most popular ones to avoid detection.  According to various research works, India ranks 3rd in the Asia and 9th worldwide among the countries affected by Malware attacks. The most affected being Banking and Pharmaceuticals sectors. A research team at Malwarebytes has identified LeChiffre, whose name means "encryption" in French, which caused millions of dollars of damages after infecting several banks and pharmaceuticals company. According to The Economic times, some companies have paid ransoms in millions of dollars after such attacks.

( Read More: 5 Major Types Of Hardware Attacks You Need To Know )

Here are some of the tips that you can put to use to prevent yourself from getting into such situations:

1. Back up your important data at regular intervals

This is the most logical preventive measure that your organization  can adopt to thwart any such attacks. Make sure that your Backup solution is up and running as it should. Keep in mind that the back-up should be kept in a separate external drive. If you are using automated backup solution then make sure that your backup drives are connected only during the backup process and are disconnected from the network once the process is complete.

2. Develop robust vulnerability management and Patch management Program

Vulnerable applications, software's are some of the attack vectors for the attackers. Remember to keep your operating systems, browsers, plug-ins used by your browsers, java and other software's are up to date with the latest patches installed. The best way to accomplish this is by developing robust vulnerability management and patch management program, use of automated vulnerability detection tools and patch management solutions and making sure that the all the patches are installed in a timely manner can ensure you of better protection against such attacks

3. Fine tune your systems and security solutions to a more secure configuration

Fine tuning your security solutions and systems can give you a great deal of protection against RansomWare attacks. Tweak your anti-spam solution to filter out mails with executable attachments, tweak your IPS and firewall to block any malicious traffic, disable remote access services on systems if not required, deactivate auto-play for devices, disable unused network adapters (Wi-Fi, Bluetooth etc.), Do not map network drives & cloud storage folders to your local system only if not necessary, configuresystems to show hidden file extensions, block unauthorized USB access, uninstall application that you don't use  etc.

( Read More: 5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution )

4. Use a good Endpoint security solution to detect any malicious code

A good advance Anti-malware software can help you identify malicious code and possible malware attacks. keep your security software up-to-date with the latest version and malware database. It is also a good idea to run windows firewall or any other host firewall software on your system to detect any unauthorized attempt to connect to internet by any malicious code.

5. Educate your employees & colleagues

Educate your employees of the safe Internet browsing practices such as not to double click any suspicious links, not to run any suspicious program on their system and not to install any unverified browser plug-ins. Employees should also be educated about social engineered attacks, verifying mail attachments before downloading or opening it etc.

References:

• http://www.symantec.com/security_response/publications/threatreport.jsp

https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/

Log management is one of the primary requirements for building an enterprise class SOC. In security, Log analysis is often the first step in incident forensics. Operating systems such as windows, Unix, Linux and other network devices such as routers, firewalls etc. offer native log management capabilities but are not sufficient for organizations because of a variety of reasons. First, due to storage constraint older logs are overwritten by the most recent logs. Second, log collection for network devices, OSs are not reliable and are often not in the same format rendering analysis difficult. Another challenge is that the logs are distributed across devices and are not centrally stored or managed.

image courtesy: https://www.flickr.com/photos/purpleslog/2870445260

Some of the benefits of log management are :

• Logs  often provide the first hand evidence in cyber forensics and are often invaluable in investigating security incidents and auditing. Log management help make forensics and investigation much easier.
• Logs feeds SIEM solution for continuous security monitoring. A better log management speeds-ups the correlation engine and provide better insights by  reducing noise in analysis results.
• Log management helps managing compliance requirements as they require organizations to index log events for easy accessibility and search capability
• Log management can help optimize the storage requirements by discarding unimportant logs

( Read More: Checklist To Evaluate SIEM Vendors )

Below is the list of couple of open-source Log Management tools which provide the capability of reliable log collection, Log normalization and relaying of Log messages to a central location for their log time storage.

1. Syslog-ng

syslog-ng allows you to flexibly collect, parse, classify, and correlate logs from across your infrastructure and store or route them to log analysis tools

2. rsyslog

Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IPnetwork. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds features such as using TCP for transport.

3. Log2timeline

Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso is a Python-based backend engine for the tool log2timeline.

4.Logalyze

LOGalyze is an open source, centralized log management and network monitoring software. If you would like to handle all of your log data in one place, LOGalyze is the right choice. It supports Linux/Unix servers, network devices, Windows hosts. It provides real-time event detection and extensive search capabilities.

5.Gray Log

Graylog2 collects and aggregates events from a multitude of sources and presents your data in a streamlined, simplified interface where you can drill down to important metrics, identify key relationships, generate powerful data visualizations and derive actionable insights.

6. Fluentd

Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.

( Read More: Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA) )

Pre-Register for SACON International 2017. Click on the image below to pre-register

SACON is India's 1st & Only Security Architecture Conference. With over 60 participants, this was the first year of SACON and here are a few highlights we wanted to share with you. It was held on 12th July, Ritz Carlton, Bangalore, India.

We had with us Top Security Industry Leaders who helped SACON with great content. For more details visit: sacon.io

( Read More: ATP( Advanced Threat Protection) Technology Stack )

What We Covered? (Key Highlights)

• Need for Security Architecture and Key Challenges

• Security Architecture Models and Views ( TOGAF, Zachman, SABSA etc. )

• Security Architecture Process and Deliverables

• CISO Platform Security Strategy Model & Comparison to existing models

• Threat Modeling and Security Architecture Planning

• Google's Innovative Approaches - Google's Beyond Corp

• Benchmarking Your Security Program

• Building The Threat Model Of An Example Application

• AppSec Program Creation - An Organisational Situation Solved Using OpenSAMM & BSIMM Controls

• HandsOn Workshop On Designing Security Architecture For Your Organisation

• Combination of latest technologies like EDR, SA, AMP and more to build your ATP Security Architecture

( Read More: Checklist To Assess The Effectiveness Of Your Vulnerability Management Program )

Presentations

Click on each presentation name to open slide in new tab

• SACON Orientation by Bikash Barai [ Co-Founder Cigital India ( Earlier iViZ ) ]
  
  
• Enterprise Security Architecture by Arnab Chattopadhayay [ Senior Technical Director @MetricStream ]
  
  
• From Business Architecture to Security Architecture by Vinayak Godse [ Senior Director-Data Protection @DSCI ]
  
  
• Practical Enterprise Security Architecture by Dr. Rajesh P. Deo [ Senior Manager @Ernst&Young ]
  
  
• Security Maturity Models by Ravi Mishra [ Head Of Advisory @CISO Platform ]
  
  
• Application Threat Modeling by Nilanjan De [ Principal Architect @Cigital ]
  
  
• ATP Technology Pillars by  Bikash Barai [ Co-Founder Cigital India ( Earlier iViZ ) ]

Photo Album

Some great photographs have been compiled into an album. Help us Tag you ( Tag yourself  ) and let us know if you want to add some pictures you took at the event. Email - pritha.aash@cisoplatform.com

Here's the Photo Album link - https://goo.gl/CHqLkr

Video: What Were Your TakeAways?

Pre-Registrations For Annual Summit Is Now open! Click Here To Know More

Read More: Pre-launch Preview: State of Security Technology Adoption in Enterprises - Annual Report 2015

We are happy to announce the results of the annual survey of Security Buying Status in which 230 Companies have participated in the enterprise segment. We define enterprise as organisations that have 5000+ employees. This is a preview of the key findings on the buying of various security technologies.

About The Report

• The Data was collected from various online and offline sources like CISO Platform Security Benchmarking, Programs, Buying Advisory by CISO Platform Analysts, Surveys (online & offline during events)
• Total sample size 230 enterprises
• We define enterprise as 5000+ employees
• Complete report coming soon

(Key Insights) IT Security Buying Trends:

• Threat Intelligence and Forensics (Network, Endpoint) are the most sought out solutions with 47 % of the enterprises said they are planning to Implement Forensics and Threat Intelligence this year

• Even though the demand for APT (Advanced Persistent Threat) Security solutions is high, market understanding of various use cases and technologies is not, as APT Security is a broad spectrum of solution and not a point product. 44% of the organization said that they are planning to implement APT Security this year
  
  
• India is at 75-80% par to US in terms of Prevention and Detection capabilities, whereas 10% par in terms of Response and Prediction. And when we compare in terms of adopting emerging technologies, India is less than 10% at par
  
  
• Almost 2 out of 5 Enterprise in India are still not ready to implement Forensics this year

• Telecom is the most mature market in terms of implementation of these emerging cyber-security technologies whereas Manufacturing is the least matured market

Recommendations:

• Many organizations are still struggling with this issue of mobile devices and the bring-your-own device concept and hence that drives the demand of Mobile Device Management in India.
• APT Security is not a single technology/solution but a complex program (people, process and technology ). Sandboxing or any single technology can only provide partial protection against “real” advanced attacks. We suggest organisations to look at the complete stack of technologies and build a holistic program to secure against advanced attacks.

Survey Objectives

The primary objectives of this survey is to find:-

• The latest trends in Information Security Buying
• Maturity Level of various Industry domains like BFSI, Telecom, IT/IES etc.
• Emerging Technologies to look out for in 2016

Data Insights

Figure 1: Domain of Survey Participants

In Figure 1, we can see that majority of respondents are from BFSI domain with 35% of respondents whereas IT/ITES makes up to 24% in the survey. Public organization accounts to 7% of the respondents.

Figure 2: Emerging Technologies of 2016

In Figure 2, we can see that 47.2% of the enterprise planning to implement Forensics this year and emerged out as most emerging technology. Similarly, 47% planning Threat Intelligence this year.

State of Implementation of Key Security Technologies

1. Forensics (Network, Endpoint):

Forensics is the science of application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in such a way that it serves as digital evidence in court of law

• 15.5% Already have Forensics in place
• 47.2% of the enterprise says they are Planning to Implement this year and
• 37.3% organization still believes they are not ready to implement Forensics this year.

Figure 3: Implementation Status of Forensics in 2016

The breakup of Implementation Status of Forensics across domains in India in 2016 is mentioned in a Table1: Telecom and Retail emerged out as the matured industry in terms of implementing Forensics whereas surprisingly BFSI emerged out as least matured in implementing Forensics.

2. Threat Intelligence:

Threat Intelligence is the act of proactively gathering threat information and identifying, collecting and enriching the relevant information and subsequent analysis of the gathered information. Thus businesses continue to run with comprehensive intelligence and they are enabled to proactively stop threats and monitor their network to quickly respond to and resolve attacks.

• 32% Already have Threat Intelligence in place
• 47% of the enterprise says they are Planning to Implement this year
• 21% organization still believes they are not ready to implement Threat Intelligence this year.

Figure 4: Implementation Status of Threat Intelligence in 2016

 The breakup of Implementation Status of Threat Intelligence across domains in India in 2016 is mentioned in a Table 2: Telecom and Major IT/ITES emerged out as the matured industry in terms of implementing Threat Intelligence whereas Media/Entertainment is least matured industry in terms of having Threat Intelligence in place.

3. APT (Advanced Persistent Threat) Security:

For Comprehensive APT Security, multiple products are required and it can be split into various channels like End-Point, Network, Email and Solution with some of Tech Stack capabilities like NGFW etc.

• 37% Already have APT Security in place
• 44% of the enterprise says they are Planning to Implement this year
• 19% organization still believes they are not ready to implement APT Security this year.

Figure 5: Implementation Status of APT Security in 2016

The breakup of Implementation Status of APT Security across domains in India in 2016 is mentioned in a Table 3: Telecom and BFSI emerged out as the matured industry in terms of implementing APT Security whereas Manufacturing is least matured industry in terms of having APT Security in place.

4. Mobile Device Management (MDM):  

It brings together people, processes and technology focused to manage mobile devices, wireless networks, and other mobile computing services in a business context.

• 48.8% Already have Mobile Security in place
• 42.3% of the enterprise says they are Planning to Implement this year
• 8.9% organization still believes they are not ready to implement Mobile Security this year.

Figure 6: Implementation Status of MDM in 2016

The breakup of Implementation Status of MDM Security across domains in India in 2016 is mentioned in a Table 4: Public Sector and BFSI emerged out as the matured industry in terms of implementing MDM Security whereas Media/Entertainment is least matured industry in terms of having MDM Security in place.

5.  SIEM (Security Information and Event Management) /SOC (Security Operations Center): 

It’s a cyber security product or service that combines the effect of (a) Security Information Management (SIM) and (b) Security Event Management (SEM) and thus combined performs two functions-
(a) centrally storing logs allowing real time analysis and
(b) carrying out trend analysis by collecting data into a central repository and thus providing automated reporting for compliance and centralized reporting.

• 50% Already have SIEM/SOC in place
• 41.7% of the enterprise says they are planning to implement this year
• 8.3% organization still believes they are not ready to implement SIEM/SOC this year.

Figure 7: Implementation Status of SIEM/SOC in 2016

The breakup of Implementation Status of SIEM/SOC Security across domains in India in 2016 is mentioned in a Table 5: BFSI and Minor IT/ITES emerged out as the matured industry in terms of implementing SIEM/SOC whereas Media/Entertainment Sector is least matured industry in terms of having SIEM/SOC Security in place.

This report is not comprehensive as this covers only the Top 5 Emerging Buying Trends. For comprehensive report, please contact us at analyst@cisoplatform.com

Pre-Registrations For Annual Summit Is Now open! Click Here To Know More