Advanced - All Articles - CISO Platform (feed generated 2024-03-29T06:07:44Z, https://www.cisoplatform.com/profiles/blogs/feed/tag/Advanced)

ATP (Advanced Threat Protection) Technology Stack
https://www.cisoplatform.com/profiles/blogs/atp-advanced-threat-protection-technology-stack
Published 2016-07-14T12:00:00.000Z by pritha (https://www.cisoplatform.com/members/pritha)
<div><p></p>
<p><strong><a href="{{#staticFileLink}}8669808656,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8669808656,original{{/staticFileLink}}" width="636" class="align-center" height="350" alt="8669808656?profile=original" /></a></strong></p>
<p></p>
<p>We believe ATP isn't a single technology or solution but a complex program consisting of people, process and technology. Sandboxing, or any other single technology, can only provide partial protection against "real" advanced attacks. We suggest that organizations look at the complete stack of technologies mentioned below and build a holistic program to secure themselves against advanced attacks.</p>
<p></p>
<p></p>
<p><strong>Advanced Threat Detection:</strong> ATP products generally leverage one or more of the techniques mentioned below:</p>
<p></p>
<ul>
<li><strong>Sandboxing:</strong> Improves detection rates for ransomware and lets an organization identify customized or tailored malware that is beyond the recognition capability of traditional antivirus. It provides a safe environment, either cloud-based or on-premise, in which suspicious files are executed and analysed: <br /> <br /><div style="margin-left:2em;"><ul>
<li><strong>Virtual sandbox & physical sandbox:</strong> A physical sandbox is needed for VM-aware malware, which detects virtualized analysis environments and hides its behaviour there.</li>
</ul>
</div>
</li>
</ul>
<p></p>
<ul>
<li><strong>Security Analytics:</strong> Correlation and analysis of data from across the IT infrastructure to identify threats<br /> <br /><div style="margin-left:2em;"><ul>
<li>Behavioural analytics (network & user); heuristics; machine learning</li>
</ul>
</div>
</li>
</ul>
<p></p>
<ul>
<li><strong>Application Containerization:</strong> Isolates each application in a micro-virtual machine, so that a compromised application cannot reach the rest of the host; it can also help reduce the load on the overall resources available.</li>
</ul>
<p></p>
<ul>
<li><strong>Embedded URL Analysis:</strong> Analyses suspicious URLs embedded in emails and other messages<br /> <br /><div style="margin-left:2em;"><ul>
<li>URL rewriting for real-time click protection; URL tracking / tracing</li>
</ul>
</div>
</li>
</ul>
<p></p>
<p dir="ltr"><span>( Read More:</span> <span><a href="http://www.cisoplatform.com/profiles/blogs/workshop-threat-intelligence">Threat Intelligence (Workshop Presentation)</a> )</span></p>
<p></p>
<ul>
<li><strong>Network Traffic Analysis:</strong> Enables ATP to detect inbound and outbound threats, as well as suspicious IPs, URLs, known C&C servers and other attacker behaviour across the entire attack lifecycle.</li>
</ul>
<p></p>
<ul>
<li><strong>IOC Detection:</strong> Once a threat is detected, its indicators of compromise (IOCs) can be used to quickly locate other infected devices</li>
</ul>
<p></p>
<ul>
<li><strong>File Reputation Analysis, Whitelisting, Blacklisting</strong></li>
</ul>
<p></p>
<ul>
<li><strong>Static Code Analysis:</strong> Examines a file's code without executing it, so that threats can be identified before they run</li>
</ul>
<p></p>
<ul>
<li><strong>Threat Intelligence:</strong> Provides Intelligence about emerging threats from across the globe </li>
</ul>
<p></p>
<p>It's time to go beyond using sandboxing as a standalone capability; an organization needs a holistic approach to its ATP program. You need efficient and robust analysis tools that integrate with your existing security ecosystem and can continuously detect the most advanced threats.</p>
<p><br /> But as Kevin Mitnick, the world's most famous hacker, says: "A company can spend hundreds or thousands of dollars on firewalls, IDS/IPS, ATP and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and the attacker gets in, then all that money spent on technology is essentially wasted." Therefore, processes and people also play a crucial role in establishing a strong ATP program.</p>
<p></p>
<p dir="ltr"><span>( Read More:</span> <span><a href="http://www.cisoplatform.com/profiles/blogs/9-top-features-to-look-for-in-next-generation-firewall">9 Top Features To Look For In Next Generation Firewall (NGFW)</a> )</span></p>
<p></p></div>

Top 11 Ransomware Prevention Resources
https://www.cisoplatform.com/profiles/blogs/top-11-ransomware-resources
Published 2016-07-19T09:00:00.000Z by pritha (https://www.cisoplatform.com/members/pritha)
<div><p><a href="http://www.cisoplatform.com/profiles/blogs/top-11-ransomware-resources" target="_blank"><img width="600" src="{{#staticFileLink}}8669812673,original{{/staticFileLink}}" class="align-center" alt="8669812673?profile=original" /></a></p>
<p></p>
<p>Ransomware is a type of malicious software (malware) that, once it infects a system, encrypts important files such as documents, pictures and movie files with a virtually unbreakable encryption key. Here we have compiled some good-read blogs and articles, freely available decryptors and removal kits to keep you up to date on the latest happenings in the ransomware space.</p>
<p><br /> 1. <strong>(Free tools)</strong> <a href="http://betanews.com/2016/07/01/avg-announces-6-new-tools-to-free-your-data-from-ransomware/" target="_blank">AVG announces 6 new free decryption tools to retrieve your encrypted files</a>: AVG has come out with six new tools designed to fight this affliction, each for a different form of this malware. <br /> According to AVG, these new free tools decrypt six current ransomware strains: Apocalypse, BadBlock, Crypt888, Legion, SZFLocker, and TeslaCrypt.</p>
<p><br /> 2. <a href="http://www.bleepingcomputer.com/forums/t/577861/locker-ransomware-author-allegedly-releases-database-of-private-keys/" target="_blank">Locker Ransomware author dumps database of private keys, apologizes</a>: Allegedly, the author of the "Locker" ransomware has uploaded a dump of the C2 server database, releasing the private keys of infected hosts worldwide to the public. The "author" claims that the release was a mistake, that no further keys will be used for encryption, and that automatic decryption of all affected hosts will begin on June 2nd 2016.</p>
<p><br /> 3. <strong>(Free tool)</strong> <a href="http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/" target="_blank">ESET releases new free decryptor for TeslaCrypt ransomware</a>: After TeslaCrypt authors announced that they are closing down their operations and made public their Universal master decryptor key, ESET created a free decryptor tool to unlock files affected by all variants between 3.0.0 and 4.2 of this Ransomware.</p>
<p><br /> 4. <a href="http://www.tripwire.com/state-of-security/latest-security-news/ransomware-removal-kit-published-online-helps-streamline-infection-response/" target="_blank">Ransomware removal kit published online, helps streamline infection response</a>: A security researcher has made a Ransomware removal kit available online with the hope that it will help security professionals and system administrators alike in responding to instances of Ransomware infection. Researcher Jada Cyrus has published the <a href="https://bitbucket.org/jadacyrus/ransomwareremovalkit/overview" target="_blank">kit on Atlassian Bitbucket</a>. The kit itself consists of removal tools for common ransomware variants, as well as <a href="http://www.theregister.co.uk/2015/05/21/ransomware_rescue_kit/" target="_blank">guides on how to perform the necessary removal tasks</a>.</p>
<p><br /> 5. <a href="https://heimdalsecurity.com/blog/what-is-ransomware-protection/" target="_blank">What is Ransomware and 15 Easy Steps To Keep Your System Protected [Updated]</a>: A very comprehensive and updated guide on ransomware. This blog outlines target vectors, attack anatomy, ransomware families and much more.<br /><br /></p>
<p><span id="docs-internal-guid-929b8036-0284-c542-8284-b91fdd2e1ef1"><span>( Read More:</span> <span><a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-siem-vendors">Checklist To Evaluate SIEM Vendors</a> )<br /><br /></span></span></p>
<p><br /> 6. <a href="https://deobfs.com/2016/06/14/behaviour-analysis-of-cerber-ransomware/" target="_blank">Behaviour analysis of CERBER ransomware</a>: The ransomware known as CERBER has been out since early March, according to Trend Micro, and so far has used different techniques for delivering the payload to the victim. For instance, it has been seen to use compressed JavaScript files (.zip) or, in other instances, Windows Script Files (WSFs) containing XML content that are then executed by Windows' wscript.exe utility.</p>
<p><br /> 7. <a href="http://blogs.csc.com/2016/04/14/when-the-cryptolocker-strikes-reasons-for-success-of-ransomware/" target="_blank">When the cryptolocker strikes: Reasons for ransomware success and ways to prevent</a> : What factors lead to the high success of cryptolockers, a type of Ransomware that scrambles your files and asks for a ransom to recover them again?</p>
<p><br /> 8. <a href="https://virtuallysober.com/2016/07/07/catching-ransomware-infections-with-a-honeypot-script-integration-into-zerto-virtual-replication/" target="_blank">Catching Ransomware infections with a Honeypot script & integration into Zerto Virtual replication</a>: This script uses the honeypot technique to detect ransomware infections by comparing two files, a honeypot file and a witness file.</p>
<p><br /> 9. <a href="https://cyberattackblog.wordpress.com/2016/07/06/zeptothe-new-threat/" target="_blank">"Zepto" the new threat</a>: Analysis and anatomy of the new ransomware known as "Zepto". The blog talks about how Zepto infects a target computer and how to detect its behaviour.</p>
<p><br /> 10. <a href="https://technologyevaneglist.wordpress.com/2016/06/27/how-to-trade-bitcoins/" target="_blank">How to trade Bitcoins</a>: Practically all ransomware attackers demand the ransom in Bitcoins. Bitcoin is a relatively new currency that has significantly increased in value over the past few years. Bitcoins are known as a cryptocurrency and can be traded in order to earn money.</p>
<p><br /> 11. <a href="https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/" target="_blank">Ransomware that's 100% pure JavaScript, no download required</a>: By the start of 2016, many crooks were steadily shifting their infection strategy as the world began to realise that enabling macros was a really bad idea. These days, a lot of ransomware arrives in JavaScript attachments, and this blog analyses and presents the challenges associated with it.</p>
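<p>As an added illustration of the honeypot/witness comparison described in item 8 (example code written for this page, not the linked Zerto script): the honeypot file sits on the monitored share where an encryptor would touch it, the witness copy is kept where ransomware cannot reach it, and any change in the honeypot's content, or its disappearance after a rename, raises an alert. All paths and file contents below are constructed for the demo.</p>

```python
"""Canary-file ransomware detection: compare a honeypot file with a witness copy.

Added example, not the linked script. Assumptions: the honeypot lives on the
share that ransomware would encrypt; the witness copy is stored somewhere the
malware cannot reach (e.g. a read-only location); both start out byte-identical.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large honeypot files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_honeypot(honeypot: Path, witness: Path) -> dict:
    """Return a verdict {'alert': bool, 'reason': str}.

    Alerts when the honeypot is missing (deleted or renamed, e.g. to .locked),
    when its size differs, or when its content hash no longer matches the witness.
    """
    if not witness.is_file():
        raise FileNotFoundError(f"witness file missing: {witness}")
    if not honeypot.is_file():
        # Encryptors commonly rename files as they go; a vanished canary is
        # treated as an infection signal, not as a benign condition.
        return {"alert": True, "reason": "honeypot missing or renamed"}
    if honeypot.stat().st_size != witness.stat().st_size:
        return {"alert": True, "reason": "honeypot size changed"}
    if sha256_of(honeypot) != sha256_of(witness):
        return {"alert": True, "reason": "honeypot content changed"}
    return {"alert": False, "reason": "honeypot matches witness"}


def demo() -> tuple:
    """Constructed scenario: clean state, then a simulated encryption and rename."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"  # the monitored file share (constructed)
        safe = Path(tmp) / "safe"    # unreachable location for the witness
        share.mkdir()
        safe.mkdir()
        honeypot = share / "00_invoice_template.docx"  # sorts first on the share
        witness = safe / "00_invoice_template.docx.witness"
        payload = b"constructed canary content " * 100
        honeypot.write_bytes(payload)
        witness.write_bytes(payload)
        clean = check_honeypot(honeypot, witness)

        # Simulate an encryptor overwriting the content in place (same length,
        # so only the hash comparison catches it)...
        honeypot.write_bytes(os.urandom(len(payload)))
        modified = check_honeypot(honeypot, witness)

        # ...and then renaming the file with a ransomware-style extension.
        honeypot.rename(honeypot.with_name(honeypot.name + ".locked"))
        renamed = check_honeypot(honeypot, witness)
        return clean, modified, renamed


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In production the check would run on a schedule and feed the verdict into the replication or alerting system; the witness must never be writable from the share being monitored.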
<p></p>
<p><span id="docs-internal-guid-ca67eedd-0284-04df-614b-2327f1bce3a4"><span>( Read More:</span> <span><a href="http://www.cisoplatform.com/profiles/blogs/atp-advanced-threat-protection-technology-stack">ATP( Advanced Threat Protection) Technology Stack</a> )</span></span><br /></p>
<p></p></div>

Ransomware Attacks: How Prepared Are You?
https://www.cisoplatform.com/profiles/blogs/ransomware-attacks-how-prepared-are-you
Published 2016-08-01T12:30:00.000Z by pritha (https://www.cisoplatform.com/members/pritha)
<div><p>Ransomware is a type of malicious software (malware) that, once it infects a system, encrypts important files such as documents, pictures and movie files with a virtually unbreakable encryption key. Ransomware arrives via email attachments, insecure downloads, the use of outdated browsers, or through Trojans such as Zeus. Once executed, the malware usually reaches out to its command & control server over an internet connection to get the encryption key. The encryption is almost always asymmetric and impossible to crack. The malware is also able to encrypt locally mapped network drives and cloud storage drives. The main motive of the attacker is to extort money from the victim in return for the private key for decryption. The attacker usually leaves a message in the encrypted folders instructing users to pay the ransom in Bitcoins or via MoneyPak. In most cases even paying the ransom does not work out well for the victim, as the private key fails to decrypt some of the important documents, especially those on mapped drives and locally mapped cloud storage drives. There is ransomware developed specifically for mobile platforms as well, and it has affected thousands of mobile devices worldwide.</p>
<p>Some of the well-known ransomware families are CryptoLocker, CryptoWall, TeslaCrypt, TorrentLocker and CTB-Locker. Attackers frequently release new variants by tweaking and subtly changing lines of code in the most popular ones to avoid detection. According to various research works, India ranks 3rd in Asia and 9th worldwide among the countries affected by malware attacks, the most affected sectors being banking and pharmaceuticals. A research team at Malwarebytes has identified LeChiffre, whose name means "encryption" in French, which caused millions of dollars of damage after infecting several banks and pharmaceutical companies. According to The Economic Times, some companies have paid ransoms in millions of dollars after such attacks.</p>
<p></p>
<p>( <span id="docs-internal-guid-792e131c-4628-cba6-d4df-c8bcf51cdfdd"><span>Read More:</span> <a href="http://www.cisoplatform.com/profiles/blogs/5-major-types-of-hardware-attacks-you-need-to-know"><span>5 Major Types Of Hardware Attacks You Need To Know</span></a></span> )</p>
<p><b>Here are some of the tips that you can put to use to prevent yourself from getting into such situations:</b></p>
<p></p>
<h2><span class="font-size-4">1. Back up your important data at regular intervals</span></h2>
<p>This is the most logical preventive measure your organization can adopt to thwart such attacks. Make sure that your backup solution is up and running as it should. Keep the backup on a separate external drive. If you are using an automated backup solution, make sure that your backup drives are connected only during the backup process and are disconnected from the network once the process is complete.</p>
<h2><span class="font-size-4">2. Develop robust vulnerability management and Patch management Program</span></h2>
<p>Vulnerable applications and software are among the attack vectors used by attackers. Keep your operating systems, browsers, browser plug-ins, Java and other software up to date with the latest patches installed. The best way to accomplish this is to develop a robust vulnerability management and patch management program: using automated vulnerability detection tools and patch management solutions, and making sure that all patches are installed in a timely manner, gives you better protection against such attacks.</p>
<h2><span class="font-size-4">3. Fine tune your systems and security solutions to a more secure configuration</span></h2>
<p>Fine-tuning your security solutions and systems can give you a great deal of protection against ransomware attacks: tweak your anti-spam solution to filter out mails with executable attachments, tweak your IPS and firewall to block malicious traffic, disable remote access services on systems where they are not required, deactivate auto-play for devices, disable unused network adapters (Wi-Fi, Bluetooth etc.), do not map network drives and cloud storage folders to your local system unless necessary, configure systems to show hidden file extensions, block unauthorized USB access, and uninstall applications that you don't use.</p>
<p></p>
<p>( <span id="docs-internal-guid-792e131c-462a-11fd-2121-74e6a5922b9f"><span>Read More:</span> <a href="http://www.cisoplatform.com/profiles/blogs/5-reasons-to-consider-security-information-event-management"><span>5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution</span></a></span> )</p>
<h2><span class="font-size-4">4. Use a good Endpoint security solution to detect any malicious code</span></h2>
<p>Good, advanced anti-malware software can help you identify malicious code and possible malware attacks. Keep your security software up to date with the latest version and malware database. It is also a good idea to run Windows Firewall or another host firewall on your system to detect any unauthorized attempt by malicious code to connect to the internet.</p>
<h2><span class="font-size-4">5. Educate your employees & colleagues</span></h2>
<p>Educate your employees about safe Internet browsing practices, such as not clicking suspicious links, not running suspicious programs on their systems and not installing unverified browser plug-ins. Employees should also be educated about social engineering attacks, verifying mail attachments before downloading or opening them, etc.</p>
<p>References:</p>
<ul>
<li><a href="http://www.symantec.com/security_response/publications/threatreport.jsp">http://www.symantec.com/security_response/publications/threatreport.jsp</a></li>
<li><a href="https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/">https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/</a></li>
</ul>
<div><div><p><span class="font-size-4"><a href="http://event.cisoplatform.com/quick-member-sign-up-content/" target="_blank"><img width="750" src="{{#staticFileLink}}8669803085,original{{/staticFileLink}}" class="align-center" alt="8669803085?profile=original" /></a></span></p>
</div>
</div></div>

Advanced Security Operations Centre (SOC) - Features & Technical Capabilities
https://www.cisoplatform.com/profiles/blogs/security-operations-centre-soc-features-technical-capabilities
Published 2017-07-01T22:30:00.000Z by pritha (https://www.cisoplatform.com/members/pritha)
<div><p><span>This gives a glimpse of Advanced Security Operations Centre (SOC) features & technical capabilities. This document is not explicit; it assumes you have…</span><br /><br />This was presented at <a href="https://www.sacon.io/?utm_source=CPBlogASOC&utm_medium=BannerImg&utm_campaign=SACON_Bang2017_PreReg" target="_blank">SACON</a>, where speakers explain the subjects in detail during sessions for deeper understanding. The next sessions are scheduled; you can pre-register/register for special deals and/or notifications <a href="https://www.sacon.io/?utm_source=CPBlogASOC&utm_medium=BannerImg&utm_campaign=SACON_Bang2017_PreReg" target="_blank">here</a>. You can check out the complete presentation <a href="http://www.cisoplatform.com/profiles/blogs/soc-architecture-tech-stack-process-org-structure-people-skills" target="_blank">here</a>.</p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/soc-features-technical-capabilities" target="_blank"><img width="690" src="{{#staticFileLink}}8669803265,original{{/staticFileLink}}" class="align-full" alt="8669803265?profile=original" /></a></p>
<p><strong><span class="font-size-6">Advanced Security Operations Centre (SOC) Features</span></strong></p>
<p></p>
<ul>
<li>Threat Assessment & Hunting<br /> <br /><ul>
<li>Knowing threats & adversaries</li>
<li>Their tools & methods</li>
<li>Critical assets for targets</li>
<li>Existing controls & weaknesses</li>
<li>Monitoring presence, IOC management & hunting</li>
</ul>
</li>
</ul>
<ul>
<li>Threat Intelligence<br /> <br /><ul>
<li>Internal threat intelligence</li>
<li>External threat intelligence</li>
<li>Application of threat intelligence</li>
<li>Automated consumption of threat intelligence (automated SIEM rules/runbook)</li>
</ul>
</li>
</ul>
<p></p>
<p>( Do More: Workshops on SOC, Threat Intelligence, Threat Hunting and Incident Response. To get notifications on the workshop sessions, keynote speakers etc., register <a href="https://www.sacon.io/?utm_source=CPBlogASOC&utm_medium=BannerImg&utm_campaign=SACON_Bang2017_PreReg" target="_blank">here</a> )</p>
<ul>
<li>Situational Awareness<br /> <br /><ul>
<li>Context and enrichment</li>
<li>Visibility</li>
</ul>
</li>
</ul>
<ul>
<li>Security Analytics<br /> <br /><ul>
<li>Behavioral profiling for users & systems</li>
<li>Database searches & statistical modeling, reporting & visualization</li>
<li>Forensics capability</li>
</ul>
</li>
</ul>
<p>( Read more : <a href="http://www.cisoplatform.com/profiles/blogs/security-incident-event-management-siem-framework-for-product-eva" target="_blank">Security Incident & Event Management (SIEM) Framework For Product Evaluation</a> )</p>
<p><strong><span class="font-size-6">Advanced Security Operations Centre (SOC) - Technical Capabilities</span></strong></p>
<ul>
<li>Data collection capabilities & compliance benefits of log management</li>
<li>The correlation, normalization and analysis capabilities of SIEM (Security Incident & Event Management)</li>
<li>The network visibility and advanced threat detection of NBAD (Network Behaviour Anomaly Detection) and user behaviour anomaly detection (UBA) by machine learning</li>
<li>The ability to reduce breaches and ensure compliance provided by Risk Management</li>
<li>The network traffic and application content insight afforded by Network Forensics</li>
<li>The automation of Incident Response by Artificial Intelligence/ Run Books</li>
<li>IOC / VM Management by Threat Intelligence</li>
<li>Reporting & Visualization provided by Presentation Layer</li>
</ul>
<p></p>
<p>SIEM as a platform should be a truly integrated solution built on a common codebase, with a single data management architecture and a single user interface.</p>
<p><strong><span class="font-size-6">Did you know you could compare all SOC/SIEM products and vendors on a single platform instantly?</span></strong></p>
<p><span>You can compare and discover SIEM products <a href="https://www.firecompass.com/security/market/SIEM?market_name=Security%20Information%20and%20Event%20Management" target="_blank">here</a>. <a href="https://www.firecompass.com/?utm_source=CPBlogASOC&utm_campaign=FCEU" target="_blank">FireCompass</a> is an AI assistant for cyber security decision making that lets you discover and compare 1,000+ cyber security products. <strong>Grab your free account now</strong> (for a limited time only): </span><a href="https://www.firecompass.com/?utm_source=CPBlogASOC&utm_campaign=FCEU" target="_blank">Claim your free account by signing up</a></p>
<p></p>
<p>Do write to us at pritha.aash@cisoplatform.com if you'd like us to cover some topics, we'll add it to our research plan.</p>
<p></p></div>