threat - All Articles - CISO Platform2024-03-28T20:06:43Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/threatHiring Desperation May Create Cybersecurity Riskshttps://www.cisoplatform.com/profiles/blogs/hiring-desperation-may-create-cybersecurity-risks2021-09-18T04:44:26.000Z2021-09-18T04:44:26.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9578929660?profile=RESIZE_400x&width=400"></div><div><p>With 11 million job openings in the U.S., the most ever, how desperate will organizations be to hire personnel? I am concerned that cybersecurity risks from insiders will increase if processes for proper vetting and background checks become lax for new hires.<br /> <br /> I suggest my fellow Chief Information Security Officers (CISOs) have a discussion with the head of their Human Resources to understand if the cyber risks are going to increase in the organization due to more 'flexible' hiring practices.</p></div>2 Biggest Factors Driving the Future of Cybersecurityhttps://www.cisoplatform.com/profiles/blogs/2-biggest-factors-driving-the-future-of-cybersecurity2021-06-08T01:03:36.000Z2021-06-08T01:03:36.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9052989654?profile=RESIZE_400x&width=400"></div><div><p>Cybersecurity can appear random and chaotic, but there are basic fundamentals that drive the course of cyberattacks. 
</p><p style="text-align:center;"> <iframe title="YouTube video player" src="https://www.youtube.com/embed/jFNOGf7vYUY" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>In today’s video, I dive into the two biggest factors that shape cybersecurity risks, attacks, and what drives the direction of the security industry. </p><p>Understanding the basic underpinnings provides insights into where the next attacks will focus and what will be targeted. They highlight the importance of understanding the people behind the attacks and the opportunities they pursue. </p><p>Thanks for watching. Let’s communicate and collaborate together -- that is how we make cybersecurity strong in protecting the global digital ecosystem.</p><p>I put out a new video about every week on various cybersecurity topics, risks, ideas, events, and best practices. If you like these cybersecurity videos and are interested in more cybersecurity insights, rants, and strategic viewpoints, please click the Like button and Subscribe to the Cybersecurity Insights channel! <a href="https://www.youtube.com/c/CybersecurityInsights">https://www.youtube.com/c/CybersecurityInsights</a></p></div>Cybersecurity is Not Reaching its Full Potentialhttps://www.cisoplatform.com/profiles/blogs/cybersecurity-is-not-reaching-its-full-potential2021-04-22T21:54:51.000Z2021-04-22T21:54:51.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/8824485489?profile=RESIZE_400x&width=400"></div><div><p>Cybersecurity has evolved with the rapid rise of digital transformation, becoming a crucial element of trust for products and services. 
No longer just a function of preventing impacts and meeting regulatory requirements, cybersecurity is emerging as a cornerstone for future enhancement of user experiences, compelling features, and growth into new fields.</p><h1>Wherever there are Risks, there are also Opportunities</h1><p>I’ve been collaborating with <a href="https://www.altmansolon.com/our-people/ben-matthews/">Ben Matthews</a> and <a href="https://www.altmansolon.com/our-people/michael-gurau/">Michael Gurau</a> from <a href="https://www.altmansolon.com/">Altman Solon</a>, a leading Tech, Media, and Telecom consulting firm, to highlight how cybersecurity can be optimized to manage the risk of loss and also how it can contribute to emerging business opportunities for organizations. They are looking to help their clients improve their risk strategy and understand how to seize business advantages.</p><p>If the security leadership, C-suites, and Boards are not thinking about how cybersecurity can bring opportunities to the business, they are behind the curve.</p><p>Cybersecurity is a leverage point for competitive advantage in the digital world. Those who look at the opportunities, in addition to the risk mitigation aspects, will have a strategic advantage.</p><p>We have seen examples across privacy, security, and safety that showcase how consumers’ trust and loyalty are affected by cybersecurity incidents. Abandonment, delays in adoption, and resistance to new offerings are becoming more common. That opens the door to competition or reinforces the position of organizations that proactively act to preserve customers’ trust.</p><h1>Competition is Knocking and Security is Pivotal</h1><p>Industries are evolving rapidly through technical innovation and the exploration of new markets. This can introduce challengers to the market leaders and raise the expectations of customers, resulting in a shift of market share.</p><p>Cybersecurity is a growing differentiator. 
As an example, the recent digitization of patient records and integration of health-related devices, which gather tremendous amounts of data, has given rise to the idea of healthcare data exchanges. Such exchanges are working feverishly to secure data and reinforce trust in the aggregated design to abate fears from patients and concerns from regulatory authorities. Conversely, decentralized healthcare initiatives are making security, privacy, and portability the major talking points in their models to compete with those exchanges, highlighting weaknesses in centralized architectures. </p><p>Changes are occurring across all sectors, with financial, telecommunications, healthcare, technology, automotive, online services, retail, manufacturing, government, and national critical infrastructures moving first.</p><h1>Cybersecurity Relevance</h1><p>The core elements of cybersecurity, being security, privacy, and safety, are powerful narratives and are becoming more prominent for organizations to showcase their leadership. </p><p>It is estimated that between 60% and 90% of SMBs go out of business after a major cyberattack. Where do those customers go? To vendors and suppliers who are more trustworthy, have deployed extra robust security in their offerings, are better prepared to respond to incidents, and are leaning forward to mitigate future risks. They differentiate themselves by showing cybersecurity savvy, maturity, and thought leadership in their sector.</p><p>Cybersecurity, cyber-ethics, and operational excellence will be the hallmarks of trust in our future digital world. </p><h1>Cybersecurity Leadership</h1><p>Right now, not many companies are ready to take advantage of such market-shifting opportunities, nor are they investing properly to protect the share they currently hold.</p><p>That is changing. Those who are not keeping up with their competitors will find themselves on the short end of the stick. 
Cyber-savvy boards are realizing the potential advantages, and some are already exploring how best to both protect and advance the bottom line with better security and through reinforced trust. And insurance alone does not deliver. It takes adaptation of the business to build longstanding loyalty and seize moments of opportunity.</p><p>It is time for the cybersecurity industry to start discussing how it is crucial in both managing the risks and enabling opportunities for the business. In the coming years, every successful CISO will be talking about how they can empower the greater success of the organization.</p><p>The full Altman Solon infographic deck and more information are available at: <em><u><a href="https://www.altmansolon.com/insights/new-global-threats-create-risk-opportunity-in-fragmented-cybersecurity-markets/">https://www.altmansolon.com/insights/new-global-threats-create-risk-opportunity-in-fragmented-cybersecurity-markets/</a></u></em></p></div>"ATP( Advanced Threat Protection) Technology Stack"https://www.cisoplatform.com/profiles/blogs/atp-advanced-threat-protection-technology-stack2016-07-14T12:00:00.000Z2016-07-14T12:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div>
<p>We believe ATP isn't a single technology or solution but a complex program consisting of people, process and technology. Sandboxing or any single technology can only provide partial protection against “real” advanced attacks. We suggest organizations look at the complete stack of technologies mentioned below and build a holistic program to secure against advanced attacks.</p>
<p><strong>Advanced Threat Detection:</strong> ATP products generally leverage one or more of the techniques below:</p>
<ul>
<li><strong>Sandboxing:</strong> This improves the detection rates of ransomware and enables an organization to identify customized or tailored malware which is beyond the recognition capability of traditional antivirus. It creates a safe environment to analyse suspicious files, either cloud-based or on-premise:
<ul>
<li><strong>Virtual Sandbox & Physical Sandbox:</strong> for virtual-machine-aware malware.</li>
</ul>
</li>
<li><strong>Security Analytics:</strong> Correlation & analysis of data from across the IT infrastructure for identifying threats:
<ul>
<li>Behavioural Analytics (Network & User); Heuristics; Machine Learning</li>
</ul>
</li>
<li><strong>Application Containerization:</strong> Isolates applications in a micro-virtual machine. It can help to reduce the load on the overall resources available.</li>
<li><strong>Embedded URL Analysis:</strong> For analysing suspicious URLs sent via emails etc.:
<ul>
<li>URL Rewriting – for real-time click protection; URL Tracking / Tracing</li>
</ul>
</li>
</ul>
<ul>
<li><strong>Network Traffic Analysis:</strong> This enables ATP to detect inbound and outbound threats as well as suspicious IPs, URLs, known C&C and other attacker behavior across the entire attack lifecycle.</li>
<li><strong>IOC Detection:</strong> Once an indicator of compromise (IOC) is detected, it can be used to quickly locate other infected devices.</li>
<li><strong>File Reputation Analysis, Whitelisting, Blacklisting</strong></li>
<li><strong>Static Code Analysis:</strong> Examines the code without executing the file, for threat protection.</li>
<li><strong>Threat Intelligence:</strong> Provides intelligence about emerging threats from across the globe.</li>
</ul>
<p>It's time to go beyond using sandboxing as a standalone capability; instead, an organization needs a holistic approach to its ATP program. You need efficient and robust analysis tools that integrate with your existing security ecosystem and can continuously detect the most advanced threats.</p>
<p>But as Kevin Mitnick, the world-famous hacker, says: "A company can spend hundreds or thousands of dollars on firewalls, IDS/IPS, ATP and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted." Therefore, processes and people also play a crucial role in establishing a strong ATP program.</p>
<p dir="ltr"><span>( Read More:</span> <span><a href="http://www.cisoplatform.com/profiles/blogs/9-top-features-to-look-for-in-next-generation-firewall">9 Top Features To Look For In Next Generation Firewall (NGFW)</a> )</span></p>
</div>Top 11 Ransomware Prevention Resourceshttps://www.cisoplatform.com/profiles/blogs/top-11-ransomware-resources2016-07-19T09:00:00.000Z2016-07-19T09:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div>
<p>Ransomware is a type of malicious software (malware) that, once it infects a system, encrypts all the important files such as documents, pictures and movie files with a virtually unbreakable encryption key. Here we have compiled some good reads: blogs, articles, freely available decryptors and removal kits to keep you up to date on the latest happenings in the ransomware space.</p>
<p>1. <strong>(Free tools)</strong> <a href="http://betanews.com/2016/07/01/avg-announces-6-new-tools-to-free-your-data-from-ransomware/" target="_blank">AVG announces 6 new free decryption tools to retrieve your encrypted files</a>: AVG has come out with six new tools designed to fight this affliction, each for a different form of this malware. According to AVG, these new free tools decrypt six current ransomware strains: Apocalypse, BadBlock, Crypt888, Legion, SZFLocker, and TeslaCrypt.</p>
<p>2. <a href="http://www.bleepingcomputer.com/forums/t/577861/locker-ransomware-author-allegedly-releases-database-of-private-keys/" target="_blank">Locker Ransomware author dumps database of private keys, apologizes</a>: Allegedly, the author of the "Locker" ransomware has uploaded a dump of the C2 server database, releasing the private keys of infected hosts worldwide to the public. The "author" claims that the release was a mistake, that no further keys will be utilized for encryption, and that automatic decryption of all affected hosts will begin on June 2nd 2016.</p>
<p>3. <strong>(Free tool)</strong> <a href="http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/" target="_blank">ESET releases new free decryptor for TeslaCrypt ransomware</a>: After the TeslaCrypt authors announced that they were closing down their operations and made their universal master decryption key public, ESET created a free decryptor tool to unlock files affected by all variants between 3.0.0 and 4.2 of this ransomware.</p>
<p>4. <a href="http://www.tripwire.com/state-of-security/latest-security-news/ransomware-removal-kit-published-online-helps-streamline-infection-response/" target="_blank">Ransomware removal kit published online, helps streamline infection response</a>: A security researcher has made a ransomware removal kit available online with the hope that it will help security professionals and system administrators alike in responding to instances of ransomware infection. Researcher Jada Cyrus has published the <a href="https://bitbucket.org/jadacyrus/ransomwareremovalkit/overview" target="_blank">kit on Atlassian Bitbucket</a>. The kit itself consists of removal tools for common ransomware variants, as well as <a href="http://www.theregister.co.uk/2015/05/21/ransomware_rescue_kit/" target="_blank">guides on how to perform the necessary removal tasks</a>.</p>
<p>5. <a href="https://heimdalsecurity.com/blog/what-is-ransomware-protection/" target="_blank">What is Ransomware and 15 Easy Steps To Keep Your System Protected [Updated]</a>: A very comprehensive and updated guide on ransomware. This blog outlines target vectors, attack anatomy, ransomware families and much more.</p>
<p>6. <a href="https://deobfs.com/2016/06/14/behaviour-analysis-of-cerber-ransomware/" target="_blank">Behaviour analysis of CERBER ransomware</a>: The ransomware known as CERBER has been out since early March, according to TrendMicro, and so far has used different techniques for delivering the payload to the victim. For instance, it has been seen to use compressed JavaScript files (.zip) or, in other instances, Windows Script Files (WSFs) which had XML content and were then executed by Windows’ wscript.exe utility.</p>
<p>7. <a href="http://blogs.csc.com/2016/04/14/when-the-cryptolocker-strikes-reasons-for-success-of-ransomware/" target="_blank">When the cryptolocker strikes: Reasons for ransomware success and ways to prevent</a>: What factors lead to the high success of cryptolockers, a type of ransomware that scrambles your files and asks for a ransom to recover them again?</p>
<p>8. <a href="https://virtuallysober.com/2016/07/07/catching-ransomware-infections-with-a-honeypot-script-integration-into-zerto-virtual-replication/" target="_blank">Catching Ransomware infections with a Honeypot script & integration into Zerto Virtual replication</a>: This script uses the honeypot technique to detect ransomware infections by comparing two files, a honeypot file and a witness file.</p>
<p>9. <a href="https://cyberattackblog.wordpress.com/2016/07/06/zeptothe-new-threat/" target="_blank">"Zepto" the new threat</a>: Analysis and anatomy of the new ransomware known as "Zepto". The blog talks about how Zepto infects the target computer and how to detect its behaviour.</p>
<p>10. <a href="https://technologyevaneglist.wordpress.com/2016/06/27/how-to-trade-bitcoins/" target="_blank">How to trade Bitcoins</a>: Practically all ransomware attackers demand ransom in Bitcoins. Bitcoin is a relatively new currency which has significantly increased in value over the past few years. Bitcoins are known as a cryptocurrency and can be traded in order to earn money.</p>
<p>11. <a href="https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/" target="_blank">Ransomware that's 100% pure JavaScript, no download required</a>: By the start of 2016, many crooks were steadily shifting their infection strategy as the world began to realise that enabling macros was a really bad idea. These days, a lot of ransomware arrives in JavaScript attachments, and this blog analyses and presents the challenges associated with the same.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/atp-advanced-threat-protection-technology-stack">ATP( Advanced Threat Protection) Technology Stack</a> )</p>
</div>Ransomware Attacks: How Prepared Are You?https://www.cisoplatform.com/profiles/blogs/ransomware-attacks-how-prepared-are-you2016-08-01T12:30:00.000Z2016-08-01T12:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p>Ransomware is a type of malicious software (malware) that, once it infects a system, encrypts all the important files such as documents, pictures and movie files with a virtually unbreakable encryption key. Ransomware arrives via email attachments, insecure downloads, use of outdated browsers, or through Trojans such as Zeus. Once executed, the malware usually reaches out to its command and control server over an internet connection to get the encryption key. The encryption is almost always asymmetric and impossible to crack. The malware is also able to encrypt locally mapped network drives and cloud storage drives. The main motive of the attacker is to extort money from the victim in return for the private key for decryption. The attacker usually leaves a message in encrypted folders instructing users to pay the ransom in Bitcoins or via MoneyPak. In most cases even paying the ransom does not work well for the victim, as the private key fails to decrypt some of the important documents, especially those on mapped drives and locally mapped cloud storage drives. There is ransomware developed specifically for mobile platforms as well, which has affected thousands of mobile devices worldwide.</p>
<p>Some of the well-known ransomware families are CryptoLocker, CryptoWall, TeslaCrypt, TorrentLocker and CTB-Locker. Attackers frequently release new variants of ransomware by tweaking and subtly changing lines of code in the most popular ones to avoid detection. According to various research works, India ranks 3rd in Asia and 9th worldwide among the countries affected by malware attacks, the most affected sectors being banking and pharmaceuticals. A research team at Malwarebytes has identified LeChiffre, whose name means "encryption" in French, which caused millions of dollars of damage after infecting several banks and pharmaceutical companies. According to The Economic Times, some companies have paid ransoms in millions of dollars after such attacks.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/5-major-types-of-hardware-attacks-you-need-to-know">5 Major Types Of Hardware Attacks You Need To Know</a> )</p>
<p><b>Here are some of the tips that you can put to use to prevent yourself from getting into such situations:</b></p>
<h2><span class="font-size-4">1. Back up your important data at regular intervals</span></h2>
<p>This is the most logical preventive measure that your organization can adopt to thwart such attacks. Make sure that your backup solution is up and running as it should be. Keep in mind that the backup should be kept on a separate external drive. If you are using an automated backup solution, make sure that your backup drives are connected only during the backup process and are disconnected from the network once the process is complete.</p>
<h2><span class="font-size-4">2. Develop a robust vulnerability management and patch management program</span></h2>
<p>Vulnerable applications and software are among the attack vectors used by attackers. Remember to keep your operating systems, browsers, browser plug-ins, Java and other software up to date with the latest patches installed. The best way to accomplish this is by developing a robust vulnerability management and patch management program; using automated vulnerability detection tools and patch management solutions, and making sure that all patches are installed in a timely manner, gives you better protection against such attacks.</p>
<h2><span class="font-size-4">3. Fine-tune your systems and security solutions to a more secure configuration</span></h2>
<p>Fine-tuning your security solutions and systems can give you a great deal of protection against ransomware attacks. For example:</p>
<ul>
<li>Tweak your anti-spam solution to filter out mails with executable attachments.</li>
<li>Tweak your IPS and firewall to block any malicious traffic.</li>
<li>Disable remote access services on systems if not required.</li>
<li>Deactivate auto-play for devices.</li>
<li>Disable unused network adapters (Wi-Fi, Bluetooth etc.).</li>
<li>Do not map network drives or cloud storage folders to your local system unless necessary.</li>
<li>Configure systems to show hidden file extensions.</li>
<li>Block unauthorized USB access.</li>
<li>Uninstall applications that you don't use.</li>
</ul>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/5-reasons-to-consider-security-information-event-management">5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution</a> )</p>
<h2><span class="font-size-4">4. Use a good endpoint security solution to detect any malicious code</span></h2>
<p>Good, advanced anti-malware software can help you identify malicious code and possible malware attacks. Keep your security software up to date with the latest version and malware database. It is also a good idea to run Windows Firewall or other host firewall software on your system to detect any unauthorized attempt by malicious code to connect to the internet.</p>
<h2><span class="font-size-4">5. Educate your employees & colleagues</span></h2>
<p>Educate your employees about safe internet browsing practices, such as not double-clicking suspicious links, not running suspicious programs on their systems and not installing unverified browser plug-ins. Employees should also be educated about social engineering attacks and about verifying mail attachments before downloading or opening them.</p>
<p>References:</p>
<ul>
<li><a href="http://www.symantec.com/security_response/publications/threatreport.jsp">http://www.symantec.com/security_response/publications/threatreport.jsp</a></li>
<li><a href="https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/">https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/</a></li>
</ul>
<div><div>
</div>
</div></div>NIST Aligned Process For Threat Managementhttps://www.cisoplatform.com/profiles/blogs/incident-response-threat-management-nist-kill-chain-model2017-07-13T07:00:00.000Z2017-07-13T07:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p>This article highlights the Threat Management Process in Incident Response and brings in the understanding of the Kill chain model. Excerpts have been taken from a session presented at <a href="https://www.sacon.io/?utm_source=CP&utm_medium=BlogText1&utm_campaign=IRNISTKillChain_Sacon_Bang_2017" target="_blank">SACON - The Security Architecture Conference</a>. You can view the full slide <a href="http://www.cisoplatform.com/profiles/blogs/incident-response-validation-containment-forensics" target="_blank">here</a>.</p>
<p>For a more in-depth session on Incident Response, Threat Intel and many more topics, sign up for SACON <a href="https://www.sacon.io/?utm_source=CP&utm_medium=BlogText2&utm_campaign=IRNISTKillChain_Sacon_Bang_2017" target="_blank">here</a>.</p>
<p><strong><span class="font-size-5">3 Stages Of Incident LifeCycle<br /></span></strong></p>
<ul>
<li>Detection & Analysis</li>
<li>Response & Recovery</li>
<li>Post incident</li>
</ul>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/bad-usb-defense-strategies">Bad USB Defense Strategies</a> )</p>
<p><strong><span class="font-size-5">Threat Management - NIST Aligned Process</span></strong></p>
<table style="border:2px solid #000000;text-align:center;padding:0px;width:400px;">
<tbody id="my_table"><tr><td colspan="3" style="border:2px solid #000000;padding:2px;">Detection & Analysis</td>
<td colspan="3" style="border:2px solid #000000;padding:2px;">Response & Recovery</td>
<td style="border:2px solid #000000;padding:2px;">Post Incident</td>
</tr>
<tr><td style="border:2px solid #000000;padding:2px;">Analyse Logs and Information Security Events</td>
<td style="border:2px solid #000000;padding:2px;">Validate Incident Scale and Consequence</td>
<td style="border:2px solid #000000;padding:2px;">Based on priority, assemble ISIRT, notify appropriate parties and escalate incidents (e.g. critical & high priority crisis and emergency incidents escalated to Country Emergency Manager)</td>
<td style="border:2px solid #000000;padding:2px;">Direct ISIRT, develop incident response plan, activate rapid response team if needed and communicate incident to internal & external stakeholders</td>
<td style="border:2px solid #000000;padding:2px;">Eradicate technical vulnerabilities and incident root causes</td>
<td style="border:2px solid #000000;padding:2px;">Recover affected information systems and business operations</td>
<td style="border:2px solid #000000;padding:2px;">Document lessons learnt</td>
</tr>
<tr><td style="border:2px solid #000000;padding:2px;">Identify potential information security incidents</td>
<td style="border:2px solid #000000;padding:2px;">Assign consequence, severity and priority ratings</td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;">Perform incident containment, investigation and root cause analysis, forensics and evidence management</td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;">Close Incident</td>
</tr>
<tr><td style="border:2px solid #000000;padding:2px;">Categorize incident</td>
<td style="border:2px solid #000000;padding:2px;">Review & confirm ratings</td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;">Create incident review report</td>
</tr>
<tr><td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;">Endorse ratings</td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;"></td>
<td style="border:2px solid #000000;padding:2px;">Develop and implement IS-IM improvement recommendations</td>
</tr>
</tbody>
</table>
<p>View the full table & slides <a href="http://www.cisoplatform.com/profiles/blogs/incident-response-validation-containment-forensics" target="_blank">here</a>.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/incident-response-how-to-respond-to-security-breach-first-24-hour">Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist)</a> )</p>
</div>Top 5 Threat Hunting tools for Q1 2017https://www.cisoplatform.com/profiles/blogs/top-5-threat-hunting-tools-for-q1-20172019-11-29T07:30:00.000Z2019-11-29T07:30:00.000ZCISO Platformhttps://www.cisoplatform.com/members/CISOPlatform<div>
<p>Here is the list of the top 5 emerging Threat Hunting tools and their vendors, but before that, let us understand what threat hunting actually refers to.</p>
<div class="entry-content"><h1>What is Threat Hunting?</h1>
<ul>
<li>Threat hunting is a proactive approach to identifying adversaries rather than reactively waiting for an alert to go off. It is an iterative process, meaning that it has to be carried out continuously in a loop, with each cycle beginning with a hypothesis. It involves a security analyst who keeps an eye on threat intelligence and other data and, using their knowledge, builds a hypothesis about potential threats to the resources of the company they are protecting. It is possible to partly automate some of this using machine learning, together with user and entity behavior analytics, to highlight potential risks. With this new market, organisations are attempting to capitalise on the buzz around threat hunting, positioning their own products as able to operate in this latter space.</li>
</ul>
<h2><span style="text-decoration:underline;">So, let’s have a look at the top 5 Threat Hunting tools for Q1 2017</span>:</h2>
<h2>Sqrrl</h2>
<p><a href="https://www.firecompass.com/security/products/threat-hunting-th/sqrrl-enterprise"><img class="aligncenter wp-image-8309 align-center" title="top-5-vendors-emerging-threat-hunting" src="https://www.firecompass.com/wp-content/uploads/2017/10/Cyber-Security-Blogs-300x150.png" alt="" width="218" height="109" /></a></p>
<ul>
<li><a href="https://www.firecompass.com/security/vendor/Sqrrl?vendorId=61ff28bb-61c3-4967-9c6b-f7b9e19a9f07" target="_blank">Sqrrl</a> is the threat hunting company that enables organizations to target, hunt, and disrupt advanced cyber threats. Sqrrl’s industry-leading Threat Hunting Platform unites link analysis, User and Entity Behavior Analytics (<a href="https://en.wikipedia.org/wiki/User_behavior_analytics" target="_blank">UEBA</a>), and multi-petabyte scalability capabilities into an integrated solution. Sqrrl reduces attacker dwell time by detecting adversarial behavior faster and with fewer resources through the use of machine learning, and enables effective threat hunting. As an incident response tool, it enables analysts to investigate the scope, impact, and root cause of an incident more efficiently and thoroughly than ever before.</li>
<li>Product: <a href="https://www.firecompass.com/security/products/threat-hunting-th/sqrrl-enterprise" target="_blank">Sqrrl Enterprise</a></li>
</ul>
<h2>Vectra</h2>
<p><a href="https://www.firecompass.com/security/products/threat-hunting-th/vectra-networks-vectra-cognito"><img class="aligncenter wp-image-8311 size-medium align-center" title="top-5-vendors-emerging-threat-hunting" src="https://www.firecompass.com/wp-content/uploads/2017/10/vectra_logo_-300x94.jpg" alt="" width="300" height="94" /></a></p>
<ul>
<li><a href="https://www.firecompass.com/security/vendor/Vectra%20Networks?vendorId=837cf982-73bc-4af7-a32f-7bf97bc66ec3" target="_blank">Vectra</a> Cognito™ is the fastest, most efficient way to find and stop attackers in your network. It uses artificial intelligence to deliver real-time attack visibility and put attack details at your fingertips to empower immediate action. Vectra Cognito unburdens and empowers security operations teams that are often understaffed and under siege. This is achieved by automating the time-consuming analysis of security events and eliminating the need to endlessly hunt for hidden threats. Vectra Cognito automates the hunt for cyber attackers, shows where they’re hiding and tells you what they’re doing. The highest-risk threats are instantly triaged, correlated to hosts and prioritized so security teams can respond faster to stop in-progress attacks and avert data loss.</li>
<li>Product: <a href="https://www.firecompass.com/security/products/threat-hunting-th/vectra-networks-vectra-cognito" target="_blank">Vectra Cognito™</a></li>
</ul>
<h2>Infocyte</h2>
<p><a href="https://www.firecompass.com/security/products/threat-hunting-th/infocyte-hunt"><img class="aligncenter wp-image-8312 size-medium align-center" title="top-5-vendors-emerging-threat-hunting" src="https://www.firecompass.com/wp-content/uploads/2017/10/Infocyte-logo-blue-black-2x-300x80.png" alt="" width="300" height="80" /></a></p>
<ul>
<li><a href="https://www.firecompass.com/security/vendor/Infocyte?vendorId=62659c92-a5d4-4f38-a260-24d789fd5109" target="_blank">Infocyte</a> is a developer of proactive cyber security solutions designed to identify threats and unauthorized activity on enterprise networks. Through their technology, Infocyte is pioneering the first objective breach discovery assessment that is both fast and affordable enough to perform regularly. Infocyte HUNT provides an easy-to-use, yet powerful solution to limit risk and eliminate dwell time by enabling an organization’s own IT and security professionals to proactively discover malware and persistent threats, active or dormant, that have successfully breached existing defenses and established a beachhead on one or more endpoint devices.</li>
<li>Product: <a href="https://www.firecompass.com/security/products/threat-hunting-th/infocyte-hunt" target="_blank">Infocyte HUNT</a></li>
</ul>
<div><div><span style="font-size:14pt;"><strong><a href="https://www.cisoplatform.com/profiles/blogs/top-5-emerging-vulnerability-management-solutions-for-q1-2017" target="_blank">READ MORE >> Top 5 Emerging Vulnerability Management Solutions for Q1 2017</a></strong></span></div>
</div>
<h2>Exabeam</h2>
<p><a href="https://www.firecompass.com/security/products/threat-hunting-th/exabeam-threat-hunter"><img class="aligncenter wp-image-8313 size-medium align-center" title="top-5-vendors-emerging-threat-hunting" src="https://www.firecompass.com/wp-content/uploads/2017/10/exabeam-300x123.png" alt="" width="300" height="123" /></a></p>
<ul>
<li><a href="https://www.firecompass.com/security/vendor/Exabeam?vendorId=c3a4f608-6b5d-4033-bbac-fcf5b205158e" target="_blank">Exabeam</a> Threat Hunter is an advanced querying tool that uses Stateful Session data models to complement user behavior analytics. It enables security analysts to search and pivot across multiple dimensions of user activity to find sessions that contain specific unusual behaviors or find users that match certain criteria. For example, an analyst might ask to see “all sessions where a user logged into the VPN from a foreign country for the first time, then accessed a new server for the first time, after which FireEye created a malware alert.” This level of analysis across disjoint activities and systems is simple with Exabeam. Now analysts can ask new questions. With Threat Hunter, machine learning provides intelligent answers, in addition to alerts.</li>
<li>Product: <a href="https://www.firecompass.com/security/products/threat-hunting-th/exabeam-threat-hunter" target="_blank">Exabeam Threat Hunter</a></li>
</ul>
<h2>Endgame Inc.</h2>
<p><a href="https://www.firecompass.com/security/products/threat-hunting-th/endgame-inc-endgame"><img class="aligncenter wp-image-8314 size-medium align-center" title="top-5-vendors-emerging-threat-hunting" src="https://www.firecompass.com/wp-content/uploads/2017/10/Endgame-300x75.png" alt="" width="300" height="75" /></a></p>
<ul>
<li><a href="https://www.firecompass.com/security/vendor/Endgame%20Inc.?vendorId=6cc99d59-0f25-4fce-aa2f-f4538e4fc888" target="_blank">Endgame Inc.</a> is a leading endpoint security platform that transforms security operations teams and incident responders from crime scene investigators into hunters that prevent damage and loss, and dramatically reduces the time and cost associated with incident response and compromise assessment. Endgame’s platform uses machine learning and data science to prevent and detect unique attacks at the earliest and every stage of the attack lifecycle. Endgame’s integrated response stops attacks without disrupting normal business operations.</li>
<li>Product: <a href="https://www.firecompass.com/security/products/threat-hunting-th/endgame-inc-endgame" target="_blank">Endgame</a></li>
</ul>
<h2>DNIF</h2>
<p><img class="size-medium wp-image-8297 aligncenter align-center" src="https://www.firecompass.com/wp-content/uploads/2018/09/logo-yello-1-300x120.png" alt="" width="300" height="120" /> </p>
<ul>
<li><a href="https://www.firecompass.com/security/vendors/dnif-product-of-netmonastery-">DNIF</a>, a product of NETMONASTERY, offers solutions to the world’s most challenging cybersecurity problems. Recognized by Gartner and used by well-known global companies such as PwC, Vodafone and Tata, this next-generation analytics platform combines Security and Big Data Analytics to provide real-time threat detection and analytics for the most critical data assets on the Internet.</li>
<li>With over a decade of experience in threat detection systems, DNIF has one of the fastest query response times and bridges the gap between searching, processing, analyzing and visualizing data, thereby enabling better SOC (Security Operations Center) management.</li>
<li>Product: <a href="https://www.firecompass.com/security/vendors/dnif-product-of-netmonastery-">DNIF</a></li>
</ul>
</div></div>Data Security and Threat Modelshttps://www.cisoplatform.com/profiles/blogs/data-security-and-threat-models2020-05-08T05:30:00.000Z2020-05-08T05:30:00.000ZDr. Anton Chuvakinhttps://www.cisoplatform.com/members/DrAntonChuvakin<div><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">This post is my admittedly imperfect attempt to “reconnect” data security controls to threats. It is also my intent to continue pulling on the thread I touched in<span> this post</span>— so expect more posts about that.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Let’s first get this out of the way: there are absolutely security controls that are NOT connected to threats, regulations or business requirements. They<span> </span><em class="hx">just are</em>,<span> </span><a href="https://en.wikiquote.org/wiki/The_Tao_of_Pooh" class="cl dj ht hu hv hw" target="_blank">like Winnie the Pooh</a>. And this is OK. My former team had excellent research on this very topic,<span> </span><a href="https://www.gartner.com/en/documents/3885867/building-the-foundations-for-effective-security-hygiene" class="cl dj ht hu hv hw" target="_blank">under the label of “security hygiene.”</a><span> </span>This said, my<span> </span><em class="hx">“cyber-intuition”</em><span> </span>tells me to be very, very conservative with tossing controls (whether technical or paper/administrative) into the hygiene, baseline, default or “best practice” bucket.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Specifically, many security professionals were burned — some perhaps even scarred for life — when they told the business to implement a particular security technology because “it is a best practice” and then were beaten up bloody as a result :-) Even when the above research<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2014/06/20/security-essentials-basics-fundamentals-bare-minimum/" class="cl dj ht 
hu hv hw" target="_blank">was being written</a>, there were a few<span> </span><em class="hx">savage fights</em><span> </span>… eh …<em class="hx"><span> </span>gentlemanly discourses</em><span> </span>on the team about some technologies being IN or OUT of the hygiene bucket. If I recall correctly, patch management was non-controversial as a hygiene control (even though the remediation time variable is set by risks or compliance frameworks such as 30 days in<span> </span><a href="https://pcibook.wordpress.com/" class="cl dj ht hu hv hw" target="_blank">PCI DSS</a>).</p><p id="d5b7" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">So, let’s pre-summarize this by stating that a small number of such controls exists, and there is that. Now, another brief side note, where else can security controls come from? Naturally, compliance requirements (<a href="https://www.amazon.com/PCI-Compliance-Understand-Implement-Effective/dp/159749948X" class="cl dj ht hu hv hw" target="_blank">PCI DSS</a>, GDPR, HIPAA etc), business requirements (such as from partners, contracts, etc) and of course threats — our dear subject here. Notice that I am now going to punt a small problem — I will not bring up the voluntary control frameworks like NIST CSF, ISO27001 and others (in all honesty, they are meant to be tuned based on your risks/threats, rather than followed blindly like compliance). Lately, BTW, I’ve been realizing that perhaps there is also a category of security controls that make people<span> </span><em class="hx">feel<span> </span></em>secure … but I digress.</p><p id="dcbf" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Now, data security. 
Let’s pick a few data security controls such as encryption (my recent favorite for some reason), Data Loss Prevention (DLP) including data discovery, data classification (<a href="https://www.gartner.com/en/documents/2160719/information-classification-an-essential-security-thing-y" class="cl dj ht hu hv hw" target="_blank">note the paper title here</a><span> </span>and<span> </span><a href="https://blogs.gartner.com/jay-heiser/2013/05/29/why-do-you-classify/" class="cl dj ht hu hv hw" target="_blank">see this too</a>), tokenization, data masking, data-level access control, etc.</p><p id="e9d7" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb"><strong class="hb hy">Encryption</strong>. Naturally, a large number of mandates prescribe that you encrypt data, whether in transit or in storage. PCI DSS is very clear about that. HIPAA strongly implies it.<span> </span><a href="https://www.unifiedcompliance.com/" class="cl dj ht hu hv hw" target="_blank">Numerous other guidance documents</a><span> </span>do too. Some even veer into key management advice, but some do not — so you must encrypt, but it’s OK to leave the key under the doormat … However, given the costs and the risks (such as if you encrypt properly, losing the key also loses the data for you … duh!), I prefer to treat encryption as a threat-based control as well as a compliance-based one.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Here is a trivial case: encrypt the mobile device to prevent data loss in case of device theft. Naturally, the thief — the likely threat actor in question — does not have a key (unless Post-It notes are involved). Here is a harder case: servers in a data center. Ah, what is the threat here? Not server theft, I hope. Around 2013, Gartner published a piece that perhaps you should not encrypt data center servers unless you know why specifically you are doing it. 
It caused a small uproar among the “but encryption is a best practice!” crowd. To have encryption be truly threat-based here, one needs to think about what problem you are solving with encryption, frankly. Because you sure are paying the cost, so won’t it be nice to be clear about the benefits?!</p><p id="a50b" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Here is an even harder case: encryption of public cloud instances. Now, please don’t say server theft. Is it about a fellow cloud user taking your data? An attacker with access to your instance? A cloud provider rogue employees? BTW, we just launched this ingenious piece of technology called<span> </span><a href="https://cloud.google.com/ekm" class="cl dj ht hu hv hw" target="_blank">External Key Manager</a><span> </span>that allows you to keep your cloud encryption keys on premise and not in the cloud. Could you guess the threat model for that? More on this in future posts…</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">BTW, I feel like<span> </span><strong class="hb hy">“guess the threat model” should be a mandatory game for many security leaders who push control frameworks and other “solutions before problems” security approaches<span> </span></strong>…. The<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2014/04/16/threat-assessment-a-tough-subject-and-sharks-with-fricking-lasers/" class="cl dj ht hu hv hw" target="_blank">forgotten art of threat assessment</a><span> </span>needs to be practiced more! Encryption and key management used to protect against device theft and encryption deployed to protect against another government getting to your corporate data look very, very different from the implementation perspective. Encryption is not a compliance checkbox … or rather shouldn’t be.</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb"><strong class="hb hy">DLP</strong>. 
With DLP, things are a bit murky as well. There is still<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2016/02/09/my-dlp-survey-results/" class="cl dj ht hu hv hw" target="_blank">a raging debate</a><span> </span>about whether DLP can be effective against anything but accidental leaks by a well-meaning employee. However, this still counts as good news, because there is an explicit threat here — albeit a deeply unimpressive one. DLP (<a href="https://www.unifiedcompliance.com/products/search-controls/control/12128/" class="cl dj ht hu hv hw" target="_blank">last I checked</a>) is not explicitly mandated by any compliance documents. However, it is a very popular implied control for many regulations, again PCI DSS and GDPR come to mind. Admittedly, very few people treat DLP as “basic security goodness” because of<span> </span><a href="https://blogs.gartner.com/anton-chuvakin/2012/10/25/on-dlp-processes-or-no-dlp-for-dummies/" class="cl dj ht hu hv hw" target="_blank">huge operational burden</a><span> </span>associated with it, especially if DLP is aimed at catching technically adept malicious insiders (and, yes, I’ve seen such cases — and DLP worked well… as long as the team of 50 top-notch security engineers were there to make it work…). Just as with encryption, a DLP implementation to cover a couple of PCI DSS compliance cases will look dramatically different from a multi-pronged large scale deployment aimed at preventing the insiders from stealing your secrets. DLP to support privacy in the cloud would look different from cloud DLP focused on user mistakes and omissions. 
In other words, threat models matter here as well!</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Let’s summarize: start from the painfully obvious<strong class="hb hy"><span> </span>“don’t deploy security controls — whether data security or others — unless you know what problem you are solving.</strong>”</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">A deeper conclusion is<strong> “explicit threat models do make security better, save money, reduce risk, etc.”</strong> Finally, <strong>“accept that some security controls just are — and this is OK as long as the list is small.”</strong></p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb">Definitely, to be continued …</p><p class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm fb"><strong class="hb hy">Related blog posts:</strong></p><ul><li id="aa59" class="gz hn ct by hb b hc hd ho he hf hp hg hh hq hi hj hr hk hl hs hm hz ia ib"><a class="cl dj ht hu hv hw" target="_blank" href="https://medium.com/anton-on-security/musings-on-modern-data-security-ce35d755d63f">Musings on Modern Data Security</a></li></ul><p><span>(</span><a href="https://medium.com/anton-on-security/data-security-and-threat-models-730312ca3ab2" target="_blank">cross-posted</a><span> from </span><a href="https://medium.com/anton-on-security" target="_blank">Anton on Security</a><span>)</span></p></div>Role of Context in Threat Detectionhttps://www.cisoplatform.com/profiles/blogs/role-of-context-in-threat-detection2021-01-13T18:43:43.000Z2021-01-13T18:43:43.000ZDr. Anton Chuvakinhttps://www.cisoplatform.com/members/DrAntonChuvakin<div><p id="dfdf" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">I got into a very insightful debate with somebody who will remain nameless in the beginning of this post, but will perhaps be revealed later. 
The debate focused on the <strong class="hc hy">role of context in threat detection.</strong></p>
<p id="c043" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">Specifically, it is about the role of <strong class="hc hy">local </strong>context (environment knowledge, organization context, site details, etc) in threat detection. <strong class="hc hy">Can threat detection work well without such local context?</strong></p>
<p id="fe13" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">Now, some of you will say “yes, of course!” and will point at the “<em class="hz">success</em>” (well, let’s not get into a fight over this) of anti-malware technology. After all, anti-malware tools promise to detect malware using vendor-created signatures that operate without any input from the customer about their environment (as a minor sidenote, if you “tune” AV then you do introduce that very local context). Note that for this discussion it does not matter that anti-malware will detect and then block (“prevent”) the threat (in other discussions, <a class="co ia" href="https://blogs.gartner.com/anton-chuvakin/2016/01/25/no-virginia-it-does-not-mean-that/" target="_blank">it definitely does</a>).</p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">The same line of thinking then affected intrusion detection as it was developing in the late 1990s. Intrusion detection systems (IDS) that had lots of signatures and so could detect something out of the box were “successful” (at least as a business) while those that expected customers to write signatures failed or had to evolve.</p>
<p id="a8cc" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">Then it was SIEM’s turn: SIEM vendors with lots of rules and reports <a class="co ia" href="https://blogs.gartner.com/anton-chuvakin/2015/12/02/starting-a-siem-project-from-vendor-use-case-content-win-or-fail/" target="_blank">were more successful</a> (and now we have <a class="co ia" href="https://socprime.com/" target="_blank">SOC Prime</a> with lots of community rules). Next, it was <a class="co ia" href="https://blogs.gartner.com/anton-chuvakin/2017/09/06/security-analytics-platform-first-or-content-first/" target="_blank">security analytics tool sets</a> with their “trained ML unicorns”: those with lots of pre-tuned algorithms seemed to be selling better. See the pattern yet? It seems like you can be successful with threat detection without any input from each specific client.</p>
<p id="d2ec" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">Now, let’s pause and think for a second! What if the industry was … well … if not wrong, but also not entirely right. <strong class="hc hy">What if truly successful threat detection must be a collaboration between the vendor and the customer?</strong></p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">In fact, it is easy to find examples of where canned and context-less threat detection does not work all that well. For this, let’s review how successful the detection technologies really are in regards to their use of local context data.</p>
<ul>
<li class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ib ic id dh"><strong class="hc hy">Anti-malware </strong>mostly works (when it does) yet the ransomware epidemic continues and top-tier state-sponsored/-affiliated malware is almost never detected by traditional anti-malware tools. Along the same line, many initial loaders (that you may call “commodity”) aren’t well detected either, and it’s easier to obtain access to these as malicious tools than ever before. Finally, when used in large enterprises, AV is often tuned hence this local knowledge is in fact introduced.</li>
<li class="ha hb ff hc b hd ie hf hg hh if hj hk hl ig hn ho hp ih hr hs ht ii hv hw hx ib ic id dh"><strong class="hc hy">Network IDS </strong>and related technologies (like NDR) don’t really work or don’t work well without local context; at the very least, you will need to “tune” (i.e. add local context like “ignore this server, it always triggers that in legitimate traffic”). Untuned NIDS has long been a subject of many jokes, dating back to the 1990s, if not the 1980s.</li>
<li class="ha hb ff hc b hd ie hf hg hh if hj hk hl ig hn ho hp ih hr hs ht ii hv hw hx ib ic id dh"><strong class="hc hy">SIEM </strong>mostly does not work without a lot of local context, vendor-written SIEM rules never became “shoot and forget”, and you need to tweak them based on your environment and/or write your own rules. This is accepted by most sane SIEM vendors and customers.</li>
<li class="ha hb ff hc b hd ie hf hg hh if hj hk hl ig hn ho hp ih hr hs ht ii hv hw hx ib ic id dh"><strong class="hc hy">EDR </strong>would be a mixed bag, in this regard. Many EDR rules are naive pattern matching. Take a PowerShell execution with specific command line parameters. A rule may be tuned from 22,000 results all the way down to 17 because (say) PowerShell gets executed in a “suspicious” way all the time and local context (a whitelist for system, process, application, etc.) is needed. With ML-based EDR, the situation is … as far as I see … the same. Anomalies detected need local context to mean something.</li>
</ul>
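<p>The EDR tuning described in the list above, as an added example that is not from the original post: a context-free rule over PowerShell process-creation events, then the same rule with a local-context allowlist layered on. The events, host names, the <code>mgmtagent.exe</code> parent and the approved script paths are all constructed, and which PowerShell switches count as suspicious is an assumption of the example.</p>

```python
"""Added example (not from the original post): a context-free EDR-style PowerShell rule,
then the same rule with a local-context allowlist. All events and the allowlist are constructed."""
import shlex
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str       # endpoint hostname
    parent: str     # parent process image name
    image: str      # process image name
    cmdline: str    # full command line as recorded by the sensor


@dataclass(frozen=True)
class LocalContext:
    """Site knowledge an analyst layers on top of the vendor rule (hypothetical)."""
    admin_hosts: FrozenSet[str]     # hosts where ops staff legitimately script PowerShell
    benign_parents: FrozenSet[str]  # parent images of sanctioned automation
    benign_scripts: FrozenSet[str]  # full paths of approved scripts, lowercased


# Real PowerShell parameters; treating exactly these as "suspicious" is an assumption of the example.
WATCHED_SWITCHES = ("encodedcommand", "noprofile", "windowstyle", "executionpolicy")


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths together."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return cmdline.split()


def _switch_body(token: str) -> str:
    """'-NoProfile' -> 'noprofile'; empty string for anything that is not a switch."""
    return token[1:].lower() if token.startswith("-") and len(token) > 1 else ""


def _has_switch(tokens: List[str], name: str) -> bool:
    """True if any token is `name` or a prefix abbreviation of it (-nop, -w, -enc); simplified."""
    return any(_switch_body(t) and name.startswith(_switch_body(t)) for t in tokens)


def script_path(tokens: List[str]) -> Optional[str]:
    """Lowercased path passed to -File (or an abbreviation such as -f), if any."""
    for i, tok in enumerate(tokens[:-1]):
        body = _switch_body(tok)
        if body and "file".startswith(body):
            return tokens[i + 1].strip('"').lower()
    return None


def naive_rule(ev: ProcessEvent) -> bool:
    """Vendor-style rule with no local knowledge: PowerShell plus any watched switch."""
    if ev.image.lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    tokens = _tokens(ev.cmdline)
    return any(_has_switch(tokens, name) for name in WATCHED_SWITCHES)


def contextual_rule(ev: ProcessEvent, ctx: LocalContext) -> bool:
    """The same rule, minus executions the site knows to be benign."""
    if not naive_rule(ev):
        return False
    tokens = _tokens(ev.cmdline)
    # An approved script is fine anywhere, unless an encoded payload rides along with it.
    if script_path(tokens) in ctx.benign_scripts and not _has_switch(tokens, "encodedcommand"):
        return False
    # Sanctioned automation: the known agent as parent, on a host where it is expected.
    # Keep this clause narrow; allowlisting by host alone or parent alone would be too broad.
    if ev.host.lower() in ctx.admin_hosts and ev.parent.lower() in ctx.benign_parents:
        return False
    return True


def evaluate(events: List[ProcessEvent], ctx: LocalContext) -> Tuple[List[ProcessEvent], List[ProcessEvent]]:
    """Return (alerts from the naive rule, alerts left after local context is applied)."""
    return [e for e in events if naive_rule(e)], [e for e in events if contextual_rule(e, ctx)]


SITE_CONTEXT = LocalContext(
    admin_hosts=frozenset({"ops-01", "ops-02", "ops-03"}),
    benign_parents=frozenset({"mgmtagent.exe"}),
    benign_scripts=frozenset({r"c:\ops\patch-check.ps1", r"c:\ops\inventory.ps1"}),
)

# Constructed sensor events; "<ENCODED_PLACEHOLDER>" stands in for a base64 blob.
EVENTS = [
    ProcessEvent("ops-01", "mgmtagent.exe", "powershell.exe",
                 r'powershell.exe -NoProfile -WindowStyle Hidden -File "C:\Ops\patch-check.ps1"'),
    ProcessEvent("ops-03", "mgmtagent.exe", "powershell.exe",
                 r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Ops\inventory.ps1"'),
    ProcessEvent("ops-02", "mgmtagent.exe", "powershell.exe",
                 'powershell.exe -NoProfile -Command "Get-Service"'),
    ProcessEvent("ws-117", "cmd.exe", "powershell.exe",
                 r'powershell.exe -ExecutionPolicy Bypass -File "C:\Ops\inventory.ps1"'),
    ProcessEvent("ws-042", "explorer.exe", "powershell.exe", "powershell.exe"),
    ProcessEvent("ws-205", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc <ENCODED_PLACEHOLDER>"),
    ProcessEvent("ops-01", "cmd.exe", "powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand <ENCODED_PLACEHOLDER>"),
]

if __name__ == "__main__":
    naive, tuned = evaluate(EVENTS, SITE_CONTEXT)
    print(f"naive rule: {len(naive)} alerts; with local context: {len(tuned)} alerts")
```

Over the constructed events the naive rule fires six times and the contextual one twice, and the two survivors are exactly the cases the allowlist was never meant to cover.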
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">(note that for attackers armed with <a class="co ia" href="https://lolbas-project.github.io/" target="_blank">“living off the land” techniques</a>, the balance skews even further towards local context criticality for detection)</p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">So, what can we learn from this? <strong class="hc hy">Threat detection today needs local context a lot more than people realize. </strong>Now, successful threat detection programs at elite enterprises, especially those that follow the <a class="co ia" href="https://medium.com/anton-on-security/can-we-have-detection-as-code-96f869cfdc79" target="_blank">“detection engineering”</a> model all know this (this is why most/all of their detection logic is custom or customized, not OOB). But are they <a class="co ia" href="https://medium.com/anton-on-security/why-is-threat-detection-hard-42aa479a197f" target="_blank">a rare exception</a> rather than a trend?</p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">And what does it mean for others? Well, you can hire “help” which here means an MSSP or an MDR (BTW, <a class="co ia" href="https://www.gartner.com/reviews/market/managed-detection-and-response-services" target="_blank">MDR label</a> was born out of frustration with some <a class="co ia" href="https://www.gartner.com/document/3994058" target="_blank">MSSP </a>threat detection offerings, so YMMV). However, please don’t automatically assume that “using an MSSP means that your local realities will be included in the detection process.” They will be — with quality MDRs and MSSPs, but you may also get canned off-the-shelf SIEM or even IDS alerts from some providers. You may need <a class="co ia" href="https://blogs.gartner.com/anton-chuvakin/2018/06/21/is-security-just-too-damn-hard-is-productservice-the-future/" target="_blank">a combination of tools, services</a> and — yes, still! — your own efforts.</p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">Finally, this is where an ML unicorn will again emerge out of the bushes (or wherever they live…) and say “but we can just auto-learn local realities using my little machine brain.” And, presumably, “auto-learn” here will not mean “import from customer repository” (because many organizations simply lack such a thing, like they lack a current and correct list of assets). Well, can it happen? Sure, it can. In theory. Personally, it is easy for me to believe that it can happen, but I will also be the first to admit that I’ve never actually seen it happen … yet.</p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">So, to summarize, we all need to think ….</p>
<ul>
<li id="b7a5" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ib ic id dh">How well does threat detection really work without local context?</li>
<li id="a773" class="ha hb ff hc b hd ie hf hg hh if hj hk hl ig hn ho hp ih hr hs ht ii hv hw hx ib ic id dh">How to best include local context in various detection tools and practices?</li>
<li class="ha hb ff hc b hd ie hf hg hh if hj hk hl ig hn ho hp ih hr hs ht ii hv hw hx ib ic id dh">How to select the vendor who will detect WITH you?</li>
<li class="ha hb ff hc b hd ie hf hg hh if hj hk hl ig hn ho hp ih hr hs ht ii hv hw hx ib ic id dh">How to practice detection jointly with the vendor or service provider rather than merely “consume” it?</li>
</ul>
<p id="b64e" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">P.S. Huge thanks to <a class="co ia" href="https://www.linkedin.com/in/blevene/" target="_blank">Brandon Levene</a> for an idea for this post, for some of the examples and for a great discussion that almost became an argument :-)</p>
<p id="d5eb" class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">P.P.S. I think this situation does not really change in the cloud; you need local cloud context to detect.</p>
<p class="ha hb ff hc b hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx ey dh">Originally posted at "Anton on Security"</p></div>Threat Assessment and Mitigation Checklisthttps://www.cisoplatform.com/profiles/blogs/threat-assessment-and-mitigation-checklist2014-01-01T18:30:00.000Z2014-01-01T18:30:00.000ZCISO Platformhttps://www.cisoplatform.com/members/CISOPlatform<div><p><a href="http://www.cisoplatform.com/profiles/blog" target="_blank"><img src="http://i39.tinypic.com/11hf62u.jpg" class="align-left" alt="11hf62u.jpg" /></a></p>
<p>The network security industry recommends that an organization periodically perform risk modeling, assessment, and risk management to anticipate and take proactive measures against threats.</p>
<p>(Read more: <b><span style="color:#3366ff;"><a href="http://www.cisoplatform.com/profiles/blogs/5-application-security-trends-you-don-t-want-to-miss"><span style="color:#3366ff;">Top 5 Application Security Technology Trends</span></a></span> )</b></p>
<p>While this is a noble venture, a recent Internet search for “risk assessment” returned over 38 million responses. Many of these risk-modeling processes include methods to calculate the cost of risk mitigation compared to the cost of recovery in the event the risk occurs, and various ways to determine the return on investment (ROI) within the risk assessment and mitigation process. Some of these solutions are so convoluted and abstract as to be almost unworkable.</p>
<p><strong><span style="color:#ff6600;">What is needed is a simple-to-operate risk modeling and assessment process and checklist.</span></strong></p>
<p><span style="color:#0000ff;" class="font-size-6"><strong style="font-size:16pt;color:#0000ff;">>> <a href="http://www.cisoplatform.com/page/2012-trend-and-risk-report"><span style="color:#0000ff;">Download the Report & Checklist</span></a></strong></span></p>
</div>