How to Expose Cyber-Attacks and Combat Threats

Published by Michelle Drolet, CEO of Towerwall

Proper analysis will flag suspicious behavior and allow the IT department to assess the threat and take action to close it down

Cybercriminals are employing more sophisticated techniques all the time and far too many companies and organizations still don’t have the protection they really need to safeguard their systems.

The prevalence of targeted attacks and advanced persistent threats (APTs) is disturbing.

The risk is that security is breached, typically through manipulation of employees using a technique such as spear phishing, and existing security systems are unable to detect the attack. Data can be harvested for many months, or even years, before the breach is discovered.

According to a white paper from the Enterprise Strategy Group, 59% of enterprise security professionals believe their organization has been the target of an APT, and 40% of large organizations have invested in various new security technologies as a direct result of APTs.


How Do They Get In?
Penetration may be achieved stealthily, typically with a targeted attack on an employee. The cybercriminal will gather data online, with social network accounts proving to be a particularly rich source. According to Trend Micro research, spear phishing is the preferred method, accounting for a staggering 91% of targeted attacks. The employee targeted will receive an email that appears to come from an organization like LinkedIn, and if they trust the content, they’ll follow the link within to a fake website where they may be tricked into allowing a cybercriminal to gain remote access to their computer.

Once the attacker has access to one employee’s computer they can use it to gain remote access to devices belonging to other employees in the organization. The threat has spread dramatically and traditional security tools will be none the wiser. Provided the attacker is careful to keep the data theft slow and steady, with frequent small file transfers rather than a big data dump, there’s little chance that it will be picked up by existing security systems.

How Do You Catch Them?
The idea is to analyze downloads and network payloads in order to expose potentially malicious communications. It’s about detecting malware or human intrusions into your system by paying close attention to the addresses of any communication. Does the external location for a file transfer make sense? Does the address have a bad reputation? Are the SSL certificates legitimate?

It’s important to expose suspicious internal communications as well. Is there any reason that a specific employee’s computer should be the source of a remote desktop session on another employee’s device? A proper analysis will flag suspicious behavior and allow the IT department to assess the threat and take action to close it down.
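The two internal patterns the article singles out, a workstation acting as the source of a remote desktop session on a peer and a slow, steady stream of small uploads to one external host, can be checked mechanically over flow records. The script below is an added example, not part of the original article; the workstation subnet, the reputation list and the flow records are all constructed for the demonstration.

```python
"""Flag the behaviours described above over constructed flow records:
workstation-to-workstation RDP sessions, many small outbound transfers
to one external host, and contact with a low-reputation address."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: a hypothetical workstation subnet and a
# hypothetical reputation list (TEST-NET addresses, not real indicators).
WORKSTATIONS = ip_network("10.20.0.0/16")
BAD_REPUTATION = {"203.0.113.77"}

# (timestamp, src_ip, dst_ip, dst_port, bytes_out), constructed records
FLOWS = [
    (1, "10.20.1.15", "10.20.1.22", 3389, 900),        # RDP from one desk to another
    (2, "10.20.1.15", "10.20.9.9", 445, 4096),         # ordinary file-share traffic
    *[(10 + i, "10.20.1.15", "203.0.113.77", 443, 50_000) for i in range(12)],
    (40, "10.20.1.30", "198.51.100.5", 443, 200_000),  # one normal large upload
]

def lateral_rdp(flows):
    """Internal-to-internal RDP: a workstation should not be serving RDP to a peer."""
    return [(s, d) for _, s, d, port, _ in flows
            if port == 3389 and ip_address(s) in WORKSTATIONS
            and ip_address(d) in WORKSTATIONS]

def slow_exfil(flows, min_flows=10, max_bytes=100_000):
    """Many small outbound transfers from one host to one external address."""
    counts = defaultdict(int)
    for _, s, d, _, size in flows:
        if ip_address(d) not in WORKSTATIONS and size <= max_bytes:
            counts[(s, d)] += 1
    return [pair for pair, n in counts.items() if n >= min_flows]

def bad_reputation(flows):
    """External destinations that appear on the reputation list."""
    return sorted({d for _, _, d, _, _ in flows if d in BAD_REPUTATION})

def findings(flows=FLOWS):
    return {"lateral_rdp": lateral_rdp(flows),
            "slow_exfil": slow_exfil(flows),
            "bad_reputation": bad_reputation(flows)}

if __name__ == "__main__":
    for kind, hits in findings().items():
        print(kind, hits)
```

The thresholds (ten transfers, 100 KB each) are illustrative; in practice they are tuned against a baseline of what the organization's hosts normally send.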

Keep Your Guard Up
The nature of this threat dictates the need for constant vigilance to keep the cybercriminals out. Shut down one route and they will continue to explore other avenues of access, the more obscure the better. There are many potential penetration points to consider. Activity must be analyzed across the entire organization and you need real-time information on potential attacks and known malicious sources.

How about blocking suspicious URLs and web-based content to stop penetration from the outset? Do you have application firewalls or database security? It’s also wise to ensure that you have data encryption technology in place; far too many companies focus on a Maginot line defense, pouring resources into defending against external attacks and forgetting that if attackers do gain access they can circumvent this security from within. Is your user authentication stringent enough?

How Do You Know You’ve Caught Them?
One of the most worrying aspects of APTs is that advanced attacks typically go unnoticed for over a year. You may be locking the stable door after the horse has bolted. That’s why an analysis of internal traffic is so vital. Suspicious behavior must be followed up and investigated. In the longer term you want to reach beyond identifying and blocking attacks to unmask the criminals responsible so that you can share intelligence to nullify their threat.

Targeted attacks are still on the rise. As governments and large organizations begin to take action and get a handle on the threat, there’s a real risk that many cybercriminals will look for easier prey. Don’t allow your company to be an easy target.


Towerwall Information Security Alert Vol 13.50 – Making phishing more complex – on purpose


Earlier this week a colleague pointed out an intriguing phishing sample that he had come across. It was interesting not because of any great sophistication or complexity, but rather that it illustrated the reuse of an old social engineering trick. The brand being targeted in the phish campaign is Poste Italiane, a well-known Italian group that includes financial and payment services in its product portfolio.

We see numerous phishing attacks targeting this group each month, with attackers keen to trick their customers into unwittingly submitting their credentials to fake login sites. This latest attack takes a similar strategy to many recent phish campaigns, where the email contains an HTML attachment which the recipient is enticed into opening.
From: “Poste Italiane S.p.A – Informazioni”
Attachment: scarica.html
The typical social engineering to entice the user into opening the attachment is evident:
To activate the “Security web Postepay ” you need to:
– Download the attachment, open it in the browser and follow the steps requested.
Curiously, there is reference to some password protection within the attachment, and a password is provided in the message body:
To protect your personal information, the attached file is protected by a password. Your word is unique: A2345L90
Sure enough, recipients tricked into opening the HTML attachment will be prompted for a password.

Inspecting the HTML attachment reveals the code behind this – simple JavaScript that prompts the user for a password, which is then used to decode a string.

If the recipient types in the correct password (A2345L90 in this example), the string is decrypted and written back to the page.

This then loads the phish page via the frame, which references a bit.ly shortened URL.
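Because the decoded content is never present in the attachment until the victim types the password, a mail gateway cannot simply look for the phish URL; it can, however, triage the attachment for the combination of ingredients described above (a prompt, a decoder, a DOM write, a frame, a shortener, a long opaque string). The checker below is an added example and is not SophosLabs' code; the indicator list and the two sample attachments are constructed for the demonstration.

```python
"""Static triage of an HTML e-mail attachment for the lure described above:
a JavaScript password prompt that decodes an embedded string, writes it
into the page and loads the real phish through a frame."""
import re

# Indicators weighed by the check; a constructed list for this example.
INDICATORS = {
    "password_prompt": re.compile(r"\bprompt\s*\(", re.I),
    "decoder": re.compile(r"\b(unescape|atob|fromCharCode|decodeURIComponent)\s*\(", re.I),
    "dom_write": re.compile(r"\bdocument\.write(ln)?\s*\(", re.I),
    "frame": re.compile(r"<i?frame\b", re.I),
    "url_shortener": re.compile(r"\b(bit\.ly|goo\.gl|tinyurl\.com|t\.co)\b", re.I),
    "long_opaque_string": re.compile(r"[\"'][A-Za-z0-9+/%=]{200,}[\"']"),
}

def score_attachment(html: str):
    """Return (score, matched indicator names) for one attachment body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    score = len(hits)
    # A prompt feeding a decoder and a DOM write is the core of this lure;
    # that combination alone is treated as high confidence.
    if {"password_prompt", "decoder", "dom_write"} <= set(hits):
        score += 3
    return score, hits

def is_suspicious(html: str, threshold: int = 4) -> bool:
    """Gateway decision: quarantine when the score reaches the threshold."""
    return score_attachment(html)[0] >= threshold

# Constructed samples: a benign attachment and a non-functional mock-up of
# the lure (the decode() call is undefined and the payload is filler text).
BENIGN = "<html><body><h1>Invoice 42</h1><p>Thank you.</p></body></html>"
LURE = ("<html><body><script>var k=prompt('Password');"
        "var s='" + "QUJD" * 60 + "';"
        "document.write(unescape(decode(s,k)));</script></body></html>")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("lure", LURE)):
        print(label, score_attachment(body), is_suspicious(body))
```

The frame and shortener indicators only fire once the string has been decoded, so a sandbox that supplies the password from the message body (as the victim would) and re-scans the resulting page catches what the static pass cannot.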

This article was originally published by Fraser Howard who is one of the Principal Virus Researchers in SophosLabs.

Towerwall’s Michelle Drolet on Fox 25 to Present MassBay Scholarship Foundation with $10,000 Donation


We are delighted to provide $10,000 to the MassBay Scholarship Foundation so the next generation can become cyber security experts. To learn more about the MassBay Foundation and the Information Security Summit Scholarship, click here.

Could Syria Launch a Major Cyberattack Against the U.S.?

Cyber-attacks take many forms, from cybercrime, to hacktivism, to cyber warfare, and espionage. We’re all used to hearing about phishing attacks and the threat of malware, but organized cyber-attacks perpetrated by groups with political motivations, and sometimes affiliated with foreign governments, are on the rise, and they could represent a much graver threat.

Major concerns about the threat of state-sponsored cyber-attacks on U.S. military and infrastructure have been raised repeatedly long before Syria came to the headlines. Earlier this summer the Pentagon once again accused the Chinese government and military of targeting U.S. government computer systems. The Homeland Security Policy Institute released a report in March about the threat from China, Russia, and Iran.

Is Syria a Serious Threat?

There are fears that attacks originating in the Middle East could cause serious problems. A well-known group of pro-government hackers called the Syrian Electronic Army (SEA) has aligned itself with Syrian President Bashar al-Assad. In the last two months alone the SEA has successfully attacked The New York Times, Huffington Post, and Twitter, not to mention the main recruiting site for the US Marine Corps.

Arguably the group’s greatest success so far was to hack the Associated Press Twitter account and suggest that two explosions at the White House had injured Barack Obama. Reuters estimated that the single bogus tweet wiped out $136.5 billion of the S&P 500 index’s value before markets recovered with the news that the report was bogus.

U.S. Businesses Should Prepare

No doubt the Department of Homeland Security deals with countless attacks on a daily basis, but as the outgoing secretary Janet Napolitano stated in her speech earlier this month, “While we have built systems, protections and a framework to identify attacks and intrusions, share information with the private sector and across the government, and develop plans and capabilities to mitigate the damage, more must be done, and must be done quickly.”

The idea that the U.S. government is the main target of cyber-attacks is a popular misconception.

Looking beyond infrastructure and military targets, banks and financial institutions, and other businesses both big and small, must be on guard. Cyber-attacks can come in many forms, and because organizations are often interconnected in complex ways, an unlikely-seeming target may simply serve as a penetration point into another.

Like water, the attackers will probe the defenses and identify the point of least resistance where they can flow in.

Finding a Level Playing Field

While there’s no doubt that Syria is grossly outgunned by the U.S. in military terms, cyber-attacks are a low-cost alternative to traditional warfare. This Bloomberg report highlights some of the concerns, and includes a pertinent quote from former secretary of the Department of Homeland Security, Michael Chertoff, who said, “The line between national security and private security is eroding.”

‘The Enemy of My Enemy is My Friend’

The fact that cyber-attacks so far have come from the SEA, which is separate from the Syrian authorities, is revealing. As this report from The National Interest suggests, Syria’s cyber warfare capabilities are very limited right now and they are being carefully monitored. The fear is that there’s a real chance that hackers from Iran, North Korea, Russia, or China, could share data or manpower with Syria to enable more serious cyber-attacks to take place.

If the U.S. presses ahead with action against Syria in the face of opposition from allies like Russia and Iran, then the likelihood of Syria being assisted with cyber-attacks is undeniably high. Iran has already stated that there will be reprisals.

Time to Improve Security

Vast sums of money have been spent on safeguarding the power grid, water and chemical works, transit systems, and military installations. Banks and other financial institutions have also been taking steps to counter the threat, but the majority of other businesses are woefully unprepared. Kaspersky’s report on Global Corporate IT Security Risks for 2013 found that only around 40% of companies surveyed felt that enough time and budget was available for them to develop and implement IT security policies.

No one knows for sure when the cyber-attacks will occur, or which organizations will be targeted, but we can be confident that the threat is growing.


By Michelle Drolet, founder and CEO, Towerwall
Special to Wired Innovation Insights

This article was recently published in Wired Innovation Insights


How Can you Expose Targeted Attacks and Combat APTs?


By Michelle Drolet, founder and CEO, Towerwall
Special to Infosec Island

This article was recently published in Infosec Island