Industry Perspectives Blog: briefings on cyber security topics critical for the security professional.
- Addressing Endpoint Security Gap with FireEye Endpoint HX 3.0 by Dan Reis on January 16, 2022 at 8:58 pm
- In Case You Missed It: FireEye Top Stories of the Week
- FireEye Cyber Defense Summit: Not All Conferences Are Created Equal by Helena Brito on January 16, 2022 at 8:58 pm
- In Case You Missed It: FireEye Top Stories 10-02
- In Case You Missed It: FireEye Top Stories of the Week
- In Case You Missed It: FireEye Top Stories 10-23
- Fighting Supply Chain Threats Is Complicated by Adam Philpott on November 30, 2021 at 2:00 pm
Relying on the kindness of strangers is not an ideal strategy for CISOs and CIOs. And yet that is the precise position most find themselves in today while trying to battle cybersecurity issues across their supply chain. While these supply chains have plenty of their own challenges, such as global disruptions of distribution, our recent research shows that it is the cybersecurity problems that will persist over the long term.

It's not as though enterprises rely on their partners any more today than they did ten years ago. Their needs have not changed and are unlikely to change, except in those rare instances where an enterprise chooses to manufacture its own supplies rather than rely on partners. Consider, for example, Costco creating its own gigantic chicken farm. Other than outliers like this, partner reliance is relatively stable.

What is changing with the supply chain is how much system access is being granted to these partners. They are getting access they didn't always get, and far deeper access as well. As technology has advanced to allow such access, enterprises have accepted it. Given the wide range of partners (suppliers, distributors, contractors, outsourced sales, cloud platforms, geographical specialists, and sometimes your own largest customers), the cybersecurity complexities are growing by orders of magnitude.

In addition, the more integrations an enterprise accepts, the higher its risk. To be more precise, the risk doesn't necessarily grow with the number of partners so much as with the number of partners whose cybersecurity environments are less secure than the enterprise's own. To even begin to craft a cybersecurity strategy to manage partners and a global supply chain, the enterprise CISO needs a candid understanding of what their partners' security level truly is.

That is tricky, given that many of those partners themselves do not have a good sense of how secure or insecure they are. One suggestion is to revise contracts to make it a requirement for all partners to maintain a security level equal to the enterprise customer's. The contract must not only specify penalties for non-compliance, penalties costly enough that it makes no sense for a partner to take the chance, but must also specify the means to determine and re-verify that security level. Surprise inspections and the sharing of extensive log files would be a start. Otherwise, even the strictest security environment, such as Zero Trust, may be unable to plug supply chain holes caused by sloppier partner security practices.

Let's say a large enterprise retailer is working with a large consumer goods manufacturer as a partner. A good environment starts with strict authentication, making sure that the user from the partner is really that authorized user. The enterprise environment must also watch the user throughout the session to make sure the user doesn't do anything suspicious. But if the partner has been breached, malware could sneak in through the secure tunnel and, if it is not caught by the enterprise, the enterprise can now be breached too.

This is not hypothetical. Our research found that a vast majority of global enterprises (81 percent) are seeing far more attacks since the beginning of COVID-19. Almost every business depends on the supply chain, making it a prime target for cybercriminals looking to cause disruption and breach wider networks. As the holiday season approaches, we are already seeing a spike in consumer and business activity across the supply chain, making it a prime target for cybercriminals looking to target essential and lucrative services.

Attackers will continue to leverage the global supply chain as an initial entry vector, accessing the network through a trusted connection, system, or user. The fact that these attacks exploit trusted channels makes them very difficult to prevent or detect. As organizations continue their digital transformation, including ever more cloud services, managed services and endpoint modernization, the risk from supply chain threats will increase as its prevalence as a vector does.
- Zero Care About Zero Days by Fred House on November 22, 2021 at 8:00 am
The time to repurpose vulnerabilities into working exploits will be measured in hours, and there's nothing you can do about it ... except patch.

2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. Some cite this as evidence of better detection by the industry, while others credit improved disclosure by victims. Others will simply conclude that as the "upside" grows (e.g., REvil demanding $70M or Zerodium paying $2.5M for exploits), so too will the quantity and quality of players. But the scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were notable as well. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond. Looking back at the past 12 months, we have seen notable breaches that highlight the need for organizations to improve response times:

ProxyLogon. When we first learned in 2020 that roughly 17,000 SolarWinds customers were affected, many reacted in shock at the pure scope of the compromise (it should be noted that a small subset of these customers are believed to have been compromised by follow-on activity). Unfortunately, 2021 brought its own notable increase in volume. Two weeks after Microsoft released a patch for ProxyLogon, they reported that 30K Exchange servers were still vulnerable (less conservative estimates put the number at 60K).

ProxyShell. ProxyShell, a collection of three separate vulnerabilities (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523), was Exchange's second major event of the year after ProxyLogon. In August, a Black Hat presentation outlining Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn't had time to scan the full Internet). In summary: patched in the spring, exploited in the fall. So, what happened in the interim, you ask? The vulnerabilities in the Microsoft Client Access Service were exploited by threat actors who deployed web shells to execute arbitrary code on compromised mobile devices and web browsers.

vCenter Server. Another notable example occurred in May, when VMware released a patch for a remote code execution vulnerability in vCenter Server. This subsequent analysis concluded that over 4,000 systems remained vulnerable one week after the patch was released. Much like Exchange servers, where a typical company will only host a handful of servers, 4,000 vulnerable vCenter servers likely represent thousands of distinct companies.

Kaseya VSA. One bright spot may in fact be the Kaseya VSA breach. On July 2, REvil launched an unprecedented (anyone else tired of that word?) ransomware campaign against public-facing VSA servers. Within two days the DIVD CSIRT reported that the number of exposed VSA servers had dropped from 2,200 to 140. Some estimates suggested that around 50 MSPs were compromised, affecting between 800 and 1,500 businesses. While this doesn't sound like much of a bright spot, patching 94% of the affected systems in two days surely helped reduce the success of REvil copycats.

So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn, however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public-facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their "time to patch."

Still not convinced? Well, the US government is. Check out Binding Operational Directive 22-01, published on November 3rd, which compels all federal agencies to remediate known exploited vulnerabilities in two weeks or sooner "in the case of grave risk to the Federal Enterprise". It's no coincidence that CISA's known exploited vulnerabilities catalog, which lists the vulnerabilities that must be remediated, includes every one of our examples above with a two-week remediation deadline. If the US government can do it, you can too!
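The BOD 22-01 clock described above, turned into a triage script: an added example, not code from the post, CISA or any vendor. The catalog excerpt (the three ProxyShell CVEs plus a placeholder entry) and the asset inventory are constructed; the JSON field names are assumed to match the public KEV feed so that the real download could be passed to load_catalog() instead.

```python
"""Triage an asset inventory against a CISA KEV-style catalog using the
BOD 22-01 remediation clock (two weeks from the date a CVE is added).

Added example, not code from the post or from CISA. KEV_SAMPLE and
INVENTORY are constructed for illustration. Assumption: the field names
(cveID, vendorProject, product, dateAdded, dueDate) match the public feed.
"""
import json
from datetime import date, timedelta

# BOD 22-01 gives federal agencies two weeks for newly catalogued CVEs.
BOD_22_01_WINDOW = timedelta(days=14)

# Constructed catalog excerpt: the ProxyShell CVEs named in the post, plus a
# placeholder entry (not a real CVE) that carries no explicit dueDate.
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-34523", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-31207", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "dateAdded": "2021-11-10"},
    ],
})

# Constructed inventory: scanner output already mapped to CVE ids per host.
INVENTORY = [
    {"host": "exch-01.corp.example", "open_cves": ["CVE-2021-34473", "CVE-2021-34523"]},
    {"host": "exch-02.corp.example", "open_cves": ["CVE-2021-31207"], "patched": ["CVE-2021-31207"]},
    {"host": "app-01.corp.example", "open_cves": ["CVE-EXAMPLE-0001", "CVE-NOT-IN-KEV-0002"]},
]


def load_catalog(raw_json):
    """Parse a KEV feed into {cveID: entry}, converting ISO dates to date objects."""
    catalog = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        item = dict(entry)
        item["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        item["dueDate"] = date.fromisoformat(entry["dueDate"]) if entry.get("dueDate") else None
        catalog[entry["cveID"]] = item
    return catalog


def remediation_deadline(entry, window=BOD_22_01_WINDOW):
    """Use the catalog's own dueDate when present; otherwise apply the two-week window."""
    return entry["dueDate"] or entry["dateAdded"] + window


def assess(catalog, inventory, today):
    """Return one finding per (host, catalogued CVE) that is still open, worst first.

    days_left is negative once the deadline has passed. CVEs absent from the
    catalog are skipped: they may still matter, but they are not on the clock.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        patched = set(asset.get("patched", []))
        for cve in asset["open_cves"]:
            if cve in patched or cve not in catalog:
                continue
            deadline = remediation_deadline(catalog[cve])
            days_left = (deadline - today).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": catalog[cve]["product"],
                "deadline": deadline.isoformat(),
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"], f["cve"]))


if __name__ == "__main__":
    for f in assess(load_catalog(KEV_SAMPLE), INVENTORY, "2021-11-20"):
        print(f"{f['status']:8} {f['host']:22} {f['cve']:18} due {f['deadline']} ({f['days_left']:+d} days)")
```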
- Cloud API Services, Apps and Containers Will Be Targeted in 2022 by Mo Cashman on November 16, 2021 at 4:00 pm
McAfee Enterprise and FireEye recently teamed up to release their 2022 Threat Predictions. In this blog, we take a deeper dive into the cloud security topics from these predictions, focusing on the targeting of API services and apps and the exploitation of containers in 2022.

5G and IoT Traffic Between API Services and Apps Will Make Them Increasingly Lucrative Targets

Recent statistics suggest that more than 80% of all internet traffic belongs to API-based services. It's the type of increased usage that grabs the attention of threat developers hunting for rewarding targets. Feature-rich APIs have moved from being just middleware to applications and have evolved to become the backbone of most modern applications we consume today. Examples include:

- 5G mobile applications: 5G connectivity and deployment of IoT endpoints have increased dramatically, providing higher capacity for broader connectivity needs.
- Internet of Things: More than 30.9 billion IoT devices are expected to be in use worldwide by 2025. The industrial IoT market was predicted to reach $124 billion in 2021.
- Dynamic web-based productivity suites: The global cloud-based office productivity software market is expected to reach $50.7 billion by 2026.

In most cases, attacks targeting APIs go undetected, as APIs are generally considered trusted paths and lack the same level of governance and security controls. The following are some of the key risks we see evolving in the future:

- Misconfiguration of APIs resulting in unwanted exposure of information.
- Exploitation of modern authentication mechanisms such as OAuth/Golden SAML to obtain access to APIs and persist within targeted environments.
- Evolution of traditional malware attacks to use more of the cloud APIs, such as the Microsoft Graph API, to land and expand. We have already seen evidence of this in the SolarWinds attack as well as from other threat actors such as APT40/GADOLINIUM.
- Potential misuse of the APIs to launch attacks on enterprise data, such as ransomware on cloud storage services like OneDrive.
- The usage of APIs for software-defined infrastructure also means potential misuse leading to complete infrastructure takeover or shadow infrastructure being created for malicious purposes.

Gaining visibility into application usage, with the ability to look at consumed APIs, should be a priority for organizations, with the goal of ultimately having a risk-based inventory of accessed APIs and a governance policy to control access to such services. Having visibility of non-user entities within the infrastructure, such as service accounts and application principals that integrate APIs with the wider enterprise ecosystem, is also critical. For developers, building an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority, alongside effective security logging and telemetry for better incident response and detection of malicious misuse.

Expanded Exploitation of Containers Will Lead to Endpoint Resource Takeovers

Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed, which can decrease the time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted?

Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and ransomware groups. T1190 has become a common entry vector given that cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. There are numerous past examples in which vulnerabilities in remote access software, web servers, network edge equipment and firewalls have been used as an entry point.

The Cloud Security Alliance (CSA) identified multiple container risk groups, including:

- Image risks: vulnerabilities, configuration defects, embedded malware, embedded clear text secrets, use of untrusted secrets
- Orchestrator: unbounded administrative access, unauthorized access, poorly separated inter-container network traffic, mixing of workload sensitivity levels, orchestrator node trust
- Registry: insecure connections to registries, stale images in registries, insufficient authentication and authorization restrictions
- Container: vulnerabilities within the runtime software, unbounded network access from containers, insecure container runtime configurations, app vulnerabilities, rogue containers
- Host OS Component: large attack surface, shared kernel, improper user access rights, host file system tampering
- Hardware

How do you protect yourself? Recommended mitigations include bringing security into the DevOps process through continuous posture assessment for misconfigurations, checks for the integrity of images, and controlling administrative privileges. Use the MITRE ATT&CK Matrix for Containers to identify gaps in your cloud security architecture.
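One shape the recommended "continuous posture assessment" can take, as an added example (not code from the post, the CSA, MITRE or any product): a checker that walks a pod manifest and tags each misconfiguration with the CSA risk group it falls under. The manifest is constructed; it is assumed to be in `kubectl get pod -o json` shape, and the trusted registry list is assumed to be your own allow-list.

```python
"""Posture check of a Kubernetes pod manifest against the CSA container
risk groups (Image, Registry, Orchestrator, Container, Host OS).

Added example, not the post's or the CSA's code. POD_SAMPLE is a
constructed manifest in `kubectl get pod -o json` shape; TRUSTED_REGISTRIES
is an assumed allow-list.
"""
import json
import re

TRUSTED_REGISTRIES = ("registry.corp.example",)  # assumption: your allow-list
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)
DANGEROUS_CAPS = ("SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE")

POD_SAMPLE = json.dumps({
    "kind": "Pod",
    "metadata": {"name": "billing-api", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [
            {   # deliberately misconfigured container
                "name": "api",
                "image": "docker.io/example/billing-api:latest",
                "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                        {"name": "DB_USER", "value": "billing"}],
                "securityContext": {"privileged": True, "runAsUser": 0},
                "volumeMounts": [{"name": "root", "mountPath": "/host"}],
            },
            {   # mostly hardened sidecar with one leftover capability
                "name": "sidecar",
                "image": "registry.corp.example/logshipper@sha256:" + "a" * 64,
                "env": [{"name": "API_TOKEN",
                         "valueFrom": {"secretKeyRef": {"name": "ls", "key": "token"}}}],
                "securityContext": {"runAsNonRoot": True,
                                    "capabilities": {"add": ["SYS_ADMIN"]}},
            },
        ],
    },
})


def registry_of(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    first, sep, _ = image.partition("/")
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def assess_pod(pod_json, trusted_registries=TRUSTED_REGISTRIES):
    """Return a list of {risk_group, container, detail} findings for one pod."""
    spec = json.loads(pod_json)["spec"]
    findings = []

    def add(group, container, detail):
        findings.append({"risk_group": group, "container": container, "detail": detail})

    # Host OS component: shared kernel namespaces at pod level.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            add("Host OS", "<pod>", f"{flag} is enabled (shared kernel namespace)")
    host_vols = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec["containers"]:
        name, image, sc = c["name"], c["image"], c.get("securityContext", {})
        # Image: integrity needs a digest pin, not a mutable tag.
        if "@sha256:" not in image:
            add("Image", name, f"image {image} is not pinned by digest")
        # Registry: pull only from registries you control.
        reg = registry_of(image)
        if reg not in trusted_registries:
            add("Registry", name, f"image pulled from untrusted registry {reg}")
        # Image: embedded clear-text secrets as env literals.
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env["name"]) and "value" in env:
                add("Image", name, f"env {env['name']} carries a literal secret value")
        # Container: insecure runtime configuration.
        if sc.get("privileged"):
            add("Container", name, "privileged container")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap in DANGEROUS_CAPS:
                add("Container", name, f"adds capability {cap}")
        # Orchestrator: unbounded administrative access via root.
        if sc.get("runAsUser") == 0 or (not sc.get("runAsNonRoot") and "runAsUser" not in sc):
            add("Orchestrator", name, "may run as root (runAsNonRoot not enforced)")
        # Host OS: host file system tampering through hostPath mounts.
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols:
                add("Host OS", name, f"mounts hostPath volume {m['name']} at {m['mountPath']}")
    return findings


def summarize(findings):
    """Count findings per CSA risk group."""
    counts = {}
    for f in findings:
        counts[f["risk_group"]] = counts.get(f["risk_group"], 0) + 1
    return counts


if __name__ == "__main__":
    result = assess_pod(POD_SAMPLE)
    for f in result:
        print(f"[{f['risk_group']:12}] {f['container']:8} {f['detail']}")
    print(summarize(result))
```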
- ‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World by Raj Samani on November 9, 2021 at 5:01 am
The holiday season is upon us, and many are preparing to celebrate with family and friends both near and far. While we tend to look at consumer tendencies during the holidays, the season also presents a significant challenge to industries coping with the increase in consumer demand. McAfee Enterprise and FireEye recently conducted a global survey of IT professionals to better understand their cyber readiness, especially during peak times like the holiday season, and the impact the pandemic has had on their business. Most notably, 86% of organizations anticipate a moderate-to-substantial increase in demand during the 2021 holiday season. The question is: are they ready for that demand?

This year, the "everything shortage" is real, from a drop in available workforce to limited supplies to a lack of delivery services. This creates an urgency for organizations to have actionable security plans and to effectively contain and respond to threats. Supply chain and logistics, e-commerce and retail, and the travel industry traditionally experience seasonal increases in consumer and business activity over the holidays, making them more vulnerable to cyber threats and leaving business, employee, and consumer data at risk. Here's a statistical snapshot of these affected industries and how they can prepare for the anticipated increase in seasonal risks:

- Supply Chain and Logistics: According to BCI's Supply Chain Resilience Report 2021, 27.8% of organizations reported more than 20 supply chain disruptions during 2020, up from just 4.8% reporting the same number in 2019. The loss of manufacturing and logistics capacity and employee power in 2021 is expected to increase demand for goods, creating the perfect attack vector for cybercriminals: a potentially weak and vulnerable infrastructure to break through. Supply chain managers must identify risks, understand the potential downstream effects of a security breach or cyberattack, and prepare response plans so they can act quickly in the event of an incident.
- E-Commerce and Retail: According to Adobe's 2021 Digital Economy Index, global online spending is expected to increase by 11% in 2021 to $910 billion during the holiday season. With store closures and increases in online shopping, along with limited product availability and concerns about shipping, this industry faces more threats than before. According to the McAfee Enterprise COVID-19 dashboard, the global retail industry accounts for 5.2% of the total detected cyber threats. Such threats include compromised payment credentials and cloud storage, as well as other forms of retail fraud and theft.
- Travel: Cyber threats aren't new to the travel industry, with airports, airlines, travel sites and ride-sharing apps having been victims in years past. However, what sets this year apart is the travel industry enduring a holding pattern caused by pandemic-related health concerns and travel restrictions. According to the International Air Transport Association (IATA), coronavirus-related loss estimates for 2020 total $137.7 billion, with total industry losses in 2020-2022 expected to reach $201 billion. As demand for holiday travel is expected to increase over the coming months, cyber criminals are watching closely for vulnerabilities as the industry battles new related challenges: labor shortages, supply chain issues, travel bans, and vaccination requirements.

What Organizations Need to Know

McAfee Enterprise and FireEye threat findings highlight the urgent need for organizations to prioritize and strengthen their cybersecurity architecture through the holidays and the end of 2021. Our research indicates that 81% of global organizations experienced increased cyber threats and 79% experienced downtime in the wake of previous cyberattacks. While IT professionals know cyber threats have intensified, the findings prove that many organizations have not effectively prioritized security during COVID-19:

- 94% of IT professionals want their organization to improve its overall cyber readiness
- 60% saw an increase in online/web activity
- 33% have had their technology and security budgets reduced
- 56% have suffered from downtime due to a cyber concern, costing some over $100,000 USD
- 76% find maintaining a fully staffed security team/SOC even more challenging during peak periods

Proactively Guarding Against Emerging Holiday Threats

Organizations can be proactive in defending their networks, data, customers, and employees against the anticipated increase in holiday cybercrime by implementing security measures including, but not limited to:

- Adopt industry-wide cybersecurity requirements designed to protect against the latest iterations of cyber threats, especially those known to target specific industries.
- Provide cybersecurity awareness training for employees, especially on recognizing holiday phishing emails or texts and suspicious URL campaigns designed to breach organizational databases.
- Develop an incident response plan capable of responding to and remedying a security breach in minutes rather than hours.

In addition, enterprises and commercial businesses can implement cloud-delivered security with MVISION Unified Cloud Edge (UCE) and FireEye Extended Detection and Response (XDR).

Note: The research was conducted between September and October 2021 by MSI-ACI via an online questionnaire to 1,451 IT security professionals from nine countries.
- Who Will Bend the Knee in RaaS Game of Thrones in 2022 by Raj Samani on November 8, 2021 at 2:00 pm
McAfee Enterprise and FireEye recently released their 2022 Threat Predictions. In this blog, we take a deeper dive into a Game of Thrones power struggle among Ransomware-as-a-Service bad actors in 2022.

Prediction: Self-reliant cybercrime groups will shift the balance of power within the RaaS eco-kingdom.

For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser-skilled criminals, which eventually led to more breaches and higher criminal profits. For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.

In response to the Colonial Pipeline attack, the popular cybercrime forums banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top-tier position in the underground. These events have undermined their trusted position.

Ransomware has generated billions of dollars in recent years, and it's only a matter of time before more individuals who believe they aren't getting their fair share become unhappy. The first signs of this are already visible, as described in our blog on the Groove Gang, a cybercriminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization's network. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victims' networks, rather than the previous approach, which prioritized control of the ransomware itself.

Trust in a few things remains important even in the cybercriminal underground, such as keeping your word and paying people what they deserve. Cybercriminals aren't immune from feeling like employees whose contributions aren't being adequately rewarded. When this happens, these bad actors cause problems within the organization. With revenue in the billions, it was inevitable that some individuals who believe they aren't getting their fair share become unhappy and let the cybercrime world know it. Recently, a former Conti affiliate who was unhappy with their financial portion decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online. In the past, McAfee ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges against other RaaS members and admins, claiming they hadn't been paid on time or that their share wasn't proportionate to the amount of work they put in.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim's networks.

Less-skilled Operators Won't Have to Bend the Knee in RaaS Model Power Shift

The Ransomware-as-a-Service ecosystem has evolved with the use of affiliates, the middlemen and women who work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union. Historically, the ransomware developers held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding "job interviews" to establish technical expertise. Using CTB Locker as an example, prominence was placed on affiliates generating sufficient installs via a botnet, exploit kits or stolen credentials. But affiliates recently taking on the role and displaying the ability to penetrate and compromise a complete network using a variety of malicious and non-malicious tools essentially changed the typical affiliate profile towards a highly skilled pen-tester/sysadmin.

The hierarchy of a conventional organized crime group is often described as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motorcycle gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved in committing crime, groups have evolved into more opportunistic network-based groups that work together more fluidly, according to their current needs. While criminals collaborating in the world of cybercrime isn't new, a RaaS group's hierarchy has been more rigid compared to other forms of cybercrime, due to the power imbalance between the group's developers/admins and affiliates. But things are changing. RaaS admins and developers were prioritized as the top targets, but the affiliates, perceived as less skilled, were often neglected. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers. Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe, just maybe, the impact will not be as severe as in recent cases.
- Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 by Raj Samani on November 1, 2021 at 4:01 am
McAfee Enterprise and FireEye recently released their 2022 Threat Predictions. In this blog, we take a deeper dive into the continually aggressive role nation states will play in 2022.

Prediction: Lazarus Wants to Add You as a Friend

By Raj Samani

We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry. But guess what? The threat actors know this, and our appetite for accepting connections from people we have never met is all part of our relentless pursuit of the next 1,000 followers. One result has been the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control of influencer accounts to promote messaging of their own.

While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to "hook" the target into interactions, and establishing fake profiles is more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only among espionage groups, but among other threat actors looking to infiltrate organizations for their own criminal gain.

Potential Impacts & Implications

The potential impacts and implications for an executive or company whose social media channels are targeted by threat actors are endless. We began to see some nation state groups using platforms like LinkedIn to target executives, more specifically in the defense and aerospace industry. For years we've been accepting connections on LinkedIn to expand our network, and threat actors are using this to their advantage with job adverts. Threat actors will find the executive they want to target in the company they want to go after and develop profiles that look like legitimate recruiters. By getting an executive on the hook, they could potentially convince them to download a job spec that is malware. These types of espionage campaigns can be carried out on other social networks as well, including Twitter, Instagram, Reddit, etc.

Techniques & Tactics

In the past, fake social profiles were relatively easy to spot; however, in the case of DPRK, the cybercriminals spent time setting up a profile, getting plugged into the infosec scene, and gaining followers and connections through LinkedIn, making it more difficult than before to detect a fraudulent account. When threat actors weaponize social media, they use techniques and tactics you see in the legitimate world. They diligently research what types of jobs would be of interest to you and share an offer that requires you to open a document, tricking you into carrying out some action that downloads malicious content onto your device.

Who Can Regulate?

We live in a world where we are governed by rules, territories, and jurisdictions; to hold a threat actor accountable, we would need digital evidence. We need to follow regulations for digital investigations, and the bad guys don't. In territories where there isn't an extradition treaty, threat actors can continue their malicious behaviors without any consequences. Unfortunately, cybercrime has no nonrepudiation: threat actors can deny all knowledge and get away with it.

Prevention

Cybercrime will always be an issue, and we need to be more aware of what threat actors are doing and what they're after. It's important to understand the threat and what is happening. At McAfee Enterprise and FireEye we work to track malicious actors, integrate intelligence into our products, and make content available for CISOs, CEOs, etc. to know what to do and what to look for in the event they are targeted.

Prediction: Help Wanted: Bad Guys with Benefits

By Christiaan Beek

With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source intelligence from a diversity of sources to gain more insight into threat activities around the globe, and these include an increase in the blending of cybercrime and nation-state operations. In many cases, a start-up company is formed, and a web of front companies or existing "technology" companies are involved in operations that are directed and controlled by the country's intelligence ministries. In May 2021, for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front companies enabled hackers to create malware and attack targets of interest to gain business intelligence, trade secrets, and information about sensitive technologies. Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics: hire hackers for operations, and do not ask questions about their other operations if they do not harm the interests of their own country.

Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations. The initial breach, with its tactics and tools, could look like a "regular" cybercrime operation; however, it is important to monitor what happens next and act fast. With the predicted increase in blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from the tactics and operations of actors targeting their sector.

Potential Impacts & Implications

With more tools at their disposal, nation state actors are reshaping the cyberthreat landscape, leaving destruction and disrupted operations in their wake. There have been many accusations of "spying", which poses a major threat to economic and national security. The main aim of these attacks is to obtain intellectual property or business intelligence. We are seeing nation states devote significant resources, time and energy toward achieving strategic cyber advantages, with the implication that national interests, intelligence-gathering capabilities, and military strength are exposed through espionage, disruption and theft.

Techniques & Tactics

In the May 2021 incident in which four Chinese nationals were charged in a global hacking campaign, the indictment stated that the threat actors used a front company to hide the Chinese government's role in the information theft. We anticipate nation states will continue to team up with cybercriminals and create front companies to hide involvement and gain access to private information, military tactics, trade secrets and more. Adversaries will leverage techniques like phishing, known vulnerabilities, malware, crimeware and more to attain their goal.

On the blending of cybercrime and nation-state activity: understanding the functionality of malware becomes more important than ever. Let me give an example. When you get a Trickbot infection, a part of the code steals credentials; they could be sold to a ransomware crew, with a possible ransomware attack as the result, a complete cybercrime operation. But what if the Trickbot infection was ordered by a nation state and the credentials are used for a long-term operation? It started as a crime and ends as a long APT.

Who Can Regulate?

It's important for governments to hold actors accountable for cyber incidents. Government entities and researchers can likely assist public and private sector organizations in navigating this new cyber landscape by developing standards and/or template processes to drive cyber defense and maintain operational resiliency.

Prevention

A threat actor's goal is to gain access to data they can sell, leverage for ransom, or use to gain critical knowledge, so it is important to properly encrypt critical data, rendering it unusable to unauthorized users. You should also maintain regular, offline backups and have an incident response plan ready. Maintaining and testing offline backups can similarly mitigate the impact of destructive malware.
- McAfee Enterprise and FireEye 2022 Threat Predictions, by FireEye on October 27, 2021 at 4:01 am
What cyber security threats should enterprises look out for in 2022? Ransomware, nation states, social media and the shifting reliance on a remote workforce made headlines in 2021. Bad actors will learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns wielding the potential to wreak more havoc in all our lives. Skilled engineers and security architects from McAfee Enterprise and FireEye offer a preview of how the threatscape might look in 2022 and how these new or evolving threats could potentially impact the security of enterprises, countries, and civilians. “Over this past year, we have seen cybercriminals get smarter and quicker at retooling their tactics to follow new bad actor schemes – from ransomware to nation states – and we don’t anticipate that changing in 2022,” said Raj Samani, fellow and chief scientist of the combined company. “With the evolving threat landscape and continued impact of the global pandemic, it is crucial that enterprises stay aware of the cybersecurity trends so that they can be proactive and actionable in protecting their information.”

Predictions:
Lazarus Wants to Add You as a Friend
Help Wanted: Bad Guys with Benefits
Game of Ransomware Thrones
Ransomware For Dummies
Keep A Close Eye on API
Hijackers Will Target Your Application Containers
Zero Cares About Zero-Days
- How To Avoid the Costly Risks of Cloud Misconfigurations, by Stephen Schumm on March 22, 2021 at 4:30 pm
Misconfigurations in cloud services present a significant risk, costing organizations worldwide an estimated $5 trillion. Federal agencies face even greater risks. Vulnerabilities from cloud misconfigurations that are exploited by attackers can impact national intelligence or citizen data. The exposure of this information could have far-reaching implications for the safety and privacy of individuals and systems. With that in mind, here are some key considerations to minimize these risks.

The Challenges Associated With Cloud Configurations

Many federal agencies are taking advantage of the speed and cost efficiencies of public cloud services such as AWS, Google Cloud and Azure. Although these providers ensure secure infrastructure, the organization must protect what’s inside—including applications, workloads and data. That means they’re also responsible for the configurations of whatever is uploaded to the cloud. That can be a tall order for several reasons:

Lack of skillsets. The cloud is built on dynamic services and infrastructure that require unique skills and expertise. Not all federal agencies have or can attract sufficient in-house talent to ensure proper cloud configurations.

Lack of coordination. Cloud security typically falls under the remit of three groups: DevOps, security, and cloud infrastructure teams. If these groups don’t collaborate and tightly integrate their work, misconfigurations are likely.

Lack of visibility. Gaining insight across cloud services can be a daunting task. The environment is dynamic, with near-continuous changes, updates and movement of workloads. If the organization doesn’t have a “single pane of glass” to quickly identify simple misconfigurations, vulnerabilities are a constant risk.

In addition to these challenges, federal agencies must focus on regulatory compliance around data protection. It’s a complex maze of continual auditing to ensure adherence to regulations such as FISMA, DISA STIGs, and NIST standards.
Overcoming Misconfiguration Challenges

Federal agencies require continuous visibility across their cloud services, and a way to automatically notify teams when a misconfiguration is identified. Doing so not only improves cloud security, it also enhances collaboration and governance. FireEye Cloudvisory gives federal agencies that necessary visibility. Cloudvisory is a cloud-native security solution that unifies controls to minimize vulnerabilities such as misconfigurations. Cloudvisory provides CISOs with a single pane of glass for:

Deep visibility across cloud workloads and applications. This allows organizations to view network traffic, auto-discover cloud assets in public, private and hybrid clouds, and improve threat detection and alerting. Staff can drill down into risk analysis and cloud security analytics to quickly identify misconfigurations and improve the agency’s security posture.

Continuous compliance. Cloudvisory allows federal agencies to better achieve compliance assurance. It uses automation and built-in, customizable compliance checks for faster analysis, detection and remediation of risks and vulnerabilities that may arise from misconfigurations.

Governance and control. Cloudvisory automatically recommends least-privilege policies to protect cloud workloads, while also continually detecting changes and threats.

In addition, Cloudvisory easily integrates with Mandiant Threat Intelligence. It provides comprehensive data into current, past and possible future threat activity. Combined, these solutions reduce the complexity around cloud security—making teams more efficient, coordinated and prepared. Download The Catch 22 of Cloud Misconfigurations to see how FireEye helps federal agencies optimize their cloud environments to minimize risks.
- Establishing a Zero Trust Architecture for Federal Agencies, by Bobby New on March 4, 2021 at 5:30 pm
Amid the ever-evolving, increasingly sophisticated cyber attack landscape, federal agencies are being urged to adopt a Zero Trust approach. Today’s environment “calls for and needs a new approach for security, and Zero Trust architectures are going to be critical for helping [agencies],” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA), during a Federal Computer Week (FCW) webinar. Organizations might be concerned that Zero Trust adoption will create greater complexity. However, with the right approach and platform, federal agencies can gain efficiency and avoid complexity while significantly improving overall security.

What a Zero Trust Architecture Looks Like

As the term suggests, Zero Trust is led by the principle of “never trust, always verify.” It is a framework of policies, technologies, and systems that are applied to users and devices. For example, multi-factor authentication (MFA) is considered a core Zero Trust technology because it requires more than one piece of evidence to trust a user’s identity. There are multiple technologies and capabilities that lend themselves to a Zero Trust approach. Implementing these functionalities and principles takes time. In a recent informational statement, the NSA recommends four stages toward Zero Trust maturity:

Preparation. Initial discovery and assessment activities.

Basic. Implement fundamental integrated capabilities.

Intermediate. Refine capability integration and further refine capabilities.

Advanced. Deploy advanced protections and controls with robust analytics and orchestration.

The NSA acknowledges that these stages don’t happen overnight. That’s why we believe organizations should look at this from a holistic standpoint. Agencies should seek to unify security and move beyond perimeter-based security, while increasing compliance with policy-based access controls. We recommend four pillars to underpin a Zero Trust approach:

Verify the user. How does an agency validate that an individual accessing systems is, in fact, who they say they are? There should be automated policies that address access permissions, and these should be adaptive and dynamic to respond across different applications, clouds and on-premises systems.

Verify the device. Users may use multiple devices—laptops, smartphones, and desktops—to access organizational systems. Verification must be extended across all of these devices so that the user’s identity is validated every time they connect.

Limit access and privilege. Cyber criminals are typically attracted to personnel with administrative privileges to gain control over a business system, so it is important to limit lateral movement. The principle of least privilege must be considered thoroughly in all cases, ensuring users only have enough access to successfully do their jobs.

Learn and adapt. Information about the user, including their workstation, application use and server policies, should be collected and analyzed. Machine learning is beneficial for this; the technology continuously improves this process, allowing security teams to recognize unusual behaviors, determine risk levels and decide whether risks are acceptable. Accuracy and availability of data—logging, log feeds, depth of content—is crucial.

All of these pillars can be addressed by establishing a Zero Trust architecture (ZTA), as visualized in this diagram:

At a high level, the ZTA comprises a control plane and a data plane. The control plane components are responsible for authorizing access to assets or resources. Actual transfer of information occurs in the data plane. Access to system resources is implemented by a policy enforcement point (PEP) in the data plane, which acts like a gatekeeper. It operates in consultation with policy engine and policy administration functions, and together these form the policy decision point (PDP). The PDP forms the control plane of a ZTA, which in turn is continually updated by inputs from the various control functions.

The Critical Ingredient: Intelligence Across the Architecture

Looking at that diagram, Zero Trust may seem daunting. However, with the right partner, agencies can move through the Zero Trust journey at their own pace. The common thread is intelligent functionality. For example, to verify users and devices, organizations must validate all endpoints. This includes all the apps and devices that employees use to get work done, regardless of whether the devices are owned by the organization or by the individual. That also extends to contractors, partners and guest devices. To make this happen, the right endpoint security solution should:

Stop actions from compromised apps and files

Identify a malicious actor’s activities in a security event

Isolate the bad actor’s network access while capturing forensic access information

Automation and embedded intelligence reduce the complexity of these functions. Another example is network security. It’s critical to rapidly identify web-based threats and malicious actors before they move too deep into the network. To act fast, a solution should intelligently detect early phases of web-based attacks, extract the malware and safely detonate it—in real time. Similarly, an intelligent ZTA should help federal agencies address overall security system hygiene. For example, regular maintenance and vulnerability scans of security information and event management systems (SIEMs) are an onerous task. By integrating threat intelligence services directly into infrastructure systems such as SIEMs, organizations gain real-time insights into vulnerabilities and risks.

An Intelligence-Backed Platform Approach for Zero Trust

Verifying users and devices must also happen within the infrastructure. A platform-based approach can enhance security across clouds and security operations systems such as SIEMs. For example, an intelligent foundational solution offers assurances of compliance and enforcement by providing a framework for visibility across cloud environments. This allows organizations to view network traffic, auto-discover cloud assets in public, private and hybrid clouds, and improve threat detection and alerting. The right platform should provide workload microsegmentation using cloud-native security capabilities, a key element in Zero Trust. When this process is automated, agencies can seamlessly provision, secure, and monitor multiple cloud environments to protect applications and micro-services. At the same time, federal agencies should leverage a cloud-based SIEM platform that intelligently and automatically delivers centralized security. This solution bolsters a Zero Trust architecture, for example, by empowering teams with proactive alert management, analysis and reporting.

The Need to Measure Effectiveness

Ultimately, federal agencies must validate that their cyber security efforts are effective. The same applies to Zero Trust implementations. Security validation:

Measures and improves cyber-defensive effectiveness with detailed evidence

Verifies the effectiveness of workload segmentation

Guards against security regression with continuous testing

Measures the performance of security incident handling

Organizations should seek an overarching, unifying solution that is built to demonstrate the effectiveness of all their cyber security investments. It should provide evidential data that answers questions such as: Are my security technology layers configured correctly? Is my SIEM collecting all the data sources it needs for malicious activity alerts? Will the latest security attack affect our organization? What gets measured gets improved. A security validation platform ensures that organizations are not only proving cyber security effectiveness, but also optimizing security and efficiencies.

The Bottom Line

Federal agencies may be at different points in their Zero Trust journey. Maybe they just implemented MFA and are ready to address cloud security, or they’ve implemented a cloud-based SIEM. No matter whether an agency is just starting or delving deeper into systems and infrastructure, the right partner can help eliminate unnecessary complexity. FireEye realizes that Zero Trust isn’t a one-size-fits-all approach. Our expertise and intelligent solutions can be adapted to meet an organization’s most pressing security needs, and get them on the path toward minimized exposure and increased security.
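To make the control-plane/data-plane split in the post above concrete, here is an added Python sketch (not code from the original post or from any FireEye product) of a policy decision point that applies the four pillars, and a policy enforcement point that hands over a resource only on an allow decision. The user, device and resource names, the grant table and the denial threshold are all constructed assumptions for illustration.

```python
"""Toy Zero Trust architecture: a policy decision point (PDP) in the control
plane that applies the four pillars (verify the user, verify the device,
limit privilege, learn and adapt) and a policy enforcement point (PEP) in
the data plane that releases a resource only on an allow decision.
All users, devices, resources and thresholds are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool   # identity provider completed MFA for this session
    device_id: str       # identifier presented by the connecting device
    resource: str
    action: str          # e.g. "read" or "write"


@dataclass
class PolicyDecisionPoint:
    """Control plane: policy engine plus policy administration data."""
    enrolled_devices: Set[str]                       # device-verification inventory
    grants: Dict[str, Dict[str, Set[str]]]           # user -> resource -> allowed actions
    denial_threshold: int = 3                        # denials after which a user is quarantined
    denial_counts: Dict[str, int] = field(default_factory=dict)
    decision_log: List[Tuple[AccessRequest, bool, str]] = field(default_factory=list)

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        """Evaluate one request; nothing is trusted by default, every check must pass."""
        if self.denial_counts.get(req.user, 0) >= self.denial_threshold:
            return self._record(req, False, "learn-and-adapt: user exceeded denial threshold")
        if not req.mfa_verified:
            return self._record(req, False, "verify-user: MFA not completed")
        if req.device_id not in self.enrolled_devices:
            return self._record(req, False, "verify-device: device not enrolled")
        allowed = self.grants.get(req.user, {}).get(req.resource, set())
        if req.action not in allowed:
            return self._record(req, False, "least-privilege: no grant for this action")
        return self._record(req, True, "allow")

    def _record(self, req: AccessRequest, allow: bool, reason: str) -> Tuple[bool, str]:
        # Learn and adapt: log every decision and count denials per user so that
        # repeated failures raise that user's risk level and block further access.
        self.decision_log.append((req, allow, reason))
        if not allow:
            self.denial_counts[req.user] = self.denial_counts.get(req.user, 0) + 1
        return allow, reason


class PolicyEnforcementPoint:
    """Data plane gatekeeper: consults the PDP before releasing any resource."""

    def __init__(self, pdp: PolicyDecisionPoint, resources: Dict[str, str]):
        self.pdp = pdp
        self.resources = resources

    def access(self, req: AccessRequest) -> Tuple[object, str]:
        allow, reason = self.pdp.decide(req)
        if not allow:
            return None, reason           # nothing crosses the data plane on a deny
        return self.resources[req.resource], reason


def build_demo() -> Tuple[PolicyDecisionPoint, PolicyEnforcementPoint]:
    """Constructed inventory: one enrolled laptop, one user with read-only payroll access."""
    pdp = PolicyDecisionPoint(
        enrolled_devices={"laptop-001"},
        grants={"alice": {"payroll-db": {"read"}}},
    )
    pep = PolicyEnforcementPoint(pdp, {"payroll-db": "payroll rows (constructed)"})
    return pdp, pep


if __name__ == "__main__":
    pdp, pep = build_demo()
    for req in (
        AccessRequest("alice", True, "laptop-001", "payroll-db", "read"),
        AccessRequest("alice", False, "laptop-001", "payroll-db", "read"),
        AccessRequest("alice", True, "phone-999", "payroll-db", "read"),
        AccessRequest("alice", True, "laptop-001", "payroll-db", "write"),
    ):
        print(pep.access(req)[1])
```

The point of the sketch is the separation of duties the post describes: the PEP never evaluates policy itself, and the PDP's decision log and per-user denial counter are the "learn and adapt" input that feeds back into later decisions, so that after repeated denials even a request that would otherwise pass every static check is refused.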
- XDR: Making an Impact on the SOC, by Dan Lamorena on March 2, 2021 at 4:45 pm
With organizations struggling with alert fatigue and disconnected tools for monitoring security controls, it is not surprising that one of the hottest new cyber security technology categories is Extended Detection and Response (XDR). Designed to better integrate security control data and security operations through cloud-driven analytics, detection, and response, the category of XDR is set to drive new efficiencies in the security operations center (SOC). In a recent survey conducted by IT analyst firm ESG, 70% of organizations expressed that they are already using or considering XDR, or plan to establish a formal budget to invest in an XDR solution in the next six months. What is behind the aggressive XDR adoption plans? Drawn by the idea of bringing together security data across multiple security controls and the prospect of XDR solutions delivering a turnkey approach, security teams are moving fast to apply enhanced security analytics to help them keep up with advanced threats, while reducing the complexity of aggregating, correlating, and analyzing security data from multiple control points. True XDR solutions are an integrated set of cyber security products that unify control points, security data, analytics and operations into a single enterprise solution. XDR implies supporting multiple types of security telemetry, which could include endpoint, network and cloud sensors. XDR promises to provide better technology integration between data sources and security operations to accelerate detection and response, all while reducing the integration and security engineering headaches that plague SecOps teams today.

Meeting the Security Alert Challenge

The biggest challenge to solve related to the security data and alerts generated by disparate security controls was filtering the noise out of the alerts so that security analysts could focus on the right signals (38% of respondents). This means they could deliver the most important outcome that 40% of respondents currently using or considering XDR want: improve the fidelity and prioritization of security alerts to make it easier to triage and respond to events (leading to improved response time).

What To Look for in an XDR Solution

Here are some key elements to consider when evaluating an XDR:

Controls agnostic. The problem with simplifying security operations with an XDR is that most XDRs require organizations to purchase the security controls/sensors (network, endpoint, cloud, mail, etc.) from a single vendor, and often require a rip and replace of the existing technologies. A controls-agnostic XDR enables security organizations to choose best-of-breed technologies while retaining improved detection and response.

Machine-based correlation and detection capabilities. Machines can comb through large data sets and see patterns faster and more accurately than humans. It would be nearly impossible for humans to correlate across EDR alerts, network events, account services, vulnerability scan data, etc., to “triangulate” amongst sensors and more accurately distinguish between true signal and the noise of false positives. If machines can more accurately and consistently find real and actionable incidents, it means less time for analysts doing tier one monitoring, i.e., staring at screens, and more time focusing on their customers and incident response. This should result in happier analysts and improved job satisfaction. Machine-based detection could also mean 24×7 coverage with the added staffing.

Pre-built data models. No one wants to write custom rules/content/code in their SIEM and SOAR platforms. It would be a huge advantage to have these complex models work out of the box. This would mean reduced security engineering time and costs, or even better, freeing engineers to work on more value-added projects. Integrating timely threat intelligence automatically is another important component for determining known-bad and relevancy.

Integration with different SIEMs, SOARs and case management tools. XDR should play nicely with those investments. Key features would be built-in integrations, including automated case creation, scoping new and additional events into a case over time, and feedback being provided from the SOAR to the XDR for model improvement.

A technology-agnostic XDR gives security teams the best of both worlds: analytics that work across a broad range of security technologies and vendors—to provide the true outcome—finding incidents in real time without noisy false positives.
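As an added example of the “machine-based correlation” the post above calls for (this is not code from the original post or from any FireEye product), here is a small cross-sensor correlator in Python: constructed alerts from endpoint, network and identity sensors are grouped per host inside a time window, and only groups in which at least two independent sensors agree are promoted to incidents, scored so the best-corroborated one sorts first. The sensor names, field layout, host names, timestamps and the scoring formula are all constructed assumptions.

```python
"""Toy cross-sensor correlation of the kind an XDR performs: alerts from
endpoint (EDR), network and identity sensors are grouped per host inside a
time window and promoted to an incident only when at least two independent
sensors agree.  Sample alerts, sensor names and hosts are constructed for
illustration; this is not the detection content of any product."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed alerts.  Each sensor has its own vocabulary; the correlator only
# relies on the shared fields: sensor, host, ts (ISO 8601) and severity (1-3).
SAMPLE_ALERTS: List[Dict] = [
    {"sensor": "edr", "host": "ws-17", "ts": "2021-03-01T09:02:10", "severity": 2,
     "detail": "office application spawned a scripting host"},
    {"sensor": "network", "host": "ws-17", "ts": "2021-03-01T09:03:40", "severity": 2,
     "detail": "DNS query to newly registered domain"},
    {"sensor": "identity", "host": "ws-17", "ts": "2021-03-01T09:05:05", "severity": 3,
     "detail": "new local administrator account created"},
    # ws-22: two low-severity single-sensor alerts hours apart, i.e. noise
    {"sensor": "network", "host": "ws-22", "ts": "2021-03-01T09:10:00", "severity": 1,
     "detail": "large upload to cloud storage"},
    {"sensor": "edr", "host": "ws-22", "ts": "2021-03-01T14:10:00", "severity": 1,
     "detail": "unsigned binary executed"},
    {"sensor": "edr", "host": "ws-09", "ts": "2021-03-01T09:00:00", "severity": 1,
     "detail": "unsigned binary executed"},
]


def correlate(alerts: List[Dict], window: timedelta = timedelta(minutes=30),
              min_sensors: int = 2) -> List[Dict]:
    """Group alerts per host into time windows and emit scored incidents.

    A group becomes an incident only if at least `min_sensors` distinct sensor
    types contributed; single-sensor groups stay in the tier-one queue as noise.
    Incidents are sorted so the highest-scoring one is triaged first."""
    by_host: Dict[str, List[Dict]] = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):   # ISO timestamps sort lexically
        by_host[alert["host"]].append(alert)

    incidents: List[Dict] = []
    for host, host_alerts in by_host.items():
        cluster: List[Dict] = []
        for alert in host_alerts:
            if cluster and _ts(alert) - _ts(cluster[0]) > window:
                incidents.extend(_emit(host, cluster, min_sensors))   # window closed
                cluster = []
            cluster.append(alert)
        incidents.extend(_emit(host, cluster, min_sensors))
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents


def _ts(alert: Dict) -> datetime:
    return datetime.fromisoformat(alert["ts"])


def _emit(host: str, cluster: List[Dict], min_sensors: int) -> List[Dict]:
    sensors = {a["sensor"] for a in cluster}
    if len(sensors) < min_sensors:
        return []
    # Score: summed severity weighted by how many independent sensors agree,
    # so corroborated activity outranks a single loud alert.
    score = sum(a["severity"] for a in cluster) * len(sensors)
    return [{
        "host": host,
        "sensors": sorted(sensors),
        "score": score,
        "first_seen": cluster[0]["ts"],
        "last_seen": cluster[-1]["ts"],
        "evidence": [a["detail"] for a in cluster],
    }]


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print(incident["host"], incident["score"], incident["sensors"])
```

On the constructed input only ws-17 becomes an incident: three sensors corroborate each other within a few minutes. The two ws-22 alerts are each seen by a single sensor and fall outside the window of one another, so they stay in the noise bucket; lowering `min_sensors` to 1 shows how quickly single-sensor promotion reintroduces the alert volume the post is trying to cut.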
- A Global Reset: Cyber Security Predictions 2021, by Adam Greenberg on November 12, 2020 at 3:15 pm
For most of us, 2020 was one of the most challenging years in recent memory. We struggled to deal with big changes in our personal lives and were forced to overcome various obstacles in our professional lives. Now that the year is coming to a close, we looked back at the past 12 months and identified several new and evolving cyber security trends that will likely persist as we move into 2021. We discuss these trends in detail in our report, A Global Change: Cyber Security Predictions 2021. Read it today to learn about:

Remote work and other impacts of COVID-19: The global pandemic has forced us all to change the way we work, and has introduced new threats as we race towards development and distribution of a vaccine.

The persistence and growth of ransomware: Ransomware attacks are more intricate and devastating than ever before, with ransom demands upwards of a million dollars—and it’s only going to get worse.

Espionage as an ongoing driver of nation-state activity: Major players such as China and Russia will continue to carry out operations primarily for espionage, but we expect to see activity from other nations as well.

Cloud security taking the limelight: Organizations that have made massive migrations to the cloud will need to focus on cloud security, and also understand the relationships with their cloud providers.

Security validation to keep defenses and budgets in check: With the rapid change in how we work, organizations will rely on security validation to optimize security and reduce spend.

This report would not be possible without some of the brightest minds here at FireEye and Mandiant, including Sandra Joyce, EVP of Mandiant Threat Intelligence; Major General Earl Matthews, VP of Strategy; Dave Baumgartner, CIO; Martin Holste, CTO for Cloud; and John Hultquist, Senior Director of Intelligence Analysis.
Read the report, A Global Reset: Cyber Security Predictions 2021, right now, and also check out the latest episode of our quarterly show, FireEye Chat, where Sandra and John look back at some predictions from last year and discuss how they panned out. For even more, hear what’s top of mind for Sandra and General Matthews in 2021. For a more in-depth conversation, watch the discussion that Dave recently led with General Matthews, Martin and John. Finally, don’t miss our webinar on Dec. 7, where our experts will go deeper into topics from the report.
- Late Game and Lingering Threats to the Upcoming Elections, by John Hultquist on October 12, 2020 at 5:30 pm
As the U.S. elections near an end, the nature of successful interference is likely to change. Any significant attempt to sway voters now will require a dramatic late game operation that receives significant attention—an operation such as a hack and leak campaign or the use of forged materials. Otherwise, adversaries are likely to focus on operations aimed at outlasting the actual elections and undermining faith in the institution. These operations could unfold at the eleventh hour and even following the final tally of votes.

Late Game Events to Sway Voters

The release of hacked and forged materials, laundered through personas and third parties, and amplified by media and social media is a tactic we have seen repeatedly used by adversaries within the context of elections as well as other events. The hack and leak has been used by Russian, North Korean and other unknown actors as a means to embarrass, misrepresent and successfully cow targeted organizations. The timing of hack and leak operations varies. Long term preparations may give way to ad hoc necessity. When Guccifer 2.0 suddenly appeared in the wake of revelations about APT28 compromising the DNC, the persona was likely a departure from original plans to release materials through the ElectionLeaks and DCLeaks websites. Timing may also be dictated by the third parties used to launder leaks. Third parties may have designs on the most opportune timing for leaks or the leak may be at the mercy of their ability to act quickly. An editorial process, for instance, could hinder timing. Actors may also wait until the eleventh hour, as was the case with MacronLeaks. Third parties and personas are an essential feature of these operations. Although they rarely hinder attribution of incidents, they provide a veneer of suitable obfuscation to maintain deniability.
The fictitious personas frequently leveraged in these incidents include dubious hacktivist groups without any previous history and confused ideology meant to explain their actions. More and more, actors have leveraged the Anonymous moniker as a versatile persona to hide their actions. AnonymousPoland was used by GRU actors to carry out a protracted attack on Olympics related organizations. Other third parties leveraged in these events include the media, organizations focused on leaked materials, and fringe political figures. Though mainstream media has become more circumspect, less traditional outlets that enjoy strong social media infiltration are still a means to deliver this information to voters. In previous incidents, political figures with significant social media followings have worked diligently to spread documents they received from Russian military intelligence through social media. Adversaries are already targeting organizations that could provide leakable materials. Targeting of democratic campaign affiliates and Ukrainian industry with ties to the candidates has been connected to the very same organizations that were involved in the 2016 incidents, as well as hack and leak incidents associated with the Olympics, and French elections, among others. While outstanding work has caught some of this activity, it is possible that intrusions have escaped notice. Forged materials, such as fabricated documents, may be added to leaks or used alone. Leaked alongside authentic, stolen documents, forged material is difficult to detect. Forged materials have been at the core of operations such as Secondary Infektion and Operation Ghostwriter. In the latter operations, these materials were planted on real media sites in an attempt to encourage rapid propagation.
Undermining the Institution of Elections

Ultimately, almost all information operations undermine society, sowing distrust and attacking preexisting rifts, but operations designed to specifically focus on election legitimacy are well precedented and often misinterpreted. These operations may already be happening and may outlast the election itself. The opportunity and utility of attacking the 2020 election may not fade for some time, especially given this year’s unique circumstances. The targeting of voting systems has been frequently assessed as attempts to make specific changes to results in an effort to directly change the outcome of the election. However, such a scenario would require an enormous effort across a multitude of systems. A more likely scenario is an incident that draws attention to itself, raising questions about the integrity or availability of systems. In 2014, APT28 gained access to a website belonging to Ukraine’s Central Election Commission and falsely reported a candidate had won. The intrusion did not change results, but it was hard to ignore. The targeting of systems such as these is in itself a means of interference as it will necessarily raise questions about unknown actions by the adversary. For instance, though there is no evidence that Sandworm, Unit 74455 of the GRU, did anything to change results when they targeted election systems in 2016, knowledge that these systems were targeted could suffice to undermine confidence. Ransomware is a means of disruption that could be leveraged to interfere with limited election processes. Fake ransomware, ransomware that is not intended for financial gain, has been used on several occasions by the GRU. The NotPetya incident is one such example. This capability is particularly deniable, especially considering the many incidents state and municipal organizations have already encountered. Coordinated inauthentic behavior could be leveraged to promote discord over election legitimacy.
Before the results were even known in 2016, pro-Kremlin bloggers had prepared the campaign #DemocracyRIP. Any discrepancy or complexity associated with results could be used as a means to denigrate the process.

Outlook

The circumstances of this election will provide a unique opportunity for interference. Any operation would benefit from the environment of distrust and disagreement of what transpired in 2016. However, information operations no longer enjoy the obscurity they once did, and a clear recognition of their mechanics and their limitations may well inoculate us to their effects.

For More Information

I will be briefing these items and more to attendees of a special Mandiant Executive Intelligence Briefing on Oct. 13. Register for the briefing today, and also remember to visit the FireEye Election Security page for the latest on election security-focused news and analysis from Mandiant.
- The Cost Factor: Taking a Proactive Approach to Cyber Security ROI, by Lynn Harrington on September 3, 2020 at 4:00 pm
Security teams are doing their best to keep employees online and secure during this extended period of working from home, but as we move towards the end of the year, budget cuts will be inevitable and security staff will invariably have to do more with less. In fact, Gartner’s senior finance leaders are suggesting teams could be facing reductions of 10% or more* this year. Currently there is a greater focus on proving business value and CISOs can expect this trend to continue into 2023. Now is not the time for a “head-in-the-sand” approach to security expenditure. While recent global events may have accelerated decisions to cut costs, the concept has been brewing for some time. In 2019, we predicted a gradual move to consolidate and optimize security tools to simultaneously de-dupe and achieve cost efficiencies. This new spotlight on costs may feel uncomfortable for many CISOs who find it difficult to prove ROI on expenditure; however, there are a few guidelines that can be put in place to help weather the storm.
- Europe’s New Sanction Regime Suggests a Growing Cyber Diplomacy Presence, by Jamie Collier on August 6, 2020 at 5:00 pm
For the first time in its history, the European Union (EU) imposed sanctions against individuals and entities involved in cyber attacks. Restrictive measures include travel bans, the freezing of assets, and blocking European sources of funding. The sanctions were directed at cyber campaigns linked to various Russian, Chinese and North Korean state-associated threat actors. This includes NotPetya and Ukraine blackout attacks carried out by the Russian GRU, as well as an espionage operation the group conducted targeting the Organisation for the Prohibition of Chemical Weapons (OPCW). WannaCry was a North Korean ransomware campaign that had a similarly destructive impact to NotPetya. Finally, Operation Cloud Hopper was a cyber espionage operation carried out by Chinese contractors working on behalf of the Ministry of State Security, and targeted managed service providers to gain access to various third parties.

Europe’s Growing Cyber Diplomacy Toolbox

These latest measures demonstrate that the EU is ramping up its efforts to actively respond to malicious cyber attacks. Up until now, the EU has focused much of its efforts on both defending European networks and developing regulation around security and privacy issues. Yet, this latest move indicates that the Union is now gradually increasing its appetite to engage more assertively. This also highlights the growing maturity of many member states around cyber security—an issue that might not have previously been seen as a matter of high politics or one that would merit sanctions. In many respects, the punitive impact caused by the sanctions against China, North Korea and Russia will be limited. This is because rather than calling out the states responsible directly, the sanctions were highly targeted against specific individuals and institutions. They are therefore unlikely to create serious financial harm in the way that a wider economic sanction regime might.
The sanctions were also directed at what are now dated campaigns, and ones that have already been called out by other governments. In addition, the European sanctions mirror previous U.S. measures issued against North Korean and Russian threat actors. However, these measures were unlikely intended as a dose of direct punishment. After all, few of the Russian, Chinese, and North Korean operatives hit with a travel ban were likely planning a visit to mainland Europe anytime soon. Responding to Irresponsible Behavior Instead, these sanctions are most likely intended as a form of political messaging. By calling out specific forms of cyber activity, the EU has clarified its red lines. The sanctions have responded to campaigns that contained either an overtly destructive element or commercial espionage activity. The EU is therefore distinguishing between these forms of activity and what might be considered traditional espionage—i.e. information gathering campaigns against government and military entities, and an activity that is tacitly acknowledged as fair game by the international community. However, as Dr. Florian Egloff has highlighted, the EU has left its latest move open to ambiguity by refraining from spelling out what they are trying to achieve or specifying their desired future operating environment. The EU’s sanctions do, however, represent a strong statement of collective action. Cost-benefit calculations shift as more states punish pernicious cyber activity at the same time. We might not expect a small European state to retaliate to a Russian or Chinese state-sponsored campaign independently, yet as part of a larger group there is a safety in numbers. Ultimately, as more states commit to sanctions or attribution statements, it becomes easier for additional states to join in with the political costs reduced. It is here that these latest developments are significant. When the Five Eyes (Australia, Canada, New Zealand, the UK, and the U.S.) 
initially tied NotPetya to Russia in 2018, they did so alongside Denmark, Estonia, Lithuania and Ukraine. Yet, as Professor Thomas Rid questioned at the time, where was France and Germany? To see European states now work together, and under the rubric of the world’s largest political union, highlights an unambiguous collective spirit. With the sanctions also mirroring many previous U.S. efforts, it remains to be seen whether future cyber sanction regimes could involve a combined transatlantic effort. Sanctions of this nature therefore ramp up the pressure and political cost for conducting cyber operations that violate international norms, such as destructive attacks or ones that undermine the fabric of democracy. Sanctions are most likely to impact states that can be influenced by the international community, yet could also provoke retaliation from states such as Russia who have adopted a bullish attitude to their cyber operations. However, the message being sent by these sanctions goes further than just the specific operations being called out. The EU will be acutely aware that many states are currently developing cyber operational capabilities, highlighted over the last five years by the growth of Iranian and Vietnamese threat actors. The threat landscape will likely continue to see this ‘rise of the rest’ trend emerge as other states start to actively conduct cyber campaigns. Issuing sanctions therefore also sends a clear message to emerging threat actors. Attribution and Cyber Threat Intelligence Sanction regimes are not possible without confident attribution. While the specific government agencies informing the threat activity have not been named, this process almost certainly leveraged cyber threat intelligence at various stages. Government threat intelligence has previously provided context for states choosing to name and shame aggressors. 
Yet, it has been questioned whether threat intelligence—often couched in caveats and estimated language—provides the definitive proof required to justify more punitive measures, such as formal sanction regimes. This incident, however, serves as a reminder that threat intelligence can provide highly robust insight, which can inform political processes. Cyber threat intelligence functions should always strive to ensure their reports are actionable across a range of stakeholders. These latest developments demonstrate that CTI can be highly influential in the decision-making process at the highest level of government.
- The Value of Context: Using Comprehensive Cyber Threat Intelligence to Increase Security Effectiveness by James Graham on July 13, 2020 at 8:00 pm
In order to level the playing field between unknown adversaries (with seemingly limitless resources) and organizations, security leaders need to continually assess every aspect of their security program. People, processes and technologies must be reviewed to ensure each critical component is optimized to combat modern attackers. But what are they basing their decisions on? And is it 100% reliable? Cyber threat intelligence (CTI) is an essential capability in an organization’s security program. Used properly, CTI can enable better-informed security and business decisions, and ultimately allow organizations to take decisive action to protect their users, data and reputation against adversaries. Unfortunately, threat intelligence is a broad term used inconsistently throughout the cyber security community.
Information vs. Intelligence
Simplification and misuse of the term “cyber threat intelligence” can make it difficult for security leaders to evaluate the wide range of options available for increasing security effectiveness. At best, an organization receives true intelligence, which facilitates proactive, effective decisions. At worst, they receive information that in its raw state is not actionable:
| Cyber Threat Information is… | Cyber Threat Intelligence is… |
| --- | --- |
| Raw, unfiltered data feed | Processed, sorted information |
| Unevaluated when delivered | Evaluated and interpreted by trained intelligence analysts |
| Aggregated from virtually every source | Aggregated from reliable sources and cross-correlated for accuracy |
| Possibly true, false, misleading, incomplete, relevant or irrelevant | Accurate, timely, complete (as possible), assessed for relevancy |
| Not actionable | Actionable |
Always on Alert With Threat Information
Threat information is most commonly known as data feeds and can be categorized as:
- Signature and reputation feeds: Typically providing a stream of malware signatures (file hashes), URL reputation data and intrusion indicators, sometimes supplemented with basic statistics.
- Threat feeds: Data streams that may provide a basic level of human analysis, including statistical breakdowns of the prevalence, source and targets of malware and other attack activities.
Both types of data feeds have some value: signature and reputation feeds improve the effectiveness of next-generation firewalls (NGFW), intrusion prevention systems (IPS), secure web gateways (SWG), anti-malware and antispam packages, and other blocking technologies. Threat feeds are useful for security operations center (SOC) and incident response teams because they help them identify patterns associated with attacks, rather than simply isolated indicators. The information they provide can also increase a team’s understanding of how to remediate compromised systems.
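To make the two columns of the table concrete, here is an added example (not code from the original post or from FireEye) that takes a constructed feed of raw threat information and applies the evaluation steps the right-hand column names: source reliability, cross-correlation between sources, timeliness and relevance to the environment. The per-source reliability ratings, the 90-day freshness window, the reliability cut-off and the platform list are assumptions an organization would set for itself; the hashes, URL and IP address are placeholders, not real indicators.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed feed entries: the hashes, URL and IP below are placeholders, not real IoCs.
RAW_FEED = [
    {"type": "sha256", "value": "a" * 64, "source": "vendor_a",
     "first_seen": "2020-07-12", "tags": ["ransomware", "windows"]},
    {"type": "sha256", "value": "a" * 64, "source": "isac",
     "first_seen": "2020-07-11", "tags": ["ransomware"]},
    {"type": "url", "value": "http://example.invalid/login", "source": "paste_scrape",
     "first_seen": "2020-07-13", "tags": ["phishing"]},
    {"type": "ipv4", "value": "203.0.113.7", "source": "vendor_a",
     "first_seen": "2019-01-01", "tags": ["scanner"]},
    {"type": "sha256", "value": "b" * 64, "source": "vendor_a",
     "first_seen": "2020-07-13", "tags": ["trojan", "macos"]},
]

# Assumed analyst-maintained reliability rating per source (0 = untrusted, 1 = fully trusted).
SOURCE_RELIABILITY = {"vendor_a": 0.8, "isac": 0.9, "paste_scrape": 0.3}
RELIABLE = 0.7                      # assumed: a single source at or above this counts as reliable
MAX_AGE = timedelta(days=90)        # assumed: indicators older than this are no longer timely
PLATFORM_TAGS = {"windows", "linux", "macos"}
ENVIRONMENT = {"windows", "linux"}  # constructed: platforms the organization actually runs
NOW = datetime(2020, 7, 13, tzinfo=timezone.utc)


@dataclass
class Indicator:
    """One indicator after evaluation: the table's right-hand column in data form."""
    type: str
    value: str
    sources: list
    reliability: float   # best reliability among the sources reporting it
    corroborated: bool   # reported independently by more than one source
    timely: bool         # seen within MAX_AGE
    relevant: bool       # applies to a platform the organization runs
    tags: set

    @property
    def actionable(self) -> bool:
        # Actionable means evaluated as trustworthy, timely and relevant, all at once.
        return (self.corroborated or self.reliability >= RELIABLE) and self.timely and self.relevant


def evaluate(raw_entries, now=NOW, environment=ENVIRONMENT):
    """Cross-correlate raw entries by (type, value) and evaluate each resulting indicator."""
    grouped = defaultdict(list)
    for entry in raw_entries:
        grouped[(entry["type"], entry["value"])].append(entry)

    evaluated = []
    for (itype, value), entries in grouped.items():
        sources = sorted({e["source"] for e in entries})
        reliability = max(SOURCE_RELIABILITY.get(s, 0.0) for s in sources)
        newest = max(datetime.strptime(e["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
                     for e in entries)
        tags = set().union(*(e["tags"] for e in entries))
        platforms = tags & PLATFORM_TAGS
        # An indicator carrying no platform tag is assumed to apply everywhere.
        relevant = not platforms or bool(platforms & environment)
        evaluated.append(Indicator(itype, value, sources, reliability,
                                   len(sources) > 1, now - newest <= MAX_AGE, relevant, tags))
    return evaluated


def actionable_indicators(raw_entries, **kwargs):
    """The subset worth pushing to blocking controls or SOC alerting."""
    return [i for i in evaluate(raw_entries, **kwargs) if i.actionable]


if __name__ == "__main__":
    for ind in evaluate(RAW_FEED):
        print(f"{ind.type:7} {ind.value[:24]:24} sources={ind.sources} "
              f"corroborated={ind.corroborated} timely={ind.timely} "
              f"relevant={ind.relevant} actionable={ind.actionable}")
```

Of the four distinct indicators in the constructed feed only the corroborated ransomware hash comes out actionable: the phishing URL has a single low-reliability source, the scanner IP is stale, and the macOS trojan does not apply to the constructed environment. Each rejection carries the reason, which is what separates an evaluated indicator from a raw feed entry.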
- Cloud Security: Separating Fact From Fiction by Greg Smith on July 2, 2020 at 4:45 pm
Cloud technologies offer cost and efficiency benefits to organizations in every industry worldwide; however, inexperience in working with cloud solutions has led to numerous assumptions that place organizations at risk of a security breach and competitive disadvantage.
The Cloud is Unsafe
94% of small businesses have reported security benefits after moving to the cloud
When used properly, the cloud is just as safe as a typical data center. Across the Mandiant incident response engagements conducted in public clouds, our experts have yet to see a case where cloud infrastructure itself was exploited. Improper cloud configuration or vulnerable customer code has been discovered, but flaws in the cloud provider’s code or infrastructure have not. In fact, 94% of small businesses have reported security benefits after moving to the cloud. For many organizations, granting and administering permissions to customize a cloud environment creates vulnerabilities, which can often be the cause of security issues.
My Organization Doesn’t Use the Cloud
By the end of this year, it is predicted that 83% of U.S. enterprise workloads will be in the cloud
While an organization may not currently store data in the cloud, it is most likely using cloud technologies. The term “cloud” includes the category of software as a service, and virtually every organization uses some form of web service—be it for human resources, banking, shipping, content management, web hosting or any other activities that take place in the modern business world.
My Cloud Provider Will Keep Me Secure
Through 2022 at least 95% of cloud security failures will be the customer’s fault*
Under the shared responsibility model, the cloud tenant is the ultimate custodian of their data and is responsible for safeguarding it. A cloud provider ensures that data center facilities are secure, the hardware is uncompromised, and the underlying software and operating systems of any services offered are protected. It is the customer’s responsibility to ensure virtual machines are patched, applications are not susceptible to threats and permissions are appropriate.
The Cloud is Just Someone Else’s Computer
Securing the cloud is not like securing a computer in someone else’s data center. Hundreds or thousands of computers can be in use in a multi-cloud environment, enabling simple requests to execute or complete tasks in fractions of a second. Traditional data forensic analysis should still take place, but now it should happen in a very different way. Tools used to secure fewer users in the on-premises model won’t be as beneficial here. Additional visibility requirements, and further planning, are required to provide security controls and instrumentation around distributed cloud environments.
Advanced Adversaries Aren’t Attacking the Cloud
Approximately 1/4 of Mandiant incident response engagements involve assets housed on a public cloud
Attackers will go wherever their objectives take them, so the more the cloud is being used, the more it will be targeted. Approximately one quarter of our Mandiant incident response engagements involve assets housed in a public cloud, and nearly all of them involve the public cloud in some way. The cloud does not hinder threat actors—instead, adversaries will modify their tactics, techniques and procedures to compromise cloud accounts for various reasons, including gaining access to confidential data, stealing computing resources, and spying on targets. An organization can move quicker and lower costs by migrating to the cloud, but it should understand that anything of value it places in the cloud will be a target, and therefore safeguarding it is vital. Organizations should not only implement best practices for cloud security, but also have their security operations ready to actively hunt for advanced attackers that pursue data in the cloud. Visit our Clarity in the Cloud page for more on cloud security.
*Gartner, Clouds Are Secure: Are You Using Them Securely?, Jay Heiser, 7 October 2019
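The post's point that misconfiguration and permissions sit on the customer's side of the shared responsibility model can be checked mechanically. Below is an added example, not code from the original post or from Mandiant or FireEye, that lints two constructed S3 bucket policy documents written in standard IAM policy JSON: a weak one that grants anonymous read and a wildcard action, and a corrected version scoped to a single role with an HTTPS-only condition. The bucket name, account ID and role names are placeholders.

```python
import json

# Constructed policy documents. The bucket name, account ID and role names are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Anonymous read of every object: the classic "public bucket" misconfiguration.
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports-bucket",
                         "arn:aws:s3:::example-reports-bucket/*"],
        },
        {   # A named role, but with every S3 action rather than the ones it needs.
            "Sid": "OpsFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        },
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Least privilege: one role, one action, objects only, and TLS required.
            "Sid": "ReportsReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {   # Explicitly refuse any plaintext request from anyone.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-reports-bucket",
                         "arn:aws:s3:::example-reports-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for key in principal for p in _as_list(principal[key]))
    return False


def find_policy_issues(policy_json):
    """Return (Sid, issue) pairs for Allow statements that are broader than they should be."""
    issues = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; a public Deny is fine.
        sid = stmt.get("Sid", "<no Sid>")
        if _principal_is_public(stmt.get("Principal")) and "Condition" not in stmt:
            issues.append((sid, "public principal with no condition"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            issues.append((sid, "wildcard action"))
        if "*" in _as_list(stmt.get("Resource", [])):
            issues.append((sid, "wildcard resource"))
    return issues


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_policy_issues(doc) or "no issues")
```

The checker treats a public principal as acceptable only when the statement carries a Condition block; that is deliberately coarse, since a condition can itself be too loose, so a real review still reads the condition keys rather than stopping at their presence. The wildcard resource check never fires on the sample because these are bucket policies; it is there for the identity-based policies the same function can also scan.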
- Clouds Are Secure, Are You Using Them Securely? by Greg Smith on June 23, 2020 at 4:15 pm
Cloud technology isn’t new, but it’s still unfamiliar ground for many organizations. As if migrating to the cloud wasn’t already a massive undertaking, the added responsibility of integrating a comprehensive security strategy can turn a challenging process into an overwhelming one. The need for cloud security cannot be overstated—approximately one quarter of our Mandiant incident response engagements involve assets housed on a public cloud, and almost every IR we perform involves public cloud in some way. Complicating matters, according to Gartner, “Through 2022 at least 95% of cloud security failures will be the customer’s fault”. All of this creates a fear, uncertainty and doubt situation, leading organizations to slow their use of public cloud services—or avoid them altogether—in a bid to eliminate risk. This shouldn’t be the case at all. Organizations should feel confident that with the right security strategy, they can seize cloud efficiencies and streamline their business. In our view, the following recommendations should be followed, as outlined in greater detail in the Gartner report, Clouds Are Secure, Are You Using Them Securely?*
“Develop an enterprise cloud strategy, including guidance on what data can be placed into which clouds and under what circumstances.
Implement and enforce policies on cloud ownership, responsibility and risk acceptance by outlining expectations for form, significance and control of public cloud use.
Follow a life cycle approach to cloud governance that emphasizes the operational control of your virtual enterprise of SaaS-, PaaS- and IaaS-based services.
Develop organizational expertise in the implementation and control of each of the cloud models you will be using.
Implement central management and monitoring planes to overcome the inherent complexity of multicloud use.”
The cloud has many advantages, and it will continue to be targeted by attackers so long as organizations continue to use it. However, the right strategies surrounding cloud use can help mitigate the risk posed by threats targeting the cloud. Read the report, Clouds Are Secure, Are You Using Them Securely?*, to learn more.
*Gartner, Clouds Are Secure: Are You Using Them Securely?, Jay Heiser, 7 October 2019
- Security Without Barriers, Part Two: Planning for Cyber Resilience by Christian Schreiber on June 3, 2020 at 5:30 pm
The network perimeter was a key component for defense-in-depth cyber security strategies, separating the internal “trusted” environment from the external “untrusted” world. For many organizations, recent world events have accelerated their adoption of cloud computing and increased their reliance on remote workers. This shift continues a trend where the traditional network perimeter has largely disappeared. Information security strategies must enable authorized users to work productively from anywhere while still protecting critical assets. In the previous post from this series, we explored how security leaders can describe cyber resilience to stakeholders using a museum analogy rather than using a castle analogy to describe defense-in-depth. Museums welcome visitors while still protecting assets from theft or damage. Their security focus shifts from preventing access to preventing exploitation of access. These same concepts can apply when building cyber resilience into an organization.
Getting Started With Cyber Resilience
Many organizations have used cyber resilience to protect their technology environments. A successful strategy should address a few main goals:
- Prevent: Identify threats early to stop attacks before they cause damage
- Mitigate: Minimize damage by disrupting and recovering from attacks that get through
- Sustain: Maximize efficiency and effectiveness of security processes and controls
While these goals are relatively straightforward, building a detailed plan to achieve them can be daunting. Frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework can be used to map out and communicate an approach to stakeholders. The NIST framework offers a holistic model that has been widely adopted around the world. Another benefit to the NIST framework is that non-technical stakeholders often find the five functions (Identify, Protect, Detect, Respond, and Recover) more relatable than other security frameworks that list numerous control categories.
Building Blocks for Success
Here are some elements to prioritize when developing a cyber resilience program, along with examples of how museums approach each of the five NIST Framework functions.
Identify
Museums maintain an accurate inventory of assets, they check in visitors as they arrive, and they conduct employee background checks. Here are some key considerations for a cyber resilience plan:
- Maintain an accurate inventory of data assets rather than just physical devices.
- Map applicable regulations to data assets.
- Identify cloud services being used and responsibilities for securing data in the cloud.
Protect
Museums strive to make visits enjoyable and seamless, but they don’t neglect preventative controls. They install physical barriers around high value assets, and they may require additional checks before entering some exhibits. Cyber resilience plans should also include proactive controls:
- Operationalize security so every individual understands their role and incorporates security into their daily processes.
- Continuously train stakeholders so they have the skills needed to secure the assets entrusted to them.
- Maintain good technology hygiene, including regular patching, using supported operating systems, and implementing malware prevention tools.
- Strengthen technology architecture with risk-based segmentation.
- Strengthen authentication with multi-factor authentication, credential and privilege management tools, and device authentication.
Detect
Museums deploy pervasive monitoring tools such as security cameras and motion sensors to detect potential threats. Organizations should adopt similar threat detection capabilities in their cyber infrastructure:
- Implement protection and detection tools between different architecture segments.
- Ensure tools cover all major attack vectors (network, email, endpoint and cloud) and that teams can correlate attack information across vectors.
- Consolidate and protect logs from on-premises and cloud environments, authentication systems and security tools.
Respond
To minimize risk, museums empower guards to respond when preventative controls fail, they deploy on-demand barriers, and they install fire suppression systems. To minimize damage from attackers who bypass preventative controls:
- Strengthen detection and response capabilities (people, process and tools) to limit the time attackers can be active inside an environment.
- Practice regularly using tabletop exercises and red team engagements.
- Include non-security stakeholders such as marketing, finance and legal executives in these exercises.
Recover
Museums use processes and tools, including insurance policies and law enforcement, to recover from damaging events. Include recovery capabilities in a cyber resilience plan:
- Engage with leadership before a crisis occurs to identify recovery goals, implement appropriate tools and processes, and put the right contracts and policies in place.
- Evaluate and understand the benefits provided by cyber insurance policies.
- Implement proactive incident response retainers so help is available when needed.
- Regularly test backup and recovery tools and processes.
Defining Cyber Resilience Success
While these examples are not exhaustive, they provide an overview of the most important elements needed in an effective cyber resilience strategy. How do you report on whether your strategy is working? Stakeholders often just want to know, “Are we secure?” The next post in this blog series will explore how to provide metrics about a security program, including pitfalls to avoid and suggestions for measuring the effectiveness of efforts.
- Visibility, Compliance and Enforcement: A New Way to Take Control by Lauren Burnell on May 22, 2020 at 5:15 pm
Federal agencies are increasingly shifting workloads to the cloud to take advantage of cost efficiencies and agility, leaving them in a hybrid and multi-cloud environment. No matter where federal agencies are on this cloud journey, we’re seeing that these complex IT environments are causing challenges for security teams. For example, they’re struggling to gain real-time, continuous visibility across their cloud infrastructure. Sometimes they have to stitch together multiple views and monitoring capabilities to understand their security posture. In addition to extra work, this can lead to delayed detection of critical vulnerabilities and threats. Another obstacle in this new cloud landscape is achieving continuous compliance. Security teams are often manually configuring systems to meet a wide range of regulations. Considering how quickly compliance mandates are updated and the volume of applications that must be checked, these tasks can become overwhelming. And then there’s the governance challenge. Enforcing policies and standards across a mixed IT infrastructure can be daunting. We’re also still seeing misconceptions around the shared responsibility model. Although cloud services providers do secure their infrastructure, they are not responsible for securing all the data and apps that agencies migrate there. That means that the data, objects and apps inside the cloud are the organization’s responsibility, not the service provider’s. The governance issue becomes even more complicated with dark or shadow IT, where individual departments spin up their own cloud services without IT’s knowledge. This outcome is frequently referred to as cloud sprawl. Complicating matters, once these workloads are discovered, security teams must audit them to then enforce provisioned controls. Combined, the challenges around visibility, compliance and enforcement make it difficult for CISOs and their security teams to enforce security at the data level—consistently and comprehensively. Yet, they already have their hands full with the sudden expansion of the remote workforce. Meanwhile, they’re also trying to prepare for the Trusted Internet Connections 3.0 initiative, which seeks to enhance cyber security across the Federal government.
What’s Needed
Agencies must simplify security in this complex landscape. That’s where providers that incorporate automation, machine learning and self-service capabilities into their solutions can help. A foundational solution offers assurances of compliance and enforcement by providing a framework for visibility across cloud environments. For example, a single-pane view enables Federal agencies to:
- Establish a visibility framework. This allows organizations to view network traffic, auto-discover cloud assets in public, private and hybrid clouds, and improve threat detection and alerting. Staff could drill down into risk analysis and cloud security analytics to quickly make decisions that improve the agency’s security posture.
- Provide continuous compliance. Having the visibility framework allows organizations to better achieve compliance assurance. That said, the right platform will take it a step further, using automation and built-in, customizable compliance checks for faster analysis, detection and remediation of risks and vulnerabilities.
- Automate enforcement. Federal agencies need to streamline compliance guardrails for continuous policy enforcement across their cloud environments. A foundational security solution that uses automation and intelligent microsegmentation will automatically recommend least-privilege policies to protect cloud workloads, while also continually detecting changes and threats.
Federal agencies will continue their push into cloud environments to take advantage of cost efficiencies and the agility cloud offers. FireEye Cloudvisory provides the critical visibility to ensure continuous compliance and enforcement to mitigate and manage cloud risks. To learn more, join FireEye cloud experts and host Dave Bittner, from the CyberWire, as they discuss how government IT managers can overcome these challenges and pave the way for a successful path forward.
- Approach and Challenges for Incident Response in SaaS Cloud Applications by Lonny Brissac on May 6, 2020 at 5:30 pm
Nowadays many organizations rely on the Software as a Service (SaaS) delivery model for cloud applications they use to manage key business functions, including their ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), HR (Human Resource) Payroll, Communication, and Travel and Expense Management solutions. Those applications are considered high-value targets by threat actors, as they can contain valuable data such as employee PII, suppliers’ and clients’ data, and financial and business data. Understanding the shared responsibility of the SaaS delivery model for cloud applications is critical for organizations to develop an efficient strategy to be prepared for responding to cyber security incidents affecting their SaaS applications in the cloud.
Understanding the Shared Responsibility Model of Software as a Service (SaaS) Applications
Figure 1: Cloud Shared Responsibility model
For the Software as a Service (SaaS) delivery model, the customer is responsible for the security of the data, endpoint, account, access and sometimes identity, while the other components are in the scope of the cloud service provider. That means from an incident response perspective, organizations using a SaaS application should develop a strategy to detect, monitor and respond to cyber security incidents affecting the application architecture components under their responsibility. These organizations should also develop a process to evaluate cloud service providers and make sure they have the capabilities to manage cyber security incidents in the scope of their responsibilities.
Managing SaaS Applications Cyber Security Incidents in the Scope of the Organization’s Responsibility
For detecting malicious activities affecting data, accounts or access, organizations can leverage the audit and access log features often available in SaaS applications to gain visibility of unauthorized accesses, data exfiltration or data manipulation activities. Besides the common privileged and regular user access, SaaS applications often also provide APIs that can be used for integration with other solutions. The scope of the logging strategy should also include those APIs, as these can be abused by attackers to perform malicious activities. For monitoring activities, organizations can evaluate whether the SaaS application logs available can be integrated within their SIEM or CASB solutions. Monitoring activities can then be implemented within those platforms by establishing use cases and alerts for common cyber security incidents affecting data, accounts or accesses (e.g., data exfiltration/loss, account compromise or improper usage). Moreover, some cloud service providers also provide built-in security monitoring and alerting features in their SaaS applications, including the “Transaction Security Policy” for Salesforce, “Instance Security Center” for ServiceNow, or Dropbox “Activity Reports.” For response, developing procedures to investigate and remediate cyber security incidents affecting application architecture components under the organization’s responsibility can help to have a consistent and efficient approach when responding to incidents. The steps to perform the following activities can be defined in order to facilitate incident response activities:
- Revoking access
- Restricting access based on IP address ranges or type of user devices
- Resetting account passwords
- Developing an encryption at rest strategy
- Implementing a data backup and recovery plan
Depending on the Identity and Access Management (IAM) strategy implemented (e.g., cloud based, SSO), some activities could be performed by the organization autonomously within the SaaS applications or enterprise IAM solution. Otherwise, the involvement of the cloud service provider might be required; in that case, the procedure to execute those activities should be documented and outlined in the contractual agreements that will be reviewed during the vendor onboarding process.
Managing SaaS Applications Cyber Security Incidents in the Scope of the Cloud Service Provider’s Responsibility
For the SaaS application architecture components managed by the cloud service provider, organizations can use an evaluation process to make sure the vendor has the capabilities to respond to cyber security incidents affecting the vendor application, network, operating system, hardware and datacenter. Typically, the evaluation process of the cloud service provider incident response capabilities will consist of reviewing the clauses of the contractual agreements related to the incident response activities and eventually requesting documentation (e.g., Information Security policies, standards, procedures), reports (e.g., SOC 2, CAIQ) or certifications (e.g., ISO2700x). For detecting malicious activities, organizations can make sure that the cloud service provider has formalized and implemented a logging and monitoring standard. The scope of the standard should include the SaaS application architecture components under the vendor responsibility such as logging requirements for servers, databases and network devices. Moreover, technology stacks (e.g., SIEM, IDS) and processes leveraged to monitor the logs should be outlined. Finally, for reviewing vendor response capabilities, organizations can verify that a Cyber Security Incident Management procedure is formalized and tested by the cloud service provider. A clear and well-defined notification procedure to report and provide incident details to customers will also give visibility to organizations in order to evaluate the impact and outcome of an incident affecting their SaaS application vendors.
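As an added example of the SIEM/CASB monitoring use cases described above (not code from the original post, from FireEye, or from any of the named SaaS vendors), here is a small detector run over constructed audit-log lines in a generic JSON-lines layout. It implements three of the use cases the text names: a login that succeeds after repeated failures (account compromise), a bulk export (data exfiltration/loss), and an API token used from an address outside its known baseline (API abuse). The field names, thresholds and the baseline of known integration addresses are assumptions; the user names and IP addresses are placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample in a generic JSON-lines layout (field names are assumptions,
# not any vendor's schema). Users and IP addresses are placeholders.
SAMPLE_LOG = """
{"ts": "2020-05-06T08:00:00Z", "actor": "alice", "actor_type": "user", "action": "login", "result": "success", "src_ip": "198.51.100.10"}
{"ts": "2020-05-06T08:02:00Z", "actor": "svc-integration", "actor_type": "api_token", "action": "export", "result": "success", "src_ip": "198.51.100.20", "object": "invoices", "records": 500}
{"ts": "2020-05-06T08:03:00Z", "actor": "bob", "actor_type": "user", "action": "login", "result": "failure", "src_ip": "203.0.113.50"}
{"ts": "2020-05-06T08:04:00Z", "actor": "bob", "actor_type": "user", "action": "login", "result": "failure", "src_ip": "203.0.113.50"}
{"ts": "2020-05-06T08:05:00Z", "actor": "bob", "actor_type": "user", "action": "login", "result": "failure", "src_ip": "203.0.113.50"}
{"ts": "2020-05-06T08:06:00Z", "actor": "bob", "actor_type": "user", "action": "login", "result": "success", "src_ip": "203.0.113.50"}
{"ts": "2020-05-06T08:07:00Z", "actor": "bob", "actor_type": "user", "action": "export", "result": "success", "src_ip": "203.0.113.50", "object": "contacts", "records": 12000}
{"ts": "2020-05-06T08:10:00Z", "actor": "svc-integration", "actor_type": "api_token", "action": "export", "result": "success", "src_ip": "203.0.113.50", "object": "invoices", "records": 500}
"""

# Assumed tunables: an organization would set these from its own baseline.
FAILURE_THRESHOLD = 3                   # failed logins before a success becomes suspicious
FAILURE_WINDOW = timedelta(minutes=10)  # how far back to count those failures
EXPORT_THRESHOLD = 10_000               # records in a single export that count as bulk
KNOWN_API_SOURCES = {"svc-integration": {"198.51.100.20"}}  # constructed per-token IP baseline


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime timestamp, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Run the three use cases over the event stream and return alerts in time order."""
    alerts = []
    recent_failures = defaultdict(list)  # actor -> timestamps of recent failed logins

    def alert(rule, event, detail):
        alerts.append({"rule": rule, "actor": event["actor"], "ts": event["ts"].isoformat(),
                       "src_ip": event["src_ip"], "detail": detail})

    for event in events:
        actor = event["actor"]

        # Use case: API token used from an address outside its known baseline.
        if event.get("actor_type") == "api_token":
            known = KNOWN_API_SOURCES.get(actor, set())
            if event["src_ip"] not in known:
                alert("api_token_unknown_source", event,
                      f"known sources: {sorted(known) or 'none'}")

        if event["action"] == "login":
            if event["result"] == "failure":
                recent_failures[actor].append(event["ts"])
            else:
                # Use case: success after a burst of failures (possible credential attack).
                since = event["ts"] - FAILURE_WINDOW
                failures = [t for t in recent_failures[actor] if t >= since]
                if len(failures) >= FAILURE_THRESHOLD:
                    alert("login_after_repeated_failures", event,
                          f"{len(failures)} failures in the previous {FAILURE_WINDOW}")
                recent_failures[actor].clear()

        elif event["action"] == "export":
            # Use case: bulk export of records (data exfiltration/loss).
            records = event.get("records", 0)
            if records >= EXPORT_THRESHOLD:
                alert("bulk_export", event, f"{records} records from {event.get('object')}")

    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["rule"], a["actor"], a["src_ip"], a["detail"])
```

On the sample the detector raises three alerts, all against the same source address: bob's login after three failures, bob's 12,000-record contact export a minute later, and the integration token being used from that same address rather than its baseline. Correlating those three by src_ip is exactly the kind of use case the text suggests building once the SaaS logs are in the SIEM; the response procedures listed above (revoking access, restricting by IP range, resetting passwords) are the follow-on actions.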
Let FireEye Help
FireEye Cloud Security offers comprehensive cloud monitoring and threat detection for cloud and hybrid infrastructures. Cloud Architecture and Security Assessments can help to evaluate existing cloud security and hardening techniques for the most popular cloud-based assets, including Microsoft Office 365, Microsoft Azure, Amazon Web Services and Google Cloud Platform. The Cloudvisory Security Platform (CSP) is a highly scalable platform for centralized security management across cloud, hybrid-cloud and multi-cloud environments.
- The Security and Privacy Implications of COVID-19 Location Data Apps by David Grout on May 5, 2020 at 11:30 am
Researchers around the world are rushing to create vaccines and medicines that can stop the COVID-19 pandemic or at least halt its spread. In the midst of these efforts, there has been plenty of evidence that technology has a useful role to play in mitigating the crisis and making a valuable contribution in this global battle. The use of mobile devices as part of this effort has raised several important questions around privacy and security. This blog post will explore those questions, and the limits that apply, when considering the use of mobile technology and location data in the global fight against COVID-19. First, it’s important to clarify what types of mobile data and application usage we are talking about. They fall into three main categories: 1) understanding general population movement, 2) potential proximity to COVID-19 positive individuals and advice on measures for self-quarantine, and 3) the collection of information from patients for statistical analysis.
1. Mobile tracking to understand population movement and the impact of lockdown
Mobile carriers in Germany, Italy and France have started to share mobile location data with health officials in the form of aggregated, anonymised information. This falls in line with the law and local regulations. Because European Union member countries have very specific rules about how app and device users must consent to the use of personal data, developers must consider other forms of useful data unless they get individual consent from users. The aggregated and anonymized approach is related to groups within a population and not individuals, but it gives a clear view on population displacement trends and therefore the risk level of each area.
2. Determining potential proximity to COVID-19 positive individuals
This approach is being explored in countries such as Germany and France. The objective is to limit the spread of the virus by 1) identifying people who have potentially come into contact with an individual who has tested positive, and 2) advising those people to self-quarantine, if proximity was determined. In Germany, the government is relying on the rules defined by the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). France is exploring this subject with INRIA under the project ROBERT (ROBust and privacy-presERving proximity Tracing protocol). These types of applications have been in place in several countries since the beginning of the pandemic, including China (Alipay Health Code) and Israel (Hamagen).
Figure 1: Countries with or planning to release official COVID-19 tracking apps, which either track or help to diagnose citizens
3. Collection of users’ information for statistical analysis
This approach has been used by the UK government through the application ‘C-19 Covid Symptom Tracker’, which was developed by the startup ZOE in association with King’s College London. The data needed to meet all three objectives is then stored by mobile providers in a variety of places that must be secured, both to protect the app users’ privacy and to prevent manipulation/spoiling of the data by a third party. And given that data is sourced from different places, like repositories of GPS, Bluetooth and other apps on the device, different security arrangements by source may need to be considered. Regulators are recognizing that app developers need timely guidance to balance the collection of data with safeguarding privacy, with appropriate tools for the public to have control over its data. In the EU, the statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak, published in March 2020, advances this objective.
Figure 2: On March 9, Iran’s Minister of Information and Communications Technology, MJ Azari Jahromi, posted that the Iranian Government was able to collect location data for more than four million Iranians through its COVID-19 tracking app.
Key Principles of Responsible COVID-19 Location Data Apps
Collection of consent for tracking data on an individual level
Today, most apps are voluntarily downloaded and activated by users. The challenge is that these applications often need to be used by a certain percentage of the population to truly be of value in the fight against the virus. This can tempt developers not to disclose the true purpose of an app. A recent survey in Europe showed that around 80 percent of the population in France, Italy and Germany was willing to adopt a tracking application during the COVID-19 pandemic. However, if the app hides a type of data collection and sharing, then the consent given by an individual cannot be valid. Apps must explain which data types are collected, how they are collected, and what the goal behind the collection is. As an example, the Pan-European Privacy-Preserving Proximity Tracing team have explained clearly on their website that they do not collect any personal information such as addresses, phone numbers or geolocation. We are also encouraging developers to ensure that an application respects the privileges it has been granted by users and doesn’t abuse them by operating outside of necessary tasks. App developers should outline under what conditions data collected by the app may be shared or sold to third parties. Third party sharing limited to public health bodies, as an example, may be more palatable to the end user than a sale of data to an unrelated third party.
Time restrictions
App developers should build in the ability to discontinue their use if national health authorities determine that the data they collect is no longer needed to address the pandemic.
Data retention and storage should also be guided by decisions flowing down from national health authorities. Use the right technology Understanding the technology that users and providers are relying on to exchange information is the key to successful adoption. Providers and policy makers will need to define the specific rules for each technology and its associated use. The way technologies are collecting information is important when defining the how, the when and the why of using one technology over another. Several technologies might support these uses around the world among: GPS Bluetooth Video Surveillance (with or without AI) Mobile antenna location Each technology brings both advantages and limitations, and these must be taken into account when choosing the one which will correspond to the need. Among the technological elements to be measured during the decision-making phase. As an example, Bluetooth presents limits to the availability of data collection since the device needs to have the application open and the Bluetooth setting on. Selected features also can impact battery life—if the feature heavily impacts the battery, user adoption will be low. Properly secure the collected data App providers need to ensure an appropriate level of security, possibly through the use of encryption, to avoid any data leaks and any data manipulation by non-trusted third parties. Providers should also be transparent about their choices regarding the technology implementation of their applications and how secure it is. A state-of-the-art implementation guide should be followed, as well as the compliance rules already put in place by international organizations and governments. Prepare to facilitate data protection rights, including deletion rights Depending on the jurisdiction, end users may have the right to request access to personal data that has been collected and to delete the data. 
App developers must think through how they will receive, validate and action these requests. App developers are advised to work with their legal counterparts to understand evolving guidance from regulators. Achieving a balance between swiftly releasing a new app to maximize its impact in helping halt the virus’ spread, whilst ensuring there’s a stringent and tested security/privacy strategy in place, is a challenge. However, if the steps discussed in this blog post are followed then it should mean users will have one less issue to worry about during what is already a difficult period for many. Appendix Additional information on the available protocols: Protocol Objectives Author/promoter Homepage Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project privacy-preserving contact tracing Fraunhofer Institute for Telecommunications, Robert Koch Institute, Technical University of Berlin, TU Dresden, University of Erfurt, Vodafone Germany https://www.pepp-pt.org/ Google / Apple privacy-preserving tracing project privacy-preserving contact tracing Google, Apple Inc. 
https://www.apple.com/covid19/contacttracing Decentralized Privacy-Preserving Proximity Tracing (DP-3T) privacy-preserving contact tracing EPFL, ETHZ, KU Leuven, TU Delft, University College London, CISPA, University of Oxford, University of Torino / ISI Foundation https://github.com/DP-3T BlueTrace / OpenTrace privacy-preserving contact tracing Singapore Government Digital Services bluetrace.io TCN Coalition / TCN Protocol privacy-preserving contact tracing CovidWatch, CoEpi, ITO, Commons Project, Zcash Foundation, Openmined tcn-coalition.org https://github.com/TCNCoalition/TCN DP3T privacy-preserving contact tracing International consortium of technologists, legal experts, engineers and epidemiologists https://github.com/DP-3T/documents/ PACT: Private Automated Contact Tracing privacy-preserving contact tracing MIT Lincoln Laboratory https://pact.mit.edu/ ROBERT-ROBust and privacy-presERving proximity Tracing protocol privacy-preserving contact tracing INRIA, Fraunhofer AISEC https://github.com/ROBERT-proximity-tracing/documents
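The proximity-tracing approach described under point 2 above, and the claim that such an app need not collect addresses, phone numbers or geolocation, can be made concrete with a small simulation. The following Python is an added example written for this page; it is not code from FireEye or from any of the protocol projects listed in the appendix. It follows the general shape of the decentralized (DP-3T-style) design: each device keeps a secret that advances once a day through a one-way hash, broadcasts short ephemeral identifiers derived from the current day key, and records the identifiers it hears from nearby devices. A diagnosed user publishes only the day key from which they were contagious; every other device rebuilds that user's identifiers locally and looks for matches. The SHA-256 hash chain, the HMAC-based identifier derivation, the 96 epochs per day and the 16-byte identifier length are simplifying assumptions of this example, not the exact parameters of any listed protocol.

```python
import hashlib
import hmac
import os
from collections import defaultdict

EPHID_LEN = 16        # bytes per broadcast identifier (assumed for this example)
EPOCHS_PER_DAY = 96   # identifier rotates every 15 minutes (assumed for this example)
BROADCAST_LABEL = b"broadcast key"


def next_day_key(sk):
    """Advance the device secret one day: SK_t = SHA-256(SK_{t-1}).
    The step is one-way, so holding SK_t reveals nothing about earlier days."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk_day):
    """Derive the day's ephemeral identifiers from the day key with a keyed PRF.
    Simplification: one HMAC-SHA256 per epoch rather than a stream-cipher PRG."""
    return [
        hmac.new(sk_day, BROADCAST_LABEL + epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:EPHID_LEN]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Device:
    """One phone: holds its own key chain and the identifiers it has heard nearby.
    No location, name or phone number is ever stored or transmitted."""

    def __init__(self, name, seed=None):
        self.name = name
        self.day_keys = [seed or os.urandom(32)]   # index = day number
        self.seen = defaultdict(set)               # day -> identifiers heard that day

    def day_key(self, day):
        while len(self.day_keys) <= day:
            self.day_keys.append(next_day_key(self.day_keys[-1]))
        return self.day_keys[day]

    def broadcast(self, day, epoch):
        """Identifier this device advertises during the given epoch of the given day."""
        return ephids_for_day(self.day_key(day))[epoch]

    def observe(self, ephid, day):
        """Record an identifier heard from a nearby device."""
        self.seen[day].add(ephid)

    def publish_on_diagnosis(self, first_contagious_day):
        """All a diagnosed user uploads: one day key plus its day index."""
        return self.day_key(first_contagious_day), first_contagious_day

    def exposed_days(self, published, today):
        """Run locally on every device: rebuild the diagnosed user's identifiers from the
        published day through today and intersect them with what this device heard."""
        sk, day = published
        hits = []
        while day <= today:
            if self.seen[day] & set(ephids_for_day(sk)):
                hits.append(day)
            sk, day = next_day_key(sk), day + 1
        return hits


def simulate_contacts():
    """Constructed scenario: Alice meets Bob on days 0 and 2, Carol only meets Bob.
    Alice is diagnosed and publishes her key from day 1 onward."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    bob.observe(alice.broadcast(0, 10), 0)
    bob.observe(alice.broadcast(2, 40), 2)
    carol.observe(bob.broadcast(2, 41), 2)
    published = alice.publish_on_diagnosis(1)
    return {
        "bob": bob.exposed_days(published, today=3),      # day 2 only; day 0 is not revealed
        "carol": carol.exposed_days(published, today=3),  # no exposure
    }


if __name__ == "__main__":
    print(simulate_contacts())
```

Two properties of the design show up in the simulation. Nothing leaves the device except the published day key, so neither a server nor another user learns where a contact happened, only that an identifier they heard belongs to a diagnosed user. And because the chain is one-way, publishing the day-1 key exposes identifiers from day 1 onward but nothing from day 0, which bounds how much of a user's history a diagnosis discloses. Securing the upload channel and the published-key feed against tampering, as the post's "Properly secure the collected data" principle asks, is still required; a forged key would let an attacker generate false exposure notifications.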
- Security Without Barriers, Part One: A New Cyber Security Narrative by Christian Schreiber on April 30, 2020 at 5:00 pm

Information security professionals often use defense-in-depth analogies to describe their security goals. For example, it’s common to conjure an image of a castle and moat to explain cyber security strategy to stakeholders. These visualizations are often accompanied by an explanation that if an attacker gets past one layer, the next layer will stop them.

One problem with defense-in-depth analogies is that the traditional perimeter—i.e. the moat—is mostly gone today. Digital transformation projects, adoption of cloud computing solutions, and the growing use of mobile and remote computing devices have dramatically changed how technology is deployed and used. Perimeter security solutions, such as firewalls and VPNs, cannot be relied upon to protect digital assets.

A more fundamental problem with using defense-in-depth analogies to explain your security strategy is that they describe security success in absolutes: prevent an attacker from getting in. Unfortunately, security teams face an asymmetric threat where inexpensive attacks can, and often do, evade organizations’ expensive cyber defenses. This reality can be summed up with two assumptions:

- No technical solution can prevent all attacks all the time.
- There will always be bad actors looking to exploit this security gap.

Because of this unbalanced threat landscape, many security leaders have adopted cyber resilience strategies. They balance investments that protect against attacks with other investments that mitigate the damage caused by attacks that get through the defenses. We’ll explore the components of cyber resilience more in the next blog post of this series. First, let’s think about how to describe cyber resilience to stakeholders.

Changing the Security Narrative

Describing a cyber resilience strategy requires a vastly different mental image than describing defense-in-depth strategies. Rather than explaining how a castle’s defensive layers keep attackers out, think instead about how a museum protects its assets. The core principle is the same: protect valuable assets. However, the methods and strategies used to achieve this goal are very different. Instead of hardening the perimeter to keep attackers out, a museum must create an open and welcoming environment. It needs to draw visitors in, often allowing them within inches of its most valuable displays and exhibits. As a result, museums assume bad actors can easily get inside the perimeter. Their strategy shifts from preventing access to preventing exploitation of access.

There are other differences between describing a “castle-like” defense-in-depth cyber security strategy versus a “museum-like” cyber resilience strategy. At first glance, describing your cyber security strategy as a museum seems odd. However, if you think about how most IT organizations define success, they’re more like a museum than a fortress. IT leaders design solutions that are welcoming to visitors, that are easy to use, and that still protect critical assets from theft or misuse. Adopting similar language and goals to describe your security strategy helps align cyber security messaging with other IT leaders’ goals.

Heading Toward Cyber Resiliency

Security leaders need a new narrative to describe their security strategies. By adopting cyber resilience strategies instead of prevention-focused defense-in-depth strategies, you also help your organization better prepare for the asymmetric threat posed by cyber attackers. The next post in this series will explore steps organizations can take to build strong cyber resilience. We’ll build on the analogy of how a museum protects assets and show concrete steps for implementing cyber resilience within your organization.
- Five Tips to Enable Remote SOC Workers by Bruce Heard on April 14, 2020 at 5:30 pm

These are difficult times for sure, but times of uncertainty often present opportunities to reevaluate practices. For instance, the enforced work-at-home orders in many areas are an opportunity to enhance and improve security operations. COVID-19 may be an extraordinary case, but it’s certainly not the only event where security team members may not be able to get into the security operations center (SOC). Other disasters, such as fires, tornadoes or hurricanes, can also make it very difficult for staff to physically sit in the SOC. In times of turmoil when bad actors are looking to take advantage, the following are some practices to implement in the SOC to help ensure the continuation of remote operations.

Tip 1: Invest in LCD Screens for Remote SOC Staff

SOC work is very real estate-intensive, meaning these employees like their screens. Big screens, to be able to see a lot of data and a lot of applications, are considered essential. Fortunately, it’s not that expensive to get big screens today. If you know where to shop and aren’t looking for a lot of bells and whistles, 27” to 29” screens fall in the $200 to $300 range. When considering the alternative of not having SOC staff able to work at all, this becomes a reasonable investment to get people back to work from their home.

In cases where purchasing big monitors isn’t possible, there are still ways to get more screen space. Consider using virtual screens. Both Windows and macOS have this functionality built in. macOS refers to it as full-screen applications, which users can swipe between. In Windows, users can create virtual desktops and can easily switch between them.

Tip 2: Address Data Access via Cloud-Based Models

The security information and event management (SIEM) system has become a focal point of a lot of security operations. Many SIEM vendors are moving to a cloud-based model where they host the infrastructure and access to the data is achieved through a web interface (which is how they work on premise anyway). As long as employees are using multi-factor authentication and the web interface has strong encryption in place, the exposure to the organization would be equivalent to someone using the corporate VPN for internal resource access, which should also be using multi-factor authentication and strong encryption.

Other SOC applications and services have similar cloud-based models that many companies are using. The cloud-based model provides scalability, fault tolerance and geographic distribution, where those are of value. They may also ease provisioning access for surge support staff or temporary replacement staff if there is an increase in alert volume or the crisis in some way affects staff availability. These features can be essential in the case of a major incident.

Tip 3: Embrace Collaboration and Task Management Tools

Communication through an event is critical, and there are certainly a lot of people who believe face-to-face communication is essential. We are all principally virtual people in the technology space, though. We live with remote systems through web interfaces and email. There is no reason we can’t adapt to using virtual communications in these times of unrest. Modern communications systems such as Microsoft Teams or Slack provide more capabilities for collaboration and management than we’ve had in the past. Users can have a virtual whiteboard, a wiki, task management, polls and bots all available through the same interface, which generally makes sharing incident data, collaborating on further investigation, and weighing response options faster and more efficient than face-to-face communication. Additionally, Office 365 users that conduct document management via SharePoint can use Teams as a way to get access to those documents easily, editing them in place as needed. The same is true of G Suite and others. Many organizations are already implementing these solutions within the SOC or across the business because of these advantages.

Tip 4: Take Proper Precautions to Secure Video Conferences

Video conferences are often considered the next best thing to being there in person, and they can be, but there are some potential security concerns about web and video conferencing. Attackers today are scanning through video conferencing setups, looking for meetings they can join. If an attacker is in an organization’s environment, they may be well aware of how employees are communicating, which means they may attempt to jump into the SOC conference video chats to hear about ongoing investigations. Doing so could lead to the attacker learning about SOC investigations into their own activity, giving them a major edge in maintaining a presence on the network.

Always pay close attention to who is joining conferences. This can be a challenge if people are using their mobile phones for the audio connection. One way around this is to ensure people have the equipment they need to successfully join using their computer, where they are forced to authenticate—preferably with multi-factor authentication. For organizations that do allow employees to dial in, ensure some form of authentication is in place to verify the right people are joining. Someone should also be assigned the task of monitoring for new participants. Some conferencing software requires an authenticated user to allow admission to outside parties, such as dial-ins, which can also provide a degree of mitigation.

Tip 5: Prepare by Taking Turns Remote Working During Otherwise Normal Operations

To ensure that staff and supporting technology are sufficiently prepared for remote security operations, it may be prudent to assign staff to occasionally work remote shifts during otherwise normal conditions. This allows SOC staff to ensure that they have the technology they need to work from home, so they can effectively and efficiently identify any gaps in advance of a sustained work-from-home situation. This also allows team members to grow and stay more accustomed to virtual collaboration using the aforementioned tools. Overcoming some of the anxiety associated with adopting work-from-home tools and practices, without the added stress that a crisis brings, is beneficial. Additionally, including remote-work considerations as part of any tabletop exercise can be beneficial.

Conclusion

A security operations center should definitely be focused on security, but confidentiality and integrity are not all there is to consider. Availability needs to be a consideration as well, which means SOC analysts and engineers need to be able to perform their duties regardless of the circumstances. There are controls that can be put in place to allow essential SOC staff to remain functional and productive without exposing the essential details of incidents to the wider world. These include multi-factor authentication, virtual private networks, secure cloud-hosted security capabilities, real-time collaboration solutions and, of course, strong encryption over all data transmissions. Embracing these techniques and solutions can allow the security organization to be more agile and responsive when incidents and natural disasters occur simultaneously.
- Discussing Security With Remote Workers by Bruce Heard on April 9, 2020 at 4:00 pm

With more people working from home, issues arise for information technology (IT) and information security (IS) staff. Some of these issues can be addressed by making changes to technologies and applications, but some will likely require increased awareness and some security-minded behavior from remote workers themselves, which organizations will need to promote. This is an opportunity to build better relationships with employees. Those who are unfamiliar with working from home may be especially unsure about best practices to protect themselves and business information. Additionally, IT/IS professionals may have some concerns about the sudden expansion of the edge of the enterprise network—from the circle seen in the middle of Figure 1 to the larger cloud containing all of the remote workers.

Figure 1: Remote workers in relation to the enterprise

It’s important at this time for business leadership and security management to be doing what they can to help all of the people who aren’t used to working from home better protect themselves and, by extension, protect the business. How can IT/IS staff help them out? This blog post explores several good practices to share with all new remote workers that go beyond the traditional security awareness training. That said, reiterating the key points of these trainings to employees who already work remotely is a good idea as well.

Communication

Communication is an important first step. Bring employees into the conversation and provide them with awareness of several concepts. The first thing to make them aware of is which company resources are the most important or valuable. This includes any sensitive information, including intellectual property, financial records or customer information. There may be a lot more on this list depending on the company, but this is a good start. More than just information, though, any computer is a potentially valuable resource. If one of the bad guys gets onto a system and doesn’t find anything, they probably aren’t going to leave. If nothing else, laptops and desktops have computing resources for cryptomining or a botnet.

Credentials

Credentials are a common way for attackers to get into business systems. There are a number of ways to do this, including credential stuffing, meaning reusing credentials from other, previously compromised services to attempt logins. If an organization has critical business services such as email or shared resource access (e.g., file sharing sites like Google Drive or OneDrive) where multifactor access is currently optional, consider making it mandatory and explaining to staff members why—multifactor authentication can significantly raise the bar for attackers getting access to systems. So long as tokens are being allowed as the additional factor—either hard token or app-based token—and not SMS messages, multifactor is an important security control, especially for any remote access to company data and resources. SMS messages have been hijacked by attackers to defeat multifactor, which is why we don’t recommend it.

Virtual Private Networks

Virtual private network (VPN) resources are being strained since most businesses are not used to so many people working from home. Many workers may not really need to use a VPN, however. If they are primarily using either local native applications and email or even web-based applications and email, they may not need a VPN. This is where understanding threats is helpful. As long as they are only performing business functions and not browsing arbitrary websites, most web-based business resources will protect confidentiality, as will cloud-hosted business email such as Google’s Business Suite or Microsoft’s Office 365. This is another case of communication and education. As long as they understand the parameters, IT/IS staff can reduce the strain on VPN infrastructure and still protect the business.
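The credential-stuffing pattern described in the Credentials section (previously leaked username/password pairs tried once or twice each from one source) looks different in authentication logs from a brute-force attack on a single account, and that difference is what a SOC can alert on while multifactor authentication is being rolled out. The following Python is an added example, not code from the post or from FireEye; the log format, field names, thresholds and IP addresses are all constructed for the illustration and would need to be adapted to a real identity provider's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed for this example, not a real product's format):
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one stuffing source, one single-account brute force, one normal user.
SAMPLE_LOG = [
    "2020-04-09T10:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2020-04-09T10:00:03Z src=203.0.113.5 user=bob result=FAIL",
    "2020-04-09T10:00:04Z src=203.0.113.5 user=carol result=FAIL",
    "2020-04-09T10:00:06Z src=203.0.113.5 user=dave result=FAIL",
    "2020-04-09T10:00:09Z src=203.0.113.5 user=erin result=FAIL",
    "2020-04-09T10:00:11Z src=203.0.113.5 user=frank result=OK",
    *[f"2020-04-09T10:01:{s:02d}Z src=198.51.100.7 user=admin result=FAIL" for s in range(0, 40, 5)],
    "2020-04-09T10:05:00Z src=192.0.2.9 user=grace result=FAIL",
    "2020-04-09T10:05:20Z src=192.0.2.9 user=grace result=OK",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, max_tries_per_user=2):
    """Flag sources that fail logins for many distinct accounts with few tries each.

    Stuffing reuses leaked username/password pairs, so each account is tried once
    or twice; a brute force hammers one account and is left to a separate rule.
    Returns {src: {"distinct_users": n, "failures": n, "successes": [users]}}.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            fails = [e for e in evs[start:end + 1] if not e["ok"]]
            users = {e["user"] for e in fails}
            if len(users) >= min_distinct_users and len(fails) <= max_tries_per_user * len(users):
                prev = findings.get(src, {"distinct_users": 0})
                if len(users) > prev["distinct_users"]:
                    findings[src] = {
                        "distinct_users": len(users),
                        "failures": len(fails),
                        # Any account that logged in successfully from a stuffing source
                        # should be treated as possibly compromised and reviewed.
                        "successes": sorted({e["user"] for e in evs if e["ok"]}),
                    }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

The thresholds are starting points to tune against an environment's normal traffic (shared NAT egress addresses in particular produce many distinct users per source). The "successes" list is the part worth acting on: a successful login from a source that was just cycling through leaked credentials is the signal that an employee reused a password, and it is exactly the case where mandatory token-based multifactor authentication, as the post recommends, would have stopped the login even though the password was correct.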
Anti-Malware

It may go without saying, but anti-malware is essential. Many businesses are doing a form of anti-virus through their mail transfer agent (MTA), and email is a common vector for attack, but that shouldn’t be a reason to forgo anti-malware on desktop systems. This is especially true if employees are now using their own devices to access business resources that may be housed with a cloud-based provider. However, anti-malware is not perfect—users must protect themselves and their systems using common computer hygiene practices. Organizations should be helping employees understand that even if they have anti-malware software, they are not completely protected. They still need to practice safe computing—always validate attachments, website links and requests for money transfers by making a phone call. If there is any doubt, employees should feel encouraged to contact the help desk.

Shadow IT

Shadow IT is a problem for many organizations. IT-approved resources need to be available for employees, and they need to know how to get to those resources from home. This will short-circuit people making use of unauthorized IT-style resources such as file sharing sites, for instance. People use shadow IT because they either don’t know that there is an approved resource available, there isn’t an approved resource available to meet their needs, or it’s too difficult to get access to it. Organizations should make sure all of those concerns are addressed, and their shadow IT problem can be decreased or eliminated completely. Communication is essential and it should be provided in a helpful tone. Security can be seen as an enabler and should be an enabler rather than something that is restrictive. As soon as doing something right becomes too onerous, people will find ways around it, defeating the security control from the outset.

In Closing

Working from home can be a very productive time. Studies have shown that remote workers are more efficient, or at least can be more efficient, than their co-workers who are in offices. It doesn’t have to be painful or impossible to get work done, nor does it have to generate a massive increase in information security risk. There are a handful of things IT/IS staff should be doing to help employees navigate this difficult time. First, make sure staff is using the company-provided VPN, but also that they have some guidance about when it is essential and when it can be skipped to reduce the strain on resources. If organizations are using a service such as Office 365 or Google Business Suite, email is encrypted without the VPN—and should require multifactor authentication. So, if all that is being used is email or other encrypted web services, a VPN may not be needed. Additionally, employees should understand why a security control is in place—such as anti-malware—and what threat it is trying to counter. For anti-malware, if a business-controlled repository for signature updates is being used, make sure staff understands how to keep the anti-malware up to date, since phishing attacks are increasing at this time. Finally, the message needs to be spread to avoid using shadow IT resources. Make sure employees understand how to use internal, corporate-controlled resources and make it easy for them to use those resources.