Creating tools to support Cloud Service Providers (CSPs) transparency and assurance
Thanks to the support of our peer reviewers and contributors (including the EU projects SPECS, A4Cloud and CUMULUS), we are pleased to announce the release of the CSA Cloud Trust Protocol (CTP) data model and API specification.
The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
A prototype implementation of the CTP API will be released as open source by mid-December 2015. This will allow us to validate and fine-tune the CTP API in a set of concrete use-cases. CTP peer reviewers will be provided early access to the CTP code repository.
The Cloud Security Alliance is a partner in the EU FP7 SPECS project.
About the SPECS project
The SPECS project aims at developing and implementing an open source framework to offer Security-as-a-Service, by relying on the notion of security parameters specified in Service Level Agreements (SLA), and also providing the techniques to systematically manage their life-cycle.
There are trends that have been on the industry’s radar for a while now: social, mobile, applications and cloud. However, within the next year, we’ll see more of an emphasis on one of the key underpinnings of these trends – identity. The issues with data management and security are often told and understood from an industry, business or sector perspective; but society as a whole is still arguably not at a point where it is fully awake to these issues and how they directly affect individuals. Next year, I believe we will begin to see people recognising the need to make big decisions around privacy. This is especially true when it comes to how much of their identity and data they are, and should be, willing to ‘give away’ or hold back, and balancing this with the convenience of their rapidly developing online lives.
Many of us recently updated to iOS 9 and downloaded it without hesitation. Today you can ask Siri or Cortana to access your holiday pictures in an instant, pay for your shopping with your phone or check your heart rate or symptoms on a health application if you’re unwell. Every time we use one of these conveniences, we are giving away more and more information about our lifestyles, and increasingly becoming owned by the ecosystems that we choose.
We are still largely unaware of where and how our data can be accessed; and the consequences can be potentially dangerous. A study published in BMC Medicine recently revealed that 20 percent of the health apps it looked at did not have a privacy policy, most of the apps communicated with one or more third party services, and four of the apps even sent identifying and confidential health information without encryption. The general invasion of privacy isn’t the only problem. The data could fall into the hands of parties who could be actively seeking it out (e.g., insurance companies).
While society as a whole isn’t in the state of security and privacy awareness that it needs to be, there are signs that this is beginning to change and that industry is beginning to respond. Following the launch of iOS 9, Apple added a new section to its website dedicated to explaining to customers its approach to privacy and how it manages data.
Society is still not catching up fast enough, and there is currently a fundamental disconnect between what motivates product and technology development and what is needed to truly secure it. Organisations are putting their efforts into protecting corporate reputation, rather than investing in prevention with a ‘security-by-design’ approach. The speed at which new applications and devices are brought to market is faster than ever before and we are dealing with more data than ever. A culture of making security a staple part of development processes and programming needs to be embedded within every organisation that has a service to offer involving storing or managing consumer data. Such requirements are too often considered down the line. As a body of certified cyber, information, software and infrastructure security professionals, (ISC)² recently took steps to promote such a culture by working with the government, the Council of Professors and Heads of Computing, BCS, the Institute for IT and other industry bodies to create course guidelines to enable cybersecurity to become a core component of UK computing degrees. The result was a set of guidelines that detail aspects of defensive programming to defend against basic risks, as well as having core modules such as secure systems and products, and cybersecurity management.
By taking steps like these, society can move to a culture of ‘security first’ over time. The key is to start with future IT professionals before they enter the workforce to engrain security within them for any programming or development. This will ultimately enable the future workforce to respond to the needs of a more security aware general public (customer base) that will be ready to take control over their own data and identity.
Dr. Davis will be asking a panel of experts, including Oracle’s Director of Security for EMEA Georg Freundorfer; CISO for Deutsche Flugsicherung Dr. Sebastian Broecker; and former U.S. White House Advisor and current Executive Director at Safecode Prof. Howard Schmidt their visions looking forward in 2016 and beyond as he moderates the opening keynote, “How Can we Secure Tomorrow Today?” at (ISC)² Security Congress EMEA in Munich 20-21 October. — Dr. Adrian Davis, CISSP, Managing Director, (ISC)² EMEA
Malicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor pursues is the theft of authentication information, whether it applies to business or personal accounts. Unless specifically mitigated, this theft often allows an unauthorized actor to masquerade as the victim, either achieving immediate gains or creating a platform from which progressive attack campaigns may launch.
There are a number of threats that endanger the critical secrecy of credentials, including poor operational security practices, social engineering, man-in-the-middle attacks, password hash dumping and cracking, and surveillance malware. In this post, Unit 42 examines various trends in a malware threat set within the surveillance malware category: Predator Pain and its latest derivative, HawkEye.
Threat Background
Surveillance malware covers a broad range of capabilities, including:
Capture of keyboard and / or input device (e.g., mouse) activity, with window / process awareness (keylogging)
Taking asset display screen shots or video (display capturing)
Assuming control of cameras and / or microphones attached to an asset (live surveillance)
Interception of network communications (sniffing)
Each of these capabilities can be qualified by its scope (i.e., types of information collected) and method (ranging in techniques and sophistication). Additionally, some surveillance software includes its own exfiltration mechanism, while others may depend on external software to accomplish the transfer of captured information.
Both Predator Pain and HawkEye are considered keyloggers, but they also include additional features, such as web browser and e-mail client credential dumping, display capture, and exfiltration of the captured information. HawkEye is openly sold on a commercial website, whereas Predator Pain is usually acquired through underground forums. These features have made this set of malware popular with malicious actors across a number of motivations; however, the most prevalent motivation remains cyber crime, in which stolen information is directly exploited or sold for financial gain. (A list of additional reading links is found at the end of this blog post for anyone interested in learning more about this specific threat set.)
Trending and Analysis: July 2015-September 2015
The following sections describe Predator Pain and HawkEye trending and analysis conducted by Unit 42 from July 2015 through September 2015. We leveraged the Palo Alto Networks AutoFocus service, under which this threat set is tagged as PredatorPain.
Target Selection
Almost all of the adversaries Unit 42 observed employing this malware threat set harvest publicly disclosed or leaked e-mail addresses to construct phishing campaign targeting lists. These lists are mostly indiscriminate, with malicious actors seeking any opportunistic gains they can glean from “shotgun” style attack campaigns. The natural exposure of businesses with publicly advertised e-mail addresses (e.g., sales@<domain> or info@<domain>) makes for easy targeting of what typically represents key organizational e-mail distributions. In other words, these distributions normally reach a number of staff at the target organization who are motivated by their importance to the business, increasing the likelihood of them inadvertently executing malicious code on their systems.
Threat Volume
Figure 1 depicts July to September 2015 sessions (individual occurrences) for this threat set.
Observed sessions revealed an interesting pattern in distribution volume: ramping up on Sunday, peaking Monday through Wednesday, and dropping significantly from Thursday onward. We believe this corresponds with focused business targeting early in the workweek, per the previously noted targeting process employed by most cyber crime actors.
Delivery
Figure 2 shows the delivery methods observed for the Predator Pain and HawkEye threat set over the period of interest, with e-mail by far being the preferred delivery method for adversaries.
Table 1: Lure theming examples for e-mail attacks, July – September 2015
Malware delivered via malicious e-mail mainly consisted of Microsoft Windows Portable Executable (PE) 32-bit and 64-bit binaries; Microsoft Word or RTF documents constituted the remainder of malicious files. Attempted downloads of this threat from web and FTP sites were also observed; however, these represented drastically lower occurrences (session counts).
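Because the e-mail-borne samples were overwhelmingly PE binaries, with Word/RTF lures making up the rest, the practical gateway check is to classify attachments by their content rather than by the file name the sender chose. The following Python is an added example (not code from the Unit 42 post or from Palo Alto Networks): it reads the PE header per the documented Microsoft format to distinguish 32-bit from 64-bit images, recognises OLE2/OOXML/RTF document magic, and flags executables hiding behind document-looking names. The stub attachments, the file-type table and the verdict strings are constructed for this illustration.

```python
"""Triage e-mail attachments by content, not by file name.

Added example, not code from the Unit 42 post. PE header parsing follows the
documented Microsoft PE format; the stub attachments, file-type table and
verdict strings are constructed for this illustration.
"""
import struct

# Magic bytes for the attachment types the post names (Windows PE, Word, RTF).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx is a ZIP container
RTF_MAGIC = b"{\\rtf"
EXEC_EXTENSIONS = {"exe", "dll", "scr", "com", "pif"}
PE_MACHINE_BITS = {0x014C: 32, 0x8664: 64}        # IMAGE_FILE_MACHINE_I386 / _AMD64


def pe_bitness(data: bytes):
    """Return 32 or 64 for a PE image, or None if the bytes are not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)   # COFF Machine field
    return PE_MACHINE_BITS.get(machine)


def classify(data: bytes) -> str:
    bits = pe_bitness(data)
    if bits:
        return f"pe{bits}"
    if data[:2] == b"MZ":
        return "mz-executable"          # MZ stub without a recognised PE header
    if data.startswith(OLE_MAGIC):
        return "doc"
    if data.startswith(ZIP_MAGIC):
        return "docx"                   # assumption: any ZIP here is treated as OOXML
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def assess(name: str, data: bytes) -> str:
    """Gateway verdict: block executables, detonate documents, allow the rest."""
    kind = classify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind.startswith("pe") or kind == "mz-executable":
        if ext not in EXEC_EXTENSIONS:
            return f"block: {kind} executable disguised as .{ext or '(no extension)'}"
        return f"block: {kind} executable attachment"
    if kind in ("doc", "docx", "rtf"):
        return f"detonate: {kind} document (macro or exploit lure candidate)"
    return "allow"


def triage(attachments: dict) -> dict:
    return {name: assess(name, data) for name, data in attachments.items()}


def _fake_pe(machine: int) -> bytes:
    """Build the smallest byte string pe_bitness() accepts (constructed test data)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 20


# Constructed attachments with business-looking names (not real samples).
SAMPLE_ATTACHMENTS = {
    "Purchase_Order_2015.exe": _fake_pe(0x014C),
    "Invoice.pdf": _fake_pe(0x8664),                 # PE bytes behind a document-looking name
    "Quotation.doc": OLE_MAGIC + b"\x00" * 64,
    "Shipping_Details.rtf": b"{\\rtf1\\ansi Shipping details attached}",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:26s} {verdict}")
```

The point of the two-tier verdict is that an extension blocklist alone misses the "Invoice.pdf" case, while the document verdict routes Word/RTF lures to dynamic analysis rather than trusting them outright.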
Observed Targeting
With these distribution methods in mind, Figure 3 shows an AutoFocus visualization for the 80 countries Unit 42 observed as targeted by the Predator Pain and HawkEye threat set during the noted time period.
Not surprisingly, the top-ten list of most highly targeted countries includes 7 of the 23 wealthiest in the world, based on GDP per capita:
United States
Australia
Canada
Thailand
Taiwan ROC
Kuwait
Japan
Spain
Italy
Sweden
The top ten targeted industries accounted for 82% of sessions:
High Tech
Higher Education
Manufacturing
Professional and Legal Services
Transportation and Logistics
Wholesale and Retail
Construction
Media and Entertainment
Telecommunications
Government
We suggest three reasons based on this combination of observed countries and industries targeted:
Innovative organizations are prime targets for a number of adversary motivations due to the capabilities and intellectual capital they aggregate.
Service oriented businesses, striving to develop customer relationships are more likely to fall victim to phishing attacks due to both organizational culture and incentives for client and customer engagement.
Natural target saturation occurs within countries with established or thriving infrastructure, enabling malicious actors to reach a broader range of targets remotely through technology.
Prevalent Malware Capabilities
The Predator Pain and HawkEye set of malware is feature-rich compared to most other keyloggers. The following are the capabilities Unit 42 observed as most often enabled for this threat set during the focal time period (ordered by prevalence):
E-mail client credential dump
Web browser credential dump
Collection of system configuration information
Logging of web browser activity
Logging of e-mail activity
Screenshot grabbing
Exfiltration Method Break-Out
This threat set includes three main methods of exfiltration: E-mail, PHP-based Web Panel, and FTP. Figure 4 shows the HawkEye keylogger’s settings page, where the method employed by an instance can be specified.
Figure 4: HawkEye keylogger settings screen
The Predator Pain and HawkEye configurations analyzed by Unit 42 over the focal time period revealed the following break-out for exfiltration method, with e-mail constituting the preferred method across a number of malicious actors:
Prevention is the best strategy when it comes to the threat posed by keyloggers, such as the Predator Pain and HawkEye set. System hardening, integrity assurance, software version and patch management, and user awareness are just the first steps towards threat mitigation.
Recommendations for protecting against this class of threat include:
Employ multi-factor authentication: Knowledge-based authentication relies on the secrecy of information. Adding elements of what you have (e.g., a hardware token) or what you are (e.g., biometrics) reduces the value of stolen credentials to an adversary, because a captured password then satisfies only one factor in the authentication process.
Limit the impact of stolen credential information: Don’t reuse credentials across accounts, and change those credentials periodically. Adversaries commonly engage in activities such as credential stuffing in an attempt to maximize the benefits of stolen credentials.
Maximize network control and visibility: The latest Verizon DBIR included the finding that in over 25% of breaches, the organization was notified of the breach through a third party. Inbound, outbound, and internal network traffic needs to be controlled and monitored. This is also useful for disrupting malware C2 and exfiltration channels.
Integrate anti-malware automated dynamic analysis (e.g., sandboxing): Identify previously unknown threats before they become much larger problems on the network. Given the anti-detection tools at the disposal of adversaries, this is a modern necessity.
Implement network segmentation: Avoid flat networks, where once an adversary is in they have unrestricted access to internal resources. Network segmentation is a best practice for exposing only as much as is required for specific organizational processes, moving toward a “zero trust” model. In this context, it is about further limiting the access of an adversary should they successfully compromise credentials.
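The exfiltration break-out above (e-mail, PHP web panel, FTP) and the “network control and visibility” recommendation suggest a concrete detection: a keylogger that mails or FTPs its harvest has to open those channels from a workstation that normally has no business doing so. The Python below is an added example, not code from the Unit 42 post or from Palo Alto Networks. It scans constructed firewall/proxy log lines and flags internal hosts that speak SMTP directly to the Internet instead of via the mail relay, open FTP to unapproved hosts, or POST to a PHP endpoint on an unsanctioned host. The log format, internal ranges, approved relay and allowlists are assumptions for the illustration; external addresses use the RFC 5737 documentation ranges.

```python
"""Flag the three exfiltration channels the post attributes to Predator Pain and
HawkEye (direct SMTP, PHP web panel, FTP) in constructed egress logs.

Added example, not code from the Unit 42 post. The log format, internal ranges,
approved relay and allowlists are assumptions for this illustration; external
addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
APPROVED_MAIL_RELAYS = {"10.0.0.25"}     # only host allowed to speak SMTP outbound (assumption)
ALLOWED_FTP_HOSTS = {"198.51.100.10"}    # a partner's FTP server (assumption)
ALLOWED_WEB_HOSTS = {"198.51.100.80"}    # sanctioned SaaS endpoint (assumption)
SMTP_PORTS = {25, 465, 587}

_FIELD = re.compile(r"(\w+)=(\S+)")      # key=value pairs; constructed log format


def parse_line(line: str) -> dict:
    ev = dict(_FIELD.findall(line))
    ev["ts"] = line.split(" ", 1)[0]
    return ev


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_egress(ev: dict):
    """Return (channel, reason) when an internal->external flow matches an exfil pattern, else None."""
    src, dst = ev["src"], ev["dst"]
    if not is_internal(src) or is_internal(dst):
        return None                                  # only internal -> external flows matter here
    port = int(ev.get("dport", 0))
    if port in SMTP_PORTS and src not in APPROVED_MAIL_RELAYS:
        return ("smtp", f"{src} sends mail directly to {dst}:{port}, bypassing the relay")
    if port == 21 and dst not in ALLOWED_FTP_HOSTS:
        return ("ftp", f"{src} opens FTP to unapproved host {dst}")
    path = ev.get("uri", "").split("?", 1)[0].lower()
    if ev.get("method") == "POST" and path.endswith(".php") and dst not in ALLOWED_WEB_HOSTS:
        return ("web-panel", f"{src} POSTs to PHP endpoint {dst}{path}")
    return None


def scan(lines) -> dict:
    """Group alerts by source host so one infected workstation shows all its channels together."""
    alerts = defaultdict(list)
    for line in filter(str.strip, lines):
        ev = parse_line(line)
        hit = classify_egress(ev)
        if hit:
            alerts[ev["src"]].append(hit)
    return dict(alerts)


# Constructed log lines: the relay behaving normally, one infected host trying
# all three channels, and one host whose traffic is entirely legitimate.
SAMPLE_LOG = """\
2015-08-17T08:02:11Z src=10.0.0.25 dst=203.0.113.20 dport=25 proto=tcp app=smtp
2015-08-17T08:05:42Z src=10.1.20.14 dst=203.0.113.77 dport=587 proto=tcp app=smtp
2015-08-17T08:06:03Z src=10.1.20.14 dst=203.0.113.78 dport=80 proto=tcp app=http method=POST uri=/panel/post.php
2015-08-17T08:09:30Z src=10.1.20.14 dst=203.0.113.79 dport=21 proto=tcp app=ftp
2015-08-17T08:11:15Z src=10.1.20.31 dst=198.51.100.10 dport=21 proto=tcp app=ftp
2015-08-17T08:12:00Z src=10.1.20.31 dst=203.0.113.90 dport=443 proto=tcp app=https method=GET uri=/index.php
2015-08-17T08:13:45Z src=10.1.20.31 dst=10.0.0.25 dport=25 proto=tcp app=smtp
""".splitlines()

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG).items():
        print(host)
        for channel, reason in hits:
            print(f"  [{channel}] {reason}")
```

The SMTP and FTP rules are the strong ones: on a segmented network with a single egress mail relay, a workstation talking port 25/587 to the Internet is a policy violation regardless of payload. The PHP-POST rule is noisier on its own and in practice would be combined with destination rarity or a proxy allowlist, which is why the example gates it on an allowlist rather than firing on every POST.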
Additional Reading
The following are some analyses for the Predator Pain and HawkEye malware threat set that expand on associated capabilities, attributed actors, and observed campaigns: