Let’s Not Pit Broader Privacy Concerns Against Security in the EU

In an age where information is power, crowdsourcing threat data is a powerful tool to inhibit the attackers’ opportunity. The quicker we uncover and understand attacks and how they work, the faster we can prevent them.

Yet, at present, broader privacy concerns can be an inhibitor that keeps us behind the pace of the attacker. All too often, I see people start to look at their feet as soon as EU privacy considerations enter the discussion. It is ironic that, by not collaborating, we potentially leave ourselves more exposed to attackers, who all too often aim to steal private information. When we get into “the why, the what, and the how” of threat information gathering and collaboration, perceptions typically change. My challenge to each of you is to understand the details and not let broader privacy debates unduly influence your perspective on the value of cyberthreat information collaboration.

To want to share, we need to recognize the value sharing brings, which is to identify new attacks faster and be better enabled to prevent impact to users’ systems and personal information. It’s important to remember that cybersecurity is developed to protect you and your information.

So, what data is required to discover threats? When I started in the industry, customers would send threat samples to us via courier. With the increasing speed and volume of attacks, we have been driven to automate the process. The Internet provided the mechanism to shorten submission times and to leverage CPU scale to reduce analysis time, thereby increasing the volume of samples that can be processed.

As attacks have become increasingly unique and complex, what’s needed to analyze an attack now is often more than just a singular file; it often requires knowledge of environmental specifics and commonly may need to maintain communication with the attack source to function.  What we should recognize is that, typically, attacks are external connections into the business.

Today, good security vendors provide choices as to whether you do the initial threat analysis on your own premises or leverage the CPU capacity of the cloud. Ideally, either way, the intelligence gathered on the attack needs to be passed back to allow other customers to be able to detect the attack as well. How would you feel knowing that a breach could have been stopped, but those who knew about it chose not to share their insight? The more attack intelligence we build, the more we can quickly and accurately detect the next iteration that we know will come down the road.

Now, imagine the insights available if all of the key vendors were to collaborate at a technology level. This is exactly what responsible cyberthreat information sharing does today – between customers and security vendors, and among security vendors. Take, for example, the Cyber Threat Alliance (CTA), established between key security vendors at a technology level. This group was formed with the aim of sharing threat intelligence for the purpose of improving defenses against advanced cyber adversaries across member organizations and their customers. Its goal is to gain broader insight into attacks more rapidly, so prevention controls can be applied faster. Effectively, we can outpower the attackers, making success far more costly for them. No longer would a quick recompile of the attack binary or a new phishing subject line succeed. The entire lifecycle of the attack would need to be genuinely unique for its attributes (Indicators of Compromise) not to be recognized. We would effectively be crowdsourcing, at a technology level, the ability to discover and, therefore, prevent attacks.

In Europe, data privacy is a contentious topic. We are in danger of becoming nations of skeptics that see it as easier not to share than to trust. Yet the EU Network and Information Security (NIS) Directive includes a requirement for national cooperation plans around threat intelligence, so there is a clear recognition at a national level that collaboration is needed to better prevent cyberattacks. Both are important topics for society, yet we are in danger of the emotional aspects of the privacy debate overshadowing our need to collaborate.

Here are three of the questions I am frequently asked and my perspective on them (and I challenge you to reflect on these and build your own views):

1. Do you understand what threat information your security solutions are capturing in order to understand and qualify if there is a privacy concern?

Take the attack binary as an example: it is external code, so there should be no privacy concern there. The cynical retort, however, would be that the attacker may embed it in an internal document to increase the likelihood of users opening it. I would counter that, if the attacker can do this, the data in question is no longer private.

Session information is also extremely valuable for identifying and understanding the attack. Since the attacker is typically external, this data is already crossing the Internet as the attack communicates with the victim and, as such, is not private data. The key point here is to challenge your vendor to share exactly what data is passed back to the cloud. Most are increasingly giving very granular policy control over just what you choose to share. In my experience, all are open to disclosing this and have technical documentation to validate it.

2. Where does threat information and the intelligence go?

Typically, many want to ensure cloud data resides in the EU to reduce regulatory complications. As such, security companies are now building on-premises filter points to complete the initial localized analysis, and clouds in the EU to help with this requirement. However, we should recognize that most attackers do not work within the limitations of geographic boundaries, so, to be effective, even though the raw information is gathered and analyzed within the EU, the intelligence derived from it (the detection capabilities generated from the analysis) must be shared globally to succeed. How frustrated would you be if the response was “we knew about that attack but couldn’t share the data, as we didn’t trust your country”?

3. How can I trust my security company?

It seems people want to be skeptical about security providers. The topic used to be whether vendors write the attacks; now, it’s whether they are spying on their customers.  You could ask the same of your postal or courier service – how do you know that they don’t open all of your parcels and letters?  The short answer is that we must have some level of trust in their ability to deliver on the services they each provide. The same goes for the security industry. Being transparent with each other on what, how and why threat information is gathered, but also allowing each customer flexibility in how they contribute, is a core component in maintaining that trust.

In a world where new threats appear every second but the rudimentary techniques used change very slowly, attackers succeed by making their attacks chameleon-like. If we simply look for the color of the skin, we fail. Yet, if we can go beneath the skin, the characteristics are more detailed and consistent.

To beat the attacker, we have to get under the skin of the attack, and through crowdsourced cloud collaboration, we have the CPU power to achieve this and outperform them.  The UK Cyber Information Sharing Partnership (CISP.org), which I’m proud to be a part of, has shown clear value in sharing threat information between like organizations.

To collaborate, we need to ensure we understand the specific requirements and the value we receive from being part of the security threat intelligence community.  We need to be pragmatic and not let the current emotional responses around broader privacy concerns unduly influence our decision to beat the attacker and so assure our information.

[Palo Alto Networks Blog]

Go with the NetFlow

What is NetFlow and How Can it Help Me Monitor Traffic?

Do you want to know how much traffic is flowing through your network, where it’s coming from and going to, and who is generating it?

Palo Alto Networks firewalls support NetFlow v9, an industry-standard protocol for exporting information about IP traffic flows as they enter or exit an interface. You can use this information to gain real-time situational awareness of all users, devices, and traffic in your network.

The firewall sends the flow information as NetFlow records to a NetFlow collector. A flow is a unidirectional sequence of packets that have common attributes such as ingress interface, source/destination IP address, IP protocol, source/destination port, and IP type of service. In the Palo Alto Networks implementation, the NetFlow records also include application names and usernames that the App-ID and User-ID features identify. The NetFlow collector processes the flow records to present traffic analysis in a user-friendly format. This traffic analysis enables you to discover patterns in bandwidth usage and device performance. It also helps you detect traffic anomalies so you can improve firewall policies to protect your network while allowing users to access useful applications.

For example, if users complain about slow or sporadic access to services, NetFlow can help you identify which users, endpoints, applications, and protocols use the most bandwidth and at what times. Identifying the top “talkers” and predicting spikes in activity can help you plan bandwidth expansion. If DoS or other attacks target your network, NetFlow can help you to detect these before they escalate and cause a network outage.
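As an added example (not code from the original post and not Palo Alto Networks’ own implementation), the following Python shows the collector side of what is described above: it parses a NetFlow v9 export packet, caches the template that describes each data FlowSet, decodes the flow-key and counter fields into records, and ranks sources by bytes to find the top talkers. The export packet, addresses and counters are constructed inline for the example; the field types are the standard RFC 3954 ones, and the enterprise-specific App-ID and User-ID fields of the Palo Alto export are not modelled.

```python
"""Collector-side handling of NetFlow v9 exports: template caching, record decoding,
and a top-talkers summary. The packet below is constructed for this example."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Standard NetFlow v9 field types (RFC 3954) used here. The application-name and
# username fields of the Palo Alto Networks export are enterprise-specific and omitted.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


def _decode(ftype, raw):
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one export packet into a list of flow records (dicts).

    `templates` maps (source_id, template_id) -> [(field_type, length), ...] and is kept
    across packets: data FlowSets are only decodable after their template has arrived,
    so records whose template is still unknown are skipped rather than guessed."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template FlowSet: one or more (id, field list) definitions
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0 or pos + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:  # data FlowSet: laid out exactly as its template says
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += fs_len  # FlowSet ids 1-255 (options templates etc.) are skipped here
    return records


def top_talkers(records, key="src_addr", n=3):
    """Sum in_bytes per key (source address by default), largest first."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += rec.get("in_bytes", 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_packet(include_template=True):
    """Constructed export: template 256 (src, dst, ports, proto, bytes, pkts) and three flows."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    flows = [  # made-up addresses (RFC 5737 documentation ranges) and counters
        ("10.0.0.5", "203.0.113.10", 51234, 443, 6, 900_000, 600),
        ("10.0.0.7", "203.0.113.10", 51235, 443, 6, 120_000, 100),
        ("10.0.0.5", "198.51.100.2", 40000, 53, 17, 300, 2),
    ]
    data = b"".join(struct.pack("!4s4sHHBII", IPv4Address(s).packed, IPv4Address(d).packed,
                                sp, dp, pr, nbytes, npkts) for s, d, sp, dp, pr, nbytes, npkts in flows)
    data += b"\x00" * (-len(data) % 4)  # exporters pad FlowSets to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 1000, 1_700_000_000, 1, 0)
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache = {}
    flows = parse_v9(build_sample_packet(), cache)
    for rec in flows:
        print(rec)
    print("top talkers:", top_talkers(flows))
```

The point a practitioner should take from this is the template dependency: a v9 data FlowSet carries no field layout of its own, so a collector that starts (or restarts) between the exporter’s template refreshes will see data it cannot decode until the next template arrives. The parser above skips such records instead of guessing, and keys the template cache by source id so two exporters using the same template number do not corrupt each other’s records.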

Using NetFlow is Easy!

To start using NetFlow to analyze traffic:

  1. Define access to a NetFlow collector by configuring a NetFlow server profile.
  2. Assign the profile to each firewall interface that carries the traffic you want to monitor.
  3. Use the NetFlow collector to analyze the traffic.

For detailed configuration instructions and a list of supported NetFlow templates and fields, refer to NetFlow Monitoring in the PAN-OS 7.0 Administrator’s Guide.

[Palo Alto Networks Blog]

Adversaries and Their Motivations (Part 1)

This blog is the first in a series describing adversaries and their motivations. This part in the series presents underlying concepts and the value proposition for exploring who is attacking a network and why.

Intelligence Driven Computer Network Defense

The modern Computer Network Defense (CND) staple of intelligence driven operations (PDF) is based on the observation that incidents are not singular events, but rather phased progressions. In this model, defenders benefit from a cohesive view of adversaries operating inside of a network (also referred to as viewing an adversary in the aggregate). This enables defenders to not only detect today’s threats but also leverage a scientific, evidence-based approach to engage tomorrow’s evolving threats. At its roots are the identification, analysis, and tracking of instances an actor interacted with a network and their respective direct and indirect activity as they worked towards one or more objectives.

For networks with strongly architected and implemented security, an abundance of information is available to support preventive strategies and enable more efficient and effective CND. Organizations focused on the development and continuous improvement of their CND people, processes, and technology can glean significant intelligence from this information, which can then be incorporated into a continuous feedback loop for progressively stronger defense.

For any incident, there’s an inherent trade-off between completeness of investigation (i.e., qualification, quantification) and time to closure (i.e., point of containment, lasting remediation). Organizational leadership traditionally focuses on answering the “what”, “when”, “where”, and “how” questions surrounding a security event or incident, which is understandable, considering that this information helps explain risk in quantifiable terms to key stakeholders across the business. However, the sometimes overlooked “who” and “why” questions for an incident are also valuable and – if properly applied – can significantly benefit an organization on both strategic and tactical levels, leaning into proactive (versus reactive) territory.

Maximizing the Benefits of Threat Intelligence

Optimizing integration of the 5 W’s and 1 H into CND operations allows an organization to maximize the benefits of its threat intelligence capabilities. Each of these factors augments and further qualifies the others to various degrees. Specifically, answers to “who” and “why” can be extremely useful to a network defender for additional context on an attack, whether responding to an alert for a proactive network block or identifying the next generation of malware found through automated dynamic analysis or incident forensics. Together, these factors support more informed decision-making to find a sweet spot where defenders have enough information backed by actionable context to make the best decisions possible regarding defensive priorities, controls, processes, and activities.

Integrating “who” and “why” into the equation contributes to:

  • Isolating employed Tactics, Techniques, and Procedures (TTPs)
  • Detecting and mitigating attacker tools
  • Assessing actor sophistication and funding
  • Gauging attacker commitment and persistence
  • Tracking actively targeted technology, information, and personnel

The broader implications of these gains include:

  • Refined prioritization of resources (e.g., personnel, assets, funding)
  • More efficient and effective CND operations (i.e., working smarter, not harder)
  • Improvement of overall security posture (i.e., increasing the resource cost for an adversary)

Malicious Actor Motivations

At the end of the day, malicious actors are people too. Underlying motivations drive their activities in support of respective objectives. Unit 42 recognizes six top-level motivations:

  • Cyber Espionage: Patient, persistent and creative computer network exploitation for strategic economic, political and military advantage
  • Cyber Crime: Extension of traditional criminal activity, focused on personal and financial data theft
  • Cyber Hacktivism: Activist cyber attacks seeking to influence opinion and / or reputation for specific organizations, affiliations or causes
  • Cyber Warfare: Cyber operations that alone or in complement to kinetic / physical operations destroy or degrade a target country’s capabilities
  • Cyber Terrorism: The convergence of cyberspace and terrorism, causing loss of life or severe economic damage
  • Cyber Mischief: Arbitrary and / or amateur cyber threat “noise” on the Internet

Figure 1. High-level malicious actor motivations

We prepend “Cyber” to each of these not so much due to a fondness for this oft-overused term, but rather as a reminder that these core motivations existed long before their use with regards to computer networks and systems. In short, “cyber” is just another medium over which malicious actors have chosen to achieve their objectives.

An important take-away is that these top-level motivations are not mutually exclusive. Think of them as “hats” an attacker can wear at any given time. In other words, an attacker might wear one or more “hats” for any single attack. As an extension of this view, they can choose to operate based off of multiple motivations across one or more attack campaigns. Additionally, dynamic factors may influence actor motivation for a given attack, such as integration of information gleaned from progressive operations and identification of targets of opportunity. More advanced and/or creative adversaries may actively engage in misdirection and suggest one motivation, when in reality their objectives are based on another.

Although motivations may shift for a single actor, most actors will often employ the same Tactics, Techniques, and Procedures (TTPs); malware and tools; and/or other resources (e.g., infrastructure providers) across all of their operations. This majority will often not stray far from a core set of capabilities and methods. However, the following trends have added to the complexity of identifying malicious actor motivation and establishing attribution:

  • Success experienced by one malicious actor group in attacking the people, processes, and/or technology of an organization emboldens and inspires others to integrate similar or evolved methods
  • Adoption and customization of publicly-available malware and tools, shared across many actor motivations and groups
  • Closed source sharing of malware, tools, and infrastructure

Levels of Attribution

When it comes to the concept of attribution, isolating who is behind a security event or incident, there are potential benefits to keeping track of even the most fundamental characteristics of an attacker. An organization doesn’t need to jump straight into identifying individuals to benefit from information collected on a malicious actor; in fact, gradually building out attribution capabilities is a more sustainable practice.

Figure 2. Levels of attribution

Attribution can occur at varying granularity and applies to each “hat” an adversary might wear at any given time. The conceptual levels (from least to most granular) behind this idea follow:

  • High-Level Motivation: Previously described above and typically the easiest level to establish
  • Qualifiers: Include aspects such as preferred targeting (e.g., industry, affiliation, types of information, etc.), activity sponsorship (i.e., scale and funding), and potential correlation / relationship with other threat actor groups or events (e.g., real world or virtual; security event related or otherwise newsworthy such as politics or legislation)
  • Group: Includes isolation of TTPs, distinguishing malware and / or tools, attack infrastructure, and degree of cohesion (i.e., formal organization versus self-identifying / collective)
  • Individual: The most difficult level to establish, especially for advanced / sophisticated adversaries; may include deeper threat intelligence aspects gleaned or leaked for very specific attack operators (e.g., distinguishing “calling cards”, competitor doxing, law enforcement operations)

Bringing It All Together

When viewed holistically in conjunction with other information security activities (e.g., broader risk assessment), even just recognizing a high-level motivation can assist in tailoring defenses accordingly. Tying this concept back to viewing an adversary in the aggregate, each contact with that adversary is an opportunity to further track and refine attribution. Progressively finer granularity of attribution allows for an increasing degree of focus in defensive operations. This in turn reduces the resources required for reactive incident response and gives defenders enough breathing room to expand on proactive defensive measures.

Coming Up…

The next blog for this series will take a closer look at three top-level malicious actor motivations: Cyber Espionage, Cyber Crime, and Cyber Hacktivism.

[Palo Alto Networks Blog]

Three Ways to Improve Your Personal Cyber Safety

For National Cyber Security Awareness Month, there are a few relatively easy things that I highly recommend if you want to improve your personal cyber safety. These important protections are readily available but not well documented.

One of the biggest cyber security problems impacting users today is the reuse of easy-to-guess passwords across multiple sites. All it takes is for one site to be compromised and the hackers can then use your password to log into others. This process is often automated and run against many sites at once. To help combat that, ensure that you have a *unique* password for each site. No one can remember multiple unique complex passwords, so invest in using a tool like RoboForm or 1Password to manage these passwords and keep them safe. Once you have installed a good password manager, go back to each site you use, replace your common password of “petname123” and let the password manager create a long and complex password for you like “yott2&uv0ugs7”. Save that password and go on to change the next one. Set a complex password that you DO remember for your password manager. It’s only one and it can be recalled from memory.

Don’t be afraid of the cloud! Losing all of your newly-created complex passwords to a hard drive crash would be a terrible loss. Make sure you sync your password file to the cloud so you can access it across multiple devices (phones, tablets, laptops) and always have a backup. RoboForm has its own cloud storage built in and 1Password uses Dropbox or iCloud. Your passwords are encrypted with AES, so even if someone somehow broke into the cloud provider and stole your password file, they cannot decrypt your passwords without the one complex password you committed to memory. That is also why the master password must be strong: against a stolen vault it is the only thing standing between the thief and an offline guessing attack.

The next step to ensure you won’t be an easy victim is to set up two-factor authentication for some sites that are more important to your personal cyber security like Gmail, eBay and PayPal.

Gmail
You may not have thought about it, but your personal Gmail account ties many things together. For example if you use Gmail as your email address for your Amazon account, if someone hacks your Gmail they can force a password change to access your Amazon account. Similarly, your bank and many other systems may use your email as a way to allow for password resets.

Criminals can also use your Gmail account to send out legitimate looking email requests for emergency help to all the people in your address book like the email below:

Hi,

How you doing? I made a trip to London (United Kingdom) unannounced some days back, Unfortunately i got mugged at gun point last night! All cash, Credit card and phone were stolen, i got messed up in another country, stranded in London, fortunately passport was back in our hotel room. It was a bitter experience and i was hurt on my right hand, but would be fine. I am sending you this message cos i don’t want anyone to panic, i want you to keep it that way for now!

My return flight leaves in a few hours but Im having troubles sorting out the hotel bills, wondering if you could loan me some money to sort out the hotel bills and also take a cab to the airport about ($1,550). I have been to the police and embassy here, but they aren’t helping issues, I have limited means of getting out of here, i have canceled my credit cards already and made a police report, I wont get a new credit card number till I get back home! So I could really use your help.

You can contact the hotel management through this telephone number (+449444045232), you could wire whatever you can spare to my name and hotel address via Western union:

Name: John Hastings
Location: 201 Bunaby Street, Chelsea,
Greater London
SW10 0PL.
United Kingdom

Your Gmail account plays an important part in your overall internet safety. It is very important you set a strong password and enable two-factor authentication. Here is how to do it:

  • Login to your Gmail account then go-to the following URL
    https://www.google.com/landing/2step/
  • Click on “Get Started” then “Start Setup.” Enter the number for your phone and verify the number by entering the numeric code that Google sends to the phone by either text message or voice call.

  • You can also choose to use the Google Authenticator smartphone app (available for iOS and Android), which you register through the same wizard shown above. Either way works and will stop people from easily taking over your personal email (and of course your online identity!).

PayPal and eBay
If you use either of these services, they are high-value target accounts for criminals. PayPal is especially problematic as it links directly (in most cases) to your bank account. eBay accounts, on the other hand, are often hijacked and then used fraudulently to sell nonexistent items, leaving the account owner to sort out the mess. I highly recommend you protect yourself by setting up two-factor authentication for both accounts.

Setup instructions for PayPal:

Go to https://www.paypal.com/us/cgi-bin/webscr?cmd=_register-security-key-mobile

This will give you the option to set up a secondary authentication method. You have three choices. First, pay a small amount and PayPal will ship you a small fob that generates one-time passwords to use as a second factor for your account (i.e. a hacker can’t get into your account by just guessing your password or resetting it). The second choice is more convenient if you have a smartphone: download the Symantec VIP Access app. Or you can just have PayPal send codes to your mobile, as we did with Gmail.

When you get the token software installed on your smartphone, authenticate it to your PayPal account and register its unique ID. Now when anyone wants to use your PayPal account, they will have to have both your username and password and the one-time token password your phone or fob would generate. Note: you can also tie this token to your eBay account.

There was a lot of work to do to get to this stage. It is unfortunate that this process is obscure and not built in or easier to enable. I am sorry to say that there is one more step if you use Gmail with any applications that auto-check email. I have several, such as the Microsoft Outlook client for Mac. These applications authenticate automatically and cannot answer the two-factor prompt, so for convenience, with only a small security risk, I can use Gmail to set up application- or device-specific passwords. Each of these fixed passwords is labelled for one app on one device and can be revoked individually; note, however, that it is not technically bound to that app or device, so anyone who obtains it can use it to reach your mailbox without a second factor, and it should be guarded as carefully as your main password. You can do this by editing the “authorizing applications & sites” button in the Gmail account settings.

When you click edit, it will force another authentication then allow you to set up, manage and track application-specific passwords.

So that’s it. I wish it was easier, but these are a couple of steps that can make your internet identity much harder to abuse.

Gavin Reid, Vice President/Threat Intelligence, Lancope

[Cloud Security Alliance Blog]

2016 Recruiting Forecast for IT Professionals

When thinking about the recruiting landscape for 2016, my first thought is that it all depends on which side of the interview you are on. 2015 has shown the strongest demand for skillsets that ISACA members have (IT audit, governance, security and risk) that we have seen since 2005-2007, during the first years of Sarbanes-Oxley Act (SOX) compliance. Currently, conditions are extremely tough for hiring managers who are trying to lure top talent to their teams, and I do not expect this to change anytime soon.

Why the talent shortage? IT audit, governance, security and risk skillsets are an increasingly bright spot on the radar of organizational leaders. This is partly due to increasing regulatory and compliance requirements and high-profile data breaches, but also because of years of efforts to transform IT audit from a “necessary evil” to a value center.

Because of the increased understanding of the value IT risk and controls professionals provide, there has been a significant uptick in non-audit positions since 2012—especially IT risk and compliance roles. These “second line of defense” roles were gaining traction in 2007-2008, but funding in this space tightened (or just plain vanished) during the recession in the US. Now, in a steadily improving economy, budgets for these roles have replenished and the resulting demand has stretched a thin talent pool even thinner by recruiting heavily from IT audit groups.

Another factor is that some of the primary talent generators in our field, the “Big 4” and similar client service firms, made deep staffing cuts during the recession and also dramatically reduced hiring off college campuses from 2009-2012.

These factors have created rosy conditions for most IT professionals seeking new opportunities. Barring a significant global political or economic disturbance, I expect the strong demand in our space to extend at least through 2016.

I am often asked, “What are the top skills in demand?” That is a difficult question to answer for a constituency as diverse as ISACA’s, for example, which covers many disciplines in the IT controls world, ranging from the deeply technical to more general relationship management roles. Cyber security is the word on almost everyone’s lips right now. You can question whether or not cyber security is “new” or just the next iteration of complexity in technology assurance, but regardless, rebranding your skillset toward cyber security activities is a sound career strategy in the near term.

In the long term, whether you are focused on IT audit, governance, risk, compliance, or security, your success will depend on aptitude, attitude, and altitude. By aptitude, I mean your ability to continually learn and adapt quickly to technology and business developments in an increasingly complex and competitive business climate. By attitude, I mean approaching your work with dedication, resilience, optimism and empathy. By altitude, I mean seeing IT risks from the viewpoint of the C-suite, and communicating the impact of risks in business language to a variety of stakeholders.

So, how do you position yourself for continued success in 2016? You have heard the saying, “if it ain’t broke, don’t fix it.” I say, “if it ain’t broke, do preventative maintenance.” Each of you probably knows at least one professional who learned a painful lesson during the recession. Many faced involuntary unemployment for the first time, and were caught having allowed their skills to stagnate. Now is the time to do preventative maintenance and to be proactive about future-proofing your skillset. Earn an additional certification. Seek out a mentor to help you determine three specific soft and hard skills for you to acquire or improve, and then put an action plan in place to achieve those goals.

Some people will read this and think, “I should do that,” but then it will get shuffled to the side, as life’s many professional and personal demands take a higher priority. I understand. I will leave you with this: I am optimistic that the steady climb in demand for the discussed IT skillsets will continue in 2016, but go ahead and plan your career as if it will not. Either way, you will be a winner.

Derek Duval, CPC
Duval Search Associates, LLC

[ISACA Now Blog]
