2015 Verizon Data Breach Investigations Report (DBIR): Insights from Unit 42

The 2015 Verizon Data Breach Investigations Report (DBIR) represents the first time Palo Alto Networks has contributed data to this important publication, and we are proud to be part of an intelligence-sharing ecosystem that, in the end, raises the collective bar for everyone in the industry.

While reviewing the findings, a few key points stood out to the Unit 42 team:

“70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.”

This important data point means that a single piece of malware could be subtly altered to produce an endless stream of variants, all of which would evade traditional signature-based detection. Of note, this premise matches our recent internal research, lending more credence to this trend.

Verizon defines unique malware from a signature/hash perspective, “when compared byte-to-byte with all other known malware.” In fact, a variety of commonly available and easy-to-use tools can automate the process of obfuscating these threats. In what has become a mantra throughout the security industry, the report states that “Signatures alone are dead,” and Palo Alto Networks would agree. When malware is used once (or a handful of times), matching against these patterns has limited effectiveness at best. From a defender’s perspective, it is clear that organizations need to consider an approach that can prevent malware based on payload, not signature, and quickly generate and share protections for the endless new variants released each day.
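To make the “unique to a single organization” statistic concrete, here is a small added example (not code from the report, from Verizon, or from Palo Alto Networks) that contrasts byte-for-byte hash matching with a content-similarity check. The sample bytes are constructed stand-ins, not real malware; `make_variant` simulates the trivial per-target repacking described above by flipping one padding byte and appending a short trailer, and the n-gram Jaccard detector is a hypothetical stand-in for “payload-based” matching, not any product’s actual method.

```python
import hashlib
from typing import Iterable, List, Set

# Constructed stand-in for a malicious binary: a fake header, padding and an
# embedded "payload" string. This is NOT real malware and executes nothing.
BASE_SAMPLE = (
    b"MZ\x90\x00"
    + b"\x00" * 60
    + b"PAYLOAD:connect(c2.example.invalid,443);drop(svchost.tmp)"
    + b"\x00" * 32
)

# Constructed benign control: same fake header, unrelated content.
BENIGN_SAMPLE = (
    b"MZ\x90\x00"
    + b"\x00" * 60
    + b"Hello from a harmless utility, nothing to see here."
    + b"\x00" * 32
)


def sha256_hex(data: bytes) -> str:
    """Byte-for-byte identity, i.e. the 'signature' the DBIR statistic is about."""
    return hashlib.sha256(data).hexdigest()


def make_variant(sample: bytes, salt: int) -> bytes:
    """Simulate per-target repacking: flip one padding byte and append a short
    trailer. The payload is untouched, but every byte-level hash changes."""
    mutated = bytearray(sample)
    mutated[8 + (salt % 16)] ^= 0xFF  # indices 8..23 lie inside the zero padding
    return bytes(mutated) + salt.to_bytes(2, "big")


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of overlapping n-byte windows; a crude content profile of the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Set similarity in [0, 1]; identical sets score 1.0."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class SignatureDetector:
    """Exact-hash lookup against known samples (what 'signatures alone' means here)."""

    def __init__(self, known: Iterable[bytes]):
        self.hashes = {sha256_hex(s) for s in known}

    def matches(self, sample: bytes) -> bool:
        return sha256_hex(sample) in self.hashes


class SimilarityDetector:
    """Content-based matching: flags a sample whose n-gram profile is close to a
    known one. A hypothetical stand-in for payload-based detection."""

    def __init__(self, known: Iterable[bytes], threshold: float = 0.8):
        self.profiles = [byte_ngrams(s) for s in known]
        self.threshold = threshold

    def score(self, sample: bytes) -> float:
        profile = byte_ngrams(sample)
        return max(jaccard(profile, p) for p in self.profiles)

    def matches(self, sample: bytes) -> bool:
        return self.score(sample) >= self.threshold


def compare_detectors(n_variants: int = 5) -> dict:
    """Run both detectors over fresh variants of the known sample plus the benign control."""
    known = [BASE_SAMPLE]
    signature = SignatureDetector(known)
    similarity = SimilarityDetector(known)
    variants: List[bytes] = [make_variant(BASE_SAMPLE, i) for i in range(1, n_variants + 1)]
    return {
        # every repacked variant gets its own hash, so each is "unique" by the DBIR definition
        "unique_hashes": len({sha256_hex(v) for v in variants}),
        "signature_hits": sum(signature.matches(v) for v in variants),
        "similarity_hits": sum(similarity.matches(v) for v in variants),
        "benign_flagged_by_similarity": similarity.matches(BENIGN_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in compare_detectors().items():
        print(f"{key}: {value}")
```

Running it shows five variants with five distinct hashes, zero signature hits, five similarity hits, and no false positive on the benign control. The point is not that 4-gram Jaccard is a production technique, but that any detector keyed on the unchanged payload survives cosmetic repacking, whereas an exact hash is defeated by a single flipped byte.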

“In 70% of the attacks where we know the motive for the attack, there’s a secondary victim.”

This highlights an important trend: adversaries are using third-party websites, or co-opting infrastructure, to deliver their attacks. This can often mean that the person or organization that experiences the initial breach isn’t the real target, but a tool: a pawn in a larger battle. From an attacker perspective, this allows them to take advantage of the trust that these “jump-off” points have built up, or to use the resources of another company for their gain.

The most common methods observed in these types of attack are:

  • Watering hole attacks (also known as strategic web compromise), where an organization’s website is infected with exploit code in an attempt to infect visitors to that site.
  • DDoS attacks, where web servers or other high-bandwidth hosts are compromised and used in an attack on another target.

Anyone who’s ever thought, “My company isn’t a big target” should look at this statistic and realize that they can’t safely stand on the sidelines. Either your infrastructure is secured against attack, or it will be “drafted” into one side of the battle.

“99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”

Palo Alto Networks has observed that the extended lifetime of CVE exploitability and the rapid incorporation of new vulnerabilities into attack toolkits are nothing new. New vulnerabilities take time, effort and resources to discover, and if you think of adversaries in the context of “running a business,” they want to get the greatest return on their investment (ROI). Generally, there is no need to deploy a zero-day exploit when an older, unpatched vulnerability can be used. Well-funded adversaries that have the in-house R&D to discover a new CVE and develop unique exploit code against it are the exception rather than the rule. When a new CVE is disclosed, we typically see it added to exploit kits in about a month, following initial disclosure and reverse engineering.

It is also important to draw the line between commonly exploited CVEs, and those being used by the most advanced and targeted attackers. In general, the DBIR focuses on exploits targeting web applications, whereas we believe the most advanced and targeted threats leverage memory corruption exploits to gain a foothold on the endpoint. These exploits often come in the form of data files such as PDF or MS Word documents. As traditional anti-virus (AV) products do not detect such exploits, it is difficult to gather statistics around their use. Post-incident investigations often conclude that a system is infected with malware, but may not uncover that an exploit was used to download the malware onto the system. As organizations adopt advanced endpoint protection products that block these types of exploits, we expect an increase in awareness and reporting of their prevalence in the threat landscape.

“40% of controls determined to be most effective fall into the quick win category.”

In the summary of this year’s DBIR, Verizon has included a table showing which Critical Security Controls (CSC) would have applied to the incidents they’ve tracked. This table is telling because most of these controls are relatively simple for an organization to deploy, especially if they have the right security platform already deployed. If organizations deployed just the “quick wins,” the volume of breaches could decline substantially by the time next year’s report is released.

Image 1. SANS Critical Security Controls mapped to incidents observed by Verizon, which can be used as a guide for implementing foundational security controls with the most impact.

Overall, Palo Alto Networks and the Unit 42 threat intelligence team are honored to be included in the 2015 DBIR. We firmly believe that sharing intelligence on adversaries, campaigns, and attacks is one of the most effective tools we have to raise the cost of a successful breach for attackers. The more organizations that have relevant and timely intelligence, the harder it will become for attackers to compromise them. We look forward to sharing more threat intelligence and research throughout the security community, including in our role as a founding member of the Cyber Threat Alliance.

[Palo Alto Networks Blog]

Palo Alto Networks Named Best Next-Generation Firewall by SANS

Palo Alto Networks has been named Best Next-Generation Firewall by SANS in their 2014 Best of Awards program.

The SANS Best of Awards program was created to recognize the solutions that organizations are using to successfully fend off cyber attacks. Each year SANS accepts nominations for products and services that have increased the effectiveness and efficiency of cybersecurity programs. Nominees for the 2014 awards were voted on by hundreds of security operations professionals and security managers from within the SANS community.

To learn more about next-generation firewalls and the Palo Alto Networks enterprise security platform, click here.

[Palo Alto Networks Blog]

Closing the Cybersecurity Skills Gap

Organizations are realizing that it is not a matter of if a cyberattack will occur against their enterprises; it is a matter of when. This realization is causing executives and board members to take a growing interest in what is being done to protect and defend their top non-human asset: information. Support for growth in cybersecurity staffing is here; the problem is that the pool of skilled cybersecurity talent is facing a drought.

To address the global cybersecurity skills shortage, ISACA has launched a portfolio of innovative skills-based cybersecurity training courses and performance-based exams and certifications, through its Cybersecurity Nexus (CSX). These new CSX certifications are providing a benchmark that will help shape the future of cybersecurity hiring and the career progression of cybersecurity professionals. CSX will help assure cybersecurity pros that they can keep their skills sharp in the face of evolving threats, changing technology, and highly motivated adversaries who seem to get cleverer every minute. Organizations will have assurance that candidates have the right skills to address cybersecurity incidents from day one on the job, and that their security teams have the most important and current skills, knowledge and advanced capabilities.

This ISACA effort is critical, as 82 percent of organizations expect to experience a cyberattack in 2015. But, they feel they are relying on a workforce that is not qualified to handle complex threats, according to the State of Cybersecurity: Implications for 2015 survey from ISACA and RSA Conference. The results also revealed that 35 percent are unable to fill open cybersecurity positions.

Historically, cybersecurity training has been more general and did not evolve with the changing threat landscape. There has never been a defined career progression for cybersecurity. ISACA examined the lifecycle of a cybersecurity career and the skills that are needed at every level to develop a holistic approach to cybersecurity from beginning to end.

ISACA’s new cybersecurity certifications are:

  • CSX Practitioner—For this certification, a professional must demonstrate the ability to serve as a first responder to a cybersecurity incident following established procedures and defined processes. There is one certification at this level, and three training courses are available. This certification is a prerequisite for any of the five CSX Specialist certifications.
  • CSX Specialist—A professional must demonstrate effective skills and deep knowledge in one or more of five areas based closely on the NIST Cybersecurity Framework: Identify, Detect, Protect, Respond and Recover. There is one certification and one training course for each of these five areas. Professionals can choose to attain one or more of the five. CSX Practitioner is a prerequisite for a CSX Specialist designation.
  • CSX Expert—Only those who possess a master level of cybersecurity skills will be able to attain CSX Expert. Professionals must demonstrate skills that show they can identify, analyze, respond to and mitigate complex cybersecurity incidents. There is one training course and one certification at this level. No prerequisites are required.

ISACA is the first organization to use PerformanScore, a unique learning and development tool that measures a professional’s skill in performing cybersecurity job activities in a virtual setting using real-world cybersecurity scenarios.

Skills verification for cybersecurity pros should recognize that there are multiple ways to respond to threats, and PerformanScore can do just that—measure skills across the entire solution set of possibilities. Since the tool compares actions to grading criteria that are referenced against an adaptive scoring rubric in real-time, instructors can provide more precise feedback and professionals can learn more efficient cybersecurity techniques.

ISACA is the right organization to answer the urgent call for skilled cybersecurity professionals. ISACA blends membership strength, vision, global reach, reputation, integrity and ties to global governmental entities like no other organization. We have the commitment, tools, resources and foundation to offer the complete, holistic program that is provided through CSX. As a member of ISACA for over 15 years, I am excited to see the strong strides ISACA is making to help strengthen enterprise security today.

For more information, visit www.isaca.org/csxnews.

Eddie Schwartz, CISA, CISM
President of White Ops, Inc.
Chair of ISACA’s Cybersecurity Task Force

[ISACA]

Survey Says… Zero-Day Attacks and Evasive Malware are Biggest Risks

This is the first in a three-part series highlighting the results from a Palo Alto Networks survey of 233 Ignite 2015 attendees at the end of March. The survey uncovered the cybersecurity pain points they face, what keeps them up at night, and what specific concerns they have for their organizations.

Malware, insider threats, ransomware – the ways in which cybercriminals can attack a company’s network and exploit vulnerabilities are vast. But some attack vectors are bigger risks than others, and some have the potential to wreak more havoc than others.

In our survey of Ignite attendees, the majority of respondents reported zero-day attacks and evasive malware represent the biggest risks. Social engineering attacks and insider threats are close behind.

One customer told us:

“Evasive malware is certainly the biggest security concern any enterprise is faced with today. APTs are a reality that we all need to deal with and devise mechanisms to break the chain of action.”

With so many attack vectors looming day in and day out, detection and remediation alone are not sufficient strategies. We heard from our customers, time and time again, about the importance of preventing attacks before a malicious actor is able to use any of these methods to access and exfiltrate valuable data.

As Palo Alto Networks emphasized at Ignite this year, we’re taking on cyberattackers and aiming to make the cost of network infiltration higher than the potential rewards. We do this by combining network, cloud and endpoint security into a tightly integrated enterprise security platform that delivers automated prevention against known and unknown threats at every point in the kill chain.

[Palo Alto Networks Blog]

Next-Generation CyberSecurity Platform

Palo Alto Networks is leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market.

Our security platform natively brings together all key network security functions, including advanced threat protection, firewall, IDS/IPS, and URL filtering. Because these functions are natively built into the platform and share important information across the respective disciplines, we ensure better security than legacy firewalls, UTMs, or point threat detection products.

With the Next-Generation CyberSecurity Platform from Palo Alto Networks, organizations can safely enable the use of all applications, maintain complete visibility and control, confidently pursue new technology initiatives like cloud and mobility, and protect the organization from cyber attacks, known and unknown.

Below is the keynote that I delivered at Security World 2015 (http://www.security.org.vn) event in March 2015 (in Hanoi, Vietnam).

For more information about the Next-Generation CyberSecurity Platform:

https://www.paloaltonetworks.com/products/platforms.html

Philip Hung Cao
Solutions Architect
