Cyberthreat Information Sharing: An Industry Imperative to Increase Australia’s Cyber Resilience

There is no doubt that cybersecurity gives a business longevity and can help differentiate it from its competitors – for both good and not-so-good reasons. Organisations in both the public and private sectors need strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.

As we have seen, though, the threat landscape is not abating and it will continue to evolve. Our cyber adversaries are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.

This challenging new reality holds for Australian organisations just as it does for businesses worldwide. The Australian government is taking important steps to raise the nation’s cyber resilience and sharpen its approach to cybersecurity with the release of the Cyber Security Strategy in April 2016. As Australian Prime Minister Malcolm Turnbull has said, “the Australian Government has a duty to protect our nation from cyber attack and to ensure that we can defend our interests in cyberspace. We must safeguard against criminality, espionage, sabotage, and unfair competition online.”

Australia’s Cyber Security Strategy has five main themes:

  • A national, cyber public-private partnership
  • Strong cyber defences (including cyberthreat information sharing)
  • Global responsibility and influence
  • Growth and innovation
  • A “cyber smart nation”

These are laudable goals, but if we aspire to put an end to the breaches we read about in the headlines almost daily, a public-private partnership is needed to achieve them.

One key way for industry to play a valuable role is to participate in voluntary cyberthreat information sharing. Operationalising threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks.

What Is Meant by Cyberthreat Information Sharing?

Cyberthreat information sharing is the sharing of information about threats and incidents so that all entities can better protect and defend their networks. The information in question is generally technical in nature, such as bot command-and-control servers, malware samples, malware analysis results, and indicators of compromise. In short, it is about sharing attack information. What’s most critical is to learn about the kinds of actors targeting organisations, the tools they have available, and the tactics they employ – all to help organisations to prevent attacks and defend their networks more effectively.

What to Share and How

First, let’s define the attributes of what should be shared:

  • Threat Indicators: forensic artefacts that describe the attacker’s methodology.
  • Adversary’s Campaign Plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group.
  • Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets.
  • Adversary Dossier: campaign plans + context: a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.

Our mission should be to share all of the above, but most importantly an adversary group dossier. Doing so improves the assessment of the adversary group’s potential material impact on the targeted organisation, giving that organisation a better opportunity to detect and prevent the attack, and to deter the adversary.

The information itself is important – but it must be actionable. This means that it must arrive in as close to real time as possible. As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats — only through automating prevention and detection can organisations be fast enough to adequately secure networks. Thus, government and industry must collaboratively build a robust, automated information sharing architecture, capable of turning threat indicators into widely distributed security protections in near-real time.
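As an added example (not code from the original article), the artefacts defined above can be modelled directly: threat indicators grouped into campaign plans per attack-lifecycle link, plus context, forming an adversary dossier that is then matched automatically against local telemetry. Group names, indicators and event records are constructed placeholders.

```python
# Added example (not from the original article): model the shared artefacts
# (threat indicators, campaign plans, context, adversary dossier) and turn a
# dossier into an automated match over local telemetry. All values constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ThreatIndicator:
    kind: str    # "domain", "sha256", "ip"
    value: str
    phase: str   # link in the attack lifecycle, e.g. "delivery", "c2"

@dataclass
class CampaignPlan:
    name: str
    indicators: list   # ThreatIndicator for each lifecycle link

@dataclass
class AdversaryDossier:
    group: str
    campaigns: list    # campaign plans attributed to this group
    context: dict = field(default_factory=dict)  # motivation, origin, targets

    def index(self):
        # Flatten all campaigns into a (kind, value) lookup so matching is O(1)
        table = {}
        for plan in self.campaigns:
            for ind in plan.indicators:
                table[(ind.kind, ind.value.lower())] = (plan.name, ind.phase)
        return table

def match_telemetry(dossier, events):
    # Map each event whose observable is in the dossier to (group, campaign, phase, event)
    table = dossier.index()
    hits = []
    for ev in events:
        found = table.get((ev["kind"], ev["value"].lower()))
        if found:
            hits.append((dossier.group, found[0], found[1], ev))
    return hits

# Constructed sample dossier and telemetry (placeholders, not real IoCs).
DOSSIER = AdversaryDossier(
    group="EXAMPLE-GROUP-1",
    context={"motivation": "financial", "typical_targets": "retail POS"},
    campaigns=[CampaignPlan("example-campaign-A", [
        ThreatIndicator("domain", "update-check.example.invalid", "c2"),
        ThreatIndicator("sha256", "00" * 32, "installation")])])
EVENTS = [
    {"kind": "domain", "value": "UPDATE-CHECK.example.invalid", "host": "pos-17"},
    {"kind": "domain", "value": "www.example.com", "host": "pos-17"},
    {"kind": "sha256", "value": "00" * 32, "host": "vendor-jump-01"}]

if __name__ == "__main__":
    for group, campaign, phase, ev in match_telemetry(DOSSIER, EVENTS):
        print(f"{ev['host']}: {group}/{campaign} [{phase}] {ev['kind']}={ev['value']}")
```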

Resistance to Sharing and Other Barriers to Success

Increasing cyberthreat information sharing in our country is easier said than done, for a number of reasons. First, there is apprehension amongst organisations that information sharing could negatively impact them. Many feel that by sharing information that could be classified as sensitive and privileged, they would be giving the upper hand to their competitors. This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.

Some of the other challenges and perceived barriers to greater cyberthreat information sharing that will need to be addressed are:

  • Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
  • Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more we continue to treat this information as IP, and the more we keep it in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
  • Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
  • Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.

Where to Go From Here

We urge the Australian government as well as industry to quickly put into action the recommendations for greater cyberthreat information sharing as laid out in the new Cyber Security Strategy. Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary. Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combating our adversaries with technological weapons that have no ammunition.

[Palo Alto Networks Research Center]

Announcing the LabyREnth Capture the Flag (CTF) Challenge

We’re proud to announce that LabyREnth, the Unit 42 Capture the Flag (CTF) challenge, is open to the public and ready to test your malware analysis and reverse engineering skills. You’ll have until 11:59pm on August 14th, 2016 to run through more than 25 challenges built by some of the industry’s best threat researchers and security engineers.

Whether you are an experienced threat researcher looking to win renown or a student just getting started, there are challenges built to surprise you and hopefully show you something new. You’ll also have the opportunity to win part of $16,000 in rewards if you’re among the first to complete the tracks. The CTF is open worldwide, including to Palo Alto Networks partners; please refer to the official rules for full eligibility details.

These challenges bring together amazing learning opportunities for all levels across the security industry, all with serious prizes. Our goal is to drive threat intelligence education by sharing challenges based on the daily life of our engineers, helping improve skills and develop the next generation of analysts.

Watch the @unit42_intel Twitter and #labyREnth hashtag for updates and winners.

Join the LabyREnth now.

[Palo Alto Networks Research Center]

Africa CACS Keynote Herman Konings to Introduce “Cathedral Thinking”

Trend analyst and consumer psychologist Herman Konings will present the Africa CACS 2016 closing keynote address, titled Cathedral Challenges: What Happens After What Comes Next? Konings is a genuine storyteller who takes his audience on an engaging journey through the world of passions and interests, trends and future expectations, and what is and what will be.

Africa CACS will take place at the InterContinental Nairobi, Kenya, from Monday, 8 August to Tuesday, 9 August. For more information click here.

The following is a question-and-answer session with Konings.

ISACA NOW:  What major societal trends do you see in the near and long terms?
KONINGS:  To understand trend watching, it is vitally important to know what a trend is. It is not, as many think, a term exclusively associated with the world of marketing, fashion or design. At its most essential, a trend can be defined as the direction in which something/anything tends to move and which has a consequential impact on the society, culture or business sector through which it moves.

Trends are, therefore—as London-based trend forecaster Martin Raymond describes—a fundamental part of our emotional, physical and psychological landscape; and by detecting, mapping and using them to anticipate what is new and next in the world or business, we are contributing to better understanding the underlying ideas and principles that drive and motivate us as consumers, citizens, users, creators, and decision makers.

From a global point of view, interesting (societal) trends are, among other things, the growth of life expectancy (and the related overpopulation), the digitization of jobs, the sustainability (including mobility) challenge and the collaborative mindset of Generation Y. I have the strong conviction that these global trends are “true” global trends, not only relevant for Northern America, Europe or the Far East, but in the “long-near” (= within 5 to 10 years) also self-evident for Africa.

ISACA NOW:   As a trend watcher, what have you learned about the portability of trends? Does a trend in Europe, for example, generally translate into a trend elsewhere? Can you predict portability? Also, can you predict which trends will move from fad to mainstay?
KONINGS:  A legitimate question is whether trends are portable from one region or even continent to another. Can a trend detected in Europe take root in, for example, Sub-Saharan Africa? The answer is quite complex. One has to take into consideration different demographic, economic, socio-cultural, technological, ecological, political and—maybe the most tricky of all—psychological circumstances. On the other hand—and this is promising—the profound globalization of the 21st century means that younger generations (the so-called “Millennials”—GEN Y—and “Digital Aboriginals” —GEN Z) are behaving more and more in the same way as their peers on other continents. The similarities within a global age group have never been more pronounced as within the group of teenagers and twenty-somethings of today. This will obviously enhance the portability of trends associated with young adults.

ISACA NOW:  What will attendees of Africa CACS take away from your presentation?
KONINGS:  On 9 August, I will introduce the idea of “Cathedral Thinking.” Short-term, instant-gratification thinking seems to fail. Both consumers and business leaders are reconsidering the idea of long-term thinking. Like builders of cathedrals in medieval times (in Europe), when fathers passed the task on to sons, who in turn passed the task on to their sons. Once initiated to the job, cathedral builders knew exactly that neither they, nor their children, grandchildren or even great-grandchildren would be joining in the housewarming party of that cathedral.

The attendees of my presentation at Africa CACS will learn, among other things, about sensors leading to an Internet that is more adapted to the individual, turning the Internet of Things into an Internet of Me. I will also be discussing the humanization of the digital and “augmented intelligence,” the joint forces of hyper-cognitive intelligence (supercomputers) and both social and emotional intelligence of (bio only) humans.

For more information on Africa CACS, click here.

[ISACA Now Blog]

Palo Alto Networks Researchers Discover Two Critical Internet Explorer Vulnerabilities

Palo Alto Networks researchers discovered two new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10, and 11. Both are included in Microsoft’s July 2016 Security Bulletin, and documented in Microsoft Security Bulletin MS16-084.

In keeping with our continued commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and the creation of protections by security vendors.

Palo Alto Networks is a regular contributor to vulnerability research. Our researchers have discovered more than 80 critical Microsoft vulnerabilities over the past 20 months and have also been recognized for contributions to Adobe, Apple and Android vulnerability research. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing them with vendors such as Microsoft for patching, we are removing weapons used by attackers to compromise enterprise, government and service provider networks.

[Palo Alto Networks Research Center]

Why User-Based Controls Are Critical to Your Breach Prevention Strategy

Employees, customers and partners connect to different repositories of information within your network, as well as to the internet, to perform various aspects of their jobs. These people and their many devices represent your network’s users. It’s important to your organization’s risk posture that you’re able to identify who they are — beyond IP address — and the inherent risks they bring with them based on the particular device they’re using, especially when security policies have been circumvented or new threats have been introduced to the organization.

Here are two high-profile, real-world breaches that you can learn from. The key takeaway here is that, to make the most of your next-generation firewall investment, it is critical to implement user-based controls.

Example 1: Data Breach at a Large U.S. Retailer

This data breach started with the attackers stealing a third-party vendor’s login credentials. This allowed them to gain access to the third-party vendor environment and exploit a Windows vulnerability. Since the vendor had the privileges to access the corporate network, the attackers gained access, too. The attackers were then able to install memory-scraping malware on more than 7,500 self-checkout POS terminals. This malware was able to grab 56 million credit and debit card numbers. The malware was also able to capture 53 million email addresses.

The SANS Institute Reading Room for InfoSec has published a report on the breach. The report mentions several ways in which the breach could have been prevented. One of the most important is to have the right access controls in place. Quoting from the report:

  • An identity and access management solution should be used to manage the identities and access of all internal and external employees (third-party vendors).
  • Each external employee should have their own account, so that there is accountability for anything performed on their behalf.
  • Account review procedures should also be in place, specifically for third-party vendor accounts. Auditing of these third-party vendors is critical. This will allow the detection of abnormal behavior.
  • Having all of these controls in place for managing and monitoring the third-party vendor accounts will detect any misuse of third-party vendor credentials.

Example 2: Data Breach at a Large U.S. Banking and Financial Services Company

This data breach started with the attackers infecting the personal computer of an employee. The malware stole the employee’s login credentials. When the employee used VPN to connect to the corporate network, the attackers were able to gain access to more than 90 corporate servers. The attackers stole private information for 76 million households and 7 million small businesses.

The SANS Institute Reading Room for InfoSec’s report on this breach mentions the need to manage user privileges as one of the key ways to minimize the risk of a breach or minimize damage in case of a breach. Quoting from the report:

  • Least privilege simply means to give someone the least amount of access to perform his or her job. If least privilege control access were applied, these organizations would have reduced the amount of stolen data by 86 percent.
  • Anonymous access must be disabled because many Windows vulnerabilities are caused by null user sessions. A null user session is essentially a Server Message Block (SMB) session with blank username and password.
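The two SANS recommendations quoted above (audit third-party vendor accounts for abnormal behaviour; disable anonymous/null-session access) can be turned into a concrete account-review check. The following is an added example, not code from the SANS reports or the original post: it reads constructed Windows security-log exports (EventID 4624 successful logons) and flags anonymous network logons and vendor accounts reaching hosts outside their approved scope. Account names, hosts and the entitlement list are constructed placeholders.

```python
# Added example (not from the SANS reports or the original post): an account
# review check over Windows 4624 logon records, flagging (a) null-session style
# anonymous network logons and (b) third-party vendor accounts reaching hosts
# outside their approved scope. All records and names are constructed.
import csv
from io import StringIO

# Constructed sample of security-log exports (EventID 4624 = successful logon;
# LogonType 3 = network; "ANONYMOUS LOGON" is how a null session appears).
SAMPLE_LOG = """\
time,event_id,account,domain,logon_type,workstation,target_host
2016-07-20T02:14:00,4624,ANONYMOUS LOGON,NT AUTHORITY,3,-,fileserver-01
2016-07-20T09:05:00,4624,hvac-vendor,CORP,10,vendor-laptop,vendor-jump-01
2016-07-20T09:41:00,4624,hvac-vendor,CORP,3,vendor-jump-01,pos-controller-07
2016-07-20T10:02:00,4624,jsmith,CORP,2,ws-114,ws-114
2016-07-20T11:30:00,4624,pos-support,CORP,3,vendor-jump-01,pos-controller-07
"""

# Constructed entitlement list: which hosts each third-party account may reach.
VENDOR_SCOPE = {
    "hvac-vendor": {"vendor-jump-01", "hvac-ctrl-01"},
    "pos-support": {"vendor-jump-01", "pos-controller-07"},
}

def review_logons(log_text, vendor_scope):
    """Return a list of (reason, account, target_host, time) findings."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["event_id"] != "4624":
            continue
        acct = row["account"]
        # (a) null session: anonymous network logon with no real account behind it
        if acct.upper() == "ANONYMOUS LOGON" and row["logon_type"] == "3":
            findings.append(("anonymous-network-logon", acct, row["target_host"], row["time"]))
        # (b) third-party account touching a host it is not approved for
        elif acct in vendor_scope and row["target_host"] not in vendor_scope[acct]:
            findings.append(("vendor-out-of-scope", acct, row["target_host"], row["time"]))
    return findings

if __name__ == "__main__":
    for finding in review_logons(SAMPLE_LOG, VENDOR_SCOPE):
        print(*finding, sep="\t")
```

Each finding maps back to one of the quoted controls: the first should be closed by disabling anonymous access, the second by reviewing the vendor account's entitlement and the activity behind it.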

What This Means for You as the Security Practitioner

Want to make sure your organization does not end up in the headlines for the wrong reasons, like a massive data breach? You’d do well to implement user-based controls and restrict user access to least privilege, as the SANS Institute reports recommend. Employ the right user access mechanisms not only on the endpoints and on the applications that they access but also on your next-generation firewall.

Call to Action

If you own a Palo Alto Networks® Next-Generation Firewall, refer to the following resources to enable User-ID™, and increase your organization’s breach defenses:

[Palo Alto Networks Research Center]
