Exploit Kits Exposed: Automated Attacks at Scale

Put yourself in the shoes of an attacker: your objective is to infiltrate an organization, deploy ransomware and get paid. Your job is to launch the most effective, lowest-cost attack possible that also delivers the highest return. When adversaries balance effort against potential reward, they increasingly turn to automated tools like exploit kits (EKs) to achieve their malicious goals at massive scale. In short, an EK lets a malicious actor silently exploit vulnerabilities in a victim's browser or browser plugins, deliver a malware payload, and operationalize the attack on rented EK infrastructure.

Before we look forward, it is important to understand the history of exploit kits and how they’ve become one of the most prevalent and effective methods of breaching an organization today. The popularity of EKs dates back to 2006, when the first documented case appeared; but it really took off in 2010 with the introduction of the Blackhole EK and its associated software-as-a-service (SaaS) based business model. Now, instead of setting up malicious infrastructure, compromising websites, identifying vulnerability exploits, and delivering malware, malicious actors could outsource nearly the entire attack flow to an expert. This is cyberattacking for the masses, with a modern and simple-to-use interface to match.

Over time, network defenders identify and take down prevalent exploit kits, as we saw with the disappearance of Blackhole after the arrest of its author; but there is always another one ready to take over the mantle and reap the profits. In recent years, we have seen an explosion in the scale of EK usage against organizations, especially as they have been increasingly used to deliver ransomware payloads. In fact, according to research by the Palo Alto Networks Unit 42 threat intelligence team, “Exploit kits are now, on average, about twice as expensive as they were two years ago.” We expect this trend to continue, with malicious actors continuing to leverage the automation, scale and silent malware delivery offered by exploit kits.

As organizations build their prevention infrastructure, they should consider how their security controls can identify and prevent this significant threat across the network, cloud and endpoint. Learn more about the past, present and future of exploit kits, and how to prevent them.
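The drive-by chain described above (a compromised website, a landing page that exploits the browser, then a payload download) leaves a characteristic trail in web proxy logs. The following Python script is an added example, not code from the original post or from Palo Alto Networks: it reconstructs referrer chains from constructed sample log lines and flags a three-host chain that ends in an executable download within a short window. The log format, the hostnames, the list of executable content types and the 60-second window are all assumptions of this example.

```python
"""Heuristic drive-by (exploit kit) chain reconstruction from web proxy logs.

Added example, not from the original article. The log format, the sample
lines and the thresholds below are constructed for illustration; real EK
traffic varies, and a production detector would add URL reputation and
payload analysis on top of this triage signal.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample (assumed format: timestamp client method url status
# content-type referrer). Client 10.0.0.5 visits a compromised news site, is
# redirected to a landing page on a second host, and pulls an executable from
# a third host seconds later. Client 10.0.0.9 performs a legitimate download
# from the same host as the page that linked to it.
SAMPLE_LOG = """\
2016-11-15T10:00:01 10.0.0.5 GET http://news.example.org/story.html 200 text/html -
2016-11-15T10:00:02 10.0.0.5 GET http://cdn.example.org/site.css 200 text/css http://news.example.org/story.html
2016-11-15T10:00:03 10.0.0.5 GET http://gate.example.net/index.php?id=8f3a 200 text/html http://news.example.org/story.html
2016-11-15T10:00:05 10.0.0.5 GET http://drop.example.net/load.php?f=2 200 application/x-msdownload http://gate.example.net/index.php?id=8f3a
2016-11-15T10:02:58 10.0.0.9 GET http://vendor.example.com/download.html 200 text/html -
2016-11-15T10:03:00 10.0.0.9 GET http://vendor.example.com/setup.exe 200 application/x-msdownload http://vendor.example.com/download.html
"""

# Assumed set of response types treated as an executable payload.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
MAX_CHAIN_SECONDS = 60  # assumed window from first page to payload


def parse_log(text):
    """Return one dict per request, in file order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referrer = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "host": urlsplit(url).hostname,
            "ctype": ctype,
            "referrer": None if referrer == "-" else referrer,
        })
    return rows


def find_drive_by_chains(rows):
    """Flag referrer chains origin -> landing -> payload across three distinct hosts.

    Heuristic (an assumption of this example): a request whose response is an
    executable, whose referrer is a page on a different host, and whose
    referrer was itself referred from a third host within MAX_CHAIN_SECONDS.
    Returns (client, origin_url, landing_url, payload_url) tuples.
    """
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)

    chains = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        for payload in reqs:
            if payload["ctype"] not in EXECUTABLE_TYPES or not payload["referrer"]:
                continue
            landing = by_url.get(payload["referrer"])
            if landing is None or landing["host"] == payload["host"] or not landing["referrer"]:
                continue
            origin = by_url.get(landing["referrer"])
            if origin is None or origin["host"] in (landing["host"], payload["host"]):
                continue
            elapsed = (payload["ts"] - origin["ts"]).total_seconds()
            if 0 <= elapsed <= MAX_CHAIN_SECONDS:
                chains.append((client, origin["url"], landing["url"], payload["url"]))
    return chains


if __name__ == "__main__":
    for client, origin, landing, payload in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(f"suspected drive-by chain for {client}: {origin} -> {landing} -> {payload}")
```

Run as-is, the script reports the single chain for client 10.0.0.5; the vendor download for 10.0.0.9 is not flagged because the referring page sits on the same host as the executable. The three-host requirement is what separates a redirect into rented EK infrastructure from an ordinary software download, but it is a triage signal to combine with URL reputation and sandboxing of the payload, not a verdict on its own.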

[Palo Alto Networks Research Center]

Setting Expectations for Prevention Readiness: The Prevention-Posture Assessment

Our commitment to making prevention a core component of architecture is real. As such, we created a standard assessment methodology to help set expectations about prevention and create a prevention-based architecture strategy that builds alliances between IT and security professionals. Let’s talk about how to assess prevention readiness using that methodology.

The basis of our prevention posture assessment comes from two things:

  1. The cybersecurity community continues to amass a significant amount of intelligence and information about attackers. We know the tools, techniques, indicators of compromise, and vectors attackers have used to successfully attack organizations. However, IT and security professionals often lack the ability to actively defeat many of the attacker tools and techniques we already know about.
  2. IT and security leaders tell us they’re not confident they know everything that is happening in their network.

General Sun Tzu, in 500 B.C., said the following:

“Know the enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.”

The General’s words are as true today as they were in his time. In addition, they are extremely relevant in the cyber domain. You must know the enemy and yourself to prevent successful attacks. We want to work with you in a way that allows you to know yourself so you can use what we know about the enemy to prevent successful attacks.

The figure below provides a visual about how we use the prevention-posture assessment to set expectations about prevention and create a prevention based architecture strategy with customers.

Figure 1: Prevention posture assessment

First, we separate architecture into three different areas, as shown on the left-hand side of Figure 1.

  • Enterprise, mobility and SaaS
  • Data center, cloud and SaaS
  • Endpoint

In this way, we ensure the “know yourself” aspect of our methodology is applied consistently across the whole architecture. Separating the architecture into these areas is a deliberate step that ensures prevention capabilities are distributed across all of them, rather than concentrated at the perimeter. It also makes the point that we need to work directly with both the IT architects and the security architects of an organization.

Second, we align the three architecture areas with specific stages of the attack lifecycle. As Figure 1 shows, the colors in each area of the architecture align directly with specific stages of the attack.

Aligning the areas of architecture with stages of the attack lifecycle creates a compelling discussion about the difference a modern extensible approach to prevention makes for protecting organizations. In our approach, we drive home the need to position prevention capabilities across all three areas of architecture. In this way, we can actively defend ourselves by preventing what we know about attackers. At the same time, we maintain positive control that the enterprise is operating as intended, and we know everything happening in controlled environments.

Figure 2: Prevention posture assessment capabilities

In Figure 2, we provide a list of the prevention capabilities assessed as part of the prevention posture assessment. As you read through the list, there are interesting items to note:

  1. The capabilities are redundant across areas of the architecture and stages of the attack. This is important because we must deliver prevention capabilities from the inside out rather than the way the status-quo hardens perimeters today.
  2. We don’t assess detect/respond capabilities, like IDS, because they are not prevention-focused. This is intentional. Frankly, we shouldn’t get “prevention readiness” credit for capabilities that don’t prevent.
  3. The prevention capabilities are all part of the “system-of-systems” Palo Alto Networks platform approach that is fully integrated. We set the expectation for all customers that they need to field all these capabilities to get the full value of their investment.
  4. The prevention capabilities are as relevant for IT infrastructure professionals as they are for security infrastructure professionals. For this reason, we always perform the assessment jointly with the IT and security architects.

In practice, we typically find that existing customers continue working to improve capabilities covering the Delivery and Command and Control stages of the attack. This makes sense given that status-quo approaches emphasize hardening the perimeter. One exception within the Delivery and Command and Control stages is that very few customers adequately inspect SSL-encrypted traffic. Today, it is common knowledge that threat actors take advantage of encrypted application traffic to deliver malware and control their attack. Since the share of SSL traffic in enterprises continues to grow, customers must move deliberately to decrypt traffic and extend their prevention capabilities into it to eliminate these blind spots.

In addition, we consistently see customers with immature or non-existent prevention capabilities covering the internal stages of the attack lifecycle. Limited coverage by prevention capabilities across the architecture leaves us all at risk and allows known attackers to move unmitigated throughout an enterprise.

Ultimately, it is your decision. A known attack methodology or technique is not advanced, and should be defeated using modern prevention capabilities. In this section, we discussed the capabilities we assess to prevent successful attacks. In the next section, we will discuss how we measure prevention capability readiness and our ability to build confidence that we know everything happening in a controlled enterprise.

Have you received your prevention posture assessment yet? If you’re an existing customer, contact our partner or your local representative to request an assessment. If you’re a potential customer, do the assessment with one of our representatives soon. The only cost is some of your team’s time, and it will be time well spent.


[Palo Alto Networks Research Center]

Cultivating and Retaining IT Audit Talent

People with deep technical skills are in high demand, so internal audit needs to take extra care to ensure the profession is attracting and retaining the right people. According to PricewaterhouseCoopers’ 19th annual global CEO survey released earlier this year, 72 percent of CEOs consider the availability of key skills a threat to their organization’s growth prospects.

As we discussed in New Orleans at the IT Audit Director Forum—part of ISACA’s North America CACS conference—there are steps companies can take to ensure IT audit develops the quality workforce needed to thrive amid this evolving landscape.

Work With Universities to Strengthen Workforce
The nature of audit is becoming more real-time and continuous, and less forensic. A number of factors have impacted the speed at which universities have been able to prepare their students for the effects of technology and automation on the IT audit profession.

That is problematic, as the day is fast approaching when professionals who lack broad technical knowledge and data analysis skills will be unable to function successfully in the field. This is especially true because the more organizations rely upon technology, the more necessary it becomes to use technology when auditing them.

Universities might be receptive to weaving more data analysis, cybersecurity and technical prep into their curriculums—they may just need some additional support and guidance from alumni and business leaders to keep pace with the changing demands of the profession.

Take Compensation Seriously—and Not Just the Dollars
Organizations cannot take a knife to a gunfight when it comes to offering the competitive compensation packages needed to land talented technology professionals. As organizations seek skilled IT auditors equipped for the modern landscape—and greater demands are placed on IT audit professionals—compensation must reflect the reality that talented candidates will have plenty of options.

Additionally, HR departments need to place an emphasis on going beyond salary when attracting talent. Particularly among millennials, other perks such as flexible work schedules, the ability to work remotely and even casual workplace attire are becoming increasingly meaningful.

At PwC, a flexible dress policy was recently implemented, allowing employees to wear jeans at the office when they are not meeting with clients. In the traditionally buttoned-up world of public accounting, that’s practically a tidal wave of workplace progress, and it’s a sea change many welcome.

Find Sensible Enticements to Encourage Progress
The perception is that internal audit lacks the glamour of other fields tied to emerging technologies. Internal audit needs to overcome that stigma to pull in the tech talent needed to perform at a high level.

Internal audit affords professionals rapid and exciting opportunities to tackle major projects involving high-level influencers. Being open to the idea of quickly giving employees such major responsibilities is worth considering.

Those who enter the job with high technical IQs might soon be ready to take on more senior tasks than was the norm in the past, and recognizing that potential quickly will not go unappreciated by employees. A word of caution, though—the potential downside of giving somebody a task beyond his or her ability is substantial. These judgments are about being open-minded and require a measured, case-by-case approach.

Working across departments to identify quicker paths to promotion as circumstances justify can be another worthwhile way for your organization to retain top talent.

There never has been a more exciting time to be in IT audit. Nothing is becoming less automated or less reliant on technology, so this is a career path with permanence. Still, challenges remain in attracting and retaining quality professionals. Organizations that take inventory of the evolving state of IT audit and are responsive to the priorities of prospective employees will be best positioned to assemble the high-caliber workforces that they need.

A. Michael Smith, Partner, PricewaterhouseCoopers LLP, and Khalid Wasti, Partner,
PricewaterhouseCoopers LLP

[ISACA Now Blog]

Cloud Security Alliance Launches Crowdfunded Cloud Security Management Solution

STARWatch SaaS Application Empowers Organizations to Manage Compliance & Risks Using CSA Standards and Best Practices

SAN FRANCISCO – November 15, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the launch of its new STARWatch application, a Software as a Service (SaaS) application designed to help organizations manage compliance with CSA requirements. STARWatch delivers the content of CSA’s Cloud Control Matrix (CCM) and CSA’s Consensus Assessments Initiative Questionnaire v3.0.1 (CAIQ) in a database format, enabling users to manage compliance of cloud services with the CSA best practices. CSA is delivering STARWatch using an innovative and heavily discounted crowdfunded model to make this solution accessible to the broadest spectrum of customers.

STARWatch is designed to provide cloud users, cloud providers, cloud auditors and security providers assurance on demand. STARWatch provides users the ability to:

  • Manage all cloud service providers and their own private clouds to assure a consistent security baseline is maintained
  • Build and maintain a CSA Security Trust and Assurance Registry (STAR) entry and provide customers with rapid responses to their compliance questions
  • Perform audits and assessments of cloud provider security
  • Leverage the STARWatch solution database format and technical specifications to integrate its capabilities within their own solutions

During the current open beta period, customers may now purchase a STARWatch license with a discount of up to 70%. The discount will expire at the time of the official STARWatch release on February 13, 2017 at the CSA Summit at the RSA Conference. At that time, STARWatch open beta licenses will convert to a full year license. By acting now, customers will receive 15 months of access to STARWatch at a fraction of the one year license price. More information can be found at https://cloudsecurityalliance.org/star/watch.

“Compliance and assurance are becoming complex matters, but they are critical in building the best cloud computing practices and a trusted cloud ecosystem,” said Daniele Catteddu, CTO for the Cloud Security Alliance. “We created the STARWatch application to assist organizations in managing their compliance with CSA requirements. We’re providing a higher level of assurance and transparency and streamlining the entire compliance process.”

The CSA STAR program is the industry’s most powerful program for security assurance in the cloud and encompasses the key principles of transparency, rigorous auditing, harmonization of standards and continuous monitoring. Currently there are 228 Cloud Service Providers in the STAR program, across STAR Self Assessment, STAR Certification, STAR Attestation and C-STAR Assessment.

For more information on the STARWatch application, please visit https://cloudsecurityalliance.org/star/watch.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunictions.com

[Cloud Security Alliance Research News]
