2017 Cybersecurity Predictions: Machine Learning and AI-Driven Frameworks Shape Cloud Security

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.

Here’s what we predict for cloud in 2017:

Sure Things

A multi-cloud, hybrid security strategy will be the new normal among InfoSec teams

In the last few years, the digital footprint of organizations has expanded beyond the confines of the on-premise data center and private cloud to a model that now incorporates SaaS and public clouds. To date, InfoSec teams have been in a reactive mode while trying to implement a comprehensive security strategy across their hybrid architecture. In 2017, we will see a concerted effort from InfoSec teams to build and roll out a multi-cloud security strategy geared toward addressing the emerging digital needs of their organizations. Maintaining a consistent security posture, pervasive visibility, and ease of security management across all clouds will drive security teams to extend their strategy beyond security considerations for public and private clouds and also focus on securely enabling SaaS applications.

Shifting ground within data privacy laws will impact cloud security choices

Cross-border data privacy laws play a significant role when organizations across the globe weigh their cloud computing options. With recent developments, such as Brexit and the expansion of cross-border data flow restrictions in Asia-Pacific, IT security leaders will look for flexibility and adaptability from their cloud security vendors in 2017. Cloud security offerings need to address the diversity among clouds, enforce consistent security policy, and adapt to the data privacy laws of the resident nation-state. The WildFire EU cloud is a good example of establishing a regional presence to comply with local data residency requirements. It is a global, cloud-based, community-driven threat analysis framework that correlates threat information and builds prevention rulesets that can be applied across the public, private and SaaS footprint of organizations based in Europe.

Large-scale breach in the public cloud

The excitement and interest around utilizing the public cloud reminds us of the early days of the Internet. Nearly every organization we talk to is using or looking to use either Amazon Web Services (AWS) or Microsoft Azure for new projects. And it is based on this observation that we predict a security incident resulting in the loss of data stored in a public cloud will garner international attention. The reality is that, given the volume of data loss over the past year, one or more successful breaches has likely occurred already, but the specific location (private, public, SaaS) of where the data was located is rarely, if ever, disclosed. But that is bound to change as more companies move their business-critical applications to the public cloud.

The basis of the prediction is twofold. Public cloud vendors are more secure than most organizations, but their protection is for underlying infrastructure, not necessarily the applications in use, the access granted to those applications, and the data available from using those applications. Attackers do not care where their target is located. Their goal is to gain access to your network; navigate to a target, be it data, intellectual property or excess compute resources; and then execute their end goal – regardless of the location. From this perspective, your public cloud deployment should be considered an extension of your data center, and the steps to protect it should be no different than those you take to protect your data center.

The speed of the public cloud movement, combined with the “more secure infrastructure” statements, is, in some cases, leading to security shortcuts where little to no security is being used. Too often we hear from customers and prospects that the use of native security services and/or point security products is sufficient. The reality is that basic filtering and ACLs do little to reduce the threat footprint: opening TCP/80 and TCP/443 allows nearly 500 applications of all types, including proxies, encrypted tunnels and remote access applications. Port filtering is incapable of preventing threats or controlling file movements, and it improves only slightly when combined with detect-and-remediate point products or those that merely prevent known threats. It is our hope that, as public cloud projects increase in volume and scope, more diligence is applied to the customer piece of the shared security responsibility model. Considerations should include complete visibility and control at the application level and the prevention of known and unknown threats, with an eye toward automation to take what has been learned and use it to continually improve prevention techniques for all customers.

Long Shots

Autonomic Security: Rise of artificial intelligence and machine learning-driven security frameworks

2016 introduced self-driving cars and selfie drones to consumers. The technology behind these innovations was heavily driven by artificial intelligence (AI) and machine learning (ML). AI and ML usage within cybersecurity is not new. Cybersecurity vendors have been leveraging them for threat analysis and for the big data challenges posed by threat intelligence. But the pervasive availability of open source AI/ML frameworks, and the simplicity of automating with them, will redefine the security automation approaches within InfoSec teams. Today, security automation is about simplifying and speeding up monotonous tasks associated with cybersecurity policy definition and enforcement. Soon, artificial intelligence and machine learning frameworks will be leveraged by InfoSec teams for implementing predictive security postures across public, private and SaaS cloud infrastructures. We are already seeing early examples that reflect this approach. Open source projects, such as MineMeld, are shaping InfoSec teams’ thinking on leveraging externally sourced threat data and using it for self-configuring security policy based on organization-specific needs. In 2017 and beyond, we will see the rise of autonomic approaches to cybersecurity.

Insecure API: Subverting automation to hack your cloud

Application programming interfaces (APIs) have become the mainstay for accessing services within clouds. Realizing the potential problems associated with traditional authentication methods and credential storage practices (hard-coded passwords, anyone?), cloud vendors have implemented authentication mechanisms (API keys) and metadata services (temporary credentials) as alternatives that streamline application development. The API approach is pervasive across all cloud services and, in many cases, insecure. It provides a new attack vector for attackers, and in 2017 and beyond, we will hear about more breaches that leverage open, insecure APIs to compromise clouds.

What are your cybersecurity predictions around cloud? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for Asia-Pacific.


[Palo Alto Networks Research Center]

Fishing vs. Hunting for an IT Assurance Job

The Internet is awesome, isn’t it? At any moment, you have the ability to see hundreds of job postings and post your resume for all to see. However, if the only thing you are doing to find a job is fishing by dropping your resume “lure” in the water hoping for a hiring manager to bite, you will be waiting a while.

You need to get out and hunt for your next job. Know the terrain, have spotters in the field, pick the right tree to sit under. Truth be told, I know nothing about actual hunting but, after nearly 10 years of helping IT assurance professionals find new opportunities, I know a few things about hunting for a job.

Here are my top three tips:

Don’t Post Your Resume Online
Monster, CareerBuilder, Indeed, Dice; I have nothing against these services, but you are not their target audience. If the service is free, you are the product, right? The main problem with posting online using these types of sites is that you immediately lose control over where your resume ends up.

One of the pitfalls of the typical recruiting firm is what I call the shotgun approach. They fire your resume in every direction to every client they have, hoping that someone will want to interview you. Now you are faced with a potential situation where your resume is in front of a hiring manager (if it even makes it there; more on that below) from multiple sources, and you start to look desperate.

There are ways you can safely post your resume online anonymously. But, it is hard to do, and even the most “scrubbed” resume can still be figured out. (Word document author metadata, anyone?) Yes, I even see professionals in the information security space get it wrong. It is safer just not to mess with it.

Instead:

Use Your Relationships
The common belief is that only a small percentage of jobs are actually posted online. Not sure if that is completely true anymore, but I can tell you that most hiring managers have an idea of who they want to hire long before the posting goes up. You want to be the person they think of.

Make sure your personal brand in the marketplace is a positive one. I am always surprised at just how small our IT assurance world is. Make sure people know you for being honest, self-motivated, dependable and collaborative, and word will start to spread about the positive impacts you have had on your organization. Be intentional about networking. Seek out people at ISACA events who work at companies you are interested in. Don’t just add people on LinkedIn, take them to coffee. Make relationships and use them.

Applying Directly Online
It should be your very last option. I’m not telling you to never apply online. What I am saying is use what I’m about to tell you first, and if you still come up empty, that is the only time I would suggest applying directly online. The companies that pay to advertise their job openings will not even be upset at this. Their goal is to make sure they see qualified candidates, and if you became aware of their opening through their online listing, then their money was spent wisely.

I hear it all the time: “I applied to this job online but never heard anything back.” I know for a fact that job-seekers who could have gotten the job they applied for do not get contacted at all because the resume never makes it to the right person. Most companies have talent acquisition teams with increasingly complex systems that are heavily dependent on keyword filtering. I don’t blame HR or talent acquisition teams for wanting to use these filters. Their job is tough. They have to work on potentially hundreds of jobs at the same time. They can’t possibly dig into the level of detail it would take to understand what it takes to be successful in an ISACA-related position.

Applying to a job without an external or internal advocate will more than likely result in silence. You need someone who knows your values, personality and skill set who can help you get visibility with the hiring manager, the real decision-maker in the hiring process. It all comes back to reputation and relationships.

This is just the very tip of the iceberg on how to successfully navigate an IT assurance job hunt, and the first in a series of ISACA Now blog posts I am planning on IT assurance interviewing and hiring. If you have additional questions or a topic you would like to see discussed in the future, feel free to post them in the comments section.

Author’s note: What tips for successful job hunting have I missed? What is the best or worst piece of job search advice you have ever been given?

Brad Owens, Recruiting Director, Duval Search

[ISACA Now Blog]

SamSa Ransomware Attacks: A Year in Review

In March of this year, Unit 42 investigated the SamSa actors that were attacking the healthcare industry with targeted ransomware. With this group having been active for roughly one year, we decided to revisit this threat to determine what, if any, changes had been made to their toolset. In doing so, we discovered that it’s been a very profitable year for SamSa, with an estimated $450,000 in ransom payments from samples we have identified. This post discusses changes made by this group and the SamSa malware family since we last discussed them.

Updates to Malware Toolset

In the past 12 months, Unit 42 has collected and analyzed 60 unique samples that have been identified as belonging to the SamSa malware family. SamSa has a very small number of samples overall when compared to more common ransomware families such as Locky, Cerber, and CryptoMix. This is simply a byproduct of the targeted nature of SamSa, which targets specific organizations instead of a wide number of Internet users.

During the past 12 months, a number of changes were made by the authors to make analysis and reverse-engineering more difficult. While we classify all of these samples as “SamSa,” the attackers have used various names to identify their projects. The following chart shows the various internal .NET project names used by SamSa from December 2015 until November of 2016.

Figure 1 Versions of SamSa Ransomware over time

The following internal .NET project names were observed, in order:

  • samsam
  • MIKOPONI
  • RikiRafael
  • showmehowto
  • wanadoesme
  • wanadoesme2
  • gonomore
  • gotohelldr
  • WinDir

The majority of the name changes took place after April of this year. Looking at changes made internally to the code base, we observed the following events since we last discussed SamSa:

Figure 2 SamSa modifications over time

  1. A number of internal .NET name changes, starting with RikiRafael.
  2. A number of changes to the encrypted filename extensions used after encryption took place.
  3. Changes to the format of the encrypted file header.
  4. Modifications to the dropped helper HTML file that informs the victim of what has occurred.
  5. Different temporary folder names used to hold SamSa while it is running.
  6. Encryption of embedded strings using the AES-128 algorithm.
  7. Internal PDB debug strings obfuscated.
  8. Internal PDB debug strings removed altogether.

Profits

When we originally discussed SamSa, there were confirmed profits of $70,000 for the threat actors, with estimates by other researchers as high as $115,000. Unlike most ransomware, SamSa ransomware executables often contain the Bitcoin wallet address victims are supposed to use to pay the ransom. Since March 24, 2016, we’ve witnessed 24 unique SamSa samples containing 19 unique Bitcoin (BTC) addresses. This allows us to monitor the blockchain for transfers to those wallets and identify ransom payments. In one unusual case, we saw a version of SamSa where the BTC address was supplied as a second command-line argument, preventing us from seeing what payment, if any, was received by the actors. This not only makes tracking monetary payments extremely difficult, but is also yet another example of how the SamSa actors take a very targeted approach to their victims, generating unique data for each victim they infect.

Of those 19 unique BTC addresses we observed since March 24th, 14 have received payments totaling roughly 394 BTC. Prior to March 24, 2016, we observed roughly 213 BTC received, giving us a total of 607 BTC received by the SamSa actors. Using today’s BTC rate of $744.43, we estimate that the attackers have obtained roughly $450,000 since their operations began. It’s important to note that there are likely a number of samples that we were unable to obtain, so the actual figure is likely much higher. A visual of the money obtained by the SamSa actors can be seen in the following figure:

Figure 3 SamSa BTC profits over time

As we can see, there is a large gap in between June and September of 2016. This is most likely due to the sample set used during research, as there were only a few samples obtained in recent months.

Conclusion

In the past year, the SamSa actors have shown no sign of stopping their attacks. They’ve successfully compromised a number of organizations, and continue to reap significant rewards for their efforts. In the past year alone, they’ve collected an estimated $450,000 from their scam. As the group continues to make money, it is unlikely we shall see them stop in the near future. Palo Alto Networks customers are protected from this threat in the following ways:

  1. All malware is classified as malicious in WildFire.
  2. Domains used by SamSa have been flagged as malicious in Threat Prevention.
  3. AutoFocus users can track this family using the SamSa tag.

A full list of indicators of compromise (IOCs) related to SamSa can be found here.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Preparation, Proliferation, Personnel and Protection = A Bumper Year in EMEA

The innovations in today’s digital world continue to advance at a tremendous pace, and 2016 didn’t fail to have its own impact on society. As a hobbyist in remote flight, the introduction of drones to deliver blood and medicines in Rwanda from a Silicon Valley startup was an amazing example of how the Internet of Things can have a hugely positive impact on society. I can’t wait for the completion of the $10 million Tricorder XPRIZE to be announced in early 2017, when fiction is expected to become fact, as a portable wireless device that is anticipated to be able to monitor and diagnose health conditions.

What can we expect in 2017 from a cybersecurity perspective? Personally, I believe 2017 and early 2018 will be the most exciting years in terms of evolving our cybersecurity capabilities as businesses prepare for the May 2018 deadlines imposed by upcoming EU legislation changes. This is a rare opportunity to step back and take stock of our capabilities and validate if they are still fit for their purpose, both for the approaching deadline and thereafter. This is a welcome driver to look to the future as security professionals are often so caught up in enabling the ongoing technology innovations and managing evolving cyber risks.

So here are my predictions for the next 12 months:

1. 2017 is the year businesses need to get prepared for the May 2018 deadline for upcoming EU legislation in the form of the GDPR and NIS Directive.

  • This will mean that businesses finally have to gain control of the mountains of data they have gathered and generated, as well as to understand both the value and risks they create for the business.
  • We can expect some early examples to be made, as the EU looks to ensure that businesses take their digital societal responsibilities
  • Cybersecurity leaders will need to validate that their cybersecurity capabilities are relevant to the risk they face and that they leverage current best practices, referred to as “state of the art,” with clearly documented processes and measures. Too often security experts continue to hold on to legacy practices, perceiving that continuing to do the same things as before is enough; as such, 2017 will be the year for change.

2. Businesses will be vulnerable as they are immobilized by the confusion of what a good next-generation endpoint strategy looks like.

  • With the growing volume of unique attacks, organizations have, for a long time, been looking for new solutions to either complement or replace signature-based approaches. However, with many different, new approaches to choose from, businesses are hesitating for too long while they look for validation to define their future next-generation endpoint strategies. With the growth of ransomware, one instance has become one too many, and now is the time when next-generation capabilities are needed.

3. We will see the cybersecurity landscape continue to change.

  • Ransomware will continue to have business impact. Expect ransomware to target a broader range of platforms and further leverage historical cyberattack techniques, such as APT-style attacks, as those behind them look to increase their profits. While this threat remains lucrative, it will continue to be a focus for attackers, which could distract them from developing threats leveraging other areas of technology.
  • DDoS will refocus on the retail space as retailers become increasingly dependent on online revenue streams.
  • Targeted credential theft will allow attackers to move the attack out of the business network. As more businesses in Europe embrace cloud, credential theft – whether through social engineering or attack – will mean that adversaries have to spend little or no time in the business’s network to achieve many of their cyberattack goals.

4. While senior cybersecurity skills are in reasonable shape, practitioners are in demand, and outsourcing capabilities are not scaled for evolving demands (volume of work, hybrid cloud/on-premise services, incident response, next-generation SOC requirements, training and running AI/big data systems).

  • With the continuing growth of information to draw on in order to prevent and protect against cyberthreats, we can only expect more security events that need to be managed. The scale of security experts has not and will not keep pace; therefore, businesses must rethink how and where human skills should be leveraged in cybersecurity. Today there are too many siloed human-dependent cybersecurity processes that, with evolving best practices, can and should be consolidated and automated. In a market with limited skills, usability and automation should be treated as equally important as capability.

5. Most companies will confirm whether cyber insurance will become a part of their investment strategy and realize that insurers are a valuable point for CISOs wishing to translate and validate risk to senior executives to help better understand their business’s cyber risks.

6. Cross-domain incidents will stop organizations siloing IoT/OT, and business/home systems, and help them start to realize it is actually one, big cyber mesh.

  • It’s likely that essential services will suffer more outages, following the early examples in Ukraine, the recent Mirai bot DDoS attack, and others.
  • In recent years, we have seen more attacks on automotive systems, so attackers inevitably will start to look at moving laterally into other autonomous systems, as they grow in popularity. These may vary from driverless city centers to the Amazon button to the increasing use of drones for commercial businesses.

It will be interesting to see how many of these predictions come true over the next 12 months. If experience has taught me anything, some will have been realized in half that time, while others may take a little longer – and, as always, I’m sure we’ll be thrown a few curveballs. The only near guarantee I can give is that the digital world will continue to have an amazing and positive impact on our lives, and I’m proud to be part of the global cybersecurity community that supports its enablement.

What are your cybersecurity predictions for 2017? Share your thoughts in the comments.

[Palo Alto Networks Research Center]

Support Design Should Begin at the Start

Everyone can think of a moment when they have experienced a problem with goods or services. Everyone can also think of a moment after the problem that…wait for it (drumroll)…there was poor customer support or no support at all.

So where does the disconnect between an enterprise’s strategic objectives and its failure in the eyes of the customer begin? Could this failure have been avoided from the start?

Here’s how it happens: Oftentimes an enterprise reviews its strategic plan, a process that often generates new ideas and a new focus on how to achieve its objectives. A critical factor in achieving these objectives is IT. As part of this effort, business cases are created and reviewed with due diligence and care, focusing on risk analysis, costing and other key planning issues. Approvals are given at various levels, and once the green light is reached, the product/service/upgrade is developed, with implementation to follow.

Imagine that all of the above stages are completed and the enterprise has just successfully launched a new service to customers through its digital channel. The product is marketed well and it is disruptive, so this results in huge demand from customers. At this point it may seem that all is well and good; however, as with all things, problems are going to occur and customers (internal/external) will be affected.

This is where the true test begins and where many enterprises fail because proper support systems were not put in place at the start. There are several reasons why this can occur, including a lack of foresight at the beginning, a focus on being first to market over competition, improper resource analysis, a lack of training, a poorly developed service level agreement (SLA) or no SLA review.

Just as security and risk are key considerations, proper support mechanisms should be considered when implementing your enterprise IT governance structure, since support is a form of risk mitigation in itself. You can implement the most state-of-the-art IT infrastructure that strategically aligns with your enterprise’s objectives and delivers super-fast service; however, if there is no support for the 100 percent certainty that something will go wrong, then all of it becomes useless. Design your framework so that failures are anticipated and not left to chance.

Ammett Williams CCIE, CGEIT, Telecommunication Team Leader – First Citizens, TT

[ISACA Now Blog]
