Setting the Record Straight: Convincing Management of COBIT’s Value in Risk Management

Although COBIT remains an extremely valuable tool for IT risk management, many Latin American companies still find themselves slightly confused when trying to understand what it takes to carry out a complete or partial COBIT implementation. In fact, organizations still struggle with how to achieve long-term business and IT goals through proper use of the framework’s tools, and advice from experienced or well-informed practitioners is not sought because top management often considers any external consultancy an expenditure with little or no return on investment. In addition, due to the multiple mergers and acquisitions currently taking place, there is a growing interest in the region in implementing COBIT as an IT risk management framework and even as a way to comply with globally accepted regulations, particularly the US Sarbanes-Oxley Act of 2002 (SOX).
In those terms, the main challenge that must be addressed by COBIT practitioners is encouraging top management to actively participate in the transformation process for integrating and standardizing IT management practices. Also, the COBIT practitioner must be focused on helping the involved stakeholders understand that “IT guys” are friends interested in taking the company to the next level and providing solutions, not foes who should be pointed to when looking for scapegoats. Some of the elements to be considered when implementing COBIT as a reference for risk management practices are:

  • According to the COBIT goals cascade, every endeavor regarding the enterprise enablers must be driven by IT-related goals, which are also leveraged by the enterprise goals and the stakeholder needs, which includes risk optimization.
  • Going along with this definition, the concept and scope of governance of enterprise IT (GEIT) must be clarified and communicated within the organization to enable achievement of the goals in which IT participates and is accountable. Once GEIT has been established, the cornerstone of the IT internal control model is in place.
  • In addition, a business case must be generated to create an interface between the stakeholders’ expectations and IT plans as referenced in the publication COBIT 5 for Business Benefits Realization. The definitions included in the aforementioned business case will be the confirmation that the GEIT goal is to generate potential benefits for the organization as a whole, considering the pervasive nature of IT.
  • According to the white paper Getting Started With Governance of Enterprise IT (GEIT) and in this author’s experience, GEIT ensures greater alignment of IT functionality with business needs. However, commitment from the enterprise leadership at the highest levels (e.g., C-suite, board of directors) is fundamental to ensuring a successful implementation and a sustainable model.

Based on the aforementioned facts and on each organization’s background, which is determined by factors such as industry, degree of process automation and applicable regulation (e.g., SOX, anti-money laundering, fraud prevention), it is also important for the COBIT practitioner to set the record straight with the organization’s top management about the culture and practices that must be embraced when adopting the framework:

  • Definition of governance and risk management structures required for the implementation of COBIT practices is not a one-time effort.
  • The effectiveness of the framework’s risk management practices depends on management promoting and fostering COBIT’s enablers as a primary commitment.
  • Although IT must actively participate in defining practices, COBIT maintenance and periodic review must be sponsored by the core business and the control functions.
  • Management must be aware that there is not a standard timeline for implementing COBIT. Therefore, COBIT practitioners must set realistic expectations with management when defining and analyzing which COBIT enablers will be implemented and how many resources (e.g., time, money, people) will be required to use COBIT practices and ensure their sustainability through early life support and other management review and follow-up activities. In some cases, it could even take years to get to the maturity level agreed on by the enterprise!

So, what should COBIT practitioners do to fight these misconceptions? What actions will generate more COBIT supporters, based on the framework’s applicability, and counteract any perception that COBIT is an excuse invented by consultants to sell high-end products and obtain a constant, recurring income? In this case, the experts’ experience, vision and judgment are fundamental, not only to set a solid cornerstone for IT risk management, but also to ensure the business processes will be optimized thanks to COBIT’s benefits, given the relevance the standard assigns to management’s goals. The presentation prepared by the COBIT implementer and the audience to whom it is presented will also affect the outcome, since the same presentation should not be used for top management, business areas, IT staff and support functions. Nonetheless, the main message must remain consistent: the entire organization is responsible for COBIT’s success and proper operation, with periodic consultations from external experts.
Another important factor is to assign proper accountability to ensure the defined practices are properly implemented and operate consistently over time. Robust activities and processes with no accountability are practically useless. The stakeholder accountable for each process must be defined according to business goals and requirements, and that person must act as a translator of the general strategic plan and as a mediator when change is to be implemented. The accountable stakeholder must also be aware of the process’s maturity level, what is required to achieve the next level (assuming the enterprise has agreed that a higher level is optimal for the business) and what should be changed after a review is performed. Phrases such as “I do not have to change it since we have not had any outages” or “I have always done things this way and I have been with the organization for more than 20 years” pose a huge challenge for the accountable stakeholder, suggesting that his/her role must also include skills for dealing with change and turning it into an opportunity to understand the importance and impact that each factor has for an organization.
With that being said, when initiating a COBIT implementation, practitioners should instruct the project’s stakeholders with these messages:

  • COBIT maintenance requires resources and infrastructure, but, in the end, it will greatly improve an organization’s stance regarding risk management.
  • COBIT promotes the importance of leadership and teamwork because, without proper guidance, commitment, and assignment of roles and accountability, the policies, procedures and rules that come along with COBIT fall into the perception that IT is an expenditure.

Conclusion

COBIT is a very powerful tool with numerous features that can be adapted to different circumstances, but it also takes a great deal of commitment to ensure it operates as expected. If management understands that everything can be improved, that nothing remains in the same state forever and that expert judgment is required on a periodic basis, the mystery of how to properly use COBIT to achieve business, compliance and operational goals could finally be solved.

Julian Marquez, CISA, CRISC, COBIT Foundation, ISO 27001 LA, ITIL Foundation, is an experienced risk management professional. He has worked with Deloitte on IT auditing and consulting services for projects in Colombia, Chile and Canada. He has worked on initiatives to use COBIT as a reference framework for different retail, manufacturing, financial services, and energy and resources companies. He has also participated as a trainer in internal and external COBIT-related training.

[ISACA COBIT Focus]

The Decision to Adopt Machine Learning for Telemedicine

Telemedicine is a fast-growing mobile health care information system (HIS) in most parts of the world. Fast Internet, smartphones and physicians’ increased comfort with electronic communication are also helping telemedicine become more widely adopted. Telemedicine consultation can contribute to reducing cost, lessening the stress of patients and improving accessibility to specialized consultations. However, it is difficult to schedule telemedicine sessions correctly without a deep understanding of the health care needs of the region. The use of machine learning for decision making and better treatment has been a highly researched topic. Machine learning is also used to monitor patients remotely. However, this technique is not currently used to monitor telemedicine session broadcasting. In our recent Journal article, we present the case of an Indian health care organization that broadcasts telemedicine sessions to associated hospitals in remote locations. For the purpose of telemedicine governance, we suggest the following steps when using machine learning techniques through the department-session-organization (DSO) model proposed in our article:

  • Understand the specific IT governance problem using organization mission and vision to determine the purpose of the prediction model.
  • Collect past data, clean it to remove incomplete records and analyze it.
  • Perform data transformation for simplification and improved decision making if needed. For example, we simplified our model by clustering hospitals based on regions and identified teaching and nonteaching hospitals for better distinction and prediction.
  • Based on the data set, the organization needs to determine the kind of machine learning technique suitable for its decision making. In our study, as the variables were categorical and best suited for a classification model, we tested multiple classification techniques. Based on the results, we observed that a classification tree provided us the best prediction accuracy.

It is also important to balance the cost of information retrieval against the profit resulting from the prediction technique. While determining the return on the additional investment, we accounted for the risk associated with misclassification by the telemedicine decision support system (TDSS). A clear understanding of the risk and return on investment will help the hospital understand the pros and cons of going forward with such a prediction technique.

Read Shounak Pal and Arunabha Mukhopadhyay’s recent Journal article: “A Machine Learning Approach for Telemedicine Governance,” ISACA Journal, volume 1, 2017.

Shounak Pal and Arunabha Mukhopadhyay, Ph.D.

[ISACA Journal Author Blog]

Campaign Evolution: pseudo-Darkleech in 2016

Darkleech is a long-running campaign that uses exploit kits (EKs) to deliver malware. First identified in 2012, this campaign has used different EKs to distribute various types of malware over the past few years. We reviewed the most recent iteration of this campaign in March 2016, after it had settled into a pattern of distributing ransomware. Now dubbed “pseudo-Darkleech,” this campaign has undergone significant changes since the last time we examined it. Our blog post today focuses on the evolution of pseudo-Darkleech traffic since March 2016.

Chain of events

Successful infections by the pseudo-Darkleech campaign have generally followed a set sequence of events. This happens regardless of the EK used or the payload delivered. The sequence is:

  • Step 1: Victim host views a compromised website with malicious injected script.
  • Step 2: The injected script generates an HTTP request for an EK landing page.
  • Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications.
  • Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash player).
  • Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.
  • Step 6: The victim’s host is infected by the malware payload.

In some cases, the pseudo-Darkleech campaign has used a gate between the compromised website and the EK landing page. However, we far more frequently see injected script from the compromised website lead directly to the EK landing page. To get a better idea of the relationship between EKs and campaigns, see our previous blog on EK fundamentals.

Figure 1: Chain of events for the pseudo-Darkleech campaign.

EKs used by pseudo-Darkleech

The pseudo-Darkleech campaign used Angler EK until that EK disappeared in mid-June 2016. Like many other campaigns, pseudo-Darkleech switched to Neutrino EK after Angler EK disappeared.

Pseudo-Darkleech stayed with Neutrino EK until mid-September 2016. At that point, Neutrino EK ceased operations. The pseudo-Darkleech campaign then switched to Rig EK, and it has stayed with Rig since then. We still see indications of a Neutrino EK variant, but at much reduced levels compared to before.

Searching for EK activity in AutoFocus, we saw a significant drop in Neutrino and a corresponding rise in Rig activity starting in mid-September 2016.

Figure 2: Hits on Neutrino and Rig EK activity in September 2016.

Payloads sent by pseudo-Darkleech

When we last reviewed the pseudo-Darkleech campaign in March 2016, it was delivering TeslaCrypt ransomware. Since that time, pseudo-Darkleech has changed the ransomware payloads it delivers. In April 2016, this campaign switched to CryptXXX ransomware after TeslaCrypt shut down and released its master decryption key. By August 2016, pseudo-Darkleech had switched to a new variant of CryptXXX ransomware dubbed CrypMIC.

By October 2016, pseudo-Darkleech switched to distributing Cerber ransomware, and it has continued sending Cerber as of early December 2016. Below is a summary of EKs and payloads used by the pseudo-Darkleech campaign so far in 2016.

  • Jan 2016: Angler EK to deliver CryptoWall ransomware
  • Feb 2016: Angler EK to deliver TeslaCrypt ransomware
  • Apr 2016: Angler EK to deliver CryptXXX ransomware
  • Jun 2016: Neutrino EK to deliver CryptXXX ransomware
  • Aug 2016: Neutrino EK to deliver CrypMIC ransomware
  • Sep 2016: Rig EK to deliver CrypMIC ransomware
  • Oct 2016: Rig EK to deliver Cerber ransomware

Patterns of injected script

Any EK infection chain almost always starts with injected script from a particular campaign in a page from a compromised website. These pages are from legitimate websites that have been compromised and are being used by the campaign.

When we last examined injected script by the pseudo-Darkleech campaign, it was a large block of heavily-obfuscated text that averaged from 12,000 to 18,000 characters in size. It remained large and obfuscated through June 2016.

Figure 3: Start of injected pseudo-Darkleech script in page from compromised website in June 2016.

Figure 4: Middle of injected pseudo-Darkleech script in page from compromised website in June 2016.

Figure 5: End of injected pseudo-Darkleech script in page from compromised website in June 2016.

But by July 1, 2016, injected pseudo-Darkleech script had stopped using obfuscation and become a straightforward iframe. This iframe carries a span value that places it outside the viewable area of the web browser’s window.

Figure 6: Example of injected pseudo-Darkleech script from July 2016.

The injected script has changed slightly since then, but it remains short and unobfuscated as of early December 2016.

Figure 7: Example of injected pseudo-Darkleech script from December 2016.
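The unobfuscated injected script described above is a single iframe styled so that it never appears in the visible page. The following scanner is an added example (not Palo Alto Networks code) that flags such iframes in captured HTML; the sample page and the landing-page URL are constructed, and the exact CSS used by pseudo-Darkleech is an assumption, not copied from the post.

```python
"""Flag <iframe> elements that are positioned off-screen, hidden or near-zero in size.

Added example, not code from the original post. SAMPLE_PAGE is constructed
and the off-screen CSS pattern is an assumed common form, not the campaign's.
"""
import re
from html.parser import HTMLParser

# Large negative offsets (3+ digits) push the frame out of the viewport.
CSS_OFFSCREEN = re.compile(r"(top|left|margin-top|margin-left)\s*:\s*-\d{3,}px", re.I)
CSS_INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "")
        reasons = []
        if CSS_OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if CSS_INVISIBLE.search(style):
            reasons.append("hidden via CSS")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("near-zero size")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_suspicious_iframes(html):
    """Return a list of {src, reasons} dicts for iframes that are not user-visible."""
    scanner = IframeScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one legitimate embed and one injected, hidden iframe.
SAMPLE_PAGE = """<html><body><p>Welcome to our site</p>
<iframe src="https://video.example/embed/clip" width="560" height="315"></iframe>
<iframe src="http://landing.example/index.php?id=CONSTRUCTED"
 style="position:absolute; top:-9999px; left:-9999px;" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run against saved copies of a site's pages, a hit points at the injection to remove and at the landing-page URL to block and hunt for in proxy logs.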

Conclusion

With the recent rise of ransomware, we continue to see different vectors used in both targeted attacks and wide-scale distribution. EKs are one of many attack vectors for ransomware. The pseudo-Darkleech campaign has been a prominent distributor of ransomware through EKs, and we predict this trend will continue into 2017.

Domains, IP addresses, and other indicators associated with this campaign are constantly changing. Customers of Palo Alto Networks are protected from the pseudo-Darkleech campaign through our next-generation security platform, including Traps, our advanced endpoint solution that prevents EKs from compromising a system. We will continue to investigate this campaign, inform the community of our results, and further enhance our threat prevention.

[Palo Alto Networks Research Center]
