A key reason for the growing adoption of our Next-Generation Firewall within OT environments is our App-ID technology, which enables Layer-7 visibility and control over many ICS/SCADA protocols and applications, both standards-based and vendor-specific. Furthermore, through App-ID decoders, users can create dozens of command- and/or function- level custom App-IDs to bring even deeper insight and control.
So far, our ICS/SCADA protocol security capabilities have been for IP-based traffic, but with our new PAN-OS 8.0 release, we are excited to announce a new feature called non-IP protocol control for controlling ethernet traffic. This feature enhances the zone protection profile with the ability to create and apply a filter to any zone to block or explicitly permit traffic based on the header’s ether-type value.
An example of where this could be applied in ICS is in the growing area of IEC 61850 substation automation. IEC 61850 is a family of protocols that includes both IP-based and ethernet-based protocols. One of these ethernet-based protocols is GOOSE (ether type of 0x88b8). Without getting into the details, due to strict real-time performance requirements with IEC 61850, encryption was excluded from the standard. Furthermore, although GOOSE message authentication was defined via the IEC 62351-6 standard, there is still an associated complexity and also a loss of performance with the authentication enforced. Hence, most practical implementations will not have either of these security features turned on and are therefore vulnerable to cyberattacks. In fact, several research studies have validated the feasibility of GOOSE-related cyberattacks across different attack classes, such as modification, denial of service and replay.
As a basic example of attack and defense, consider a scenario where an attacker has successfully made his way to a business/engineering area of a substation network. This could be via a pivot from the control center or perhaps from a WiFi network at the substation, used for maintenance. Once present on the LAN, the attacker could initiate a GOOSE DoS attack or send specially crafted GOOSE packets into the IEC 61850 VLAN that may cause erratic behavior, poor performance, loss of service (opening relays), or even damage to equipment. With the non-IP protocol control feature, users can define a zone protection profile that blocks GOOSE traffic into the IEC 61850 zone, thereby preventing the attack and associated undesirable events. Attack scenarios from the IEC 61850 that zone “upstream” to the business zone seem to be less of a concern, but a zone protection profile in that direction could also be easily applied.
Although less research has been published on attack cases for sampled values and GSE management – the other protocols under IEC 61850 with specific ether types – the non-IP control feature can also be applied by simply filtering their respective ether types of 88b9 and 88ba. This could be useful as future attack cases for SV and GSE management are discovered.
Parts 1, 2 and 3 of our Cybercrime Underground the cybercrime series discussed some of the concepts and definitions around cybercrime, and how cybercriminals collaborate in cybercrime forums in buying and selling malicious tools and services. This latest report in our cybercrime series will provide a glimpse of the darknet markets where cybercriminals buy and sell data which have likely been stolen directly by compromising victim computer systems or by the result of a large database compromise. This blog focuses on explaining what darknet markets are, common payment model used, the type of digital data being bought and sold in the darknet markets and their typical costs. The objective of this blog is not to provide an exhaustive list of all the products and services being sold in the darknet markets but to shed light on how cybercriminals are utilizing the darknet markets to trade with impunity. It is important to understand the impact to the growing number of cybercrime campaigns and how the stolen data is monetized by the cybercriminals due to the demand in specific PII data in the darknet markets.
Many articles and research published by the information security industry discuss how cyber attacks can be broken down in phases which is widely known as the cyber kill-chain model. Darknet markets also play two important roles in the overall attack kill-chain. First these markets allow cybercriminals to purchase tools which are then utilized in specific stages of the kill-chain. For example: Malware creation and exploit tools which are sold in the darknet markets aid cybercriminals during the ‘weaponization‘ and ‘exploitation‘ phase of the kill-chain model respectively. The last phase of the kill-chain model ‘Actions on Objectives‘, specify the objective or goal of an adversary. Second, darknet markets allow cybercriminals to achieve their goal of making monetary profit by selling the data which may have likely been stolen from victim computer systems. It is also worth noting that not all digital data being sold in the darknet markets are gained from the result of successful cyber attacks. Insider data theft can end up in a darknet market as well. Insiders with the knowledge and know-how on sensitive information can aid in creating fake identification products which look authentic. For example a former Australian police officer was arrested in November 2016, for creating and selling fake police IDs, security and maritime passes in a darknet market.
The darknet markets today have increased in numbers as well as the number of users- one of the primary reasons has been the anonymity the darknets provide to the users to perform their illicit and illegal trades as well as the decentralized architecture provided by the Tor network which makes it increasingly difficult for law-enforcements to take actions against darknet markets.
What are Darknet Markets?
Darknet markets are websites which are hosted on the deep-web and can be accessed typically using the Tor network. The products and services which are bought and sold in the darknet markets can range from stolen credit-cards, personal information & ID scans, personal credit reports, operating accounts of online payment systems, email accounts with stolen credentials, counterfeit items, malware & exploit kits, drugs and also weapons, among other illegal products.
Access to Darknet Markets:
Darknet markets are hidden websites which cannot be accessible using regular browsers or search engines as they do not have an actual DNS name. Most darknet markets have a .onion TLD suffix which states that it is a hidden service and can only be reachable by the TOR network. A .onion site consists of 16 alphanumeric characters followed by a .onion TLD. The 16 characters may include letter from ‘a to z’ and numeric numbers from ‘1 to 7’. Below is a syntax of a .onion hidden service.
SYNTAX: [digest].onion
The digest is the base32 encoded value of the first eighty bits of a SHA1 hash of the identity key for a hidden service. Once Tor sees an address in this format it tries to connect to the specified hidden service. Many darknet market users also use a VPN network to add an additional layer of privacy to hide their source.
Figure 1 High-level depiction on how darknet markets are accessed using Tor
Payment Model:
The payment process in the darknet markets has followed the process which was used by the “Silk Road”, one of the first and best known darknet markets. Purchases in the darknet markets are typically made using virtual currencies like Bitcoin. An individual who wants to buy a product in the darknet market needs to credit his/her darknet market account with Bitcoins to make purchases in the darknet market. The buyer purchases and moves Bitcoins to the darknet user account used by the buyer and makes the desired purchase. Once the buyer has initiated the purchase, the respective cost of the purchase in Bitcoins from the buyer’s account are held in the darknet market’s escrow until the order has been completed. Once the purchase order has been completed, the Bitcoins are released to the Seller (Vendor). The figure below shows a flowchart of the payment model being used in darknet markets.
Figure 2 Payment model of Darknet Markets
Common Types of Data Bought & Sold:
Darknet markets provide many types of illegal products to be sold. This blog will not cover all the product types being available in the darknets but cover some of the most common types of information/ services which are transacted by cybercriminals in the darknet markets. Some of the types which we will discuss in this blog are:
Credit Cards/ CVV numbers
Credit Score Reports
Passport Scans
Driving license Scans
Document scan templates
Compromised account credentials
Malware/ Exploit kit services
Credit Cards:
It is not a surprise to see ‘credit cards’ being sold in the darknet markets as they are further used to commit fraud and are also used by cybercriminals to finance their requirements and make profit. There are multiple ways in which credit cards are stolen – some of which are phishing scams, ATM skimmers and also by people in the industry who have access to customer credit card information. Credit card fraud has been costing the financial industry billions of dollars and due to the high number of credit card frauds, the financial industry may find it overwhelming to investigate every fraud incident and may only tend to focus on cases where the cost of the fraud is very high. The cybercriminals / fraudsters are well aware of this challenge and try to perform their fraud activities by transacting small number of transactions on each card to avoid being detected by anti-fraud systems. The below snap shot was taken from a credit card sales ad at a darknet market where a seller also provides advice on making less amount transactions per card to avoid getting detected.
Figure 3 Seller advises buyers to make low transactions to avoid detection
The typical cost of credit cards being sold in the darknet markets can range from USD $1 to $25 for each card. The cost is higher if there is a confirmed high balance or if it is a premium card (platinum, business, corporate, gold). Some of the costs can be much higher if they come in a bundle and may also include how-to tutorials on making the most out of the credit cards to conduct fraud.
Figure 4 below shows some of the most recent credit card sales listings on a darknet market.
Figure 4 Credit Card listings on a darknet market
Credit Score:
Stolen identities are in big demand in darknet markets as they allow cybercriminals to conduct fraud using real identities of individuals who could have been victims to phishing/malware attacks or organizations holding PII data of their customers getting breached. Credit Score reports are one of the most highly traded PII (personally identifiable information) in the darknet markets. A credit score report is an analysis report of the credit worthiness of an individual and the credit score depends on the credit files of a person. Financial organizations use credit score reports to assess a client’s credit history which is used to approve loans. Credit reports are not only used by financial organizations but many others like governments, insurance, and many other organizations which require a credit history to process a request. The price of the credit score lists depends on the score of the report, with the higher score reports going for a higher price. Figure 5 and 6 below shows two examples of credit report listings which are being sold on a darknet market. A credit score of 750+ costs USD $50 in one of the listing and another listing shows a score between 720 and 820 would range between USD $ 49.50 to $100.
Figure 5 Example credit report listing on a darknet market
Figure 6 Example credit report listing at a darknet market
Passport / Driving License Scans:
Identity documents like passport and driving license scans are also in high demand as they can be used to commit fraud which can range from opening bank accounts, PayPal accounts, purchasing real estate, and perform any other transactions which may require a scanned copy of a passport or a driver’s license for verification. Many developed nations have a robust digital architecture with public services being available online where such scanned copies can be used to process and transact services by using real identities which are being sold in the darknet markets, further fuelling the opportunities to commit fraud. Even developing nations are not immune to these threats- Nations like India are investing heavily in transforming its digital architecture to provide public services electronically and encourage citizens to use the internet and the online services being provided. Given Personal Identifiable Information (PII) data are used in many such services, these type of information are in demand in the darknet markets as they can be used to conduct multiple types of fraud.
Figure 7 Listings showing passport and ID scans of India and UK being sold on a darknet market
Document Scan Templates:
Another type of listing which is quite regular in the darknet markets include but are not limited to templates of passports, driving licenses, SSNs, bank statements, utility bills, credit cards, tax statements and invoice receipts of different vendors. Figure 8 is an example of a sample of an Australian passport template which has the same passport ID details but has different photos of individuals. The seller of the below template also shares that any details in the passport including the photograph can be changed and it would still look legitimate. The seller provides full editable versions of the template in .psd format which is an Adobe Photoshop document format. The seller also provides download links to cracked versions of Adobe Photoshop so the buyers can use the .psd files without needing to buy a licensed copy of the software. Each .psd template sold can cost between USD $20 to $100. However, many listings have these templates being sold in bundles as well- For example a list of 9 templates for Canadian documents consisting of passport scans, bank statements, invoice documents and utility bills is selling on a discounted price of USD $387 where the original price would have exceeded $500 if bought separately.
Figure 8 Scanned templates of Australian passports being listed at a darknet market
Compromised Account Credentials:
Credentials of many online services which include banking, telco, social media networks and many more are being listen in the darknet markets. Figure 9 shows some of the listings of compromised accounts being sold at a darknet market.
Figure 9 Compromised credentials being sold at a darknet market.
Malware / Exploit Kit Services:
There are many types of malicious tools and services being sold in the darknet markets, some of which we have already shared in part 2 of our cybercrime underground series. Figure 10 below shows a listing on a darknet market for a Ransomware and BTC stealer setup service where a seller provides the tools and also configures it for the buyer.
Figure 10 Ransomware service being listed on a darknet market
Impact:
The global cost of cybercrime has been on an alarming rise with the estimated loss to be in billions of dollars, with some reports indicating that the overall loss could be in trillions. A large portion of this cost can be attributed to the fraud conducted due to stolen PII data, some of which we have covered in this blog. For example- In Asia, Australia has been impacted the most due to identity crimes with an estimated loss of AUD $2.2 billion annually. The Australian Federal Police also mention that identity crime has been a key enabler to ‘organised crime’ which in turn has been costing Australia AUD $15 billion dollars annually. This really shows the vast impact nations and organizations are facing due to the identity and PII information being stolen, bought, and sold in the darknet markets.
Conclusion:
Darknet markets have allowed cybercriminals, fraudsters and criminals who trade in weapons, drugs and illegal products to trade without much concern of getting caught due to the anonymity provided by the deep-web. Though it may be difficult to identify the perpetrators who are managing or using the darknet markets for their profit, global law-enforcement agencies are continuously working to bring the criminals behind the darknet markets to justice and the number of successful cases has been growing where many criminals behind the darknet markets have been arrested. Large percentage of internet and online service users are often unaware of the threats in the digital world and tend to not follow common online safety measures to secure their personal information or their systems, which eventually result in their personal data being stolen and traded in darknet markets, where the information are further used to commit fraud. It is imperative to have an understanding on how these criminals operate and the type of information being traded to better secure ourselves.
Organisations should follow industry standards on securing data and implement security technologies to prevent cyber attacks and reduce the risk of data being stolen and traded in the darknet markets. Palo Alto Networks Next-Generation security platform provides a holistic solution to protect the digital way of life by safely enabling applications and preventing known and unknown threats across the network, cloud and endpoints. For more information on the next-generation security platform visit here.
Healthcare organizations are targeted by some of the most advanced cyber adversaries and malware. The newest release of the Palo Alto Networks Next-Generation Security Platform, PAN-OS 8.0, is now available and introduces new features and enhancements that will help stop advanced cyberthreats within healthcare organizations. I’ll outline a few of them here:
1). New credential theft protection: You can now detect phishing attacks and choose to block or allow your users from submitting their credentials to websites based on the site’s URL category. There are four new features that safeguard enterprise credentials that provide an entry point for attackers to access your healthcare network.
Feature 1: Administrators can prevent users from submitting enterprise credentials to malware and phishing sites.
Feature 2: Administrators can prevent users from submitting enterprise credentials to unknown sites. Let’s say, for example, that one of your users received a convincing phishing email that encourages them to log in to a phishing website that’s just been created solely to target your healthcare organization. The site would be categorized as “unknown” in the URL filtering capability of the Next-Generation Firewall, since it was just created. The new credential theft protection in PAN-OS 8.0 would detect that an internal user is attempting to post their enterprise credentials to a site categorized as “unknown” and block it.
Feature 3: Administrators can explicitly enable users to submit credentials to specific external corporate sites.
Feature 4: The WildFire phishing verdict now classifies phishing sites, sites disguised as legitimate websites that aim to steal sensitive information, separately from malicious sites. The newly‐discovered phishing sites that WildFire identifies are also rolled into the PAN‐DB URL category for phishing every five minutes, which enables you to block access and corporate credential submissions to phishing sites.
2). WildFire makes malware evasion more difficult: WildFire now runs on an all-new custom hypervisor. Adversaries have perfected anti-analysis techniques to evade detection. This makes working on evasion techniques highly profitable for cybercriminals because they can be used to target a wide variety of systems. WildFire now runs on an all-new custom hypervisor to analyze and prevent the most evasive threats, making the business of anti-analysis techniques financially unfeasible.
WildFire now offers bare metal analysis: Malware has become increasingly adept at recognizing when it is being analyzed in a virtual environment and attempts to prevent further analysis. WildFire now adds an advanced bare metal analysis capability, allowing detection and analysis of even the most evasive malware.
3). MineMeld is now integrated into AutoFocus: Previously a separate (free) add-on, MineMeld is now natively integrated into AutoFocus. This empowers AutoFocus with the ability to consume multiple external threat feeds and automatically convert any third-party threat intelligence into enforceable prevention (aka blocking) at the next-generation firewall. This is really powerful because in most security architectures, even outside of the healthcare industry, it was not technically possible to automatically create block rules on your firewall based on incoming threat intelligence subscriptions. Now you can.
4). WildFire now automatically generates C2 signatures: Not only are we able to automate the detection and blocking of command and control (C2) URLs in this release, but we are also able to automate the detection and blocking of “payload-based” C2 signatures. This was previously performed manually by a team at Palo Alto Networks. Where previously the team created dozens of C2 signatures based on malware seen in WildFire over the course of a few days, now WildFire automatically enables the creation of thousands of signatures. This means it’s even more likely that a C2 URL in that phishing email one of your doctors received this morning will be blocked automatically.
5). Panorama is now significantly faster and offers flexible log ingestion: Panorama has an improved log query and reporting engine to enable a significant improvement in reporting and log querying capabilities. The log storage format is revamped, and on upgrade, your existing Panorama logs can be migrated to the new format. You can also import logs from other sources, starting with Traps advanced endpoint protection, for better correlation, visibility and control across the platform.
6). New VM-Series models offer wider deployment flexibility: The VM-Series virtualized next-generation firewall has been optimized and expanded to deliver App-ID enabled throughput that ranges from 200Mbps to 20Gbps across five models, both of which are industry-leading metrics. The VM-Series models include:
The new VM-50 is optimized to consume minimal resources yet deliver up to 200Mbps of App-ID enabled firewall performance for customer scenarios that range from virtual clinic/customer premise equipment (CPE) to high-density, multi-tenancy environments.
The VM-100 and VM-300 have been optimized to deliver 2x and 4x their existing performance with 2Gbps and 4Gbps of App-ID enabled firewall performance for hybrid cloud, segmentation, and internet gateway use cases.
The new VM-500 and VM-700 deliver an industry-leading 10Gbps to 20Gbps of App-ID enabled firewall performance respectively and can be deployed as network functions virtualization (NFV) security components in fully virtualized data center and service provider environments.
And those are just some highlights. There are many more improvements and new features in PAN-OS 8.0 that I didn’t list here, but these are the top ones that I think will directly benefit healthcare organizations.
As the business benefits from technology grow rapidly, so do related risks.
The ability to communicate and interact with remote stakeholders seamlessly requires points of entry into the enterprises network that would otherwise not be present. Such entries could result in vulnerabilities for organizations that should be identified and assessed. In like manner, the identification and assessment of threats that could potentially exploit such vulnerabilities is also necessary. Once there has been sufficient analysis of the potential risks, the enterprise must decide how to respond to them.
Business leaders have a heightened awareness of the existence of cyber risks due to frequent news reports of attacks affecting all sectors, including the government. Thus, we are starting to see significant investments in countermeasures designed to respond and mitigate risks to protect the assets of the enterprise.
The real question is, are the investments appropriate. Studies show most boards of directors and senior management are not educated enough in cyber security to make sound business decisions in this area. However, in most organizations, these are the individuals with the authority to make decisions when it comes to a significant investment in resources. A main goal of most enterprises is to make money and reduce costs. Therefore, the natural question is what will be the return on investment. This is where the audit professional comes in, which includes the audit committee of the board of directors. It is the role of audit to educate those responsible for the protection of the company’s assets on the need for effective and efficient cybersecurity controls.
It is important to note it is management that bears the responsibility of implementing controls to protect the assets of the enterprise. Audit is responsible for determining if controls are in place and whether the controls’ design will be effective in mitigating the risks associated with the asset. Of course, the ultimate goal is to prevent an attack or breach from occurring. Common controls implemented in an effort to prevent this includes authentication techniques such as passwords or biometric technology.
An auditor evaluating such controls usually determines if a password management policy exists and if there is required password syntax in place, as well as periodic password changes and automatic account lockouts after a pre-determined number of failed login attempts. Firewalls also are common. The existence, type and placement of a firewall in a corporate network is important when evaluating these controls. The auditor will also spend some time with the firewall administrator to understand the firewall rules and if they are based on an overall firewall policy. These are just two of many possible controls that may be in place to prevent attacks.
However, controls, as we know, can be circumvented, which is why there are preventative, detective and corrective controls. The hope is management has done a good job in implementing effective and efficient controls in each of these areas.
Ultimately, the audit professional produces a report reflecting its opinion of the effectiveness of the control environment based on the objective and scope of the audit. It is also common for the auditor to provide recommendations regarding how to improve the controls to better protect assets. It is important for auditors to also be proficient in articulating the potential consequences of ineffective controls and the impact it has on the assets of the organization.
Organizations are understandably concerned about how difficult and time consuming it is to find quality cyber security talent. While the fundamental causes of this skills crisis will take time and sustained focus to effectively address, there are steps that organizations can take in the short term to better position themselves to deal with their challenges.
In ISACA’s State of Cyber Security 2017 study, 37 percent of respondents say less than one in four applicants are qualified for jobs, while only 59 percent of organizations receive at least five applicants for open cyber security positions. Consider a Glassdoor survey that found most corporate job openings draw 250 applicants, and the scarcity of qualified cyber security professionals becomes all the more striking.
Until the pipeline of qualified applicants can be more adequately filled, organizations will need to be creative, resourceful and resolute in their pursuit of cyber security talent.
That includes placing heavy emphasis on grooming and retaining existing talent through a defined program of training and skills refresh. Investing in professional development and technical upskilling are among the ways to incentivize employees to stay, and job rotations – which round out employees’ skill sets and ward off the frustration that comes with repetitive tasks – can be another effective tactic. These retention efforts are critically important, as allowing cyber security professionals to walk out the door, given how difficult they are to replace, often becomes a crippling setback.
Hiring from within is another approach that is a necessity for many organizations. Given the shortage of qualified cyber security professionals, grooming employees with related skills – such as application developers, data analysts, and network specialists – is a sensible and effective way to fill crucial gaps. Many employees with these tangential skills are interested in learning more about cyber security and applying their skills in new areas, so this approach can be a win-win scenario for professionals and their organizations.
Among the study’s respondents, 55 percent noted practical, hands-on experience as the most important security qualification for cyber security candidates. The ability to demonstrate those capabilities – such as though ISACA’s Cybersecurity Nexus Practitioner (CSXP) certification – provides measureable credibility to employers, but there are additional considerations that should not be overlooked when pursuing cyber security talent.
The cyber security community is relatively small and tight-knit. In a landscape where hiring talented cyber professionals is so difficult, drawing upon industry contacts and personal networks for recommendations can be essential to both find and vet quality candidates. Identifying the right educational backgrounds also should not be discounted, as many hard-to-find skills, such as malware analysis or management of a security program, would benefit from computer science or business degrees, respectively.
The State of Cyber Security Study 2017 shows the immense amount of long-term work ahead, but organizations dealing with urgent cyber security threats now must be proactive and strategic to make the best of a challenging workforce landscape.
Eddie Schwartz, EVP Cyber Services, Dark Matter, LLC, and ISACA Board Director
