EDR is dead! Long live XDR!

Endpoint detection and response (EDR) has been an important technology for security professionals as they attempt to find suspicious activity, or at least traces of it, on endpoints and hosts. Cybersecurity itself is as old as computers, but the EDR segment is still in its infancy with the first solutions dating back only about five years or so.

The technology works by monitoring the endpoint and then storing the data in a centralized repository where analysis can be done to detect a threat. Typically, EDR solutions require a software agent to be installed on the host system to provide the data used in monitoring and reporting.

EDR has been critical for advanced protection, as more threats are being directed at the user. In fact, one of the industry’s leading penetration testers recently told me that he can normally breach an organization within an hour by attacking the user and compromising the endpoint. Also, Windows is still the most widely used operating system in the business world, and many of its internal features are used by threat actors to breach that computer and others.

So, if EDR is so integral to threat protection and provides so much value, why am I proclaiming EDR dead? Is that crazy?

As valuable as EDR has been, it provides a very narrow view of the world. It’s akin to looking out a porthole on a ship where one sees only a slice of the horizon. To determine what the weather is like, if there are islands around or if there are passing ships, one would need to be on the bridge to get an overall view.

EDR is narrowly focused

EDR is too narrowly focused, as it provides a view of only the endpoint. It’s time for EDR to give way to XDR where X is a far broader set of data that includes endpoint, as well as cloud, threat intelligence, network data, logging information and possibly even community data. This certainly isn’t meant to be an exhaustive list of data feeds into XDR, but rather serves to highlight the point that more sources of data from more enforcement points lets the security team and technologies find more threats faster, and then block them.

It’s like being on the bridge of a ship and being able to see everything at once. The difference is that XDR brings into view all elements of an attack, not just those found on a single endpoint, it adds the analytics that are required to interpret the data across different data sources, and it makes more efficient use of security analysts’ time in investigations.

XDR sees everything

Because XDR solutions have an understanding of the enforcement points, they can respond and block the threat faster and across a wider range of vectors, not just the endpoint. With EDR, the endpoint may highlight a breach, but the only thing known is what occurred on that endpoint. The solution can see what occurred on the endpoint and then pivot to another endpoint to evaluate it, but if the source is external, EDR wouldn’t help, because the endpoint data would not reveal anything and EDR is blind to network data.

What’s required is visibility into the network portion of the threat and the link between the different stages of the attack. For example, something showing that administrator credentials were stolen off server A and then those credentials were used to infiltrate server B.
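The server A to server B linkage described above, as an added example that is not part of the original article: a small correlation routine that joins an endpoint credential-theft alert with a separate authentication log to reconstruct the chain EDR alone cannot see. Event formats, hostnames and timestamps are constructed for illustration.

```python
"""Cross-source correlation: endpoint alert + authentication log -> attack chain.
Added example, not code from the article. The telemetry below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    source: str                      # "edr" (endpoint agent) or "auth" (server auth log)
    host: str                        # host the event was recorded on
    kind: str                        # e.g. "credential_dump", "logon_success"
    account: Optional[str] = None    # account involved, if any
    src_host: Optional[str] = None   # for logons: where the session came from


# Constructed sample telemetry. The EDR feed only knows about server-a;
# the auth feed only knows that "admin" logged on to server-b from somewhere.
EDR_ALERTS = [
    Event(datetime(2018, 6, 14, 9, 2, 11), "edr", "server-a", "credential_dump", account="admin"),
    Event(datetime(2018, 6, 14, 9, 40, 0), "edr", "server-c", "suspicious_macro"),
]
AUTH_LOGS = [
    Event(datetime(2018, 6, 14, 9, 17, 45), "auth", "server-b", "logon_success",
          account="admin", src_host="server-a"),
    Event(datetime(2018, 6, 14, 9, 18, 3), "auth", "server-b", "logon_success",
          account="svc_backup", src_host="server-d"),
]

DEFAULT_WINDOW = timedelta(hours=4)   # assumed: how long a stolen credential stays "hot"


def link_theft_to_reuse(edr: List[Event], auth: List[Event],
                        window: timedelta = DEFAULT_WINDOW) -> List[Dict]:
    """Return one chain per credential-theft alert on host A that is followed,
    within `window`, by a successful logon on a different host B where the
    session came from A and used the same account."""
    chains = []
    thefts = [e for e in edr if e.kind == "credential_dump" and e.account]
    for theft in thefts:
        for logon in auth:
            if logon.kind != "logon_success" or logon.account != theft.account:
                continue
            if logon.src_host != theft.host or logon.host == theft.host:
                continue
            if not (theft.ts <= logon.ts <= theft.ts + window):
                continue
            chains.append({
                "account": theft.account,
                "stolen_on": theft.host,
                "used_on": logon.host,
                "delay_min": round((logon.ts - theft.ts).total_seconds() / 60, 1),
            })
    return chains


def enforcement_points(chain: Dict) -> List[str]:
    """Map a chain to the response points the article says XDR should act on:
    the identity that was stolen, the source host, and the host it reached."""
    return [
        f"identity: reset and revoke sessions for {chain['account']}",
        f"endpoint: isolate {chain['stolen_on']} (credential theft origin)",
        f"endpoint: triage {chain['used_on']} (credential reuse target)",
    ]


if __name__ == "__main__":
    for chain in link_theft_to_reuse(EDR_ALERTS, AUTH_LOGS):
        print(chain)
        for action in enforcement_points(chain):
            print("  ->", action)
```

Run against the constructed feeds this yields a single chain (admin stolen on server-a, reused on server-b about 15 minutes later); shrinking the window to five minutes yields none, which is the tuning knob an analyst would adjust.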

XDR can trace threats back to their source

With XDR, the system is able to better trace the bad traffic from where it was discovered, reconstructing the attack. This helps the security team better understand what happened, determine where it happened, and respond at the best possible enforcement point (or points if there are multiple ones). Without that, all one knows is that an attack occurred and a single endpoint is involved. Using the ship metaphor, water in the bottom would indicate there was a leak. One could clean up the leak, but if the source isn’t known, the problem can’t be fixed.

One of the criticisms I’ve had with EDR is that it focuses largely on the detection and often doesn’t help much with the response unless you’re a specialist. With XDR, they are equal parts detection and response. Think of EDR as being big D and little r and XDR being big D and big R across all potential data sources, giving the security team a much better chance at fighting the bad guys.

In its time, EDR was a breakthrough for security buyers because it provided a way to see what was happening on the endpoint, which is the biggest attack point. Now that we live in a world where literally everything is connected, it’s important that EDR evolve into XDR so security teams can see more and block more at their source. If you’re going to commit the budget and time of your security team, why restrict them to endpoint?

CSO

Source: https://www.csoonline.com/article/3301893/endpoint-protection/edr-is-dead-long-live-xdr.html

The First 101 Days as a New CISO – A Chief Information Security Officer’s Playbook

If you are a new CISO or starting a new Security Leadership gig, your first few months on the job are critical to your ongoing success in your new role. In the first few months you’ll be judged, tested by your organization and staff, and put on a “stage” to perform in front of your C-Level peers. The precedent you set and first impression in your first 101 days will dictate how your organization perceives you and whether your tenure is marked by overcoming early mis-perceptions or you get a “hall-pass” to do all the good things you were originally hired to do.

This is the New CISO’s Playbook and some initiatives that will help you be successful in the first 101 days in your new role.

Days 1-10

Start to get your arms around your Information Security Program.

As you would expect, the first thing to start doing is taking an inventory of all the pieces of your Information Security Program. This includes direct and dotted-line Information Security Staff and their responsibilities, what program capabilities are in place and, if possible, how mature those capabilities are, and any available metrics on department performance. It’s critical that you at least start to take a cursory program-level inventory of services in your first week, because as you meet with other Business Unit leaders in the coming weeks you can start formulating a more robust and relevant Information Security Program and Strategy.

Get to know colleagues.

This is an important step in kindling great relationships. If you have been promoted into your role, this is a good opportunity to attempt to recover difficult working relationships from days past. If you are new to your Company, as you have these relationship-building discussions it’s important not to pass judgment on anything you hear, since you might not know the political underpinnings of the information that’s being shared. Use this time to build political capital by listening to your colleagues, displaying empathy, and most importantly gathering their goals and objectives so you can help them be successful when you build your Information Security Roadmap and Strategy.

Hold a Department Meeting.

This is a must-do! Your team might be apprehensive about having new leadership and how your strategy and management style will affect their jobs. Give everyone a chance to talk and ask questions. Be sure to listen, express empathy, and advise that you are still gathering information and not ready to make any decisions. Most importantly this is a good opportunity to demonstrate everyone is on the same team with a common goal.

Review Budget and Associated Metrics.

In the course of understanding your Information Security Program, also spend some time dissecting your budget, breaking down Capital and Operating Expenditures. The question might come up in the next couple of weeks about the financial footprint of the Information Security team. If a lot of Security or Compliance spending has taken place before your arrival as CISO, the question might be asked whether capital expenditures can be reduced. If you are building the Information Security function for the first time in the history of your company there might be less attention on spending, as an initial capital spend is expected; however, it might be good to begin political posturing to appropriately set expectations if you think a lot of spending might be required. Also use this time to find a financial analyst to assist in budget formulation and help you communicate using a common definition your CFO understands.

Let people know you exist!

Information Security is pervasive to an organization–it requires that you interface with many different departments, not just IT. Putting people on alert and driving awareness of your role will give people an invitation to reach out and discuss security topics, concerns, or just open a communication thread. Reaching out early helps to reinforce that you are an approachable person within your organization.

Days 11-20

Queue up an Information Security Assessment.

At the beginning of your third week, queue up an independent Information Security Assessment. Depending on the purchasing requirements of your company, coordination of the assessment could take a few weeks, and scheduling an assessor can require lead time. This should be an assessment of your Information Security Program, not just a Penetration Test or Vulnerability Assessment. Find a quality Information Security Assessor (such as NuHarbor Security) who can review your overall program posture using a framework such as ISO27001. You would be well served to find a seasoned Information Security assessor who can measure the ISO27001 controls in a business context so you can gain an accurate read on business risk and appropriately prioritize remediation plans.

Hold One on One Meetings with your team.

Begin to meet with members of your team. Start with your direct reports first before making your way through your organizational structure. If your organization is so big you cannot talk with everyone, then definitely make some time to talk with front-line Security Staff, even if it means skipping the middle management tiers. Your front-line staff are the individuals who see issues and deal with problems, and as problems are escalated from the front lines up, the message can get filtered–so for a candid view of the challenges your security organization faces, be sure to talk to or survey your front-line team. During these meetings with your team you can and should be building political capital and trust within your organization. Ask for informed, fact-based opinions, what the department risks are, and seek their opinion as to how risks can best be mitigated. You can also use these meetings to establish your approachability by actively soliciting their feedback.

Begin to Understand what projects or initiatives will be active in 6 Months’ time.

Time permitting in your busy third and fourth weeks, start to understand new company initiatives or projects that might be active in six months’ time. The idea is that these will be the emerging projects and initiatives you will be dealing with once you are fully oriented in your new position, and starting to gather a strategy will help you be purposeful in your first 101 days and ensure your success on those projects or initiatives. Starting this process now will give you some context when you begin having one-on-one meetings, but it will also give a glimpse of what members of your team are already planning six months out, and how they are tracking risks associated with these initiatives.

Days 21-30

Prepare Steering Committee Materials.

By this point you’ve been in your position for a few weeks; if you have a Security Steering Committee you should begin preparing materials and framing what the first meeting agenda should be. If you are inheriting an existing committee this can be a tricky proposition, because it’s critical you get the first meeting right and start off the relationship on the right foot; the complexity of this arrangement can be amplified if you have the wrong stakeholders involved in the meeting (i.e. the committee members aren’t at the right level in the organization). If you find yourself dealing with a low-level Security Steering Committee, you should pause and critically evaluate whether you want to “start over” with the committee–politically speaking it might be easier to dissolve legacy committees and spend time amassing political capital to build a new one. If you find yourself in this position, the step of meeting with the Security Steering Committee comes much later in your first 101 days. If you are starting a new Security Steering Committee for the first time, in addition to framing the agenda and first meeting format you should also be considering and actively selling the position to the committee members you would like to participate.

Hold One on One Meetings with Business Leaders.

Start meeting with peers and Business Unit Leaders. The relationships you begin to form here will be critical to your ongoing success. In addition to gaining the trust of your company’s Business Leaders, you should also begin learning what their goals and objectives are. It’s important to gather this information and ingest it into your strategic plan and strategic roadmap. This information will help to ensure your Information Security goals and initiatives directly correlate to business objectives. During this meeting also gather their advice on how the Security team can help.

Begin participation in Information Security Projects.

At this point you should have an inventory of active Information Security projects. Based on your emerging workload, pick some of the most important and strategic security projects to participate in. As you participate, keep in mind your position and the granted credibility that comes with being a CISO. If you participate too actively you may inadvertently take over the project and accidentally derail progress. Establish some personal guidelines for yourself as you operate in these meetings: focus on steering the project and adding value or suggestions that might improve the project. Otherwise be a mentally and physically present tie-breaker when collaboration ends in a stalemate, encourage and motivate the team, and at the end of the day your presence in the meeting will lend credibility to the project.

Days 31-40

Review the Operational Security Budget.

Hopefully you were able to obtain a good understanding of your budget in the first couple of weeks (Days 1-10). Now that you have a solid month under your belt, you should be able to start answering specific questions about your budget and how spending is improving the program. By now you should also have recruited a financial analyst to help with your budget, develop ROI metrics, and start developing metrics to show how you are improving the fiscal posture of the Information Security Program.

Establish a Program Vision.

It’s doubtful you’ll have your full vision formalized by this point, but if you do it will help shape the conversations you are about to have in the coming weeks. Following your conversations with business leaders from the previous weeks, you should begin to have a picture of what success looks like and how to help your company deliver on strategic goals and initiatives. While your vision might not be formalized, you’ll have plenty of time to firm up your goals in the coming months. Consider this step a prerequisite to developing an overall strategy for your Information Security Program.

Take Inventory of the Security Team Skill Sets and Establish Development Plans.

In talking with your team, holding one-on-one meetings, and observing the performance of your team members, collect an inventory of skills. This inventory should include technical and soft skills. Soft skills are a little harder to articulate and measure, but there are tested frameworks such as Lominger that can help to measure soft skills. In the course of developing a staff development plan, give some consideration to what your employee wants in their career; the employee’s career aspirations will drive their skills development. In this role you should act as advisor and motivator: the act of developing a plan should be driven by the employee, and they need to be invested in the process to feel motivated to improve. Under-performing employees or employees with a negative attitude can perpetuate bad feelings among the team–and you owe it to your top performers to fix this ASAP. Also, don’t spend all your time on the under-performers; each team member should receive equal attention. This might be one of the most important tasks that you complete. Spend some time here and get this right.

Begin your Information Security Assessment.

This should be an independent review of your Information Security posture. While you might be qualified to do the assessment yourself, you should resist the temptation to do so. There’s an opportunity cost in doing the assessment yourself, and the opportunity cost is all the program and relationship development you should be doing instead of the assessment. Additionally, the independent lens of someone impartial and removed from the organization will add to the credibility of any findings. During this assessment it’s critical, as always, to partner with your independent Information Security Assessor and guide them to ensure you get the results and quality you are looking for. Since the assessor is more than likely new to the organization, helping them think in the right business and security context will help to ensure an accurate measure of risk. An information security assessment without business context is just a gap assessment, not a risk assessment. A risk assessment is needed so you can begin to prioritize which remediation efforts to tackle first. Depending on your corporate purchasing processes a day 31-40 start time might be unrealistic, but this assessment should be performed as soon as possible. This is a prerequisite to formalizing your Information Security Program Strategy.

Days 41-50

Write or review the Information Security Charter.

Ideally you want your charter approved by the CEO and Board of Directors, so it should be written at a high enough level that it encompasses all of your mission and objectives but still provides enough detail that you can translate the charter into an operational plan. If your CEO and Board of Directors take an interest in this document, it’s worth taking the time to get it right the first time, because each edit and change will need to be “re-approved” by the CEO and Board of Directors. Alternatively, many CISOs have their charter approved by their Security Steering Committee. If you are inheriting an existing Information Security Charter, this is a good opportunity to review the Charter and make any changes or modifications you require.

Appoint team leaders.

By now you’ve been able to observe the performance of your team for the past couple of months, and hopefully you have some obvious stand-out leaders. Considering your Information Security Program strategy and the direction you want to take the program, you need to start putting the right team in place to ensure delivery of that Strategy. The strength of the leaders you select should drive the autonomy you afford them. Junior leaders might need a little more structure with work plans and project reviews. More Senior Leaders will be able to work autonomously and help you coach and provide oversight to Junior Leaders.

Be visible in established Security Projects.

Whether you inherited a list of Security Projects or are getting ready to kick off your own, you should judiciously select a couple of projects to participate in. This will help to ensure projects stay on track, or help an existing stalled project get back on track. Plus, while ramping up in your new role this will allow you to gain some credibility with your team and show you’re there to help them be successful. You have to be careful not to overstep your role and responsibility on the project, because depending on your background and expertise you don’t want to be perceived as taking over the project from your team. Also, your role on the project should be a consensus builder, not a C-Level overriding vote. There will be times when you need to pull out your “CISO card”, but that should be only in dire circumstances; your modus operandi should be using your excellent communication skills to get everyone on the same page and build consensus within the teams.

Days 51-60

Review Budget for Second Month.

Review your budget again; by now you might be seeing trends in your expenditures. You should have enough information by this point to start making informed decisions about top expenditures. Also, now that you’ve met with your team about development plans, there might be some members of your team to whom you can delegate budget monitoring responsibilities.

Meet with Information Security Steering Committee or Board of Directors.

If you operate with an Information Security Steering Committee then you have flexibility as to when this meeting is scheduled, because you drive the agenda and timing. Alternatively, if you have an opportunity to meet with the Board of Directors you have to work around their schedule and agenda. Depending on when the Board of Directors meeting falls on the calendar and how it aligns with your employment start date, it might make sense to skip presenting at the first Board of Directors meeting so that your first impression with the Board of Directors is strong, fact-based, and value-adding to the overall business strategy.

Obtain approval for your Security Charter.

In previous weeks you published a new charter or edited an existing charter. Now it’s time to get it approved. The timing of when the approving body meets, whether the Information Security Steering Committee or the Board of Directors, will drive when and how this task is completed. Before requesting formal approval of the Information Security Charter you should make sure you have buy-in from the appropriate reviewers. This will help to grease the skids of the approving body and ensure a smooth approval process.

Form Security Awareness team.

This might be the most overlooked task in most CISOs’ Information Security Playbooks. It’s fairly challenging to continually develop new and engaging Security Awareness ideas, content, and dissemination schemes. It’s common for a CISO to tag their marketing department to develop creative content and fresh ideas for delivery. It is recommended you enlist any and all help you can get from creative marketing teams. Everyone on the Information Security team has a responsibility to take up the Security Awareness flag and take a turn disseminating a Security Awareness message. There are many avenues by which this can be completed, but at a minimum everyone on the team should have an obligation to deliver training at least once a year.

Days 61-70

Formalize your Information Security Program Strategy.

Four months to develop a strategy might seem like too long, but considering your prerequisites of developing your vision (figuring out how good you want your Information Security Program to be) and completing your Information Security Assessment (figuring out how good your Information Security Program is today), you’ll need some time to put all these data points together. Your strategy should ultimately be your roadmap to delivering your program. Some ingredients of a successful Information Security Roadmap and Strategy include:

  • a maturity model for each competency you plan to develop in-house,
  • consideration of how/if a Managed Security Service Provider (MSSP) helps you mature quicker for less money,
  • fiscal capital costs to develop a competency and how the investment improves the maturity of the program,
  • fiscal operational costs to develop a competency (headcount, etc) and how the investment in staff and operations improves the maturity of the program.

It’s important to remember that Information Security is a Risk Management exercise, and mitigating Information Security risks costs time and money. In some cases it might make sense to mature an Information Security competency to 90% of the potential capability, because the additional 10% improvement might be cost prohibitive. Developing this Information Security Roadmap and being purposeful about investment and return on investment will help gain traction for your future budget. If you’re looking for assistance or a sounding board on your strategy, NuHarbor Security can assist.

Identify Objectives for your Information Security team.

Once your Information Security Strategy is complete (or currently in development), you should begin developing your Annual Information Security Playbook. This Playbook should outline how your Information Security team delivers on your strategic Information Security objectives for the year. The projects you assign your team members to in the Playbook should tie to professional development plans. Your Information Security Playbook can also be a mechanism by which to hold people accountable for the work they perform.

Days 71-80

Monitor your Information Security Program Delivery.

Based on your Information Security Program Strategy and your Information Security Playbook, you have a solid platform from which to track progress on your strategic deliverables, the tasks that are on track and those that are falling behind. Given all the work you’ve put in to date, you now have a good mechanism to measure your program and, more importantly, an early warning system for when your Information Security Program begins to deviate from the plan. This can be used as a component of your overall Information Security Governance processes.

Days 81-90

Continue monitoring Information Security Program Delivery.

Depending on the number of initiatives you have in your Information Security playbook and the number of Senior Team Leaders, you might need to jump in to help Junior Leaders get started and gain traction.

Present at an All-Company Meeting.

If you have the opportunity to do so, you should take advantage of an All-Company meeting to talk about the Information Security program, what to expect, and how to engage with the Information Security team. The sooner you can get onto the agenda to present, the better, but when you do talk, hopefully you’ve had enough time in your role to form some contextually relevant material about your vision and how Information Security can help your business succeed in its goals and objectives. While everyone on the Information Security team has an obligation to perform or deliver some level of Security Awareness, this is your opportunity as CISO to do your part toward Security Awareness and share the Information Security brand with your company.

Days 91-100

BCP/DR Planning.

If you have responsibility for Business Continuity Planning and Disaster Recovery, it is time to look into performing or refreshing your Business Impact Analysis (BIA) for Business Continuity Planning (BCP). The size of your business and the Executive support you receive will drive the level of effort required here. In other words, if you need to convince other executives to “give up” resources to help with BIA and BCP efforts, then it might take a little longer to complete this effort. However, while you organizationally and politically posture your BIA and BCP efforts, you can start to collect your asset inventory for the complementary Disaster Recovery (DR) efforts.

Day 101

Enjoy a celebratory beverage!

You’re on your way to building a top-notch Security Program. By this point you’ve completed some significant tasks including:

  • completed an Information Security assessment of your Organization,
  • built solid working relationships with your Business Peers,
  • improved on your Information Security budget,
  • developed staff development plans for your Information Security staff,
  • completed an Information Security Strategy and Plan, and operationalized an Information Security Playbook,
  • established a great working relationship with other Executives and the Information Security Steering Committee or Board of Directors.

You have built a solid foundation for your Company’s Information Security program and you’ll be well served for future growth with the ability to recruit and retain top talent.

By: Justin Fimlaid

Source: https://www.nuharborsecurity.com/first-101-days-new-ciso-chief-information-security-officers-playbook/

Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7

Executive Summary

In Q2, the United States was number one for hosting malicious domains and exploit kits.

Unit 42 regularly analyzes statistical data from our Email Link Analysis (ELINK) to understand the patterns and trends in current web threats. This blog outlines our analysis for April – June (Q2) 2018 and follows up our previous blog analyzing web-based threats for January – March (Q1) 2018 that can be found here. We also provide detailed analysis of attacks against CVE-2018-8174 (a vulnerability we discuss below) using the Double Kill exploit.

What we found this quarter was that the vulnerabilities under attack remained consistent, including very old vulnerabilities. One new vulnerability, used in zero-day attacks, rocketed to near the top of the list.

The United States remained the number one hoster of malicious domains, with a marked increase in the Netherlands as well. Outside of these two countries, hosted malicious domains dropped markedly across the globe, including in Russia and China.

The United States was also the number one hoster of exploit kits (EKs) globally, by a more than two-to-one margin compared with the number two country, Russia. In fact, the United States alone accounted for more EKs globally than all other countries combined. KaiXin, Sundown, and Rig exploit kits remained active from Q1 to Q2. We saw a significant difference in regional prevalence, with KaiXin found primarily in China, Hong Kong and Korea, and Grandsoft (a newly emergent EK), Sundown and Rig prevalent everywhere else.

Based on our findings, our guidance is for organizations to focus on ensuring Microsoft Windows, Adobe Flash and Adobe Reader are fully up to date with the latest versions and security updates. In addition, organizations should look at using limited-privilege user accounts to limit the damage of malware. Finally, protections against malicious URLs and domains, and using endpoint security to prevent malware such as exploit kits, can all help with the threats outlined in this posting.


Key Takeaways:

  • Malicious Hosted Domains
    1. The United States remains the number one country for hosting malicious domains.
    2. Overall, except for the Netherlands, the number of malicious domains hosted outside of the United States was significantly smaller than we saw in Q1.
    3. We saw a significant increase in malicious domains hosted in the Netherlands.
    4. We saw significant decreases in malicious domains hosted in Russia and China dropping both to be tied at number 7 on our list.
    5. While we saw a significant decrease in malicious domains hosted in Hong Kong, it remained the third largest hoster of malicious domains.
    6. Australia moved to number four on the list, but the increase wasn’t significant.
    7. The number of malicious domains hosted in Germany dropped by over half.
    8. The number of malicious hosted domains in the United Kingdom and Italy was unchanged. However, due to the overall decline outside of the United States and the Netherlands, they actually moved from being tied at number 3 to number 6.
  • Vulnerabilities
    1. A new vulnerability is aggressively used.
      • CVE-2018-8174, a Microsoft VBScript vulnerability that was used in zero-day attacks and patched in May, has been aggressively used in web-based attacks this quarter.
    2. Very old vulnerabilities are still useful.
      • CVE-2009-0075, a nine-and-a-half-year-old vulnerability Microsoft Internet Explorer 7 vulnerability was in our top five list last quarter and is number four this quarter.
      • CVE-2008-4844, another nine-and-a half vulnerability affecting Microsoft Internet Explorer 5, 6 and 7 is number five this quarter.
    3. Vulnerabilities under attack remain consistent.
      • Four of our top five this quarter were in our top six list last quarter (CVE-2016-0189, CVE-2014-6332, CVE-2009-0075, and CVE-2008-4844)
  • Exploit Kits
    1. The United States was the number one source for Grandsoft, Sundown, and Rig and the number two source for KaiXin, making it the number one source for exploit kits globally. In fact, the US accounted for more than twice as many exploit kits as the number two country, Russia.
    2. Russia was number two globally, exclusively for Grandsoft, Sundown and Rig.
    3. KaiXin showed up primarily in China, Hong Kong, and Korea, with limited distribution in the United States and the Netherlands.
    4. Consistent with other findings in this report, the Netherlands came in at number 5 on our list, primarily for Grandsoft, Sundown and Rig but also for KaiXin.
    5. Australia came in at number 6 on our list. Interestingly, even though KaiXin was prevalent in the APAC region, there were no instances of KaiXin in Australia, only Grandsoft, Sundown and Rig.
    6. KaiXin, Sundown, and Rig were consistently in use across Q1 and Q2.
    7. Sinowal which we tracked in Q1 disappeared this quarter.
    8. Grandsoft is a new entry this quarter.

 

Analysis

Vulnerabilities (CVEs)

In the second quarter of 2018 we observed 6 different CVEs being exploited. Table 1 below shows the top three CVEs for the first and second quarters of 2018.

Rank   1st Quarter 2018                                   2nd Quarter 2018
1.     CVE-2014-6332: exploited by 774 malicious URLs     CVE-2016-0189: exploited by 472 malicious URLs
2.     CVE-2016-0189: exploited by 219 malicious URLs     CVE-2018-8174: exploited by 291 malicious URLs
3.     CVE-2015-5122: exploited by 85 malicious URLs      CVE-2014-6332: exploited by 67 malicious URLs

Table 1. CVE comparison between the first and second quarters of 2018

The chart below shows the CVEs and number of URLs seen leveraging the respective CVEs.

 

Figure 1. CVE distribution graph

Compared to the data observed in the first quarter of this year, several CVEs have changed positions in the ranking by URL count.

CVE-2014-6332, a four-year-old code execution vulnerability in Microsoft OLE Automation fixed by MS14-064, dropped significantly in the second quarter, from first place with 774 malicious URLs to third place with 67.

CVE-2015-5122, a three-year-old code execution vulnerability in Adobe Flash Player, first addressed by the emergency advisory APSA15-04 and then fixed by APSB15-18, was number three last quarter but dropped off the top six entirely this quarter.

CVE-2016-0189, a two-year-old scripting engine vulnerability affecting Microsoft Internet Explorer as well as JScript and VBScript, fixed by MS16-051 and MS16-053 respectively, moved to number one, more than doubling from 219 malicious URLs in the first quarter to 472 in the second.

Of particular note is CVE-2018-8174, a code execution vulnerability in the Microsoft VBScript engine that was detected in zero-day attacks and patched by Microsoft in May 2018. The vulnerability wasn't publicly known until the second quarter, and attackers clearly took it up quickly: it was number two on our list for the quarter, exploited by 291 malicious URLs.

To shed more light on this CVE, we investigated an active exploit dubbed Double Kill, which we discuss in the case study section below.

Finally, we should note again the presence of CVE-2009-0075, a February 2009 vulnerability in Microsoft Internet Explorer 7 fixed by MS09-002, and CVE-2008-4844, a vulnerability in Microsoft Internet Explorer 5, 6 and 7 fixed by MS08-078. These two roughly nine-and-a-half-year-old vulnerabilities continue to be useful to attackers: they were numbers five and six on our list last quarter and are numbers four and five, respectively, this quarter.

The net lesson from this quarter's statistics is that both very old and very new vulnerabilities prove useful. There is also a steadiness to the vulnerabilities attackers favor, since four of the top five this quarter were in use last quarter. The fact that number two on our list is a new vulnerability, addressed only in May and used in zero-day attacks, also tells us that attackers move quickly to adapt their attacks to vulnerabilities shown to be effective.

The continued use of the two nine-and-a-half-year-old Internet Explorer vulnerabilities also tells us that Internet Explorer 7 and earlier are still in use, unpatched.

 

Domains/URLs

Domains

We observed 440 malicious domains serving exploits for the aforementioned CVEs. The distribution by country and region is below:

Q2 rank     Country/region      Domains in Q2   Domains in Q1   Q1 rank
1.          US United States    248             257             1
2.          NL Netherlands      31              13              5
3.          HK Hong Kong        9               41              3
4.          AU Australia        6               1               11 (tied)
5.          DE Germany          5               12              6
6 (tied)    GB United Kingdom   3               3               9 (tied)
6 (tied)    IT Italy            3               3               9 (tied)
7 (tied)    CN China            2               106             2
7 (tied)    RU Russia           2               20              4
8 (tied)    CA Canada           1               0               NA
8 (tied)    ES Spain            1               1               11 (tied)
8 (tied)    FR France           1               8               8
8 (tied)    IE Ireland          1               0               NA
8 (tied)    KG Kyrgyzstan       1               0               NA

Table 2. Country/region distribution of malicious domains

URLs

As far as malicious URLs go, the United States takes the lead with 495 malicious URLs and Russia is runner-up with 147. Compared to the first quarter report, malicious URLs hosted in the United States almost doubled in the second quarter, while malicious URLs hosted in Russia were almost seven times higher. The complete count for each country/region is shown below in Figure 3:

 

 

Figure 3. Malicious URLs country/region distribution graph

Exploit Kits

Of the 1373 malicious URLs in total, 1072 were serving EKs. As with the malicious domains, we were unable to discover hosting information for some of the domains because they were gone before we started research for this post, which is why Figure 3 adds up to less than 1373.

The EKs we found in our analysis this quarter were KaiXin, Grandsoft, Sundown, and Rig. Three of these, KaiXin, Sundown, and Rig, were in our Q1 report. Sinowal, which was in our Q1 report, has dropped off the list, and Grandsoft, absent in Q1, is new this quarter.

 

Rank   Country        KaiXin   Grandsoft, Sundown, and Rig   Total
1.     USA            44       252                           296
2.     Russia         0        139                           139
3.     China          47       0                             47
4.     Hong Kong      31       10                            41
5.     Netherlands    2        31                            33
6.     Australia      0        6                             6
7.     Korea          5        0                             5
       Total          129      438                           567

Table 4. Ranking of countries hosting exploit kits

The various EKs seem to target particular country or region clusters. For instance, KaiXin was reported in only 5 countries/regions (see Figure 4 below), mostly within Asia. This EK mostly leverages CVE-2014-6332.

Figure 4. KaiXin EK distribution graph

The Grandsoft, Sundown, and Rig EKs were far more visible in other parts of the world. Of the 16 countries/regions where they were seen, the United States had the highest number of malicious EK links, at 252. Second and third place were Russia with 139 and the Netherlands with 31. These EKs mostly exploit CVE-2016-0189. Figure 5 below shows each country/region and the associated numbers.

Figure 5. Grandsoft/Sundown/Rig EK distribution graph

Case Studies

Evolution of Attacks Against CVE-2018-8174

As noted in the CVE section above, on May 8 Microsoft published information and a patch for CVE-2018-8174, a Windows VBScript engine remote code execution vulnerability. It is a critical vulnerability that affects 31 Microsoft products and can lead to remote code execution. A couple of notable exploits of this CVE that we have observed are discussed in the case studies below.

Double Kill: Version 1

Unit 42 found the first active exploit in the wild on May 12, four days after the patch was issued. It is worth pointing out that it took threat actors only four days to create and weaponize an exploit after Microsoft's disclosure of the vulnerability.

The first version of the exploit did not obfuscate its HTML code, except for naming functions and variables with “I”, “1”, “l” or combinations thereof; note that two of those characters look alike, but one is an uppercase ‘i’ and the other a lowercase ‘L’. We also observed plaintext strings in the exploit: “msvcrt.dll”, “ntdll.dll”, “VirtualProtect”, “NtContinue”, and “kernelbase.dll”. Our analysis found that the exploit used msvcrt.dll to locate the load addresses of kernelbase.dll and ntdll.dll, then looked up the addresses of NtContinue in ntdll and VirtualProtect in kernelbase from their export tables. Finally, it took control of EIP to execute NtContinue, then VirtualProtect to change the memory protection to read/write/execute (RWX), and then ran the real shellcode in the last stage of the exploit, as seen here:

Figure 6. source code
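The export-table walk described above, as an added example written for this page (it is neither Unit 42's code nor the exploit's): it parses a mapped PE32 module's export directory the way position-independent shellcode does to find NtContinue or VirtualProtect without GetProcAddress, then adds the module base to get the absolute address. The module is a constructed minimal image with made-up RVAs and load address; a 32-bit image is assumed because the exploit controls EIP, and the msvcrt.dll step that locates the DLL bases in the first place is not shown.

```python
import struct

# Offsets from the PE/COFF specification for a 32-bit (PE32) image; the exploit
# controls EIP, so 32-bit IE is the relevant case.
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20            # sizeof(IMAGE_FILE_HEADER)
OPT_MAGIC_PE32 = 0x10B
DATA_DIRECTORY_OFFSET = 96       # DataDirectory[] within IMAGE_OPTIONAL_HEADER32
EXPORT_DIR_SIZE = 40             # sizeof(IMAGE_EXPORT_DIRECTORY)


def _u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def resolve_export(image, name):
    """Resolve an export by name the way shellcode does, without
    LoadLibrary/GetProcAddress: MZ -> e_lfanew -> PE -> optional header ->
    DataDirectory[0] -> IMAGE_EXPORT_DIRECTORY -> name/ordinal/address tables.
    `image` is the module as mapped in memory (so RVA == offset into it).
    Returns the RVA of the function, or None if the name is not exported."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = _u32(image, E_LFANEW_OFFSET)
    if image[pe:pe + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature")
    opt = pe + 4 + FILE_HEADER_SIZE
    if _u16(image, opt) != OPT_MAGIC_PE32:
        raise ValueError("only PE32 images are handled here")
    export_dir = _u32(image, opt + DATA_DIRECTORY_OFFSET)
    if export_dir == 0:
        return None                                   # module exports nothing
    number_of_names = _u32(image, export_dir + 24)
    address_of_functions = _u32(image, export_dir + 28)
    address_of_names = _u32(image, export_dir + 32)
    address_of_ordinals = _u32(image, export_dir + 36)
    want = name.encode("ascii") + b"\0"
    for i in range(number_of_names):
        name_rva = _u32(image, address_of_names + 4 * i)
        if image[name_rva:name_rva + len(want)] == want:
            # The ordinal table maps name index -> index into AddressOfFunctions.
            ordinal = _u16(image, address_of_ordinals + 2 * i)
            return _u32(image, address_of_functions + 4 * ordinal)
    return None


def resolve_address(image, base, name):
    """Absolute address = module load address + export RVA (what the exploit
    ultimately jumps to for NtContinue and VirtualProtect)."""
    rva = resolve_export(image, name)
    return None if rva is None else base + rva


def build_fake_module(exports):
    """Construct a minimal, spec-consistent PE32 image exporting the given
    {name: rva} entries. Test data for this example, not a real DLL."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, E_LFANEW_OFFSET, pe)
    img[pe:pe + 4] = PE_SIGNATURE
    struct.pack_into("<H", img, pe + 4 + 16, 224)           # SizeOfOptionalHeader
    opt = pe + 4 + FILE_HEADER_SIZE
    struct.pack_into("<H", img, opt, OPT_MAGIC_PE32)
    export_dir = 0x200
    struct.pack_into("<II", img, opt + DATA_DIRECTORY_OFFSET, export_dir, EXPORT_DIR_SIZE)
    order = list(exports)                                   # AddressOfFunctions order
    n = len(order)
    functions = export_dir + EXPORT_DIR_SIZE
    names = functions + 4 * n
    ordinals = names + 4 * n
    cursor = ordinals + 2 * n                               # string pool
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
    # AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIIII", img, export_dir + 16, 1, n, n, functions, names, ordinals)
    for idx, nm in enumerate(order):
        struct.pack_into("<I", img, functions + 4 * idx, exports[nm])
    for i, nm in enumerate(sorted(order)):                  # AddressOfNames is sorted
        struct.pack_into("<I", img, names + 4 * i, cursor)
        struct.pack_into("<H", img, ordinals + 2 * i, order.index(nm))
        data = nm.encode("ascii") + b"\0"
        img[cursor:cursor + len(data)] = data
        cursor += len(data)
    return bytes(img)


if __name__ == "__main__":
    # Made-up RVAs and load address standing in for ntdll.dll.
    fake_ntdll = build_fake_module({"NtContinue": 0x41230, "NtClose": 0x41100})
    print(hex(resolve_address(fake_ntdll, 0x77000000, "NtContinue")))
```

Because the names table is sorted but the functions table is not, the ordinal indirection is exercised rather than assumed away; real shellcode that skips it and indexes AddressOfFunctions by name position will resolve the wrong routine on most DLLs.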

Below are some malicious behaviors we captured from this first version of the exploit. They show the exploit downloading a document file into the Temporary Internet Files directory, writing it into the Word STARTUP folder, and deleting registry entries so that no entry is left to be restored the next time Word opens.

 

WriteFile
  \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZ9ET1Q3\Microsoft-help[1].wll
  \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70Z9M5D6\Microsoft-help[1].doc
  \Users\Administrator\AppData\Roaming\Microsoft\Word\STARTUP\Microsoft-help.doc

Command execution
  cmd.exe /c ping 127.0.0.1 -n 1 &
  REG DELETE HKCU\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems /f&
  REG DELETE HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems /f&
  REG DELETE HKCU\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems /f&
  REG DELETE HKCU\Software\Microsoft\Office\15.0\Word\Resiliency\StartupItems /f&
  REG DELETE HKCU\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems /f&
  start "" "C:"
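A detection-side counterpart, added here as an example and not part of the original post: the two behaviors above (a file written into Word's STARTUP folder, and the Resiliency\StartupItems key deleted for each Office version) are flagged over constructed log lines shaped like the record above and correlated into one result. The log format, the user name and the benign lines are assumptions made for this example.

```python
import re

# Constructed endpoint telemetry in the shape of the page's behaviour log: one
# "WriteFile <path>" or "Command <command line>" record per line. Written for
# this example; the cache folder name, user name and benign lines are made up.
SAMPLE_EVENTS = r"""WriteFile \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZ9ET1Q3\Microsoft-help[1].wll
WriteFile \Users\Administrator\AppData\Roaming\Microsoft\Word\STARTUP\Microsoft-help.doc
Command cmd.exe /c ping 127.0.0.1 -n 1 & REG DELETE HKCU\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems /f & start "" "C:"
WriteFile \Users\alice\Documents\budget.docx
Command cmd.exe /c REG QUERY HKCU\Software\Microsoft\Office\16.0\Word\Options
"""

# Anything dropped into Word's STARTUP folder is loaded on the next launch
# (add-ins, global templates), so a write there is a persistence event.
WORD_STARTUP_RE = re.compile(r"\\Microsoft\\Word\\STARTUP\\[^\\]+$", re.I)
# Word tracks the items it was loading at startup under Resiliency\StartupItems
# and uses that record to disable or recover them after a failed start; wiping
# it for every Office version keeps the dropped file from being flagged.
RESILIENCY_RE = re.compile(
    r"REG\s+DELETE\s+\"?HKCU\\Software\\Microsoft\\Office\\(\d+\.\d)\\Word\\Resiliency\\StartupItems",
    re.I,
)


def parse_events(text):
    """Yield (kind, payload) pairs from the line-oriented log."""
    for line in text.splitlines():
        kind, _, payload = line.strip().partition(" ")
        if kind and payload:
            yield kind, payload


def scan_events(text):
    """Flag Word STARTUP drops and Resiliency key deletions, and correlate them."""
    startup_drops, cleared_versions = [], []
    for kind, payload in parse_events(text):
        if kind == "WriteFile" and WORD_STARTUP_RE.search(payload):
            startup_drops.append(payload)
        elif kind == "Command":
            cleared_versions.extend(RESILIENCY_RE.findall(payload))
    return {
        "word_startup_drop": startup_drops,
        "resiliency_cleared": sorted(set(cleared_versions)),
        # Both together are the pattern above: plant the file, then make sure
        # Word will not treat it as a failed startup item next time.
        "correlated": bool(startup_drops and cleared_versions),
    }


if __name__ == "__main__":
    for key, value in scan_events(SAMPLE_EVENTS).items():
        print(key, value)
```

Either indicator alone is noisy (legitimate add-in installers write to STARTUP; Office repair tools touch Resiliency keys), which is why the function reports the pair as a separate, higher-confidence field.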

 

Double Kill: Version 2

In the second exploit, attackers used several types of obfuscation to hide the exploit. For example, a textarea HTML tag with the display attribute set to “none” was used to hide the real exploit code. The obfuscated string in the textarea, which starts with “>tpircs” and ends with “>tpircs<”, is not shown on the HTML page, but it can be deobfuscated into a meaningful part of the exploit: reversed, “tpircs” becomes the “script” tag, as shown below in Figure 7.

Figure 7. Obfuscated case part 1

The exploit also uses RegExp and very heavy JavaScript obfuscation. The threat actors used functions such as RegExp and unescape to make variables look meaningless, as shown here in Figure 8:

Figure 8. Obfuscated case part 2

In the VBScript part, obfuscation was not as heavily used. Instead, keywords were split up using string concatenation and substitution to evade detection. For example, in Figure 9 below we have pointed out where “vbscript” and “fromCharCode” were manipulated.

Figure 9. Obfuscated case part 3
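The three obfuscation layers described for version 2, as an added example (not the exploit's code and not Unit 42's tooling): a static pass that pulls the contents of display:none textareas and reverses them to recover the hidden script tag, and that folds VBScript string concatenation and Chr() calls back together so that split keywords such as “vbscript” and “fromCharCode” surface. The sample page is constructed for this example; the RegExp/unescape layer of Figure 8 is not reproduced because its exact form is not given on the page.

```python
import html
import re

# Constructed sample in the shape the page describes: a display:none <textarea>
# holding reversed markup, a JavaScript stage that reverses it and writes it
# back, and a VBScript stage that assembles keywords from fragments. This is
# test data written for this example, not the Double Kill exploit.
SAMPLE_PAGE = '''<html><body>
<textarea id="p" style="display:none">>tpircs/<;)(llik_elbuod>"tpircsbv"=egaugnal tpircs<</textarea>
<script>
var t = document.getElementById("p").value;
document.write(t.split("").reverse().join(""));
</script>
<script language="vbscript">
Dim lang, fn
lang = "vb" & "scr" & Chr(105) & "pt"
fn = "fromChar" + "Code"
</script>
</body></html>'''

TEXTAREA_RE = re.compile(r"<textarea\b([^>]*)>(.*?)</textarea>", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.I)
CHR_RE = re.compile(r"\bChr\((\d+)\)", re.I)
JOIN_RE = re.compile(r'"\s*[&+]\s*"')          # "ab" & "cd"  or  "ab" + "cd"

SUSPICIOUS_KEYWORDS = ("vbscript", "fromcharcode", "unescape", "execute", "createobject")


def hidden_textareas(page):
    """Return the decoded contents of every <textarea> styled display:none."""
    return [html.unescape(body)
            for attrs, body in TEXTAREA_RE.findall(page) if HIDDEN_RE.search(attrs)]


def recover_reversed_script(blob):
    """Reverse a blob; return it if that exposes a <script> tag, else None."""
    rev = blob[::-1]
    return rev if "<script" in rev.lower() else None


def normalize_concat(code):
    """Fold Chr(n) and "a" & "b" / "a" + "b" back into single string literals,
    which is what the scripting engine does at run time anyway."""
    code = CHR_RE.sub(lambda m: '"%s"' % chr(int(m.group(1))), code)
    prev = None
    while prev != code:                         # repeat until no joins remain
        prev, code = code, JOIN_RE.sub("", code)
    return code


def split_keyword_hits(code, keywords=SUSPICIOUS_KEYWORDS):
    """Keywords that appear only after concatenation is folded: exactly the
    ones the author went out of the way to hide from a plain string match."""
    raw, folded = code.lower(), normalize_concat(code).lower()
    return sorted(k for k in keywords if k in folded and k not in raw)


def analyze(page):
    """Run both checks over a page and summarise what they recovered."""
    recovered = [s for s in map(recover_reversed_script, hidden_textareas(page)) if s]
    hits = sorted({k for body in SCRIPT_RE.findall(page) for k in split_keyword_hits(body)})
    return {"reversed_scripts": recovered, "split_keywords": hits}


if __name__ == "__main__":
    print(analyze(SAMPLE_PAGE))
```

The keyword check deliberately reports only names that are absent from the raw text but present after folding; a page that simply says "vbscript" in the clear is not flagged, so the signal is the act of splitting, not the keyword itself.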

From the behaviors logged during shellcode execution, we can see that the exploit downloaded a malicious PE file to the temp directory and executed it directly through CreateProcess:


WriteFile
  \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZ9ET1Q3\v3[1].exe
  \Users\ADMINI~1\AppData\Local\Temp\z.exe

Command execution
  C:\Users\ADMINI~1\AppData\Local\Temp\z.exe


Largest Criminal Attack Campaign in the Second Quarter

This attack exploits the same vulnerability (CVE-2018-8174) as Double Kill but uses a different method to deliver the payload. It uses PowerShell to download and execute files as shown below in Figure 10.

Figure 10. Obfuscated case part 4

This attack campaign was clearly planned in advance. The malicious domain, ‘payert-gov[.]uk’, was registered around 10:30 AM on June 26. The attack started around 10:30 AM on June 28, and after about an hour the domain became unresponsive. The domain registration details suggest the attacker used publicly available information about an employee of a legitimate financial institution (which was not targeted in this attack).

In total, we captured 699 malicious emails in this attack. All of the malicious emails with malicious links were sent from the spoofed address “no-reply@hmrcmailgov.uk” with a subject line containing “Important : Outstanding Amount”. All malicious URLs used the C2 domain ‘payert-gov[.]uk’. You can see an example of the emails at My Online Security.

 

Conclusion

Looking at this quarter’s trends, we see a surprising drop in malicious sites globally, particularly in Russia and China. Meanwhile, the United States remained the top hosting country for malicious sites and exploit kits. Another surprise this quarter is the sudden, unexpected spike in the Netherlands, both in terms of malicious sites and exploit kits.

In the realm of vulnerabilities, we see remarkable consistency, with a nearly identical roster of vulnerabilities under attack in this quarter as last quarter. The only notable addition to this roster is a vulnerability known to be used in zero-day attacks.

We also saw a clear geographic division in the use of exploit kits, with KaiXin favored in East Asia while Grandsoft, Sundown, and Rig were used more in Europe and the United States.

Next quarter, we will return to review this quarter's statistics and trends against the latest data from ELINK to help you better understand the threat trends that are out there.


[Palo Alto Networks Research Center]

Source: https://researchcenter.paloaltonetworks.com/2018/09/unit42-web-based-threats-2018-q2-u-s-remains-1-malicious-web-addresses-china-falls-2-7/

Gartner Top 10 Security Projects for CISO in 2018

CISOs should focus on these ten security projects to reduce risk and make a large impact on the business.

The new chief information security officer (CISO) of a global bank is overwhelmed by his list of to dos. He knows he can’t do everything, but struggles to narrow down the endless list of potential security projects.

“Focus on projects that reduce the most amount of risk and have the largest business impact,” said Gartner vice president and distinguished analyst Neil MacDonald, during the 2018 Gartner Security and Risk Management Summit in National Harbor, MD.

To help CISOs get started, MacDonald shared Gartner’s top 10 list of new projects for security teams to explore in 2018. “These are projects, not programs, with real supporting technologies,” explained MacDonald. He added that they are new to most CISOs, with enterprise adoption at less than 50%.

Neil MacDonald, Gartner vice president and distinguished analyst, explains the Gartner top 10 security projects for CISOs to focus at the Gartner Security and Risk Management Summit 2018.

No. 1: Privileged account management

This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access. At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.

Tip: Phase in using a risk-based approach, addressing high-value, high-risk systems first. Monitor behaviors.

No. 2: CARTA-inspired vulnerability management

Inspired by the Gartner continuous adaptive risk and trust assessment (CARTA) approach, this project is a great way to tackle vulnerability management and has significant risk reduction potential. Consider exploring when the patching process is broken and IT operations is unable to keep up with the number of vulnerabilities. You can’t patch everything, but you can significantly reduce risk by prioritizing risk management efforts.

Tip: Require your vulnerability assessment/vulnerability management vendor to provide this, and consider mitigating controls in your analysis, such as firewalls.

No. 3: Active anti-phishing

This project is aimed at organizations that continue to experience successful phishing attacks against their employees. It requires a three-pronged strategy: technical controls, end-user controls and process redesign. Use technical controls to block as many phishing attacks as possible, but make users an active part of the defense strategy.

Tips: Don’t single out groups or individuals for doing the wrong thing; spotlight those who exhibit the right behaviors. Ask your email security vendor if they can undertake this project. If not, why?


No. 4: Application control on server workloads

Organizations looking for a “default deny” or zero trust posture for server workloads should consider this option. This project uses application control to block the majority of malware, since most malware is not whitelisted. “This is a very powerful security posture,” said MacDonald. It has proven to be successful against Spectre and Meltdown.

Tip: Combine with comprehensive memory protection. It is an excellent project for the Internet of Things (IoT) and for systems that no longer have vendor support.

No. 5: Microsegmentation and flow visibility

This project is well-suited for organizations with flat network topologies — both on-premise and infrastructure as a service (IaaS) — that want visibility and control of traffic flows within data centers. The goal is to thwart the lateral spread of data center attacks. “If and when the bad guys get in, they can’t move unimpeded,” explained MacDonald.

Tip: Make visibility the starting point for segmentation, but don’t over segment. Start with critical applications and require your vendors to support native segmentation.

No. 6: Detection and response

This project is for organizations that know compromise is inevitable and are looking for endpoint, network or user-based approaches for advanced threat detection, investigation and response capabilities. There are three variants from which to choose: endpoint detection and response (EDR), user and entity behavior analytics (UEBA), and deception.

The last of these, deception, is a small but emerging market ideal for organizations looking for in-depth ways to strengthen their threat detection mechanisms with high-fidelity events.

Tip: Pressure EPP vendors to deliver EDR and security information and event management (SIEM) vendors to provide UEBA capabilities. Require a rich portfolio of deception targets. Consider MDR “lite” services directly from the vendor.

No. 7: Cloud security posture management (CSPM)

This should be considered by organizations in search of a comprehensive, automated assessment of their IaaS/platform as a service (PaaS) cloud security posture to identify areas of excessive risk. Organizations can choose from several vendors including cloud access security brokers (CASBs).

Tip: If you have a single IaaS, look to Amazon and Microsoft first. Make this a requirement for your CASB vendor.

No. 8: Automated security scanning

This project is for organizations that want to integrate security controls into DevOps-style workflows. Begin with an open source software composition analysis and integrate testing as a seamless part of DevSecOps workflows, including containers.

Tip: Don’t make developers switch tools. Require full application programming interface (API) enablement for automation.

No. 9: Cloud access security broker (CASB)

This project is for organizations with a mobile workforce looking for a control point for visibility and policy-based management of multiple enterprise cloud-based services.

Tip: Start with discovery to justify the project. Weight sensitive-data discovery and monitoring as a critical use case for 2018 and 2019.

No. 10: Software-defined perimeter

This project is aimed at organizations that want to reduce their attack surface by limiting the exposure of digital systems and information to only named sets of external partners, remote workers and contractors.

Tip: Re-evaluate risk of legacy virtual private network (VPN)-based access. Pilot a deployment in 2018 using a digital business service linked to partners as a use case.


Source: https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2018/

Remembering Robert E Stroud

This weekend, all of ISACA lost a dedicated leader, an engaged board member, a passionate colleague and, most notably, a dear friend. Robert E Stroud, CGEIT, CRISC, 2014-2015 ISACA Board Chair, and Board Director 2015-2018, will be deeply missed.

Only 55 years old, Rob passed away Monday, 3 September 2018, after being struck by a vehicle while jogging on Long Island, New York, USA. He is survived by his devoted family: his wife of 35 years, Connie, sons Josh and Kyle, daughter-in-law Allie Elizabeth, and grandchildren Ayden, Haylee and Jeremy.


Robert E Stroud

Rob brought boundless energy and enthusiasm into everything he did for ISACA—and those contributions were many.  He was board chair for the 2014-2015 term, and was a driving force in the launch of ISACA’s Cybersecurity Nexus (CSX). Prior to that, he was international vice president of ISACA, member of the Strategic Advisory Council and Governance Committee, and chair of ISACA’s ISO Liaison Subcommittee. He was a COBIT champion and contributed to COBIT 4.0, 4.1 and 5, as well as numerous COBIT mapping documents. Additionally, he was involved in the creation of ISACA’s Basel II, Risk IT and Val IT guidance.

His excitement about emerging technologies and extensive knowledge of assurance, governance, cloud security and DevOps made him a highly sought-after speaker at events around the world—including ISACA’s. Rob’s technical expertise, his excitement to travel and share his knowledge around the world, and his humor and wit in delivering remarks will be greatly missed.

Rob’s dedication to the profession extended beyond ISACA. He previously served on the itSMF International Board, the board of the itSMF USA and multiple itSMF local chapters.

Additionally, he served as a member of the ITIL Update Project Board for ITIL 2011 and in various roles in the development of ITIL v3.

Rob’s high-impact career in assurance, governance and innovation leaves a lasting legacy. Rob was Chief Product Officer at XebiaLabs, where in the last year he primarily focused on DevOps scalability in the enterprise. Prior to that role, he was Principal Analyst for Forrester Research Inc., where he helped large enterprises successfully drive their DevOps transformations and guided them through organizational change.

He spent more than 15 years in multiple roles at CA Technologies, including Vice President of Strategy and Innovation, where he predicted changing trends in the domains of assurance, cybersecurity, governance security and risk. He also advised organizations on strategies to ensure maximum business value from their investments in IT-enabled business governance.

On a personal note, Rob has been my good friend and mentor. It was his inspiration and support that led me to serve on the ISACA board of directors. I have had the privilege of co-presenting with Rob many times, and frequently we have had lively discussions about new technology, cloud, DevOps and how we can help ISACA have even greater impact. The day before his passing, I was working on a DevOps presentation using slides that Rob had put together and just shared with me to use. Having collaborated with him for so many years, enjoying his advice, company, humor and zest for life, I feel like I have lost a part of me. I’m sure many of you feel the same, and we will explore a fitting way to honor his contributions and legacy. I will let you know of those opportunities as they are decided by the board in a timely fashion.

Rob was always looking forward to new trends, new challenges and new opportunities, so he could best serve his clients, his colleagues, and his friends, whether bonds were just formed or existed for decades. His exuberance lit up the room wherever he went, and he was truly a guiding light and progressive proponent for the association and our professional community.

Rob’s enduring spirit of innovation will continue to influence ISACA and our global family for years to come.

Thank you, Rob. You are gone too soon. We miss you.

Rob Clyde, CISM, ISACA Board Chair

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1064
