11 Cyber Threat Intelligence Tips

To remain in ignorance of the enemy’s condition simply because one grudges the outlay of a hundred ounces of silver…is the height of inhumanity. Thus what enables the wise sovereign and the good general to strike and conquer…is foreknowledge. – excerpt from Sun Tzu’s Art of War

Background
Cyber Threat Intelligence (CTI), simply put, is timely, accurate and actionable threat, vulnerability and incident information that highlight indicators of compromise to the consumer. The objective of a CTI strategy should be to improve your overall cyber security posture through situational awareness of, and targeted response to, security threats including:  malware, insider threat, espionage, hacktivism, cybercrime and other emerging threats.

What Challenges Do Organizations Face With CTI?
On paper, most chief information security officers (CISOs) understand the need for a CTI strategy. In practice however, real-world challenges exist with implementing such a strategy. Frequently asked questions include:

  • How do I select the best threat intelligence vendors for my organization?  As simple as it sounds, the answer depends on your organization’s threat landscape. Working out your key threat actors (e.g., internal threats vs. nation-states) and threat vectors beforehand will point you towards the type of CTI feeds you need. Before purchasing, challenge vendors on the breadth, depth and industry relevance of their intelligence feeds.
  • How do I make sense of CTI without drowning in a sea of data? With the volume of information available from threat intelligence sources, including open source intelligence (OSINT), vendors, and public and private sharing platforms, employing the use of big data analytics and visualization techniques is expedient.
  • Do we have the right skills in-house to analyse all those data? Organizations often make the mistake of thinking that CTI is only needed at the technical level. In reality, the right mix of CTI skills should include both technical (e.g., SOC analysts responsible for tactical security incident response) and nontechnical skills (i.e., analysts who understand business priorities and are able to use CTI for strategic risk management).

Below is a summary of some best practices around CTI which auditors and security executives can use as a conversation starter.

CTI Dos:

  • Have a documented risk-based CTI strategy—Understand your cyber threat landscape and determine what CTI feeds you need on that basis. Additionally, document how CTI will be obtained, how frequently it will be collected, who will consume it and what they are expected to do with it.
  • Establish communication channels between CTI and business intelligence functions—Do not lose sight of the operating environment when collecting and analyzing threat intelligence. External business factors could provide additional insight into cyber threats and could help shape your CTI strategy.
  • Expect to pay for good threat intelligence—Paraphrasing the words of Sun Tzu, when winning matters to you, “do not begrudge the outlay of a hundred ounces of silver for foreknowledge about your enemy.”
  • Have a management-approved process for sharing your intelligence with peers, regulators, industry groups and law enforcement—When it comes to CTI, the growing refrain is “one for all and all for one.” No one is an island these days.
  • You cannot buy institutional knowledge—The best CTI resources are often those who already understand how your business works and who can bring that knowledge to bear on the analysis of CTI. Consider upskilling internal resources before hiring externally.

CTI Don’ts:

  • Don’t collect threat intelligence for the sake of collecting it—To get the best answers from CTI, we must first ask the right questions of the data. Establishing CTI requirements upfront and anticipating changes to those requirements are important aspects of any strategy.
  • Don’t expect to make sense of it all immediately—Achieving the right balance between collection, analysis and delivery of actionable intelligence will take time.
  • Don’t forget that your third-party IT suppliers complement your CTI strategy—Every technology provider you use is part of your CTI strategy.

In a recent global survey of security executives,1 36% of respondents stated that they did not have a threat intelligence program, with a further 30% only having an informal approach, while only 5% said that their organization had achieved an advanced threat intelligence function. Having a clear CTI strategy could improve these stats and help organizations improve their anticipation and response to threats.

Editor’s note:  October is Cyber Security Awareness Month in many countries around the world. ISACA is a 2016 Champion sponsor organization of the National Cyber Security Alliance’s (NCSA) National Cyber Security Awareness Month. For more information click here.

1 EY, “2015 Global Information Security Survey (GISS),” www.ey.com/GL/en/Services/Advisory/ey-global-information-security-survey-2015-1

Omo Osagiede, Director and Independent Security Consultant, Borderless-I Consulting Limited

[ISACA Now Blog]

PSA: Conference Invite used as a Lure by Operation Lotus Blossom Actors

Actors related to the Operation Lotus Blossom campaign continue their attack campaigns in the Asia Pacific region. It appears that these threat actors have begun using Palo Alto Networks upcoming Cyber Security Summit hosted on November 3, 2016 in Jakarta, Indonesia as a lure to compromise targeted individuals. The payload installed in attacks using this lure is a variant of the Emissary Trojan that we have analyzed in the past, which has direct links to threat actors associated with Operation Lotus Blossom.

As our readers and customers in Indonesia are likely recipients of this phishing e-mail, we want to release some key facts to clarify the situation.

  1. The malicious email will have an attachment named “[FREE INVITATIONS] CyberSecurity Summit.doc” that if opened will exploit CVE-2012-0158. The legitimate invitation emails from Palo Alto Networks did not carry any attachments.
  2. In response to this incident, we have halted our email invitations, so please disregard all new emails related to invitations to this conference, as it may be malicious.
  3. Individuals wishing to attend the conference should register on our official CYBERSECURITY SUMMIT – JAKARTA website.

Summit Invitation: Legitimate and Counterfeit

Palo Alto Networks hosts cyber security summits all over the world, and in many cases we send invitations via email to individuals we believe would be interested in attending. Figure 1 shows a legitimate invitation email in our most recent batch of invitations that has an image for its message body.

Figure 1 Legitimate invitation email sent out regarding our Cyber Security Summit in Jakarta, Indonesia

We received a tip (thanks Marcus!) regarding a recent delivery document that we believe was attached to spear-phishing emails sent to individuals that would likely be interested in attending our conference. While we do not have detailed targeting information or access to the attack emails, we believe the malicious document was delivered as an email attachment with a filename of “[FREE INVITATIONS] CyberSecurity Summit.doc”. This file name contains the first portion of the subject of the legitimate invitation emails we sent out, suggesting the Operation Lotus Blossom actor had access to an inbox that received the invite email or received the email themselves.

The delivery document (SHA256: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943) attempts to exploit CVE-2012-0158 to install a payload and open a decoy document on the compromised system. The decoy is a Word document that contains an image from a previous invitation email, as seen in Figure 2.

Figure 2 Decoy document showing image of previous invitation to the Cyber Security Summit in Jakarta

Emissary Payload

The payload associated with this attack is installed in the background while the decoy document is displayed. The payload itself is a variant of the Emissary Trojan that we have discussed in our blogs titled “Attack on French Diplomat Linked to Operation Lotus Blossom” and “Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?”. The payload runs each time the operating system starts up thanks to the following registry key:

The Emissary payload is comprised of the following three files:

Filename %APPDATA%\Programs\Dsdcmsoon.dll
SHA256 aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286
Description Loader Trojan responsible for injecting payload into Internet Explorer process

 

Filename %APPDATA%\Programs\DCMOS3124.DAT
SHA256 c9d1daab044a4d4e21e3b1f2da0b732a9d48d82c27e723d221be499bcb7f1aa3 (trimmed)
Description Emissary Trojan that runs within Internet Explorer process. This file is 500MB in size as it has a significant amount of junk data appended to the core DLL. The SHA256 is associated with the core DLL with the junk data trimmed.

 

Filename %APPDATA%\Programs\CVNX044.DAT
SHA256 121e844022c04dbe2d152195fbfab297701c050fc6d8d08ddb8a4c27f2be138e
Description Configuration file used by Emissary payload.

We decrypted the CVNX044.DAT file and found the following configuration for this Emissary payload:

This version of Emissary attempts to obtain the external IP address of the compromised system using the website “b4secure[.]com”. Figure 3 shows this HTTP GET request issued by Emissary to obtain the systems IP.

Figure 3 Emissary version 6.4 issues an HTTP GET request to b4secure[.]com to obtain an IP address for the compromised system

The Emissary payload will communicate with the C2 server from its configuration file using HTTP GET requests. These requests will an added “MSG” field that contains the configuration values in encrypted and base64 encode form, along with the a custom “Cookie” field. Figure 4 shows an example C2 beacon from Emissary version 6.4, with the MSG field and the Cookie containing the GUID from the configuration, a field “fun” that specifies which function within Emissary issued the request and the system’s IP address.

Figure 4 Emissary version 6.4 beacon to its C2 server

Insight into Threat Actor

During our analysis of the decoy document that used our Cyber Security Summit as a lure, we were able to determine how the threat actor created the decoy document. As shown in Figure 2 earlier in this blog, the decoy document was two pages that contained images that make up the legitimate invitation to the conference.

We were able to determine that the threat actor used Microsoft Word to crop these images from larger images, specifically screenshots of that the actor took of the images opened in Foxit’s PDF reader. Figure 5 and 6 show the original screenshots of the invitation that were cropped using Word’s cropping tool. These screenshots are of the threat actor’s system, which allows us to glean some intelligence on the actor.

Figure 5 Original screenshot that actor cropped to create the first image within the decoy document

Figure 6 Original screenshot that the actor cropped to create the second image within decoy document

As you can see from the screenshots above, the threat actor is running Windows localized for Chinese users, which suggests the actor’s primary language is Chinese. The “CH” icon in the Windows tray shows that the built-in Windows input method editor (IME) is currently set to Chinese. Also, the screenshot shows a popular application in China called Sogou Pinyin, which is an IME that allows a user to type Chinese characters using Pinyin. Pinyin is critical to be able to type Chinese characters using a standard Latin alphabet keyboard, further suggesting the threat actor speaks Chinese.

Another interesting observation is the clock in the bottom right corner of the screenshots, which suggest that the threat actor took these screenshots at a local time of 8:35 and 8:36 AM on October 19, 2016. The decoy document was created on October 19, 2016 at 7:51 AM, but this timestamp is in UTC not local time. Obviously the screenshots could not have been taken in the future, suggesting that the actor is at least in UTC+1 or greater. We can speculate that if the actor’s clock was set to China Standard Time (UTC+8), then it would suggest that the final decoy document was created 7 hours and 15 minutes after the screenshots were taken.

Conclusion

Threat actors associated with Operation Lotus Blossom continue to carry out attack campaigns, which in this case involved a lure associated with a conference hosted by Palo Alto Networks. We have used emails to invite individuals to this conference; however, our legitimate invitation emails contained an image within the body of the email and did not contain any attachments. We have halted our invitation emails, but recipients of previous and future related emails should scrutinize them to determine if they were sent by these threat actors.

We have published a lot of content on the threat group involved and Emissary payload used in this attack. The payload installed appears to be a relatively new version of Emissary, specifically version 6.4. The decoy document itself contained cropped images of a screenshot that allowed us to determine the threat actor speaks Chinese as their primary language.

Lastly, if you received a malicious email that has an attachment named “[FREE INVITATIONS] CyberSecurity Summit.doc”, please check the system that accessed that file for the indicators of compromise listed at the bottom of this blog. For those individuals wishing to attend the conference, please register on our official CYBERSECURITY SUMMIT – JAKARTA website.

Palo Alto Networks customers are protected from the delivery document and payload associated with this attack, as both have malicious verdicts within WildFire. AutoFocus customers can track this delivery document and payload using the Emissary tag.

Indicators of Compromise

Delivery Document
61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943

Emissary Loader
aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286

C2 server
103.249.31[.]49

[Palo Alto Networks Research Center]

Krebs: Ransomware Getting More Targeted, Expensive

Editor’s note:  The following is an excerpt of a recent blog by Brian Krebs that first appeared in KrebsonSecurity.com. Krebs is an investigative journalist, founder of Krebs on Security, and a former Washington Post reporter with a passion for computer security. He will be the opening keynote speaker at CSX 2016 North America, which takes place in Las Vegas 17-19 October. Krebs will share unique insights gained from years of research and writing, as well as his unprecedented access to some of the smartest and most innovative cyber minds on the planet. He shares how it is important to take risks, make mistakes and learn from them. After the presentation, Krebs will autograph copies of his bookSpam Nation, a New York Times best seller.

I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.

This anecdote has haunted me because it speaks volumes about what we can likely expect in the very near future from ransomware — malicious software that scrambles all files on an infected computer with strong encryption, and then requires payment from the victim to recover them.

What we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.

In an alert published today, the U.S. Federal Bureau of Investigation (FBI) warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users) to identify and target hosts, thereby multiplying the number of potential infected servers and devices on a network.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “Additionally, recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

According to the FBI, this recent technique of targeting host servers and systems “could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

Today there are dozens of ransomware strains, most of which are sold on underground forums as crimeware packages — with new families emerging regularly. These kits typically include a point-and-click software interface for selecting various options that the ransom installer may employ, as well as instructions that tell the malware where to direct the victim to pay the ransom. Some kits even bundle the HTML code needed to set up the Web site that users will need to visit to pay and recover their files.

To some degree, a variance in ransom demands based on the victim’s perceived relative wealth is already at work. Lawrence Abrams, owner of the tech-help site BleepingComputer, said his analysis of multiple ransomware kits and control channels that were compromised by security professionals indicate that these kits usually include default suggested ransom amounts that vary depending on the geographic location of the victim.

“People behind these scams seem to be setting different rates for different countries,” Abrams said. “Victims in the U.S. generally pay more than people in, say, Spain. There was one [kit] we looked at recently that showed while victims in the U.S. were charged $200 in Bitcoin, victims in Italy were asked for just $20 worth of Bitcoin by default.”

In early 2016, a new ransomware variant dubbed “Samsam” (PDF) was observed targeting businesses running outdated versions ofRed Hat‘s JBoss enterprise products. When companies were hacked and infected with Samsam, Abrams said, they received custom ransom notes with varying ransom demands.

“When these companies were hacked, they each got custom notes with very different ransom demands that were much higher than the usual amount,” Abrams said. “These were very targeted.”

Which brings up the other coming shift with ransomware: More targeted ransom attacks. For the time being, most ransomware incursions are instead the result of opportunistic malware infections. The first common distribution method is spamming the ransomware installer out to millions of email addresses, disguising it as a legitimate file such as an invoice.

Editor’s note:  To read the entire blog at KrebsonSecurity.com, click here. For more on CSX 2016 North America click here. There will be two additional CSX conferences this year, including the inaugural CSX 2016 Europe conference 31 October-2 November in London, and the inaugural CSX 2016 Asia Pacific conference 14-16 November in Singapore.

REGISTER NOW

Brian Krebs, Investigative Journalist, Author, Krebs on Security

[ISACA Now Blog]

Cloud Security Alliance Announces Annual Ron Knode Service Award Recipients

Contributions from Six Dedicated Individual CSA Volunteers Recognized in Honor of the Late CSA Member and Volunteer Contributor Ron Knode

SAN JOSE, CA – CSA Congress US – September 15, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the recipients of its fifth annual Ron Knode Service Award, recognizing six members from the Americas, Asia-Pacific and EMEA regions for their excellence in volunteerism. The honorees were selected by the CSA executive team and chosen based on their valuable contributions towards fulfilling CSA’s mission of promoting best practices to help ensure a secure cloud computing environment.

Ron Knode was an information security expert and member of the CSA family who passed away in May 2012. He is remembered as an innovative thinker with endless energy and humor to guide his volunteer contributions. He also was the creator of the CSA Cloud Trust Protocol, which today remains an important asset for the continuous monitoring and auditing for cloud assurance and transparency certification. Established in 2012, the Ron Knode Service Award is awarded to CSA members on an annual basis whose contributions reflect Ron’s passion for volunteerism and embody the spirit for which this award was established.

“The six individuals that we are recognizing today epitomize Ron’s spirit of tireless efforts and commitment to volunteerism. In his honor, we congratulate and thank them for their vast commitment to promoting and defining best practices in the cloud to help ensure a secure cloud computing environment globally,” said Jim Reavis, CEO of the CSA. “We will always remember Ron’s energy, humor and incredible generosity. CSA is grateful for his hard work and dedication, and we continue to benefit from his commitment and passion.”

This year’s six recipients are:

Juanita Koilpillai, CSA Americas: Juanita Koilpillai is the Founder and CEO of Waverley Labs, elevating IT Security to C-level executives and managers to ensure on-line business processes are trusted and helping small technology companies develop their product potential. She is a member of the CSA Software Defined Perimeter Working Group and contributed to Spec 1.0 and 2.0. She is currently leading the open source software defined perimeter effort after securing funding from DHS to launch the effort specifically for distributed denial of service attacks, with the first version of the open source software defined perimeter now available to the CSA members. Juanita presented “An Open Source Software Defined Perimeter” at the Cloud Security Alliance Federal Summit in May 2016 and at the Berlin Conference in November 2015.

Brian Russell, CSA Americas: Brian Russell is a Chief Engineer focused on Cyber Security Solutions for Leidos. He oversees the design and development of security solutions and the implementation of privacy and trust controls for customers. Brian leads efforts that include security engineering for Unmanned Aerial Systems (UAS) and Connected Cars, the design of secure next- generation energy systems (microgrids) and the development of high assurance cryptographic key management systems. He supports the Center for Internet Security as a member of the 20 Critical Security Controls Editorial Panel and represents the Cloud Security Alliance (CSA) on the FCC Technological Advisory Council on IoT. He also serves as Chair of the CSA Internet of Things (IoT) Working Group and lead author of the report ‘Designing and Developing Secure IoT Products’ and the ‘Practical Internet of Things (IoT) Security.’

Anthony Lim, CSA APAC: Anthony Lim is the Director of Marketing Strategy for Asia Pacific at Cloud Security Alliance and an independent cybersecurity professional services consultant, advocating, researching, lecturing and auditing various cloud security and smart cities opportunities. He has led various initiatives and activities at CSA including speaking at numerous seminars and conferences in Asia Pacific in 2016 and acting at the first CCSP instructor in Asia Pacific. He previously was on the Board of Directors for CSA’s Singapore Chapter, was a member of the CSA-ICS2 JTA committee that build the CCSP, chaired Trend Micro at CloudSec 2016. Anthony has also appeared on several TV news shows representing CSA including Singapore Chinese Channel and the BBC.

Eric Wang, CSA APAC: Eric Wang is the current CEO of TanoSecure Inc., a holding company supporting emerging technology companies founded by visionaries in the ICT industry. He currently serves as the cybersecurity advisor to the Taiwanese government and has played an instrumental role in the development of multiple technology start-ups. He is the current Co-Chair of the CSA Mobile Application Security Testing Working Group leading efforts on the design and development of a mobile application development certification program.

Bruno Huttner, CSA EMEA: Bruno Huttner is the Product Manager for Quantum Key Distribution Products at ID Quantique, where he develops next-generation encryption, and especially quantum key distribution systems. He is also responsible for a project aimed at providing secure communications with satellites and high altitudes platforms. Bruno is Co-Chair of the Quantum-Safe Security Working Group at the CSA. Leading the group over the past 18 months, he has contributed heavily to the four papers published from the working group. He has been very active at various conferences, including presenting the Safe Security Working Group material at numerous CSA events. Bruno has also participated in CSA’s EMEA Congress in Berlin last year and RSA in San Francisco this past March, where he organized and chaired a panel session.

Andreas Fuchsberger, CSA EMEA: Andreas Fuchsberger is the Regional Standards Officer for Central and Eastern Europe in Microsoft’s Corporate Standards Group. Andreas participates in the internationalal standards community, predominantyly attending ISO/IEC JTC 1/SC 17 (Security) as an invited expert. Currently for SC 27 he is the editor of two international standards on network security and SIEM. He is a member of the (ISC)2 Application Security Advisory Board where he also chairs the International Standards Committee. He Co-Chairs the CSA Internatiional Standards Councils where he is liaison officer to ITU-T SGs 13 and 17 and chairs the CSA’s Open Certification Framework (OCF) working group.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Contacts
Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

English
Exit mobile version