Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Microsoft discontinued support of the venerable Windows XP operating system (OS) in April 2014. This OS had been a workhorse for over 12 years with a foothold on consumers, enterprises, and embedded systems such as automated teller machines (ATMs).
A year later, it was estimated that 75 percent of the world’s ATMs (2.2 million) were still running on Windows XP. Given the quantity of devices and the geographically dispersed nature of the ATMs, it is reasonable to assume that many of these devices have yet to be upgraded from Windows XP as any upgrade project is logistically daunting. And since Microsoft no longer provides software patches for any security holes, these devices are now more susceptible to malware and viruses. Some financial institutions made custom, extended support arrangements with Microsoft for a short timeframe to provide some protection as upgrade plans were put into motion.
Another factor that many banks and credit unions had to consider was the impending Mastercard deadline for Europay Mastercard Visa (EMV) chip-enabled ATMs. Beginning October 2016, liability for fraud will shift to the ATM owner. Consequently, some institutions opted to accommodate both the Windows XP and EMV chip reader upgrades as part of an overall, strategic plan to refresh their ATM technology. Based on the age of the installed base, this may require both new hardware and software. ATM industry experts have estimated the cost of this upgrade to range from $1,000 to $3,500 per ATM.
For Windows XP-based ATMs whose upgrades continue to be delayed, one option is to add advanced endpoint protection such as Palo Alto Networks Traps, which protects Windows devices from malware and exploits without relying on signatures. Traps is designed to disrupt the relatively small number of techniques that attackers must use to compromise a Windows system, so the remaining Windows XP-based ATMs can be protected even in the absence of future software patches. Implementing Traps can help restore confidence in these aging, but still highly visible, customer touch points.
In the more general case for financial institutions, Traps can also be used to protect any Windows-based servers, desktops (both physical and virtual), and laptops from malware and exploits. This extends the benefit across the entire inventory of Windows devices from customer-facing ATMs to corporate personal computers and servers.
To learn more about how Traps can protect your endpoints, please visit:
Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.
This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.
To provide a sense of what I intend to cover in this series, here are the major themes for each imperative:
Imperative #1 – We Must Flip the Scales
Imperative #2 – We Must Broaden Our Focus to Sharpen Our Actions
Imperative #3 – We Must Change Our Approach
Imperative #4 – We Must Work Together
BLOG #1 of 4: Imperative #1
WE MUST “FLIP THE SCALES”
This first blog in the series is about Imperative #1 for cybersecurity success in the digital age.
Before I get to the details of the first imperative, allow me to provide some background and context for all four imperatives, and then I’ll provide an executive summary of the first imperative in case you are pressed for time.
BACKGROUND AND CONTEXT
First, my role as the Federal CSO for Palo Alto Networks requires that I “evangelize” to the various groups of individuals, leaders and organizations with which I interact. My job is to use my past experience to ensure a deeper understanding of the cyberthreat landscape and provide thought leadership about effective concepts to deal with a growing threat while ensuring that leaders can manage risk in ways that enable their business or mission, not detract from or restrict those vital functions.
Second, because of my military experience, I think of effective concepts in terms of several key factors. I use these factors to explain concepts in a comprehensive way, and so I’ll use these factors to describe each of the imperatives for cybersecurity success in the digital age. Figure 1 below provides the four factors that I use; and, below that, I provide some brief definitions:
Figure 1
Threat: This factor describes how the cyberthreat is evolving and how we are responding to those changes.
Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities – or the what) and ways (methods, priorities and operations – or the how) to achieve ends (goals and objectives – or the why).
Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) structure.
Tactics, Techniques and Procedures (TTP): This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.
My last point of background and context is about the digital age, itself. So, what does the digital age environment look like? Two important trends come to my mind.
First, our growing reliance as a society on technology for just about everything we do is only going to increase. This isn’t news to anyone; and, regardless of whether you are talking about public or private organizations, or our personal lives, there is no escaping the level of trust that we continue to place in technology. Equally increasing is the level of connectivity not only between us as a human race but in the devices that we use to do almost everything in our daily lives. The phenomenon of the Internet of Things represents this trend.
The second trend isn’t news to anyone either, so I won’t waste your time going into the details. Just look at the growing list of headlines about cyber breaches across government and industry worldwide. Figure 2 below depicts the most recent list of cyber breaches – it’s a mess! And I believe it’s going to get worse before it gets better. You’ve all heard the tired (but, nonetheless, true) saying, “It’s not a matter of if, but when.” The trend is alarming; and, no matter whether you sit in the public or private sector, you have to understand that the cyberthreat is a serious problem, representing an imperative for change if we are going to be able to continue to place trust in all the opportunity that the digital age promises.
Figure 2
(From “Information is Beautiful” website)
IMPERATIVE #1 – WE MUST “FLIP THE SCALES”
Using Figure 3 below as a reference, we must “flip the scales,” or at least rebalance them, to improve the cybersecurity posture that we choose to live with today. Let me explain what I mean, using the concept model I described above, and step through the implications via the categories of Threat, Policy and Strategy, Organizational and Architectural Structure, and finally Tactics, Techniques and Procedures (or TTP).
Figure 3
EXECUTIVE SUMMARY
We have a math problem that is giving today’s cyberthreats a significant advantage over our ability to secure and defend our networks. This problem pits a growing adversary marketplace – that leverages information sharing, automation and the cloud at increasing speed and decreasing costs – against the cybersecurity community, which is slow, clumsy, largely manual and increasingly expensive.
Part of the reason we have this math problem is due to legacy thinking and resulting policies that heavily favor opportunity and convenience over security and risk management rather than a more balanced approach toward both. Flipping the policy scale from a “trust everything” to a Zero Trust model (“never trust, always verify”) will help to flip the scales on the attacker/defender math problem.
To change the policy balance and drive a real strategy that aligns limited resources and methods to achieve results also requires that leaders enter the decision-making forum when it comes to cybersecurity. A successful organization enables wise leadership to make decisions through collaboration between their IT and cybersecurity experts, working in tandem to provide precise, accurate and clear recommendations. This is how the leadership of an organization can drive successful policy and strategy. It is also how the leadership and tech teams can work toward common goals and routinely demonstrate progress with real, measurable results.
Finally, cybersecurity success in the digital age requires a new way of thinking about our TTP. Implementing real change requires rebalancing performance and security together, just as we also rebalance security and privacy together, empowering IT and cybersecurity teams to partner in a win-win dynamic, rather than pitting one community against the other with win-lose priorities. This is how an organization can go about safely enabling the high performance of its users, using the applications and content the organization requires to do its vital functions, including fixed, mobile and virtual capabilities throughout the organization’s enterprise, from the cloud to the network to the endpoint device – BYOD or otherwise.
DETAILED DESCRIPTION OF IMPERATIVE #1
THREAT: Looking at this concept from a threat perspective, we all know that, today, the Attacker has a distinct advantage over the Defender. That’s not news, and we all know that; but let’s look at why that is true and why it’s only going to get worse unless we do something to “flip the scales” or at least rebalance them toward a better security posture than we choose to live with today.
This is what our CEO at Palo Alto Networks, Mark McLaughlin, calls a math problem. Due to the decreasing cost of automation and cloud-based capabilities, a growing marketplace of threat actor information sharing, and the ever-increasing attack surface with vulnerabilities growing in proportion due to the “Internet of Things” phenomenon, the Attacker’s job is getting cheaper and easier every day. The Attacker only has to be successful once to get into your network and accomplish his or her nefarious intentions.
On the other hand, the Defender has to be everywhere, all the time. Additionally, the Defender, who typically uses manual procedures to respond, doesn’t usually detect the threat in his or her networks until months or even years have passed (the average detection time is more than 6 months according to most cyberthreat research and analysis). This is very costly in terms of time, manpower, technology, complexity, reputation, brand and, of course, money.
To illustrate further, I’d like to use a few numbers to tell a story about the world of protecting your business from cyberattacks and this math problem. I got these numbers from our Regional CSO for Europe and the Middle East, Greg Day.
In 2015, the Application Usage Threat Report from Palo Alto Networks saw 675,000 distinct threats, across almost 3000 applications. These are frightening statistics. But what does this actually mean in real terms to your business, to your team, or to you personally?
To get a feel for that kind of meaning, you need context that’s relevant to your world, so let me give you another number – 1.5 million. According to analysts Frost & Sullivan, this will be the shortfall of cybersecurity professionals by 2020.
This demand outstripping supply is good news if you’re a security professional looking for a job, but bad news if you are trying to recruit cybersecurity professionals into your organization or retain your existing workforce. Many organizations have a model that is becoming harder and harder to sustain in this world of more threats and less security staff at the ready.
Who are these Defenders? CISOs and other IT security professionals, of course, defend their organization – against what, though? Today, it’s not just an attacker; it’s a marketplace, and that means groups of people sharing best practices with each other – trading with each other.
A few years ago some governments were investing huge amounts of resources to develop incredibly sophisticated attack approaches. Today anyone can purchase the same attack kit online for a few dollars, complete with instructions and a how to get started video.
This is why it’s getting easier for Attackers: because of their decreasing costs and the abundance of resources available to them. They only have to be successful once to win, but this is probably a tiny percentage of their attack attempts. Contrast that with the CISO, who has to successfully defend 100 percent of the time. Attackers are crowdsourcing, yet CISOs are on their own.
I’d like to show you, in the following sections of the concept model, how many leaders and security professionals are taking action to alter their defensive model to take advantage of the valuable assets they already have – in other words, “flipping the scales” to give the Defender more of an advantage than he or she has today.
POLICY: The legacy view is that technology is driven by opportunity and convenience (which are built-in) while security and risk management chase from behind trying to catch up (and are, therefore, bolted-on afterwards).
The environment, as shown in Figure 2 above and captured in almost daily headlines about the latest breaches, is changing this balance; but the change is slow and uneven. This change is beginning to drive a need to bring the scales in Figure 3 to a better, more responsible balance.
This includes changing a “left side of the scale” assumption that you’re safe, to a “right side of the scale” assumption that the threat is going to get in, if it hasn’t already, resulting in the need for a Zero Trust environment.
All of the security leaders we talk to want to reduce the workload on their organization. Getting back to the math problem from earlier, here’s another number – 65,000. Like some of the earlier numbers I used, this one also comes from Greg Day, and it identifies some of the reasons the network defender’s workload is so big.
That is, roughly, the number of TCP and UDP ports (65,536, the full range of a 16-bit port number) that the original Internet protocol designers provided so that every different service and protocol could have a port of its own. This provided lots of scope and scale for flexibility.
Today we use very few of these traditional ports. Most traffic consists of either email or web-based protocols; however, within these, there are now thousands of Internet applications, each with its own sub-protocols riding on the same few ports.
You can block most of those ports; but, since almost all the traffic arrives on the same handful (web on 80 and 443, mail on 25 and 587), you cannot block those without cutting off the traffic your business needs. Using traditional, port-based technology, you have no choice but to trust everything on those ports.
This policy means that security professionals have to program their legacy firewalls to block traffic using rules that are based on where traffic is coming from, where it’s going to, and what type of traffic it is. And, of course, your organization wants to do new things all the time, so the policies have to change all the time.
So, your starting position is to trust all the traffic going through these few ports. Then you have to block traffic using policies – lots of policies. Policies on top of policies. Rules on top of rules. It’s very difficult to even understand what the policies and rules from the past did and if the new policies and rules conflict in any way. This approach is very costly, labor-intensive and ineffective because it’s using this old frame of reference that only adds complexity and cost to the equation, neither of which are your friends as a cybersecurity professional.
The only way to fix this is to design a totally new type of technology using a different frame of reference – one based on how we use the Internet today. You need technology that understands modern Internet usage and can identify each of the applications that effectively uses its own protocols over the few trusted ports each business has enabled today. This is exactly why Palo Alto Networks has engineered its next-generation firewalls to safely enable the applications and content required by an organization’s users, whether fixed, mobile or virtual, to do the vital functions required for the mission or business (more on this in the TTP portion below).
The balance on the right side of the policy scale is called a Zero Trust model. Trust nothing unless it’s defined as part of how you operate your business. This essential capability is unique. It also allows you to create rules that determine what traffic can flow into your organization. But, instead of being based on the port, the type of traffic, where it’s from, and where it’s going to, it’s based on who wants to communicate and what they want to do. That means the applications and content that they want to use.
The end result is that it’s easy for you to define your company’s way of doing business because you need far fewer policies and they are relevant to how your organization operates. They also make sense, and you can see your security policy written in black and white.
It’s more effective because your starting point is Zero Trust rather than trust everything, and it understands the sub-protocols that modern web applications use. It’s easy to follow and much less work.
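To make the difference between the two sides of the policy scale concrete, here is an added example that is not part of the original post and does not model any vendor’s policy language: a small first-match policy engine in Python that evaluates the same constructed flows against a legacy rule set keyed on destination port and a Zero Trust rule set keyed on the identified application and user group, with deny as the default in both. The zones, application names, user groups and flow labels are all assumed for the example; the point it shows is that every flow on TCP/443, including the unknown beacon, is trusted by the port-based policy, while the application-based policy only admits what a rule explicitly names.

```python
"""Added example (not from the original post): a first-match policy engine
comparing a legacy port-based rule set with an application/user-based
"Zero Trust" rule set. Rules, flows and application names are constructed
for illustration and do not model any vendor's policy language."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str         # application identified from the traffic, not from the port
    user_group: str  # who is asking, e.g. from a directory lookup

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    fields: Tuple[str, ...]        # which Flow attributes the rule consults
    match: Callable[[Flow], bool]

@dataclass
class Policy:
    rules: List[Rule]
    default_action: str

    def evaluate(self, flow: Flow) -> Tuple[str, Optional[Rule]]:
        """First matching rule wins; otherwise fall through to the default."""
        for rule in self.rules:
            if rule.match(flow):
                return rule.action, rule
        return self.default_action, None

NETWORK_FIELDS = {"src_zone", "dst_zone", "dst_port"}

# Legacy posture: trust the few ports the business uses, then pile deny rules
# in front of that allow as problems surface.
LEGACY = Policy(rules=[
    Rule("deny-blocklisted-dst", "deny", ("dst_zone",), lambda f: f.dst_zone == "blocklisted"),
    Rule("allow-web-ports", "allow", ("dst_port",), lambda f: f.dst_port in (80, 443)),
    Rule("allow-mail-ports", "allow", ("dst_port",), lambda f: f.dst_port in (25, 587)),
], default_action="deny")

# Zero Trust posture: nothing is allowed unless a rule names the application
# and the user group that needs it; the port is incidental.
ZERO_TRUST = Policy(rules=[
    Rule("finance-erp", "allow", ("app", "user_group"),
         lambda f: f.app == "erp-web" and f.user_group == "finance"),
    Rule("staff-mail", "allow", ("app", "user_group"),
         lambda f: f.app == "corporate-mail" and f.user_group != "guest"),
    Rule("staff-browsing", "allow", ("app", "user_group"),
         lambda f: f.app == "web-browsing" and f.user_group != "guest"),
], default_action="deny")

# Constructed sample flows; every one of them rides TCP/443.
FLOWS: Dict[str, Flow] = {
    "finance user to ERP":   Flow("trust", "dmz", 443, "erp-web", "finance"),
    "staff web browsing":    Flow("trust", "untrust", 443, "web-browsing", "engineering"),
    "guest web browsing":    Flow("guest", "untrust", 443, "web-browsing", "guest"),
    "c2 beacon on 443":      Flow("trust", "untrust", 443, "unknown-tcp", "engineering"),
    "beacon to blocklisted": Flow("trust", "blocklisted", 443, "unknown-tcp", "engineering"),
}

def compare(policies: Dict[str, Policy], flows: Dict[str, Flow]) -> Dict[str, Dict[str, str]]:
    """{flow label: {policy name: action}} for a side-by-side view."""
    return {label: {pname: pol.evaluate(flow)[0] for pname, pol in policies.items()}
            for label, flow in flows.items()}

def port_only_allows(policy: Policy, flows: Dict[str, Flow]) -> List[str]:
    """Flows the policy allows on network fields alone (no application or user
    identity consulted): the 'trusted ports' a Zero Trust review must revisit."""
    hits = []
    for label, flow in flows.items():
        action, rule = policy.evaluate(flow)
        if action == "allow" and rule is not None and set(rule.fields) <= NETWORK_FIELDS:
            hits.append(label)
    return hits

if __name__ == "__main__":
    for label, verdicts in compare({"legacy": LEGACY, "zero_trust": ZERO_TRUST}, FLOWS).items():
        print(f"{label:24s} {verdicts}")
    print("port-only allows (legacy):", port_only_allows(LEGACY, FLOWS))
```

The port_only_allows check is the useful audit here: run against a real rule base it lists every allow that never looked at who was talking or which application they were using, which is exactly the set of rules the “trust everything on these ports” posture depends on.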
ORGANIZATION: The decision-making forum when it comes to dealing with cyberthreats has traditionally been within the technical (CIO/CISO/CSO) community, but the exploding threat problem along with the changing balance between opportunity/convenience and risk are driving the decision-making forums into C-Suites and boardrooms; no longer are they solely within the purview of the IT community. This is becoming and, in more and more cases, has already become a leadership issue rather than just a technical one. So this scale has already begun to flip – and that’s a good thing!
Leadership is one of the most critical aspects of this imperative about changing the balance on these scales and creating an environment where those in the business of driving cybersecurity within an organization can begin to acquire an advantage over the threat.
Leadership from the top drives the prioritization of resources and assets, enables an effective strategy that aligns the ways and means to achieve real goals, and requires that the team routinely bring back results that can be measured in relationship to the bottom line, whether you are a business or a national security organization.
This changing balance within the decision-making forum in no way diminishes the role of the technical community in the overall decision process. The tech community must take greater care than ever before to educate their leadership in clear, accurate ways so that wise decision-making is the result.
Let’s face it – not all of our senior executives have the technical background to readily comprehend all of the details required to address what can be a very mysterious and complex problem set. It’s incumbent on the leader’s technical experts to explain issues in plain English to the maximum extent possible.
Use of analogies can be tempting; and, sometimes, that may be a good way to explain something that is familiar to a leader’s background and experience. But beware, the technology environment associated with cyberspace has some of the most significant distinctions that I’ve personally ever witnessed when compared to the traditional physical “domains.”
Scale, speed, and complexity (especially given the blurring of lines between human interaction with cyberspace and the various layers of technical, logical, physical and geographic segments) make analogies dangerous because, inevitably, the analogy falls apart at some point, and senior executives who think they understand what decision to make based on an imprecise analogy can be making serious mistakes.
TTP: So why is it that it seems we continue to lose, and the problem is getting worse and not better? Why haven’t we all had a “Cyber Pearl Harbor” or “Cyber 9/11” epiphany? From what I can see, it’s because there is still, what I believe to be, a false narrative about the balance between security and performance – that you can only increase one at the expense of the other.
This has traditionally been described as a “win-lose” dynamic. And, in the world of business just as in the world of national and economic security, performance always wins, which is why most CISOs report to CIOs. And when they don’t, it’s always a win-lose proposition pitting one community against another.
The fact is that, in this new environment, security and performance go hand in hand. So how do we enable a “win-win” dynamic? How do we put security into a model that safely and effectively enables performance, across all users, using all their applications, all their content, including mobile and virtual devices? Is that even possible? If your cybersecurity solution provider isn’t working toward that objective, shouldn’t they be?
As we saw in the threat discussion above, organizations are faced with the situation where the attacker has low costs and automation. And the defender has high costs and human beings performing manual tasks.
This is why leaders are looking for another way because this model is hard to sustain. Perhaps it is even unsustainable.
Imagine if you could change the balance. At the moment this precious resource – your staff – is focused mostly on discovery. Taking productive business action is secondary. This model gives a poor return. What if your people only took productive business action and the discovery part was automated? That model would give you a much higher return. More on manual vs. automated in one of my next blog posts about other imperatives for cybersecurity success in the digital age.
One thing that I think can help us to pursue more of a win-win dynamic is to speak with more clarity and accuracy about what we are trying to do with information sharing in order to provide “cyber” security and distinguish that from some of today’s conflated ideas about providing “traditional” security and the associated “surveillance” issues that get carelessly lumped into the cybersecurity discussions.
So in addition to the false narrative about performance vs. security, I think there’s another false narrative about security vs. privacy. In the cybersecurity world, unlike the world of counterterrorism and surveillance issues, security ensures privacy – it doesn’t detract from it! For example, we should begin to clearly identify exactly what kind of cyberthreat information needs to be shared, and how a narrow focus on that specific information has little (or maybe even nothing) to do with privacy-related information.
I’ll cover more about information sharing in Imperative #4; but, for now, let me summarize the key tenets of this first imperative about “flipping the scales.”
CONCLUSION
Cybersecurity success in the digital age requires us to take action to change several important dynamics that are currently out of balance.
Legacy thinking and resulting policies put the cybersecurity community on the wrong side of a math problem when it comes to the threat, and in a win-lose dynamic with both the IT community and our leadership when it comes to choosing between performance and security. We have to “flip these scales,” and this effort must be driven by the organization’s leadership with the active participation of the IT and cybersecurity communities working toward common goals within an organization.
We also need to start throwing the weight of our technology, processes and people on the side of the scales favoring next-generation technology that recognizes the way the Internet works today, leverages the powerful advantage that automation can bring to discovering threats on a wider scale and in reduced time, and saves our most precious resource – our people – to do what only people can do instead of spending all of our resources in “cleanup on aisle 9” mode.
Next in this blog series will be Imperative #2 for cybersecurity success in the digital age … We Must Broaden Our Focus in Order to Sharpen Our Actions.
Written by John A. Davis, Major General (Retired) United States Army, and Vice President and Federal Chief Security Officer (CSO) for Palo Alto Networks
“Action is the true measure of intelligence.” There is much truth in these words by Napoleon Hill; and, even though they are aimed at personal improvement, they also apply to cybersecurity. Intelligence allows for better organization, prioritization, and display of network and threat data. Intelligence, applied in the right way to network security, leads to informed and fast action necessary to prevent cyberattacks from succeeding.
Having actionable, well-organized information about network traffic and threats at your fingertips is more crucial today than ever before. IT and security organizations are inundated with unmanageable and uncorrelated amounts of data from multiple, independent security deployments, making it impossible to find critical threats buried in mountains of information.
Frequently it is not a lack of data that leads to a data breach but a lack of appropriately prioritized, actionable data. When it comes to network security management, complexity really is your enemy. Today’s security environment results in multiple independent interfaces and policy engines, or loosely integrated security solutions with several bolted-on technologies falsely marketed as unified products. Companies these days usually have a legacy web security product, many firewalls, a mobile and an endpoint security deployment, and more. IT teams have to manage too many data sources. Security teams don’t have the time or the resources to pinpoint critical threats among the mountains of data. Both teams are simply too overwhelmed to find the needle in the haystack and, as a result, can’t prioritize responses appropriately. That becomes a dangerous problem because real threats slip through among thousands of alerts.
What is needed is a platform that simplifies and consolidates data flows, highlights critical data, offers quick answers to security questions, and streamlines creation and management. A well-designed security platform should provide:
Visual Display of Data – A visual interface is critical because the overwhelming amounts of data in today’s cybersecurity space are just too confusing.
Customization – Every network administrator has different needs. Customization of the UI allows the system to display exactly what the user is looking for in the best possible way.
Interaction – When you are searching for answers, you need them fast. Easy drill-down capabilities within the UI should provide these answers with just a few clicks.
Automation – Automation is critical in today’s security environment. Automation eliminates duplication of work, cuts back on manual research, and reduces human error and oversight.
Palo Alto Networks Next Generation Security Platform offers all of these benefits in its UI. Learn more about how we provide actionable intelligence within our UI by downloading the Actionable Threat Intelligence whitepaper.
The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.
From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting a variety of operating systems – Windows, OS X, Linux, even mobile iOS.
The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware.
Malware Assessment
Fysbis is a modular Linux trojan / backdoor that implements its plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware exists in both 32-bit and 64-bit Executable and Linkable Format (ELF) builds. Additionally, Fysbis can install itself on a victim system with or without root privileges, which increases the options available to an adversary when selecting an account for installation.
Summary information for the three binaries we analyzed follows:
Table 3: Sample 3 – Late 2015 Sofacy 64-bit Fysbis
Overall, these binaries are assessed as low sophistication, but effective. They epitomize the grudging reality that Advanced Persistent Threat (APT) actors often don’t require advanced means to achieve their objectives. Rather, these actors more often than not hold their advanced malware and zero-day exploits in reserve and employ just enough resources to meet their goals. It is only fair that defenders use any shortcuts or tricks at their disposal to shorten the amount of time it takes to assess threats. In other words, defenders should always look for ways to work smarter before they have to work harder.
Getting the Most Out of Strings
Binary strings alone revealed a good amount about these files, increasing the efficacy of activities such as static analysis categorization (e.g., Yara). One example of this is Fysbis installation and platform targeting information for the samples in Table 1 and Table 2.
Figure 1: Sofacy Fysbis installation and platform targeting found in strings
In this case, we can see the binary installation path and the local reconnaissance used to determine which flavor of Linux the malware is running on. This is followed by a number of shell commands related to the malware establishing persistence.
Another example of easily obtained information from these samples is capability based.
Figure 2: Sofacy Fysbis capability related leakage through strings
Figure 2 shows interactive status / feedback strings that can give a defender an initial profile of capabilities. In addition to contributing to static analysis detections, this can be useful as a starting point for further incident response prioritization and qualification of the threat.
Symbolic Information Can Shorten Analysis Time
Interestingly, the most recent ELF 64-bit binary we analyzed (Table 3) was not stripped prior to delivery, which offered additional context in the form of symbolic information. Defenders more familiar with Windows Portable Executable (PE) binaries can think of this as roughly the difference between a Debug and a Release build, with one caveat: on Linux the function names live in the binary’s own .symtab section and are removed by strip, whereas a Windows build normally keeps them in a separate PDB file rather than in the PE itself. For comparison, if we were to inspect Fysbis “RemoteShell” associated strings in one of the stripped variants, we would only see the following:
Little static analysis gifts like these can help to speed defender enumeration of capabilities and – more importantly – further contribute to correlation and detection across related samples.
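As an added example that is not Unit 42’s tooling and not code from the original post, the following Python script performs the two static checks described in the last two sections (strings, and symbolic information) without any external library: it extracts printable strings the way the strings utility does, detects whether an ELF64 binary still carries a .symtab section, and lists the function names from that table when it does. Because no real sample can ship with this page, the script builds two tiny ELF64 files itself with constructed strings and placeholder symbol names (RemoteShell_run, decode_install_info); the INSTALL_HINTS list is likewise an illustrative, not authoritative, set of installation and reconnaissance indicators.

```python
"""Added example, not from the original post: minimal ELF64 triage (strings,
stripped check, function symbols). Samples below are constructed in-code."""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, STT_FUNC = 1, 2, 3, 2
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (little-endian)
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header
SYM = struct.Struct("<IBBHQQ")              # ELF64 symbol table entry

def cstring(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\x00", off)].decode("latin-1")

def build_strtab(names):
    """String table: leading NUL then NUL-terminated names -> (blob, {name: offset})."""
    blob, offsets = b"\x00", {}
    for n in names:
        offsets[n] = len(blob)
        blob += n.encode() + b"\x00"
    return blob, offsets

def build_elf64(rodata: bytes, func_names=None) -> bytes:
    """Constructed ELF64 with a .rodata section; func_names adds .symtab/.strtab,
    None yields a stripped binary. Section headers only (no program headers)."""
    specs = [(".rodata", SHT_PROGBITS, rodata, 0, 0)]  # (name, type, data, sh_link, entsize)
    if func_names:
        strtab, str_off = build_strtab(func_names)
        symtab = SYM.pack(0, 0, 0, 0, 0, 0)            # mandatory null symbol
        for i, n in enumerate(func_names):             # st_info 0x12 = STB_GLOBAL | STT_FUNC
            symtab += SYM.pack(str_off[n], 0x12, 0, 1, 0x1000 + 0x10 * i, 0x10)
        strtab_index = len(specs) + 1                  # +1 for the null section header
        specs += [(".strtab", SHT_STRTAB, strtab, 0, 0),
                  (".symtab", SHT_SYMTAB, symtab, strtab_index, SYM.size)]
    shstrtab, sh_off = build_strtab([s[0] for s in specs] + [".shstrtab"])
    specs.append((".shstrtab", SHT_STRTAB, shstrtab, 0, 0))
    body, headers, offset = b"", [SHDR.pack(*([0] * 10))], EHDR.size
    for name, stype, data, link, entsize in specs:
        headers.append(SHDR.pack(sh_off[name], stype, 0, 0, offset, len(data), link, 0, 1, entsize))
        body, offset = body + data, offset + len(data)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, offset, 0, EHDR.size, 56, 0,
                     SHDR.size, len(headers), len(headers) - 1)
    return ehdr + body + b"".join(headers)

def sections(blob: bytes) -> list:
    """Section headers in index order: dicts with name/type/offset/size/link/entsize."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(blob, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SHDR.unpack_from(blob, shoff + i * shentsize) for i in range(shnum)]
    names_off = raw[shstrndx][4]                       # sh_offset of .shstrtab
    return [{"name": cstring(blob, names_off + r[0]), "type": r[1], "offset": r[4],
             "size": r[5], "link": r[6], "entsize": r[9]} for r in raw]

def is_stripped(blob: bytes) -> bool:
    """No .symtab: strip removed the static symbols (.dynsym, if present, survives
    stripping and is deliberately not counted here)."""
    return not any(s["name"] == ".symtab" for s in sections(blob))

def function_symbols(blob: bytes) -> list:
    """Names of STT_FUNC symbols from .symtab, in table order; [] when stripped."""
    secs = sections(blob)
    symtab = next((s for s in secs if s["name"] == ".symtab"), None)
    if symtab is None:
        return []
    strtab = secs[symtab["link"]]                      # sh_link -> associated string table
    names = []
    for i in range(symtab["size"] // symtab["entsize"]):
        st_name, st_info = SYM.unpack_from(blob, symtab["offset"] + i * symtab["entsize"])[:2]
        if st_info & 0xF == STT_FUNC:
            names.append(cstring(blob, strtab["offset"] + st_name))
    return names

def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """What `strings -n min_len` would print: runs of printable ASCII."""
    out, run = [], bytearray()
    for b in blob + b"\x00":                           # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out

# Illustrative (constructed) installation / persistence / recon indicators.
INSTALL_HINTS = ("/usr/lib/", "/etc/", "lsb_release", "chkconfig", "systemctl", ".service")

def triage(blob: bytes) -> dict:
    strs = printable_strings(blob)
    return {"stripped": is_stripped(blob), "functions": function_symbols(blob),
            "install_hints": [s for s in strs if any(h in s for h in INSTALL_HINTS)]}

# Constructed samples sharing the same strings: one stripped, one with symbols kept.
RODATA = b"/usr/lib/example-svc/\x00lsb_release -a\x00RemoteShell: started\x00"
SAMPLE_STRIPPED = build_elf64(RODATA)
SAMPLE_UNSTRIPPED = build_elf64(RODATA, ["RemoteShell_run", "decode_install_info"])

if __name__ == "__main__":
    for label, blob in (("stripped", SAMPLE_STRIPPED), ("unstripped", SAMPLE_UNSTRIPPED)):
        print(label, triage(blob))
```

The sections(), function_symbols() and printable_strings() functions work unchanged on a real ELF64 read from disk; the stripped check only looks for .symtab, so a stripped binary that still exports names through .dynsym will be reported as stripped, which is the right answer for “did the author leave the static symbols in?” but not a claim that no names survive at all.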
Additionally, this latest sample demonstrated minor evolution of the threat, most notably in terms of obfuscation. Specifically, both samples in Table 1 and Table 2 leaked installation information in the clear within binary strings. This was not the case with the sample in Table 3. Taking a closer look at this non-stripped binary using a disassembler, the following corresponds to decoding malware installation information for a root-privilege account.
Figure 5: Assembly code view of Sample 3 installation decoding
In this case, the symbolic information hints at the method used for decoding, with references to mask, path, name, and info byte arrays.
Figure 6: Assembly view of Sample 3 root installation related byte arrays
As it turns out, the referenced byte mask is applied to the other byte arrays using a rolling double-XOR algorithm to construct malware installation paths, filenames, and descriptions for a Linux root account. Corresponding INSTALLUSER byte arrays exist, which facilitate the non-root installation for the trojan. The same masking method is also used by the binary to decode malware configuration C2 information, further showcasing how a little symbolic information can go a long way towards completeness and higher confidence in assessment of a malware sample.
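The triage step described above (is the ELF stripped, and which symbol names survive?) can be automated before opening a disassembler. The parser below is an added example written for this page, not Unit 42 tooling; it walks the ELF64 section headers by hand so it runs offline, and the test image it builds is constructed here, with the symbol names “mask”, “path” and “RemoteShell” chosen only to mirror the names the post cites.

```python
import struct

SHT_SYMTAB = 2  # static symbol table; `strip` removes it, so stripped samples carry none

def elf64_sections(data):
    """Parse the ELF64 section headers into [(name, type, offset, size, link)]."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    raw = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    names = data[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]  # .shstrtab contents
    return [(cstr(names, s[0]), s[1], s[4], s[5], s[6]) for s in raw]

def cstr(blob, start):
    """NUL-terminated string starting at `start` inside a string table."""
    return blob[start:blob.index(b"\x00", start)].decode("ascii", "replace")

def static_symbols(data):
    """Symbol names from .symtab, or [] for a binary stripped before delivery."""
    secs = elf64_sections(data)
    for _, typ, off, size, link in secs:
        if typ == SHT_SYMTAB:
            strtab = data[secs[link][2]:secs[link][2] + secs[link][3]]
            entries = (struct.unpack_from("<I", data, off + i)[0] for i in range(0, size, 24))
            return [cstr(strtab, n) for n in entries if n]  # skip the mandatory null symbol
    return []

def build_sample_elf(symbol_names=()):
    """Constructed test image (not a real sample): header, string tables, optional .symtab."""
    shstr = b"\x00.shstrtab\x00.symtab\x00.strtab\x00"  # name offsets: 1, 11, 19
    strtab = b"\x00" + b"".join(n.encode() + b"\x00" for n in symbol_names)
    symtab, pos = b"\x00" * 24, 1  # entry 0 is the required null symbol
    for n in symbol_names:
        symtab += struct.pack("<IBBHQQ", pos, 0x12, 0, 1, 0, 0)  # STB_GLOBAL | STT_FUNC
        pos += len(n) + 1
    blobs = [shstr, symtab, strtab] if symbol_names else [shstr]
    offs = [64 + sum(len(b) for b in blobs[:i]) for i in range(len(blobs))]
    sh = lambda *f: struct.pack("<IIQQQQIIQQ", *f)
    shdrs = [sh(0, 0, 0, 0, 0, 0, 0, 0, 0, 0), sh(1, 3, 0, 0, offs[0], len(shstr), 0, 0, 1, 0)]
    if symbol_names:  # .symtab links to .strtab (index 3); sh_entsize is 24 for ELF64
        shdrs += [sh(11, SHT_SYMTAB, 0, 0, offs[1], len(symtab), 3, 1, 8, 24),
                  sh(19, 3, 0, 0, offs[2], len(strtab), 0, 0, 1, 0)]
    shoff = 64 + sum(len(b) for b in blobs)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELFCLASS64, little-endian, SysV ABI
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), 1)
    return hdr + b"".join(blobs) + b"".join(shdrs)
```

On a real sample, `static_symbols(open(path, "rb").read())` gives the same answer as `readelf -s`; an empty list is the stripped case the post contrasts with Sample 3.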
If you would like to learn more about how Fysbis works, the samples analyzed remain fairly consistent with the sample analysis found here.
Infrastructure Analysis
As Unit 42 has discussed in depth in other blog articles, we have observed that adversaries in general are seemingly hesitant to change their infrastructure. This may be due to not wanting to commit additional resources, or simply a matter of retaining familiarity for the sake of timeliness. In either case, we see the same type of behavior here with the Fysbis samples in use by Sofacy.
The oldest sample (Table 1) was found to beacon to the domain azureon-line[.]com, which had already been widely publicized as a known command and control domain for the Sofacy group. Using passive DNS, we can see that two of the original IPs this domain resolved to, 193.169.244[.]190 and 111.90.148[.]148, also mapped to a number of other domains that had been in use by the Sofacy group during that time period.
Figure 7: Sample 1 C2 resolutions
The first of the newer samples (Table 2) continues the trend and beacons to an IP also widely associated with the Sofacy group, 198.105.125[.]74. This IP has been mostly associated with the tool specifically known as CHOPSTICK, which can be read about here.
Figure 8: Sample 2 C2 resolutions
The newest sample (Table 3) introduces a previously unknown command and control beacon to mozilla-plugins[.]com. This activity aligns with the previously observed Sofacy group tactic of integrating legitimate company references into their infrastructure naming convention. Neither this new domain nor the IP it resolves to has been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign. Comparing this sample’s binary with the other two, however, shows there are significant similarities on the code level as well as in terms of shared behavior.
Figure 9: Sample 3 C2 resolutions
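The passive DNS pivot used for Sample 1 (seed domain, the IPs it resolved to, then other domains on those IPs during the same period) is easy to script once the records are in hand. This is an added example, not Unit 42 code: the seed domain and the two IPs are the ones named above, every other domain and all dates are constructed placeholders, and the time-overlap check is what keeps a later, unrelated tenant of a shared IP out of the result.

```python
from datetime import date

# Constructed passive-DNS records (domain, ip, first_seen, last_seen), defanged as in the post.
# Only azureon-line[.]com and the two IPs come from the report; the rest are placeholders.
PDNS = [
    ("azureon-line[.]com", "193.169.244[.]190", date(2015, 1, 10), date(2015, 4, 2)),
    ("azureon-line[.]com", "111.90.148[.]148", date(2015, 4, 3), date(2015, 8, 1)),
    ("placeholder-one[.]example", "193.169.244[.]190", date(2015, 2, 1), date(2015, 3, 15)),
    ("placeholder-two[.]example", "111.90.148[.]148", date(2015, 5, 1), date(2015, 6, 30)),
    ("unrelated-later[.]example", "193.169.244[.]190", date(2016, 1, 1), date(2016, 2, 1)),
]

def refang(ioc):
    """Turn the '[.]' notation used in reports back into a real dotted name or IP."""
    return ioc.replace("[.]", ".")

def overlaps(a, b):
    """True when two (first_seen, last_seen) windows share at least one day."""
    return a[0] <= b[1] and b[0] <= a[1]

def pivot(records, seed_domain):
    """Map each domain that shared an IP with the seed, while the seed used it, to those IPs."""
    recs = [(refang(d), refang(ip), f, l) for d, ip, f, l in records]
    seed = refang(seed_domain)
    seed_windows = {}  # ip -> [(first_seen, last_seen)] for the seed domain only
    for d, ip, f, l in recs:
        if d == seed:
            seed_windows.setdefault(ip, []).append((f, l))
    related = {}
    for d, ip, f, l in recs:
        if d == seed or ip not in seed_windows:
            continue
        if any(overlaps((f, l), w) for w in seed_windows[ip]):  # same IP, same period
            related.setdefault(d, set()).add(ip)
    return {d: sorted(ips) for d, ips in related.items()}
```

Domains returned this way are pivots to qualify, not confirmed attribution; shared hosting makes co-resolution alone a weak signal, which is why the window check matters.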
Conclusion
Linux is used across business and home environments and appears in a variety of form factors. It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a majority of Internet-facing web and application servers. Linux is also at the foundation of Android devices and a number of other embedded systems. The value proposition of Linux – especially when it comes to its use in the enterprise – can be broken out into three perceived benefits: lower total cost of ownership (TCO), security, and feature set. While numbers and comparison alone can contribute to measurement of TCO and feature set, security requires further qualification. Expertise in the Linux platform is highly sought after across all industries for multiple disciplines, from system administration to big data analytics to incident response.
The majority of businesses still maintain Windows-heavy user environments where certain core infrastructure components also operate under Windows servers (e.g., Active Directory, SharePoint, etc.). This means, from a practical perspective, most of a business’s focus remains on supporting and protecting Windows assets. Linux remains a mystery to a number of enterprise IT specialists, most critically for network defenders. Identifying and qualifying potential incidents requires a familiarity with what constitutes normal operation in order to isolate anomalies. The same is true for any other asset in an environment: normal operation is entirely dependent on a given asset’s role / function in the enterprise.
Lack of expertise and visibility into non-Windows platforms combine in some environments to present significant risks to an organization’s security posture. As a recent caution, the Linux vulnerability described under CVE-2016-0728 further demonstrates the potential breadth of real-world risks to associated platforms. A natural extension of this exposure is increased targeting by both dedicated and opportunistic attackers across various malicious actor motivations. Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries. Mitigating the associated risks requires tailored integration of the people, processes, and technology in support of prevention, monitoring, and detection within an environment.
Linux malware detection and prevention is not prevalent at this time, but Palo Alto Networks customers are protected through our next-generation security platform:
IPS signature 14917 deployed to identify and prevent command and control activity
The C2 domains and files mentioned in this report are blocked in our Threat Prevention product.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Two tectonic shifts that helped create the data-rich Dragnet Nation where we live today both date back to 2001, argues Julia Angwin in her powerful treatise on privacy.
The U.S. government began its mass data collection efforts in earnest after the terrorist attacks of September 11, 2001, when traditional surveillance methods failed. Meanwhile, technology companies, reeling from the dotcom crash, turned to data as their hope for more sustainable revenue and profits.
In Dragnet Nation, the author, an award-winning investigative journalist, tackles both government and corporate mass surveillance, stressing that they are “deeply intertwined”. “Government data are the lifeblood of commercial data brokers. And government dragnets rely on obtaining information from the private sector,” she writes.
Review
Fifteen years on, we now live in a world where billions of dollars are made off the back of data collected from sites and apps where we read, chat and shop online, and hundreds of thousands of jobs depend on it. What would once have horrified – a newspaper filled with gay interest ads delivered only to a homosexual reader – is now expected on sites such as Google and Facebook.
Angwin excels at putting this new race for data dominance in historical context. She shows how even the most benign data collection tools, such as the census, were used for ill during both world wars, tracing draft violators and tracking down Japanese Americans.
She travels to Berlin to examine the records of the world’s most pervasive secret police, who had 1 in 4 East Germans working as informants for them. While there, she shows an administrator in the Stasi archives how easy it is to build a picture of an individual’s social connections using sites such as LinkedIn – far easier than it was for the Stasi.
The bulk of the book is a tale of Angwin’s journey to reduce her online footprints, to escape the dragnet by minimising tracking of her location, her contacts, and her shopping habits. She meets characters and companies trying to create technologies that could help her and others evade the data trawl of corporations and the government.
For a reader with little knowledge of the privacy tools she describes, the book could almost function as a how-to guide. In particular, the chapter where she finally manages to pique her children’s interest in privacy would be engaging for many parents struggling to make keeping safe online as fun as sharing everything with friends on social networks.
But this is a guide accompanied with heavy doses of disappointment as Angwin finds even experts struggle to create effective technologies and make them usable.
This is a New York Times bestseller aimed at making privacy accessible, not providing in-depth knowledge for cybersecurity professionals. Angwin’s descriptions of her debates about using PGP and other encryption types may not be particularly relevant within the industry.
However, for those wishing to better understand the behaviour of people who profess to care deeply about privacy but struggle to act, Angwin is bracingly honest. She explains how frustration led her to bad passwords, her struggle to balance disconnecting with having to be available for work and childcare emergencies, and how she felt she lost more than she gained when she took herself off major social networks, even having to cancel a birthday party when few bothered to decrypt her invite.
Dragnet Nation is also worth reading for its conclusion. After a year investigating how to keep away from ever-watching eyes as an individual, Angwin concludes that collective action is necessary to rewrite the rules of the digital data game.
She believes that mass efforts to evade surveillance could spark a conversation and a campaign akin to the protests that helped lead to a reduction in pollution in the U.S. Comparing better rights to privacy to improved air and water quality, she tries to give hope that using the Internet will not always have to mean giving up the right to a private life.
Angwin points to the idea of “sousveillance”, or surveilling the surveillors, as one nascent movement that has changed the balance of power in some situations, for example, with more police violence caught on video by cell phones.
Conclusion
Dragnet Nation is a fair and even-handed look at the problems of living in a state and a market where data has become the primary currency. Angwin does not even completely dismiss the idea that mass surveillance can sometimes be necessary; instead she encourages readers to question each “dragnet” they encounter, asking questions such as, “Can it withstand public scrutiny?” and “Are the operators held accountable for the way it is used?”
I would recommend Dragnet Nation for the Canon as an early stop on the journey for any cybersecurity professional to understand the challenges posed by mass data collection.