Be Yourself. By Yourself.
Are government agencies doing enough to secure networks and provide a baseline of security standards?
Palo Alto Networks VP, Cybersecurity Strategy and Global Policy, Ryan Gillis joined MeriTalk Director of Content Bill Glanz for a wide-ranging discussion on the current threat landscape, frameworks such as NIST, where government agencies are falling short when preventing known and unknown attacks, and where and how to place people, processes and technology.
[Palo Alto Networks Blog]
Today there is much debate on the role of intelligence in cyber strategies. Like so much in the world of cyber, as the requirements have changed, so have the capabilities being offered. With this in mind, what are the characteristics of modern cyber intelligence?
When the Heartbleed vulnerability was announced last year, like most, I started to search for more information. Within the first 24 hours, there were already hundreds of thousands of articles online, many providing technical insight on the exploit. There was no shortage of information about the vulnerability and how it worked, and I even found a video tutorial on how to leverage the exploit.
At a recent leadership event, I observed a very heated debate on intelligence. In many cases, the points made reinforced that intelligence is primarily a lot of noise with limited value.
There is indeed an abundance of technical information on how threats and vulnerabilities work, as well as known bad domains/IPs, and so on. It seems the challenge is that, with so much raw data, how do we ingest it to gain value?
E.O. Wilson, a social biologist suggested, “We are drowning in information, while starving for wisdom[1]”, so what is the difference? The FBI defines intelligence as “information that has been analysed and refined so that it is useful to policy makers in making decisions[2]”.
Depending which security vendor you follow, it is suggested that there were hundreds of millions of new malware iterations created in 2014. Looking at the CVE list[3], the count got to 9751 documented vulnerabilities and exposures identified over 2014. Taking that last number alone, that would be nearly 27 per day, which is too much data to be useful to make security decisions on a daily basis.
When thinking about these numbers, three points stand out as opportunities for intelligence to add value:
From discussions that I’ve had, there are specific elements required to move information into business-valuable intelligence and to enable decisions to be made and actions to be taken. All of these are interdependent, and if any single one is missing, the value quickly collapses. These are the following:
Summary
Today’s cyber challenge is a numbers game. With the volume of what is happening globally and the volume of security events discovered internally, we are creating a big data challenge that will only expand as we add more IPs and more security capabilities, and the volume of attacks continues to grow. SIEM tools typically help consolidate internal events, but that is only part of the challenge. We also need to add context and consolidate external information.
What is key is that we typically have finite cybersecurity staff and live with the analogue limitation in the digital world. The more we can filter and automate activity (machine to machine), the closer we get to working at the same digital speed as the attack. There is always going to be a requirement for some level of human intervention, but today those humans are typically tied up with tasks that should be automated, so they are completed in a timely manner. Having the right intelligence is an enabler to increase automation and free up cybersecurity staff to focus on the activities they should be focused on.
[1] https://en.wikiquote.org/wiki/E._O._Wilson
[2] https://www.fbi.gov/about-us/intelligence/defined
[3] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=2014
[Palo Alto Networks Blog]
Exploits have been the major enabler of advanced persistent threats for over a decade now, but it is only in the recent years that the term has become widely used and acknowledged as a main attack vector.
However, this acknowledgement too often assumes people understand what exploits actuallyare. This is mainly due to the highly technical nature of exploits. One should be familiar with how applications are processed and executed in order to understand the means in which this flow can be maliciously manipulated.
As an active and increasing risk, knowledge on exploits various patterns and implementations is critical for sound security decision making – even non-technical people can’t be out of the loop.
This is the first in a series of posts to address security-oriented, but non-technical readers. It is meant to walk you through the building blocks of exploitation, including basic motivations, various techniques, the evolution of protection mechanisms and counterattack measures. Hopefully this series will elucidate many of the terms that you often hear and enable you to know the answers to questions such as:
Let’s begin. We will be focusing first on memory corruption exploits due to their critical role in the threat landscape.
Threat actors can have many motivations, but whatever the motivation is, in order to fulfill it an attacker must execute code on a victim’s machine. This code could be anything from silent data exfiltration to wiping out hard disks or sabotaging a SCADA system. However, the attacker’s code should be executed to fulfill the attack’s objective.
The obvious problem is that under normal circumstances the attacker does not have access to its target machine. So, for example, a cutting edge data exfiltration malware is useless until the attacker achieves the ability to remotely run that malware on the target’s machine.
Exploitation is a solution to the remote attacker’s problem. The exploit gives the attacker user privileges on the compromised machine. It is the means by which attacker obtains a firm, minimal foothold in a victim’s machine, and that foothold enables the main components of an attack – backdoor, C2C communication, key loggers, etc. – to be downloaded and executed.
To achieve that, attackers target the applications by which users normally interact with external content. The most commonly used applications are browsers, readers, players and Microsoft Office documents. Attackers will attempt to embed their code in the file the targeted application will open. Let us understand how this is achieved.
Applications accept input and process it. In theory this input could be either well-formed and executed or malformed and rejected.
In practice, however, there is also a third possibility in which the file is indeed malformed, but is still accepted by the application. The application will start executing the file but somewhere along the line the execution flow will deviate from its predesignated path and the application will crash.
To understand why this happen we should recall what happens when a program is executed. We will refer to an executed program as process and use this term from now on. The operating system allocates the process a memory address space which contains the process code and data. The process memory space is the playground in which the process is executed and will be present with us through the entire series. (We will later dive deeper into how this space is structured.)
In the meantime, our interest in the process address space lies in the fact that an executed process can be viewed as a mere sequence of memory addresses. These addresses are fetched to the Central Processing Unit (CPU) one at a time according to a predesignated sequence. The CPU executes the instructions in the fetched address and proceeds to the consecutive one and so on and so forth until the final instruction, which is exiting the process.
This is what happens when the file is well-formed. However, in the scenario we described above, at a certain point in the sequence the execution flow deviates. The CPU is fetched with an address which does not contain any instructions which will stop the execution. This is, roughly, what happens when a process crashes.
Until this point we have not described anything malicious. The fact that applications accept malformed input files rather than reject them all together is a built in feature of code writing. The application writer by definition is unable to predict all the possible file alterations.
From the attacker’s perspective this is an attractive scenario. If a certain malformed input causes the execution flow to deviate to an empty address, an input could also be crafted to overwrite this empty with the attacker’s instructions. In that case the execution flow will no longer crash but will instead be redirected.
At this point we understand how an attacker can gain control on process execution flow. We have not yet understood what there is to be gained. The memory space the attacker is in is still the memory space the process received from the operating system and in this space the only valid code is the application code.
But what if this memory space contained also a dormant malicious code? In this case the attacker could leverage its control and redirect the execution flow to execute this code. The CPU will keep on executing since it will be fed with valid instructions. If this small piece of code could, upon execution, open a connection between the attacker’s machine and the victim’s machine the attacker will be able to remotely use the machine with legitimate user privileges.
So, in order to take control of a victim machine attacker must craft an application input (usually a data file) in the following manner:
After completing these preperatory stages the attacker needs to makes sure that the target user will indeed open this crafted file. This would typically be done through social engineering by sending email attachment (the crafted files in that case will be Office documents, Readers, etc.) or compromising a commonly visited web page.
When the user browses the webpage or opens the attachment, the chain we have described will be triggered: the application will start executing. At a certain point – without the user ever noticing – the execution flows will deviate, the deviated address will be overwritten, the execution flow will redirected toward the attacker’s embedded code, the code will be executed and a connection will be established between the attacker’s machine and the target user. From this point onwards the endpoint – the user’s machine — is compromised and the attacker is free to download any malware it desires to the targeted endpoint according to its specific needs and objects.
We can now define the following terms:
Vulnerability – is the bug in the application which causes execution flow to deviate from its designated path when trying to process a malformed data file. Various vulnerabilities correspond to different malformation variants. A vulnerability enables an attacker to intercept a process execution flow. The vulnerability by itself is merely the potential for compromise.
Shellcode – is the small sized code the attacker embeds in the malformed input file. The shellcode establishes connection between the attacker and the targeted machine. This connection is utilized further on to perform reconnaissance and download additional malware.
Exploit – is the code which redirects the execution flow from the overwritten address to the dormant shellcode. Successful exploitation is accomplished when the shellcode is executed and a connection between the attacker and the target machine is established.
The actual exploitation flow can be thus broken to the following parts:
In upcoming posts we will present different kinds of vulnerabilities and the main implementations of these three parts.
[Palo Alto Networks Blog]
If you are like many of our customers, your Palo Alto Networks firewall and Panorama configurations contain thousands of policies and objects. In previous releases you might have even lamented the difficulty of finding specific items that you want to modify.
Well the search is over! Or is it just beginning?
With the new Global Find feature introduced in PAN-OS 7.0 and Panorama 7.0, you can quickly locate items in your configuration by searching a key word or phrase. The search results show EVERY location in your configuration where a given object exists and the search results are categorized to help you locate the item you need.
If you are not sure what to search for, you can easily bring up Global Find while navigating your configuration. For example, let’s say you have an address object that contains the network range for your Sales department and you want to see all policies that use that address object. Simply navigate to Objects > Addresses and click the drop-down menu to the right of the object name and then select Global Find. In seconds, you see search results that contain clickable links to all referenced policies.
See Global Find in action:
Even if you know exactly where to find a configuration object, you can use the Global Find feature to quickly locate the object. The clickable search results enable you to jump directly to the area you want to modify, saving you time!
Find detailed information about the global find feature in the PAN-OS 7.0 Administrator’s Guide.
[Palo Alto Networks Blog]
Unintentional insider threats can cost a U.S. company as much as $1.5 million, according to a report from the Ponemon Institute. The Verizon 2015 Data Breach Investigations Report noted that most of the thousands of data breaches and security incidents studied involved stolen user credentials.
This predicament is understandable – most employees don’t fully understand the importance of the role they play in ensuring the security of their organization – but there are simple measures everyone can take to ensure they don’t become the open door into the network. Here are five tips on how not to become an insider threat:
Be mindful of devices with company data on them
It’s a new world out there, and most of us have some sort of company data on portable devices. Whether you get work-related emails on your smartphone, use company laptops out of the office, access cloud-based IT solutions or just log into company systems remotely, be careful not to let this information fall into the wrong hands.
Try not to store unnecessary sensitive data on your mobile devices, and be wary of what external networks you connect to. Malware can be used to steal login credentials or compromise the corporate network if you return to the office with the infected device.
Lastly, don’t forget devices can be stolen or lost. Keep track of your devices, promptly report any device containing company data to your IT group, use a password and secure them, which leads to the next tip.
Encrypt data at rest
Most people only think about encryption when they are transferring data to a third party, but data that is sitting unused in storage is also at risk. From the perspective of an employee, this most often takes place when sensitive items are stored on mobile devices, personal computers or data storage devices such as external hard drives and thumb drives.
Encryption ensures that even if data falls into someone else’s hands, they won’t be able to access it. Most phones and mobile devices have the ability to encrypt data stored on them. Here is some information on encrypting iOS and Android devices.
Encrypting external hard drives and thumb drives is a little more difficult. Though there are several third-party applications to encrypt storage drives, if you are running Windows Vista or later, Microsoft BitLocker is a good solution. For more information on BitLocker and installation instructions, click here.
Of course, the effectiveness of encryption is highly dependent upon the strength of the key and the key management processes…
Use good password practices
You wouldn’t put your valuables in a safe but leave the door open, would you? Likewise, you wouldn’t use the same key for your car, safe, safety deposit box, etc. Your sensitive data is only as safe as the password you use to protect it.
You should use passwords that are at least 10 characters long, though the longer the better, with complexity: it should contain a mixture of uppercase, lowercase and special characters as well as numerals. Change your password often, and use a unique password for every site, system and application. If you use only one password for everything and a website you use suffers a data breach that includes user passwords, all of your accounts are as good as compromised.
Of course, it is difficult to memorize and manage so many unique passwords, but there is a solution. You can use secure password managers to generate unique passwords and keep track of them, requiring you to only remember the one password used to secure the manager. You can also employ two-factor authentication for your most sensitive accounts (your password vault, for example), which will require you to input a unique ID that is sent to your phone every time you log in, drastically reducing the likelihood of compromise.
For more information on using secure password managers and two-factor authentication, click here.
Beware of social engineering
“Social engineering” is just a fancy way of saying an attacker utilizes tactics from traditional scams in conjunction with a cyber-attack, and it is a common practice. Social Engineering attacks the human component of the security system. The most common example of this today is phishing, in which an attacker crafts an email that appears legitimate but aims to trick the recipient into divulging sensitive details such as passwords or installing malware on their machine. A more targeted approach is called “spear phishing” wherein the attacker creates an email targeting a specific person, perhaps even you.
Very few of us are truly “off the grid”; we all have information available about us online. In a matter of minutes, an attacker can find out what you do and discover your workplace responsibilities. They can then use that information against you. For instance, an attacker may identify a company’s CEO or other C-level executive and then send a fraudulent email that appears to be from that CEO to you, a company finance manager. The attacker claims they need an urgent wire transfer to close a deal or secure a service. The wire information will likely contain a legitimate vendor but a fake SWIFT code that routes the money to the criminal. Most people don’t question emails that appear to come from a company executive, or another associate, but that mistake could cost your company thousands or even millions.
Social engineering doesn’t have to be digital. Some of the largest breaches over the past few years involved an attacker using the telephone to speak with a company employee posing as a member of IT or other organization insider and convincing them to divulge passwords and other access information. Legitimate IT support staff will never ask you to divulge your passwords! Be wary of strange phone calls. If someone seems suspicious, clear it with a company security professional before you give them any information or ask the caller to hang up so you can call them on an official company phone number.
Ensure you don’t have unnecessary access privileges
This may sound like a strange tip, but most employees don’t need access to every resource on their company’s network, and limiting access to sensitive systems to only those who need it can drastically reduce the reach of a potential data breach. This is called the “principle of least privilege.”
Though access privileges are typically managed by IT Security, they do not always know everything different employees need access to, and maintaining proper access control can be difficult. If you discover you have access to data or systems that you don’t require as part of your job, you should notify your organization’s security team. This is especially true if the data or systems contain sensitive information such as customer payment information or personally identifiable information (PII).
While there is no cyber security “silver bullet” to prevent breaches, remaining aware of common security practices can help prevent attackers from using you as a way into your employer’s network. Just like you brush your teeth every morning, these practices are essential to maintaining your “cyber security hygiene.”
Andrew Wild, Chief Information Security Officer, Lancope
This post is part of a series for National Cyber Security Awareness Month, which aims to educate Internet users on how to stay safe online.
[Cloud Security Alliance Blog]
