Securing Tomorrow: Society Must Wake Up and Take Ownership of Identity

There are trends that have been on the industry’s radar for a while now; social, mobile, applications and cloud. However, within the next year, we’ll see more of an emphasis on one of the key underpinnings of these trends – identity. The issues with data management and security are often told and understood from an industry, business or sector perspective; but society as a whole is still arguably not at a point where it is fully awake to these issues and how they directly affect individuals. Next year, I believe we will begin to see people recognising the need to make big decisions around privacy. This is especially true when it comes to how much of their identity and data they are and should be willing to ‘give away’ or hold back, and balancing this with the convenience of their rapidly developing online lives.

Many of us recently updated to iOS 9 and downloaded it without hesitation. Today you can ask Siri or Cortana to access your holiday pictures in an instant, pay for your shopping with your phone or check your heart rate or symptoms on a health application if you’re unwell. Every time we use one of these conveniences, we are giving away more and more information about our lifestyles, and increasingly becoming owned by the ecosystems that we choose.

We are still largely unaware of where and how our data can be accessed, and the consequences can be potentially dangerous. A study published in BMC Medicine recently revealed that 20 percent of the health apps it looked at did not have a privacy policy, most of the apps communicated with one or more third-party services, and four of the apps even sent identifying and confidential health information without encryption. The general invasion of privacy isn’t the only problem. The data could fall into the hands of parties who could be actively seeking it out (e.g., insurance companies).

While society as a whole isn’t in a state of security and privacy awareness that it needs to be, there are signs that this is beginning to change and industry is beginning to respond. Following its launch of iOS 9, Apple recently launched a new section of their website dedicated to explaining to customers its approach to privacy and how it manages data.

Society is still not catching up fast enough, and there is currently a fundamental disconnect between what motivates product and technology development and what is needed to truly secure it. Organisations are putting their efforts into protecting corporate reputation, rather than investing in prevention with a ‘security-by-design’ approach. The speed at which new applications and devices are brought to market is faster than ever before and we are dealing with more data than ever. A culture of making security a staple part of development processes and programming needs to be embedded within every organisation that has a service to offer involving storing or managing consumer data. Such requirements are too often considered down the line. As a body of certified cyber, information, software and infrastructure security professionals, (ISC)² recently took steps to promote such a culture by working with the government, the Council of Professors and Heads of Computing, BCS, the Institute for IT and other industry bodies to create course guidelines to enable cybersecurity to become a core component of UK computing degrees. The result was a set of guidelines that detail aspects of defensive programming to defend against basic risks, as well as having core modules such as secure systems and products, and cybersecurity management.

By taking steps like these, society can move to a culture of ‘security first’ over time. The key is to start with future IT professionals before they enter the workforce to engrain security within them for any programming or development. This will ultimately enable the future workforce to respond to the needs of a more security aware general public (customer base) that will be ready to take control over their own data and identity.

Dr. Davis will be asking a panel of experts, including Oracle’s Director of Security for EMEA Georg Freundorfer; CISO for Deutsche Flugsicherung Dr. Sebastian Broecker; and former U.S. White House Advisor and current Executive Director at Safecode Prof. Howard Schmidt their visions looking forward in 2016 and beyond as he moderates the opening keynote, “How Can we Secure Tomorrow Today?” at (ISC)² Security Congress EMEA in Munich 20-21 October. — Dr. Adrian Davis, CISSP, Managing Director, (ISC)² EMEA

[(ISC)² Blog]

Surveillance Malware Trends: Tracking Predator Pain and HawkEye

Malicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor pursues is the theft of authentication information, whether it applies to business or personal accounts. Unless specifically mitigated, this theft often allows an unauthorized actor to masquerade as the victim, either achieving immediate gains or creating a platform from which progressive attack campaigns may launch.

There are a number of threats that endanger the critical secrecy of credentials, including poor operational security practices, social engineering, man-in-the-middle attacks, password hash dumping and cracking, and surveillance malware. In this post, Unit 42 examines various trends in a malware threat set within the surveillance malware category: Predator Pain and its latest derivative, HawkEye.

Threat Background

Surveillance malware covers a broad range of capabilities, including:

  • Capture of keyboard and / or input device (e.g., mouse) activity, with window / process awareness (keylogging)
  • Taking asset display screen shots or video (display capturing)
  • Assuming control of cameras and / or microphones attached to an asset (live surveillance)
  • Interception of network communications (sniffing)

Each of these capabilities can be qualified by its scope (i.e., types of information collected) and method (ranging in techniques and sophistication). Additionally, some surveillance software includes its own exfiltration mechanism, while others may depend on external software to accomplish the transfer of captured information.

Both Predator Pain and HawkEye are considered keyloggers, but they also include additional features, such as web browser and e-mail client credential dumping, display capture, and captured information exfiltration. HawkEye is openly sold on a commercial website, whereas Predator Pain is usually acquired through underground forums. Associated features have made this set of malware popular with malicious actors across a number of motivations; however, the most prevalent motivation remains cyber crime, in which stolen information is directly exploited or sold for financial gain. (A list of additional reading links is found at the end of this blog post for anyone interested in learning more about this specific threat set.)

Trending and Analysis: July 2015-September 2015

The following sections describe Predator Pain and HawkEye trending and analysis conducted by Unit 42 from July 2015 through September 2015. We leveraged the Palo Alto Networks AutoFocus service, under which this threat set is tagged as PredatorPain.

Target Selection

Almost all of the adversaries Unit 42 observed employing this malware threat set harvest publicly disclosed or leaked e-mail addresses to construct phishing campaign targeting lists. These lists are mostly indiscriminate, with malicious actors seeking any opportunistic gains they can glean from “shotgun” style attack campaigns. The natural exposure of businesses with publicly advertised e-mail addresses (e.g., sales@<domain> or info@<domain>) makes for easy targeting of what typically represents key organizational e-mail distributions. In other words, these distributions normally reach a number of staff at the target organization who are motivated by their importance to business, increasing the likelihood of them inadvertently executing malicious code on their systems.

Threat Volume

Figure 1 depicts July to September 2015 sessions (individual occurrences) for this threat set.

Figure 1: Predator Pain / HawkEye Sessions, Jul – Sep 2015

Observed sessions revealed an interesting pattern in distribution volume: it ramps up on Sunday, peaks from Monday through Wednesday, and drops significantly from Thursday onward. We believe this corresponds with focused business targeting early in the workweek, consistent with the targeting process most cyber crime actors employ, as noted above.

Delivery

Figure 2 shows the delivery methods observed for the Predator Pain and HawkEye threat set over the period of interest, with e-mail by far being the preferred delivery method for adversaries.

Figure 2: Predator Pain / HawkEye delivery methods, Jul – Sep 2015

Exploring respective phishing attacks further revealed the following lure themes:

  • Notification or issues with product order or shipping
  • Notification or issues with payment, purchase order, invoice, or billing
  • Product or service quotation request
  • Confusing, random, and/or purportedly personal topics

Table 1 contains some examples of more common e-mail phishing attack subject and attached filename pairings:

Email Subject                                              | Email Attachment Filename
Re: Purchase Order                                         | PO #5479423.exe
M.V. Chuetsu Spirit V.62A – SI / agency appointment / PDI  | CHUETSU DREAM V.26A SI HK.scr
DHL AWB# 34 5673 0015 / shipment                           | payment.exe
New Order                                                  | ORDER.exe
Quotation.                                                 | purchase order.exe

Table 1: Lure theming examples for e-mail attacks, July – September 2015

Respective malware delivered via malicious e-mail mainly consisted of Microsoft Windows Portable Executable (PE) 32-bit and 64-bit binaries. Microsoft Word or RTF documents constituted the remainder of malicious files. Attempted downloads of this threat from web and FTP sites were also observed; however, these represented drastically lower occurrences (session counts).
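The lure themes and subject/attachment pairings above translate directly into mail-gateway triage logic. The following Python sketch is an added example, not code from the Unit 42 post: it scores inbound message metadata for executable attachment extensions, commerce-themed subjects and filenames, decoy double extensions (e.g. invoice.pdf.exe) and delivery to public role mailboxes. The message records are constructed (the first four reuse Table 1 pairings), and the score weights, threshold and role-mailbox list are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# File extensions Windows will execute directly. The observed lures ship PE
# binaries as .exe or .scr (a screen saver is still a PE file).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Document extensions an attacker places before the real one to disguise it.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

# Commerce lure vocabulary taken from the lure themes and Table 1 above.
LURE_TERMS = re.compile(
    r"\b(purchase\s+order|po|order|invoice|payment|billing|quotation|quote|"
    r"shipment|shipping|awb)\b",
    re.IGNORECASE,
)

# Public role mailboxes that naturally receive unsolicited mail (assumed list).
ROLE_MAILBOXES = {"sales", "info", "orders", "accounts", "billing"}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    attachments: List[str]


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def attachment_extension(name: str) -> str:
    """Return the final extension, lowercased ('invoice.pdf.exe' -> '.exe')."""
    m = re.search(r"(\.[A-Za-z0-9]{1,4})$", name.strip())
    return m.group(1).lower() if m else ""


def has_decoy_double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe', where a document extension precedes the real one."""
    parts = name.lower().strip().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS


def score_message(msg: Message) -> Verdict:
    """Additive scoring; the weights are assumptions, not from the Unit 42 analysis."""
    v = Verdict()
    lure_in_subject = bool(LURE_TERMS.search(msg.subject))
    for name in msg.attachments:
        if attachment_extension(name) not in EXECUTABLE_EXTENSIONS:
            continue
        v.score += 3
        v.reasons.append(f"executable attachment {name!r}")
        if lure_in_subject or LURE_TERMS.search(name):
            v.score += 2
            v.reasons.append("commerce lure theme paired with executable")
        if has_decoy_double_extension(name):
            v.score += 2
            v.reasons.append(f"decoy double extension in {name!r}")
    if msg.recipient.split("@")[0].lower() in ROLE_MAILBOXES:
        v.score += 1
        v.reasons.append("addressed to a public role mailbox")
    return v


def flagged(messages: List[Message], threshold: int = 5) -> List[Tuple[str, Verdict]]:
    """Return (subject, verdict) for every message at or above the alert threshold."""
    out = []
    for m in messages:
        v = score_message(m)
        if v.score >= threshold:
            out.append((m.subject, v))
    return out


# Constructed sample messages: the first four reuse the Table 1 pairings, the
# fifth is a constructed decoy double-extension variant, the last is benign.
SAMPLE_MESSAGES = [
    Message("ap@supplier.invalid", "sales@example.com", "Re: Purchase Order", ["PO #5479423.exe"]),
    Message("ops@courier.invalid", "info@example.com", "DHL AWB# 34 5673 0015 / shipment", ["payment.exe"]),
    Message("agency@marine.invalid", "ops@example.com",
            "M.V. Chuetsu Spirit V.62A - SI / agency appointment / PDI", ["CHUETSU DREAM V.26A SI HK.scr"]),
    Message("buyer@customer.invalid", "sales@example.com", "Quotation.", ["purchase order.exe"]),
    Message("ar@vendor.invalid", "accounts@example.com", "Invoice attached", ["invoice_2015-09.pdf.exe"]),
    Message("alice@partner.invalid", "bob@example.com", "Minutes from Tuesday", ["minutes.docx"]),
]

if __name__ == "__main__":
    for subject, verdict in flagged(SAMPLE_MESSAGES):
        print(f"[{verdict.score}] {subject}: {'; '.join(verdict.reasons)}")
```

The shipping-agency lure (a .scr attachment with no commerce keyword) only scores 3 and slips under the threshold, which illustrates why vocabulary-based rules are a triage aid rather than a control: blocking executable attachment types outright at the gateway, regardless of subject, is the stronger measure, with scoring reserved for alerting on what still gets through.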

Observed Targeting

With these distribution methods in mind, Figure 3 shows an AutoFocus visualization for the 80 countries Unit 42 observed as targeted by the Predator Pain and HawkEye threat set during the noted time period.

Figure 3: AutoFocus view of Predator Pain / HawkEye targeted countries, Jul – Sep 2015

Not surprisingly, the top-ten list of most highly targeted countries includes 7 of the 23 wealthiest in the world, based on GDP per capita:

  • United States
  • Australia
  • Canada
  • Thailand
  • Taiwan ROC
  • Kuwait
  • Japan
  • Spain
  • Italy
  • Sweden

The top ten targeted industries accounted for 82% of sessions:

  • High Tech
  • Higher Education
  • Manufacturing
  • Professional and Legal Services
  • Transportation and Logistics
  • Wholesale and Retail
  • Construction
  • Media and Entertainment
  • Telecommunications
  • Government

We suggest three reasons based on this combination of observed countries and industries targeted:

  • Innovative organizations are prime targets for a number of adversary motivations due to the capabilities and intellectual capital they aggregate.
  • Service-oriented businesses, striving to develop customer relationships, are more likely to fall victim to phishing attacks due to both organizational culture and incentives for client and customer engagement.
  • Natural target saturation occurs within countries with established or thriving infrastructure, enabling malicious actors to reach a broader range of targets remotely through technology.

Prevalent Malware Capabilities

The Predator Pain and HawkEye set of malware is feature rich, compared to most other keyloggers. The following are the capabilities Unit 42 observed as most often enabled for this threat set during the focal time period (ordered by prevalence):

  • E-mail client credential dump
  • Web browser credential dump
  • Collection of system configuration information
  • Logging of web browser activity
  • Logging of e-mail activity
  • Screenshot grabbing

Exfiltration Method Break-Out

This threat set includes three main methods of exfiltration: E-mail, PHP-based Web Panel, and FTP. Figure 4 shows the HawkEye keylogger’s settings page, where the method employed by an instance can be specified.

Figure 4: HawkEye keylogger settings screen

The Predator Pain and HawkEye configurations analyzed by Unit 42 over the focal time period revealed the following break-out for exfiltration method, with e-mail constituting the preferred method across a number of malicious actors:

Figure 5: Predator Pain / HawkEye exfiltration method break-out, Jul – Sep 2015
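The three exfiltration channels (e-mail, PHP-based web panel, FTP) map directly onto egress monitoring, which is where a defender can disrupt them. The following Python sketch is an added example, not Unit 42 code: it classifies constructed flow and proxy records, flagging endpoints that speak SMTP or FTP directly to the internet or POST to a .php resource, while letting the sanctioned mail relay through. The internal address ranges, the relay address, the constructed records and the labels are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address space treated as "inside"; everything else is the internet (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Hosts permitted to originate mail or FTP to the internet: an assumed
# allow-list holding a single corporate mail relay.
SANCTIONED_EGRESS = {"10.0.0.25"}

SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}


@dataclass
class Egress:
    ts: str
    src: str
    dst: str
    dport: int
    method: Optional[str] = None  # HTTP method, present when the record came from a proxy log
    uri: Optional[str] = None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec: Egress) -> Optional[str]:
    """Map one record to an exfiltration-channel label, or None if unremarkable."""
    if not is_internal(rec.src) or is_internal(rec.dst):
        return None  # only inside -> internet flows are of interest here
    if rec.src in SANCTIONED_EGRESS:
        return None
    if rec.dport in SMTP_PORTS:
        return "direct SMTP from endpoint (e-mail exfiltration channel)"
    if rec.dport in FTP_PORTS:
        return "FTP from endpoint (FTP exfiltration channel)"
    if rec.method == "POST" and rec.uri and rec.uri.lower().endswith(".php"):
        return "HTTP POST to a .php resource (possible web panel check-in)"
    return None


def detect(records: List[Egress]) -> Dict[str, List[Tuple[str, str, int, str]]]:
    """Group findings by source host so one noisy endpoint surfaces as one case."""
    findings: Dict[str, List[Tuple[str, str, int, str]]] = defaultdict(list)
    for rec in records:
        label = classify(rec)
        if label:
            findings[rec.src].append((rec.ts, rec.dst, rec.dport, label))
    return dict(findings)


# Constructed sample records; the internet side uses RFC 5737 documentation addresses.
SAMPLE_EGRESS = [
    Egress("2015-09-14T08:02:11Z", "10.0.5.17", "198.51.100.10", 587),                           # workstation -> SMTP submission
    Egress("2015-09-14T08:02:40Z", "10.0.0.25", "198.51.100.10", 25),                            # the sanctioned relay
    Egress("2015-09-14T08:05:03Z", "10.0.5.17", "203.0.113.5", 21),                              # same workstation -> FTP
    Egress("2015-09-14T08:06:30Z", "10.0.5.42", "203.0.113.80", 80, "POST", "/panel/submit.php"),  # panel-style POST
    Egress("2015-09-14T08:06:31Z", "10.0.5.42", "203.0.113.80", 80, "GET", "/index.html"),       # ordinary browsing
    Egress("2015-09-14T08:07:00Z", "10.0.5.17", "10.0.0.25", 25),                                # internal mail, ignored
    Egress("2015-09-14T08:09:15Z", "10.0.5.9", "198.51.100.22", 443, "POST", "/api/upload"),     # POST, but not .php
]

if __name__ == "__main__":
    for host, events in detect(SAMPLE_EGRESS).items():
        for ts, dst, dport, label in events:
            print(f"{host} -> {dst}:{dport} at {ts}: {label}")
```

The allow-list is what turns the SMTP rule from noise into signal: once only the relay may reach port 25/465/587 externally, any other host doing so is worth a case, and the same egress rule enforced on the firewall converts the detection into prevention.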

Conclusion

Prevention is the best strategy when it comes to the threat posed by keyloggers, such as the Predator Pain and HawkEye set. System hardening, integrity assurance, software version and patch management, and user awareness are just the first steps towards threat mitigation.

Recommendations for protecting against this class of threat include:

  • Employ multi-factor authentication: Knowledge-based authentication relies on the secrecy of information. Including elements of what you have (e.g., a hardware token) or what you are (e.g., biometrics) can reduce the value of stolen credentials for an adversary if that information only satisfies one level in the authentication process.
  • Limit the impact of stolen credential information: Don’t share credentials across accounts and change those credentials periodically. Adversaries commonly engage in activities such as credential stuffing in an attempt to maximize benefits of stolen credentials.
  • Maximize network control and visibility: The latest Verizon DBIR included the finding that in over 25% of breaches, the organization was notified of the breach through a third party. Inbound, outbound, and internal network traffic needs to be controlled and monitored. This is also useful for disrupting malware C2 and exfiltration channels.
  • Integrate anti-malware automated dynamic analysis (e.g., sandboxing): Identify previously unknown threats before they become much larger problems on the network. Given the anti-detection tools at the disposal of adversaries, this is a modern necessity.
  • Implement network segmentation: Avoid flat networks, where once an adversary is in they have unrestricted access to internal resources. Network segmentation is a best practice for exposing only as much as is required for specific organizational processes, moving toward a “zero trust” model. In this context, it is about further limiting the access of an adversary should they successfully compromise credentials.

Additional Reading

The following are some analyses for the Predator Pain and HawkEye malware threat set that expand on associated capabilities, attributed actors, and observed campaigns:

[Palo Alto Networks Blog]

People of Palo Alto Networks: Warby Warburton

Technology is great. People are better. “People of Palo Alto Networks” celebrates the employees who preserve our unique culture of innovation and collaboration.

Episode 1

Warby Warburton
Manager, Technical Marketing Engineering

Want to learn more about securing your career with Palo Alto Networks?

[Palo Alto Networks Blog]

10 Security Certifications To Boost Your Career

Earning a security credential can help you open the door to a great job. But you need to know which certification is the right one for you.

GIAC Security Essentials (GSEC)

Global Information Assurance Certification (GIAC) is the leading provider and developer of Cyber Security Certifications, globally recognized by government, military and industry leaders. GIAC tests and validates the ability of practitioners in areas including security administration, forensics, management, audits, software security, and legal.

Description
This certification is designed for candidates who want to demonstrate skills in IT systems roles with respect to security tasks. Ideal candidates for this certification possess an understanding of information security beyond simple terminology and concepts.

Prerequisites: None

Exam: GIAC Security Essentials (GSEC)
(180 questions, 5 hours, 73% passing score)

Approx. Cost for Exam
$1,099 USD, administered by Pearson VUE (Affiliate Pricing for GIAC Certification in conjunction with SANS training is $629 USD)

Available Courses
Recommended course: SEC401: Security Essentials Bootcamp Style.

Self-Study Material
Training events ($5,950 USD), Self-study books and DVDs ($5,350 USD), Videos from Dr. Cole

Online Practice Test
SANS Security Essentials Assessment Test, (Login credentials required)

(Image source: GIAC)

(ISC)² certifications are globally acknowledged as the Gold Standard for educating and certifying information security professionals. (ISC)² provides certification in areas such as information security, system security, authorization, software development, digital forensics and healthcare. The two key certifications are Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP).

This certification is designed for candidates interested in the field of information security. The ideal candidates are those who are information assurance professionals and know how to define the information system architecture, design, management and controls that can assure the security of business environments.

Prerequisites
Candidates must have a minimum of 5 years of paid full-time work experience in 2 of the 8 domains of the CISSP Common Body of Knowledge (CBK), which covers critical topics in security including risk management, cloud computing, mobile security, application development security, and more.

Exam
CISSP – Certified Information Systems Security Professional (250 questions, 6 hours, 70% passing score)

Approximate Cost for Exam
$599 USD (For Americas, Asia Pacific, Middle East and Africa regions), administered by Pearson VUE

URL
https://www.isc2.org/cissp/default.aspx

Available Courses
CISSP Course Overview

Self-Study Material
Exam Outline
Official (ISC)² Guide to the CISSP
Official (ISC)² CISSP CBK Training Seminar and SSCP CBK Training Seminars
(ISC)²’s Live Online course

Online Practice Tests
–(ISC)² Practice Tests App is available for iOS users: NOTE: The CISSP and SSCP practice test questions are not currently aligned with the domain refresh. New questions will be available in mid-2015.

Image Source: (ISC)²

This certification is designed for candidates interested in the field of information security. The ideal candidates are those who are information assurance professionals and know how to define the information system architecture, design, management and controls that can assure the security of business environments.

Prerequisites
Candidates are required to have a minimum of one year of cumulative paid full-time work experience in one or more of the seven domains of the SSCP CBK. Candidates who do not have the required experience may still sit for the exam and become an Associate of (ISC)² until they have gained it.

Exam
SSCP – Systems Security Certified Practitioner (125 questions, 3 hours, 70% passing score)

Approximate Cost for Exam
$250 USD (For Americas, Asia Pacific, Middle East and Africa regions), administered by Pearson VUE

URL
https://www.isc2.org/sscp/default.aspx

Available Courses
SSCP Course Overview

Self-Study Material
Exam Outline
(ISC)² Guide to the CISSP
(ISC)² CISSP CBK Training Seminar and SSCP CBK Training Seminars
(ISC)²’s Live Online course

Online Practice Tests
(ISC)² Practice Tests App is available for iOS users. NOTE: The CISSP and SSCP practice test questions are not currently aligned with the domain refresh. New questions will be available in mid-2015.

Image Source: (ISC)²


Information Systems Audit and Control Association (ISACA) certifications are globally accepted and recognized, and are known for helping candidates combine the achievement of passing an exam with credit for their work and educational experience.

The key certifications offered by ISACA are Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). Other certifications offered include Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC).

Description
This certification is for candidates who have an inclination towards organizational security and want to demonstrate the ability to create a relationship between an information security program and broader business goals and objectives. This certification ensures knowledge of information security, as well as development and management of an information security program.

Prerequisites
Candidates must have five years of work experience in the field of information security, with at least three years in the role of information security manager.

Exam
Certified Information Security Manager (CISM) (200 questions, 4 hours, 450 passing mark)

Approximate Cost for Exam
Applicants can register for an ISACA exam via online registration or a hard copy registration form. Note: there is an additional $50 USD processing fee for applying for certification. Cost of online registration: $490 USD (ISACA members) and $675 USD (non-ISACA members).

URL
http://www.isaca.org/certification/cism-certified-information-security-manager/pages/default.aspx

Available Courses
ISACA offers CISM Review courses for various regions.

Self-Study Material
CISM exam preparation, including prep resources, certification job practice, terminology, a glossary, study material and review courses in required area.

Online Practice Tests
CISM Self-Assessment Exam

Image Source: ISACA


The CISA certification is a globally recognized certification for IS audit control, assurance and security professionals. With this certification, candidates can showcase their audit experience, skills and knowledge, and demonstrate the capability to assess vulnerabilities, report on compliance and institute controls within their enterprise.

Prerequisites
Candidates must have five years of work experience in the fields of Information Systems Auditing, Control, Assurance or Security.

Exam
Certified Information Systems Auditor (CISA) (200 questions, 4 hours, 450 passing mark)

Approximate Cost for Exam
Applicant can register for an ISACA exam online registration with

URL
http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx

Available Courses
http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Prepare-for-the-Exam/Review-Courses/Pages/default.aspx
ISACA offers CISA Review courses for various regions.

Self-Study Material
CISA exam preparation, including prep resources, certification job practice, terminology, a glossary, study material and review courses in required area.

Online Practice Tests
CISA Self-Assessment Exam

Image Source: ISACA


EC-Council is a member-based organization that certifies individuals in various e-business and information security skills. EC-Council provides the following certifications: Certified Ethical Hacker (CEH); Computer Hacking Forensic Investigator (CHFI); EC-Council Certified Security Analyst (ECSA); Licensed Penetration Tester (LPT); EC-Council Network Security Administrator (ENSA); EC-Council Certified Incident Handler (ECIH); EC-Council Certified Security Specialist (ECSP); EC-Council Certified Disaster Recovery Professional (EDRP); Chief Information Security Officer (CISO); and Certified Secure Computer User (CSCU). Certified Ethical Hacker (CEH) is the most common and widely used certification.

Description
CEHv8 is a comprehensive Ethical Hacking and Information Systems Security Auditing program, suitable for candidates who want to acquaint themselves with the latest security threats, advanced attack vectors, and practical real time demonstrations of the latest hacking techniques, methodologies, tools, tricks, and security measures.

Prerequisites
Candidates must attend official training or have at least two years of information security related experience.

Exam
Certified Ethical Hacker (CEH) Exam 312-50 (125 questions, 4 hours, 70% passing score)

Approximate Cost for Exam
The version 8 exam costs $500 USD for the actual test and $100 USD as a nonrefundable fee for registration, administered by Prometric Prime/ Prometric APTC/VUE.

URL
http://www.eccouncil.org/Certification/certified-ethical-hacker

Available Courses
CEH Courseware – US Market Only ($825 USD): course outline, exam.

Self-Study Material
iLearn (Self-Paced $664 USD), Live, Online, Instructor-led ($2,895 USD)

Online Practice Tests
Online Practice Tests

Image Source: EC-Council

EC-Council Certified Security Analyst (ECSA) is an advanced ethical hacking certification and a step beyond the CEH. This certification helps analysts validate the analytical phase of ethical hacking by being able to analyze the outcome of hacking tools and technologies. By making use of innovative network penetration testing methods and techniques, an ECSA can perform the intensive assessments required to effectively identify and mitigate risks to the information security of the infrastructure. The ECSA certification is designed for candidates who are Network Server Administrators, Firewall Administrators, Information Security Testers, System Administrators and Risk Assessment Professionals.

Prerequisites
Candidates must attend official training or have at least two years of information security related experience.

Exam
ECSA v8 (150 questions, 4 hours, 70% passing score)

Approximate Cost for Exam
The version 8 exam costs $500 USD for the actual test and $100 USD as a nonrefundable fee for registration, administered by Prometric Prime/ Prometric APTC/VUE.

URL
https://cert.eccouncil.org/ec-council-certified-security-analyst.html

Available Courses
ECSA/LPT v8 Courseware + iLabs – US Market Only ($700 USD). Course outline

Self-Study Material
iLearn (Self-Paced $559.65 USD), Live, Online, Instructor-led ($2,889 USD)

Online Practice Tests
http://www.eccouncil.org/Training/ecsa-assessment

Image Source: EC-Council


CompTIA is the leading provider of vendor-neutral IT certifications, offering 16 certification exams in PC support, networking, servers, Linux, security, cloud, mobile and more. CompTIA provides certification series that test various knowledge standards, from entry-level to expert. For security specifically, CompTIA offers the CompTIA Security+ certification.

Prerequisites
Candidates must have a minimum of two years of experience in IT administration with a focus on security. Network+ certification is recommended before taking the Security+ exam.

Exam
SY0-401 CompTIA Security+ certification (90 questions, 90 minutes)

Approximate Cost for Exam
$302 USD

URL
http://certification.comptia.org/getCertified/certifications/security.aspx

Available Courses
To see what the exam covers, fill out this form.

Self-Study Material
Online learning tool, classroom training, study material, e-learning

Online Practice Tests
Click here.

Image Source: CompTIA

CWNP is a non-profit organization that sets the IT industry standard for vendor-neutral enterprise Wi-Fi certification and training. Currently, CWNP focuses on 802.11 wireless networking technologies and offers 6 levels (Entry to Expert levels) of career certification for Enterprise Wi-Fi in areas including fundamentals, administration, security, analysis, design, mastery and instruction.

The CWSP certification is a professional level wireless LAN certification that ensures candidates have the skills to successfully secure enterprise Wi-Fi networks from hackers, without dependency on the brand of Wi-Fi gear deployed in the organization.

Prerequisites
Applicant must hold a current and valid Certified Wireless Network Administrator (CWNA) credential.

Exam
CWSP-205 exam administered by Pearson VUE (60 questions, 90 minutes, 70% passing score, 80% passing score for instructors)

Approximate Cost for Exam
$225 USD

URL
https://www.cwnp.com/certifications/cwsp

Available Courses
None

Self-Study Material
CWNP offers self-study products for CWNP certification exams including books, practice tests, and kits.

Online Practice Tests
CWSP practice test questions

Image Source: CWNP

[DarkReading]

Balancing Containment and Notification: Being Practical When Handling a Data Breach

When a company suffers a data breach—or fears that it has suffered a breach—teams often go into panic mode. When the dust settles, work divides into two camps: those focused on business continuity and containment, and those focused on determining if the organization has any breach notice obligations under relevant laws.

Often, these goals can be in conflict—or at least resources to achieve these goals can conflict. Different teams work on different sides of the issue. Internal resources are stretched. Outside resources overlap. What can a company do? First, recognize that both goals are important and deserve resources. Second, account for both goals throughout the breach “process.” The following are some concrete steps companies—and their breach crisis teams—can take:

  • Before the incident: Everyone knows about creating an incident plan, and giving it a test run. But what about taking steps to understand your business realities and needs? Being prepared and ready to address a breach, if it arises, hinges on a good understanding of the types of information you have, where you have it, and with whom that information is shared. It is never too soon to start on this work, and keeping that information up-to-date can be a life saver if a breach arises.
  • Digging in—investigating an incident: This is where the work of the two goals, containment and determining notification obligations, can come into the most conflict. Obviously you will need to contain and control the incident. You will want to take steps like investigating the nature of the incident and getting the right team—with the right background—on hand. But you will also want to know some very specific facts for the lawyers who are determining whether notification is necessary. This includes understanding if there was a compromise to the information and if the information itself triggered breach notice laws (social security numbers, medical information, usernames and passwords, etc.).
  • Notification: If you determine that notification is necessary, containment should not leave the scene. Will your notice impact any ongoing investigations? Will you tip off a bad actor? These are things that should be taken into account as you draft your notifications, and as you potentially work with law enforcement pursuing said bad actors.
  • Post-notification: Once your notice goes out, you are not finished. The containment team will want to look at what lessons can be learned for next time—if there is a next time. The legal side of the house will be thinking about potential post-notice inquiries, whether they come from regulators, the press, or impacted individuals.

Regardless of whether your incident involves an aggressive bad actor bent on destroying your company or gives rise to a duty to notify, your team should ensure that it is taking appropriate steps to both contain and assess legal risks. The tips above are aimed at helping you get there.

Liisa Thomas, Esq.
Partner at Winston & Strawn LLP

Liisa will speak more on data breaches at the ISACA’s CSX 2015 cyber security conference in Washington, DC, 19-21 October 2015.

Note: This post is the third in a series of Cybersecurity Awareness Month blog posts. To learn more on the cyber security resources ISACA is offering this month, click here.

[ISACA Now Blog]
