5 Ways to Get the Most Out of Security Congress

Security Congress is less than three months away! This year’s biggest and best cybersecurity conference will be held in New Orleans, Louisiana from October 8-10. Attending this year’s event can earn you as many as 46 CPEs for the year. To make sure you get the most out of #ISC2Congress, here are five things to do before you get to NOLA:

  1. Register for workshops

Reserved seating workshops are new to Security Congress this year. We will have five workshops available throughout the conference that require a registration. If you’ve already signed up for Security Congress, great! You can login to your registration and add them to your schedule. If not, hurry! Only 60 seats will be available in each workshop and most are close to full already. Security Congress workshop session numbers are 3010, 3011, 3012, 3013, 3014 and 3015 and can be found in the online agenda.

  1. Make cybersecurity personal

The Center for Cyber Safety and Education is hosting their annual orientation session to fill you in on the latest with the Garfield program, as well as other opportunities to engage with your community. The session kicks off Tuesday aka “Center Day” at Security Congress, which will be capped off with the Center Celebration on a riverboat cruise down the Mississippi River. The cruise is a separately ticketed event, but space is extremely limited on the Creole Queen. Make sure you save your spot soon for dinner, jazz and southern hospitality!

  1. Write your questions for Town Hall

Monday afternoon will include an (ISC)² Town Hall meeting open to both members and non-members. Management and Board of Directors members will be on the panel to talk about future developments, as well as answer your questions about membership, certification and more. You can submit your questions to congress@isc2.org or ask in person.

  1. Expand your network

Meet fellow Security Congress attendees online on the (ISC)² Community Security Congress board. You can chat with speakers, find out about upcoming webinars and earn a badge for registering for the conference. When you get to Security Congress, you’ll already know your fellow attendees and can celebrate a successful few days of learning and development at the closing event: “A Night in NOLA” Networking Night at Mardi Gras World.

  1. Leave room for swag in your bag

It’s not a conference without seemingly limitless swag! You can plan out your swag collection route with this Exhibit Hall map. Sponsors from the top cybersecurity training, product and software companies will be on hand to load you up with knowledge on their latest developments – plus probably a fidget spinner or two.

[(ISC)² Blog]

Avoiding Cyber Fatigue in Four Easy Steps

By Jon-Michael C. Brook, Principal, Guide Holdings, LLC

Cyber alert fatigue. In the cybersecurity space, it is inevitable. Every day, there will be a new disclosure, a new hack, a new catchy title for the latest twist on an old attack sequence. As a 23-year practitioner, the burnout is a real thing, and it unfortunately comes in waves. You’ll stay up on the latest and greatest for months on end. Take a couple weeks off at the wrong time of year, maybe around the big security conferences (think RSA or Blackhat/DEF CON), and you could spend 6 weeks catching back up. Everyone has a take, and without getting in front of the wave, the wheat may not be easy to separate from the chaff. How can you avoid–or at least lessen–the chance of missing the next question from a CISO while still maintaining a sense of sanity?

Where does the quest for knowledge transform into chasing your own tail?

Be picky

First and foremost, carefully vet your media input sources. Every source you sign-up for will inevitably add to the noise in your feed. Each follow, every like, even entering your email address for more information opens more avenues for daily discourse. Pick a few trusted sources of information, the innovators in your niche. For cybersecurity, Bruce Schneier (@schneierblog), Gene Spafford (@therealspaf) and Brian Krebs (@briankrebs) fit the mold. They’ll put enough content on the wire for a daily read in a short amount of time.

Set time limits

Set aside a period of time each day to catch up. It’s easy to read articles 24×7. Personally, I’m click baited any time I read a headline news article. My ADD increases my penchant for distraction, and suddenly three hours of my day passed without a tangible memo, report or other accomplishment.

Choose a duration that doesn’t wipe out the entire day, probably during the morning so you’ll have water cooler talk. Maybe it’s first thing before everyone comes in or you leave for the office, or try the train, lunch time. Find a daily podcast (Raf Los aka @Wh1t3Rabbit’s Down The Security Rabbit Hole is usually interesting) and listen to it during a morning exercise. Whatever it is, limit your alert time per day; they don’t call it Twitter for nothing.

Back-scatter and bit buckets

Be prepared to be bought and sold. The luckiest thing I ever did was buy my own domain name. I use unique email addresses for everything I sign up for and then forward the important ones into folders to keep my immediate inbox clean. It’s technically a back-scatter technique. If you have to make it past a marketing wall and provide information, don’t be afraid to unsubscribe, unfollow or remove access. Your contact info will be monetized, and most reputable marketing/distribution houses fear the legal ramifications of not complying with spam prevention acts. When someone doesn’t comply appropriately, simply point that individual address to the bit bucket.

The struggle is real

Add an additional account for friends and family threads for non-business hours. Co-workers at the office won’t think you’re wasting work time on personal pursuits. You also have a chance to create a work/life balance.

No one wants to live, breathe and die work. Cyber fatigue is real …

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

[Cloud Security Alliance Blog]

Cybersecurity Certifications That Make a Difference

The security industry is understaffed. By a lot. Previous estimates by the Ponemon Institute suggest as much as 50 percent underemployment for cybersecurity positions. Seventy percent of existing IT security organizations are understaffed and 58 percent say it’s difficult to retain qualified candidates. ESG’s 2017 annual global survey of IT and cybersecurity professionals suggests the biggest shortage of skills is in cybersecurity for at least six years running. It’s a fast moving field with hacker’s crosshairs constantly targeting companies; mess up and you’re on the front page of the Wall Street Journal. With all of the pressure and demand, security is also one of the best paying segments of IT.

Cybersecurity is a different vernacular, with a set of acronyms and ideas far outside even its information technologies brethren. For the gold standard as a security professional, the title to have is the Certified Information Systems Security Professional (CISSP)from the ISC2 (isc2.org). The requirements grow increasingly strict since my testing in 2001. Not lax, mind you, but five-year industry minimums and certified professional attestation gives the credential even more heft. There is an associate version available, the Associate Systems Security Certified Practitioner (SSCP)that eliminates the time and sponsorship minimums and would be appropriate for someone new to the field.

Adding to the professional shortages are new IT delivery methods, a la cloud computing. Amazon Web Services is the giant in the space, offering several certifications for cloud architecture and implementation. Microsoft and Google round out the top three. These, too, are hot commodities, as cloud is a relatively nascent industry and not very well understood. Layer security onto the cloud platform, and you find certifications such as the Cloud Security Alliance’s Certificate of Cloud Security (CCSK) and, again, the ISC2’s Certified Cloud Security Professional (CCSP). In 2017, Certification Magazine listed cloud security certifications as some of the highest salary increases available to an IT professional.

One caveat to all of the excitement of underemployment: recruiters, headhunters and hiring managers. Position requirements are sometimes outlandish or poorly vetted, such as the requisition asking for 10 years of cloud and 20 years of security experience. Amazon Web Services started in 2006. Microsoft Azure and Google Compute Platform were seen as cannibalistic to existing revenue streams. Even five years of cloud industry experience is a lifetime, and the industry moves so fast that AWS’s Certified Solutions Architect (AWS-ASA) requires re-certification every two years vs. the standard three for the rest of IT. They, too, have a security exam recently out of beta, the AWS Certified Security Specialty, though it requires one of their associate certifications first.

If you have the appetite for learning, add privacy to the mix. The number of industry vertical regulations (healthcare’s HIPAA, Payment Card Industry’s PCI-DSS, finance’s FINRA/SOX, etc…) and regionally specific requirements (EU’s GDPR) have the International Association of Privacy Professionals (IAPP), offering eight Certified Information Privacy Professional (CIPP) certifications. As an IT professional in the US, the Certified Information Privacy Technologist (CIPT) and CIPP/US are probably the most attainable and attractive.

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

Jon-Michael C. Brook, Principal, Guide Holdings, LLC

[Cloud Security Alliance Blog]

The Old and New: Current Trends in Web-based Threats

Summary

In this blog, Unit 42 is sharing analysis and statistics from our Email Link Analysis (ELINK) from the first quarter of 2018 and highlighting interesting findings of current web threats. We will first describe statistical information about CVEs, malicious URLs and Exploit Kits (EKs), then discuss the current life cycle of these web-based threats, and wrap up with two case studies about evolving EKs and a cryptocurrency miner.

 

Statistics analysis

CVEs

In the first quarter of 2018, we found 1583 malicious URLs across 496 different domains. Attackers used at least 8 old and public vulnerabilities as shown in Figure 1. The Top 3 CVEs used are

  1. CVE-2014-6332: exploited by 774 malicious URLs
  2. CVE-2016-0189: exploited by 219 malicious URLs
  3. CVE-2015-5122: exploited by 85 malicious URLs.

The first two are vulnerabilities with Microsoft Internet Explorer’s VBScript, and the last one is an Adobe Flash Player vulnerability discovered by the Hacking Team and part of the July 2015 data leak. The exploit source code of these top 3 can easily be found on the internet.

Figure 1. CVE statistics

In addition to these top three some additional notable findings in our CVE statistics. We found attackers targeting very old vulnerabilities in Microsoft Internet Explorer, such as CVE-2008-4844 and CVE-2009-0075. According to statistics from netmarketshare[.]com, there are still 6.55% of users using Windows XP and 3.17% using old versions of Internet Explorer (IE6, IE7, IE8, IE9, IE10) as shown in Figure 2 and Figure 3.

 

Figure 2. Operating System share by version on March 2018

Figure 3. Browser share by version on Mar 2018

 

Users still using old versions of web browsers, flash players, or unpatched operating systems are very vulnerable to these attacks, particulary because they are unprotected against both old and new vulnerabilities.

 

URL statistics

We found 496 malicious domains serving these exploits hosted across 27 different countries/regions. The Top 4 are:

  1. United States: 257 domains
  2. China : 106 domains
  3. Hong Kong: 41 domains
  4. Russia: 20 domains

We created a heat map for all the malicious domains as shown in Figure 4 and the exact number of malicious domains for each country are in Table 1.

Figure 4. Malicious domain heat map

 

Countries/Regions Number of malicious domains
Turkey  2
Italy 3
Panama 1
France 8
Georgia 2
Argentina 1
 Israel 1
Australia 1
Singapore 1
Slovenia 1
China 106
Thailand 2
Germany 12
Hong Kong 41
Spain 1
Ukraine 1
Netherlands 13
United States 257
Japan 3
Switzerland 1
Russia 20
Romania 1
India 2
United Kingdom 3
Korea 9
Hungary 1
Taiwan 2

 

Table 1. Malicious domain countries and numbers

Exploit Kit Statistics

Of the 1583 URLs malicious URLs, 1284 malicious URLs are EK-related. We found Sundown and Rig EKs are slowing down not only in the number of vulnerabilities used but also in how often they are upgraded. However, KaiXin EK is still evolving. As we can see in Figure 5, below, KaiXin takes the lead when compared with Sundown and Rig. KaiXin was discovered in 2012 and became more and more active according our observations. The most exploited vulnerabilities in KaiXin are CVE-2016-0189 and CVE-2014-6322. We saw the very old EK Sinowal was also active with one malicious URL.

 

Figure 5. Exploit Kit statistics

 

Life Cycle of Web Threats

All of the malicious URLs were tagged as malicious when we first detected them. On April 11, 2018, we reviewed all 1583 malicious URLs from the first quarter of 2018 and found 54 domains which didn’t bind to a valid IP address which are in Figure 6, below. Among the 496 domains, by April only 145 domains were still alive, and of the 1583 malicious URLs only 375 were still alive.

It means at least 10% (54 out of 496) domains are registered by attackers to be used to serve exploits specially, among the remaining 442 domains approximately 66% (297 out of 442) domains did not serve exploits. The 54 malicious domains are shown in Figure 6 below.

 

Figure 6. Invalid domains

 

It also shows the life cycle of around 23% (375 out of 1583) of malicious URLs are live for over 2 months. We also drew a new malicious domain heat map for these 375 domains, shown in Figure 7, with China and U.S. having the highest numbers. The exact numbers are shown in Table 2.

 

Figure 7. Live malicious domain heat map

 

Countries/Regions Number of malicious domains
France 4
Hungary 1
China 37
Hong Kong 3
Italy 3
Spain 1
Taiwan 1
United States 68
Argentina 1
Germany 5
Russia 4
Romania 1
Korea 3
Singapore 1
Thailand 1
Turkey 1
Netherlands 5
Japan 3
United Kingdom 2


Table 2. Live malicious domain countries/regions and numbers

Case studies

EK evolving

Although EKs are not as active as previously, we are still seeing EKs evolving. KaiXin EK used the original exploit code of CVE-2016-0189 without any obfuscation when we first detected it in 2016 as showed in Figure 8.

Figure 8. First version of CVE-2016-0189 used in KaiXin EK

 

Several months later, the author(s) of KaiXin EK added 2 layers of obfuscation for CVE-2016-0189. The first layer’s obfuscation is unescape and document.write as showed in Figure 9.

 

Figure 9. First layer obfuscation of CVE-2016-0189 used in KaiXin EK

 

In the second layer obfuscation, we can see they used a VB array to store the encoded real triggerBug function and payload in Figure 10. Everytime they only needed to change the offset (here is 599), then the VB array is different, which is used to evade content-based detections like IDS/IPS.

Figure 10. Second layer of obfuscation for CVE-2016-0189 used in KaiXin EK

 

After the de-obfuscation, we can see the real payload and source exploit code in Figure 11.

Figure 11. De-obfuscation of CVE-2016-0189 used in KaiXin EK

 

Later, KaiXin EK also embedded a Flash vulnerability (CVE-2015-5122) as shown in Figure 12, and used UTF-16 encoding to evade detection as showed in Figure 13.

 

Figure 12. Combination of CVE-2015-5122 and CVE-2016-0189 in KaiXin EK

 

Figure 13. UTF-16 encoding of CVE-2016-0189 in KaiXin EK

Cryptocurrency Miner

Usually web-based threats are spread via malicious domains, however we found a malicious link (hxxp://210.21.11[.]205/HDCRMWEBSERVICE/bin/aspshell[.]html) hosting malicious content on the IP address instead of using a domain in the malicious link. The content of this malicious page is quite straight forward as showed in Figure 14.

 

Figure 14. Malicious content shows use of CVE-2014-6332

 

There are 2 parts in this malicious page. They used document.write to obfuscate the real exploit code in the first part. We can get the plain exploit code through simple de-obfuscation as shown in Figure 15.

 

Figure 15. de-obfuscation of CVE-2014-6332

 

This is CVE-2014-6332 which used an Out of Boundary (OOB) vulnerability in VBArray. If the attack succeeds, the VB code runs custom function runmumaa which generates and executes wmier.vbs that in turn downloads and executes lzdat. as shown in Figure 16 and Figure 17.

 

Figure 16. The payload of CVE-2014-6332

 

Figure 17. wmier.vbs

 

Another example of EK which used CVE-2016-6332, this time of a cryptocurrency miner hosted on a domain, there is a domain “twlife[.]tlgins[.]com[.]tw” which hosted the cryptocurrency miner payload “wu[.]exe” called by the custom VB function runmumaa. This domain appears to be a legitmate but compromised domain belonging to a Taiwan insurance company and likely compromised by attackers with a Struts vulnerability as shown in Figure 18.

 

Figure 18. malicious domain information

The second part in the exploit code is a cryptocurrency miner. It used a public JavaScript library of cryptocurrency miner named CoinHive and we can see the user is “John-doe”. More and more web Trojans are used to mine cryptocurrencies recently. More information about CoinHive, please see another blog by Unit 42.

 

Summary

Based our observation from ELINK statistics in first quarter 2018, we found that the most active EK is becoming KaiXin and it is still evolving with more layers obfuscation and adding a cryptocurrency miner. The traditional EKs, Rig and Sundown, are still alive but not too much updating and using some old exploits. Besides, not all of web-based threats are from EK, around 20% of the malicious URLs are not from an EK family and using some public exploits. All of malicious URLs detected from ELINK will be blocked by Palo Alto Firewalls, we have all of these exploits covered with IPS signature and also other Palo Alto Networks products or service like URL filtering and Threat Prevention will protect our customers from these kinds of attacks. At last, to protect yourselves from most of web Trojans, we recommend users to use the latest software and patch your system in time.

 

IOCs

Malicious domains:

http://www.primoprime[.]com

http://www.adultcre[.]online

apple-id[.]vip

iz-icloud[.]cn

icloud-appd[.]cn

http://www.icloud-mayiphone[.]com

theshoppingoffers[.]trade

casino-lemnde[.]online

tdpaas[.]com

техталенто[.]рф

http://www.icloud-fneiphone[.]com

iosny[.]cn

gavkingate[.]info

icloud[.]iosny[.]cn

http://www.appleid-ifane[.]com

app-id-itunes[.]vip

bugi1man[.]info

http://www.apple-ifngiphone[.]com

http://www.adultacream[.]online

http://www.applefind-iphone[.]com

http://www.icloud-iphoneifed[.]com

http://www.appid[.]pxret-ios[.]cn

http://www.iphone[.]firds[.]cn

com-iosvnt[.]cn

appie-pd[.]top

prestige-rent[.]eu

netrsy[.]com

icloud[.]com-iosrnx[.]cn

appie-yd[.]top

http://www.icloud[.]com-ioseat[.]cn

casinosmart[.]online

appleid-iphone[.]com

http://www.aducrea[.]online

apple-icloud-idcos[.]top

ggga[.]xyz

http://www.apple-ifena[.]com

24vipcpsins[.]online

http://www.apple-lnciphone[.]com

http://www.icloud[.]com.iosny[.]cn

http://www.icloud[.]com-ioslga[.]cn

apple-icloud-iphone[.]cn

недостаточно[.]рф

icloud-mybook[.]com[.]cn

http://www.apple[.]com.iosny[.]cn

lookogo[.]com

http://www.app-id-itunes[.]vip

http://www.iphone[.]id[.]firds[.]cn

com-iosrnx[.]cn

http://www.apple-ifoniphone[.]com

http://www.apple-icloud-ac[.]cn

appie-td[.]top

tvbsports[.]nl

icloud-id[.]co

pixelko[.]info

 and 

[Palo Alto Networks Research Center]

Is the NIST Cybersecurity Framework Enough to Protect Your Organization?

The National Institute of Standards and Technology (NIST) Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity and commonly referred to as CSF, is top of mind for many organizations.

Whether driven by the May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the need for a common framework between business partners or as a way to measure best practices, many organizations are considering adopting NIST’s framework as a key component of their cybersecurity strategy.

Initially designed by NIST to protect critical infrastructure, the framework is seeing much wider adoption across industries and organizations of various types and sizes. The CSF provides guidance and was built to be customized by organizations to meet their unique business and mission goals.

If you are embarking on implementing CSF, some areas to consider:

  • CSF does not prescribe control “requirements.” The framework only provides a very high-level requisite. While this allows organizations to perform a security assessment against CSF, the depth of the assessment is open to organizational interpretation and preference. This can lead to an assessment that leaves weaknesses undetected, giving the organization a false sense of security posture and/or risk exposure.
  • CSF does not make NIST SP 800-53 easier. If organizations use the NIST SP 800-53 requirements within the CSF framework, they must address the NIST SP 800-53 requirements per CSF mapping. This is not an easy task and generally requires additional focus.
  • CSF control categories … to what end? Control categories (IRM, RM, and EP) provided with CSF are available, but it is up to the implementing organization to determine the alignment for each control and how it applies to their risks. It is not terribly clear how these categories improve the risk assessment results.
  • CSF control tiers are not a maturity model. The CSF control tiers provided – partial, risk informed, repeatable, and adaptive – can be assigned to assessed controls. When used in aggregate, these tiers can provide an indication of the implementation level of the organization’s controls. However, if you are looking for a prescription, you might find that you are on your own. For example, CSF maintains that these tiers are not to be confused with a maturity model, so it’s up to you to decide if a ‘partial’ rating is (or is not) good enough for a particular risk.

True to any successful risk management framework, CSF or not, a suitable implementation requires a determination of business impact, risk appetite/tolerance and actual threat vectors, among other key variables. Proper knowledge and true understanding of one’s organizational risks is required when implementing CSF (or any risk management framework for that matter). By going about CSF the wrong way, your end results may belie the true state of your organization’s risk, resulting in false confidence in your current program and potentially misguided investments in resources.

Here are five practical tips to effectively implementing CSF:

  1. Start by understanding your organizational risks.
  2. Define your risk appetite (how much) and risk tolerance (acceptable variance).
  3. Choose the CSF tier that best matches your business and mission (most likely you will end up with several tiers within the same organization).
  4. Map existing frameworks (FISMA, ISO, COBIT) in your environment to CSF based on your business model.
  5. Perform initial gap analysis, then use the findings to decide your CSF strategy.

It is best to plan on integrating CSF into your business as a long-term strategy. CSF is not a one-time, quick checklist, so best to allocate the proper resources to ensure a successful implementation for long-term, effective risk management.

Baan Alsinawi, President and founder of TalaTek

[ISACA Now Blog]

English
Exit mobile version