In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised networks that would give them subsequent remote access. Even if the vulnerabilities were patched, the shell would remain until the network operators removed it.
Now, months later, many of those shells are still in place. And they’re being used by criminal hackers as well.
On Tuesday, the FBI announced that it successfully received a court order to remove “hundreds” of these web shells from networks in the US.
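The point above is that patching closes the entry hole but leaves an attacker's dropped files untouched. The following is an added example (not from the original post or from the FBI or Microsoft) of how a defender can hunt for such leftovers: hash every server-side web file from a known-clean state, then report files that are new, changed, or carry shell-like content. The directory layout, the heuristics and the sample files are all constructed here in a temporary directory; real Exchange paths differ.

```python
import hashlib
import os
import re
import tempfile

WEB_EXTS = (".aspx", ".ashx", ".asmx")

# Heuristics for ASP.NET web shell content (assumed, not from the page).
# A match is a lead for a human reviewer, never proof on its own.
SUSPICIOUS = {
    "reads request parameter": re.compile(rb'Request\s*\[\s*"[^"]+"\s*\]', re.I),
    "dynamic eval": re.compile(rb'\beval\s*\(', re.I),
    "spawns process": re.compile(rb'Process\.Start|System\.Diagnostics', re.I),
}

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_web_files(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTS):
                yield os.path.join(dirpath, name)

def build_baseline(root):
    """Hash every server-side web file under root; run this on a system that
    is known clean (fresh install, or a freshly patched and verified server)."""
    return {os.path.relpath(p, root): sha256(p) for p in walk_web_files(root)}

def find_candidates(root, baseline):
    """Return {relpath: [reasons]} for files that are new, changed, or look
    like shells. A vendor patch does not remove files an attacker added,
    so 'not in baseline' is the signal that matters most here."""
    hits = {}
    for path in walk_web_files(root):
        rel = os.path.relpath(path, root)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != sha256(path):
            reasons.append("content changed since baseline")
        with open(path, "rb") as f:
            data = f.read()
        reasons += [why for why, rx in SUSPICIOUS.items() if rx.search(data)]
        if reasons:
            hits[rel] = reasons
    return hits

def make_sample_tree():
    """Constructed sample: one clean page is baselined, then a new file is
    dropped and the clean page is tampered with. Paths only mimic OWA; the
    'shell' bodies are inert HTML comments, not working code."""
    root = tempfile.mkdtemp()
    auth = os.path.join(root, "owa", "auth")
    os.makedirs(auth)
    logon = os.path.join(auth, "logon.aspx")
    with open(logon, "wb") as f:
        f.write(b'<%@ Page Language="C#" %><html>Sign in</html>')
    baseline = build_baseline(root)
    with open(os.path.join(auth, "help.aspx"), "wb") as f:
        f.write(b'<%@ Page %><!-- constructed marker: eval( Request["cmd"] ) -->')
    with open(logon, "ab") as f:
        f.write(b'<!-- constructed marker: System.Diagnostics.Process.Start -->')
    return root, baseline

if __name__ == "__main__":
    root, baseline = make_sample_tree()
    for rel, reasons in sorted(find_candidates(root, baseline).items()):
        print(rel, "->", ", ".join(reasons))
```

On a real server, take the baseline from vendor media or a trusted peer, not from the possibly compromised host, and review each hit by hand before deleting anything.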
FireEye published its M-Trend 2021 report, based on data collected during its investigations: 650 new threat groups were tracked in 2020.
FireEye published its annual report, titled M-Trend 2021, which is based on the data collected during the investigation of security incidents it managed. Most of the incidents investigated by Mandiant (59%) in 2020 were initially detected by the victims themselves, a figure that is an improvement of 12% from 2019.
Since its launch, Mandiant has tracked more than 2,400 threat groups, 650 of them first tracked in 2020. Over the years, the experts combined or eliminated approximately 500 groups, leaving more than 1,900 distinct groups tracked at this time (+100 compared to 2019).
The threat actors tracked by Mandiant include nation-state actors, financially motivated groups, and uncategorized groups (known as UNCs).
“In 2020, Mandiant experts investigated intrusions that involved 246 distinct threat groups. Organizations faced intrusions by four named financial threat (FIN) groups; six named advanced persistent threat (APT) groups, including groups from the nation-states of China, Iran and Vietnam; and 236 uncategorized threat (UNC) groups. Of the 246 threat groups observed at intrusion clients, 161 of these threat groups were newly tracked threat groups in 2020.” reads the report published by FireEye.
ISO is shaking up the familiar structure of the ISO 27001/27002 control framework after over 20 years of stability.
Originally published as British Standard BS 7799 Part 1 and 2 in the late 1990s, adopted as the ISO 17799 standard in 2000, and then renumbered as ISO 27001/27002, the name has changed a few times but the structure of the controls has remained intact until now.
Historically ISO has resisted major changes given that so many organizations globally have adopted ISO 27001/27002 for their security policies, security programs and certifications, and considering that numerous countries have adopted or incorporated them into their own national standards.
Publication of the final standard is expected to occur in the next year.
The country’s top nuclear official … Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure … a day after it unveiled new uranium enrichment equipment. … Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack. … On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. … It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it. … Later state TV read out a statement by … Atomic Energy Organisation of Iran (AEOI) … head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” … Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.
[The] power failure … appeared to have been caused by a deliberately planned explosion. … American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the … power system that supplies the underground centrifuges. … The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss. … The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration … was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.
As required by ISO27001, the risks identified in the risk assessment need to be ones that, if they happened, would result in the loss of Confidentiality, Integrity and/or Availability (CIA) of information in the scope of the ISMS. As also required by ISO27001, the controls that are necessary to modify each risk need to be determined. Each risk gets a list of one or more controls.
This article gives some advice about how to choose/determine the controls for each risk and how control sets (e.g. Annex A, ISO27017, ISO27018, NIST CSF, CSA) can be used to help with this and as a quality check on the risk assessment.
What do we mean by necessary?
A good question!
“Needed to manage the risk”. Yes, I know that this just rephrases the word “necessary”….
In many cases this is a simple (or perhaps tricky!) matter of judgment, but each control should be checked for necessity by asking questions like these:
What effect does this control have on the likelihood or impact of this risk? Only controls that have more than a negligible effect on the likelihood or impact should be designated as “necessary”.
What would happen to this risk if this control were not in place or stopped working properly? Your answer should be “the business continues to operate and deliver all its services, but we have just increased the likelihood and/or impact of something going wrong that stops us delivering this service and/or gets in the way of meeting our objectives”. If this is not your answer, then this control is unlikely to be “necessary” and should not be included.
Extended detection and response (XDR) is a designation used when you do not have the ability to cover a wide range of threat vectors.
Simply put, XDR encompasses more than one type of detection, but it can be as little as two in some cases. But threats can come via desktop, web, SaaS applications, cloud providers, and so on, and you need more than a couple of detection capabilities to secure your systems.
So, why XDR and why now? Many providers only have a couple of threat vectors covered, and if they do not manage them for you they cannot claim to provide a managed service. Instead, they call it XDR — a great marketing term to hide the lack of coverage they provide.
Gartner defines XDR products as platforms that automatically collect and correlate data from multiple components. XDR promises to make security teams more efficient, productive and effective via centralized historic and real-time event data in common formats, and with scalable, high-performance storage, fast-indexed searches and automation-driven responses.
However, XDR solutions are pulling data from a variety of solution sets possibly comprised of even more tools, and they are flooding analysts with an overwhelming amount of threat data to be analyzed.
XDR represents a natural evolution of endpoint detection and response (EDR) solutions. It seeks to provide an all-in-one platform which includes endpoint protection, cloud access security brokers (CASBs), secure web gateways (SWGs), secure email gateways (SEGs), network firewalls, network intrusion prevention systems (NIPs), unified threat management (UTM) and identity and access management (IAM).
It takes a proverbial village of acronyms to describe what XDR is, exactly. But here’s one thing that none of this cybersecurity-speak covers — people.
XDR investments are set up for failure because they overlook the human factor. XDR is just a tool. To derive any of the tool’s value potential, you need talent empowered with the intelligence required to parse through it, apply the analytics, sort real incidents from the noise, and prioritize responses. Without them, using XDR amounts to simply dumping everything you can possibly collect about threats in a big pot and letting it simmer. Plus, attackers will continue to find new approaches to get through.
It’s similar to the more traditional industry staple, security information and event management (SIEM), which arrived as an answer for organizations with several different analysts and consoles, each one looking for smoking guns.
Through SIEM, companies sought to eliminate these inefficiencies by aggregating all consoles and putting everything in one place (including the smoking guns). Thus, at their core, SIEM and XDR are conceptually the same and hindered by the same problem: you need people on board who know what to do with these tools to get anything out of them.
In addressing this missing factor organizations are turning to what will be the last of our acronyms: MDR (managed detection and response). This security as a service (SaaS) offering provides companies access to outside analysts who command expertise in all XDR capabilities for comprehensive coverage, detection, and response. They remove the burden of triage from in-house IT teams with the ability to continuously and effectively receive and prioritize events. They reduce false positives while investigating high-risk incidents before they escalate, with up-to-date intelligence across all customer deployments.
In other words, proper MDR is managed XDR. As a result, the customer’s security team members don’t have to procure their own intelligence feeds and the solution is more than just a tool. They no longer handle up to 10,000 alerts a day, or suffer from alert fatigue. They are liberated from these burdens so they can focus instead on bigger-picture, strategic initiatives to improve the overall security posture of their companies.
Because of these advantages, MDR is positioned for broader adoption, as one-quarter of organizations are now using an MDR service, with 72 percent of them decreasing the time it takes to resolve attacks by 25 to 100 percent. Among those that do not currently use it, 79 percent are either evaluating or are considering the adoption of such a service.
These organizations are still getting XDR. However, as indicated, they’re acquiring a managed services version of it, which means they’re buying the external staffing and know-how that can transform a tool into a comprehensive, impact-making capability. This drives toward the inherent value of the human touch — a value which especially benefits companies that can’t afford to internally staff 24/7/365 coverage for threat detection and response.
An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work — which is why MDR may be the only acronym that your organization needs.
Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. These seem to have been exploited by “Western government operatives actively conducting a counterterrorism operation”:
The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.
The Stuxnet virus cyber-attack launched by the U.S. and Israel unleashed malware with unforeseen consequences. Delve deep into the burgeoning world of digital warfare in this documentary thriller from Academy Award® winning filmmaker Alex Gibney.
Those of us in the security industry saw the need to identify and share incident and vulnerability information, but unfortunately ‘security through obscurity’ was often the approach taken – operations over protection. Fast forward to today, and whether you agree or disagree with the state of software security, we at least have the forums and infrastructure to address the issues at a working level.
The Forum of Incident Response and Security Teams (FIRST) is an international organization that provides best practices and assistance when dealing with a security incident. If an attack is underway, there is often strength in numbers for all those being exploited, and this is an avenue to share that information. If you come across a vulnerability in the software you are using on your systems, you have some options on how to handle it.
Many reported vulnerabilities are characterized under the Common Vulnerabilities and Exposures tracked in the National Vulnerability Database (NVD) maintained by MITRE. You should check here first to see if the issue is already reported. If it exists in the database, then the vendor is aware of the issue and should be working to correct it, though there is a level of confidentiality involved to prevent public disclosure and exploitation before a fix is available. While I mentioned FIRST and NVD, your company may have other reporting requirements, so check first.
In the news this week with their annual PWN2OWN 2021 competition, the Zero Day Initiative continues to discover new vulnerabilities that will need to be addressed. This is a valuable service that allows the vendors to fix the previously unknown issues, discovered by the security research experts, before they are publicly disclosed for open exploitation.
Like those experts, we have an obligation to take action on any vulnerabilities we may discover in performing our regular patch or IT activities. Take the time to see if the vulnerability has been reported and contact the vendor to see if it is a known issue. We all benefit in the long run.
When selecting an attack detection solution, no single product will provide the detection required to identify and defend against the current advanced threat landscape. The holistic aspect of defending against threat actors requires technology, expertise, and intelligence.
The technology should be a platform of integrated technologies providing detection at each point of entry that a threat actor may use such as email, endpoint, network, and public cloud. These should not be disparate technologies that don’t work together to holistically defend the organization.
We must use technologies that can scale against threat actors that have a very large number of resources. The technology should also be driven by intelligence cultivated from the frontlines, where incident responders have an unmatched advantage. It is also important to remember that, post-exploitation, threat actors masquerade as your own employees, making it difficult to distinguish legitimate from non-legitimate activity occurring on the network or your endpoints.
This is where intelligence and expertise are extremely valuable in determining when a threat actor is operating within the organization. Being able to identify the threat actor’s “calling card” and potential next moves is paramount. While many solutions will claim they defend against advanced threats, it is important to understand the experience that a vendor has and how that is incorporated into their product offering.
The SolarWinds hack was a classic supply chain attack, compromising downstream organizations in order to traverse the victim’s extended enterprise of customers, suppliers, vendors and other third parties to gain unauthorized access to their on-premises and cloud systems.
The hack was unprecedented, transforming a core security product into a malware delivery system that provided unauthorized access to sensitive data for a minimum of nine months by escalating privileges, forging access tokens, and other alterations that went undetected.
Minimize supply chain cyberattacks
How can your organization protect itself from data breach by affected third parties in your supply or value chain? Apart from “basics” such as enforcing least privilege for third-party users and forcing administrative password resets on initial use (to avoid “username:admin, password:admin” scenarios), below are four unique and effective ways your organization can mitigate access-related third-party risk.
In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”.
According to Europol:
The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill the ex-girlfriend of the suspect.
Heavy stuff, though Europol isn’t saying much more about how it traced the suspect other than that it “carried out an urgent, complex crypto-analysis.”
In this case, the word crypto is apparently being used to refer to cryptocurrency, not to cryptography or cryptanalysis.
In other words, the investigation seems to have focused on unravelling the process that the suspect followed in purchasing the bitcoins used to pay for the “hit”, rather than on decrypting the Tor connections used to locate the “hitman” in the first place, or in tracing the bitcoins to the alleged assassin.
Fortunately (if that is the right word), and as we have reported in the past, so-called dark web hitmen often turn out to be scammers – after all, if you’ve just done a secret online deal to have someone killed, you’re unlikely to complain to the authorities if the unknown person at the other end runs off with your cryptocoins:
Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has found that cybercriminals increasingly often use legitimate services such as Google Forms and Telegram to obtain user data stolen on phishing websites. Alternative ways to obtain data help cybercriminals keep it safe and start using the information immediately. In addition, ready-to-go platforms that automate phishing and which are available on the darknet also have Telegram bots at their core, with an admin panel that is used to manage the entire process of the phishing attack and keep financial records linked to them. Such platforms are distributed under the cybercrime-as-a-service model, which subsequently leads to more groups conducting attacks. They also widen the scope of cybercriminal activity.
Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and — traditionally — financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.
A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked. By extracting phishing kits, cybersecurity analysts can identify the mechanism used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of phishing kits helps analysts detect digital traces that might lead to the developers of the phishing kit.
In 2020, as in the previous year, the main target for cybercriminals were online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.
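The paragraphs above say that analysts examine extracted phishing kits to find where stolen data goes, and that Telegram bots and Google Forms are now common collection channels. The following is an added example (not Group-IB's tooling) of that triage step: it scans kit source text for those channels plus plain e-mail drops and returns the identifiers an analyst would report to the abuse teams. The kit fragments are constructed, with placeholder tokens and IDs.

```python
import re

# Each pattern captures the identifier worth pivoting on or reporting.
# Telegram bot tokens look like <digits>:<alnum>; the Google Forms endpoint
# that receives submissions is .../forms/d/e/<form id>/formResponse.
CHANNELS = {
    "telegram_bot": re.compile(r"api\.telegram\.org/bot([0-9]+:[A-Za-z0-9_-]+)/"),
    "telegram_chat": re.compile(r"chat_id[=\"':\s]+(-?[0-9]+)"),
    "google_form": re.compile(r"docs\.google\.com/forms/d/e/([A-Za-z0-9_-]+)/formResponse"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def extract_channels(source):
    """Return {channel: sorted unique identifiers} found in one file's text."""
    found = {}
    for name, rx in CHANNELS.items():
        ids = sorted(set(rx.findall(source)))
        if ids:
            found[name] = ids
    return found

def scan_kit(files):
    """files: {filename: text}. Returns {filename: channels} for every file
    that sends data somewhere, so nothing in the kit is overlooked."""
    report = {}
    for fn, text in files.items():
        channels = extract_channels(text)
        if channels:
            report[fn] = channels
    return report

def indicators(report):
    """Flatten a report into a deduplicated list of (channel, id) pairs,
    the form in which they are sent to Telegram/Google abuse or a blocklist."""
    pairs = set()
    for channels in report.values():
        for name, ids in channels.items():
            pairs.update((name, i) for i in ids)
    return sorted(pairs)

# Constructed kit fragments: PHP-looking text, not a working kit.
SAMPLE_KIT = {
    "login.php": (
        "<?php // constructed fragment\n"
        "$chat_id = '-1001234567890';\n"
        "$api = 'https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN/sendMessage';\n"
    ),
    "submit.php": (
        "<?php // constructed fragment\n"
        "$form = 'https://docs.google.com/forms/d/e/CONSTRUCTED_FORM_ID/formResponse';\n"
        "$to = 'drop@example.com';\n"
    ),
    "index.html": "<html>Sign in to your account</html>",
}

if __name__ == "__main__":
    for fn, channels in scan_kit(SAMPLE_KIT).items():
        print(fn, channels)
    print(indicators(scan_kit(SAMPLE_KIT)))
```

Kits are often obfuscated or split across include files, so run this over every file after decoding, and treat an empty result as "look harder", not "no exfiltration".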
The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.
Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:
The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.
According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.
The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.
We remain deeply concerned, therefore, that the Council of the European Union is seeking to adopt new rules that would effectively do away with encryption. At the end of last year, they released a five-page resolution that called for the EU to pass new rules to govern the use of end-to-end encryption in Europe. We are completely against this resolution as it effectively ends the notion of true encryption.
There’s no such thing as strong encryption if you allow the institution of backdoors for government or law enforcement officials – and don’t believe any politicians who say otherwise – they are, at best, ill-informed. The most important takeaway here is that encryption is either secure or it is not. Users either have privacy or they do not.