InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:
Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications. DISC can then provide recommendations to mitigate these vulnerabilities and enhance the organization’s overall security posture.
Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.
By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help, and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com) or through our website’s contact form.
Contact DISC InfoSec if you need further assistance with your ISO 27001:2022 transition plan.
As threats to both data security and personal privacy pile up, fighting back has never been more important. The Deeper Connect Pico packs both privacy tools and cybersecurity protection into a unit you can drop into your pocket.
The Pico is easy to install, taking just a minute to set up and connect. It has no subscriptions to manage or add-ons to buy, as it’s a hardware tool. Nor will it require any updates, as it’s built to be a plug-and-play device and comes with a wireless adapter.
Powered from any USB source and drawing only 1W of power, it weighs just 0.11 lb and is only 3.4 inches long by 1.2 inches wide. The brushed aluminum casing is rugged and discreet, so you can throw it in your bag, hang it off your keychain, or keep it in your pocket.
Once connected, the Pico drops an enterprise-grade seven-layer firewall in front of snoops and malicious actors. Using an onboard quad-core ARM processor strong enough to work on the blockchain while you’re idle, the firewall prevents common attacks and alerts you when they happen, so you can take further action.
Also built into the hardware is an ad blocker that cuts off certain attacks and guards your privacy. It’s backed up by one-click parental control, so kids can log onto public networks while you keep the rules in place.
Providing extra security, the decentralized private network (DPN) uses other Picos as nodes for its network, with smart routing, multi-routing, and other functions across an ever-changing network that adds an extra layer of obfuscation for would-be snoops.
The world is becoming more complex, with more risks to your data when you connect to public networks. This hardware cybersecurity and VPN tool takes the worry out of connecting with others.
“Learning is an experience. Everything else is just information.”
The quote implies that true learning is not just about acquiring information but also experiencing it in a way that creates a deeper understanding and meaning.
Learning involves more than just memorizing facts or acquiring knowledge. It requires actively engaging with the material, processing it, and making connections between different concepts. When we experience something, we engage with it on a deeper level, and this can lead to a more meaningful and lasting learning experience.
For example, imagine learning a new language by simply memorizing vocabulary words and grammar rules without ever actually practicing the language with native speakers or immersing oneself in the culture. In contrast, if we actively engage with the language by speaking it, listening to it, and experiencing the culture, we are more likely to develop a deeper understanding and appreciation for the language.
Therefore, while information is necessary for learning, it is not sufficient on its own. To truly learn and understand something, we must engage with it and experience it in a meaningful way.
Looking to enhance your Linux skills? Practical examples to build a strong foundation in Linux – credit: Ramesh Nararajan
The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.
Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.
The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.
DC Health Link: A Significant Breach
In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.
“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.
Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.
A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.
IntelBroker’s Resume of Previous Breaches
This is not the first big heist for the group: in February, a threat actor using the same moniker claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service.
Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone numbers, and even order notes which included apartment and building access codes.
Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill, says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with a 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.
IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says.
“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.
In November, IntelBroker claimed that it used Endurance to steal data from high-level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.
“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.
Is House Members’ PII a National Security Threat?
Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).
The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.
“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.
Fier assesses the data that the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”
Akamai reported that on February 23, 2023, at 10:22 UTC, it mitigated the largest DDoS attack ever. The attack traffic peaked at 900.1 gigabits per second and 158.2 million packets per second. The record-breaking DDoS was launched against a Prolexic customer in Asia-Pacific (APAC).
“On February 23, 2023, at 10:22 UTC, Akamai mitigated the largest DDoS attack ever launched against a Prolexic customer based in Asia-Pacific (APAC), with attack traffic peaking at 900.1 gigabits per second and 158.2 million packets per second.” reads the post published by Akamai.
The company pointed out that the attack was intense and short-lived, with most attack traffic bursting during the peak minute of the attack. The overall attack lasted only a few minutes.
Akamai mitigated the attack by redirecting the malicious traffic through its scrubbing network.
Most of the malicious traffic (48%) was handled by scrubbing centers in the APAC region, but the company says that all 26 of its centers were loaded, with a single center in HKG handling 14.6% of the total traffic.
Akamai states that there was no collateral damage thanks to its defense.
The previous record-breaking distributed denial of service attack mitigated by Akamai hit a customer in Europe in September 2022. At the time, the malicious traffic peaked at 704.8 Mpps and appeared to originate from the same threat actor behind another record-breaking attack that Akamai blocked in July and that hit the same customer.
In January, Microsoft announced that its Azure DDoS protection platform had mitigated a record 3.47 Tbps attack that targeted one of its customers with a packet rate of 340 million packets per second (pps).
The attack took place in November and hit a customer in Asia, it originated from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.
The 3.47 Tbps attack was the largest one Microsoft has mitigated to date, and likely the largest ever recorded.
A surge of cybersecurity incidents and a general feeling of work overload is leading to widespread burnout among IT security professionals, two surveys indicated.
A Cynet survey of chief information security officers (CISOs) of small to midsize businesses found nearly two-thirds (65%) said their ability to protect their organization is compromised due to an overwhelming workload–with nearly 100% admitting they needed additional resources.
The stress levels are affecting entire IT security teams, with nearly three-quarters (74%) of CISOs surveyed admitting they have lost team members because of work-related stress issues.
Nearly half (47%) of these CISOs have had more than one team member exit their role over the last 12 months.
Burning Out and Fading Away
Respondents to a Magnet Forensics survey said the rapid evolution of cybercrime is weighing on security teams substantially more than it did last year, leading to widespread burnout. Alert and investigation fatigue are twin contributing factors, the survey revealed.
The study also revealed that the evolving nature of threats is extending response times beyond what they feel is acceptable—43% of respondents said it takes them between one week and more than a month.
Nearly a third of respondents said that identifying the root cause of an incident requires either a “complete overhaul” or “major improvements” in the organization’s threat posture.
“We’re seeing a direct correlation between burnout and the increased activity of cybercriminals who are relying on more complex strategies and bombarding organizations with more attacks,” explained Adam Belsher, CEO of Magnet. “New cybersecurity regulations also impacted our respondents who said they’re now under increased pressure to get answers faster.”
He pointed out that a global talent shortage resulted in hiring challenges, and that digital forensics and incident response practitioners (DFIR) find themselves in a difficult situation.
“They need to respond to more incidents, get answers faster and do so while knowing no reinforcements are on the way,” Belsher noted. “It’s no surprise that they’re burned out.”
George Tubin, director of product marketing for Cynet, added that what stood out most is what a vicious cycle this work-related stress is. Their stress at work spills over into their personal lives, which increases their stress at work—and repeat.
“Because of their workload and stress, these CISOs said they’re missing vacations and private events and they’re also losing their tempers with family and friends. This only exacerbates their stress levels,” he says.
In addition, 80% of them have received complaints about how they handled security tasks and two-thirds said their ability to protect their organizations is compromised due to work overload and stress.
More Cybersecurity Staff Needed to Combat Burnout
The Cynet survey also asked CISOs whether they need more people, and the general consensus is that they could use 30% more staff.
They also said they’ve compromised on hiring decisions because it’s so hard to find good cybersecurity people.
“But, when we asked them what initiatives could help them reduce stress levels, rather than say hire more, more CISOs stated technology consolidation and automation, as well as outsourcing,” Tubin says. “Cybersecurity technology has become so complicated and so expensive that the cure is almost as bad as the disease.”
Belsher noted that each factor contributing to the burnout of DFIR practitioners is out of their hands.
“They can’t control how often cybercriminals attack their organizations or the methods they use,” he said. “Cybercriminals have continued to find new threat vectors and ways to scale the volume of their attacks. That won’t change in 2023.”
That means organizations must adapt to this threat landscape beyond trying to hire themselves out of this problem.
“If we maintain the status quo, burnout will only get worse,” he says. “Automation is essential to scaling the capacity of DFIR teams.”
Tubin agreed, noting that a couple of the survey questions asked the respondents to compare the past year with previous years; the results were consistent or had become slightly worse.
“Unless these security leaders can somehow relieve their stress, mainly through simplifying and automating their cybersecurity technology, I expect the situation to get worse before it gets any better,” he said.
He added that CEOs and the board should be concerned about the threat of burnout, especially considering that this stress is leading to a degradation in security outcomes that increased risk for the organization.
“CEOs and board members should proactively reach out to their security leaders to discuss ways to reduce stress and improve the company’s security posture,” he advised.
Belsher pointed out that cybersecurity and IT personnel can’t tackle burnout alone.
“Mental health is a company-wide imperative that executives, HR departments and all people leaders should play an active role in addressing,” he said.
It is possible to use AI for offensive security, just as it is possible to use any technology for malicious purposes. However, the use of AI for offensive security raises significant ethical concerns and legal considerations.
AI could be used to automate and scale attacks, such as phishing, malware propagation, or social engineering. It could also be used to analyze large amounts of data to identify vulnerabilities or weaknesses in security systems, and to develop targeted attacks.
However, the use of AI for offensive security could also have unintended consequences, such as collateral damage or false positives. Furthermore, it raises concerns about accountability and responsibility, as it may be difficult to trace the origin of an attack that is automated and conducted by a machine learning system.
Overall, the use of AI for offensive security is a complex and controversial issue that requires careful consideration of the ethical and legal implications. It is important to always use technology responsibly and ethically.
ChatGPT is just the tip of the iceberg! 15 artificial intelligence tools that may be useful to you:
1. Midjourney: a tool that creates images from textual descriptions, similar to OpenAI’s DALL-E and Stable Diffusion.
2. RunwayML: edit videos in real time, collaborate, and take advantage of over 30 magical AI tools.
3. Otter AI: transform audio into text with high accuracy. Use this tool for meeting notes, content creation and much more.
4. Copy.AI: the first copywriting platform powered by artificial intelligence. This tool helps generate content for websites, blog posts, or social media posts, helping increase conversions and sales.
5. Murf AI: convert text to audio and generate studio-quality narrations in minutes. Use Murf’s realistic AI voices for podcasts, videos and all your professional presentations.
6. Flow GPT: share, discover and learn about the most useful ChatGPT prompts.
7. Nocode.AI: the Nocode platform is a way to create AI solutions without ever writing a single line of code. It’s a great way to quickly test ideas, create new projects, and launch businesses and new products faster.
8. Supernormal: this tool helps create incredible meeting notes without lifting a finger.
9. TLDRthis: this AI-based website helps you summarize any part of a text into concise and easy-to-digest content, so that you can rid yourself of information overload and save time.
10. TheGist: summarize any Slack channel or conversation with just one click! This AI analyzes Slack conversations and instantly creates a brief summary for you.
11. Sitekick: create landing pages with AI by telling it what you want via text.
12. Humanpal: create avatars with ultra-realistic human appearances!
13. ContentBot: write content for articles, ads, products, etc.
14. Synthesia: create a virtual presenter that narrates your text for you. Synthesia is an AI video creation platform that can create videos in 120 languages, saving up to 80% of your time and budget.
15. GliaCloud: this tool converts your text into video. Generate videos for news content, social media posts, live sports events, and statistical data in minutes.
With the rise of online commerce, digital marketing, online data storage and internet communication, big and small businesses should already know the importance of cybersecurity. Statistics report that more than 50% of cyberattacks happen every week to different companies worldwide. Inadequate cybersecurity precautions increase the risk of a company suffering security breaches and losing its customers’ sensitive or confidential data. For this reason, entrepreneurs and business owners from all industries must implement a robust security information and event management (SIEM) strategy in their companies.
What Is SIEM?
SIEM is a technological security solution that provides a comprehensive view of all data and activities happening in an IT infrastructure. It monitors network activities and detects unusual or suspicious behaviours to mitigate cyberattacks. As businesses expand their IT systems and networks, new risks emerge with each upgrade, often including potential compliance breaches and increased susceptibility to cybercriminals.
You must have an efficient Security Operations Center (SOC) to implement SIEM technology in your organisation. The SOC is responsible for managing all the security monitoring and analysing the data gathered from the SIEM platform.
If you don’t have a SOC yet, you can work with services like Castra or any managed security operations provider. You’ll work with a team of experts who proactively monitor your business’s security 24/7, giving you peace of mind that your organisation and its highly sensitive data are always protected.
Both the SIEM and SOC are crucial to each other. Without SIEM, the SOC will have difficulty monitoring your company’s IT infrastructure. And without SOC, no experts will be there to analyse the data gathered from the SIEM tool.
What Are The Main Roles Of SIEM?
There’s a lot more to this cybersecurity solution than simply detecting abnormalities and suspicious activities in all your network applications. To learn more, here are the primary roles of SIEM that will significantly benefit your business:
1. Log Collection And Management
SIEM solutions will collect and analyse event data from different sources across your company’s network and IT infrastructure to gain better network visibility. SIEM analyses various applications, external and internal technologies, multiple cloud environments and even logs from different users in real time. This process makes it easier for the SOC or security experts to manage the company’s network flow from one centralised location.
This increased network visibility also helps reduce false positive alerts. All potential cyber threats and issues are catalogued according to their type, status and severity, which makes it easier for the security team to identify and review true and false security alerts.
2. Event Correlation and Analytics
Another role that SIEM plays in effective log analysis is employing event correlation, forensics and analytics. These processes are necessary to quickly detect cyberattacks and data breaches in real time and mitigate threats to business security. With this function, SIEM can eliminate the need for manual processes, significantly improving the IT security experts’ mean time to detect (MTTD) and mean time to respond (MTTR) against any cyberattack.
3. Incident Tracking and Security Alerts
SIEM’s centralised network management can be an efficient tool for incident tracking and security alerts. This solution enables security and IT experts to identify and track all entities across all connected applications, devices and users from one platform.
This tool also has customisable and predefined correlation rules where the management or business administrators can be alerted immediately in case of any cyberattack. This way, they can take the necessary actions before the threat worsens into more complicated and dangerous security issues.
For example, suppose SIEM detects a potential cyber threat on one of your employees’ computers. Instead of someone manually checking that computer and running security tests, the SIEM automatically raises the alert and applies security controls to stop the suspicious activity from progressing. This significantly reduces the time the security team needs to deal with the concern.
Furthermore, SIEM’s incident management will help ensure that the compromised, corrupted, or attacked data/device will be quarantined, along with its malicious codes. This will prevent the cyberattack from spreading and attacking more devices, avoiding large-scale breaches.
Regardless of how small or big your organisation is, SIEM is highly effective in protecting your network from ever-evolving threats. Most importantly, your company can customise this solution to meet your business’s requirements.
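The correlation and severity-based alerting described in this section, as an added example that is not part of the original article or any vendor’s SIEM: it runs a sliding-window brute-force logon rule over constructed Windows-style logon events (Security event IDs 4625 and 4624), catalogues the resulting alerts by type, status and severity, and maps severity to containment steps. The event field names, the threshold and window, and the playbook are assumptions of this example.

```python
"""SIEM-style correlation of Windows logon events into severity-ranked alerts."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security log: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security log: an account was successfully logged on
SEVERITY_RANK = {"Critical": 0, "High": 1, "Low": 2, "Information": 3}


def _ev(ts, host, event_id, user, src_ip):
    """Build one normalised event; the field names are this example's assumption."""
    return {"ts": ts, "host": host, "event_id": event_id, "user": user, "src_ip": src_ip}


# Constructed sample events, deliberately out of order to exercise the sort step.
SAMPLE_EVENTS = [
    # five failures in under a minute against HR-PC-07, then a success from the same source
    _ev("2023-03-08T09:00:58", "HR-PC-07", FAILED_LOGON, "jdoe", "10.0.5.23"),
    _ev("2023-03-08T09:00:01", "HR-PC-07", FAILED_LOGON, "jdoe", "10.0.5.23"),
    _ev("2023-03-08T09:00:12", "HR-PC-07", FAILED_LOGON, "jdoe", "10.0.5.23"),
    _ev("2023-03-08T09:00:25", "HR-PC-07", FAILED_LOGON, "jdoe", "10.0.5.23"),
    _ev("2023-03-08T09:00:40", "HR-PC-07", FAILED_LOGON, "jdoe", "10.0.5.23"),
    _ev("2023-03-08T09:01:31", "HR-PC-07", SUCCESS_LOGON, "jdoe", "10.0.5.23"),
    # a user mistyping a password twice, then succeeding: below threshold, no alert
    _ev("2023-03-08T09:02:00", "FIN-PC-02", FAILED_LOGON, "asmith", "10.0.7.10"),
    _ev("2023-03-08T09:02:20", "FIN-PC-02", FAILED_LOGON, "asmith", "10.0.7.10"),
    _ev("2023-03-08T09:02:35", "FIN-PC-02", SUCCESS_LOGON, "asmith", "10.0.7.10"),
    # five failures spread over ten minutes: never five inside one two-minute window
    _ev("2023-03-08T10:00:00", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T10:02:30", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T10:05:00", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T10:07:30", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T10:10:00", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    # five failures inside the window with no success afterwards: High, not Critical
    _ev("2023-03-08T11:00:00", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T11:00:10", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T11:00:20", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T11:00:30", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
    _ev("2023-03-08T11:00:45", "DEV-PC-11", FAILED_LOGON, "admin", "10.0.9.4"),
]


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window rule: `threshold` failed logons from one source against one
    host inside `window` raise a High alert; a successful logon from that source
    while the burst is still inside the window escalates it to Critical.
    Returns one alert per (host, src_ip), most severe first."""
    recent = defaultdict(list)  # (host, src_ip) -> timestamps of 4625s still in the window
    alerts = {}                 # (host, src_ip) -> alert record, escalated in place
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src_ip"])
        ts = datetime.fromisoformat(ev["ts"])
        recent[key] = [t for t in recent[key] if ts - t <= window]  # slide the window
        if ev["event_id"] == FAILED_LOGON:
            recent[key].append(ts)
            if len(recent[key]) >= threshold:
                alert = alerts.setdefault(key, {
                    "type": "logon_bruteforce", "status": "open", "severity": "High",
                    "host": ev["host"], "src_ip": ev["src_ip"], "user": ev["user"],
                    "first_seen": recent[key][0].isoformat(), "failures": 0,
                })
                alert["failures"] = max(alert["failures"], len(recent[key]))
                alert["last_seen"] = ev["ts"]
        elif ev["event_id"] == SUCCESS_LOGON and len(recent[key]) >= threshold:
            # a success right after a qualifying burst: the guessing probably worked
            alerts[key].update(severity="Critical", type="logon_bruteforce_success",
                               user=ev["user"], last_seen=ev["ts"])
            recent[key].clear()
    return sorted(alerts.values(),
                  key=lambda a: (SEVERITY_RANK[a["severity"]], a["first_seen"]))


def recommended_actions(alert):
    """Illustrative containment playbook keyed on severity (an assumption of this example)."""
    if alert["severity"] == "Critical":
        return ["isolate_host", "disable_account", "page_soc_oncall"]
    if alert["severity"] == "High":
        return ["block_source_at_edge", "notify_soc"]
    return ["log_only"]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["type"], a["host"], a["src_ip"], a["failures"],
              "->", ", ".join(recommended_actions(a)))
```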
4. Compliance Management and Reporting
Most organisations, across industries, must report on various forms of regulatory compliance. Because SIEM is an efficient tool for collecting and verifying data from the company’s entire infrastructure, it is a popular choice for producing compliance reports.
SIEM can produce real-time compliance reports for various compliance standards. It also spares the security team the hassle of manually creating reports, which are prone to inaccuracy.
Conclusion
SIEM allows businesses and organisations to protect their networks and IT infrastructures from various security challenges. Its comprehensive security surveillance and other major roles for your company make SIEM a worthy investment for your organisation.
There are many web vulnerability scanners available on the market and their performance varies widely. Here we show you how you can quickly and objectively evaluate web vulnerability scanners, to help you find the best product for detecting security issues in your web applications.
Evaluating a web vulnerability scanner can be a complex task, but here are some key factors to consider:
Accuracy: The most important factor to consider is the accuracy of the scanner. A good scanner should be able to detect all types of vulnerabilities accurately, without generating false positives or negatives.
Coverage: The scanner should be able to scan all areas of the web application, including dynamic and static content, as well as all types of input fields, including cookies and hidden fields.
Speed: The scanner should be fast and efficient, with the ability to scan large web applications quickly.
Ease of use: The scanner should be easy to use, with a user-friendly interface and clear reporting of vulnerabilities.
Reporting: The scanner should generate detailed reports of vulnerabilities, with clear descriptions of each vulnerability, its severity, and recommendations for remediation.
Integration: The scanner should be able to integrate with other tools, such as bug tracking systems and penetration testing tools.
Support: The vendor should provide good technical support and regularly update the scanner with new vulnerability signatures and features.
It’s also important to test the scanner against known vulnerabilities to see how it performs in real-world scenarios. Additionally, comparing multiple scanners against the same web application can help identify strengths and weaknesses of each scanner.
A cyber security operations center (SOC) protects organizations and their customers’ sensitive business data. It ensures active monitoring of the business’s valuable assets, with visibility, alerting and investigation of threats, and a holistic approach to managing risk.
The analytics service can be in-house or a managed security service. Collecting event logs and analyzing them against real-world attacks is the heart of the security operations center.
Events – The security operations center
Systems generate events such as error codes, and devices generate events recording the success or failure of their normal functions, so event logging plays an important role in detecting threats. An organization typically runs many flavors of Windows and Linux as well as firewalls, IDS, IPS, proxies, NetFlow, ODBC sources, AWS, VMware, etc.
These devices track attackers’ footprints as logs and forward them to SIEM tools for analysis. In this article we will see how events are pushed to the log collector. To know more about Windows events or event IDs, refer Here.
Log Collector
A log collector is a centralized server that receives logs from any device. Here I have deployed the Snare Agent on a Windows 10 machine, so we will collect Windows event logs and detect attacks on the Windows 10 machine using the Snare Agent.
Snare is a log collection and event analysis solution for SIEM (Security Information and Event Management) pipelines. It runs on Windows, Linux and Apple OSX, and its database agent supports MSSQL events generated by Microsoft SQL Server. Both Enterprise and Open Source agents are available.
Snare Installation
For demo purposes I have used no credentials, but it is always recommended to protect the console with strong passwords so that logs cannot leak.
Snare web interface:
By default, snare will run at Port 6161.
A random port can also be chosen with TCP or UDP or TLS/SSL Protocols.
Snare will ask for credentials to log in. Here I have given no authentication.
The below figure shows the snare agent install success and provides additional details on screen.
Network & File Destination Configuration
Our Windows 10 machine has started sending event logs to the Snare console.
Snare console is running at localhost and collecting logs from a windows machine.
NOTE: Logs can be sent to a centralized server, then the centralized server push logs to SIEM (To reduce the load in SIEM this method is used), send snare logs directly to SIEM (If your SIEM is capable of good storage for a long and short-term log retention this method can be deployed), It recommended to configure your SIEM with port details of snare and test connection should be the successor to collect logs.
So you can change network destination IP to SIEM IP or LOG COLLECTOR IP.
Above figure shows destination is configured with localhost to collect and store event logs in various format SNARE, SYSLOG, CEF (Common Event Format) or LEEF (Log Event Extended Format)
By default, it will be collecting logs and saving file with snare format & logs are forwarded to SIEM.
Access Configuration
The web server port, authentication for console access, and web server protocol can be easily defined according to your environment.
The figure above shows a configuration with web server port 6161, Snare agent port 6262, and HTTP as the web server protocol for demo purposes. It is recommended to install a certificate so that logs are forwarded over a secure connection.
Objective Configuration
An objective covers events of a given category, such as Windows logon/logoff, access to a file or directory, security policy change, and system restart and shutdown.
Specific events can be modified or deleted and assigned a priority (Critical, High, Low or Information).
Audit Service Statistics
The Audit Service statistics confirm that Snare is connected and sending logs to the SIEM.
They show the daily average number of event bytes transmitted to the SIEM.
In case of network failures, the SOC administrator can check the status of the service here.
Security Certification – The security operations center
To encrypt the connection, generate a self-signed certificate for the web UI and the Snare agent, and enable certificate validation for the network destination; this establishes a secure way of forwarding logs to the SIEM.
Restart-Service
If the SIEM has not been collecting event logs from the Snare agent for a while, it is time to troubleshoot and retrieve the logs from the Snare server.
The figure above shows the Snare services restarted successfully.
Events – The security operations center
Windows 10 is now forwarding event logs to your deployed SIEM; the events can also be viewed in the Snare console.
You cannot open Snare and look for intrusions in your environment every time; for this reason, we forward the logs to the SIEM, which applies intelligence to detect attacks.
The SIEM becomes intelligent enough to trap attackers when effective correlation rules are built.
The pictures above show event ID 4625, a failed password attempt on the Windows 10 machine, followed by a successful 4689 event.
NOTE: The figures above show failed attempts followed by a successful login.
Correlation rule & Incidents
The correlation engine is where you write defensive rules to detect attackers; each rule that fires produces a unique incident.
Example: Assume that you are writing a rule for a brute-force attempt. A brute-force attempt produces a continuous stream of login attempts against the server, each with a different passphrase.
As per the NOTE above: failed attempts followed by a successful login.
Correlation rule: failed password attempts + followed by a successful login = Brute-force (Incident)
Now your customer environment is ready for a known use case (brute-force detected). You can also write your own use cases and deploy them in your SIEM to detect sophisticated cyber-attacks!
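The correlation rule above, worked through as an added example (my own code, not part of the original article or of the Snare product): it parses a handful of constructed Windows Security events and raises a brute-force incident when a successful logon follows a run of failed logons from the same account and source address within a short window. The tab-separated field layout of the sample lines is an assumption made for illustration, not the real Snare record format; the successful-logon ID is taken as 4624, the standard Windows event for a successful logon, and the threshold and window are tunables rather than values from the article.

```python
"""Brute-force correlation rule: failed logons (4625) followed by a successful logon.

Added example, not code from the article or from Snare. The log line layout
below (timestamp, event id, account, source IP, tab-separated) is a constructed
simplification of what a collector would forward to the SIEM.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESSFUL_LOGON = 4624  # "An account was successfully logged on"

# Constructed sample events (assumed layout): four scenarios are covered.
#  - jdoe:    5 failures in a few seconds, then success  -> incident
#  - asmith:  1 typo, then success                         -> below threshold
#  - bob:     6 failures, never succeeds                    -> rule needs a success
#  - cmiller: 5 failures spread over two hours, then success -> outside window
SAMPLE_LOG = """\
2023-03-01T09:00:01Z\t4625\tjdoe\t10.0.0.5
2023-03-01T09:00:03Z\t4625\tjdoe\t10.0.0.5
2023-03-01T09:00:04Z\t4625\tjdoe\t10.0.0.5
2023-03-01T09:00:06Z\t4625\tjdoe\t10.0.0.5
2023-03-01T09:00:07Z\t4625\tjdoe\t10.0.0.5
2023-03-01T09:00:09Z\t4624\tjdoe\t10.0.0.5
2023-03-01T09:30:00Z\t4625\tasmith\t10.0.0.7
2023-03-01T09:30:30Z\t4624\tasmith\t10.0.0.7
2023-03-01T10:00:00Z\t4625\tbob\t10.0.0.9
2023-03-01T10:00:01Z\t4625\tbob\t10.0.0.9
2023-03-01T10:00:02Z\t4625\tbob\t10.0.0.9
2023-03-01T10:00:03Z\t4625\tbob\t10.0.0.9
2023-03-01T10:00:04Z\t4625\tbob\t10.0.0.9
2023-03-01T10:00:05Z\t4625\tbob\t10.0.0.9
2023-03-01T11:00:00Z\t4625\tcmiller\t10.0.0.11
2023-03-01T11:30:00Z\t4625\tcmiller\t10.0.0.11
2023-03-01T12:00:00Z\t4625\tcmiller\t10.0.0.11
2023-03-01T12:30:00Z\t4625\tcmiller\t10.0.0.11
2023-03-01T13:00:00Z\t4625\tcmiller\t10.0.0.11
2023-03-01T13:01:00Z\t4624\tcmiller\t10.0.0.11
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    account: str
    source_ip: str


@dataclass(frozen=True)
class Incident:
    account: str
    source_ip: str
    failures: int
    first_failure: datetime
    success_at: datetime


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, event_id, account, source_ip = line.rstrip("\n").split("\t")
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), account, source_ip)


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list[Incident]:
    """Stateful correlation keyed on (account, source_ip).

    Failure timestamps older than `window` are expired as newer events arrive,
    so only a dense run of failures counts. A 4624 arriving while at least
    `threshold` recent failures are queued produces an Incident; any success
    clears the queue, because the sequence the rule describes has ended.
    """
    recent_failures: dict[tuple[str, str], deque] = defaultdict(deque)
    incidents: list[Incident] = []
    for ev in sorted(events, key=lambda e: e.ts):
        queue = recent_failures[(ev.account, ev.source_ip)]
        while queue and ev.ts - queue[0] > window:
            queue.popleft()
        if ev.event_id == FAILED_LOGON:
            queue.append(ev.ts)
        elif ev.event_id == SUCCESSFUL_LOGON:
            if len(queue) >= threshold:
                incidents.append(Incident(ev.account, ev.source_ip, len(queue), queue[0], ev.ts))
            queue.clear()
    return incidents


def detect_brute_force(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Parse raw log text and run the correlation rule over it."""
    return correlate(parse_log(log_text), threshold, window)


if __name__ == "__main__":
    for inc in detect_brute_force(SAMPLE_LOG):
        print(f"Brute-force incident: {inc.account} from {inc.source_ip}, "
              f"{inc.failures} failures since {inc.first_failure:%H:%M:%S}, success at {inc.success_at:%H:%M:%S}")
```

With the defaults only jdoe produces an incident. The cmiller lines show the rule's blind spot: failures spaced farther apart than the window never accumulate, so a slow password spray needs a longer window or a separate rule keyed on source address across accounts. Lowering the threshold catches asmith's single typo too, which is the usual tuning trade-off between missed attacks and analyst noise.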
LayerX has published its annual browser security report in which the company highlights the most prominent browser security risks of 2022. The report includes predictions and recommendations for 2023 as well.
The report focuses on Enterprise environments, but several of its key takeaways apply to small business and home environments as well. The browser security threats of 2022 make up the largest part of the document, but users find predictions, recommendations and an interesting monthly overview of major security events in the report as well.
The nine major threats that LayerX identified in 2022 were the following:
Phishing attacks via high reputation domains.
Malware distribution via file sharing systems.
Data leakage through personal browser profiles.
Outdated browsers.
Vulnerable passwords.
Unmanaged devices.
High-risk extensions.
Shadow SaaS.
MFA bypass with AiTM attacks.
Some of these are quite clear, others may require explanation. For phishing attacks, the researchers discovered that threat actors are hosting phishing URLs on legitimate SaaS platforms at an alarming rate. The rate of phishing attacks that use these legitimate platforms has increased by 1100% when compared to 2021, according to a Palo Alto Networks study.
LayerX conducted tests on how well browsers and network security tools protected against 1-day phishing sites. According to the test, the best performing browser had a catch rate of just 36%. Network security software blocked 48% of threats.
Similarly, malware is distributed via sanctioned services such as Google Drive and Microsoft OneDrive, to overcome blocks that may be in place for lesser known services and sites.
An analysis of data leakage in browsers concluded that 29% of users connected work browsers to personal profiles, and that 5.8% of identities were exposed in data breaches.
Outdated browsers are another threat to security, according to LayerX’s report. An analysis of 500 Chrome browsers revealed that a good number were either critically outdated or vulnerable to 1-day attacks.
Weak passwords and the reuse of passwords continue to be major issues. According to LayerX’s report, 29% of users use weak or medium strength passwords, and 11% of users reuse passwords regularly. The company noticed that 29% of browser profiles were personal and set to sync.
Web browser extensions are another attack vector, as they “can grant excessive permissions once installed”. A recent Incogni study found that almost half of the analysed browser extensions posed either a high security or privacy risk.
The report includes an overview of browser security highlights of the year 2022. It is an interesting account that lists major security events in 2022. Some of these involved attacks, like the January 2022 video player attack that stole credit card information from over a hundred sites. Others highlight security advances, like the passwordless logins announcement by major tech companies in May, or the end of Internet Explorer in June.
The report ends with four predictions and recommendations. Predictions include that browsers will become “the main attack surface”, that attacks will “be increasingly SaaS-based and less file-based”, and that malicious web pages “will become more sophisticated”.
Closing Words
The report offers insights on the browser threat landscape of 2022, and how threats will evolve in 2023 and beyond. While most of it is aimed at Enterprise and large business environments, it may still be of interest to home users and small businesses alike.
The recommendations focus on SaaS and Enterprise-grade protections, but all users may use the listed threats to improve security. For example, outdated browsers may be updated more frequently, and weak or reused passwords may be replaced with unique strong passwords.
The report is available for download here, but a short form needs to be filled out before the download link is made available.
Chief information security officers (CISOs) are senior-level executives responsible for overseeing an organization’s information security strategy and operations. They are responsible for identifying, evaluating and mitigating security risks and ensuring the organization’s information assets are protected from cyber threats and attacks.
CISOs play a critical role in protecting an organization’s valuable information assets. As such, they must possess a strong understanding of the latest threats and technologies in the cybersecurity landscape. They must also have strong leadership and communication skills and the ability to work effectively with other organizational executives and stakeholders. But why are they often forced to also play the role of firefighter?
When a CISO is referred to as a “firefighter,” it typically means that they are spending a significant amount of time responding to security incidents and putting out fires rather than being able to focus on proactively preventing those incidents from occurring in the first place. Here are some reasons why a CISO may become a firefighter:
1. Lack of resources: A CISO may not have sufficient resources (e.g., budget, staff, or technology) to implement a comprehensive cybersecurity program effectively. This can lead to security incidents that require a reactive response.
2. Insufficient risk management: A CISO may not have a robust risk management program in place, which means that security incidents are more likely to occur. Without proper risk management, a CISO may be caught off guard by security incidents and have to react quickly to mitigate the damage.
3. Lack of security awareness: Employees may not be properly trained on cybersecurity best practices, which can lead to security incidents such as phishing attacks or malware infections. When employees are unaware of the risks, they may inadvertently engage in behaviors that put the organization at risk.
4. Rapidly evolving threat landscape: Cyberthreats constantly evolve, so a CISO must be vigilant and adapt to new threats. If a CISO is not proactive in staying up-to-date with the latest threats, they may be caught off guard when a new threat emerges.
5. Organizational culture: The organizational culture may not prioritize cybersecurity, making it difficult for a CISO to implement a comprehensive cybersecurity program. If the organization does not prioritize cybersecurity, it may not allocate sufficient resources to the CISO to effectively prevent security incidents.
To avoid being a firefighter, a CISO must take proactive measures to prevent security incidents from occurring. This includes implementing a comprehensive cybersecurity program, conducting regular risk assessments and educating employees on cybersecurity best practices. By taking a proactive approach, a CISO can reduce the likelihood of security incidents and spend less time reacting to them.
It is important to note that being a firefighter is not necessarily negative, as incident response is a critical component of a comprehensive cybersecurity strategy. While it is important for CISOs to be proactive in identifying and mitigating potential threats, it is also crucial for them to respond quickly and effectively when incidents occur.
Ideally, CISOs should be able to balance their time between proactive prevention efforts and reactive incident response. This requires having a comprehensive security program in place, including technical controls, policies, procedures and employee training programs. By taking a holistic approach to cybersecurity, CISOs can work to reduce the number and severity of security incidents they need to respond to and shift their focus more towards proactive prevention.
Application Programming Interfaces (APIs) are an essential component of most modern programs and applications. In fact, cloud applications and mobile applications now rely heavily on APIs because they are designed to control various elements. Many large companies have hundreds or even thousands of APIs built into their infrastructure. The number of API interfaces will only increase over time.
It is important to keep your website or web applications resistant to malicious activity. To do so, use security testing tools to identify and measure the extent of the security issues in your web application(s).
The primary function of security testing is to perform functional testing of a web application under observation and find as many security issues as possible that could lead to it being hacked. All of this is done without the need to access the source code. To prevent API vulnerabilities and weaknesses, security testing is critical. API security testing ensures APIs work as designed and can only do what they are intended to. A particular tool might be the best choice for one company but not another, depending on their respective needs. Below is a list of open source API testing tools. As per cyber security course experts, although open source tools, as a rule, do not have the same support as commercial platforms, experienced developers can easily deploy them, often even for free, to increase the security level of their APIs.
TAURUS
Taurus makes it possible to turn standalone API testing programs into an ongoing testing process. At first look, the tool is easy to use: the user installs it, creates a configuration file and lets the tool do its job. Additional functions include interactive reports, more complex scripts for testing APIs, and configurable failure criteria so that detected problems can be addressed immediately.
APACHE JMETER
Apache JMeter (it is not surprising that it was written in Java) was originally made to test the load on web applications, but recently expanded its capabilities – now it is suitable for testing the operation of any application, program or API. Its functionality allows you to test performance on both static and dynamic resources. The tool can generate a large simulated (but realistic) load of traffic so that developers can understand how their APIs will cope during load testing. Apache JMeter does not require programming skills. It can handle many different types of applications, servers and protocols, and it supports request chaining. Tests can use CSV files to generate heavy loads of realistic traffic that put APIs under pressure.
CRAPI
The tool crAPI does not have the nicest name (“crap” – “sucks”), but it performs its API testing functions efficiently. It is one of the few tools that can connect to the target system and run a basic set of tests together with a whole set of additional functions. As per cyber security course experts, the program can do this without the need to create any new connections. Advanced API developers will be able to save a lot of time with crAPI.
ASTRA
Astra mainly focuses on Representational State Transfer (REST) APIs, which can be extremely hard to secure because they are constantly changing. Given that the REST architecture stresses scalability in the interaction between components, it can be difficult to ensure the security of a REST API over time. Astra helps solve this problem by offering integration with CI/CD pipelines and by checking that the most common vulnerabilities no longer appear in the supposedly safe REST API. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle.
KARATE
Karate is an open source framework that combines automated API testing, performance testing and mocking into a single framework. While it is implemented in Java, it doesn’t require users to have advanced programming skills. As per cyber security course experts, test definitions can also serve as the functional documentation for the API itself. Karate can be integrated with CI/CD tools. Additionally, tests can double as performance tests with the addition of Gatling, which verifies if server responses are as expected under load. Karate has extensive documentation, a wide range of test examples and an active user community.
ESET researchers have published the first analysis of a UEFI bootkit capable of circumventing UEFI Secure Boot, a critical platform security feature. The functionality of the bootkit and its features make researchers believe that it is a threat known as BlackLotus.
BlackLotus investigation
This UEFI bootkit has been sold on hacking forums for $5,000 since at least October 2022. It can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022. After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware,” says Martin Smolár, the ESET researcher who led the investigation into the bootkit.
What is this UEFI bootkit capable of?
The bootkit exploits a more than one-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability. Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate — but vulnerable — binaries to the system in order to exploit the vulnerability.
BlackLotus can disable operating system security mechanisms such as BitLocker, HVCI, and Windows Defender. Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communication with the Command and Control server and capable of loading additional user-mode or kernel-mode payloads. Interestingly, some of the BlackLotus installers ESET has analyzed do not proceed with bootkit installation if the compromised host uses locales from Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.
Not many threat actors are using it yet
BlackLotus has been advertised and sold on underground forums since at least early October 2022. “We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” says Smolár. “The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”
UEFI bootkits pose a significant threat
Many critical vulnerabilities affecting the security of UEFI systems have been discovered in the past few years. Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left systems vulnerable even a long time after the vulnerabilities have been fixed, or at least since we were told they had been fixed.
UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages. This allows them to operate very stealthily and with high privileges. So far, only a few have been discovered in the wild and publicly described.
UEFI bootkits may lose on stealthiness when compared to firmware implants — such as LoJax, the first in-the-wild UEFI firmware implant, discovered by ESET Research in 2018 — as bootkits are located on an easily accessible FAT32 disk partition. However, running as a bootloader gives them almost the same capabilities, without having to overcome multiple layers of security features protecting against firmware implants.
“The best advice, of course, is to keep your system and its security product up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence,” concludes Smolár.
BlackLotus UEFI bootkit: Mitigations and remediation
ESET researchers offer the following advice:
It is essential to ensure that both your system and its security software are regularly updated. This increases the likelihood of thwarting a threat in its early stages, before it can establish pre-OS persistence.
In order to prevent the exploitation of known vulnerable UEFI binaries to bypass UEFI Secure Boot, it is necessary to revoke them in the UEFI revocation database (dbx). On Windows systems, updates to the dbx should be disseminated through Windows Update.
The issue with revoking widely used Windows UEFI binaries is that it can render thousands of outdated systems, recovery images, or backups incapable of booting. As a result, revocation can often be a time-consuming process.
Note that revocation of the Windows applications used by BlackLotus would prevent installation of the bootkit, but as the installer would replace the victim’s bootloader with the revoked one, it could make the system unbootable. In such a scenario, the issue can be resolved by either reinstalling the operating system or recovering the ESP.
If revocation happens after BlackLotus persistence is set, the bootkit remains functional, as it uses a legitimate shim with a custom MOK key for persistence. In this case, the safest mitigation is to reinstall Windows and remove the attackers’ enrolled MOK key using the mokutil utility (physical presence is required to perform this operation, because the user must interact with the MOK Manager during boot).
Decider is a new, free tool that was launched today by CISA. It is designed to assist the cybersecurity community in mapping the behavior of threat actors to the MITRE ATT&CK framework. Through the use of guided questions, a powerful search and filter function, and a cart functionality that allows users to export results to commonly used formats, Decider helps make mapping both quick and accurate. It was developed in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and MITRE.
To get started with Decider, network defenders, analysts, and researchers can view the video, information sheet, and blog post published by CISA. CISA strongly recommends that users in the community make use of the tool in tandem with the newly revised Best Practices for MITRE ATT&CK Mapping guidance. The MITRE ATT&CK framework is a lens that network defenders can use to analyze the behavior of adversaries, and it directly supports “robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data,” as CISA Executive Assistant Director Eric Goldstein noted in his June 2021 blog post on the framework. Since it offers a standardized vocabulary for the evaluation of threat actors, CISA strongly recommends that the cybersecurity community make use of the framework.
This revision of the best practices was made in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a research and development facility owned by the Department of Homeland Security and run by MITRE. The update addresses the modifications that the MITRE ATT&CK team has made to the framework since CISA first released the best practices in June 2021. Moreover, this version covers common analytical biases, mapping problems, and specific ATT&CK mapping guidelines for industrial control systems (ICS).
The tool leads users through the mapping process by asking them a series of guided questions about adversary behavior. The purpose of these questions is to help users determine the appropriate tactic, technique, or sub-technique. In addition to the application itself, users are given access to a data sheet and a short video that will acquaint them with the most important capabilities and features that Decider offers.
Penetration testing, also known as pen testing, is a process of assessing the security of a computer system or network by simulating an attack from a malicious outsider or insider. The goal is to identify vulnerabilities and weaknesses that can be exploited by attackers to gain unauthorized access to the system.
There are many penetration testing tools available that can help security professionals and ethical hackers to perform effective tests. Here are some of the best penetration testing tools:
Metasploit Framework: It is an open-source penetration testing framework that provides a range of exploits, payloads, and auxiliary modules. It is widely used by penetration testers and security professionals to identify vulnerabilities and exploit them.
Nmap: It is a network exploration and security auditing tool that can be used to scan networks and identify hosts, ports, and services. It can also be used to detect operating systems and versions.
Wireshark: It is a network protocol analyzer that allows you to capture and analyze network traffic. It can be used to detect and analyze network attacks and vulnerabilities.
Burp Suite: It is an integrated platform for performing web application security testing. It includes a proxy server, a scanner, a spider, and other tools that can be used to identify vulnerabilities in web applications.
Aircrack-ng: It is a suite of tools that can be used to crack wireless network passwords. It includes tools for capturing and analyzing network traffic, as well as tools for cracking encryption keys.
John the Ripper: It is a password cracking tool that can be used to test the strength of passwords. It can be used to crack passwords for a range of operating systems and applications.
SQLmap: It is an open-source penetration testing tool that can be used to test the security of SQL-based web applications. It can be used to detect and exploit SQL injection vulnerabilities.
Hydra: It is a password cracking tool that can be used to test the strength of passwords for a range of protocols, including HTTP, FTP, and Telnet.
Nessus: It is a vulnerability scanner that can be used to scan networks and identify vulnerabilities. It can also be used to generate reports and prioritize vulnerabilities based on their severity.
OWASP ZAP: The world’s most popular free web security tool, actively maintained by a dedicated international team of volunteers.
Kali Linux: It is a Linux distribution that is specifically designed for penetration testing and ethical hacking. It includes a range of tools for network analysis, vulnerability testing, password cracking, and more.
Latest Pen Testing Titles
Cobalt’s Pentest as a Service (PtaaS) platform, coupled with an exclusive community of testers, delivers the real-time insights you need to remediate risk quickly and innovate securely.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.
You can now connect to ProtonVPN with just one tap of a button.
Proton VPN has launched its new browser extension for Chrome and Firefox, fulfilling one of the most sought-after features requested by its user community. This new extension provides users with a more flexible way to protect their online privacy and bypass censorship.
The Proton VPN browser extension is a standalone platform that encrypts the browser's internet traffic without needing to install the Windows or Mac applications. This distribution method allows users in countries with blocked app stores to access Proton VPN.
With this new extension, users can easily protect their browser traffic without affecting the speeds or IP addresses of other applications on their devices. The extension can be used across multiple browsers, and each browser can be connected to a different server, allowing for up to ten simultaneous VPN connections.
In a statement, Proton VPN explained that they understand the importance of online privacy and freedom of access, and this new extension is designed to provide more options for users to protect their online activity. They also emphasized that they take user feedback seriously and strive to implement new features that cater to their needs.
The Proton VPN browser extension is available for Chromium-based browsers (such as Google Chrome, Brave, Microsoft Edge, Chromium, Opera, and Vivaldi) and Firefox-based browsers (including Firefox itself, LibreWolf, and Waterfox).
ProtonVPN
Proton VPN is a well-known and reputable VPN provider based in Switzerland that has been praised for its strong security measures and privacy protections. The company’s commitment to expanding its offerings and providing users with more control over their online privacy is a significant step forward in the fight for digital rights.
A virtual Chief Information Security Officer (vCISO) service or (CISOaaS) may be appropriate for a variety of scenarios, including:
Your clients, partners and some regulatory requirements expect the presence of an individual fulfilling the position of Chief Information Security Officer (CISO).
Companies without an in-house CISO: Small and medium-sized companies may not have the budget or need for a full-time CISO. A vCISO service can provide these companies with access to a seasoned cybersecurity professional without having to hire a full-time employee.
Companies experiencing rapid growth or change: Companies that are growing quickly or undergoing significant changes, such as mergers or acquisitions, may benefit from the expertise of a vCISO to help them navigate the cybersecurity implications of these changes.
Companies with limited cybersecurity resources: Some companies may have an IT team but lack dedicated cybersecurity resources. A vCISO can help fill this gap by providing strategic guidance and oversight of the company’s cybersecurity program.
Compliance requirements: Companies in regulated industries, such as healthcare or financial services, may require a CISO to meet regulatory requirements. A vCISO can help these companies meet compliance requirements with standards (ISO 27001) and regulations (PCI, HIPAA, NIST CSF, etc.) without having to hire a full-time CISO.
Cybersecurity incident response: In the event of a cybersecurity incident, a vCISO can provide expertise and guidance to help the company respond effectively and minimize the impact of the incident.
Overall, a vCISO service can be a cost-effective way for companies to gain access to the expertise of a seasoned cybersecurity professional without having to hire a full-time employee.
CISOaaS
Organizations committed to prioritizing security face the difficulty of locating a Chief Information Security Officer (CISO) with the appropriate skills and knowledge. Someone needs to take charge of the security and compliance strategy, but this requirement often surpasses the expertise of the operational IT team or CIO.
What is CISOaaS? Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise. CISOaaS provides security guidance to senior management and drives the organization’s information security program.
Scoping -> Assessment (business, legal and contractual requirements) -> Gap analysis (based on standards and regulations) -> Roadmap to the to-be state -> Implementation of the roadmap -> Evaluation and continual improvement (of the security program)
The benefits of our CISOaaS
Gain access to a diverse pool of highly experienced and specialized senior cyber security professionals.
Rapidly access valuable resources and eliminate the necessity of retaining talent.
Reduce your expenses by paying solely for the necessary support, effectively minimizing costs.
Based on CISOaaS being engaged for four days a month annually at current prices. ($37,000 per year)
Based on your requirements, you can hire a vCISO 5-10 hours a week or per month. ($125 per hour)
Mitigate your risk by strengthening your cyber and information strategy through the implementation of a clearly defined roadmap, thereby enhancing your overall security posture.
Acquire valuable experience in effectively educating and presenting to board members and non-technical senior staff from diverse functional backgrounds.
Leverage our independent perspective and established credibility to secure comprehensive cross-business support and successfully accomplish your information security objectives.