Oct 18 2022

7 critical steps to defend the healthcare sector against cyber threats

Category: Cyber Threats,Threat detectionDISC @ 10:31 am
7 critical steps to defend the healthcare sector against cyber threats

While knowing full well that human lives may be at stake, criminal gangs have been increasingly targeting the healthcare sector with high-impact attacks like ransomware.

1. Tighten up email security

Healthcare providers should set up numerous layers of defense for a variety of email-borne threats. A good email security solution should be the first layer but will only be effective if it is able to detect multiple malicious signals (malicious IPs, suspicious URLs, hidden malware files, etc.).

Training staff to recognize malicious emails can be useful, but personnel should not bear the brunt of responsibility when it comes to catching signs of attack. Instead, training should focus on the importance of proper policies, such as confirming payments and transfers with a second channel outside of email.

2. Follow best practice for passwords and credentials

Obtaining login credentials is a primary goal in most cyberattacks, and many threat actors now specialize in selling information on to others. Investigations by the Trustwave SpiderLabs team found a large quantity of stolen login credentials and browser sessions enabling access to healthcare facilities advertised on dark web markets.

In addition to following best practices around phishing emails, all employees should be using complex passwords that can’t be easily guessed. When storing passwords, organizations must make sure to use modern and robust password hashing algorithms. Two-factor authentication should also be implemented across the organization as a priority (Note: SMS 2FA should not be considered secure).

3. Improve cyber security awareness

While the responsibility of spotting and stopping cyberattacks should not rest on ordinary healthcare personnel, a well-trained workforce can make a real difference in averting disaster. Attackers will be counting on healthcare staff being too busy and focused on supporting their patients to concentrate on security.

Security training is often limited to a few one-off PowerPoint-driven seminars, but this will do little to increase awareness. Healthcare providers should instead consider more in-depth exercises that replicate serious incidents such as ransomware attacks. This will help decision makers to gain experience in making snap decisions under pressure, better equipping them for when a real crisis looms.

4. Prepare for ransomware attacks

Ransomware is a threat to all sectors, but healthcare is particularly vulnerable to its disruptive effects. A paralyzed IT network will mean more than lost data or productivity – human lives may be on the line if data and equipment are locked down. Callous criminals are counting on healthcare providers caving and paying up to restore systems quickly. Further, attackers increasingly exfiltrate data to pile on more pressure and secure additional profits from dark web buyers.

A strong email security system will stop most malicious emails, but not all – and organizations should be prepared for that. Effective managed detection and response (MDR) capabilities, backed by a skilled team of threat hunters, will help identify and stop ransomware quickly to reduce its impact. A managed security service provider (MSSP) is one of the most affordable ways of acquiring these capabilities on a limited budget.

5. Secure extended IoT networks

Internet of Things (IoT)-enabled equipment has been hugely beneficial in enabling healthcare providers to automate and facilitate remote working. But if not properly monitored and patched, these connected devices can also provide threat actors with an easy attack path.

Hospitals are likely to have hundreds of devices deployed across their facilities, so keeping them all updated and patched can be an extremely resource-heavy task. Many health providers also struggle to accommodate the required downtime to update vital equipment.

Automating device discovery and update processes will make it easier to keep devices secured. Providers should also vet future purchases to ensure they have key security functionality and are accessible for maintenance and updates.

6. Understand supply chain risks

Healthcare providers sit in the center of extremely large and complex supply networks. Suppliers for medical materials, consultants, hardware, and facilities maintenance are just a few examples, alongside a growing number of digital services.

These suppliers often have a large degree of network connectivity or access to data, making them a prime target for threat actors seeking a way into the healthcare provider’s network. Organizations can also become the victim of a second-hand breach if a firm trusted to host or manage their data is attacked.

Supply chain risk can be reduced by vetting the security level of all third-party connections. This can be achieved without invasive network scans through publicly available information such as DNS server configurations and the presence of insecure ports open to the internet (e.g., MS-TERM-SERV, SMB, etc.).

7. Test out your preparations

Security is never a one-and-done affair. Even if the right solutions are in place, the workforce has been well-trained and processes are watertight, it is important to continually test defenses and look for ways to improve them.

Regular vulnerability scans are essential for keeping up with the shifting IT and cyber threat landscape. Application and network penetration tests will take things a step further by leveraging the ingenuity of experienced security personnel to look for a crack that can be found and exploited.

Larger healthcare providers such as hospitals may also consider physical penetration tests to determine if their facility’s IT infrastructure is vulnerable to an intruder on their grounds.

Defending against healthcare threats: Preparation is everything

Hospitals and other frontline healthcare providers are used to dealing with medical emergencies. Personnel have the equipment and processes they need in place, and they have the training to adopt the cool head needed to handle a crisis.

As attackers continue to target the sector, the same level of preparation is increasingly essential for cyber threats.

Criminal gangs are counting on budget cuts and staffing shortages to leave healthcare organizations vulnerable to their attacks. By focusing on these seven steps, providers will be able to present a hardened target that sends these callous opportunists in search of easier prey.

Tags: healthcare cyber threats, Healthcare Cybersecurity

Oct 18 2022

Detailed explanation of 11 new security controls in ISO 27001:2022

Category: Information Security,ISO 27kDISC @ 9:00 am

If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.

In this article, I’ll focus on 11 new controls that are set to be introduced in ISO 27001. For general information about the changes, see this article: Most important facts about changes in ISO 27001/ISO 27002.

What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls were categorized as new in ISO 27002:2022, I have listed all 11 in this article.

As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.

Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.

So, let’s review the 11 controls in more detail…

https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/?

Tags: ISO 270012022, ISO 27001:2022, ISO27k

Oct 18 2022

RedEye – CISA Developed Open-source Red Team Tool Monitoring C&C Server Activities

Category: Security ToolsDISC @ 8:35 am
RedEye – CISA Developed Open-source Red Team Tool Monitoring C&C Server Activities

A new open-source analytical tool dubbed RedEye designed to make it easier for operators to visualize and report activities associated with C2 communication has been released by CISA.

Both the red and blue teams can benefit from RedEye, as it provides an easy way to gauge data, leading to specific decisions that can be made with confidence.

RedEye – CISA Developed Open-source Red Team Tool Monitoring C&C Server Activities

RedEye

A collaborative effort between CISA and DOE’s Pacific Northwest National Laboratory has given birth to this analytical tool. 

A graphically displayed log of all servers and hosts associated with each campaign can be retrieved by RedEye users by correlating historical records of each campaign log.

In order to view relevant information about a campaign, users can upload campaign data via RedEye to view information such as:-

  • Beacons 
  • Commands

During the process of parsing log files, such as those generated by Cobalt Strike, the tool presents the information in a format that can be easily understood.

As a result, users are able to tag activities displayed within the tool and comment on them. Operators can present findings and workflow to stakeholders using the presentation mode that is available on the RedEye application.

To discover the payload activity analysts can also analyze all the key events in a selected campaign. In addition to using RedEye to check the raw data received after an assessment, blue teams can also use it to understand it better.

This data can be used by them to see the attack path and the compromised hosts to take the appropriate action based on what they have learned.

RedEye offers a wide range of features and all its key features are presented in the below video made by CISA:-

Apart from RedEye, the CISA have also released several other open-source tools like:-

  • Malcom
  • ICS NPP
  • Sparrow

The following major platforms have been tested and proved to be compatible with RedEye:- 

  • Linux (Ubuntu 18 and above, Kali Linux 2020.1 or newer)
  • macOS (El Capitan and above)
  • Windows 7 or newer

Moreover, the CISA’s repository on GitHub hosts the tool, and it is available for download via the repository.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: C2 signal, Open-source Red Team Tool, RedEye

Oct 17 2022

Cybercrime and data breaches are more than just the CISO’s problem

Category: CISO,Cyber crime,Data BreachDISC @ 11:20 am
I Was A CISO for Six Years -- Here's Why Burnout Is Such A Problem

In recent weeks, cybercrime and data breaches have become unavoidable topics in Australia. Many citizens have been forced to confront – for the first time – the reality of living in a disrupted digital world, where our personal data has become the most valuable commodity.

Of course, as tech leaders, this is a topic that keeps us awake at night. No part of our economy has proven immune from the impacts of cybercrime and data breaches.. Government agencies at all levels, large organisations, critical infrastructure providers, small-to-medium enterprises, families and individuals have all been targets.

Our customers sleep soundly at night in the knowledge there will be no unauthorised access to their physical digital infrastructure located in our data centres.

The $33 billion question

However, it’s not just CISOs who should be worried, particularly when considering this key question: What is the true cost to our economy of cybercrime?

It’s a $33 billion question because that’s how much Australian organisations self-reported in cybercrime losses during FY21. And that doesn’t even cover the hefty financial penalties that apply to companies that fail to protect their customer data.

The cost extends far beyond the financial. Aside from the financial costs there are the non-financial costs to individual companies that are victims of these attacks. This includes reputational damage, remedial distraction, service interruptions and process breakdowns. Cybercrime also poses a major threat to consumer trust, innovation, and growth across the digital economy.

In other words, security risk management is fast becoming every business leader’s problem – not just for CISOs and CSOs.

The four pillars of security risk management

At NEXTDC, we’ve been talking for some time about the importance of an integrated approach to security risk management around digital infrastructure. The conversation so far has been focused on how there must be a ‘mesh’ or integrated approach to physical and cyber security. These are the first two pillars of robust security risk management and, , they have converged to the point where you can’t have one without the other.

As I like to say, securing your internal critical infrastructure is only half the story. You can have the most advanced cyber security systems in place and still be compromised by a physical breach of your facility.

However, there are two additional pillars to security risk management. These are less well-known but are no less important – people and processes, and supply chain and business continuity. And responsibility for those extends far beyond the technology department.

The remainder of this article will focus on the people and processes pillar. A subsequent blog will address supply chains and business continuity.

What does converged security mean from a people and process perspective?

Most of us are familiar with the terms converged or integrated security risk management, but what does that really mean from a people and process perspective? For most organisations, it comes down to what it is you’re trying to protect against. In general, that will fall into one of two categories: accidental or deliberate (malicious) human actions.

While it’s usually the malicious actors who get the most airtime (put your hand up if you immediately visualise a shadowy figure in a hoodie hunched over a laptop when you hear the word ‘hacker’!) – the evidence suggests we should be far more worried about accidental actions.

Malicious actors are everywhere, constantly active and becoming increasingly sophisticated, but human error is still the greatest cause of data breaches. Robust physical environments – supported by cutting edge technology, education to create awareness amongst people and the right processes to support them – are still the most important component of holistic security strategy.

Build a ‘ready for anything’ security mesh

As pressure continues to mount around data protection and sovereignty, an enhanced security posture is best achieved by partnering strategically with a trusted provider. A supply chain partner who will take on not only the heavy lifting that gets you to your ideal state, faster and safely, but also without significant capital investment in infrastructure, personnel and meeting compliance.

Your provider’s security risk management must be completely aligned with yours, so ensure you ask the right questions during the evaluation process. Make sure you dig deep into factors such as:

  • Security awareness programs, policies and procedures for staff and suppliers (including personnel screening, both pre-employment and also right throughout tenure)
  • Compliance with the certification programs and standards relevant to your organisation and industry
  • Internal and external audit procedures.

Your customers, regulators, investors and partners are depending on you to get security risk management right and the consequences of falling short in this area can be very expensive and long lasting.

https://www.nextdc.com/resources-and-insights/news/cybercrime-and-data-breaches-are-more-just-cisos-problem

Tags: Cybercrime and data breaches

Oct 17 2022

New UEFI rootkit Black Lotus offered for sale at $5,000

Category: APT,Cyber crime,CybercrimeDISC @ 10:02 am
New UEFI rootkit Black Lotus offered for sale at $5,000

Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, researcher warns.

Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is advertised on underground criminal forums. The powerful malware is offered for sale at $5,000, with $200 payments per new updates.

The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.

“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot‘s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction.” wrote Scheferman.

Black Lotus is written in assembly and C and is only 80kb in size, the malicious code can be configured to avoid infecting systems in countries in the CIS region.

The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities.

The threat is very stealth, it can achieve persistence at the UEFI level with Ring 0 agent protection.

Black Lotus supports a full set of backdoor capabilities, it could be also used to potential target IT and OT environments.

Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.

New UEFI rootkit Black Lotus

Tags: APT, Black Lotus, criminal forums, UEFI rootkit

Oct 17 2022

Phishing-as-a-Service Platform Lets Anyone Launch Own Phishing Campaigns

Category: PhishingDISC @ 9:50 am
Phishing-as-a-Service Platform Lets Anyone Launch Own Phishing Campaigns

With the release of the PhaaS platform called ‘Caffeine’, threat actors can now easily launch their own sophisticated phishing attacks. Anyone who wants to start their own phishing campaign will be able to register on this platform through an open registration process.

Caffeine has been thoroughly tested by the analysts at Mandiant. This is a free and open-source platform that does not require any specific requirements like the following to use its portal for launching Phishing campaigns:-

  • No invites or referrals required
  • No approval needed
  • No social shares required
  • No specific joining or subscription to any social channel or hacking forum is needed

Sophisticated Phishing Campaigns

Phishing Scam

I'd Rather Be Phishing - Cool Cyber Security Hacker T Shirt

Tags: Phishing Scam, Phishing-as-a-Service

Oct 15 2022

STRIDE covers threats to the CIA

Category: Information Security,Threat ModelingDISC @ 12:53 pm

I’ve been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better.  Better means faster, cheaper or more effectively.  There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products.   One of the things that I’ve learned is that we ask a lot of developers, testers, and PMs here.  They all have some exposure to security, but terms that I’ve been using for years are often new to them.

Larry Osterman is a longtime MS veteran, currently working in Windows audio.  He’s been a threat modeling advocate for years, and has been blogging a lot about our new processes, and describes in great detail the STRIDE per element process.   His recent posts are “Threat Modeling, Once Again,” “Threat modeling again. Drawing the diagram,” “Threat Modeling Again: STRIDE,” “Threat modeling again, STRIDE mitigations,” “Threat modeling again, what does STRIDE have to do with threat modeling,” “Threat modeling again, STRIDE per element,” “Threat modeling again, threat modeling playsound.”

I wanted to chime in and offer up this handy chart that we use.  It’s part of how we teach people to go from a diagram to a set of threats.  We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.

Source:

STRIDE chart

Threat Modeling for security

Tags: STRIDE Chart, Threat modeling

Oct 15 2022

Recovering hacked accounts

Category: HackingDISC @ 10:36 am

Recovering hacked accounts – A step-by-step guide to recovering online accounts.

Recovering-hacked-accounts-1Download

My Internet Security: Protect & Recover your accounts from Hackers

Tags: Recovering hacked accounts

Oct 14 2022

Cost-effective steps healthcare CISOs can take to mitigate damaging attacks

Category: CISO,hipaa,vCISODISC @ 12:30 pm
Cost-effective steps healthcare CISOs can take to mitigate damaging attacks

Cybersecurity measures are increasingly failing to close gaps, and the healthcare industry, in particular, has become a high-dollar target due to limited budgets and quick ransom pay-offs.

In this Help Net Security video, Maureen Kaplan, Chief Revenue Officer at SilverSky, discusses how attackers are now narrowing their focus from larger healthcare systems to smaller hospitals and specialty clinics to more easily retrieve patient data and use it for launching fraud and identity theft.

Due to the massive deficit of cyber defenses and limited security budgets of the healthcare industry, attackers have shifted their points of entry to systemic technology like EMR systems to wreak as much havoc as possible while demanding ransom.

Kaplan talks about the steps health IT leaders can take for a more cost-effective approach to safeguarding patient and employee data.

Tags: healthcare CISOs

Oct 14 2022

This flash drive will self-destruct (if you want it to)

Category: Hardware SecurityDISC @ 9:07 am
Apricorn Aegis Secure Key 3

Want to feel like James Bond? Check out this easy-to-use encrypted flash drive.

Losing hardware is a pain, but everything is replaceable.  

Allowing data to fall into someone else’s hands is the ultimate headache. Once your data is out there in the wild, it’s game over.

The “solution” is to encrypt your data. But the problem with that solution is that unless the encryption is easy and foolproof, users are going to sacrifice data security for convenience.

If you want easy-to-use high security encryption, then you need hardware that’s aimed at professionals, and that hardware doesn’t get much better than the Apricorn Aegis Secure Key 3.0.

Apricorn Aegis Secure Key 3.0 tech specs:

  • No software – so there’s nothing to keylog or to hack.
  • OS agnostic – the device is completely cross platform compatible.
  • Onboard keypad – all authentication takes place within the device itself.
  • All data, passwords and encryption keys are 256-bit encrypted at rest.
  • No host computer is involved in setup, authentication or encryption.
  • Forced enrollment – no default PINs ensures that data is not put at risk by employees who fail to change a factory set PIN before deployment.
  • IP68 rated against water and dust damage.
  • Separate administrator and user access.
  • Read-only options that can be enforced by the administrator or set by the user if allowed by policy.
  • Highly configurable with policy such as time out values, data recovery PINs, and programmable PIN lengths.
  • Brute force PIN attack protection.
  • Extruded aluminum enclosure with protective sleeve.
  • FIPS 140-2 Level 3 validated.
  • Can be automatically configured remotely using Apricorn’s Aegis Configurator tool.
  • Up to 195MB/s read speed/162MB/s write speed.
  • Super Speed USB 3.2 (backwards compatible with USB 3.0, 2.0 and 1.1)
  • Capacities ranging from 30GB to 2TB.

“For an added level of security, there’s also the ability to set a self-destruct PIN to quickly wipe the drive of its contents yet make it seem like it is fully working.”

Source:

https://www.zdnet.com/article/this-flash-drive-will-self-destruct-if-you-want-it-to/

Tags: Secure flash drive

Oct 14 2022

Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Category: Cyberweapon,HackingDISC @ 8:52 am
Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Cybersecurity researchers at Kaspersky Security Labs have recently identified an unofficial version of WhatsApp for Android, which is dubbed by experts “YoWhatsApp.”

This unofficial version of WhatsApp is mainly designed to steal users’ account access keys or login credentials. There are many unofficial versions of legitimate apps that are advertised as being unofficial versions. 

While these unofficial versions lure users by advertising features that the official versions do not have. Though YoWhatsApp is an unofficial version of WhatsApp, but, it’s a fully working messenger with some key additional features like we have mentioned below:- 

  • UI customization
  • Blocking access to individual chats
  • Several emojis

Unofficial WhatsApp: YoWhatsApp

There is no difference between YoWhatsApp and the standard WhatsApp application in terms of permissions. The promotion of this unofficial Android mod is done using ads on popular Android apps such as the following ones: 

  • Snaptube
  • Vidmate

n the latest version of YoWhatsApp, version 2.22.11.75, the threat actors were able to obtain the keys to the WhatsApp accounts of their victims and take full control.

It is claimed that YoWhatsApp will allow users to send files up to 700 MB using their service. While there is a limit of 100 MB per file that can be sent from the official app to your contacts, and this makes the YoWhatsApp more appealing.

In a modified version of WhatsApp, the app sends the user’s access keys to a server located remotely on the developer’s server.

Source: Weaponized Mod WhatsApp Version “YoWhatsApp” Attempt to Hack Android Devices

Recommendations

Here below we have mentioned all the recommendations:-

  • Make sure you only install applications from official stores and websites that you can trust.
  • Make sure that you check what permissions you have given to installed apps.
  • Ensure that your smartphone is protected by a reliable mobile antivirus application.
  • Avoid downloading or installing unofficial mods.

Tags: whatsapp, YoWhatsApp

Oct 13 2022

What You Need for a Strong Security Posture

Category: Attack Matrix,cyber security,Information SecurityDISC @ 12:40 pm

From the basics to advanced techniques, here’s what you should know.

Cybersecurity concept art
Source: Rancz Andrei via Alamy Stock Photo

Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.

An organization’s security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.

That’s why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.

The Basics: Vulnerability Scanning

The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There’s a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.

Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.

While vulnerability scanning is relatively easy to use, it’s not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. They’re also often prone to false positives and must be updated consistently.

Overall, though, vulnerability scanning is an important baseline step. Once it’s running well, the next step is penetration testing.

Penetration Testing

Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there’s a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.

Run periodically, pen testing can uncover weaknesses that aren’t found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.

Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.

While penetration testing can provide a great deal of benefit, it’s a good idea to periodically review the wealth of information on best practices available online.

Red Team/Purple Team

The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization’s security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.

A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.

But too often, red and blue teams devolve into an adversarial relationship that’s counterproductive. It’s also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.

Using Adversary TTPs for Good

There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE’s ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence for specific attacks and then simulating the TTPs used.

For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.

Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure’s detection and response rates.

Looking Ahead

Security vendors are moving beyond simply advocating the concept of MITRE’s ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.

MITRE’s CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.

There are also open source projects for adversary behavior simulation in development. A few of them of note include Uber’s Metta, Nextron Systems’ APT Simulator, Elastic/Endgame’s Red Team Automation, CyberMonitor’s Invoke-Adversary, and Red Canary’s Atomic Red Team.

Conclusion

Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.

Source:

https://www.darkreading.com/vulnerabilities-threats/what-you-need-for-a-strong-security-posture

Tags: Security Posture

Oct 12 2022

5 Kali Linux books you should read this year

Category: Hacking,Linux SecurityDISC @ 1:36 pm
5 Kali Linux books you should read this year

Kali Linux is a Linux distribution designed for digital forensics, penetration testing, security research, and reverse engineering.

Here is a selection of books for different experience levels, you can either start from scratch or get advanced tips – there’s something for everyone.

Advanced Security Testing with Kali Linux

Independently published / Author: Daniel Dieterle

Kali Linux books

This book covers the more intermediate and advanced uses of the Kali Linux pentesting distribution. You will learn topics like:

  • The MITRE ATT@CK Framework
  • Command & Control (C2) frameworks
  • In-depth network scanning
  • Web app pentesting
  • Advanced techniques like “Living off the Land”
  • AV bypass tools
  • Using IoT devices in security

Kali Linux Penetration Testing Bible

Wiley / Author: Gus Khawaja

Kali Linux books

This book is the hands-on and methodology guide for pentesting with Kali Linux. You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.

  • Build a modern dockerized environment
  • Discover the fundamentals of the bash language in Linux
  • Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
  • Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
  • Apply practical and efficient pentesting workflows
  • Learn about Modern Web Application Security Secure SDLC
  • Automate your penetration testing with Python

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

No Starch Press / Author: OccupyTheWeb

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

If you’re getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you’ll learn the basics of using the Linux operating system and acquire the tools and techniques you’ll need to take control of a Linux environment.

First, you’ll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you’ll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You’ll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:

  • Cover your tracks by changing your network information and manipulating the rsyslog logging utility
  • Write a tool to scan for network connections, and connect and listen to wireless networks
  • Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
  • Write a bash script to scan open ports for potential targets
  • Use and abuse services like MySQL, Apache web server, and OpenSSH
  • Build your own hacking tools, such as a remote video spy camera and a password cracker

Mastering Kali Linux for Advanced Penetration Testing, 4th Edition

Packt Publishing / Author: Vijay Kumar Velu

Mastering Kali Linux for Advanced Penetration Testing, 4th Edition

In this book you’ll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You’ll go through laboratory integration to cloud services so that you learn another dimension of exploitation that is typically forgotten during a penetration test. You’ll explore different ways of installing and running Kali Linux in a VM and containerized environment and deploying vulnerable cloud services on AWS using containers, exploiting misconfigured S3 buckets to gain access to EC2 instances.

This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you’ll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.

For more information about this book, we have a video with the author you can watch here.

The Ultimate Kali Linux Book – 2nd Edition

Packt Publishing / Author: Glen D. Singh

Kali Linux books

This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, you’ll understand how to set up a lab and explore core penetration testing concepts.

Throughout this book, you’ll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You’ll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you’ll be able to compromise Active Directory and exploit enterprise networks.

Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.

Tags: Kali Linux books

Oct 12 2022

Refund Fraud-as-a-Service Ads on Hacker Forums Increase by 60%

Category: Cyber crime,Cyber Threats,CybercrimeDISC @ 9:42 am

Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.

Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.

Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.

Netacea’s research also found:

  • Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
  • Refund fraud services increased by almost 150% from 2019 – 2021

Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.

“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”

Additional steps include:

  1. Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
  2. E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
  3. Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.

Source:

https://www.darkreading.com/attacks-breaches/refund-fraud-as-a-service-ads-on-hacker-forums-increase-by-60-

What are refunding services and how to stop them - Kount
Kount
What are refunding services and how to stop them – Kount

The Increase in Ransomware Attacks on Local Governments

Tags: Refund Fraud-as-a-Service

Oct 12 2022

Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Category: Phishing,RansomwareDISC @ 8:52 am
Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.

Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.

It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in United States and Canada. They were also targeting some Asian countries like India and China.

What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Figure. 1: Attack Chain
Attack Chain

Evolution of Bazarcall Social Engineering Tactics

Tags: Callback Phishing Attack

Oct 11 2022

Move over Patch Tuesday – it’s Ada Lovelace Day!

Category: Security patchingDISC @ 9:30 pm
Move over Patch Tuesday – it’s Ada Lovelace Day!

The second Tuesday of every month is Microsoft’s regular day for security updates, still known by almost everyone by its unofficial nickname of “Patch Tuesday”.

But the second Tuesday in October is also Ada Lovelace Day, celebrating Ada, Countess of Lovelace.

Ada was a true pioneer not only of computing, but also of computer science, and gave her name to the programming language Ada.

The Ada language, intriguingly, emerged from a US Department of Defense project aimed at “debabelising” the world of governmental coding, where every department semed to favour a different language, or a different language dialect, making it more difficult, more expensive, and less reliable to get them to work together.

Ada Lovelace’s era

You might be surprised to find, given how strongly Ada’s name is associated with the beginnings of computer science, that she lived in the first half of the nineteenth century, long before anything that we currently recognise as a computer, or even a calculator, existed.

(Ada died of uterine cancer in 1852 at just 36 years old.)

But although computers in their modern sense didn’t exist in the 1800s, they very nearly did.

Here’s how it almost happened.

Charles Babbage, in the early 1800s, famously devised a mechanical calculating device called the Difference Engine that could, in theory at least, automatically solve polynomial equations in the sixth degree, e.g. by finding values for X that would satisfy:

aX6 + bX5 +cX4 +dX3 +eX2 + fX + g = 0

The UK government was interested, because a device of this sort could be used for creating accurate mathematical tables, such as square roots, logarithms and trigonometric ratios.

And any machine good at trigonometric calculations would also be handy for computing things like gunnery tables that could revolutionise the accuracy of artillery at land and sea.

But Babbage had two problems.

Firstly, he could never quite reach the engineering precision needed to get the Difference Engine to work properly, because it involved sufficiently many interlocking gears that backlash (tiny but cumulative inaccuracies leading to “sloppiness” in the mechanism) would lock it up.

Secondly, he seems to have lost interest in the Difference Engine when he realised it was a dead end – in modern terms, you can think of it as a pocket calculator, but not as a tablet computer or a laptop.

So Babbage leapt ahead with the design of a yet more complex device that he dubbed the Analytical Engine, which could work out much more general scientific problems than one sort of polynomial equation.

Perhaps unsurprisingly, if regrettably in hindsight. the government wasn’t terribly interested in funding Babbage’s more advanced project.

Given that he hadn’t managed to build the mechanism needed for a much simpler equation solver, what chance did a giant, steam-powered, general-purpose computer have of ever delivering any useful results?

The European conference circuit

Tags: Ada Lovelace Day

Oct 11 2022

Top Cybersecurity Threats for Public Sector

Category: Cyber Threats,Insider Threat,Threat detection,Threat ModelingDISC @ 12:31 pm
Top Cybersecurity Threats for Public Sector

An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.

Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.

While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.

Distributed Denial of Service (DDoS) Attacks

A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.

DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.

DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.

Nation-State Sponsored Cyber Attacks

With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.

Nation-state-sponsored cyber attacks aim to

  • Hinder communication
  • Gather intelligence
  • Steal intellectual property
  • Damage to digital and physical infrastructure

They are even used for financial gain.

Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.

Ransomware

Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.

Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).

These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.

The threat of ransomware attacks still looms today and is no less a concern in 2022 than they were in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.

What The Public Sector Can Do to Stay Ahead?

Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security in the public sector, you have to create a culture of cybersecurity within your organizations, offering ongoing training to their teams.

You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.

Conclusion

The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.

This isn’t to suggest that old technologies are more reliable, however. Like antivirus software, the virus definitions must be continually updated for the software to remain effective. The public sector needs to stay on the cutting edge of best practices.

The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.

Top Cybersecurity Threats for Public Sector

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: Cybersecurity Threats

Oct 11 2022

The hijab will never be the same

Category: Information Security,Social networkDISC @ 9:28 am
The hijab will never be the same
A WOMAN IN TEHRAN CLIMBED ONTO A CAR AND SET HER HIJAB ABLAZE. “AMIN” WAS JUST FIVE METERS AWAY. (PHOTO CREDIT: TWITTER)

The death of 22-year-old Mahsa Amini in Iran has ignited the most powerful protests the country has seen in years. Authorities there have rolled out a host of new tools to throttle mobile phone connections, block social media sites, and make it harder for people on the ground to organize. Our Click Here team spoke to one man who has been protesting since Amini’s death was announced, and he talked to us about the dangers of using social media and technology while participating in street demonstrations. He asked us not to use his real name because speaking to foreign reporters could get him arrested. Amin talked with us about getting around internet restrictions, the dangers of using social media in Iran, and how protesters handle their passwords.

Our interview with him has been edited and condensed for clarity.

The hijab will never be the same

https://therecord.media/the-hijab-will-never-be-the-same/

Tags: hijab

Oct 10 2022

Dark web carding site BidenCash gives 1.2M payment cards for free

Category: Dark WebDISC @ 10:36 pm
Dark web carding site BidenCash gives 1.2M payment cards for free

BidenCash, a popular dark web carding site, released a dump of more than 1.2 million credit cards to promote its service.

Operators behind the popular dark web carding market ‘BidenCash’ have released a dump of 1,221,551 credit cards to promote their underground payment card shop. Multiple security firms, noticed the promotional activity, but the news was first reported by threat intelligence firm Cyble and the Italian firm D3Lab.

https://twitter.com/D3LabIT/status/1578306932380606464?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1578306932380606464%7Ctwgr%5E4dab1b5578b291216a38877a5dd5c0fc7e765813%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F136872%2Fcyber-crime%2Fbidencash-carding-site-leak.html

It is a great gift to fraudsters that can download for free the dump and use it for fraudulent activities.

The announcement of the availability of the dataset consisting of over 1.2 million credit and debit cards information on a notorious cybercrime forum mainly hosting Russian and English-speaking Threat Actors.

Bidencash

Tags: Dark web carding site

Oct 10 2022

6 Things Every CISO Should Do the First 90 Days on the Job

Category: CISO,vCISODISC @ 9:44 am
CISO

Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company’s business strategy and operations.

The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.

Given this evolution in responsibilities, a CISO’s first 90 days on the job should look a lot different today than it did even several years ago.

The First 90 Days

While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company’s mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.

With this in mind, here are a few recommendations on what a CISO’s focus should be during their first 90 days on the job.

Gain An Understanding of the Organization’s Larger Mission and Culture

The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.

Identify the Crown Jewels

Determine which data and systems underpin the company’s strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.

Develop a Plan Based on the Company’s Current IT and Business Landscape

Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.

Master the Basics

There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren’t already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.

Implement Benchmarks

Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.

Always Treat Security as a Business Problem

Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it’s so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they’ll be more apt to pay attention and participate in security efforts.

At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization’s security posture, and do we have a road map?

While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.

https://www.darkreading.com/careers-and-people/6-things-every-ciso-should-do-the-first-90-days-on-the-job

Tags: CISO

« Previous PageNext Page »