Posts Tagged ‘APTs’
Wednesday, July 30, 2014 @ 05:07 PM gHale
Nearly 33 percent of IT security teams never speak with their company’s executives about cyber security and of those who did, 23 percent spoke to them once per year, a new report said.
This lack of communication and security awareness can greatly increase companies’ risk of experiencing some kind of attack, said Jeff Debrosse, director of security research at Websense, which sponsored the “Roadblocks, Refresh, & Raising the Human Security IQ” report by the Ponemon Institute.
Debrosse said the “31 percent [of IT teams that do not speak with their corporate executives] will, at some point, find themselves on the front page because they’re not having a conversation about insider threats, APTs, etc.”
But even though they aren’t discussing threats with upper management, security teams are constantly thinking about them, which could contribute to the communications breakdown. An overworked employee might not have time to assemble a report and attend a meeting, though this is what they need to do. The executive suite might take silence on the IT team’s part to mean everything is running perfectly when, in reality, IT may need additional support or funding.
IT teams need to “really insist and show the ‘why’ of having security as part of executive team meetings and discussions,” Debrosse said. Whether that means offering a quick to-do list or even stating nothing has changed, it’s important to show the IT security team’s presence and differentiate themselves from the general IT department.
He suggested security leaders take advantage of cyber threat models, such as the NIST “Risk Management Framework,” to show the cost of risks and their solutions as well as to defend budget requests.
The report, which surveyed more than 160,000 IT security professionals in 15 countries to determine the challenges they face in dealing with cyber security threats, also found 47 percent of respondents felt frequently disappointed with the level of protection their security solution offers, and 52 percent of companies do not provide cyber security education to their employees. The majority of those surveyed work for financial companies, and the United States and India accounted for the largest portion of respondents.
Wednesday, July 30, 2014 @ 10:07 AM gHale
EDITOR’S NOTE: This is an excerpt of the second in a two-part series from Del Rodillas at Palo Alto Networks discussing the Havex campaign and its effects on industrial control systems. In part one of this series, Del discussed why the Havex Trojan is a significant industry milestone. This week, he looks at how to mitigate exposure through the combination of good practices and next-generation firewall technology.
By Del Rodillas
In my initial engagements with control systems operators, two security objectives, both linked to keeping uptime high, frequently come up.
First, the operations manager, or the person responsible for security in the operational technology (OT) environment, remains concerned over whether only approved users are using the right applications and resources in the specific usage model intended for SCADA. At the most basic level, this person wants to be able to validate that the system is used only in a way that aligns with the business objectives, ultimately with the goal of implementing role-based access control. In this person’s mind, an internal user accidentally causing system downtime is as much a cyber threat as an incident malicious in nature.
Second, there is a concern that malware, especially advanced persistent threats (APTs) that have never been seen in the wild, would, by accident or on purpose, get introduced into the network disrupting service availability.
Not surprisingly, I often find that a couple of core capabilities critical for achieving these security objectives, namely protocol/application layer visibility and Zero Day threat detection, are not yet deployed in their OT environment.
Most operators only have legacy stateful inspection firewalls (port-level visibility) plus add-ons like IPS/AV (block known threats). Whether they’ve been lax in upgrading their technology, or for some other reason, these operators are finding their technologies have simply run out of steam and cannot provide the type of visibility, security controls, and threat prevention required to combat advanced threats. It is imperative that asset owners take a fresh look at better techniques and tools that can help improve security posture to the required level and reduce downtime due to cyber incidents. So what are some of these options?
Technology is a critical piece of the cybersecurity equation, but its benefits have limits if you don’t have a clear understanding of risk, if you don’t have a clear set of access control policies, and/or if you haven’t segmented your network in a way that aligns with these risks and policies. As always, the IEC 62443 standard is the gold standard for network segmentation in industrial control systems.
Segmentation and access control, especially when done with a least-privilege approach, are key in that they reduce your attack footprint and establish a baseline from which anomalies can be easily detected. In the context of the security concerns raised by Havex, some basic but important questions to ask yourself around access control and segmentation include:
• Do you have enough security zones and points of inspection between zones, a.k.a. conduits in IEC 62443 terms, to validate compliance with policy or to be able to implement controls? For example, while you may isolate the OT from IT with a perimeter firewall, are you able to observe intra-OT traffic such as HMI/Workstation to Server, PCN to Plant/PLC, and interplant traffic? It will be very difficult to see the fingerprints of APTs if you have a flat SCADA/ICS network.
• Have you clearly defined which users and machines are allowed to access which applications, and from which zones these policies are relevant? What file/data types are allowed to traverse your network?
• If direct Internet connectivity is allowed, do you have a list of which domains/IP addresses are allowed, and which users are allowed to access those sites? You may be clear on what is and isn’t allowed to enter the ICS environment, but what about what goes out?
These aren’t easy tasks, but they have to occur up front. The fact that SCADA/ICS systems are purpose-built with a very specific set of users and applications should help contain the effort of creating access policies.
It’s all about the ID
Clearly, effective segmentation and access control depend on the ability to control protocols/applications based on user identity and the ability to inspect content.
App-ID, User-ID, and Content-ID technologies should be the heart of the platform. App-ID provides visibility to protocols and applications, versus just ports/services. For example, App-ID is able to identify ICS protocols such as OPC, DNP3, Modbus, BACnet, OSIsoft PI, and others. Functional App-IDs are also available for some protocols like Modbus and IEC 60870-5-104 to enable resolution at the read/write level.
User-ID is the technology that allows role-based access control by mapping IP addresses to user (or user group). A variety of user information repositories and authentication events could be used for this purpose.
Content-ID is able to inspect the payloads (e.g. files, data types, URLs, threats). It is important to note that packets are processed for App-ID, User-ID, and Content-ID in parallel and in a single pass, providing not only high performance but also shared context, which is equally important for correlation analysis.
Here is how App-ID and User-ID may be applied in unison to enable role-based access for OPC. Your OPC policy within the SCADA zone may be very different from the OPC policy you have at the IT-OT boundary. For example, at the perimeter you may allow only a certain set of users, say finance users in the Active Directory group “SCADA_finance,” access to the OPC application so they can reach a primary or replicated historian in the SCADA zone or SCADA DMZ zone. This can all be defined in a single policy that involves no opening up of ports. Furthermore, a network appliance could use a positive enforcement approach, meaning no traffic other than that allowed in policy will pass through by default.
Within the OT, you might allow all users in the “SCADA Ops” AD group access to OPC. This might be very different for a third-party vendor that needs to access your network to service products that do not use OPC. To limit the risk of the third party accidentally or intentionally accessing resources via OPC while still letting them do their job, one could define another role-based policy. For example, you could define a rule that allows the vendor access to another ICS protocol only between the relevant security zones. You could also define a third-party zone that has jump servers and a separate PLC zone where that vendor’s products reside. While we use OPC as an example, these same kinds of policies could just as easily be applied to other ICS protocols and applications, as well as to common administrative protocols, such as SSH, FTP, and SNMP, that are often used in SCADA networks.
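To make the role-based, default-deny policy above concrete, here is an added example (not Palo Alto Networks code) that models App-ID/User-ID style rules as a small evaluator in Python. The zone names, user names, flow records and the vendor group “Vendor_Acme” are constructed for the illustration; only the “SCADA_finance” and “SCADA Ops” groups come from the text.

```python
"""Positive-enforcement (default-deny) policy evaluation for ICS traffic.

Added illustration of the role-based access model described in the article.
This is not Palo Alto Networks code; zone names, users, ports and the vendor
group below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str                     # application identity (e.g. "opc"), not a port
    user_group: Optional[str]    # None means any user may match this rule
    action: str                  # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str                     # what application-layer inspection identified
    dst_port: int                # kept only for the audit log; policy ignores it
    user: str                    # user mapped to the source IP (User-ID style)


# User-to-group mapping, as a directory lookup would provide it (constructed).
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"SCADA_finance"},
    "bob": {"SCADA Ops"},
    "vendor1": {"Vendor_Acme"},        # hypothetical third-party vendor group
}

POLICY: List[Rule] = [
    # IT-OT boundary: only finance users may reach the DMZ historian over OPC.
    Rule("finance-to-historian", "IT", "SCADA_DMZ", "opc", "SCADA_finance", "allow"),
    # Inside OT: operators may use OPC between the control zone and the DMZ.
    Rule("ops-opc", "SCADA", "SCADA_DMZ", "opc", "SCADA Ops", "allow"),
    # Third party: only Modbus, only from the vendor jump-server zone to the
    # zone holding that vendor's PLCs. OPC from the vendor is never listed,
    # so it falls through to the default deny.
    Rule("vendor-modbus", "Vendor_Jump", "PLC_Vendor", "modbus", "Vendor_Acme", "allow"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY,
             groups: Dict[str, Set[str]] = USER_GROUPS) -> Tuple[str, str]:
    """Return (action, rule_name) for a flow. First match wins; no match = deny.

    Matching is on zones, application identity and user group, never on port,
    so OPC on a non-standard port is still governed by the OPC rules and SSH
    on an OPC port is not mistaken for OPC.
    """
    user_groups = groups.get(flow.user, set())   # unknown user -> no groups
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.app) != (flow.src_zone, flow.dst_zone, flow.app):
            continue
        if rule.user_group is not None and rule.user_group not in user_groups:
            continue
        return rule.action, rule.name
    # Positive enforcement: anything not explicitly allowed is dropped.
    return "deny", "default-deny"


def audit(flows: List[Flow]) -> List[str]:
    """Produce one log line per flow; denied flows are the anomalies to review."""
    lines = []
    for f in flows:
        action, rule = evaluate(f)
        lines.append(f"{action.upper():5} {rule:20} {f.user}@{f.src_zone}->{f.dst_zone} "
                     f"app={f.app} port={f.dst_port}")
    return lines


if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("IT", "SCADA_DMZ", "opc", 135, "alice"),
        Flow("IT", "SCADA", "opc", 135, "alice"),          # wrong zone: denied
        Flow("Vendor_Jump", "PLC_Vendor", "modbus", 502, "vendor1"),
        Flow("Vendor_Jump", "PLC_Vendor", "opc", 135, "vendor1"),  # denied
        Flow("IT", "SCADA_DMZ", "opc", 135, "mallory"),    # unmapped user: denied
    ]
    print("\n".join(audit(sample)))
```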
Access control via App-ID and User-ID helps to reduce your attack footprint as well as the risk of accidental cyber incidents such as erroneous programming by less experienced personnel. This takes us to the next core technology, Content-ID. This service blocks malicious payloads, such as exploits, viruses, and spyware/CNC (command and control), and also helps to further reduce your footprint by controlling access to URLs/Domains.
Finding Zero Days
Okay, so what about the never-before-seen variants of Havex? The next thing to put in place is a means to detect Zero Day malware. There are services that isolate suspicious payloads entering your network, detonate them in a virtual sandbox environment, and determine whether the payloads are benign or malicious in nature. Service subscribers get protections against malicious payloads in as little as 30 minutes.
Endpoint security remains a vital cog in securing a network. One way a security solution could work is that, instead of trying to block the large and quickly growing universe of known malware and exploits, it blocks the exploitation techniques themselves. The universe of techniques is on the order of a couple dozen and grows very slowly, which makes this approach much more effective.
Del Rodillas is a senior product manager for SCADA & Industrial Control Systems at Santa Clara, CA-based Palo Alto Networks.
Thursday, February 20, 2014 @ 03:02 PM gHale
Security firms Check Point and Bit9 will combine their individual areas of expertise in a move to upgrade their service offerings.
The companies will offer the upgraded service in the first half of 2014.
Check Point and Bit9 said the solution will attempt to fix four key challenges posed by advanced threats: It will let IT managers prioritize alerts, respond to them, prevent incoming attacks and analyze all incoming files passing through their endpoints and servers.
“Integrating the Check Point Threat Emulation Service with the Bit9 Security Platform, now with Carbon Black, extends real-time malware prevention, detection, analysis and response to every endpoint and server,” said Brian Hazzard, vice president of product management for Bit9. “Attacks and compromise are the new normal, but complete lockdown of every machine is unrealistic.”
“The best protection is to secure as many endpoints and servers as possible and put the rest in a ‘detect-detonate-deny’ posture that allows for real-time security policy enforcement as threats appear. This is exactly the operational value and closed-loop integration we will deliver as a result of our partnership with Check Point.”
“Check Point’s network-protection and threat-emulation capabilities, combined with Bit9 and Carbon Black’s advanced threat security and incident-response solutions, will deliver complete end-to-end protection,” said Dorit Dor, vice president of products at Check Point.
Check Point and Bit9 are two of many companies to bolster their advanced threat-detection and protection portfolios in recent months. IBM just unveiled a new Security QRadar Incident Forensics attack-detection tool for enterprise-level businesses.
Thursday, July 25, 2013 @ 06:07 PM gHale
There has been an uptick in more sophisticated and targeted malware attacks over the last 24 months, a new survey said.
The most likely avenue for a malware attack, and cause for successful malware attacks, is lack of user knowledge about cyber security risks, according to a survey of 315 North American-based IT security professionals working at enterprise-class organizations (1,000 employees or more) sponsored by Malwarebytes and conducted by Enterprise Strategy Group (ESG).
The study found enterprise organizations are seeing an increase in more sophisticated malware and are making it a strategic priority to add new layers of endpoint security to protect their organizations against advanced Zero Day and polymorphic threats commonly used for targeted attacks.
“As cyber-attacks become more sophisticated, IT security professionals are realizing that relying on only one layer of endpoint security isn’t enough. Each endpoint needs multiple layers of malware detection to ensure complete protection,” said Marcin Kleczynski, chief executive of Malwarebytes. “The reality is, most antivirus products will miss nine out of 10 Zero Day malware threats, and having a layered approach blocks advanced threats that traditional antivirus scanners may fail to detect.”
The ESG report found the majority of respondents have seen an uptick in more sophisticated and targeted malware attacks over the last 24 months. However, 62 percent of organizations surveyed said endpoint security software is not effective for detecting Zero Day and/or polymorphic malware, which leaves them vulnerable to these attacks. Likely avenues for malware to compromise an organization’s system included employees opening an infected email attachment and unwittingly clicking on an infected URL while surfing the Web. Survey respondents indicated an employee clicking on an infected URL posted within an email was the most likely vector for malware to infiltrate their organizations.
For 57 percent of respondents, it took hours on average to detect that an IT asset had been compromised by malware. It took 19 percent of organizations several days to determine there had been an attack, and 29 percent of respondent organizations that have suffered a successful malware attack believe the increasing use of social networks is responsible for those attacks.
In addition, two-thirds of U.S.-based respondents do not believe the U.S. federal government is doing enough to help the private sector cope with the current cyber-security and threat landscape, and 85 percent of IT security professionals expressed concern about some type of massive cyber attack that could impact critical infrastructure, the economy and/or national security.
“When it comes to managing malware risk, enterprises would be best served by implementing a layered approach using proactive and reactive lines of defense through their networks. Antivirus software plays a key role in protecting organizations, but it should not be the only method used to deter malware attacks,” said Jon Oltsik, senior principal analyst at ESG. “Additionally, sometimes the biggest vulnerability in an organization is the computer users. Because employee actions can greatly impact computer security, educating employees on potential threats and how to avoid them should be made a priority.”
Thursday, July 25, 2013 @ 05:07 PM gHale
Senior executives are now becoming very aware of the cyber threat hanging over them with over 66 percent of the top brass concerned their companies will not be able to stop cyber threats, and one in five say their biggest concern is not knowing whether an attack is underway, a new survey found.
However, sometimes fears don’t always translate into fixes. Of those surveyed, 42 percent report not having an Incident Response Team in place, and nearly half (47 percent) said they are not making use of advanced malware analysis tools, according to the ThreatTrack Security report.
The independent blind survey of 200 C-level executives at enterprises was conducted by Opinion Matters on behalf of ThreatTrack Security in June 2013. The results highlight the opinions of CSO, CIO, CEO and CTO executives related to the cyber security practices of their companies.
At a time when advanced persistent threats (APTs), targeted attacks, Zero Day threats and other sophisticated malware have become profitable businesses for malware writers and cybercriminals, many large enterprises are still struggling with how to protect themselves.
It is especially telling that, according to the study, 97 percent of enterprises with annual security budgets over $1 million still report concerns that they are vulnerable to malware attacks and cyber espionage tactics.
“Enterprises are facing an unprecedented surge of highly targeted and sophisticated threats that are designed to evade traditional malware detection technologies,” said Julian Waits, chief executive at ThreatTrack Security. “The only way to battle these threats effectively is with a combination of highly skilled cyber security professionals armed with the strongest malware analysis tools available. Companies that don’t employ the right mix of people, process and technology are making themselves excellent targets for the cyber bad guys.”
Key findings from the survey include:
• 69 percent of executives fear their organizations may be vulnerable to targeted malware attacks, APTs and other sophisticated cybercrime and cyber-espionage tactics.
• More than one in five enterprises (21 percent) said their biggest concern is not knowing whether an attack is taking place.
• 47 percent said their cyber defense does not include an advanced malware analysis tool, such as a malware analysis sandbox; 42 percent do not have a dedicated Incident Response Team employed.
• One third of the enterprises surveyed say they are aware of a targeted malware attack against their company, including 50 percent of financial services firms and 53 percent of manufacturing companies.
• 82 percent of financial services firms fret over APTs and sophisticated attacks, but only half of them employ an advanced malware analysis tool like a sandbox.
• 36 percent of enterprises said they are more concerned about losing proprietary intellectual property and trade secrets in a breach than about losing their customers’ personally identifiable information (such as credit card data, social security numbers or medical records).
Friday, February 22, 2013 @ 03:02 PM gHale
Even in today’s heightened digitally aware environment, companies remain unprepared to protect themselves against an emerging, relentless cyber security danger that threatens national security and economic stability, a new survey said.
Advanced persistent threats (APTs) are not easy to eliminate, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found 53 percent of respondents do not believe APTs differ from traditional threats.
This disconnect indicates IT professionals and their organizations may not be fully prepared to protect themselves against APTs, ISACA said.
“APTs are sophisticated, stealthy, and unrelenting,” ISACA International Vice President Christos Dimitriadis said. “Traditional cyber threats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective — and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”
High-profile examples of APTs include the Google Aurora attack, disclosed in January 2010, and an attack on security, compliance, and risk management provider RSA in 2011. Although APTs are espionage tactics that often look to steal intellectual property, the Google Aurora and RSA attacks show these threats are not just facing government entities, the report said.
Although more than 70 percent of IT professionals surveyed said their organizations are able to detect APT attacks, and more than 70 percent said they are able to respond to APT attacks, their description of controls indicate a misunderstanding and lack of preparation, according to ISACA. Top controls enterprises use to stop APTs were anti-virus and anti-malware programs (95 percent), and network perimeter strategies such as firewalls (93 percent).
The difference is APTs can get around these types of defenses. “APTs call for many defensive approaches,” said ISACA Director Jo Stewart-Rattray.
APT hackers do use social media to learn information about employees of organizations. Then they send “spear phishing” emails that appear legitimate. Ninety percent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.
While 22 percent of respondents said they have suffered an APT attack, 63 percent said it is only a matter of time before their enterprise is targeted by an APT.
“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cyber security for Trend Micro said in the news release. “… Enterprises are under attack, and they don’t even know it.”
Thursday, February 21, 2013 @ 05:02 PM gHale
Sophisticated attacks that once targeted the financial services industry are now going out to other critical sectors, while the bad guys are employing new tactics and technologies to avoid industry-standard security measures.
Does that mean bad guys don’t want to play by the rules?
There is a continued proliferation of password-stealing Trojans and advanced persistent threats (APTs) such as Operation High Roller and Project Blitzkrieg, and an expansion of their attacks to government, manufacturing and commercial transaction infrastructure targets, according to the report from McAfee.
“We are seeing attacks shifting into a variety of new areas, from factories, to corporations, to government agencies, to the infrastructure that connects them together,” said Vincent Weafer, senior vice president of McAfee Labs. “This represents a new chapter in cyber security in that threat-development, driven by the lure of financial industry profits, has created a growing underground market for these cybercrime weapons, as well as creative new approaches to thwarting security measures common across industries.”
Leveraging data from McAfee’s Global Threat Intelligence (GTI) network, the McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public.
In Q4 2012, McAfee Labs identified the following trends:
More threats, more availability, more industries targeted. As a group, unique password-stealing Trojans grew 72 percent in Q4 as cybercriminals realized user authentication credentials constitute some of the most valuable intellectual property stored on most computers. Now widely available, these Trojans are increasingly appearing within customized threats or combined with other “off-the-shelf” threats available on the Internet. Fourth quarter revelations around the Citadel Trojan suggest this Trojan’s information theft capabilities are going beyond the financial services sector.
Web threats shift from botnets to URLs. McAfee continued to see suspicious URLs replacing botnets as the primary distribution mechanism for malware. An analysis of web threats found the number of new suspicious URLs increased by 70 percent in Q4. New suspect URLs averaged 4.6 million per month, almost doubling the previous 2.7 million per month figure from the last two quarters. Ninety-five percent of these URLs were hosting malware, exploits or code designed specifically to compromise computers. The decline in the number of infected systems controlled by botnet operators comes in part by law enforcement efforts to bring botnets down, but perhaps more so by the declining appeal of the botnet business model.
Increase in infections beneath the OS. The volume of Master Boot Record-related malware climbed 27 percent to reach an all-time quarterly high. These threats embed themselves deep within the PC system storage stack, where standard antivirus solutions cannot detect them. Once embedded, they can steal user information, download other malicious software, or leverage the infected PC’s computing power to launch attacks against other PCs or networks. While these MBR attacks represent a relatively small portion of the overall PC malware landscape, McAfee Labs expects them to become a primary attack vector in 2013.
Malicious signed binaries circumvent system security. The number of electronically-signed malware samples doubled over the course of Q4. This indicates cyber criminals have decided that signing malware binaries is one of the best ways to circumvent standard system security measures.
Mobile malware continues to increase and evolve. The number of mobile malware samples discovered by McAfee Labs in 2012 was 44 times the number found in 2011, meaning 95 percent of all mobile malware samples appeared in the last year alone. Cyber criminals are now dedicating the majority of their efforts to attacking the mobile Android platform, with an 85 percent jump in new Android-based malware samples in Q4 alone. The motivation for deploying mobile threats is rooted in the inherent value of the information found on mobile devices, including passwords and address books, as well as new “business” opportunities that are not available on the PC platform. These opportunities include Trojans that send SMS messages to premium services, which then charge the user for each message sent.
Thursday, December 6, 2012 @ 06:12 PM gHale
The rush of mobile devices entering corporate networks, advanced persistent threats and third-party application vulnerabilities are the primary pain points for IT professionals headed into 2013.
These are new and different issues; a few years ago, they were not even a blip on the worry-meter.
One of the top concerns cited in the fourth annual report researched by the Ponemon Institute was the proliferation of personally-owned mobile devices in the workplace such as smartphones and tablets. Eighty percent of those surveyed said laptops and other mobile data-bearing devices pose a significant security risk to their organization’s networks.
With 13 percent stating they use stricter security standards for personal over corporate-owned devices and 29 percent reporting no security strategy for employee-owned devices at all, there is a clear disconnect between awareness and action.
These figures are quite different compared to the 2010 survey. At that time, nine percent of respondents said mobile devices were a rising threat. This year, 73 percent rank mobile as one of the greatest risks within the IT environment.
This year’s study also found IT professionals view third-party applications as a major security threat. In fact, 67 percent of those surveyed reported they viewed third-party applications as a significant risk – second to mobile security risk.
In previous years’ surveys, the server environment, data centers and operating system vulnerabilities were the primary concerns. With the proliferation of mobile devices, along with the wide range of software and removable media commonly used in today’s enterprise environment, IT practitioners increasingly worry about the attack vectors these third-party tools could bring into the corporate network.
In addition to mobile security risk, the security concern that represents the biggest headache for 2013 is advanced persistent threats (APTs). Whereas worms and less harmful viruses were a concern in earlier reports, today’s IT teams consider APTs and hacktivism a real, global threat.
Of those surveyed, 36 percent reported they viewed advanced persistent threats as a “significant” threat to their environments while just 24 percent of respondents held this view last year. In addition, 12 percent of those surveyed this year stated current anti-virus/anti-malware technology is very effective in protecting their IT endpoints from today’s malware risk.
“Once again, we found the changing security terrain is preventing the state of endpoint security from improving,” said Dr. Larry Ponemon, chairman and founder, the Ponemon Institute.
“With the rise of hacktivism and advanced persistent threats, along with the sheer number of malware incidents we are seeing today, IT simply cannot keep up with the bad guys,” he said. “Add to this fact that end-users are furthering the complexity of the IT environment by bringing in mobile devices and downloading third-party applications — causing risk to exponentially proliferate. IT simply must take further action before the risk is beyond their control.”
Over 670 IT and IT security practitioners took part in this year’s study. Of those, 77 percent were in organizations with a headcount of more than 1,000 and 66 percent were in a supervisory role or higher. These professionals spanned key industries including financial services, the public sector and healthcare.
Monday, October 29, 2012 @ 12:10 PM gHale
A new generation of advanced persistent threats (APTs) forced McAfee to update its Endpoint Security platform.
In the ever changing and dynamic environment of cyber security, the company said the update would better equip systems to block highly sophisticated attack techniques, such as the use of master boot record (MBR) sabotage techniques and the use of Zero Day flaws for intrusion attempts.
The update would look to expand not only the scope of protections for Endpoint Security, but also the range of device form factors covered, said Candace Worley, senior vice president and general manager of Endpoint Security for McAfee.
“We believe that the endpoint has to become more dynamic and context-aware,” Worley said.
“Devices are becoming more diverse, you have everything from a laptop and desktop to a tablet form factor.”
In addition to the MBR protections introduced, McAfee is updating the Enterprise Mobility manager to add support for iOS 6 devices and adding to the whitelisting protections on the McAfee Application Control administrator tool.
Encryption is also a priority in the update. The company said it would be updating the Endpoint Encryption platform to support PC and MacOS X systems. The update will include the use of new encryption algorithms from Intel which allow for faster encryption and decryption of data.
In addition to security enhancements, the company said the new Endpoint Encryption would simplify the process of managing and updating systems required to have encryption. By integrating the tool with the company’s ePolicy Orchestrator Deep Command console, administrators will be able to remotely access and patch end user systems without the need to enter credentials.
“If you have a full-disk encryption product and you power those systems off at night, you need a body to type in that password to decrypt it, and that is problematic,” Worley said. “This really addresses that case.”