Malware Devil

Thursday, May 20, 2021

Dev-Sec Disconnect Undermines Secure Coding Efforts

Rather than continue to complain about each other, developers and security pros need to work together and celebrate their successes.


RSA CONFERENCE 2021 — The disconnect between security teams and development teams continues to cause problems for companies’ efforts to secure software and their infrastructure, a security consultant told attendees during a virtual session at the RSA Conference.

Chris Romeo, CEO of training provider Security Journey, argued that companies are undermining their application security initiatives by not making more efforts to break down the walls between developers, security, and operations. A central problem is that many security professionals are not coders and do not understand their incentives and motivations. Meanwhile, developers see security as busy work and say that application security tools produce a high number of false positives.

Romeo called this tension between developers and security “the dev-sec disconnect,” and it’s when developers and security professionals see the other as the enemy, not as a partner.

“As a developer, I’m sitting here thinking to myself, ‘These security people are always in the way, they are always slowing me down, they have arbitrary requirements, [and] they can’t make up their mind [when] we need to push these new features into production,'” he said. “On the other side of the coin, security is saying, ‘These developers, they are lazy, they are not applying the guidance we are providing, … [and] their code is insecure.”

DevOps and agile programming have become the dominant approach to application development: 68% of companies in a recent survey conducted by GitLab, a DevOps service provider, said they use them. The survey found the majority of developers — 71% — consider security to either be their responsibility or a shared responsibility with another group.

Yet developers and security teams still need to improve how they work together, Security Journey’s Romeo said. Security teams frequently mandate rather than advise, and a lack of a detailed security process tends to convince many developers that security decisions are arbitrary and always hindering their job, he told attendees.

Instead, companies need to celebrate the successes as much as spotlight security problems, he said.

“By celebrating security wins, we can make security good for our developers and not consistently negative,” he said. “It is not that difficult of a thing to do, but often developers only hear about how the sky is always falling.”

Among the advice that Romeo has for security teams and companies intent on improving their application security programs: Tune the tools to reduce false positives, work together to determine the right amount of resources to dedicate to security needs, educate developers about security, and also educate security professionals about development.

“We always start with the what or the how … we don’t step back and say, ‘Here’s why you need to do that,'” he said. “Help the project-adjacent folks to understand why security is important for your customers. Not you as a security team, not for your executives, not for some other group inside your companies, but for your customers.”

Part of that is creating metrics for security return on investment. One important metric, for example, is to track the rework required to fix bugs that have a security component to them, Romeo says.

Another major recommendation: Make sure both security professionals and developers know that they need to partner for the business to succeed, not declare one as the gatekeeper. Guardrails are fine, but developers need room to maneuver, he said.

“We have guard rails to protect us from going off the side of the mountain,” Romeo said. “They don’t work if they are only two inches from your car and give you no room to maneuver. Security guardrails need to give you some freedom around the development process.”

While Romeo sees the disconnect between security workers and developers as a continuing problem, the GitLab survey released earlier this month spotlighted some hopeful trends. While security and application testing continues to be a headache for developers — with 40% of developers concerned that it takes place too late in the development pipeline — 72% of developers considered their organizations’ security to be either good or strong, 13 points higher than the previous year.

About 43% of the survey’s respondents deploy software at least once a week, the survey found.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …




BYOT – Bring Your Own Telemetry

Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… so that you can come back to it one day.

For CompatTelRunner.exe this day is today.

When I looked at this program a few years ago I saw it has great LOLBIN potential. It takes two arguments: -m for the module, and -f for the exported API function name. Nothing could be better than that, right?

You just invoke:

CompatTelRunner.exe -m:foo.dll -f:bar

and it will load foo.dll and call the bar API!

The problem is that the programmers of this tool anticipated this sort of abuse and built in some code to block it:

- they made sure the DLLs are loaded from the system directory, and the path to the system directory is retrieved via the GetSystemDirectory API;
- they also check that the -m argument is one of:
  appraiser.dll
  generaltel.dll
  invagent.dll
  devinv.dll
  aeinv.dll
  aepic.dll
  pcasvc.dll
- finally, they also check that the -f argument is one of:
  DoScheduledTelemetryRun
  UpdateAvStatus
  RunGeneralTelemetry
  DoCensusRun
  RunInUserCxtW
  RunUpdate
  GetFileSigningInfo
  CreateDeviceInventory
  UpdateSoftwareInventoryW
  UpdateSoftwareInventory
  GetCITData
  QueryEncapsulationSettings

Bummer.

Today it crossed my mind that I never checked if we can find these DLLs in both System32 and SysWOW64 directories. I hypothesized that maybe one of the 32-bit ones is missing and we could place our own there. I quickly checked and found out far more than I anticipated – from the list of all .exe and .dll listed above I could only find the following:

\Windows\System32\CompatTelRunner.exe
\Windows\System32\appraiser.dll
\Windows\System32\generaltel.dll
\Windows\System32\invagent.dll
\Windows\System32\devinv.dll
\Windows\System32\aeinv.dll
\Windows\System32\aepic.dll
\Windows\System32\pcasvc.dll
\Windows\SysWOW64\aepic.dll

As you can see, almost none of these allowed DLLs are present in the SysWow64 directory. And, there is no sign of 32-bit CompatTelRunner.exe either.

Since…

I decided to borrow one from a 32-bit version of Windows 10 and placed it in c:\test. I then created my test c:\WINDOWS\SysWOW64\appraiser.dll and ran:

CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun

Once my test 32-bit DLL got loaded, I could see its debug message in Debug View:

It’s nothing groundbreaking, and I have abused subtle differences between SysWOW64 and System32 many times before, but it’s still fun to discover more of them over and over again.
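The checks described above, turned into defender-side hunting logic: an added example, not code from the original post. It assumes Sysmon-style process-creation fields (Image, CommandLine) plus a constructed Is32Bit flag standing in for the image's PE bitness, and treats aepic.dll as the only allowlisted DLL that ships under SysWOW64, which is what the author's listing shows.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Allowlists exactly as listed in the post: module names accepted for -m and
# exported function names accepted for -f.
ALLOWED_MODULES: Set[str] = {
    "appraiser.dll", "generaltel.dll", "invagent.dll", "devinv.dll",
    "aeinv.dll", "aepic.dll", "pcasvc.dll",
}
ALLOWED_FUNCTIONS: Set[str] = {
    "DoScheduledTelemetryRun", "UpdateAvStatus", "RunGeneralTelemetry",
    "DoCensusRun", "RunInUserCxtW", "RunUpdate", "GetFileSigningInfo",
    "CreateDeviceInventory", "UpdateSoftwareInventoryW",
    "UpdateSoftwareInventory", "GetCITData", "QueryEncapsulationSettings",
}
# Assumption (from the author's listing): aepic.dll is the only allowlisted DLL
# that Windows ships under SysWOW64; any other one found there is suspect.
SHIPPED_IN_SYSWOW64: Set[str] = {"aepic.dll"}

SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"

# CompatTelRunner's two switches, e.g. "-m:appraiser.dll -f:DoScheduledTelemetryRun".
ARG_RE = re.compile(r"-(?P<key>[mf]):(?P<val>\S+)", re.IGNORECASE)


def parse_cmdline(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return the (-m module, -f function) pair from a command line, None if absent."""
    args = {m.group("key").lower(): m.group("val") for m in ARG_RE.finditer(cmdline)}
    return args.get("m"), args.get("f")


def system_directory(is_32bit_process: bool) -> str:
    """What GetSystemDirectory() returns on 64-bit Windows: SysWOW64 for a WOW64 process."""
    return SYSWOW64 if is_32bit_process else SYSTEM32


def assess_event(event: Dict[str, object]) -> List[str]:
    """Findings for one process-creation event (Sysmon-like Image/CommandLine fields,
    plus a constructed Is32Bit flag standing in for the image's PE bitness)."""
    findings: List[str] = []
    image = str(event["Image"]).lower()
    image_dir = image.rsplit("\\", 1)[0]
    module, func = parse_cmdline(str(event["CommandLine"]))

    # Windows ships no 32-bit CompatTelRunner.exe, so one running from anywhere
    # but System32 is a relocated binary (the post's c:\test scenario).
    if image_dir != SYSTEM32:
        findings.append(f"CompatTelRunner.exe running from {image_dir}, not System32")

    if module is not None:
        module_l = module.lower()
        if module_l not in ALLOWED_MODULES:
            # The tool rejects this itself, but it still shows someone probing it.
            findings.append(f"module {module} not in allowlist (probing?)")
        else:
            load_dir = system_directory(bool(event.get("Is32Bit", False)))
            if load_dir == SYSWOW64 and module_l not in SHIPPED_IN_SYSWOW64:
                # An allowlisted name that resolves to a path Windows never populates:
                # whatever sits there was put there by someone.
                findings.append(
                    f"32-bit run would load {load_dir}\\{module_l}, which Windows does not ship")

    if func is not None and func not in ALLOWED_FUNCTIONS:
        findings.append(f"function {func} not in allowlist (probing?)")
    return findings


def audit_syswow64(paths: List[str]) -> Set[str]:
    """Allowlisted DLL names present under SysWOW64 that Windows does not ship there."""
    planted: Set[str] = set()
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        if directory == SYSWOW64 and name in ALLOWED_MODULES and name not in SHIPPED_IN_SYSWOW64:
            planted.add(name)
    return planted


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Image": r"C:\Windows\System32\CompatTelRunner.exe", "Is32Bit": False,
     "CommandLine": "CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun"},
    {"Image": r"C:\test\CompatTelRunner.exe", "Is32Bit": True,
     "CommandLine": "CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun"},
    {"Image": r"C:\Windows\System32\CompatTelRunner.exe", "Is32Bit": False,
     "CommandLine": "CompatTelRunner.exe -m:foo.dll -f:bar"},
]
SAMPLE_LISTING = [
    r"C:\Windows\System32\appraiser.dll",
    r"C:\Windows\SysWOW64\aepic.dll",
    r"C:\Windows\SysWOW64\appraiser.dll",  # the test DLL the post describes
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", assess_event(ev) or ["benign"])
    print("unexpected SysWOW64 DLLs:", sorted(audit_syswow64(SAMPLE_LISTING)))
```

On a real host, feed audit_syswow64 a directory listing of SysWOW64 and assess_event your process-creation telemetry; the Is32Bit value has to come from inspecting the image's PE header, which this offline example leaves as a supplied field.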



Lack of Skills, Maturity Hamper Threat Hunting at Many Organizations

When implemented correctly, threat hunting can help organizations stay ahead of threats, researcher says at RSA Conference.

RSA CONFERENCE 2021 – Many organizations that have implemented a capability for cyber-threat hunting aren’t deriving the full benefits from it, either because they lack the required skill set or because they have not fully made it a part of their cybersecurity program.

Tim Bandos, CISO and vice president of managed security services at Digital Guardian, says common mistakes that companies make include underestimating the time required for it and failing to get top-down support. Bandos hosted a session on best practices for threat hunting at the RSA Conference this week.

“Threat hunting is a critical component of an overall cybersecurity strategy whether it is done internally or through a managed service provider,” Bandos says. Instead of waiting for an incident to happen, threat hunting offers a way for organizations to proactively seek out potential issues by setting traps and looking for behaviors within the environment that suggest suspicious activity. “But unless it is an official part of your program, you can’t be successful at it,” he says.

Interest in proactive threat hunting to stay ahead of new and emerging threats has grown in recent years. Security researchers have described it as giving organizations a way to try and uncover threats that may have slipped through or bypassed intrusion detection and prevention controls. The idea with threat hunting is to assume a breach has already happened and then track down all the different ways it could have happened using the same techniques an attacker likely would have used to pull it off. The focus is not so much on chasing down known threats alone but also uncovering new ones.

Gartner has previously described cyber threat hunting as useful, especially for organizations that already have maximized their alert triage, detection, and response processes and are looking for additional improvements in their security posture.

Bandos says threat hunting is something that organizations need to do on an ongoing basis using resources like MITRE’s ATT&CK framework as a starting point. The framework offers different techniques and subtechniques that threat actors typically employ as part of the attack chain. Security teams can learn a lot by searching through their environment for signs of any of these techniques being used to enable or obfuscate malicious activity. “You can literally dive into a single one of those techniques all week searching through your environment,” he says.

Similarly, organizations can learn a lot sifting through logs from their endpoint environment or by profiling all accounts that might have been created over the past week and separating the legitimate ones from the ones that might be more suspicious.

Successful threat hunting requires an awareness of new and emerging attacker tactics, techniques, and procedures. Equally, it requires a willingness to keep constantly going back and looking at older techniques, too, because attackers often tend to stick with tactics that they are familiar with and that have worked for them previously.

To conduct effective threat hunting, security teams need to have a reliable data source, such as a security information and event management system with centralized logs from multiple sources. Even logs from individual environments — such as endpoint detection and response, antivirus tools, networks, and data loss prevention (DLP) systems — are sufficient for threat hunting. Once the data source has been defined, threat hunters need to search through it using different techniques.

For example, the goal could be to hunt for signs of credential dumping in the environment. “You want to aggregate all threat intelligence that you know about credential dumping programs and commands and build a playbook around what you are going to actively seek around those logs,” he says. The same approach can be applied for each of the different attack techniques listed in frameworks such as MITRE ATT&CK.

“I would start by focusing on a particular technique and then kind of exploding from there to a point where you can collect a particular artifact from every single endpoint in your environment and hunting through that data,” he says. “That is when you start leveling up your capabilities in the threat hunting space.” As one example, he points to the application compatibility cache that is stored on all machines. The caches contain a record of all processes that ran on a particular machine. Organizations can conduct a whole hunting campaign around just that data source alone.

The Right Skill Set
To be good at it, threat hunters need a solid understanding of security architectures, asset security, application security, and other fundamentals. They also need some level of incident response skills, including log analysis, malware analysis, forensics, and threat intel handling. Additionally, a threat hunter needs to be analytical, patient, and relentless, according to Bandos. The job can be tedious, and those without the right attitude can get quickly frustrated, he says.

One challenge with threat hunting is measuring success. It sometimes can be unclear if a threat hunting exercise turned up nothing because the exercise itself was not conducted properly or because there really was nothing to uncover. In smaller environments especially, threat hunters might often not uncover any new or hidden threats.

But in larger environments, with tens of thousands of endpoints, threat hunting can frequently uncover artifacts that might have slipped through intrusion detection and prevention controls. When threat hunting is handled internally, the analysts in charge most often tend to wear multiple hats. While that by itself is not a bad thing, it’s important that threat hunting not be viewed as a part-time endeavor, Bandos says.

“The worst mistake is just assuming something is legitimate,” just because it appears to be that way, Bandos says. Often, security analysts — especially the less experienced ones — can look at some activity or log data and ignore it because it appears to be normal. He adds: “Bad actors do a fantastic job of blending in and staying within the lines.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


Don’t Let Scary Headlines Shape Your Company’s Cyber-Resilience Strategy

Resilience planning should be based on data and backed by technology, cybersecurity pros agreed at this week’s RSA Conference.

(Image: Skorzewiak via Adobe Stock)

RSA CONFERENCE 2021 – When the Colonial Pipeline attack made headlines earlier this month, Steve Grobman knew that every security practitioner would soon be talking about ransomware risk in their organizations again.

“Here we are halfway through 2021 and the pendulum has swung back to discussing ransomware attacks,” he says. “If all of our focus is on the last thing to [have] happened, then we can get in a really dangerous situation.”

Grobman, senior vice president and chief technology officer at McAfee, served as a keynote speaker at RSA Conference this week, pointing to the flaw in heeding headlines to make risk-based decisions. Grobman’s argument is this: As humans, we are awful at perceiving risk. We are too easily influenced by media, anecdotal data, and evolutionary biology. He called on security leaders to lean on data and science, not headlines, when deciding where to invest in tools and how to craft security strategy.

“A lot of what we can focus on in the media are these high-impact, high-profile incidents, like Sony and Ashley Madison,” he said. “But we’re getting too caught up in the exact playbook that is in any of these attacks. We need a holistic view of all events that could impact an organization.”

Grobman is advocating for more security teams to build risk models that consider three factors: impact, scale, and frequency. How likely is a certain type of attack or incident when it comes to your organization’s threat profile?

“How do we prep for earthquakes in earthquake-prone regions? It should be the same thing in cybersecurity,” he says. “Organizations need to do red teaming [and] tabletops on how they will respond to different types of attacks that could impact them.”

Always Evolving: A Cyber-Resilience Plan
In a panel on building cyber-resilience, which was also this year’s conference theme, panelists echoed many of Grobman’s assertions. In “Building Cyber Resilience: Considerations for CISOs,” Biju Hameed, director of technology infrastructure and operations at Dubai Airports, said his resilience planning is based on numbers and scientific assessment.

“It’s very important to define quantitative metrics in order to define resilience targets and capabilities,” Hameed said. “Often there are a lot of perceptions and assumptions of what we need to do.”

Abeer Khedr, information security director at the National Bank of Egypt, said the quest to determine which risks are most relevant is a constantly evolving process. With so much happening in digital banking and finance services, “There are no borders anymore, and the attack surface is constantly widening,” Khedr says.

With nation-states, hacktivists, and criminals also looking for ways to exploit financial weaknesses, the bank is always evolving its cyber-resilience program.

“When we talk about cyber-resilience, it’s always a journey. It’s never just a project,” added panelist Dr. Reem Al-Shammari, digital transformation leader of corporate solutions and digital oil fields at Kuwait Oil Co.

At Saudi Arabia telecom provider stc, resilience is based on three tenets, according to Arwa Alhamad, cybersecurity enablement director:

Having the mindset of a hacker: You have to think like an adversary and understand the battlefield.
Make it expensive and difficult: Invest the most in protecting the crown jewels of the organization.
Be well-prepared: Know how long it will take to detect and respond to an incident.

In addition to considering risks specific to the business, some of the best ways to build resilience are often to deploy some of the most basic technologies, McAfee’s Grobman said.

“If you are an organization that hasn’t implemented multifactor authentication, for example, turn on MFA,” he said. “Often it is a very boring but important place to start. Sometimes the most important things for an organization are the most boring or least exciting.”

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.


Maricopa County CISO: Online Misinformation/Disinformation in 2020 Election a ‘Gamechanger’

Custom playbooks played a key role in the Arizona election jurisdiction’s security strategy.


RSA CONFERENCE 2021 – The CISO of Maricopa County – which is currently in the midst of a controversial and politically charged recount of the 2020 presidential election results – said the biggest security challenge in the past election year was disinformation campaigns, mostly on social media.

Lester Godsey, the top cybersecurity official for the Arizona county, said in a panel discussion here today that his county during the 2020 election cycle saw attackers attempt port scanning, DDoS attacks, and other cyber activity, but the primary threat they faced was adversaries hacking trust in the election and election systems.

“I would say for 2020, one of our biggest challenges was around misinformation/disinformation from a social media perspective. That in itself was a gamechanger” for the county, he said.

Maricopa County created specialized playbooks for how it would respond to cyberattacks or other disruptive events in the run-up to, and during, Election Day. “On the day of the election… we utilized portions of our playbook around social media monitoring, which we reported internally and passed along to our Fusion Center here,” Godsey said.

He and his team spotted evidence of activity by an advanced persistent threat (APT) actor that the FBI also had been watching. According to Cynthia Kaiser, the FBI’s section chief for cybersecurity, intelligence and federal officials saw evidence of Iranian and Russian nation-state groups waging disinformation campaigns online during the election year.

Kaiser, who spoke on the RSAC election security panel along with CISA senior cybersecurity advisor Geoff Hale, reiterated there was no evidence of threat actors seeking to hack or sabotage the actual vote counts. “We didn’t see them go after the ballot box,” she said. “We saw them go after our minds with an aim toward destabilizing society” by casting doubt on the election system, she said.

Maricopa County’s Godsey said there “was no evidence whatsoever” of impropriety in the election, but misinformation and disinformation clouded perception for some of the integrity of the process.

He said his team will continue to “refine” their election playbooks, as well as their incident response playbooks, information gathering, and visibility, “improving the dashboard in our SIEM so we can more quickly pivot.” They will also automate manual tasks, he said.

Watch the full panel, “Election Security: Lessons from the Front Lines,” here.


100M Android Users Hit By Rampant Cloud Leaks

Several mobile apps, some with 10 million downloads, have opened up personal data of users to the public internet – and most aren’t fixed.

How to Build and Maintain a Resilient Web App Security Program – Kevin Gallagher – RSA21 #4

Prior to building a web security program, you have to have a plan. How does one create that plan? In this segment, Kevin will focus on some concrete steps to help you create an AppSec plan using a simple framework.

This segment is sponsored by Netsparker.

Visit https://securityweekly.com/netsparker to learn more about them!


Businesses Have to Bear Covert Fraud Losses Due to Subpar Defenses

Covert fraud losses such as costs of resetting account credentials overwhelmed contact centers attending to customer complaints, and regulatory fines, accompany the upfront financial damage that businesses incur due to ineffective fraud prevention solutions. These hidden costs not only add to the overall financial losses but can also cause customer churn and damage to brand […]


100M Users’ Data Exposed via Third-Party Cloud Misconfigurations

Researchers who examined 23 Android apps report developers potentially exposed the data of more than 100 million people.

Mobile app developers have potentially exposed the data of more than 100 million users due to misconfigurations of third-party cloud services, report researchers who analyzed Android apps.

The Check Point Research (CPR) team examined 23 Android applications and found multiple kinds of misconfigurations that may have exposed emails, chat messages, location, passwords, and photos. These misconfigurations may have also put developers’ internal resources at risk.

In 13 of these applications, CPR found publicly available sensitive data from real-time databases that allow app developers to store data in the cloud and ensure it’s synchronized to connected clients in real time. Some real-time databases were not configured with authentication, so the team could access data like chats and passwords by simply sending a request to the database.

A popular taxi app with this misconfiguration has more than 50,000 downloads, researchers report. They were able to access chat messages between drivers and passengers, and retrieve users’ full names, phone numbers, and destination and pickup locations by sending a request.

The team also found push notification and cloud storage keys embedded in multiple Android apps themselves. Most push notification services require a key — sometimes multiple keys — to recognize the identity of who submitted a request. When those keys are embedded into the app file, it’s easy for attackers to take control and send potentially malicious notifications.

Cloud storage is another common problem. When analyzing the “Screen Recorder” app, which has more than 10 million downloads, researchers were able to recover keys that grant access to each recording. Another app called iFax both had cloud storage keys embedded into the app and stored all fax transmissions there, they report.

Researchers note they disclosed their findings to Google and each app’s developer before they published their findings. Some of the apps have since updated their configuration.

Read the full Check Point blog post for more details.


LogRhythm and Zscaler Partner to Streamline Website Access Control

As cybercrime continues to grow, your network’s security remains a top priority. To protect your network from potential threats, better access control over your network is paramount. Without it, you could be leaving your organization vulnerable to threats. To help,…


Recent Attacks Against Software Integrity – Ed Skoudis – RSA21

Ed Skoudis joins us to discuss recent attacks against software integrity, including:

– open source libraries
– session tracking for single sign on
– weak crypto
– machine learning (ML) algorithms used to detect malware
– ransomware attacks – how they are evolving


Security Providers Describe New Solutions (& Growing Threats) at RSAC

SPONSORED CONTENT: Watch now — Leading security companies meet Dark Reading in the RSA Conference Broadcast Alley to talk about tackling insider threat, SOC complexity, cyber resilience, mobile security, attacker evasion, supply chain threats, ransomware, and more.

Watch Now: Work from Home Modifies the Endpoint Security Equation, Cisco Says

Watch Now: Cisco: Reduced Complexity in the SOC Improves Enterprise Security

All it took was a global pandemic and a shift to working from home to expose security operations centers’ open secret: Too much software, systems, and data to filter. Dug Song, chief strategy officer of Cisco Secure, makes a strong case for why reducing that complexity is the only tenable way forward for security professionals.

Watch Now: Sophos Research Uncovers Widespread Use of TLS By Cybercriminals

Watch Now: Acronis: Pandemic Hastened Cloud Migration, Prompting New Security Issues

The COVID-19 pandemic has accelerated an ongoing shift in data away from business data centers to home offices and the cloud, explains Candid Wuest, VP of cyber protection research for Acronis. Wuest also discusses the huge uptick in data breaches and credential theft, as well as the potential use of AI-fueled automation by cybercriminals.

Watch Now: Axis Fosters Work-From-Home Momentum with Zero Trust Network Access

Virtual private networking and virtual desktop infrastructure, while still useful, lack the hardened security required to keep users secure. That’s created an opening for Zero Trust network access, according to Dor Knafo, co-founder and CEO of Axis Security. He discusses why Zero Trust is more secure than VPNs or VDI, and how it works with SASE.

Watch Now: How Menlo Uses Isolation to Secure Mobile Devices in the Cloud

Mobile devices like smartphones and tablets have emerged as popular targets for bad actors looking to break into cloud-based networks, according to Poornima DeBolle, chief product officer for Menlo Security. Consequently, the vendor has created new mobile isolation features to keep devices secure – without any performance hit on the device.

Watch Now: Raytheon: Supply Chain, Ransomware, Zero Trust Biggest Security Priorities

While organizations may be more vulnerable than ever to supply chain hacks and ransomware, they can look to Zero Trust frameworks to keep their users and data safe, said Jon Check, a senior director in Raytheon’s cyber protection solutions business unit. Check also foresees wider use of automation to handle tasks humans in the SOC can’t get to.

Watch Now: Orange: Your Leaky Security is Coming from Inside the House!

Your home WiFi router may be streaming fast, but it’s also a major point of vulnerability in this work-from-home era, says Charl van der Walt, head of security research at Orange Cyberdefense. And while Zero Trust offers some relief, he offers up some how-to advice to ensure it’s properly deployed.

Watch Now: ExtraHop Explains How Advanced Threats Dominate Threat Landscape

How do SOC professionals build a strategy when they lack basic information about how such threats operate? Advanced threats by their very nature create plenty of uncertainty, according to Matt Cauthorn, VP of cloud security for ExtraHop. He discusses how to handle mitigation and encourages post-incident learning to improve resilience.

Watch Now: Devo: SIEM Continues to Evolve with Tech Trends and Emerging Threats

Security information and event management (SIEM) started as technology for the SOC and evolved to embrace the cloud. Some organizations split the difference with a hybrid of premises- and cloud-based SIEM, says Ted Julian, senior VP of product at Devo. As security data volumes continue to increase, SIEM’s evolution will only continue, he adds.

Watch Now: Uptycs Offers Resilience Formula to Boost Business Continuity

Breaches and data loss are inevitable, but customers can bounce back more readily with some planning and foresight, says Ganesh Pai, CEO and founder of Uptycs. He suggests a trajectory for customers looking to improve their own resilience, starting with proactiveness, followed by reactivity, then predictive capabilities and better protection.

Watch Now: Turn the Tables: Supply Chain Defense Needs Some Offense, Fortinet Says

While the SolarWinds hack put fresh attention on supply chain vulnerability, Derek Manky of Fortinet’s FortiGuard Labs suggests dismantling cybercriminals’ own supply chains to blunt their effectiveness and keep organizations safer. Manky discusses how defenders have dismantled criminal supply chains and what security pros can do.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …


The post Security Providers Describe New Solutions (& Growing Threats) at RSAC appeared first on Malware Devil.



https://malwaredevil.com/2021/05/20/security-providers-describe-new-solutions-growing-threats-at-rsac/?utm_source=rss&utm_medium=rss&utm_campaign=security-providers-describe-new-solutions-growing-threats-at-rsac

And Ransomware Just Got a Bit Meaner (yes… it is possible), (Thu, May 20th)

Ransomware has been evolving, and each evolution appears to be a bit “meaner” than the last. Early ransomware targeted consumers. Encrypting baby pictures or tax records motivated users to pay, in some cases, a few hundred dollars to get their data back. The attacker went for easy targets and, with that, for easy money. But as most people dealing with consumers can attest: customer support is hard! Many consumers do not know how to use cryptocurrencies. Even the relatively straightforward Bitcoin payment can be too difficult. And forget about currencies like Monero that are often not traded on mainstream exchanges.

Next came ransomware targeting enterprises. Payouts quickly reached millions of dollars. The influx of new money led to the rapid development of more sophisticated methods to attack enterprise networks and plant ransomware. Attacks lasted weeks or months, not seconds. The attackers carefully figured out how to cause the most damage to a particular entity and create sufficient urgency to pay the ransom, even if backups were available but too difficult to retrieve and restore.

But attackers didn’t stop here. Next, we had “extortionware”. In addition to encrypting the data, attackers exfiltrated the data and threatened to leak it. Companies like Quanta Computer are said to have paid tens of millions of dollars to groups deploying this kind of software. Of course, if the organization doesn’t pay, the attacker needs to find a method to release the data. This has now happened to the Irish Health Service Executive (HSE), with what may be devastating consequences [1]. The ransomware attackers not only leaked private health information after a ransom payment was categorically denied. In addition, other miscreants, or the original attackers themselves, are now using this leaked data.

Apparently, individuals in Ireland are receiving calls claiming to come from the Irish health service, asking for banking information. The caller uses leaked data (personal information like date of birth and address, but also the date and type of recent medical procedures) to “authenticate” themselves to the victim. The victim is then asked for banking information for a “refund”.

[1] https://siliconangle.com/2021/05/19/information-stolen-ransomware-attack-irelands-health-service-shared-online/


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post And Ransomware Just Got a Bit Meaner (yes… it is possible), (Thu, May 20th) appeared first on Malware Devil.



https://malwaredevil.com/2021/05/20/and-ransomware-just-got-a-bit-meaner-yes-it-is-possible-thu-may-20th/?utm_source=rss&utm_medium=rss&utm_campaign=and-ransomware-just-got-a-bit-meaner-yes-it-is-possible-thu-may-20th

Tech Consolidation and the Final Acts of Once Vital Point Solutions – Jess Burn – RSA21

Of particular interest to me from our newly published “The Forrester Tech Tide™: Zero Trust Threat Detection And Response, Q2 2021” are what look like the final acts of several solutions once considered vital detection and response point products. While automated malware analysis (sandboxing) and network intrusion detection systems (NIDS) remained in our Divest category, three more technologies joined them this year: data loss prevention (DLP), managed security service providers (MSSP), and security user behavior analytics (SUBA). Why is this? Because these stand-alone technologies simply don’t cut it anymore. This isn’t to say these solutions are dead, mind you. No, they live on within larger, more comprehensive solutions.

Segment Resources:

https://go.forrester.com/blogs/the-death-and-life-of-the-standalone-solution/
https://www.forrester.com/report/The+Forrester+Tech+Tide+Zero+Trust+Threat+Detection+And+Response+Q2+2021/-/E-RES164039?objectid=RES164039

The post Tech Consolidation and the Final Acts of Once Vital Point Solutions – Jess Burn – RSA21 appeared first on Malware Devil.



https://malwaredevil.com/2021/05/20/tech-consolidation-and-the-final-acts-of-once-vital-point-solutions-jess-burn-rsa21/?utm_source=rss&utm_medium=rss&utm_campaign=tech-consolidation-and-the-final-acts-of-once-vital-point-solutions-jess-burn-rsa21

2021-05-20 – Hancitor with Ficker Stealer, Cobalt Strike, and netping tool

The post 2021-05-20 – Hancitor with Ficker Stealer, Cobalt Strike, and netping tool appeared first on Malware Devil.



https://malwaredevil.com/2021/05/20/2021-05-20-hancitor-with-ficker-stealer-cobalt-strike-and-netping-tool/?utm_source=rss&utm_medium=rss&utm_campaign=2021-05-20-hancitor-with-ficker-stealer-cobalt-strike-and-netping-tool

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...