Give Thanks for Your Enterprise SOC and NOC Teams

While many U.S.-based enterprise workers plan to take a day off to celebrate Thanksgiving, their SOC and NOC teams are preparing for battle. Despite most workers logging off, U.S. enterprise attacks increase significantly on holidays.

This season’s official start might have kicked off early with a ransomware attack on Baltimore County Public School system yesterday that took down its internal networks. It’s such a big deal that the Cybersecurity and Infrastructure Security Agency (CISA) annually updates its site with tips and hints for reminding Americans about the increase for cybersecurity awareness.

Why? Despite reduced network activity during the holidays, NOC and SOC teams might have fewer members with a few members celebrating their well-deserved time off. This situation can create potential risk if not managed or planned for, which creates opportunities for attacks to be overlooked. Yet, as every security team knows, someone has to be available to monitor network security during the holidays, checking for IOCs, running sandboxes with potential threats and flagging potential threats with the appropriate team members.

What can you do to make their lives easier? Log out of systems that you have access to. If you are checking email during your celebration, be mindful of emails that you’re not used to and don’t reply to those you’re unsure of. Don’t open personal web-based email accounts on your work-based computer. And while you are taught to never let your guard down with cybersecurity, tis the season to raise your guard a little higher. Simple things.

Phishing attacks are a common form of holiday attack when email recipients are highly distracted or in a “holiday” mindset and are more likely to reply quickly to get back to the celebration. From cute ecards to last-minute shopping deals to mysterious past-due invoices, phishing attacks increase significantly over the holidays and any of these in your work inbox can open an attack opportunity. For instance, an Emotet botnet attack discovered in 2018 featured malicious spam emails with subject lines such as “Thanksgiving day wishes.” In 2019, that form of attack only got worse with a 233% increase in malicious phishing URLs. No one yet knows what 2020 might bring.

If you know a member of the SOC or NOC team, wish them a happy holiday and thank them for not protecting your enterprise. And if you’re the baking sort and can go into the office, leave them a few freshly baked cookies; they’ll be appreciated.


Cybersecurity Awareness Month: Trick or Treat? CxOs and Boards, Be Careful What You Ask For

A major goal of Cybersecurity Awareness Month is to raise awareness and educate as many people as possible on the importance of cybersecurity and the threats they face. As Cybersecurity Awareness Month comes to a close on Halloween, I thought I would take a different approach and provide what you might see as a treat, especially for CxOs and Board members.  I’d like to raise awareness of the cybersecurity team in your organization and their tireless fight to combat cyber threat actors 24x7. These men and women play an important role in keeping companies operational and protecting your customers and your brand. It is important to continuously have awareness and appreciation for your cybersecurity team and its leadership as they are expected to mitigate every attack without fail. When they do stop an attack, it is rarely acknowledged or quantified to show the level of positive impact they provide; yet they are under significant scrutiny when there is a successful breach. It's especially important for CEOs, CFOs and Board Members to stay aware of their own security team, the services they provide, and the challenges they face. Hopefully, this post helps raise awareness which will in turn enhance communications and cybersecurity effectiveness year-round.

Cybersecurity teams have never been under more pressure to perform and had so many requirements to support. However, some of the demands put on the security team and questions posed to them can limit their effectiveness. Here are some key considerations for CxOs and Board Members that I think will help provide some context the next time they meet or interact with their cybersecurity team:

  • Being compliant doesn’t mean your organization is secure. Compliance requirements overweigh legacy approaches to cybersecurity and if you restrict your security program from investing in and deploying emerging cybersecurity tools your organization will undoubtedly be playing whack-a-mole. This reactive approach to cybersecurity ends up costing millions of dollars more than forecasted.
  • Cybersecurity teams are made up of humans, not robots. Incidents (false positives) spin them up frequently and as a result, many have experienced long hours over months trying to restore trust in the organization’s IT systems. They have sacrificed many birthdays, holidays, weekends, little league games and other events. This takes a toll on the workforce.
  • Cybersecurity teams often request training to stay sharp and maintain professional certifications. Training is an important investment to help mature your organization’s cybersecurity defense capabilities and critical to morale and higher retention rates.
  • Giving the security team new capabilities to empower them and keep their skills sharp also has strong benefits for retention and improved team morale.
  • Black box tools limit your cybersecurity team’s analytical thinking and creativity, putting them in the back seat as they try to face advanced cyber threat actors.
  • Cybersecurity must be seen as a critical enabler of business success and not solely as a cost center. Giving the cybersecurity team freedom and allowing them to focus on securing the organization vs. achieving compliance has had positive results.
  • Giving customers peace of mind and comfort that your organization is going above and beyond to protect their data is a strong selling point when many competitors are oftentimes not doing so and potentially cutting corners.
  • IT decisions (especially those made to save costs) should always have the security team involved during the architecture and requirements phases. Security needs to be built into all processes and validated. Be careful that cost savings in IT don’t in turn add new or additional risks and costs in other areas. This is also very important in evaluating companies for acquisition and during post-merger management.
  • Cybersecurity Awareness should be promoted 12 months a year and be a part of everyday life. CxOs constantly communicating the importance of cybersecurity and then backing that up with action breeds a culture that strives to achieve high levels of cybersecurity maturity within their organizations. We all know the saying; actions speak louder than words and there are plenty of well-known examples where this strongly applies to cybersecurity.

It has always been challenging to evaluate how well investments in an organization’s cybersecurity program are working. Some CEO/CFOs see cybersecurity as a cost center and are constantly pushing the cybersecurity team to justify their budget and measure the value of their investments. In some cases where no (known) major breach has occurred, some CEO/CFOs may conclude that the organization is overspending on their cybersecurity program. In the coming years, it is expected that there will be more accountability of the C-Suite and Board members for the performance of their cybersecurity programs now is the time to raise awareness.

That said, there are two major trends in the cybersecurity landscape to be mindful of.  First, cyber adversaries are becoming more aggressive, more capable, and their numbers are growing. They are finding safe havens where they don’t have to play by any rules. Secondly, many organizations and companies have many rules to follow and sadly they often stop at checking the box on these rules (achieving compliance) when implementing cybersecurity.  The constant focus on budget and justifying spend is making CISOs and their teams become more business focused and leaves them less time to stay technically savvy. The challenge here is that cybersecurity is a job that is never done and must be seen as core to the business’ success. The added stresses of meeting new compliance requirements, defending growing attack surfaces (when security isn’t involved in the process), managing cybersecurity workforce shortages, and spending more time justifying their budgets all distract them from their day jobs. For your cybersecurity teams to have the greatest impact and enable business success they will need more flexibility and enablement to implement a proactive approach to cybersecurity which allows them to adapt and keep pace with evolving cyber threats.

How confident are you that your cybersecurity program is properly equipped to protect your assets and stop advanced and menacing attacks?  If your approach is overly focused on compliance and trimming costs, there is a growing chance that you could be a victim with a catastrophic impact on you and your organization. 


Turning Back the Clock: Cybersecurity Lessons from Ben Franklin

The secret to effective cybersecurity has been known for almost 300 years and came to us from Ben Franklin. That is, “An ounce of prevention is worth a pound of cure.” Very powerful words when you look at the challenges facing most organizations today.

We live in turbulent times, especially in the Cyber Realm. As society becomes more and more dependent on technology and interconnectedness, we are faced with an unavoidable number of vulnerable products (software and hardware) with a wide range of exposure and transfer of cyber risks across service providers, vendors and customers. Combine that with growth in the number and sophistication of cyber threat actors, and you have a recipe for potential disaster if more urgency and rigor aren’t applied to organizations’ cybersecurity programs. This alarming trend is also compounded by several other factors: an increase in work from home employees (i.e. increased attack surface and increased triage time), unacceptable adversarial dwell times and an enormous talent shortage.

Several recent reports are very alarming. For example, the average dwell time (the time from when an adversary compromises their victim’s network to when they are detected) is 207 days, and it can take over 70 days to contain the impact. Another alarming trend noted in a survey of SMB CEOs is only 7% were concerned that a cyber break was very likely when 67% of SMB organizations were actually targeted in the last year. One may think that this is due to a lack of urgency or care about cyber breaches, but looking at the data further, many of these organizations do not have a dedicated cybersecurity professional to raise awareness and educate the company. The cybersecurity workforce gaps will continue to grow as demand for talent, driven by new and more advanced threat actors, continues to outpace supply.

Organizational IT transformation and consolidation, done with or without CISO involvement, will also exacerbate the problem. Consolidation and transformation of IT resources will save money in the near term but putting all of your eggs in one basket, so to speak, not only puts your organization on the adversarial radar, it also increases the potential scale and scope of a breach. One may ask, if cyber threat actors are able to live in victim networks for months and these victims are of all sizes, industries, and levels of cybersecurity maturity, what can be done?

I can tell you what not to do, “More of the Same,” because it clearly isn’t working.

The term “rise of the threat actor has been used for quite a while and unfortunately threat actors’ impact haven’t plateaued. What has plateaued are the cyber defense programs of many organizations. Sadly, the goals of most organizations don’t go beyond being compliant with stagnant and outdated concepts while threat actors have no rules and are constantly evolving. Also, many CISOs (some are lucky) spend a lot more of their time focused on trying to get senior buy-in to protect their cybersecurity program budget, or addressing challenges in recruiting, retooling and retaining their workforce.

Cybersecurity solutions have evolved from endpoint anti-virus (AV), then firewalls, then Network Intrusion Detection Systems (NIDS), then Host Intrusion Detection Systems (HIDS) Intrusion Prevention Systems (IPS) then NW based Sandboxes, then EDR solutions, then Next Generation Firewalls then Advanced EPP and so on. Adding more stove piped solutions that don’t expose data, don’t provide rich context, only adds to the noise and despite buzz words, rely heavily on a team writing signature/threat intel rules and trying to deploy them to customers faster than threat actors can act.

Despite organizations implementing these solutions over the years, adversaries have still been incredibly successful. The two biggest problems are poor first move detection and inability to find and triage the events that matter from all of the noise efficiently in time to usurp attacks. More focus has been placed on curing the impact of a breach rather than more effective prevention.

Many CISOs continue to focus on achieving compliance and deflecting liability rather than solving the problem by being more secure and enhancing an organization’s cybersecurity maturity. Now is the time to Turn the Tide, and not continue to revert back to the old way. The old way takes a reactive posture focusing too heavily on post-breach detection (Second or Third Move detection). Adversaries are more capable than ever, have more reasons to be destructive (deploying wiper software, ransomware or worse), and have more opportunities brought on by an expanded attack surface. We need a sense of urgency to proactively deal with this growing challenge. Trying to cure the impact of cyber-attacks after the damage has been done only makes them more impactful, expensive and potentially catastrophic and unable to recover from. Collecting an insurance policy or passing on the liability of a breach to another third party doesn’t cure the problem or make the impact go away. CISOs and their security teams can turn back the clock on attackers by adopting a proactive approach to cybersecurity. Leveraging tools that give them First Move alerts and visibility into novel threats before they can enter into a network and spend weeks to months, causing significant to catastrophic damage. An ounce of prevention in cybersecurity is truly worth a pound of cure.

In our next blog in the series, we will discuss several ways CxOs and board members can help ensure their organization is being proactive in dealing with cybersecurity and not solely focused on checking the box for compliance.


Cybersecurity Overview for the Oil and Gas Industry

The Result of Not Addressing Increasing Cybersecurity Risk

The increased potential of blurring boundaries between Information Technology (IT) networks and Operational Technology (OT), for example Industrial Control Systems (ICS), poses a huge risk to the oil and gas industry. As the industry increases its efficiency with automation, companies are significantly increasing their cyber attack surface. Internally, changes due to human error, misconfiguration, insider threat, or supply supply chain can change one part of the business indirectly and have major consquences. These changes need to be considered when mitigating cybersecurity risks.

The oil and gas industry has been at risk of losing competitive advantage in several areas, including exploration information or bidding information, by way of intellectual property theft at the hands of a cyber threat adversary. The most significant wake up call occurred in 2012 with the Shamoon attack on Saudi Aramco that was destructive in nature as over 30,000 Windows-based machines began to be overwritten. A significant problem for the company which provides 10% of the globe's oil supply and caused impacts to their IT systems.

What’s more alarming is that 2017 saw the unauthorized release of sophisticated national state cyber tools to the masses, which were then weaponized for multiple destructive campaigns, including WannaCry and NotPetya, which impacted 100s of thousands of computer systems globally.

With a heightened awareness of cyber breachs and their impacts, it’s still alarming that many IT teams are taking a reactive approach to cybersecurity. Meeting regulation or compliance requirements that don’t evolve rapidly enough to keep pace with adaptive cyber threat adversaries, is no longer an option. There is too much political and financial gain to be had by threats and cyber is becoming their choice avenue of attack because in many cases it is the easiest path and cheapest way to achieve success.

Organizations, especially in the oil and gas industry, are huge targets with very signifant consequences that could include destruction of plants or pipelines, loss of life, oil spills and financial loss.  Proactive attention is needed by organizations to prevent these tragic scenarios from becoming a reality.

What can the Oil and Gas Industry do?

Technological advancements and cloud adoption don’t eliminate cyber risk, they only change the roles and responsibilities for mitigating cyber risk. That change, especially in large enterprise environments, can unknowingly open opportunities for an adversary to gain access to an organization’s assets. They also increase the stakes when organizations go through IT consolidation. The consolidation of an organization’s information and business critical data offers many advantages, but it can also consolidate the time and effort used by a threat advesary if a breach were to occur.

While there is no standard set of cybersecurity rules for the oil and gas industry, organizations should start by with a set of requirements for narrowing the risk of breaches and restriciting access to parts of the organization that, formerly, were not connected:

  • Isolate (or "air gap") OT/ICS systems from IT systems (especially web-facing systems)
  • Implement emerging security technologies to better keep pace with adversarial innovation
  • Ensure a level a higher level of security on backups, where they’re located and how often they’re accessed
  • Establish and enforce a "least privilege" culture across your IT systems
  • Limit the avenues of attack to your key data(from production to exploration to sales, each group’s data should be treated as high value)
  • Enact a specialized and focused security monitoring program on the critical systems/network segments
  • Test your network and its protection and reactive measures vigorously

Mitigating Destructive Malware

One approach for the IT team is to treat each group’s access and behaviors differently. While the establishment of a company-wide security plan can look good to the CTO, clearly defining each group’s security thresholds with its leadership or IT leads can greatly reduce risk and assist in the establishment of testing and monitoring each group’s risk. So while legal

By identifying that risk, IT teams can use that data to help drive where resources should be allocated for the reduction of risk.

One growing area is the sophisitication of these attacks. Attackers are no longer trying to break in, they’re designing their attacks to take down the systems that are used for IT recovery. In the past, backup systems have been a vital and necessary tool for bring back a company after a malicious attack. Now, ransomware such as Locky and WannaCry actually look for remote shares and backup stores.

Proper cyber hygiene is always important (and yes, very difficult to achieve 95%+ in organizations), staying current with patches and increased communication with a security vendor’s content can aid greatly in repeat attacks where files are reused by the adversary. This is where defense in depth comes into play and incorporate other security best practices to limit the adversary’s ability to maneuver and move laterally across your organization.

Segmenting this key data on the network and focusing your security operations teams to prioritize its monitoring will greatly improve your chances of thwarting a destructive malware attack. Lastly, leveraging non-signature based detection technologies, e.g. Artificial Intelligence/Machine Learning (AI/ML), can rapidly analyze unknown content and identify threats rapidly to enable detection and response in order to miminize impact.

The key aspect in a destructive attack is to prevent via good hygiene. If the adversary leverages a zero-day exploit or finds a crack in your organization’s security armor, then speed of detection and containment is crucial.

Technological Advancements to Deal With This Problem

Cyber adversaries have been very successful at staying one step ahead. Constantly changing their tools and techniques continue to aid in their success. There are even service offerings on the black market, for example "ransomware as a service," that can enable less sophisticated actors. The increased financial and political gain by cyber breaches have caused a rapid increase in the number and sophistication of threat actors. Organizations in the oil and gas industry, in conjunction with a strong cyber hygiene program and proper network segementation, should explore security solutions that can help detect and identify unknown threats that routinely evade signature/threat intelligence-based cybersecurity prodcuts. For example, real-time threat detection using AI/ML is focused on malicious content (file-based or fileless attacks) without the use of signatures or behavior detection engines.

With the rapid increase in ransomware and other destructive malware, which are capable of impacting an organization immediately upon payload delivery, organizations should shift their focus to leveraging artificial intelligence at the point of entry into their network to better deliver rapid and scalable detection along with increased analyst efficiency.

Conclusion

Proactive cyber defense must be the new normal. The luxury of being able to wait for an attack to react is over. Do not expect others to solve or stop cybersecurity problems for your organization. Cyber risks pose physical and potentially catastrophic risks to many industry verticals, including the oil and gas industry. Over reliance on reactive security and check box compliance are proven recipes for failures in mitigating cyber risks, as routinely seen in the news. The oil and gas industry has taken major steps at reducing cyber risk over the last several years, but in security, the job is never done as long as there are capable adversaries wanting access.

First Published in American Public Gas Association's (APGA) quarterly publication: The Source


Meltdown and Spectre: Bracing for Impact

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

In the second post in our series, Meltdown and Spectre: How They Could Be Targeted, we discussed ways in which cyber adversaries could leverage the Meltdown and Spectre vulnerabilities. Now we will switch focus on addressing what organizations and security operations teams should be doing to help mitigate the risks associated with these vulnerabilities.

There are two first steps an organization should take to assess the potential impact of the vulnerability. Organizations should gain a full understanding of what types of systems are impacted by the vulnerabilities: i.e. Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). Then determine which systems in your network are susceptible to the vulnerabilities. In this case, the scale and scope of impacted systems is much larger than typical vulnerability advisories. These vulnerabilities affect CPUs within systems that were built over the last 20 years and may include mobile devices, servers, desktops, laptops, cloud services and network devices. It’s important to research or keep current on advisories from your vendors and service providers to rapidly deploy patches as they become available. Then deploy (or test and deploy depending on your organizational processes) these patches as fast as your organization can. During your mitigation plan, consider that there is the potential for performance impacts once the patch has been applied.

Next, you need to identify where sensitive customer or business information resides across your enterprise (on/off-premises) and validate or implement a strong level of isolation and a physical separation of critical data and systems from the more public facing systems (e.g. also includes client systems which are used for web/email) that aren’t business critical. If business critical information is found on systems where they shouldn’t be, deleting the information and then rebooting the system to clear out system memory is the best strategy for limiting any potential vulnerability.

Lastly, enhanced monitoring by security teams on the various avenues of attack that we previously discussed. These are a few examples, but each requires prioritization of focus areas in your organization:

A New Breach – Spear phishing and web-based attacks that leverage fileless or polymorphic malware are the key ways an adversary can gain access to systems and begin to leverage these vulnerabilities to gain access to sensitive data, credentials, etc. Heightened awareness and monitoring of malicious content entering your enterprise are critical as this will likely be the initial vector in exploiting the vulnerabilities. Organizations should explore technologies that are designed to rapidly detect unknown malicious content (fileless and file-based). Being able to detect various stages of a new breach greatly increases your ability to respond quickly and limit impact. Leveraging technologies, like BluVector, that can detect unknown threats (file and fileless) is key to mitigating threat attacks that target unpatched systems or where a hardware refresh doesn’t mitigate the vulnerability.

Expanding a Breach – This scenario is more problematic because it means that an adversary already has access to your enterprise, but until the announcement of these vulnerabilities, hasn’t been able to expand their reach/visibility. By adding code that utilizes the vulnerabilities, the adversary could significantly increase their access. An example for focused monitoring is to look for updates to the Remote Access Toolkits (RATs) by an adversary to enable them to leverage Meltdown and Spectre vulnerabilities. This is just one example of where enhanced monitoring can aid in detecting and mitigating these risks.

Credential Monitoring – As these vulnerabilities greatly impact the confidentiality of systems, and thus increases the likelihood of credentials theft. If the Spectre vulnerability was exploited in your cloud provider’s environment, then your information may be susceptible and the attack would never touch your network. In this case, credential and user behavior monitoring would be the only way to detect.

Consumers - The Meltdown and Spectre vulnerabilities also impact the consumer market and require vigilance of patching one’s personal devices. It’s imperative that you (and your household) apply patches and follow sound web surfing and email principles in your routine activities.

The nature of vulnerabilities associated with the complexity of hardware, operating systems, applications and the cloud requires a comprehensive approach to confirm and mitigate today’s vulnerabilities. The emerging threat landscape is ever evolving and there is a real fear of the unknown. BluVector’s technology was purpose-built to address the fear of the unknown to help organizations defend against cyber threats that haven’t yet been seen in the wild.


Meltdown and Spectre: How They Could Be Targeted

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

In yesterday’s post, Meltdown and Spectre: The Threats in Your Machine, we discussed the significance and some of the technical details of the Meltdown and Spectre vulnerabilities. Today, let’s talk about how a cyber adversary could leverage these vulnerabilities to target your organization or your personal systems.

To prepare for potential attacks that might use the vulnerabilities, it’s important to understand various theoretical scenarios of how an attack could unfold:

New Breach – As with most attacks, the attacker will need to gain access or execute code on the target’s system. These vulnerabilities could be exploited by the very common attacks used today including drive by downloads, watering hole or spear phished emails, which leverage malicious files (e.g. weaponized PDFs, office documents, etc.) or fileless attacks (e.g. JavaScript embedded in PDFs files or in HTML code). Solely relying on signatures and other legacy detection and protection solutions will not provide an organization much protection as knowledgeable attackers craft their attacks to evade most mandated and compliance-based technologies.

Expanding the Breach – These vulnerabilities could provide value to a cyber adversary who already has breached your network and has been unable to gain further access to sensitive information in your environment. For example, the adversary has breached a virtual machine in the network or cloud instance, but has been unable to gain further access. Leveraging Meltdown or Spectre, an attack could allow the adversary to gain access to other systems’ memory spaces. While these spaces might typically be secure and inaccessible, an attack using the vulnerabilities may allow the attacker to begin expanding their access by obtaining sensitive data such as passwords and encryption keys. This is very concerning if organizations rely solely on logical segmentation for security and destructive malware exploits these vulnerabilities to wreak more havoc. This should be a major area of concern.

Avenues of Attack – What SOCs should be watching for (generally, as no samples have yet been found in the wild). The scale and scope of these vulnerabilities are significant and pose various risks to consumers and organizations. First, let’s look at some of the various ways an adversary could leverage these vulnerabilities.

  • Mobile Devices – Malicious mobile applications are a prominent way to target mobile devices (tablets and smart phones). For example, a cybercriminal can spoof a legitimate mobile application and trick users into downloading and installing a version that looks very similar, but is malicious. These malicious mobile applications, have limitations based on the permissions granted, but could then exploit the Spectre vulnerability and gain access to memory of other mobile applications on the mobile device (tablet, smart phone, etc.). If a corporate enterprise allows Bring Your Own Device (BYOD), then an adversary could leverage Spectre to access to sensitive corporate data contained within another application’s memory space. Possible risks could include: personal email account passwords, corporate login credentials and corporate IP, credit card number, password reminder apps, or other PII/PHI information (disclaimer – each entity’s situation is unique and is very specific to what hardware and software they are running on their devices and requires investigation by your organization to determine
  • Cloud Infrastructure – As moving to the cloud consolidates computing resources for cost savings and efficiencies, the data processing and storage of multiple customers on the same piece of physical hardware can create risk. However, the vulnerabilities could now allow an adversary to expand their foothold and visibility into other logically separated computing environments which would otherwise seem secure.
  • Server/Laptop/Desktop Systems – These systems, even over 10-year-old devices (and especially under-monitored, but connected, ghost devices), are widely deployed and used to process and store sensitive data across all industry verticals. These end devices are subject to similar attacks as noted above (file-based and fileless attacks). Specifically, desktops and laptops are prime targets for cyber adversaries as they can leverage the Meltdown vulnerability to harvest valid network credentials that may be used to directly access other systems in the organization. End user’s stored personal credentials could also potentially be obtained, resulting in financial fraud and identity theft.

The Meltdown and Spectre vulnerabilities are the beginning of the latest wake up call for organizations to continuously question, enhance, test and secure their environments. While the attacks I’ve described have not yet been seen in wild, they do represent how attackers might be planning ways to capitalize on the vulnerabilities before adequate patches are deployed widely or hardware is refreshed.

Please come back for Monday’s blog as we discuss some mitigating best practices for Meltdown and Spectre as it relates to cyber hygiene, architectural security practices, and the ways that emerging technologies can provide additional defenses. Our BluVector solutions, which leverage Artificial Intelligence/Machine Learning and Speculative Code Execution capabilities, can help to detect unknown, zero-day attacks that threat actors will inevitably create and use to exploit these vulnerabilities.


Meltdown and Spectre: The Threats in Your Machine

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

After responsibly disclosing the details to affected vendors, a collective of security researchers publicly announced details of two critical vulnerabilities they found in current CPUs from Intel, AMD and ARM.

Labeled as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), these vulnerabilities are distinct and have separate mitigations. However, in general terms, both will allow malicious programs to access areas of memory they should not be able to access. This memory may be system memory or memory allocated to other running programs. Thus, a malicious program may be able to access in-memory data such as stored passwords, personal files and business documents.

The basic difference between the two is Meltdown compromises the isolation between the operating system and programs executed by users. Spectre compromises the isolation between different running programs.

Since these vulnerabilities are made possible due to bugs in the physical CPU, these vulnerabilities affect personal computers, including Macs and those running Linux and mobile devices. These vulnerabilities are of potentially even greater concern for cloud providers, as depending on their implementation of hardware virtualization, it could be possible to access data from another customer utilizing the same physical hardware.

As of the time of writing, there is no evidence these vulnerabilities are being exploited in the wild maliciously. In addition to the publishing of the research into these vulnerabilities, there is proof-of-concept code available for both vulnerabilities - experience with countless other vulnerabilities tells us it is only a matter of time until Meltdown and Spectre malware is released. Attacks could also potentially come from malicious JavaScript utilized in a fileless malware scenario.

Meltdown has been confirmed on Intel CPUs since 1995, it is not currently confirmed to affect ARM and AMD processors. Spectre has been confirmed to affect Intel, ARM and AMD processors.

Patches have been released for Meltdown on Windows, macOS and Linux, though there are reports further patches are to be expected to ensure complete mitigation. Spectre is more difficult to mitigate and will likely require patches to software applications, rather than at the operating system level.

Stay tuned for tomorrow’s blog post:

It’s not currently known how, if at all, these vulnerabilities have been targeted in the wild, but it’s only a matter of when and not if these vulnerabilities will be targeted by cyber adversaries.  Stay tuned to our blog tomorrow as we discuss the various avenues of attack that could exist in your organization and what security teams can do to stay on guard for attacks against these vulnerabilities.  We’ll also discuss best practices and how BluVector’s technology was designed to address both file-based and fileless threats that haven’t been seen before in the wild and where signatures don’t yet exist to detect these types of threats.  Learn how the combination of BluVector’s machine learning and speculative code execution engines can significantly enhance malware detection at line speed.


WannaCry, North Korea and the DHS SAFETY Act

By: Kris Lovejoy, CEO, BluVector

In the wake of the revelation that North Korea was behind the latest WannaCry ransomware attack, it has become apparent that companies of any size or industry can become targets (or merely unwitting victims) for acts of cyber warfare launched between governments. It is equally clear, with the "success" of the attack counted in dollars collected, victims impacted, and outages sustained, that we will see an increase in number of terrorist, extremist, and other hate actors using cyberattacks as the mechanism to enact social unrest and/or financial panic. Now the question remains – how does the average company protect themselves against what seems to be a potentially existential threat?

Thankfully, the U.S. Government, through the Department of Homeland Security (DHS), identified this type of destructive threat and took action to to prepare our Government, our businesses, and our people through the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002 which was enacted to promote the development of technologies created by cyber threat hunters and responders.

After rigorous testing by DHS, products like BluVector can be awarded a SAFETY Act Designation, which allows the capability to be considered as a Qualified Anti-Terrorism Technology (QATT). In addition to the prestige such an accolade imbues, there are important real-world benefits to users of the technology, all of which become even more pertinent in our current climate where victims do not only have to address the immediate financial, reputational, and operational impacts – but are forced to spend time addressing lawsuits

By utilizing a QATT Technology, should a cyberattack occur that the Secretary of DHS determines to be an Act of Terrorism, you, the consumer, can rest a little easier, as DHS has mandated that consumers of the technology shall have no liability. Any claim that is filed must be directed at the seller of the technology (that’s us). This protection not only applies to you as a direct purchaser of QATT technology, but also to you as a reseller, partner, end user, or even sub-end user. So, with Safety Act designated technologies like BluVector, not only are you armed with the tools to identify, predict, and contain threats, but you have an added layer of protection after an event, for greater piece of mind.

So, ask yourself, after suffering an attack that can interrupt your operations, leak data, and cause huge financial setbacks, do you really want to spend time addressing lawsuits and other claims? Investing in technologies like BluVector may offer the best and easiest "insurance" against this risk.


What’s My IDS Missing?

By: Travis Rosiek, Chief Technology and Strategy Officer, BluVector

Today’s society is quick to adopt and leverage new features and technology without consideration for the security risks and possible consequences. Combined with a thirst for new web applications created with a multitude of easy to program scripting languages, these realities seed a growing attack surface that allows cyber adversaries more ways to conduct their attacks and stay ahead of most security products.

Attack Methodology

Cyber adversaries are constantly evolving their attack methodologies and tools to stay ahead of detection. Over the last couple of years, they have been effectively leveraging Operating Systems capabilities that lack the means to log activity -- making this tactic a powerful and lower risk resource for adversaries.

These attacks typically run in memory and operate in areas of the system that are ever changing (e.g. system memory, registry and system utilities which, in many cases, lack logging capabilities). Called "fileless malware," due to a lack of a file used to typically initialize an attack, fileless attack vectors can be leveraged in two common ways:

  • Conduct the entire attack using scripts and avoid writing to disk (but doesn’t persist through a system reboot) or;
  • Leverage a fileless approach as the initial attack vector in order to download and install a malicious backdoor (this maintains persistence). This allows threat actors to not worry as much about whether their backdoor will install properly and evade detection or generate large amounts of logs.

What is Speculative Code Execution?

Speculative Code Execution (SCE) is the exploration of multiple execution paths through machine code or scripts to identify the potential for malicious behavior. The technique does not require but may leverage a control flow graph to determine paths of interest.

How is Speculative Code Execution different than sandboxing for detection?

Sandboxing has been leveraged over the last several years as a means to automate malware analysis by executing a suspicious file in a detonation chamber and then monitor the file’s interaction with the virtual machine to determine if there are any nefarious interactions.

Applied as a secondary analysis capability for network traffic monitoring devices as well, this technology has shown to be effective in many use cases but offers some limitations. For instance, the speed of performing this analysis is measured in minutes, which limits the amount of traffic that can be analyzed at high network speeds. Another challenge is that adversaries are actively building attacks that can avoid detection by evading sandbox detection techniques.

In response, Speculative Code Execution rapidly examines execution paths of machine code or scripts to identify malicious behavior. This requires much less overhead as compared to sandboxing technologies and can make determinations in milliseconds instead of minutes. This makes speculative code execution very capable of detecting fileless attacks at line rate speeds.

Another advantage of SCE is that it is less resistant to the evasion techniques that plague sandbox technologies. Many evasion techniques leverage artifacts of the sandbox environment to detect and ultimately evade sandbox analysis. Another difference is that SCE allows an analyst to follow and analyze possible execution paths during dynamic analysis, whereas a sandbox typically only sees the execution path that is observed in the sandbox detonation.

Applying SCE to Next Generation – Network Intrusion Detection

The inclusion of SCE within a Next Generation – Network Intrusion Detection (NG-NIDS) answers several challenges that organizations face in today's threat landscape: speed, volume and accuracy. In more practical terms, it's also an effective approach to applying an emergent detection capability to all network traffic at the point of entry into an enterprise’s network.

This completeness of coverage and ability to detect threats rapidly make it possible to analyze both web traffic and files that contain malicious code. This technological advance provides a robust approach for addressing a new class of attacks that have been a blind spot for many.

For instance, scripting languages are commonly embedded in files (e.g. a PDF with embedded JavaScript) or incorporated into web sites and served up via web surfing. Therefore, an NG-NIDS must be able to account for these attack vectors and analyze and detect these threats at network rate speeds. And they should be engineered to handle the complexity and high volume of content that poses a rapidly increasing risk to an organization.

Answering the Challenge

Fileless malware will become one of the biggest challenges for many organizations as they're designed to avoid detection, cause damage and leave no files for a post-breach investigation. What they can leave behind are damage to productivity and reputation.

If you're not sure if your current IDS is detecting fileless malware, the easy answer is that it isn't. With the new BluVector Advanced Threat Detection™ release, we are the first and only security vendor to offer fileless malware detection in real time on the network. Combined with our patented machine learning engine that runs in parallel with SCE, customers will significantly lower their threat risk while increasing their detection capabilities. Before your next breach, put us to the test to see how BluVector finds threats that others don't.


About Travis Rosiek
With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity across product development, quality assurance, technical marketing, professional services and sales engineering. Prior to his role at BluVector, Travis held several leadership roles including CTO at Tychon and Federal CTO at FireEye as well as senior roles at CloudHASH Security, McAfee, and Defense Information Systems Agency (DISA).


Understanding the Technology in Next Generation Network Intrusion Detection Systems

As described in earlier posts, a Next Generation Network Intrusion Detection System (NG-NIDS) is a software- or appliance-based solution that monitors network traffic for indications of cyber-attacks or intrusions that have evaded the firewall or endpoint controls. Once identified, high priority attacks can be contained by the NG-NIDS via integration with existing infrastructure or by forwarding contextualized alerts to an SOC team for forensic analysis.

What makes NG-NIDS successful is the integration of machine learning-based technology to power core detection capabilities. Machine learning is an algorithmic method by which an application automatically learns from input and uses feedback to improve performance.

One of the original and more commonly marketed methods of machine learning as applied to cybersecurity is based upon the Bayesian network model. Bayesian network is a model that identifies a probabilistic relationship between variables based on profiling over time. This model has been prototypically used for detection of anomalous behaviors, such as DDoS attacks or data exfiltration in a post-breach scenario.

While these technologies can be extremely effective in meeting these use cases, application of this technology to a broad range of network malware-based threats is limited. The volume and changeability of network traffic makes it difficult to understand what activity is normal. This gives threat actors opportunities to "hide in plain sight" or fool the system that their activity is normal.

The next evolution of this behavioral-based approach, applied specifically to fileless and file-based malware attacks, can be found in speculative code execution (SCE), also known as "network emulation." This application of machine learning operates on any network stream and emulates how malware will behave when it is executed. Operating at line speeds, SCE determines what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, this analytic technology vastly reduces the number of execution environments and the quantity of analytic results -- often to just two or three -- that must be investigated.

The last and rarest machine learning technique leverages supervised machine learning. With this technique, the algorithms are exposed to data, called training instances, which are labeled to produce highly accurate models. While the concept of training and labelling may seem trivial, it is a difficult, expensive and time-consuming process to attain enough training instances of each label to produce models with low false positive/negative rates. In fact, within the network attack detection context, subject matter experts must be used to manually look at every training instance to determine its label, with the number of training instances required in the trillions. The resultant algorithms can be applied to detect aberrations at a binary level, enabling the detection engine to statically identify malware attacks via the presence or absence of particular code features.

Takeaways

Use of machine learning – particularly speculative execution and supervised machine learning - as the technological core of a NG-NIDS makes it possible to once again fulfill the promise that the traditional NIDS was intended to deliver – to identify network attacks with low rates of false positives and negatives.  A word of warning, however: Machine learning has become a "buzzword." For those interested in a machine learning powered NG-NIDS, it is critical to "try before buying." Only then can you truly evaluate whether the technology meets your use case.