Craig Williams, senior technical leader and security outreach manager at Cisco Talos, chats about seeing a surge in organized criminal cyberactivity, especially in ransomware and wiper malware.
Q: What trends is Talos seeing in terms of threats this year? What should be the top concern of major organizations?
Craig Williams: We are clearly seeing an escalation around organized criminal activity. Ransomware and wiper malware are surging forward in 2015 and continue to be an ever-growing threat to our customers. Ransomware is especially insidious in that every dollar that victims pay to retrieve their data directly funds the development teams working towards depriving them of that data in the future. Additionally, many people do not realize that malware can continue to run on the machine after the data has been decrypted causing damage in the future. From an organizational perspective, it is extremely important that backup plans are created and tested. Full tests -- including restoration of departments and entire networks -- would be recommended.
Q: In your annual security report, you covered threats taking action to become more effective. What innovations have you seen in 2015?
Williams The majority of innovations we've seen this year from an exploit kit perspective continues to be from the Angler. We've covered domain shadowing in depth; we've also begun to see other exploit kits mimic this behavior. Clearly it must be providing the attackers an advantage in the field. We've also seen threats like Rombertik take very deliberate steps to make analysis more difficult for the researchers. As threats become more sophisticated, we must remain vigilant to ensure our detection technology maintains its lead.
Q: What lessons have been learned from your recent collaborative efforts to combat DDoS botnets?
Williams In April, Cisco collaborated with Level-3 Communications to identify and take action against a threat actor behind a massive SSH brute force campaign. Our analysis revealed that this group was responsible for approximately one-third of the entire Internet's SSH traffic level. During this event, it appears the threat actor was made aware of our plans and they changed their actions in an attempt to evade us. Luckily, due to our considerable resources, we were easily able to pivot and continue to track and take action against this threat. My takeaway from this event is that it is critical to share information with the right collaborators to ensure that appropriate actions can be taken while minimizing risk around operational security.
Q: This year you decided to be a Platinum-Plus Sponsor of Black Hat USA 2015. Why did you make that investment?
Williams: Security is a top priority within Cisco and we will continue to invest in this area in order to better protect our customers. We look forward to being a Platinum-Plus Sponsor at Black Hat and to continue to support the security community.
Ken Levine, CEO of Digital Guardian, talks about "thinking like an attacker" to keep data safe in the face of a breach, and identifies law firms as being one of the top targets for cyber criminals.
Q: I understand that Digital Guardian's on-demand Data Visibility Study is designed to tell clients whether their customer information, employee and financial data, intellectual property, and trade secrets are at risk or well-secured. Tell me how that works.
Ken Levine: The Digital Guardian Visibility Study is a service that's appropriate for virtually every organization with proprietary or regulated data; it is designed to provide actionable intelligence on policy compliance, privileged user and insider activity, and potential targeted cyber-attacks. After just 30 days, organizations will get a detailed snapshot of how their sensitive data is being used or, in some cases, misused. The Data Visibility Study does not require any additional staffing, hardware, or consultant fees. This service offers organizations unprecedented clarity into every aspect of how their sensitive data is actually being accessed, stored, and used with respect to their unique policies and restrictions. Once deployed by Digital Guardian experts, our host agents begin immediately and continuously capturing secure event meta-data from multiple sources on host systems, including information on application use, network uploads, data access, printing, e-mail and webmail events, and all file operations that occur both on and off the network.
Completely deployed and managed by our security experts, the service records continuous and actionable data discovery, use, and compliance telemetry on workstations, laptops, and servers. The complete service is available to organizations in North America and the Europe.
The Data Visibility Study includes agent configuration, deployment, and management; secure storage of client event meta-data; continuous activity monitoring on or off the network; risk alerting and trending analysis; detailed event forensics; self-service portal with a reporting dashboard of common data risks; and professional services consulting and 24x7 support.
You should note that no sensitive content is transmitted or stored as part of the service. Digital Guardian logs actions as meta-data that recreate any event in its proper context with forensic accuracy. To assure sufficient tamper resistance, event meta-data are encrypted, hashed, and digitally signed before being securely transferred to Digital Guardian's hosting facilities from anywhere in the world via Digital Guardian's FIPS 140-2 certified protocol.
Q: One of your recent blogs says that breaches are inevitable but sensitive data loss isn't … and that you recommend thinking like an attacker to keep your data safe in the face of a breach. How does one think like an attacker?
Levine: "Thinking like an attacker" is not a new concept – it's a different way of describing threat modeling. Threat modeling helps us set policies that protect the data from malicious actions.
From an attacker's point of view, it's a target-rich environment -- they can attempt direct assaults on corporations' infrastructure, try to exploit common vulnerabilities in Web applications or popular programs, or target employee log-in credentials. Identifying your most commonly targeted attack vectors and the points of weakness in your infrastructure is key to building a proper defensive strategy. Common points of weakness in organizations include unregulated mobile devices, unpatched workstations that are running vulnerable applications, programs and/or operating systems, and employees who lack proficient security education, such as how to recognize spear-phishing e-mails and social engineering attacks.
It's not enough to assume that a perimeter defense will keep attackers out. You need to start with the assumption that some adversaries will be successful in their attempts to bypass your initial defenses – a successful strategy is implementing a layered security approach, with an emphasis on protecting both the network and endpoints to prevent attackers from moving deeper into your infrastructure after bypassing initial points of entry.
Q: Mark Stevens, your VP of global services, gave a speech about law firms being one of the top targets for cyber criminals. Who are other top targets and do you suggest different advice for them than you do for other clients?
Levine: Any organization with sensitive data is a target for cybercriminals or advanced threat actors. Sensitive data can vary depending on the organization, but examples include intellectual property, source code, trade secrets, customer and employee personal identifiable information, account numbers, financial credentials, pending M&A contracts, access tokens, and passwords. Attackers will quickly turn the stolen data into a profit by reselling it to interested third parties, whether that be in the cybercriminal underground or to competing organizations.
Organizations need to understand where their sensitive data is at all times while having complete visibility and control over who's accessing it and where it's traveling. This will enable organizations to perform risk assessments across their IT infrastructure, including their physical, virtual, and mobile environments. Risk assessments will provide organizations with the insight needed to protect their critical IT assets and sensitive data while hardening any points of weakness.
Q: As a Platinum-Plus Sponsor of Black Hat USA 2015, what will be your focus at the conference? What will be the takeaways for attendees who listen to what Digital Guardian has to say there?
Levine: Digital Guardian will be showcasing its latest version of the Digital Guardian Endpoint Security Platform which provides data aware security designed to stop data theft. The platform performs across traditional endpoints, mobile devices, and cloud applications to make it easier to see and stop all threats to sensitive data. It can be deployed on premise, as a managed service or a hybrid of both. The latest version offers the most complete form of data protection by providing constant visibility to all sensitive data, a contextual understanding of actions that can put data at risk, and control over what actions can be taken with the data by each user or process.
New features included in the Digital Guardian platform include:
Jim Jaeger, chief cyber services strategist, Fidelis Cybersecurity, describes "internal malware sinkholing" as valuable to identifying infected machines, and talks about the importance of being a sponsor of Black Hat USA.
Q: In a recent blog, one of your senior threat researchers talks about the fact that far too many organizations simply mine for indicators of compromise without establishing the confidence that a given indicator is, in fact, malicious. Explain that to me.
Jim Jaeger: There are several open-source collections of indicators of compromise that are available. Many threat intelligence companies simply pull this locally without any understanding of how those lists are generated. For instance, there are many malware domain lists available and what those domains resolve to. Because DNS resolution of malicious domains is under the control of a malicious actor, they could simply repoint the malicious domain anywhere they want. They could, for instance, point malicious domains at the IP addresses that correspond to the DNS root servers and, if an intelligence company mindlessly loads all that data into a firewall, an organization will no longer be able to use DNS.
The various open-source collections of indicators all have varying degrees of confidence attached to them and biases that are introduced when they are generated and collected. Those all need to be taken into account before operationalizing the data. It is foolhardy to block traffic without an assessment of trust in the sources. Risks are only enhanced in sharing networks where participants might not have the ability to vet and with increased focus on automation.
Q: Another blog maintains that close collaboration with third parties introduces potential security vulnerabilities that can be manipulated and exploited by hostile actors. What advice do you give to companies to reduce these threats?
Jaeger: We'd certainly recommend proactive assessments of third-party infrastructure, especially ones with privileged access to your enterprise, physical or electronic. This is especially true of third parties who maintain high-value information on your behalf, such as outside legal counsel, accounting services, and consultants. In cases where there is direct electronic connectivity, such as through VPNs, it's especially important to conduct continuous monitoring of activity, both to control for inbound malware and access to or leakage of sensitive information. Context is really important here -- a pharmaceutical company with a contractor conducting field trials has to be in a position to constrain third-party access to relevant data stores and do content inspection to ensure that other sensitive information doesn't leave, inadvertently or otherwise.
Q: You talk about "internal malware sinkholing" which you describe as valuable to identifying infected machines on the network and to severing the adversarial control of them. Tell me how that works.
Jaeger: Malware requires ultimately either an IP address or a fully qualified domain name to reach the malicious control server. If you know the IP address, you can use simple firewall rules to redirect all traffic destined to that IP address to your sinkhole. If you know the DNS name, you can have your internal DNS resolver (which you control) give a response for that malicious host to point to your sinkhole. By doing this, you've ensured that infected hosts in the enterprise are no longer communicating with adversary-controlled infrastructure and it gives you time to go remediate those systems.
Q: Talk to me about the importance of being a Platinum-Plus Sponsor of Black Hat USA 2015. What advantages do you perceive to having become one?
Jaeger: We are very excited to be at Black Hat again this year -- and with an even larger and more prominent presence. The security community that we interface with at Black Hat is so crucial for our overall branding and awareness strategy. In addition to interacting with some of the world's most brilliant minds in our industry, we have the opportunity to show them the value of our advanced threat defense solutions and how we are helping our customers face advanced threats with confidence every day.
Jewel Timpe, Senior Manager, Threat Research at HP Security Research, reveals that the major part of HP's presentation at Black Hat USA 2015 will focus on its Zero Day Initiative.
Q: I understand that a major part of your presentation at Black Hat USA 2015 will focus on HP's Zero Day Initiative which, 10 years ago, began purchasing vulnerability reports from independent security researchers and then reporting them to vendors to help tailor defenses for security appliances. What will be the takeaway from that discussion?
Jewel Timpe: Ten years of deep insight into the threat landscape has allowed us to tailor defenses for HP's security appliances and to lead the vulnerability conversation across the industry, but it's important to know that the data accomplishes so much more than that. The ZDI is one of the oldest and largest vendor-agnostic bug bounty programs out there. The researchers' work manifests itself in IPS filters, of course, but it's also used to expand our internal research, to drive content for Threat Central and, of course, to inform computer users of what they need to know to be safer. In the presentation, we'll be using the last 10 years as a jumping-off point to look at what sort of landscape we should all expect to see unfolding over the next decade.
Q: Going forward – and in keeping with your theme of "ZDI@10" – what will be your priorities in 2015 and beyond?
Timpe: Our priorities don't shift much year-to-year -- the ZDI and HP Security work hard to protect the ecosystem … to make all users of technology safer. What will change is how we do it and how we talk about it. Right now, the pace of technological achievement is being driven by the cybercriminal element which is moving at incredible speed as we all know. Security pros need to move faster to keep up let alone to get ahead of the problem -- but how? In the year to come, we will be looking at not only our own technology advances, but at our abilities to see what's happening today and extrapolate how that will evolve in the near-, mid-, and far future.
Q: In a recent talk, Art Gilliland, HP Enterprise Security Products senior VP and GM, said businesses should invest in training staffers and perfecting internal processes rather than relying solely on new technology to guard against cybercriminal intrusions. Coming from a technology company, that is quite a statement. Can you elaborate on that?
Timpe: At HP, our perspective is that technology is only as effective and secure as the ecosystem within which it is operating. Adding the latest, most cutting-edge technology to your security array may address some specific challenges, but if the people and processes interacting with your technology and network systems every day aren't equally secure, you're leaving the door wide open to threats. That's why we advocate for a multi-layered, holistic security approach that begins with a strong foundation and builds on it. Team members who understand your policies and basic security techniques, processes for handling device and network hygiene on a regular basis -- these are the pillars of a good foundation to support advanced security solutions, such as those we offer via HP ArcSight, HP Atalla, HP Fortify, HP TippingPoint, and HP Threat Central.
Q: Once again, HP will be a Platinum-Plus Sponsor of Black Hat USA 2015. Why is that an important part of your marketing strategy?
Timpe: There are three major reasons we continue to support Black Hat at this level. First, HP has found Black Hat to be one of the best opportunities -- outside of the Zero Day Initiative itself -- to interact with security researchers and practitioners with deep technical skills, devotion, and passion around cybersecurity. Second, connecting with Black Hat's vendor-agnostic approach and ethos of sharing actionable data aligns with own research mission. Finally, the feedback and knowledge we acquire from Black Hat researchers and attendees has a direct effect on products throughout our security portfolio.
Patrick Bedwell, VP, product marketing at AlienVault, recommends joining the world's largest crowd-sourced repository of threat data, and says being a Platinum Sponsor at Black Hat USA enhances a company's visibility at the conference.
Q: I know that AlienVault is looking for threat researchers and security practitioners to join your recently announced beta of Open Threat Exchange (OTX) 2.0. Tell me about OTX 2.0, what it is, and how it's different from the 1.0 version.
Patrick Bedwell: Open Threat Exchange (OTX) 2.0 is a new iteration on the mission AlienVault created when launching OTX -- to establish a culture of sharing threat data within the security community. While the analytics infrastructure behind OTX remains largely unchanged, we have created new ways for users of all technical skills and abilities to interact with OTX's threat data and utilize that information to create threat intelligence.
The most noticeable change in OTX 2.0 is our new interface. Previously, interacting with the community-driven data within OTX was done through an API. OTX 2.0 extends this functionality by providing an easy-to-use Web interface that allows users to interact with the data in OTX without programming knowledge. Through this interface, users can navigate OTX's data, learn about new threats, and collaboratively build threat intelligence with other users that can be exported to defend any number of systems.
A critical part of this new interface is the concept of a "pulse," a new structure in OTX that allows you to describe nearly any online threat. OTX previously focused on IP reputation, in terms of reporting malicious content or activity. Pulses however change this paradigm by allowing users to collect a score of different types of Indicators of Compromise (IoCs or "indicators"), allowing users to map and describe the infrastructure of nearly any type of malicious activity or agent. Additionally, pulses allow users to contribute social context via comments, critical data that frequently is missed in purely programmatic interfaces.
To use all of this new functionality in OTX beyond the Web interface, AlienVault created a new API to serve pulses and the scores of new IoCs supported by OTX 2.0. The OTX 2.0 Direct Connect interface allows developers to access the data and social interface in OTX. We currently support two SDKs for Direct Connect in Python and Java and support the existing IP reputation API. Additionally, OTX 2.0 allows you to export pulses to open formats, such as STIX and OpenIoC, so users can readily analyze this data in other security information systems.
Collecting the data for research can be a big pain point. Because of this, OTX 2.0 comes with tools included in the Web interface to allow researchers and security practitioners to quickly harvest indicators from a variety of programmatic and non-programmatic sources. For example: you can now import English text descriptions of a threat (via a blog post or e-mail) into OTX, and OTX will harvest indicators from the text and perform a first level analysis of those indicators as well as screen for false positive data to create a new pulse.
Q: What are the advantages of joining OTX 2.0 which you describe as "the world's largest crowd-sourced repository of threat data?"
Bedwell: The biggest advantage that users have in using and contributing to OTX is in numbers. OTX's truly open approach ensures that users have access to a large and robust wealth of threat data. OTX collects and processes over a million IPs and malware samples a day -- from 5,000-plus systems in over 140 countries as well as from a host of other joint research groups and forums.
Beyond the wealth of data, OTX is also unique in that it's truly "open." Unlike ISACs and other closed threat sharing groups, Open Threat Exchange is not restricted to security practitioners who work within a certain industry or in certain companies/groups. We pride ourselves on creating and managing an environment for open collaboration, and this open approach to threat intelligence has ensured that OTX analyzes a significant portion of online threats.
OTX is also a lot more than just a blacklist. There is a robust set of analytics engines powering OTX, which automatically investigate OTX's data. These engines do everything from analyze the behavior and composition of malware, to interrogate reputedly malicious IPs, and even identify and track malicious DNS hosts. OTX 2.0's expanded Web interface and API allow users to take advantage of these tools directly, and enable faster and better threat research.
Q: You just came out with Version 5.0 of your Unified Security Management (USM 5.0) platform which you say "narrows the gap between security awareness and action with new asset management and threat intelligence capabilities." What exactly does that mean? What are some of the new features of the latest version?
Bedwell: IT teams of all sizes suffer from too much data and not enough information, as security tools generate a steady stream of alerts about important (and not-so-important) activity. IT teams without deep security expertise are then required to conduct research into each alarm to understand the significance of each alarm and what to do about it.
USM's integrated threat intelligence from AlienVault Labs eliminates the need for IT teams to spend precious time conducting their own research. AlienVault regularly delivers threat intelligence as a coordinated set of advanced correlation rules and product updates, including up-to-the-minute guidance on emerging threats and context-specific remediation guidance, which accelerates and simplifies threat detection and remediation.
Q: This isn't the first time AlienVault has been a sponsor of Black Hat USA 2015. What do you get out of being a Platinum-Plus Sponsor of the Conference. Why did you make the investment?
Bedwell: Black Hat provides a great opportunity for us to get in front of security professionals from around the world. The Platinum-Plus sponsorship provides us with a level of visibility at the conference that ensures that we maximize that reach to the broad community of attendees. Stop by and see us at booth #619.