Showing posts with label Cyber Threats. Show all posts
CEIC 2015 Highlights: Thwarting Malware, FRCP Rules Changes, Corporate Cyberbullying, Collaborating for the Win
CEIC® 2015 began with a one-day CISO/CLO Summit that gathered security and legal chiefs to collaborate on emerging best practices in defending the enterprise, as well as an energetic CEIC welcome keynote from our president and CEO Patrick Dennis and Roger Angarita, our head of product development. Patrick talked about how the legal, security, and forensic investigation communities are blending together, both to collaborate and even to expand their own professional areas of responsibility. Our data is converging—and so are our professions—which is good news, since as we collaborate, we are turning the tide in the defense of our organizations, our citizens, and our economies.
- Posted by: Siemens
- No comments
- Categories: CEIC , Cyber Legal , Cyber Threats , Cybercrime , FRCP , Malware Analysis
Security and IR Labs at CEIC Focus on Advanced Malware and Attack Analysis
CEIC 2015 is just a few weeks away and we’re excited to meet with you face-to-face on the show floor and in the conference sessions earmarked for cybersecurity and incident response professionals. If your cybersecurity journey seems to grow more complicated with each passing CEIC event, this is the year you won’t want to miss.
Incident response as a discipline is still largely misunderstood and under-implemented, mainly because enterprises struggle to understand the changing security landscape and the need to be prepared for the inevitable cyber attack. To help you better understand these changes, we've developed new sessions and labs for CEIC 2015 to help you take incident response to the next level.
CISO/CLO Summit 2015: One Day that Generates Actionable Intelligence
As legal chiefs around the world get serious about cybersecurity as part of our mission to defend our organizations, we’re learning fast, but it’s time to go beyond education and begin taking action. Four years ago Guidance Software brought legal, security, and risk and compliance chiefs together at the inaugural CISO/CLO Summit to talk strategy and we’ve come a very long way since.
Last year I was privileged to lead a panel discussion on enabling proactive risk and threat intelligence at CISO/CLO Summit 2014. The panelists included an information security chief for a major defense manufacturer, the CISO for a global automaker, security analyst Jon Oltsik of the Enterprise Strategy Group (ESG), and Ed McAndrew, the Assistant U.S. Attorney and National Cyber Security Specialist for the Department of Justice.
Billington Cybersecurity Summit: Situational Awareness and Cyber Resiliency
I was pleased to have the opportunity to participate on a panel at the 5th Annual Billington Cybersecurity Summit, a very well attended event in Washington, DC yesterday. At the Summit’s opening keynote, Admiral Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, made a strong call for the adoption within cybersecurity of the military concept of “situational awareness,” both in government agencies and in corporate America. This, he said, can be achieved through understanding normal behavior across a network and on endpoints and having a way to quickly visualize anomalies.
- Posted by: Siemens
- No comments
- Categories: Cyber Threats , Cybersecurity , Cyberwar , Data Discovery , Endpoint Security , National Security
Why Signature-Based Cyber-Defenses are Bound to Fail
You will never see a signature-based alert from your security information and event management (SIEM) tool for a zero-day attack. There is no signature in your blacklist for the malware that was custom-built for your organization and secretly colonized your mail server a month ago. No indicator, no pattern match, no alert.
Why is this the case? Because malware is constantly morphing, and because the sophisticated and dedicated minds under those black hats are working night and day to design a data breach specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.
- Posted by: Siemens
- No comments
- Categories: Analytics , Anomalies , Baselines , Cyber Threats , Data Breach , Insider Threats , Malware , Security Analytics , Security Intelligence
RDP Hacks: Thwarting the Bad-Guy Network
Brian Krebs of Krebs on Security just posted an article on RDP hacks that exploit weak or default login credentials, and goes on to describe how that provides the basis for a cybercrime business. His article explains that Makost[dot]net rents access to more than 6000 poorly configured and, therefore, compromised Remote Desktop Protocol (RDP)-enabled servers around the globe. As Krebs says, “…the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password.” It’s a classic brute-force attack and it’s aimed directly at an extremely weak target.
Many people on first reading this would consider this capability a “vulnerability” of Windows, but that’s like saying that an automated teller machine (ATM) has a “vulnerability” because it dispenses cash to anyone who presents a valid card and PIN. RDP is a feature of the operating system, and Windows is not alone in exposing remote-access functionality like it; the weakness Krebs describes is the guessable credentials sitting behind an Internet-facing port 3389, not the protocol itself.
- Posted by: Siemens
- No comments
- Categories: Anomalies , Baselines , Cyber Threats , Endpoint Analytics , Endpoint Visibility , Hacks , Security Analytics , Threat hunting
U.K. Announces Engagement in the War With No Front Line
On the day the mighty U.S. government shut down, the U.K. government threw down a colossal gauntlet: it revealed that it has been developing the capacity to carry out cyber attacks. The Financial Times reported today: Philip Hammond, defence secretary, said ahead of the Conservative party conference in Manchester that the UK was "developing a full-spectrum military cyber capability, including a strike capability." It was the first time any country has made such a sensitive statement in public.
- Posted by: Siemens
- No comments
- Categories: Cyber Threats , Cybersecurity , Cyberwar , Incident Response , Intelligent Security
Six Steps for Managing Cyber Breaches
You’ve been breached. Now what?
Being quick to respond to a security breach is critical in minimizing the impact that malware could have on your network, as well as limiting an intruder’s access to your data. Having helped numerous clients with their cybersecurity needs, we have identified how to better prepare for and respond to cyber-attacks, which we included in our recently published white paper Incident Response: Six Steps for Managing Cyber Breaches.
With 70% of cyber-attack victims being notified of their breaches by third parties (see my recent blog post Hello? You’ve Been Breached.), many security professionals, even at the largest organizations and agencies in the world, have been surprised to find that their enterprise was center stage in a cyber-attack, sometimes for several months, without their knowing. That is why it is extremely important to be proactive about implementing security best practices and an incident response plan, as well as having in place tools for the detection, analysis, and remediation of cyber-attacks, such as EnCase Analytics and EnCase Cybersecurity.
Trust but verify, people.
I thought it was a well understood security principle; trust but verify. Maybe it is and the PHBs are simply out-voting the security crowd and the voice of reason. At the end of the day when you don't know what is out in the cloud and have limited to no controls to act if you did know, your data is seriously at risk.
Of course, an equally well known security principle states that a valid response to risk is to accept it. I would sincerely hope that the businesses that have my data aren't doing this. Who am I kidding? I know they are. As if I only do business with the 20% crowd...I can only dream of the day.
- Posted by: Unknown
- No comments
- Categories: Compliance , Cyber Threats , Cybersecurity , Data Privacy , Information Security
...Or you could fix the software.
One of the fundamental realities of security is dealing with vulnerabilities. In the industry, we have become so jaded to the fact that software makers simply don't want to go to the trouble and expense of churning out secure code that we have just learned to 'abide.' Consequently, we come up with elaborate ways to measure vulnerabilities and concoct Wile E. Coyote style mitigation plans to bring the risk down to an acceptable level.
Occasionally, I'm reminded that my permanently security-tainted skepticism needs a bit of a challenge to my comfortable position that there is no real security, there is only incident response. We continue to fight a losing war and resign ourselves to try harder tomorrow. With nation-states throwing their hats and ample wallets into the ring and anonymously buying bugs and exploits and expecting it to not be reported to the software vendor or public, it seems all is lost.
- Posted by: Unknown
- No comments
- Categories: Cyber Threats , Cybersecurity , Cyberwar , Information Security , Intelligent Security , Security Tactics
Beyond Reactive: Your Security Game Plan
The known threats, true to their name, are tracked by their known and readily available signatures and are typically stopped by perimeter and signature-driven tools such as antivirus software, firewalls, or SIEM (security information and event management) systems. While these tools are necessary and can be effective at stopping known threats, the unknown threats, the ones with no defined modi operandi or signatures, remain at large within organizations, lurking undetected, waiting for the right moment to strike. Sometimes, these threats can even be a careless or disgruntled employee.
- Posted by: SLW
- No comments
- Categories: Analytics , Big Data , Cyber Threats , Cybersecurity , Endpoint Analytics , Endpoint Intelligence , Information Security , Security Analytics , Security Intelligence
Who Turned Off the Lights? U.S. Electric Grid Sees Increase in Cyber Attacks
Yet, despite fears of retaliation from foreign governments against the U.S. electric grid, a recent report based on over 100 surveyed utility companies revealed alarming vulnerabilities in the nation’s energy system. The report was supported by members of the U.S. House of Representatives in an effort to bring awareness to the security gaps in the utilities sector.
Among some of the report’s key findings were:
- Attacks on the nation’s critical infrastructure – including energy – were up 68 percent from 2011
- Many utility companies reported receiving “daily,” “constant” or “frequent” cyber-attack attempts
- Among the attacks reported were phishing, malware infection, and unfriendly probes
- Most utility companies are compliant with mandatory cybersecurity standards issued by the government, but voluntary recommendations from the industry watchdog, the North American Electric Reliability Corporation (NERC), have been ignored by many
- Posted by: Ale Espinosa
- No comments
- Categories: Cyber Threats , Cybersecurity , Cyberwar , National Critical Infrastructure , Policy , Security
Hello? You’ve Been Breached.
The reality of the world we live and do business in has made us increasingly vulnerable to cyber threats and attacks. Perimeter security and signature-based threat detection tools can only do so much when the threat is brand new or if it morphs as it spreads out through your network, making their signature unrecognizable. Chances are, there is someone lurking in your network right now and you don’t even know it.
In fact, Verizon’s 2013 Data Breach Investigations Report revealed that approximately 70% of cyber breaches go completely undetected by organizations’ security teams, and are instead discovered by external parties like the authorities, FBI, or even the attackers themselves.
- Posted by: Ale Espinosa
- No comments
Why Are We Losing the Cyberwar? It's About the Money.
It is simply more profitable to sell newly discovered exploits to bad guys than it is to report them to the software companies for fixing. The few companies that are willing to pay bounties for bugs are easily outbid by the bad guys as a cost of doing business. As long as that is a viable economic model, we will never have a hope of any defensive strategy that will work other than fast clean up of the mess when it happens.
- Posted by: Unknown
- No comments
- Categories: Cyber Threats , Cybersecurity , Cyberwar , Incident Response
Chinese government behind Chinese hack-a-thon...really?
- Posted by: Unknown
- No comments
- Categories: Cyber Threats , Cybersecurity , Incident Response , Security Tactics , Threat Response
Attack Aftermath: What’s Next for South Korean Banks and Broadcasters?
His take is that a thorough digital forensic investigation is an urgent and essential next step to getting back to normal after having hard drives and their master boot records (MBRs) wiped. The MBR is the first sector of a drive; it holds the boot code and the partition table that tells the system where the file systems on the drive begin. Affected systems were given a forced reboot command, but restarts were impossible because the MBRs and file systems had been corrupted.
- Posted by: Siemens
- No comments
- Categories: Cyber Threats , Data Breach , Incident Response , Threat Response
RSA Conference: Actionable Intelligence is the Missing Link in Incident Response
So it was fitting to attend the keynote by RSA Chairman Art Coviello and hear him say, “It’s past time for us to disenthrall ourselves from the reactive and perimeter-based security dogmas of the past and speed adoption of intelligence-driven security.” He described a fact that’s inescapable to all security professionals now, which is that alerting systems and point solutions for threat response aren’t sufficient to respond to modern threats. The time has come to change the way we perform incident response by using rapidly accessible, actionable intelligence to make the stakes higher for hackers, crackers, and thieves.
- Posted by: Siemens
- No comments
- Categories: Cyber Threats , Data Discovery , EnCase , FireEye , Incident Response , Security Tactics , Threat Response
Cutting Through the Cyber "Fog of War"
And they often hit endpoints quickly, sometimes through little-known zero-day vulnerabilities in browsers, operating systems, and other applications. Once in, they sit clandestinely and await instructions, which may be to exfiltrate data of value, burrow deeper into the infrastructure, launch attacks on others, or wait for a more opportune time to strike.
It may be startling to many, but faith in traditional defenses to fight these attacks is often misguided, as anti-virus, intrusion detection and prevention systems, firewalls, and other old-line defenses fail to block, let alone identify, these attacks or provide quick visibility into what is occurring on the network.
Guidance Software has recently partnered with FireEye, Inc. to help clear away the fog by integrating their Malware Protection System (MPS) appliances, which analyze and protect network traffic, with our EnCase Cybersecurity software, which secures the endpoint. Together, the two solutions provide a clear view into attempted attacks.
One of the first things customers of our partner FireEye explain, as soon as they install the FireEye MPS appliance, is that they can suddenly see things they couldn’t see before, such as numerous bad outbound and inbound communications they previously had no idea were underway.
But seeing the threats is much different than being able to understand precisely what they’re doing on the endpoint. Security and IT managers need to know if malicious traffic is a threat to their networks and infrastructure, and if any of these attacks have successfully compromised an endpoint.
This is where the FireEye-Guidance relationship comes in. When the FireEye MPS appliance identifies nefarious traffic, the integration with EnCase Cybersecurity makes it possible to automatically validate whether the attacks detected over the wire successfully penetrated any systems attached to the network. This integration between FireEye and EnCase Cybersecurity provides customers with everything they need to scope and remedy compromised endpoints.
To achieve this we’ve built an Enterprise Service Bus (ESB), a way to communicate with other technologies. With the new integration, EnCase Cybersecurity listens for FireEye MPS to report detected events via an XML feed that is translated by the listener service. With just the IP address information and hash values related to the FireEye-detected event, EnCase Cybersecurity first validates whether or not the attack successfully compromised the indicated endpoint(s). Once it confirms the presence of malware, additional information related to the attack is collected and presented to the security analyst via a thin-client review capability. By capturing attack artifacts and indicators in this manner at the time of the alert, the security team can be confident that they have a complete picture of the attack, and a wealth of information with which to triage, determine risk exposure, and accelerate remediation efforts.
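The listener step just described reduces to: pull the destination IP and the malware hash out of each alert, then check whether that hash is actually present on that host. The script below is an added example and not EnCase or FireEye code. The XML layout of SAMPLE_ALERTS is an assumption (the page does not reproduce the MPS feed schema), and ENDPOINT_FILES is a constructed stand-in for the file contents an endpoint agent would hash on each machine.

```python
"""Validate network alerts against endpoint artifacts.

Added example, not Guidance Software or FireEye code.  Assumptions:
 - alerts arrive as XML with the layout in SAMPLE_ALERTS (assumed schema);
 - an endpoint agent can return the files on a host, represented here by
   ENDPOINT_FILES, a constructed {host_ip: {path: bytes}} mapping.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed file contents standing in for what the agent would hash on disk.
DROPPER = b"MZ\x90\x00 constructed dropper payload"
PDF_EXPLOIT = b"%PDF-1.4 constructed exploit document"
BENIGN = b"MZ\x90\x00 constructed benign binary"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


SAMPLE_ALERTS = f"""<alerts>
  <alert id="101" severity="majr">
    <src ip="198.51.100.23"/>
    <dst ip="10.0.0.45"/>
    <malware name="Trojan.Dropper.Sample" md5="{md5_hex(DROPPER).upper()}"/>
  </alert>
  <alert id="102" severity="minr">
    <src ip="203.0.113.77"/>
    <dst ip="10.0.0.46"/>
    <malware name="Exploit.PDF.Sample" md5="{md5_hex(PDF_EXPLOIT)}"/>
  </alert>
  <alert id="103" severity="majr">
    <src ip="203.0.113.77"/>
    <dst ip="10.0.0.99"/>
    <malware name="Exploit.PDF.Sample" md5="{md5_hex(PDF_EXPLOIT)}"/>
  </alert>
</alerts>"""

ENDPOINT_FILES = {
    "10.0.0.45": {r"C:\Users\Public\update.exe": DROPPER,
                  r"C:\Windows\notepad.exe": BENIGN},
    "10.0.0.46": {r"C:\Windows\notepad.exe": BENIGN},   # exploit never landed
    # 10.0.0.99 has no agent, so the alert cannot be validated either way
}


def parse_alerts(xml_text):
    """Yield one dict per <alert>, keeping only what validation needs."""
    for node in ET.fromstring(xml_text).findall("alert"):
        yield {
            "id": node.get("id"),
            "severity": node.get("severity"),
            "src": node.find("src").get("ip"),
            "dst": node.find("dst").get("ip"),
            "name": node.find("malware").get("name"),
            "md5": node.find("malware").get("md5").lower(),   # normalise case
        }


def hash_inventory(files):
    """{md5: path} for one host's files, as an endpoint sweep would produce."""
    return {md5_hex(data): path for path, data in files.items()}


def validate(alerts, endpoints):
    """Decide per alert whether the detected malware reached the target host."""
    results = {}
    for alert in alerts:
        host = alert["dst"]
        if host not in endpoints:
            verdict, path = "no-agent", None
        else:
            path = hash_inventory(endpoints[host]).get(alert["md5"])
            verdict = "confirmed" if path else "not-found"
        results[alert["id"]] = {"host": host, "name": alert["name"],
                                "verdict": verdict, "path": path}
    return results


def run_sample():
    return validate(parse_alerts(SAMPLE_ALERTS), ENDPOINT_FILES)


if __name__ == "__main__":
    for alert_id, r in run_sample().items():
        print(alert_id, r["host"], r["verdict"], r["path"] or "")
```

Two caveats a practitioner will want. A "not-found" verdict means the hash from the wire was not on disk at sweep time, which covers the blocked-by-IPS case but also the case where the dropped file differs from the sampled one or lives only in memory; treat it as "unconfirmed", not "clean", and pair it with the memory and process collection described above. And a "no-agent" host is a coverage gap to close, not an alert to dismiss.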
Without this network-to-endpoint view provided by the FireEye MPS appliance and EnCase Cybersecurity, there’s no realistic way to tell whether exploits and attacks are harmless to an infrastructure (such as exploits targeting an OS that does not exist on the network), or whether some other countermeasure such as a firewall rule or intrusion-prevention system has successfully blocked an attack.
Additionally, EnCase Cybersecurity grabs all of the data about the state of the machine, including what processes are running in RAM, what services and system libraries are loaded, who is authenticated to the machine, and more. With that information, the security analyst not only understands which systems are truly at risk, but has what they need to understand the attack more deeply.
What this coupling of FireEye and EnCase technology does is clear much of the fog associated with all of the data that pounds security analysts’ management console screens every day, and it makes it possible for them to make clear, well-informed decisions all the way through remediation. For more information about the Guidance Software and FireEye collaboration, check out our press release and download the datasheet.
- Posted by: Anthony Di Bello
- No comments
- Categories: Cyber Threats , Data Breach , FireEye , Incident Response , Malware
DNS Changer malware highlights need for scalable forensic response
Given that DNS Changer, five-year-old malware designed to redirect traffic from infected users, still infects an estimated 58 of the Fortune 500 and at least 2 government agencies, it’s safe to say IT and IS staff cannot entrust users to oversee the security of their corporate/government-issued devices. While the warnings have been loud and clear, and there are detection and cleanup tools available, it’s no fault of their own: most employees aren’t paid to spend their day ensuring that their computer is free of malware.
Unfortunately, for threats like DNS Changer, the detection and cleanup tools require physical access to any given machine in order to address the problem, and in any enterprise spanning multiple locations, or with remote employees, this poses a challenge for the information security team.
Fortunately, there are tools and just enough publicly available information to overcome this challenge. As mentioned above, the DNS Changer malware modifies a device’s DNS settings to point it at fraudulent DNS servers. The FBI has been kind enough to publish the ranges of fraudulent IP addresses that are being injected into the DNS settings of infected computers:
- 85.255.112.0 through 85.255.127.255
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
This information, coupled with cyber response technology like EnCase Cybersecurity, allows information security teams to rapidly audit the DNS settings on devices across the enterprise, exposing any device that references a fraudulent DNS server, for a rapid, definitive understanding of which devices are infected with the DNS Changer malware. At that point, the information security team can take the proper steps to remediate the malware.
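The audit described above is a membership test: collect each host's configured DNS servers, and flag any that fall inside the FBI-published ranges. The script below is an added example, not EnCase code. ROGUE_RANGES is the list quoted above; the per-host settings in SAMPLE_HOSTS are constructed, in the shape a central collection of resolver configuration would return (the Windows registry location and the resolv.conf parser are there to show the two input kinds an enterprise sweep has to handle).

```python
"""Audit DNS server settings for the DNS Changer rogue ranges.

Added example, not EnCase code.  ROGUE_RANGES is the FBI list quoted in the
post; the per-host DNS settings are constructed, in the shape a central
collection of each host's resolver configuration would return (on Windows
the NameServer values under the Tcpip\\Parameters\\Interfaces registry keys,
on Unix-like hosts /etc/resolv.conf).
"""
import ipaddress

ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each first/last pair into CIDR blocks once, for cheap membership tests.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]


def is_rogue(server):
    """True if `server` (dotted-quad string) falls in any DNS Changer range."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False           # hostnames / junk cannot match a numeric range
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_resolv_conf(text):
    """Extract nameserver entries from a resolv.conf-style file."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


# Constructed collection results: host -> configured DNS servers.
SAMPLE_HOSTS = {
    "ws-101": ["10.0.0.2", "10.0.0.3"],
    "ws-102": ["85.255.112.36", "10.0.0.2"],       # rogue primary, legit secondary
    "laptop-7": ["64.28.185.100"],
    "srv-dc1": ["127.0.0.1"],
    "build-3": parse_resolv_conf(
        "search corp.example\nnameserver 93.188.161.4\nnameserver 10.0.0.2\n"),
}


def audit(hosts):
    """Return {host: [rogue servers]} for hosts whose settings name a rogue server."""
    infected = {}
    for host, servers in hosts.items():
        bad = [s for s in servers if is_rogue(s)]
        if bad:
            infected[host] = bad
    return infected


if __name__ == "__main__":
    for host, bad in audit(SAMPLE_HOSTS).items():
        print(f"{host}: rogue DNS {', '.join(bad)}")
```

Checking the configured servers, rather than whether name resolution "works", is the point: a host pointed at these ranges has been tampered with regardless of what answers it currently gets back. A secondary server inside the corporate range (ws-102 above) does not make the host clean. DNS Changer also rewrote the DNS settings on home routers, so a laptop that looks clean on the corporate LAN can pick up a rogue server via DHCP elsewhere; sweeping the DHCP-assigned servers as well as the static ones closes that gap.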
Figure: A view of a device DNS table as seen by EnCase, with the IP addresses associated with various DNS entries called out. An audit of these tables network-wide with EnCase Cybersecurity can be used to expose the effects of DNS Changer via known fraudulent DNS table entries.
While modern threats such as DNS Changer have learned to evade traditional signature-based defenses, these threats still leave traces of their effect somewhere on the target device, whether on the hard disk or in memory. Forensic response technologies like EnCase Cybersecurity are designed to rapidly audit the enterprise for these artifacts, giving security teams a full and accurate understanding of the scope of any incident, as well as the information needed to completely remediate those threats.
Staggering Level of 2011 Breaches Shows Incident Response Speed Is of the Essence
It seems the torrent of data breach news never lets up. In 2010, according to the Open Security Foundation’s Data Loss Database, there were 555 breaches affecting nearly 27 million records. And while the number of incidents fell to 369 in 2011 (so far; the year isn’t over as this is written), a staggering 126.7 million records have been affected.
The number of breached records isn’t the only statistic that is up. The most recent Ponemon Institute U.S. Cost of a Data Breach Study report, published in March of this year, found that the cost of breaches per record also is climbing. The report, which looked at 2010 data, found the cost per record to be $214, up $10 when compared to the previous year.
Why is the number of records compromised rising, along with the cost of breaches? There are no easy answers. Of course, more institutions are using electronic records today than ever before – and they’re also operating under stricter regulatory compliance mandates that require notification. Those are probably two very important reasons.
Another is the greater complexity of today’s networks. There are more servers, databases, and applications managing our data across more and more networks.
This makes it very challenging to quickly identify potential breaches as they’re just getting underway.
As networks grow more complex, with more interactions with more network infrastructure and applications, the number of potential security events to monitor also rises. In order to better manage the associated risks – and quickly clamp down on breaches as they’re occurring – IT security teams need to deploy more security defenses and to monitor everything from network access to network and web traffic to application usage.
This heightened level of security monitoring means, of course, that security teams will receive tens of thousands – for large organizations perhaps hundreds of thousands – of security alerts from their Security Information and Event Management (SIEM) system every day. This makes it incredibly difficult to prioritize and respond to those events that matter. In fact, obtaining information about endpoints (where many breaches originate) that can be acted upon in a reasonable period of time is next to impossible.
This lack of visibility into real-time endpoint security activity significantly intensifies enterprise risk by both increasing the probability that successful attacks go unnoticed, and that security teams are hampered from doing their jobs effectively.
What IT security teams need is quick access to endpoint data to reduce risks. Because endpoint data tends to decay, or change very often, by the time security teams get to see the alerts that come from their SIEM, it’s often many hours or days too late to respond.
What’s needed for SIEMs to be more effective is the ability to integrate endpoint incident response into SIEM alerting. For example, our EnCase® Cybersecurity automates the incident response process by acting on rules defined in one of the most well-established SIEMs, HP ArcSight. This integration makes it possible for EnCase® to capture the necessary data right on the endpoint as soon as possible. For example, if a user who is authorized to access the network attempts to access unauthorized applications or resources, EnCase® Cybersecurity can be configured to capture relevant system information at the very moment that undesirable event occurs. This ensures an accurate view of exactly what activity was underway at the time the user attempted to access the unauthorized resources.
Additionally, as alerts from security defenses are generated and captured by the SIEM, EnCase® Cybersecurity can be configured to immediately take memory and system information snapshots of all hosts involved in the event. This ensures a real-time glimpse into the state of the computer at the time of the alert, revealing known, unknown, and hidden processes, as well as running DLLs and network socket information.
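A snapshot is only useful if the analyst can read it quickly, and with thousands of alerts a day the first question is which host to open first. The script below is an added example, not EnCase or ArcSight code. It takes the kind of snapshot described above (process list as the API reports it, process list found by scanning memory, socket table) and applies the three checks an analyst would do by hand: processes the memory scan sees but the API does not (hidden), process names outside a baseline (unknown), and established connections owned by either. The snapshots and BASELINE are constructed.

```python
"""Triage endpoint snapshots taken at alert time and rank hosts by risk.

Added example, not EnCase or ArcSight code.  A snapshot is a constructed
dict in the shape an endpoint agent could return: the process list as the
Windows API reports it, the process list found by scanning memory for
process structures, and the socket table.  BASELINE, the set of process
names expected on a standard build, is also constructed.
"""

BASELINE = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
            "lsass.exe", "svchost.exe", "explorer.exe", "outlook.exe"}

_COMMON = {4: "system", 380: "smss.exe", 452: "csrss.exe", 520: "wininit.exe",
           612: "services.exe", 628: "lsass.exe", 800: "svchost.exe",
           1540: "explorer.exe", 2040: "outlook.exe"}

SNAPSHOTS = [
    {
        "host": "ws-045",
        "api_processes": {**_COMMON, 2712: "rundll32.exe"},
        # the memory scan also finds a pid the API list omits: unlinked from
        # the process list, i.e. hidden by a rootkit-style technique
        "scan_processes": {**_COMMON, 2712: "rundll32.exe", 3120: "svchost.exe"},
        "sockets": [   # (pid, local addr, local port, remote addr, remote port, state)
            (2040, "10.0.0.45", 52110, "10.0.0.10", 443, "ESTABLISHED"),
            (3120, "10.0.0.45", 52300, "198.51.100.23", 8080, "ESTABLISHED"),
            (2712, "10.0.0.45", 52301, "203.0.113.5", 443, "ESTABLISHED"),
            (800, "0.0.0.0", 135, "0.0.0.0", 0, "LISTENING"),
        ],
    },
    {
        "host": "ws-046",
        "api_processes": dict(_COMMON),
        "scan_processes": dict(_COMMON),
        "sockets": [(2040, "10.0.0.46", 50001, "10.0.0.10", 443, "ESTABLISHED")],
    },
]


def triage(snapshot, baseline=BASELINE):
    """Return findings and a score for one snapshot.

    hidden:   pids present in the memory scan but missing from the API view
    unknown:  process names not in the baseline
    beacons:  established connections owned by a hidden or unknown process
    """
    api, scan = snapshot["api_processes"], snapshot["scan_processes"]
    hidden = {pid: name for pid, name in scan.items() if pid not in api}
    unknown = {pid: name for pid, name in scan.items() if name not in baseline}
    suspect = set(hidden) | set(unknown)
    beacons = [(pid, raddr, rport)
               for pid, _, _, raddr, rport, state in snapshot["sockets"]
               if state == "ESTABLISHED" and pid in suspect]
    # weights are for ordering only: a hidden process is the strongest signal
    score = 10 * len(hidden) + 3 * len(unknown) + 5 * len(beacons)
    return {"host": snapshot["host"], "hidden": hidden, "unknown": unknown,
            "beacons": beacons, "score": score}


def rank_hosts(snapshots):
    """Order hosts so the analyst opens the worst one first."""
    return sorted((triage(s) for s in snapshots),
                  key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in rank_hosts(SNAPSHOTS):
        print(f"{f['host']}: score {f['score']} hidden={f['hidden']} "
              f"unknown={f['unknown']} beacons={f['beacons']}")
```

A baseline miss on its own is weak evidence (rundll32.exe is a legitimate Windows binary; it earns attention here only because it holds an outbound connection), whereas a process that the memory scan finds and the API does not is hard to explain innocently. The cross-view comparison is the same idea behind tools such as Volatility's psxview, and it works only because the snapshot was taken at alert time: by the time a ticket reaches an analyst the hidden process may be gone.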
And with that kind of information in the hands of the IT security team, it can then prioritize and address the biggest risks before substantial damage occurs. If more organizations had these capabilities in place, the number of breaches, affected records, and the total cost of the breaches would likely go down.
Watch Trends in SIEM and Incident Response webinar featuring 451 Research and HP Enterprise Security to learn more about how the convergence of SIEM and incident response technologies can benefit you.