The IOC and IOA playbook: making sense of your indicators.
Acronyms such as IOCs (indicators of compromise) and IOAs (indicators of attack) are ubiquitous in the security industry. However, a recent SANS survey revealed a vast majority of security professionals don't even know how many indicators they receive or can use. Join DomainTools Senior Security Researcher Kyle Wilhoit to get clarification on the use and value of IOCs and IOAs and how they can enrich your investigations and overall security strategy.
The Week that Was.
November 12, 2017.
By The CyberWire Staff
WikiLeaks releases more alleged CIA material.
WikiLeaks has released another tranche of alleged CIA material, said to be from the "Hive" collection WikiLeaks began publishing in April. The leakers say the files demonstrate that Langley deploys significant false-flag capability, specifically the ability to masquerade as companies using bogus certificates that accompany CIA implants. It is surely no accident (as Pravda used to say) that the three examples of such impersonation in the material WikiLeaks issued all involve pretending to be Kaspersky, using fake certificates pretending to be from Thawte Premium Server CA, a certificate authority based in Cape Town (Macedonia Online).
WikiLeaks had called its earlier cache of CIA material "Vault 7." This is Vault 8, and it differs from Vault 7 in that it includes source code. Vault 7 had contained mostly manuals and presentations allegedly related to CIA cyber operations. Vault 8 is different, resembling the ShadowBrokers' release of alleged Equation Group code. While the Hive seems not to present an immediate risk to Internet users, it could be used to establish an infrastructure for the delivery of damaging attacks. Observers think this would present problems even if the contents of Vault 8 turn out to be nothing more than the code alluded to in Vault 7 (Bleeping Computer).
The answer to the question of who benefits from the Vault 8 leaks seems obvious: Russia does, especially given the way the false-flag aspects of the alleged CIA code would seem to exculpate Kaspersky.
Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it. getleftofboom.com
A wiper disguised as ransomware is active in the wild.
G Data and other researchers report finding a strain of pseudoransomware, "Ordinypt," actively targeting German users. The malware represents itself as crypto ransomware, but in fact it's not encrypting anything, just replacing files with strings of random numbers. There are screens the attackers present that appear to answer victims' frequently asked questions (like, "How do I get Bitcoin?) but in fact there's no real way to pay the ransom and get your files back. The motive and identity of those behind the wiper is unclear (Bleeping Computer).
The keys to intelligent investment in ICS security.
There are four basic ways of detecting threats: through configuration, modeling, indicators, and behavioral analytics. If an ICS security team understands these modes of detection, how they're different, and how they can be used to monitor industrial environments, they'll be able to help their organization invest intelligently for improved security. Check out our upcoming webcast to learn more.
Amazon to provide a cover for open S3 buckets.
Amazon shores up Amazon Web Service security. The cloud giant is trying to make it easier for clients to avoid inadvertently exposing sensitive material by offering these enhancements to its service. The S3 service will henceforth warn users ("with a prominent indicator") if their storage buckets are publicly accessible. It will be easier to copy access control lists and tags when replicating data, and it will now be possible to choose a destination key when replicating encrypted objects. Customers may now specify that objects in S3 buckets be stored in encrypted form, and there are now three options for server-side encryption. Finally Amazon will also give users a detailed inventory that shows the encryption status of the objects in a data bucket. These options can all be enabled through the S3 management console (IT News).
Accenture dodged a bullet from its own AWS cloud. UpGuard found sensitive information exposed to public access and informed Accenture. The firm quickly remediated the problem, and upon investigation said that it detected no unauthorized access to the material (TEISS).
There's another problem with exposed S3 buckets: they can be used to execute man-in-the-middle attacks. This issue arises when the bucket owner not only leaves the data exposed, but also inadvertently forgets to restrict write-access. The technique, which researchers at SkyHigh Security and elsewhere are calling "GhostWriter" involves quietly overwriting code stored in the buckets with malicious script that can execute various other attacks from within the AWS account. Too many admins, apparently, regard cloud services as secure by default (Bleeping Computer).
What do AI and machine learning mean for cybersecurity?
We hear about them everywhere in cybersecurity. They sound cutting-edge, but what do they mean? And what value do they add? Find out exactly how significant AI and machine learning are, and how small nuances in their use can make a big difference.
Cryptocurrency freeze attributed to library bug.
On Tuesday it was reported that somewhere between $150 million and $300 million in ether, Ethereum's crytpocoin, had become unavailable. It appears that the problem lies in the inadvertent triggering of a software flaw in the library Parity Technologies provides to Ethereum users (Parity Tech). The cash is essentially frozen (Motherboard). Parity explains the problem as follows:
The cash is holed up in cryptocurrency multi-sig wallets (wallets requiring more than one owner to “sign” a transaction before it can proceed) created after 20 July using a library provided by Parity Technologies Ltd. Parity explains what happened as follows:
"(I)t was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function.
"It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library."
A person known only by their Twitter handle ("@devops199") said they were responsible, and that it was all an accident ("I'm eth newbie...just learning") which may or may not be true (Naked Security). A hard fork will be the only way in which investors can recover their frozen currency (CoinDesk). In any case, Comae draws a useful lesson from the incident: there are issues, to say the least, with smart contracts that may induce people to take a second look at the wisdom of reposing so much uncritical faith in blockchain-based media of exchange. As Parity put it in their security advisory, "Blockchain and related technologies are a vanguard area of computer science."
How are you handling your cloud monitoring and security?
Cloud providers offer many security measures, but you’re ultimately responsible for securing your own data. While 53% of organizations are training their staff to manage cloud security, 30% of organizations plan to partner with an MSP. In our new white paper, we discuss the considerations you need to make before choosing a solution.
Trouble in Paradise.
The long anticipated and much-feared document dump from Bermuda's Appleby law firm, specialists in offshoring who cater to very high-net-worth individuals, has dropped. 13.4 million documents are said to figure in the "Paradise Papers" leak, whose source remains unknown.
Appleby has been preparing its clients since late last month for the exposure, which the law firm characterizes as "an illegal hack," not a leak (presumably thereby ruling out document theft by a rogue insider). The law firm began to prepare its response when it was contacted in October by the International Consortium of Investigative Journalists, who sought comment on the documents.
Among those mentioned in dispatches are prominent UK public figures, including members of the Royal Family. Of interest to US audiences are documents that appear to show the way investment money from Russian oligarchs, and possibly the Russian government itself, passed into Silicon Valley. The New York Times reports significant Russian investment in both Facebook and Twitter going back as far as 2010, with the money coming from a variety of Russian sources through Yuri Milner. It eventually amounted to a bit more than 8% of Facebook and some 5% of Twitter. As the New York Times points out, there's nothing illegal about Russian entities, even state-controlled ones, investing in US companies. Facebook held its IPO in May of 2012. Twitter went public in November of 2013.
The Paradise Papers episode is being widely compared to the Panama Papers leak, in which 11.5 million documents taken from the Mossack Fonseca law firm were released to the public in 2015.
We've received a number of comments on the Paradise Papers from industry experts. They've tended to see the lesson here as one of data security at law firms. Law firms have become a very attractive target for cybercriminals, and in the opinion of many experts this is unlikely to be the last serious incursion into the data attorneys hold.
Equifax and Yahoo! tell Congress about their breaches.
Current and former Equifax and Yahoo! executives testified on Capitol Hill this week. They weren't the only ones; they were joined by other companies whose business operations have wide-ranging effects on consumer privacy. The US Senate Commerce, Science and Transportation Committee heard from Marissa Mayer (formerly Yahoo!'s CEO), Equifax's Interim CEO Paulino do Rego Barros and the credit bureau's former CEO Richard Smith, Entrust Datacard CEO Todd Wilkinson, and Verizon's Chief Privacy Officer Karen Zacharia (Gizmodo).
The testimony was interesting in the light it shed on the strong pull attribution of an incident to a nation-state exerts on corporate hacking victims. Companies are, the Senators heard, essentially powerless to keep a determined espionage service out of their systems. Yahoo!'s former boss Meyer (whose appearance was compelled by subpoena) was particularly explicit on this point. Although she said that how Yahoo! was compromised remains unknown, she's confident that it was a Russian operation (CIO Dive). (There is thought to be little evidence that the Equifax breach was the work of a foreign intelligence service, and that company's current and former leaders acknowledged the central role failure to patch an Apache Struts vulnerability played in their own mishap.)
In any case, the executives asked for more government help in fending off hostile states. They were particularly keen to get more assistance from NSA. They also agreed that the Social Security Account Number has greatly outlived its usefulness as an identity management tool; several of them thought the Brazilian government's practice of issuing three-year digital identities to citizens was a promising approach. The Social Security Account Number, of course, follows an American for a lifetime. But talk about technological fixes for this widely recognized problem with identity remained aspirational and speculative.
The hearings were also interesting in the way the Senators' questions appear to foreshadow incipient legislation. There were some sharp exchanges over companies' use of arbitration clauses as a means of keeping breach victims from seeking redress though civil lawsuits, particularly during questioning by Senator Blumenthal (Democrat of Connecticut) who wishes to hold hackers to criminal account, but who also wants negligent companies and their executives exposed to civil suits.
Senator Blumenthal is a sponsor of the Data Breach Accountability and Enforcement Act of 2017, which would empower the Federal Trade Commission to investigate any enterprise that disclosed a data breach. Giving the FTC such wide-ranging authority is likely to prove controversial, and might be at least as likely to inhibit swift disclosure as to promote it. At the SINET Showcase this week described what its title called "The Cybersecurity Regulatory Complex," with the FTC at the center of that complex. Panelists were already calling disclosure the point of maximal risk, reputational risk to be sure, but more significantly legal and regulatory risk (The CyberWire).
Notes on cyber conflict.
This week's CyCon meetings in Washington, DC, indicated how seriously NATO in general and the US Army are taking the cyber threat (The CyberWire). Lieutenant General Paul Nakasone (commander of US Army Cyber Command) called data "the new high ground, the new key terrain," and described the Army's efforts to push cyber capabilities to forward-deployed forces. An important sign of this is the degree to which the Army now gives Brigade Combat Teams cyber elements to use in their regular training rotations.
Ambassador Marina Kaljurand, former Estonian Foreign Minister, shared lessons learned from Estonia's experience of sustained cyber attack in 2007. She stressed the importance both of political will and a whole-of-nation approach to effective cyber defense. She also warned that the lines between different forms of conflict have become blurred, and are growing progressively less distinct.
Hacking voting machines may be harder than we think.
The US off-year elections this week went off without evidence of the vote-hacking election officials feared. A look back at Defcon's noisy and much-discussed voting machine hacking exercise indicates that compromising the devices isn't as simple a matter as reports made it out to be. In most cases hacking an electronic voting machine took uninterrupted physical access over a relatively long period of time, and a number of the devices used in the demonstrations were older, decertified models known to suffer from exploitable vulnerabilities. But while this is reassuring, it's not grounds for complacency. Threats to voting integrity are real, and election authorities do well to take them seriously (FCW).
Deloitte has released its Fast 500, an overview of rapidly growing companies in various sectors. Several of the fastest growing firms are cybersecurity outfits; we found thirty seven among the five hundred. Here they are, with their ordinal rank (and apologies if we missed any of you): Cylance (10), White Ops (20), Cloudnexa (38), Tanium (51), Dashlane (65), KnowBe4 (70), n2grate (80), Trinity Technology Partners (87), Nutanix (101), LookingGlass (105), Malwarebytes (111), Wombat (135), Cloudera (166), ReliaQuest (171), Druva (175), TraceLink (177), SiteLock (179), Phishme (200), Delphix (210), Onapsis (243), eSentire (247), FireEye (267), 2nd Watch (272), Recorded Future (274), ClearObject (292), Magnet Forensics (299), AlienVault (320), Thycotic (321), Palo Alto Networks (324), PhishLabs (328), Splunk (338), Resolver (345), Forescout Technologies (350), SailPoint (434), Proofpoint (439), Alert Logic (483), and Netwrix (495).
Deloitte selects the Fast 500 on the basis of "percentage fiscal year revenue growth during the period from 2013 to 2016." Companies must own proprietary intellectual property whose sale to customers accounts for a majority of a company's operating revenues. Their base year operating revenues must be at least $50 thousand, their current year revenues must be at least $5 million, they must have been in business for at least four years, and their headquarters must be in North America.
A look at cybersecurity mergers and acquisitions in the year so far. The M&A market shows simultaneous expansion and consolidation in the sector: a lot of new entrants, and considerable appetite for acquisition on the part of larger firms (CSO).
Proofpoint has bought Cloudmark for $110 million. Cloudmark protects messaging services, serving ISPs and mobile carriers. Observers see the acquisition as a "consolidation play" by Proofpoint (TechCrunch). On Monday Symantec announced its acquisition of SurfEasy, a VPN outfit that offers a suite of mobile privacy and security apps (CRN). Booz Allen Hamilton, increasing its Washington, DC, area headcount and contemplating share buy-backs, is rumored to be interested in pursuing acquisitions (Washington Business Journal).
Warburg Pincus has made an offer for a controlling stake in Cyren. The private equity firm currently owns 21.3% of the company, which specializes in cloud-based threat detection and security analytics; Warburg Pincus would like to increase its stake to 75% (Globes). Broadcom has offered to buy Qualcomm for $70 per share, an offer that values Qualcomm at $130 billion (TechCrunch).
Avast, the Prague-based anti-virus company, prepares for a $4 billion IPO (New York Times). WatchGuard has filed for an IPO in which it hopes to raise $75 million. The firm is best known for in-vehicle video systems (with software and hardware security) provided mostly to law enforcement organizations. It intends to shift its focus to body-worn systems (Seeking Alpha).
NeuVector has raised $7 million in Series A funding. The container security company intends to augment its engineering and sales teams (eSecurity Planet). Enveil announced that it's raised $4 million from a group of investors that includes DataTribe, Bloomberg Beta, Thomson Reuters, and a USAA affiliate (BusinessWire). FireEye has informed the Securities and Exchange Commission that it's raised $4.5 million from an undisclosed investor (NewsCenter).
One of the founders of surveillance and lawful intercept shop NSO has a new start-up, Orchestra, this one a cyber-defense specialist (CTECH).
SnoopWall has renamed itself. It will henceforth be NETSHIELD (PRNewswire).
Today's issue includes events affecting Bermuda, Estonia, NATO/OTAN, Russia, South Africa, United Kingdom, United States.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.