The Week that Was.
October 29, 2017.
By The CyberWire Staff
Bears snuffling around CyCon phish.
Fancy Bear (APT28, Russia's GRU) is phishing around the CyCon conference set for Washington, DC on 7 and 8 November. Sponsored by the US Army Cyber Institute and NATO's Cooperative Cyber Defence Centre of Excellence, the conference's theme is "the future of cyber conflict." Fancy Bear is using a baited Word document carrying Seduploader, a reconnaissance tool useful in determining which targets deserve closer attention. The phishbait document, a cut-and-paste job designed to look like an event flier, is "Conference_on_Cyber_Conflict.doc" (Cisco Talos Blog).
APT28 is being widely razzed for "lame" phishing. "Oh you silly APT28, show some respect," is Bleeping Computer's admonition to the Russian hackers. Apparently few NATO phish have taken the bait, but it would surely be a first if everyone who received the malicious document just spit the hook and went on with life.
How Kaspersky thinks sensitive NSA tools leaked.
Kaspersky Lab continues to maintain its innocence of spying, offering an account of what they believe happened in the NSA leak incident the press has associated with the Moscow-based company. Kaspersky says the NSA contractor (or employee—accounts differ) mentioned as the source of sensitive leaked files backdoored his-or-her own machine by installing malicious pirated software. This would account for a 2014 episode when Equation Group material was reported back to Kaspersky's servers for analysis (eWeek). If Kaspersky's correct, the NSA worker scored a trifecta in the race to the infosec bottom: putting highly classified files on a personal device, taking that device home, and then downloading pirated software. This proffered explanation has of course not dispelled the American stormcloud over Kaspersky (Reuters).
The moniker KHRAT came about because of the identification of a Remote Access Trojan (RAT) with command and control infrastructure found in Cambodia (KH). In the most recent episode of the CyberWire's Research Saturday, Ryan Olson, Director of Threat Intelligence at Palo Alto Networks, talks with us about the capabilities of KHRAT and shares details of the feature set it provides to threat actors that use it.
Reaper botnet locked and loaded, or a fizzle?
The Reaper IoT botnet (a.k.a. IoTroop) is assembled and poised, but has yet to unleash the expected distributed denial-of-service attack. Researchers at NewSky Security have observed signs in the cybercriminal underground that hackers are sharing malicious code suitable for integration with the botnet (Threatpost). On the other hand, Radware researchers argue that Reaper, if it ever goes on a distributed denial-of-service rampage, would be easy to stop (CyberScoop).
BadRabbit popped out of a hat, then vanished.
Early this week BadRabbit ransomware emerged, carried in a bogus Flash update and affecting networks in Russia and Ukraine, as well as in other European countries (ZDNet). The attack infrastructure was up only briefly (roughly six hours) before it was taken down, apparently by its controllers (Motherboard).
Research by Cisco and others connects BadRabbit to the threat actors behind NotPetya. That would be the TeleBots APT, also known as Sandworm, which has in the past been associated with Russian security services, especially in operations directed against Ukraine. The damage done in BadRabbit's brief period of activity doesn't remotely approach that achieved by NotPetya, but, of course, BadRabbit could well return. Researchers note that it used the (allegedly) stolen NSA exploit EternalRomance to propagate across networks (Ars Technica).
A majority of the targets BadRabbit hit were Russian (around 65%), but ESET notes that the high-value targets it thumped were Ukrainian. Much reporting continues to treat BadRabbit as conventional criminal ransomware, as it may be, but it's too early to tell. TeleBots' alleged involvement may point in a different direction. What's not dispositive in the still-tenuous attribution is the high rate of attack against Russian targets. It might be ordinary crime, it might be misdirection on the backs of the little people, or it might be a mistake (which could explain why the attack infrastructure came down so quickly). If it's a conventional ransomware attack, it seems fairly easy to remediate many affected systems without paying the ransom (Bleeping Computer).
WannaCry vulnerability and attribution.
Investigators in the UK conclude that the National Health Service, particularly hard-hit by WannaCry ransomware, could have protected itself with proper patching and better cyber hygiene. Some effort would have been required, but it would have been far short of Herculean, the sort of thing any responsible enterprise might have managed without going to heroic lengths (Computing). Britain's National Audit Office concluded this week that patching Windows 7 and making sure firewalls were in place might well have stopped the infestation (Computing).
The UK has officially attributed WannaCry to North Korea (Independent). In other news related to DPRK hacking, industry security researchers, at Kaspersky Lab and elsewhere, have traced the Lazarus Group to servers located in India, but apparently under the control of Pyongyang (Economic Times).
A grand jury Friday approved charges brought by Special Counsel Robert Mueller, appointed by the US Justice Department to investigate the role influence operations and possible collusion between campaigns and foreign intelligence services may have played in last year's US elections (CNN). The indictments are currently under seal, but may be announced as early as tomorrow. Speculation suggests that several people close to President Trump may be targets of the indictment (New York Daily News). There are also reports that the Clinton presidential campaign paid for delivery of a Fusion GPS dossier, initially requested by Republican primary opponents of then-candidate Trump (Vanity Fair). The House Intelligence Committee will subpoena Fusion GPS bank records (CNN).
The other aspect of Russian influence operations receiving attention continues to be Moscow's security services' engagement with social media, in the form of both posts and paid advertising. The amount spent on ads was small, and the goal of the social media activity seems largely to have been exacerbation of mistrust among mutually suspicious groups in the US.
Twitter CEO Jack Dorsey was apparently successfully trolled by Russian influence operators in 2016, induced to retweet positive stories from a bogus Black Lives Matter activist that actually originated in a Saint Petersburg troll factory. Observers take the incident as a cautionary tale of how grooming influencers works. It's little different from the ways in which unwitting agents of influence have always been cultivated: start small and start innocent, in this case with tweets about how "Rihanna collects her Humanitarian of the Year award from Harvard" (Daily Beast).
Dorsey is believed to have retweeted precisely two tweets from the trolls, both of them quite harmless, the sort of thing anyone who notices pop music, or Harvard, for that matter, might have retweeted or liked (Ars Technica). It's also worth noting that Twitter is a casual medium, with few bothering to check the provenance of the messages they engage with. But many found much to criticize in this episode, and Twitter's reputation took a small but discernible hit, which seems hardly fair.
The other social media giant, Facebook, also continues to get bad reviews for its own susceptibility to manipulation, and equally for its halting steps toward moderating content, which seem to have pleased few (TechCrunch).
Breaches, past, present, and forthcoming.
A source has said Equifax was warned about the vulnerabilities that led to its epic breach this summer (Tech Target). A security researcher contacted Motherboard to say that the credit bureau was informed in 2016 that its large consumer information data holdings were vulnerable to loss, and that Equifax failed to heed the warning. The researcher (who spoke with Motherboard on condition of anonymity) said that a scan revealed that information was readily available through exploitation of a forced browser bug. Equifax was alerted in December, but the vulnerable servers remained up and in their exposed condition until they were taken down in June (Motherboard).
Note that this is a different vulnerability from the one now widely known to have exposed Equifax to its massive breach: that flaw involved failure to patch a known Apache Struts flaw (Ars Technica). This latest report suggests that there may have been multiple attacks on Equifax through distinct vulnerabilities. If so, then as seems to be so often the case, what appeared first to be a distinct data heist eventually begins to look more like a window-smashing riot.
Tarte, a cosmetics firm that specializes in "cruelty-free and eco-friendly makeup," was found to have exposed the information of some two million customers. As has been the case with other recent breaches, this one comes down to what Kromtech calls misconfigured MongoDB databases. The data may already be in the hands of criminals: a known extortion group, "CRU3LTY," has dropped a demand for 0.2 Bitcoin, which isn't much, just shy of $1200. But CRU3LTY also talks about having encrypted Tarte data, which seems not to have happened, so the ransom demand may be a bogus attempt to muscle a target of opportunity (SC Magazine).
Appleby, a Bermuda law firm specializing in handling the affairs of prominent, wealthy, and offshore clients, has been breached. The company is bracing for the usual reputational damage, possibly at the hands of the International Consortium of Investigative Journalists, which has looked into the tax practices of the rich, famous, and arguably oligarchical before (Infosecurity Magazine). Appleby has denied any wrongdoing (the papers say "refuted," but they mean "denied") (Bermuda Insurance Magazine). Observers are comparing the breach to the Panama Papers incident (SC Magazine).
Industrial Control System security: notes from Atlanta.
In the UK, GCHQ says it stopped an attempted hack of Northern Ireland's power grid (Belfast Telegraph). The US Department of Homeland Security issued an unusual public warning about the Dragonfly group's threat to the US power grid (Washington Free Beacon), and Canada's Communications Security Establishment also expressed concerns about the possibility of cyber attacks on critical infrastructure (Reuters).
The Department of Homeland Security and the FBI last week shared information about how Dragonfly (believed to be a Russian state actor) operates, and noted that the threat actor's campaigns could involve either espionage or sabotage (Power Magazine).
The threat to critical infrastructure, and to the power grid in particular, was much discussed this week in Atlanta, Georgia, at Security Week's annual US ICS Cybersecurity Conference.
On Tuesday ICS thought leader Joe Weiss, of Applied Control Solutions, delivered his annual "State of the State" address. He sees widespread security challenges for the industrial control system field as a whole. He deplored the ways in which IT security has taught the ICS community lessons he believes more misleading than helpful. "Our challenge isn't information assurance; it's mission assurance." The engineer's job is safety and availability. Fundamentally the engineer doesn't care whether a disruption arises from malice, error, or act of God: as long as it disrupts operations or affects safety, it must be dealt with. The consequences of failing to do so can be not only expensive, but in the worst cases lethal, and this is where he thinks a target fixation on protecting data can lead those responsible for industrial cybersecurity.
Other speakers agreed that analogies from the IT world could prove misleading to those concerned with ICS. As one of the speakers put it in a bit of quick advice to the security community, "Please forget fail fast. There is no agile. Failure is not an option."
So how susceptible is critical infrastructure to catastrophic failure? In Atlanta we saw a division between optimists and pessimists, between those who see resilience and those who see fragility. The engineers who operate plants and worry about doing so safely and reliably tend to fall into the more pessimistic camp. They're very much alive to the dependencies, the possibilities of cascading failure, and the difficulty of keeping complex systems in equilibrium.
The cyber operators tend toward the optimistic—they're engaged, at least imaginatively and sometimes actually, in thinking about attack. And they perceive all of the attackers' difficulties so familiar to military operators. To be sure the attacker has the initiative, and can choose the time and place of engagement. Beyond that the defender has advantages, too: it's not for nothing that conventional tactical wisdom looks for a three-to-one advantage before going on the attack.
But perhaps some of the usual tropes about mutual misunderstanding between those concerned with IT and those concerned with OT are simply misguided. As the conference closed, participants were reaching consensus that the way to understand the issue is in terms of "before the packet" and "after the packet." What goes on physically before the packet is where the systems' ground truth is to be found, and it's there one finds the unaddressed security (and safety) issues (The CyberWire).
Tech firms generally have awakened to the presumed value of hiring personnel with security clearances, something of course that has long been common in cybersecurity firms. This will put further pressure on an already tight cleared labor market (Bloomberg).
Several mergers and acquisitions were announced this week. Booz Allen Hamilton announced its acquisition of Cincinnati-based Morphick, a managed detection and response shop (Seeking Alpha). Cisco has acquired software company BroadSoft for $1.71 billion (Reuters). The acquisition is seen as bolstering Cisco's collaboration offerings, and as a move toward further diversification outside the company's core switch and router business. Analysts speculate that more software acquisitions are in Cisco's future; perhaps also the acquisition of a peer company (The Street). Private equity firm Elliott Management purchased Gigamon, paying $1.6 billion for the network intelligence provider (Register). Financial details of Forcepoint's August acquisition of Red Owl were disclosed this week: Forcepoint paid $54 million in cash for the company (Baltimore Business Journal).
KnowBe4 plans to boost its security training offerings with its purchase of Securable.io (PRNewswire). KnowBe4 also picked up a new Series B round, $30 million from Goldman Sachs (CSO). Skybox Security also announced a significant infusion of capital in a growth equity investment by CVC Capital Partners ($100 million) and Pantheon ($50 million) (Globe Newswire). Averon, a San Francisco-based mobile security start-up that promises "frictionless authentication," received an $8.3 million funding round (eSecurity Planet).
Forescout went public on October 23rd, bringing in about $116 million (Fortune). The company at IPO is valued at just above $800 million, which would amount to a down round, short of the hoped-for $1 billion valuation (TechCrunch). Forescout is undismayed, and remains confident its IoT security business will make it a billion-dollar revenue company in the not too distant future (Silicon Valley Business Journal). Cloud security firm Zscaler is reported to have quietly filed an IPO this week as well, with the company expected to go public by the end of the year (TechCrunch).
Darktrace, recent recipient of $180 million in venture capital, has used part of that funding to expand its operations in Ottawa (Ottawa Business Journal).
Start-up Cryptonite emerged from stealth this week. Its technology aims to block hostile reconnaissance of networks (Technical.ly DC).
Allegis Capital has appointed FireEye founder Dave DeWalt to its board. The venture capital firm has also changed its name to AllegisCyber, the better to reflect its investment focus, and is expected to expand its scouting for investable companies in the Baltimore-Washington area (US News and World Report).
Israeli cybersecurity start-ups, spun out of Unit 8200, Israel's cyber intelligence organization, are increasingly prospecting US investors, "speed-dating" VCs, as the Jerusalem Post puts it.
A new set of insurance products issued by Rubica offers high net-worth individuals coverage for cyber risk (Business Insider).
Today's issue includes events affecting Bermuda, Bulgaria, Canada, Germany, Democratic People's Republic of Korea, Russia, Turkey, Ukraine, United Kingdom, United States.