Tuesday, November 29, 2016

Disrupting the kill chain

This post is authored by Jonathan Trull, Worldwide Executive Cybersecurity Advisor, Enterprise Cybersecurity Group.

The cyber kill chain describes the typical workflow, including the tactics, techniques, and procedures (TTPs), that attackers use to infiltrate an organization’s networks and systems.  The Microsoft Global Incident Response and Recovery (GIRR) Team and Enterprise Threat Detection Service, Microsoft’s managed cyber threat detection service, identify and respond to thousands of targeted attacks per year.  Based on that experience, the image below illustrates how most targeted cyber intrusions occur today.


The initial attack typically includes the following steps:

  • External recon –  During this stage, the attacker typically searches publicly available sources to identify as much information as possible about their target.  This will include information about the target’s IP address range, business operations and supply chain, employees, executives, and technology utilized.  The goal of this stage is to develop sufficient intelligence to increase the chances of a successful attack. If the attacker has previously penetrated your environment, they may also refer to intelligence gathered during previous incursions.
  • Compromised machine – Attackers continue to use socially engineered attacks to gain an initial foothold on their victim’s network.  Why?  Because these attacks, especially when targeted and based on good intelligence, have an extremely high rate of success.  At this stage, the attacker sends a targeted phishing email to a carefully selected employee within the organization.  The email either contains a malicious attachment or a link directing the recipient to a watering hole (a site the attacker controls or has compromised and that serves an exploit or malware).  Once the user opens the attachment or visits the watering hole, a backdoor is installed on the victim’s computer, giving the attacker remote control of it.
  • Internal Recon and Lateral Movement – Now that the attacker has a foothold within the organization’s network, he or she begins gathering information that was not available externally.  This includes host discovery scans, mapping internal networks and systems, and attempting to mount network shares.  The attacker also begins using freely available yet extremely effective tools such as Mimikatz and WCE to harvest the credentials cached on the initially compromised machine (including those held in LSASS memory), and starts planning the next stage of the attack as shown below.


  • Domain Dominance – At this stage, the attacker attempts to elevate to a higher trusted status within the network.  The attacker’s ultimate goal is your data, and the privileged credentials of a domain administrator offer many ways to reach your valuable data stores.  Once this occurs, the attacker pivots throughout the network, looking for valuable data, installing ransomware for future extortion attempts, or both.
  • Data Consolidation and Exfiltration – Now that the attacker has access to the valuable data within the organization’s systems, he or she must consolidate it, package it up, and send it out of the network without being detected or blocked.  This is typically accomplished by encrypting or compressing the data and transferring it to an external system under the attacker’s control over protocols that are normally allowed outbound, such as DNS, FTP, and SFTP, or through Internet-based file transfer services.
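DNS is the exfiltration channel in the list above that is hardest to block outright, because almost every host must be allowed to resolve names. The script below is an added example (not code from the original post or from Microsoft) of the kind of detection a SOC can run over resolver logs: it groups queries per client and registrable domain and flags groups whose subdomain labels look like chunked, encoded payload rather than host names. The log lines, the client addresses and the domain cdn-updates.net are all constructed for the example; the thresholds are starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed DNS query log for this example (timestamp, client IP, query
# name, query type). These lines are made up and are not real telemetry:
# 10.1.4.37 is the "compromised machine" pushing hex-encoded data out as
# subdomains of an attacker-controlled zone, cdn-updates.net (hypothetical).
SAMPLE_LOG = """\
2016-11-29T09:00:01 10.1.4.22 www.example.com A
2016-11-29T09:00:02 10.1.4.22 mail.example.com A
2016-11-29T09:00:03 10.1.4.22 www.example.com A
2016-11-29T09:00:05 10.1.4.37 6c6f67696e2e7478743a75736572.cdn-updates.net TXT
2016-11-29T09:00:06 10.1.4.37 7061737377643a53756d6d657232303136.cdn-updates.net TXT
2016-11-29T09:00:07 10.1.4.37 646f6d61696e2e6c6f63616c5c61646d696e.cdn-updates.net TXT
2016-11-29T09:00:08 10.1.4.37 6b72627467742e6b697262692c2031396b62.cdn-updates.net TXT
2016-11-29T09:00:09 10.1.4.37 656e642d6f662d626174636820303031.cdn-updates.net TXT
2016-11-29T09:00:10 10.1.4.37 www.example.com A
"""


def shannon_entropy(s):
    """Bits per character: ~0 for 'www', about 3 or more for encoded payloads."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        # Simplification: the last two labels are taken as the registrable
        # domain. A real detector should use the Public Suffix List so that
        # names under co.uk, com.au, etc. are grouped correctly.
        records.append({
            "ts": ts, "client": client, "qtype": qtype,
            "base": ".".join(labels[-2:]), "sub": ".".join(labels[:-2]),
        })
    return records


def score_tunnels(records, min_queries=4, min_avg_len=20,
                  min_avg_entropy=2.5, min_unique_ratio=0.9):
    """Group queries per (client, registrable domain) and flag groups whose
    subdomains look like encoded payload rather than host names."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["base"])].append(r)

    findings = []
    for (client, base), rs in groups.items():
        subs = [r["sub"] for r in rs if r["sub"]]
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        txt_ratio = sum(r["qtype"] in ("TXT", "NULL") for r in rs) / len(rs)
        # Long, high-entropy, never-repeating labels are the signature of
        # data being chunked into queries; legitimate hosts repeat names.
        if (avg_len >= min_avg_len and avg_entropy >= min_avg_entropy
                and unique_ratio >= min_unique_ratio):
            findings.append({
                "client": client, "base": base, "queries": len(subs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_ratio": round(txt_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for f in score_tunnels(parse_log(SAMPLE_LOG)):
        print(f)
```

Two caveats for production use: content-delivery and telemetry domains legitimately generate many unique, long subdomains, so a per-domain baseline (or an allow list of known high-cardinality zones) is needed before alerting, and the registrable-domain split should come from the Public Suffix List rather than the two-label shortcut used here.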

Microsoft Secure and Productive Enterprise

The Microsoft Secure and Productive Enterprise is a suite of product offerings that have been purposely built to disrupt this cyber attack kill chain while still ensuring an organization’s employees remain productive.  Below, I briefly describe how each of these technologies disrupts the kill chain:

  • Office 365 Advanced Threat Protection – This technology is designed to disrupt the “initial compromise” stage and raise the cost of successfully using phishing attacks.
    Most attackers leverage phishing emails containing malicious attachments or links pointing to watering hole sites. Advanced Threat Protection (ATP) in Office 365 provides protection against both known and unknown malware and viruses in email, provides real-time (time-of-click) protection against malicious URLs, as well as enhanced reporting and trace capabilities.  Messages and attachments are not only scanned against signatures powered by multiple antimalware engines and intelligence from Microsoft’s Intelligent Security Graph, but are also routed to a special detonation chamber, run, and the results analyzed with machine learning and advanced analysis techniques for signs of malicious behavior to detect and block threats. Enhanced reporting capabilities also make it possible for security teams to quickly identify and respond to email based attacks when they occur.
  • Windows 10 –  This technology disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user’s PC and by protecting the accounts and credentials stored and used on the device.
    If an attacker still manages to deliver malware through to one of the organization’s employees by some other mechanism (e.g., via personal email), Windows 10’s security features are designed to both stop the initial infection, and if infected, prevent further lateral movement. Specifically, Windows Defender Application Guard uses new, hardware based virtualization technology to wrap a protective border around the Edge browser.  Even if malware executes within the browser, it cannot access the underlying operating system and is cleaned from the machine once the browser is closed.  Windows Device Guard provides an extra layer of protection to ensure that only trusted programs are loaded and run preventing the execution of malicious programs, and Windows Credential Guard uses the same hardware based virtualization technology discussed earlier to prevent attackers who manage to gain an initial foothold from obtaining other credentials stored on the endpoint.  And finally, Windows Defender Advanced Threat Protection is the DVR for your company’s security team.  It provides a near real-time recording of everything occurring on your endpoints and uses built-in signatures, machine learning, deep file analysis through detonation as a service, and the power of the Microsoft Intelligent Security Graph to detect threats.  It also provides security teams with remote access to critical forensic data needed to investigate complex attacks.
  • Microsoft Advanced Threat Analytics – This technology disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response.
    If an attacker still manages to get through the above defenses, compromise credentials, and move laterally, Microsoft Advanced Threat Analytics (ATA) provides a robust set of capabilities to detect this stage of an attack.  ATA combines detection of known attack techniques with user and entity behavioral analytics that learn what is “normal” for your environment so that anomalies indicating an attack stand out. Microsoft ATA can detect internal recon attempts such as DNS enumeration, use of compromised credentials such as access attempts at abnormal times, lateral movement (Pass-the-Ticket, Pass-the-Hash, etc.), privilege escalation (forged PAC), and domain dominance activities (skeleton key malware, golden tickets, remote execution).
  • Azure Security Center – While Microsoft ATA detects cyber attacks occurring within an organization’s data centers, Azure Security Center extends this level of protection into the cloud.
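The “access attempts at abnormal times” detection mentioned for ATA only works because the analytics learn each account’s own routine rather than applying one global business-hours rule. The script below is an added illustration of that idea (not ATA’s code, and not from the original post): it learns, per user, the hours and source hosts seen during a baseline period and then scores later logons against that baseline, weighting an event that deviates in two ways at once (an unusual hour from a never-seen host) as high severity. The logon records, user names and host names are constructed for the example and are not real Windows security-event lines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon records (timestamp, user, source workstation). They are
# made up for this example and are not real Windows security-event lines.
BASELINE_LOG = """\
2016-11-07T08:05 alice WS-ALICE
2016-11-07T17:42 alice WS-ALICE
2016-11-08T08:11 alice WS-ALICE
2016-11-09T07:58 alice WS-ALICE
2016-11-09T18:03 alice WS-ALICE
2016-11-10T08:20 alice WS-ALICE
2016-11-07T22:10 bob WS-BOB
2016-11-08T21:55 bob WS-BOB
2016-11-08T23:40 bob SRV-BUILD01
2016-11-09T22:30 bob WS-BOB
"""

# Events to score after the baseline has been learned (also constructed).
NEW_LOG = """\
2016-11-14T09:02 alice WS-ALICE
2016-11-14T03:17 alice SRV-DC01
2016-11-14T03:19 alice SRV-FILE02
2016-11-14T22:05 bob WS-BOB
2016-11-14T23:10 bob SRV-BUILD01
"""


def parse(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host = line.split()
            out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, host))
    return out


def learn_baseline(events):
    """Per user: the range of hours and the set of hosts seen during the
    learning period. bob's night-shift baseline shows why a single global
    'business hours' rule would be wrong for him."""
    hours = defaultdict(set)
    hosts = defaultdict(set)
    for ts, user, host in events:
        hours[user].add(ts.hour)
        hosts[user].add(host)
    return {u: {"hours": (min(hours[u]), max(hours[u])), "hosts": hosts[u]}
            for u in hours}


def score_events(baseline, events, pad_hours=1):
    """Return one finding per event that deviates from its user's baseline."""
    findings = []
    for ts, user, host in events:
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            lo, hi = b["hours"]
            if not (lo - pad_hours <= ts.hour <= hi + pad_hours):
                reasons.append("logon outside learned hours %02d:00-%02d:59" % (lo, hi))
            if host not in b["hosts"]:
                reasons.append("first logon from host %s" % host)
        if reasons:
            # Two independent deviations at once deserve the most attention:
            # a familiar account doing an unfamiliar thing from an
            # unfamiliar place is what credential misuse looks like.
            findings.append({"ts": ts.isoformat(), "user": user, "host": host,
                             "severity": "high" if len(reasons) > 1 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    base = learn_baseline(parse(BASELINE_LOG))
    for f in score_events(base, parse(NEW_LOG)):
        print(f)
```

The min/max hour window is deliberately simple; a shift that crosses midnight needs a circular representation (or a per-hour histogram), and a baseline learned while an attacker is already present will learn the attacker’s behaviour as normal, which is why the learning period should be reviewed rather than trusted blindly.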

And now for the best part.  As shown in the image below, each of the above listed technologies is designed to work seamlessly together and provide security teams with visibility across the entire kill chain.


Each of these technologies also leverages the Microsoft Intelligent Security Graph, which includes cyber threat intelligence collected from Microsoft’s products and services, to provide more comprehensive and accurate detections.

  • Cloud App Security, Intune, Azure Information Protection, and Windows 10 Information Protection – And finally, the Microsoft Secure and Productive Enterprise Suite provides significant capabilities to classify and protect data and prevent its loss.  Among other capabilities, Microsoft Cloud App Security can identify and control the use of unsanctioned cloud applications.  This helps organizations prevent data loss, whether from an attack or rogue employee, via cloud-based applications.  Intune and Windows 10 Information Protection prevent corporate data from being intermingled with personal data or used by unsanctioned applications whether on a Windows 10 device or on iOS or Android based mobile devices.  And finally, Azure Information Protection provides organizations and their employees with the ability to classify and protect data using digital rights management technology.  Organizations can now implement and enforce a need-to-know strategy thereby significantly reducing the amount of unencrypted data available should an attacker gain access to their network.

Finally, Microsoft’s Enterprise Cybersecurity Group (ECG) also offers a range of both proactive and reactive services that leverages the capabilities of the Secure and Productive Enterprise suite in combination with the Intelligent Security Graph to help companies detect, respond to, and recover from attacks.

In the coming weeks, I will be following up with blogs and demos that go deeper into each of the above listed technologies and discuss how companies can most effectively integrate these solutions into their security strategies, operations, and existing technologies.  To learn more about Microsoft technologies visit Microsoft Secure.

from Microsoft Secure Blog Staff

Friday, November 25, 2016

[SANS ISC Diary] Free Software Quick Security Checklist

I published the following diary on isc.sans.org: “Free Software Quick Security Checklist“.

Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures but the most important remains, of course, the price. Even if there are many hidden costs related to “free” software. In case of issues, a lot of time may be spent in searching for a solution or diving into the source code (and everybody knows that time is money!)… [Read more]


[The post [SANS ISC Diary] Free Software Quick Security Checklist has been first published on /dev/random]

from Xavier

Monday, November 21, 2016

The four necessities of modern IT security

As companies embrace the cloud and mobile computing to connect with their customers and optimize their operations, they take on new risks. Traditional IT boundaries have disappeared, and adversaries have many new attack vectors.

Even with a bevy of security tools already deployed, IT teams are having to process a lot of data and signal that makes it hard to find and prioritize relevant threats.  Solutions often compromise end-user productivity for the sake of security, leading to end-user dissatisfaction and, too often, rejection or misuse of the solution. And, without the ability to detect suspicious behavior, early signs of an attack can go unnoticed.

To confront these challenges, Microsoft is building a platform that looks holistically across all the critical endpoints of today’s cloud and mobile world. We are acting on the intelligence that comes from our security-related signals and insights. And we are fostering a vibrant ecosystem of partners who help us raise the bar across the industry.

Our platform investments span four categories: identity, apps and data, devices, and infrastructure. Here is what you can expect from our security platform and solutions in each of these critical areas:

Identity— Help protect against identity compromise and identify potential breaches before they cause damage
  • Mitigate identity compromise with multi-factor authentication
  • Go beyond passwords and move to more secure forms of authentication
  • Identify signs of breach early with behavioral analytics that help detect suspicious activity
  • Respond quickly by automatically elevating access requirements based on risks
Apps and Data—Boost productivity with cloud access while keeping information protected
  • Enable employees to use cloud apps without losing control of corporate data
  • Classify, contain, and encrypt data based on IT policy—even on user-owned devices
  • Get notification of attempts for unauthorized data access, manage access to documents, remotely wipe data when necessary
Devices—Enhance device security while enabling mobile work and BYOD
  • Encrypt data, manage devices, and ensure compliance
  • Automatically identify suspicious or compromised endpoints and respond to targeted attacks
  • Rapidly block, quarantine, or wipe compromised devices
Infrastructure—Take a new approach to security across your hybrid environment
  • Gain greater visibility and control across on-premises and cloud environments
  • Enforce security policies on cloud resources and detect any deviations from baselines
  • Identify signs of compromise early through behavioral analysis and respond more quickly
  • Separate security event noise from signals with advanced analysis and machine learning

To learn more about security best practices, download the free eBook, “Protect Your Data: 7 Ways to Improve Your Security Posture”

from Microsoft Secure Blog Staff

"European Security Awareness Summit - After Action Report"

I'm flying home after this year's European Security Awareness Summit and wanted to share my thoughts and experiences from the event while still fresh in my mind. Once a year, every year, we host a security awareness summit both in the United States and in Europe. The purpose of the awareness summits is to bring … Continue reading European Security Awareness Summit - After Action Report

from lspitzner

Thursday, November 17, 2016

The Budapest Convention on Cybercrime – 15th Anniversary

This post was authored by Gene Burrus, Assistant General Counsel

November 2016 marks the 15th anniversary of the Convention on Cybercrime of the Council of Europe, commonly referred to as the Budapest Convention.

The treaty is the preeminent binding international instrument in the area of cybercrime. It serves as a guideline for countries developing national legislation and provides a framework for international cooperation between countries’ law enforcement agencies, so critical to cybercrime investigation and prosecution.

Since its inception, 50 countries have recognized this reality by acceding to it, with an additional six signing it, and a further 12 having been invited to do so. Its influence extends far beyond those countries, with a number of international organizations participating in the Convention Committee and many other countries looking at it for best practices.

The Budapest Convention’s success lies in part in the fact that it has not held still. As technology evolved, the Convention’s members have sought to adopt a set of recommendations to make mutual legal assistance requests more efficient, and have begun to investigate whether its premises still hold under the new paradigm of cloud computing.

The importance of this to Microsoft, and its customers, is large and increasing. Estimates of global financial losses from cybercrime exceed $400 billion a year. And that number understates the less tangible impacts on privacy, trust, innovation and adoption of new technologies. Thus, effectively fighting cybercrime is of critical importance to Microsoft’s business.

In addition, the process of detecting and investigating cybercrime often involves private technology providers like Microsoft and partnerships between Microsoft and law enforcement. Driving towards the objectives of the Budapest Convention – to drive a common harmonized set of criminal prohibitions, and to facilitate international cooperation – is directly beneficial to our customers. Greater harmonization among national approaches on criminalizing behavior, criminal procedure and investigative capabilities are critical to helping companies like Microsoft ensure compliance with what otherwise might be conflicting legal obligations under different legal regimes.

The Convention’s main objectives are two-fold: to drive a common harmonized set of criminal prohibitions, and to facilitate international cooperation. Setting prohibitions and facilitating cooperation is important for Microsoft when it is looking to help protect customers. The first step in fighting cybercrime often consists of ensuring that the country where a perpetrator might live actually has laws against cybercrimes. Absent this, a perpetrator can act with impunity in a so called safe haven. The Convention defines a number of different types of crimes that can be committed online, providing a common frame of reference for its members, including:

  • Hacking crimes involving unlawfully accessing, intercepting or interfering with computers and computer networks;
  • Computer related fraud crimes;
  • Content related crimes, such as child pornography.

Secondly, the Convention aims to provide for criminal procedure necessary to investigate and prosecute cybercrimes, and to set up a fast, efficient, effective regime for cooperation between law enforcement in different nations. The latter is critical for Microsoft to help protect its customers. By its very nature cybercrime is almost always international in its scope. Perpetrators sitting in one country often attack victims in other countries, frequently using servers and networks sitting in yet others. Therefore, there must be procedures and mechanisms in place to facilitate and enable cooperation between and among the countries where the victims, the perpetrators, and the computer systems are physically located.

Finally, and outside the scope and powers of the Budapest Convention, the practical reality of motivating a country housing a perpetrator, but which may have few nationals as victims itself, to spend resources addressing that crime must be overcome. That will continue to be easier said than done until all countries realize that trust in the online environment is mutually beneficial and difficult to maintain. A lack of trust will impact all online economies, no matter where the criminals come from.

On its 15th birthday the Budapest Convention has been established as the gold standard of international conventions in the area of cybercrime. It’s a critical tool in our efforts to help protect and secure our products and our customers against cybercriminals. We hope that in the coming years more countries join it in an effort to eradicate the most modern of crimes.

from Microsoft Secure Blog Staff

[SANS ISC Diary] Example of Getting Analysts & Researchers Away

I published the following diary on isc.sans.org: “Example of Getting Analysts & Researchers Away“.

It is well-known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malware has VM evasion techniques to detect as soon as possible whether it is executed in a sandbox environment. The same applies for web services like phishing pages or C&C control panels… [Read more]

[The post [SANS ISC Diary] Example of Getting Analysts & Researchers Away has been first published on /dev/random]

from Xavier

"The Three C's of Awareness"

Upgrade your Cyber Awareness Training with the Three C's of Security Awareness According to the 2016 Security Awareness Report, over 80% of security awareness professionals have a background in either information security or information technology. Less than 15% have a background in soft skills such as training, marketing or communications. This technical orientation has significant … Continue reading The Three C's of Awareness

from lspitzner

Monday, November 14, 2016

Securing the new BYOD frontline: Mobile apps and data

With personal smartphones, tablets, and laptops becoming ubiquitous in the workplace, bring your own device (BYOD) strategies and security measures have evolved. The frontlines have shifted from the devices themselves to the apps and data residing on—or accessed through—them.

Mobile devices and cloud-based apps have undeniably transformed the way businesses operate. But they also introduce new security and compliance risks that must be understood and mitigated. When personal and corporate apps are intermingled on the same device, how can organizations remain compliant and protected while giving employees the best productivity experience? And when corporate information is dispersed among disparate, often unmanaged locations, how can organizations make sure sensitive data is always secured?

Traditional perimeter solutions have proved to be inadequate in keeping up with the stream of new apps available to users. And newer point solutions either require multiple vendors or are just too complex and time-consuming for IT teams to implement. Companies need a comprehensive, integrated method for protecting information—regardless of where it is stored, how it is accessed, or with whom it is shared.

Microsoft’s end-to-end information protection solutions can help reconcile the disparity between user productivity and enterprise compliance and protection. Our identity and access management solutions integrate with existing infrastructure systems to protect access to applications and resources across corporate data centers and in the cloud.

The following Microsoft solutions and technologies provide access control on several levels, offering ample coverage that can be up and running with the simple click of a button:

Identity and access management

Simplify user access with identity-based single sign-on (SSO). Azure Active Directory Premium (Azure AD) syncs with existing on-premises directories to simplify access to any application—even those in the cloud—with a secured, unified identity. No more juggling multiple combinations of user names and passwords. Users sign in only once using an authenticated corporate ID, then receive a token enabling access to resources as long as the token is valid. Azure AD comes pre-integrated with thousands of popular SaaS apps and works seamlessly with iOS, Android, and Windows devices to deliver multi-platform access. Not only does unified identity with SSO simplify user access, it can also reduce the overhead costs associated with operating and maintaining multiple user accounts.

Secure and compliant mobile devices

Microsoft Intune manages and protects devices, corporate apps, and data on almost any personal or corporate-owned device. Through Intune mobile device management (MDM) capabilities, IT teams can create and define compliance policies to meet specific business requirements, deploy policies to users or devices, and monitor device and/or user compliance from a single administration console. Intune compliance policies deliver complete visibility into users’ device health, and enable IT to block or restrict access if the device becomes non-compliant. IT administrators also have the option to install device settings that perform remote actions, such as passcode reset, device lock, data encryption, or full wipe of a lost, stolen, or non-compliant device.

Conditional access

Microsoft Intune can also help reinforce access protection by verifying the health of users and devices prior to granting access, using conditional access policies. The policies evaluate factors like the source IP range, the user’s group membership, and whether the device is managed by Intune and compliant with the policies set by administrators. During evaluation, Intune blocks the user’s access until the device is encrypted, has a passcode set, and is not jailbroken or rooted. Intune integrates with cloud services like Office 365 and Exchange to confirm device health and grant access based on the result.
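To make the evaluation order concrete, here is an added example of a conditional access decision function (written for this page; it is not Intune’s or Azure AD’s code, and the policy and request field names are this example’s own). It applies the factors named above in the order a practitioner would want: cheap hard failures first (wrong group, unmanaged device), then device posture with a remediation-oriented message, then network location. Treating a missing posture attribute as a failure is a deliberate choice: an unknown state should never pass a compliance check. The policy, the trusted network ranges and the device records are all constructed.

```python
import ipaddress

# Hypothetical policy, constructed for this example. It mirrors the factors
# named in the text (IP range, group membership, management state,
# compliance); the field names are this example's, not Intune's or Azure AD's.
POLICY = {
    "trusted_networks": ["10.0.0.0/8", "203.0.113.0/24"],
    "allowed_groups": {"Finance", "Sales"},
    "require_managed": True,
    # Posture a device must report before it is considered compliant.
    "compliance": {"encrypted": True, "passcode_set": True, "jailbroken": False},
}


def compliance_gaps(policy, device):
    """List the compliance requirements the device fails, by name.
    A missing attribute counts as a failure: unknown posture is not compliant."""
    gaps = []
    for attr, required in policy["compliance"].items():
        if device.get(attr) != required:
            gaps.append(attr)
    return gaps


def evaluate_access(policy, request):
    """Decide 'allow', 'mfa' or 'block' for one access request.

    request = {"user": ..., "groups": set(...), "source_ip": "...",
               "device": {"managed": bool, "encrypted": bool,
                          "passcode_set": bool, "jailbroken": bool}}
    Returns (decision, reasons). Checks are ordered so that the cheapest
    hard failures (wrong group, unmanaged device) come before posture.
    """
    reasons = []
    device = request["device"]

    if not policy["allowed_groups"] & set(request["groups"]):
        return "block", ["user is not a member of an allowed group"]

    if policy["require_managed"] and not device.get("managed"):
        return "block", ["device is not enrolled in management"]

    gaps = compliance_gaps(policy, device)
    if gaps:
        # Remediation-oriented message: the user is told what to fix, and
        # access is re-evaluated once the device reports the new state.
        return "block", ["device non-compliant: " + ", ".join(gaps)]

    ip = ipaddress.ip_address(request["source_ip"])
    on_trusted_net = any(ip in ipaddress.ip_network(n) for n in policy["trusted_networks"])
    if not on_trusted_net:
        # Assumption of this example's policy: a compliant device off the
        # corporate network is allowed only with multi-factor authentication.
        reasons.append("source %s is outside trusted networks" % ip)
        return "mfa", reasons

    return "allow", reasons


if __name__ == "__main__":
    # Constructed request: compliant, managed device, on the corporate network.
    req = {"user": "alice", "groups": {"Finance"}, "source_ip": "10.20.30.40",
           "device": {"managed": True, "encrypted": True,
                      "passcode_set": True, "jailbroken": False}}
    print(evaluate_access(POLICY, req))
```

Note that the decision is only as good as the posture report behind it: a device attesting its own encryption and jailbreak state is a self-report, which is why management agents and hardware-backed attestation matter for the “managed” and “compliant” inputs.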

Multi-factor authentication

Multi-factor authentication is a feature built into Azure Active Directory that provides an additional layer of authentication to help make sure only the right people have the right access to corporate applications. It prevents unauthorized access to on-premises and cloud apps with additional authentication required, and offers flexible enforcement based on user, device, or app to reduce compliance risks.

To learn more about BYOD security, download the free eBook, Protect Your Data: 7 Ways to Improve Your Security Posture


from Microsoft Secure Blog Staff

Artificial intelligence and cybersecurity: The future is here

Although we’re a very long way from putting artificial intelligence (AI) in charge of national defense, the use of AI in cybersecurity isn’t science fiction. The ability of machines to rapidly analyze and respond to the unprecedented quantities of data is becoming indispensable as cyberattacks’ frequency, scale and sophistication all continue to increase.

The research being done today shows that automated cybersecurity systems can do many things with only limited human oversight. Through neural networks, heuristics, data science, and similar techniques, systems are being designed to identify cyberattacks, to spot and remove malware, and to find ways to fix bugs faster than any human could. In some respects, this work is simply an extension of the principles that people have become used to in their mail filters or firewalls. That being said, there is something qualitatively different about the AI “end game”, i.e. having cybersecurity decisions taken by technology without human intermediation.

This novelty brings with it entirely new challenges. For example, what would legal frameworks around such cybersecurity look like? How would we regulate their creation and their use? What would we in fact regulate? There has already been some insightful writing and research done on this (see Potential AI Regulatory Problems and Regulating AI systems for example), but for policy-makers the fundamental challenge of defining what an AI is and what it is not remains. Without such fundamentals, even outcomes oriented approaches could fall short as there is no certainty about when they must be used.

“If our brains were simple enough for us to understand them, we’d be so simple that we couldn’t.” (Ian Stewart, The Collapse of Chaos: Discovering Simplicity in a Complex World)

In fact, AI technologies will be complex. Many government policymakers may struggle to understand them and how to best oversee their integration and evolution in government, society and key economic sectors. This is further complicated by the chance that the creation of AI might be a globally distributed effort, operating across jurisdictions with potentially distinct approaches to regulation. Smart cars, digital assistants, and algorithmic trading on financial markets are already pushing us towards AI. How could we improve the understanding of the technology, transparency about its decision making, integrity of its development and ethics, and the actual control of the technology in practical terms?

But it is also critical to understand the role AI can and will play in cybersecurity and resilience. The technology is initially likely to be “white hat” enabling critical infrastructures to protect themselves and the essential services they provide to the economy, society and public safety in new and novel ways. AI may enable systems to anticipate and rapidly mitigate security incidents or advanced persistent threats. But, as we have seen in cybersecurity, we will likely see criminal organizations or nation states seek to exploit AI to evade cybersecurity defenses or even attack. This means that reaching consensus on cybersecurity norms becomes more important and urgent. The work on cybersecurity norms will need more public and private sector cooperation globally.

In conclusion, it is worth noting that despite the challenges posed by AI in cybersecurity, there are also interesting and positive implications for the balance between cybersecurity and cyber-resilience. If cybersecurity teams can rely on smart systems to play defense, their focus can turn to preparing to handle a successful attack’s consequences. The ability to reinvent processes, to adapt to “black swan” events and to respond to developments that violate the fundamental assumptions on which an AI is built, should remain distinctly human for some time to come.


from Paul Nicholas

Wednesday, November 9, 2016

Enabling collaboration—without data leaks

Many of us have accidentally sent sensitive information to the wrong person at some point in our career, perhaps without even knowing. This is a frightening reality for companies and their IT teams, especially as collaboration increases and corporate data becomes more distributed among on-premises and cloud environments. Monitoring every device, application, and piece of data at all times is not only not practical—it’s impossible.

To stay protected and compliant, IT groups need the ability to effectively manage users and devices in ways that enable productivity without introducing risk. And users must learn to protect themselves from situations in which leaks could occur.

To help mitigate data leaks, influence user best practices, and still allow for collaboration, Microsoft designed the following security features to protect corporate data—whether it is in the data center, in the cloud, or shared with internal and external partners:

Manage your mobile applications

With Microsoft Intune mobile application management (MAM), organizations can control apps and resources at the app level. IT can discourage users from working in unauthorized apps by applying restrictions that prevent copying, pasting, or saving data from a managed app onto an unmanaged app. End users can work productively in familiar Office apps and retain the rich Office productivity experience. Intune MAM capabilities are native to Office mobile apps, but can also be extended to other proprietary and line-of-business apps through the Intune SDK or Intune App Wrapping tool.

Lock mobile devices down

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, lock a device down so it can only run trusted applications. In the locked-down state, code that is not signed by a trusted publisher or otherwise permitted by the code integrity policy is refused at load time, whether a user launched it or an exploit tried to drop it. Because untrusted code never runs in the first place, IT does not have to watch for and react to malicious behavior after the fact.

Protect enterprise data

Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), combines Windows 10, Intune, and Azure Rights Management to separate and protect enterprise apps and data against disclosure across both company and personal devices, without requiring changes to environments or apps. WIP integrates with Intune so that WIP policies can be managed centrally; the policies protect corporate data by preventing unauthorized apps from accessing it, similar to the Intune MAM capabilities for iOS and Android. Copy and paste from corporate content into unknown or personal apps is restricted, and corporate data can be remotely wiped from a device without touching the user’s personal data, which keeps the two from mingling.

Prevent data loss

Data Loss Prevention (DLP) in Office 365 helps identify the places where sensitive data is most exposed to loss. The DLP classification engine built into Office 365 analyzes content across Exchange, SharePoint, OneDrive for Business, and the Office applications to determine which information is sensitive according to the organization’s own requirements. Policy Tips warn users inside the application when the content they are working on matches a policy, so the decision to share is made with the policy in view. IT can then use the classification results to inform and enforce the compliance and security policies that best protect sensitive information.
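The classification engine described above matches content against sensitive information types, and the difference between a useful DLP rule and a noisy one is usually the validation step behind the pattern. The script below is an added example of that mechanism (written for this page, not the Office 365 engine’s code): a regular expression finds 13 to 19 digit runs that could be payment card numbers, a Luhn checksum discards the ones that are not, and a small rule turns the count into a label and the Policy Tip text a user would see. The document text is constructed; the two card numbers in it are the widely published Visa and Mastercard test numbers, chosen because they pass the checksum, and the order reference is a 16-digit number that does not.

```python
import re

# Constructed document text for this example (it is not a real customer file).
# The two 16-digit card numbers are the well-known Visa and Mastercard test
# numbers, which pass the Luhn check; the order reference does not.
SAMPLE_DOC = """\
Subject: Q4 refunds batch
Order ref 1234 5678 9012 3456 - customer asked for a refund.
Card on file: 4111 1111 1111 1111 (exp 11/18)
Second card: 5500-0000-0000-0004
Call me on +1 425 555 0100 if anything is unclear.
"""

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from any result above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings that match the card pattern and pass Luhn.
    The checksum is what separates card numbers from order references and
    other 16-digit identifiers, keeping false positives tolerable."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(text, min_count=1):
    """Mimic a DLP rule: label the content and produce the Policy Tip text.
    min_count lets a policy treat one number (a single customer's card in a
    support ticket) differently from a bulk export."""
    cards = find_card_numbers(text)
    if len(cards) < min_count:
        return {"label": "none", "count": len(cards), "tip": None}
    label = "high" if len(cards) >= 10 else "medium"
    # Never echo the full number back to the user; show only the last four.
    masked = ["*" * (len(c) - 4) + c[-4:] for c in cards]
    tip = ("This item contains %d credit card number(s): %s. "
           "Sharing it outside the organization is blocked by policy."
           % (len(cards), ", ".join(masked)))
    return {"label": label, "count": len(cards), "tip": tip}


if __name__ == "__main__":
    print(classify(SAMPLE_DOC))
```

A real sensitive-information type adds two more filters on top of the checksum: a keyword or context check (words like “card”, “expiry”, “CVV” nearby) and an issuer-prefix check, because plenty of non-card numbers happen to satisfy Luhn. The masking in the tip matters as well; a Policy Tip that repeats the full number has just copied sensitive data into another place.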

Utilize policy-driven access control

Azure Rights Management (Azure RMS) enables IT to encrypt data at the file level and apply policy-based permissions based on the user’s identity. These access control policies provide integrated coverage across on-premises environments and cloud applications. IT can define privileges for users and files, ensuring only the right people can view sensitive information. Actions like viewing, editing, authoring, and co-authoring capabilities delegated to the user are all governed by access control policies, and they can be tailored to meet specific project or business needs. Designed to support multiple workloads such as Exchange, SharePoint, and Office documents, Azure RMS enables safer sharing and collaboration with partners inside and outside the organization.

To learn more about secure collaboration, download the free eBook, “Protect Your Data: 7 Ways to Improve Your Security Posture”.

from Microsoft Secure Blog Staff

"Stopping Business Email Scams Takes More than Just Phishing Training"

A Conversation with the FBI Cybercrimes Division

Since January 2015, losses from Business Email Compromise scams (often called BEC) increased 270 percent, according to the FBI cybercrimes division. While CEO Fraud is the most common and fastest growing version, the entire class of business email compromises relies on the same social engineering and targeting … Continue reading Stopping Business Email Scams Takes More than Just Phishing Training

from Securing the Human

Sunday, November 6, 2016

[SANS ISC Diary] Full Packet Capture for Dummies

I published the following diary on isc.sans.org: “Full Packet Capture for Dummies

When a security incident occurs and must be investigated, the Incident Handler’s Holy Grail is a network capture file. It contains all communications between the hosts on the network. The metadata alone are already a goldmine: source and destination IP addresses, ports, time stamps. But if we also have access to the full packets with the payload, it is even more interesting. We can extract binary files from packets, replay sessions, extract IOCs and many more [Read more]

[The post [SANS ISC Diary] Full Packet Capture for Dummies was first published on /dev/random]

from Xavier

Friday, November 4, 2016

Bringing EMET protections into Windows 10

This post is authored by Chris Hallum, Senior Product Manager, Windows

The Enhanced Mitigation Experience Toolkit (EMET) was born as a stop-gap solution to deliver tactical mitigations against certain zero-day software vulnerabilities and over time it’s proven effective against a wide range of vulnerability exploit techniques. Since its first release in 2009 we’ve received a great deal of feedback on it and one common request was to include EMET functionality directly into Windows itself.

With Windows 10 we’ve integrated the many mitigation features that EMET administrators have come to rely on directly into the system. With the Windows 10 Anniversary Update our efforts have achieved critical mass and so EMET 5.5 is entering the sustained engineering part of its lifecycle. More background information on EMET, its integration into Windows 10, and the updated support statement can be found in the Moving Beyond EMET post on the Security Research & Defense blog.

from Microsoft Secure Blog Staff

Cybersecurity and cyber-resilience – Equally important but different

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology’s expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology’s pervasiveness in our lives the possible consequences of attacks, such as the one that occurred last month, are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces) but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there will soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure due to cyberattacks. If this is the case, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack’s consequences? In other words, shouldn’t cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we can sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they would be able to continue to operate at some level in the face of “black-swan” violations of those systems’ fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality is, however, that cyberattacks are not zero-sum games where a breach means unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires a focus on culture as much as on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct, but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies or sufficient to withstand the chronic stresses and acute shocks.


from Paul Nicholas

Thursday, November 3, 2016

"Awareness Training Ranks High in New Cyber Security Report"

Key Awareness Findings from the SANS 2016 Survey on Security and Risk in the Financial Sector

What if you could peer into the front lines of the battle against cyber threats in the financial services sector? What role does security awareness play in thwarting attacks? The 2016 SANS Survey on Security and Risk in the … Continue reading Awareness Training Ranks High in New Cyber Security Report

from Securing the Human

Popularity of a Talk VS. Internet Usage?

When I analyzed the data collected during the last BruCON edition, I had the idea to correlate the timeslots assigned to talks with the amount of Internet traffic. First a big disclaimer: My goal is not to judge the popularity of a speaker or the quality of his/her presentation but more to investigate if the network usage could reveal interesting facts.

Measuring the bandwidth is not a good indicator. Some people used BitTorrent clients or others were downloading big files in the background. I think that it is more relevant to collect the number of sessions. The first step was to extract relevant data. I decided to focus only on HTTP traffic (TCP 80 & 443). Only public destination IP addresses have been used (e.g. connections to the wall of sheep are not included). All sessions with their timestamp have been extracted and indexed by Splunk:

HTTP Connections

Then, I grouped the connections into slots of 30 minutes and exported the data to a CSV file:

source="/opt/splunk/var/run/splunk/csv/httpbrucon.csv" index="brucon" | timechart span=30m count

Finally, I exported the schedule from sched.brucon.org and correlated both with Excel:

Excel Correlation

And the graph showing traffic per talk:

Connections VS. Talks

So now, how to interpret those numbers? A peak of traffic can be interpreted in both ways: when the speaker has a nice slide or explains something awesome, attendees will often share it on social networks. But, on the other side, bored people (or those who are lost in too complex slides) will be tempted to surf the web waiting for the end of the presentation. Based on the feedback received about some talks, both situations are present in my results (again, I won’t disclose which one).

This model is not perfect. Besides regular talks, there were also workshops organized and they could generate a significant amount of connections too. One idea to improve the reporting could be to restrict the analysis to connections performed from wireless access points located in the main room…
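The procedure above (count HTTP sessions per 30-minute slot, then correlate the slots with the talk schedule) can be reproduced without Splunk or Excel. The following is an added example, not code from the original post: it assumes the exported CSV reduces to one ISO-8601 timestamp per HTTP session and that the schedule is available as (title, start, end) tuples; the session timestamps and talk titles below are constructed, not BruCON data. It also normalises the count by talk length, which the post's raw per-slot graph does not do.

```python
"""Correlate HTTP session counts with a conference schedule in 30-minute slots.

Added example, not code from the original post. It reproduces the Splunk
"timechart span=30m count" step in plain Python and then joins the slots to a
talk schedule. Assumed inputs: one ISO-8601 timestamp per HTTP session (the
exported CSV) and a schedule of (title, start, end) tuples. The sample data
below is constructed; it is not BruCON's real traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SLOT_MINUTES = 30

# Constructed sample: one timestamp per HTTP session, as exported from Splunk.
SAMPLE_SESSIONS = """
2016-10-27T09:05:00
2016-10-27T09:10:00
2016-10-27T09:40:00
2016-10-27T10:02:00
2016-10-27T10:31:00
2016-10-27T10:45:00
2016-10-27T10:59:00
2016-10-27T11:10:00
2016-10-27T11:31:00
2016-10-27T11:45:00
2016-10-27T11:59:00
"""

# Constructed sample schedule with hypothetical titles: (title, start, end).
SAMPLE_SCHEDULE = [
    ("Keynote", datetime(2016, 10, 27, 9, 0), datetime(2016, 10, 27, 10, 0)),
    ("Talk A", datetime(2016, 10, 27, 10, 0), datetime(2016, 10, 27, 11, 0)),
    ("Talk B", datetime(2016, 10, 27, 11, 30), datetime(2016, 10, 27, 12, 0)),
]


def load_sessions(text):
    """Parse one ISO-8601 timestamp per line; blank lines are ignored."""
    return [datetime.fromisoformat(line.strip()) for line in text.splitlines() if line.strip()]


def slot_start(ts):
    """Floor a timestamp to the start of its slot (Splunk's span=30m bucket)."""
    return ts.replace(minute=(ts.minute // SLOT_MINUTES) * SLOT_MINUTES, second=0, microsecond=0)


def count_per_slot(timestamps):
    """Number of sessions per 30-minute slot: {slot_start: count}."""
    return Counter(slot_start(ts) for ts in timestamps)


def sessions_per_talk(slot_counts, schedule):
    """Attribute each slot's count to the talk running when the slot starts.

    Slots outside every talk (breaks, workshops) are reported under "(no talk)".
    Slots are assumed to line up with the schedule boundaries.
    """
    per_talk = defaultdict(int)
    for slot, n in slot_counts.items():
        title = next((t for t, start, end in schedule if start <= slot < end), "(no talk)")
        per_talk[title] += n
    return dict(per_talk)


def sessions_per_minute(per_talk, schedule):
    """Normalise by talk length so 30- and 60-minute talks can be compared."""
    minutes = {t: (end - start).total_seconds() / 60 for t, start, end in schedule}
    return {t: n / minutes[t] for t, n in per_talk.items() if t in minutes}


def analyse(text, schedule):
    """Run the whole pipeline; returns (per-slot, per-talk, per-minute) results."""
    per_slot = count_per_slot(load_sessions(text))
    per_talk = sessions_per_talk(per_slot, schedule)
    return per_slot, per_talk, sessions_per_minute(per_talk, schedule)


if __name__ == "__main__":
    per_slot, per_talk, rate = analyse(SAMPLE_SESSIONS, SAMPLE_SCHEDULE)
    for slot in sorted(per_slot):
        print(slot.strftime("%H:%M"), per_slot[slot])
    for title, n in per_talk.items():
        print(f"{title}: {n} sessions, {rate.get(title, float('nan')):.3f}/min")
```

To apply the post's own improvement idea (only the main room's access points), filter the session list by access point before calling `count_per_slot`; the rest of the pipeline is unchanged.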

[The post Popularity of a Talk VS. Internet Usage? was first published on /dev/random]

from Xavier

"OUCH Newsletter is Out - Using the Cloud Securely"

The November edition of the OUCH! security awareness newsletter is out. For this month we focus on Using the Cloud Securely. We chose this topic as there is a great deal of unnecessary confusion and fear about the Cloud. Cloud technology is a powerful way to collaborate with others and be far more efficient at work and home. However … Continue reading OUCH Newsletter is Out - Using the Cloud Securely

from lspitzner

Wednesday, November 2, 2016

Debriefing the BruCON Network

The eighth BruCON edition is already over! Don’t expect a wrap-up because I just don’t have time. I’m always keeping an eye on the attendees’ bits & bytes! Based on the first feedback that I received from attendees and speakers, it was another good edition but, from a network point of view, it was harder. Indeed, the venue does not provide any network service at all and we have to build a temporary network from scratch. The ISP which provides us the pipe to the Internet was not able to help us and we had to find an alternative. We found one but it was extremely expensive for us (keep in mind that BruCON is a non-profit organization) and, worse, the quality was not there. When we deployed the network, we had only 25% of the ordered bandwidth (ouch!). The ISP installed a backup line via a 4G connection as an emergency measure and I spent half a day configuring the load-balancing between the two lines and some QoS to prioritize traffic. At certain times, we had up to 15% packet loss on the main link… Our apologies for the bad network quality! Hopefully, more and more people don’t trust wireless networks and use their mobile phones or portable access points to access the Internet.

First some high level stats about the network usage:

[Figures: high-level statistics; unique Wi-Fi clients by OS over time; unique Wi-Fi clients over time]

About the traffic, we collected 193 gigabytes of PCAP files. 528 unique devices (based on their MAC addresses) connected to the wireless network and got an IP address. We did not play MitM to inspect encrypted protocols (we respect your privacy). Edition after edition, we see that more and more people are using VPNs, which is good! Here is the top 20 of MIME types detected:

Count MIME Type
1034509 application/pkix-cert
94885 text/plain
74707 text/html
61321 image/jpeg
34892 image/png
31268 image/gif
20709 text/json
19209 application/ocsp-response
14323 application/ocsp-request
9370 application/xml
5054 application/vnd.ms-cab-compressed
4304 application/javascript
2717 application/x-debian-package
2250 application/font-woff
1761 image/svg+xml
1734 image/x-icon
1608 application/x-gzip
675 video/mp4
675 application/zip
519 application/x-bzip2

Our attendees communicated with 115,930 unique IP addresses from the wild Internet. Here is a global map:

BruCON Traffic Map

Of course, we had our wall of sheep running to collect all pictures and interesting credentials. Even if our attendees use VPN connections, some of them regularly fail to protect their network communications.

Wall of Sheep

We collected 68848 images and 119 credentials. Amongst the classic IMAP or SNMP accounts, we found that some security products are not so secure by default. Two attendees were running the GFI LANguard tool which communicates over HTTP with the central servers:


About DNS requests, 129883 unique A requests were performed. Here is the top 30 of hosts queried:

Count FQDN
119314 google.com
93601 brucon.org
90383 t.co
57564 apple.com
42841 microsoft.com
29479 facebook.com
27399 vmware.com
27043 g.co
27038 softwareupdate.vmware.com
23418 capgemini.com
22252 gstatic.com
21127 dns.msftncsi.com
20532 www.google.co
20425 www.google.com
19952 wall.brucon.org
19405 pool.ntp.org
19375 push.apple.com
18844 auth.gfx.ms
16919 live.com
14999 twitter.com
13942 avast.com
13443 zabbix.countercept.mwr
12814 dropbox.com
11006 www.googleapis.com
10680 doubleclick.net
10346 nucleus.be
9952 teredo.ipv6.microsoft.com
9863 google.be
9706 sz.local
9205 corp.capgemini.com

Interesting top queries: WPAD, AD, ISATAP. WPAD is amazing, so easy to abuse to play MitM. Some samples detected:

wpad, wpad.hogeschool-wvl.be, wpad.nl.capgemini.com, wpad.corp.capgemini.com,
wpad.home, wpad.howest.be, wpad.brucon.org,  wpad.be.capgemini.com,
wpad.capgemini.com, wpad.bnl.capgemini.com,  wpad.capgemini.be, wpad.capgemini.nl,
wpad.fantastig.lan , wpad.webde.local, wpad.eu.thmulti.com, wpad.soglu.internal,
wpad.ctg.com, wpad.sogeti.be, wpad.united.domain, wpad.fictile.lan,
wpad.telenet.be, wpad.eu.didata.local

The DNS traffic remains one of my favorite sources of intelligence! Many devices are corporate ones and constantly try to “phone home”. Here is a list of companies that were present (well, their devices) at BruCON:

  • Cap Gemini
  • Ernst & Young
  • Sogeti
  • PWC
  • ING
  • CTG
  • Hogeschool West-Vlanderen
  • MWR
  • Nucleus
  • Limes Security
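The three DNS observations above (the top-30 table of queried names, the wpad/isatap/AD lookups, and the company list derived from devices phoning home) all come from the same kind of query log. The following is an added example, not the author's tooling: it assumes a simple whitespace-separated log of (timestamp, client IP, query name, query type), which is not the post's format, so the parser would need adapting for a Zeek dns.log or a resolver's query log. The sample lines, client addresses and the example-corp.local domain are constructed. The detection logic is written from the network operator's side: it tells you which clients are leaking their home domain so you can decide whether the guest resolver should refuse those names.

```python
"""Summarise DNS query logs and flag names that reveal a client's home network.

Added example, not code from the original post. Assumed log format (one query
per line): "timestamp client_ip query_name query_type". Sample lines are
constructed; example-corp.local is a made-up internal domain.
"""
from collections import Counter, defaultdict

# Constructed sample query log: ts client qname qtype
SAMPLE_LOG = """
2016-10-27T10:00:01 10.0.1.23 www.google.com A
2016-10-27T10:00:02 10.0.1.23 google.com A
2016-10-27T10:00:03 10.0.1.44 wpad.example-corp.local A
2016-10-27T10:00:04 10.0.1.44 isatap.example-corp.local A
2016-10-27T10:00:05 10.0.1.44 _ldap._tcp.dc._msdcs.example-corp.local SRV
2016-10-27T10:00:06 10.0.1.51 wpad A
2016-10-27T10:00:07 10.0.1.51 www.google.com A
2016-10-27T10:00:08 10.0.1.60 pool.ntp.org A
2016-10-27T10:00:09 10.0.1.60 www.google.com AAAA
2016-10-27T10:00:10 10.0.1.60 brucon.org A
"""

# Names a Windows domain member looks up automatically. Seeing them on a
# public network means the device is leaking its internal domain and is
# ready to trust whatever answers those names.
AUTODISCOVERY = {
    "wpad": lambda q: q == "wpad" or q.startswith("wpad."),
    "isatap": lambda q: q == "isatap" or q.startswith("isatap."),
    "ad_srv": lambda q: q.startswith("_ldap._tcp.") or q.startswith("_kerberos._tcp."),
}

# Suffixes that are not delegated on the public Internet (constructed list;
# extend it with what your own logs show, e.g. the .lan/.internal names in the post).
PRIVATE_SUFFIXES = {"local", "lan", "internal", "corp", "home", "domain"}


def parse_dns_log(text):
    """Parse the assumed log format into dicts; names are lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return records


def registered_domain(qname):
    """Last two labels of a name. Simplification: a real tool should consult the
    Public Suffix List so that names under e.g. co.uk are grouped correctly."""
    return ".".join(qname.split(".")[-2:])


def top_names(records, n=30, qtype="A"):
    """Most queried names of one record type, like the post's top-30 table."""
    return Counter(r["qname"] for r in records if r["qtype"] == qtype).most_common(n)


def top_domains(records, n=30, qtype="A"):
    """Same, aggregated by registered domain (google.com, brucon.org, ...)."""
    return Counter(registered_domain(r["qname"])
                   for r in records if r["qtype"] == qtype).most_common(n)


def autodiscovery_leaks(records):
    """Query names matching the autodiscovery patterns, grouped by category."""
    found = {cat: set() for cat in AUTODISCOVERY}
    for r in records:
        for cat, match in AUTODISCOVERY.items():
            if match(r["qname"]):
                found[cat].add(r["qname"])
    return found


def leaked_internal_domains(records):
    """Per client, the non-public domains it tried to resolve: the "phone home"
    names that tell you which organisation a device belongs to."""
    per_client = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) >= 2 and labels[-1] in PRIVATE_SUFFIXES:
            per_client[r["client"]].add(registered_domain(r["qname"]))
    return dict(per_client)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    print("top names:", top_names(recs, 5))
    print("top domains:", top_domains(recs, 5))
    print("autodiscovery:", autodiscovery_leaks(recs))
    print("internal domains per client:", leaked_internal_domains(recs))
```

The per-client output is the useful one for an operator: it shows how many devices would be affected if the guest network's resolver were configured to answer wpad and isatap queries with NXDOMAIN, and which attendees to warn about a laptop that still thinks it is on its corporate LAN.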

It’s always interesting to extract the downloaded PE files. We captured 268 unique PE files. Not really malicious but some of them were really suspicious. We detected the following signatures:

  • 5 x Win32.Trojan.WisdomEyes.16070401.9500.9997
  • 1 x Trojan.Agentb.akq
  • 2 x Win32/Bundled.Toolbar.Google.D potentially unsafe
  • 1 x Posible_Worm32
  • 1 x Win32.Application.OpenCandy.G
  • 1 x Trojan-Clicker.Win32.Agent!O

A special mention to the guy who downloaded a malicious ‘BitTorrent.exe’ (22bc69ed880fa239345d9ce0b1d12c62). Do you really need to download such files at a security conference?

From a security point of view, we did not face any incident. Only one device was blacklisted during the conference. As usual, some folks spent time bringing p0rn pictures to the wall of sheep. Besides the classic [smurf|avatar|manga|hulk] p0rn, we have a winner who used furnitureporn.com! Taste and colors are not always the same! 🙂

We already have nice and fun ideas to implement during the next edition. We will expect your packets again in 2017!


[The post Debriefing the BruCON Network was first published on /dev/random]

from Xavier