Tuesday, February 28, 2017

[SANS ISC Diary] Analysis of a Simple PHP Backdoor

I published the following diary on isc.sans.org: “Analysis of a Simple PHP Backdoor“.

With the huge attack surface provided by CMSes like Drupal or WordPress, webshells remain a classic attack scenario. A few months ago, I wrote a diary about the power of webshells. A few days ago, a friend of mine asked me for some help with an incident he was investigating. A website was compromised (no magic – very bad admin password) and a backdoor was dropped. He sent a copy of the malicious file… [Read more]

[The post [SANS ISC Diary] Analysis of a Simple PHP Backdoor has been first published on /dev/random]



from Xavier

"Video: Seven most dangerous new attack techniques - RSA 2017 Keynote"

During RSA 2017 in San Francisco, SANS faculty members and expert instructors Ed Skoudis, Michael Assante, Johannes Ullrich and SANS Institute founder Alan Paller walked the audience through the seven most dangerous attack techniques. It didn't take Ed Skoudis long to get into it. At 3:20 into the keynote video Ed highlighted the dangers and … Continue reading Video: Seven most dangerous new attack techniques - RSA 2017 Keynote

from Securing the Human

Friday, February 24, 2017

Am I Affected by Cloudbleed?

Yesterday, Cloudflare posted an incident report on their blog about an issue discovered in their HTML parser. A very nice report which is worth a read! As usual, in our cyber world, this vulnerability quickly received a nice name and logo: “Cloudbleed“. I will not explain the vulnerability in detail here; there are already multiple reviews of this incident.

According to Cloudflare, the impact is the following:

This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens).

A lot of interesting data could be disclosed, so my biggest concern was: “Am I affected by Cloudbleed?” Cloudflare being a key player on the Internet, the chances of visiting websites protected by their services are very high. How to make an inventory of those websites? The idea is to use Splunk to achieve this: if your DNS resolver logs are indexed by Splunk, you can use a lookup table to search for IP addresses belonging to Cloudflare.

Cloudflare is transparent and publicly announces the IP subnets they use (both IPv4 & IPv6). By default, Splunk does not perform lookups on CIDR ranges directly, so I generated the complete list of IP addresses with a few lines of Python:

#!/usr/bin/python
# Expand the Cloudflare IPv4 ranges into one address per line,
# ready to be imported as a Splunk lookup table.
# IP Sources:
# https://www.cloudflare.com/ips/
from netaddr import IPNetwork   # pip install netaddr
cidrs = [
  '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '104.16.0.0/12',
  '108.162.192.0/18', '131.0.72.0/22', '141.101.64.0/18', '162.158.0.0/15',
  '172.64.0.0/13', '173.245.48.0/20', '188.114.96.0/20', '190.93.240.0/20',
  '197.234.240.0/22', '198.41.128.0/17', '199.27.128.0/21' ]
for cidr in cidrs:
  for ip in IPNetwork(cidr):   # iterates over every address of the subnet
    print(ip)                  # one IP per line; redirect the output to a file

The generated file can now be imported as a lookup table in Splunk. My DNS requests are logged through a Bro instance. Using the following query, I extracted the URLs that resolve to a Cloudflare IP address:

sourcetype=bro_dns rcode=A NOT qclass = "*.cloudflare.com" |
lookup cloudflare.csv TTLs OUTPUT TTLs as ip |
search ip="*" |
dedup qclass |
table qclass

(The query is very easy to adapt to your own environment.)

Over the last 6 months, I got a list of 158 websites. The last step is manual: review the URLs and, if you have accounts or have posted sensitive information with them, it’s time to change your passwords / API keys!
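As an added example (my code, not the post's script), the same inventory can be built without Splunk and without expanding the subnets into a million-line lookup table: each answer in a Bro dns.log is matched directly against the CIDR list with the standard library. The sample log lines are constructed; the IPv4 ranges are the ones listed above (the post does not list the IPv6 ranges, so AAAA answers are not matched).

```python
#!/usr/bin/env python3
"""Find which hostnames in a Bro (Zeek) dns.log resolved to Cloudflare.

Added example, not the original post's script: instead of expanding every
CIDR into a huge lookup table, each answer is matched against the subnets
directly with the standard-library ipaddress module.
"""
import ipaddress

# Cloudflare IPv4 ranges as listed in the post (https://www.cloudflare.com/ips/)
CLOUDFLARE_CIDRS = [
    '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '104.16.0.0/12',
    '108.162.192.0/18', '131.0.72.0/22', '141.101.64.0/18', '162.158.0.0/15',
    '172.64.0.0/13', '173.245.48.0/20', '188.114.96.0/20', '190.93.240.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '199.27.128.0/21',
]
NETWORKS = [ipaddress.ip_network(c) for c in CLOUDFLARE_CIDRS]


def is_cloudflare(answer):
    """True if the answer is an IP address inside one of Cloudflare's ranges."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # CNAME targets also appear in the answers column
    return any(ip in net for net in NETWORKS)


def parse_bro_dns(lines):
    """Yield one dict per record, naming the columns from the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("dns.log data seen before its #fields header")
        yield dict(zip(fields, line.split("\t")))


def cloudflare_hosts(lines):
    """Sorted, de-duplicated names whose answers include a Cloudflare IP.
    Names under cloudflare.com itself are skipped, as in the post's query."""
    hosts = set()
    for rec in parse_bro_dns(lines):
        query, answers = rec.get("query", "-"), rec.get("answers", "-")
        if query == "-" or answers == "-" or query.endswith(".cloudflare.com"):
            continue
        if any(is_cloudflare(a) for a in answers.split(",")):
            hosts.add(query)
    return sorted(hosts)


# --- constructed sample log (Bro dns.log layout; the parser follows #fields) ---
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
          "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
          "answers", "TTLs", "rejected"]


def _row(query, rcode_name, answers, ttls):
    """Build one tab-separated record; uninteresting columns get placeholders."""
    vals = {"ts": "1487800000.000000", "uid": "CxUid1", "id.orig_h": "10.0.0.5",
            "id.orig_p": "53211", "id.resp_h": "10.0.0.1", "id.resp_p": "53",
            "proto": "udp", "trans_id": "1234", "query": query, "qclass": "1",
            "qclass_name": "C_INTERNET", "qtype": "1", "qtype_name": "A",
            "rcode": "0", "rcode_name": rcode_name, "AA": "F", "TC": "F",
            "RD": "T", "RA": "T", "Z": "0", "answers": answers, "TTLs": ttls,
            "rejected": "F"}
    return "\t".join(vals[f] for f in FIELDS)


SAMPLE_DNS_LOG = [
    "#fields\t" + "\t".join(FIELDS),
    _row("www.example-cf.test", "NOERROR", "104.16.12.34,104.16.56.78", "300.0,300.0"),
    _row("mail.example.test", "NOERROR", "93.184.216.34", "3600.0"),
    _row("cdn.example-cf.test", "NOERROR",
         "cdn.example-cf.test.cdn.cloudflare.net,198.41.200.10", "60.0,60.0"),
    _row("ns1.cloudflare.com", "NOERROR", "173.245.59.31", "3600.0"),
    _row("missing.example.test", "NXDOMAIN", "-", "-"),
    _row("www.example-cf.test", "NOERROR", "104.16.12.34", "300.0"),  # duplicate
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # python3 cf_hosts.py /path/to/dns.log
        with open(sys.argv[1]) as fh:
            hosts = cloudflare_hosts(fh)
    else:
        hosts = cloudflare_hosts(SAMPLE_DNS_LOG)
    for host in hosts:
        print(host)
```

Run it against a real dns.log path to get the list to review by hand, exactly as the last step of the post describes.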

[The post Am I Affected by Cloudbleed? has been first published on /dev/random]



from Xavier

Thursday, February 23, 2017

What’s new in Microsoft’s SDL

This post is authored by Andrew Marshall, Principal Security Program Manager, Security Engineering.

For well over a decade, Microsoft has been committed to designing, developing, and testing software in a secure and trustworthy manner and sharing the Security Development Lifecycle (SDL) methodology and resources with the software development community. We are continuing to make investments into the evolution of the SDL and resources we provide to enable the ecosystem to adapt to new technology and the ever-changing threat landscape.

Today, we’re announcing an important new round of updates and technical content additions to the SDL website. These updates are rolled out to provide up to date guidance and best practices that evolve with the Security Development Lifecycle. We’ve made updates to security tooling guidance, compiler and cryptographic recommendations, and the SDL Developer Starter Kit.

The SDL represents our strategic investment in improving security across the ecosystem and over the next few months we will make additional changes to the Security Development Lifecycle website. Check back for new content detailing how you can implement SDL in the world of Continuous Release/Continuous Development and Dev Ops.



from Microsoft Secure Blog Staff

Monday, February 20, 2017

How to create an effective cyber hygiene program

This post is authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group.


As noted in the 2016 Verizon Data Breach Incident Report, 63% of confirmed breaches involved leveraging weak, default or stolen passwords, 30% of phishing messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link. Given this, organizations of all types can make significant gains in their security posture by educating their user base on best practices for digital engagement and cyber hygiene.

Yet, headlines like this recent story in Dark Reading, The Sorry State Of Cybersecurity Awareness Training, speak to the reality that user education is one of the most under-invested and under-appreciated aspects of cybersecurity. Many organizations require an annual online training program to meet compliance requirements, but rarely invest in broad, robust, ongoing training that contemplates the changing threat landscape and the vastly differing roles of end users.

I’ve seen these same organizations invest heavily in tools to defend and detect within their environment, all the while overlooking the most vulnerable part of the security infrastructure – the end user. Forbes reported “more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years according to a 2015 analysis of numbers from the Bureau of Labor Statistics by Peninsula Press” (January, 2016). Therefore, organizations cannot rely solely on technology or security professionals to keep their data and infrastructure safe and secure. Threats are evolving, spear phishing is increasing, and users are being specifically targeted. It is incumbent upon the industry to also change the way we approach user education.

There are several aspects to consider to educate users:

  • Where do you focus your efforts?
  • What is the risk profile of your user population? Have you classified your users much like you do your data?
  • Is your directory up to date? Are your privileges appropriate?
  • Who is the population, i.e. are they computer literate?
  • What is the user accessing, i.e. classified, sensitive or confidential data?
  • What systems are they using, i.e. company issued, BYOD, managed, unmanaged?
  • How does your team learn best and how do you reinforce learnings?
  • How do you make complex security concepts consumable?

Create an effective cyber hygiene awareness program

  1. Lead by example
    To create a program takes focus, effort and commitment at the executive level to take cybersecurity education seriously. Internal stakeholders can cite numerous studies and use the wide range of industry data points to provide a business case and justification for the training. The average cost of each lost or stolen record containing sensitive information has reached $158USD according to the Ponemon Institute. And this figure does not include loss of business and customer loyalty from damage to the brand. Justifying the benefits of cybersecurity awareness is straightforward. Getting support and buy-in at the highest levels of an organization, though more challenging, is key for setting the tone both for adherence to the effort as well as continued investment in it.
  2. Keep it top of mind
    An annual program may be a good start but the lessons learned are too soon forgotten and are not likely to turn into good habits. To truly create a sustainable program, training needs to be ongoing, not just annual. It must be flexible enough to accommodate learnings from new security events and attack types. Outside of the standard red/blue teaming efforts, web based training, employee awareness posters, and scenario drills for the average user are all good methods for staying in the forefront of end users’ minds and practice. In addition, put in place an outspoken executive sponsor for security awareness. It takes someone with enough credibility to foster trust and ongoing dialogue with the CISO as well as employees, on the impact of best practices. Taking it a step further for larger organizations, I recommend creating cyber security champions at the department level to maintain the culture throughout the company’s end user populations and geolocations. If you want to start small, something as simple as requiring privacy screens for anyone handling sensitive data is a good way to raise awareness and encourage employees to educate one another on best practices.
  3. Make it compulsory not perfunctory
    For many employees, online training is a time investment not well spent that takes away from bigger priorities. However, the task of completing frequent security training needs to become a vital job requirement, and viewed as critically important. This can potentially be accomplished by communicating broadly on the number of persons trained and sharing metrics about the security posture of each department, month to month, as well as reporting your security program’s relative standing compared to other training programs in the organization.
  4. Keep it simple
    If a full-blown program is not within reach right away, you can still make significant gains with awareness of the top three security risks. Weak passwords, phishing and thoughtless clicking on attachments, against better judgement, are still the primary ways in for attackers. Remind users of best practices to avoid becoming a victim, and explore ways to automate enforcement so that you can limit the risk to others from infected devices.

There is no silver bullet to addressing rapidly increasing threats. The combination of risk based policies, technology controls, solid audits and user education can go a long way at mitigating your organization’s risk.



from Microsoft Secure Blog Staff

Wednesday, February 15, 2017

Sharing Microsoft learnings from major cybersecurity incidents

This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group

Microsoft has assisted customers with investigation of, and recovery from cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environment. Since those early days, the volume and complexity of incidents has required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged on one or more major investigations on any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations to provide our customers comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco, this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for, and address many severities of security incidents, though it is primarily focused on major incidents where administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2. Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as seasoned professionals that manage persistent adversary operations regularly. It is based on our collective experiences across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at CyberDocFeedback@microsoft.com.

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the learnings from this work continuously influence Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we published have been informed by this experience, including Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy for these attacks, the Securing Privileged Access (SPA) roadmap (online SPA training available here). Microsoft has also contributed to efforts like the NIST 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

The measure of what causes an incident to have a major impact on an organization varies, depending on the business or mission. However, we have found most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to compromise of administrative rights, Microsoft has open sourced the instructions for building the privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on learnings from attacks on our customers as well as experience deploying secure access workstations internally for administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.



from Microsoft Secure Blog Staff

Integrating OpenCanary & DShield

Being a volunteer for the SANS Internet Storm Center, I’m a big fan of the DShield service. I think I have been feeding DShield with logs for eight or nine years now. In 2011, I wrote a Perl script to send my OSSEC firewall logs to DShield. This script has been running and pushing my logs every 30 minutes for years. Later, DShield was extended to collect other logs: SSH credentials collected by honeypots (if you have an unused Raspberry Pi, there is a nice honeypot setup available). I have my own network of honeypots spread here and there on the wild Internet, running Cowrie. But recently, I reconfigured all of them to use another type of honeypot: OpenCanary.

Why OpenCanary? Cowrie is a very nice honeypot which can emulate a fake vulnerable host, log the commands executed by attackers and also collect dropped files. Here is an example of a Cowrie session replayed in Splunk:

[Image: Splunk Honeypot Session Replay]

It’s nice to capture a lot of data, but most of it (not to say all of it) is generated by bots. Honestly, I never detected a human attacker trying to abuse my SSH honeypots. That’s why I decided to switch to OpenCanary. It does not record logs as detailed as Cowrie’s, but it is very modular and supports the following protocols by default:

  • FTP
  • HTTP
  • Proxy
  • MSSQL
  • MySQL
  • NTP
  • Portscan
  • RDP
  • Samba
  • SIP
  • SNMP
  • SSH
  • Telnet
  • TFTP
  • VNC

Writing extra modules is very easy, and examples are provided. By default, OpenCanary is able to write logs to the console, a file, Syslog, a JSON feed over TCP or an HPFeed. No DShield support by default? Never mind, let’s add it.

As I said, OpenCanary is very modular and a new logging capability is just a new Python class in the logger.py module:

import logging

class DShieldHandler(logging.Handler):
    def __init__(self, dshield_userid, dshield_authkey, allowed_ports):
        logging.Handler.__init__(self)
        self.dshield_userid = str(dshield_userid)
        self.dshield_authkey = str(dshield_authkey)
        try:
            # Extract the list of allowed ports ("22,23" -> [22, 23]).
            # A list comprehension fails right here on bad input, whereas
            # Python 3's lazy map() would only fail later, outside the try.
            self.allowed_ports = [int(p) for p in str(allowed_ports).split(',')]
        except ValueError:
            # By default, report only port 22
            self.allowed_ports = [ 22 ]

    def emit(self, record):
        # Called by the logging framework for every OpenCanary record;
        # the body is elided in the post
        ...

The DShield logger needs three arguments in your opencanary.conf file:

"logger": {
    "class" : "PyLogger",
    "kwargs" : {
        "formatters": {
            "plain": {
                "format": "%(message)s"
            }
        },
        "handlers": {
            "dshield": {
                "class": "opencanary.logger.DShieldHandler",
                "dshield_userid": "xxxxxx",
                "dshield_authkey": "xxxxxxxx",
                "allowed_ports": "22,23"
            }
        }
    }
}

The DShield UserID and authentication key are available in your DShield account. I added an ‘allowed_ports’ parameter that contains the list of interesting ports that will be reported to DShield (by default, only SSH connections are reported). Now, I’m reporting many more connection attempts:

[Image: Daily Connections Report]
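The post shows only the constructor of the handler. As an added example (my code, neither the post's nor OpenCanary's), here is a complete handler of that shape: it parses OpenCanary's JSON records, keeps only connections to the configured allowed_ports, and renders DShield-style lines that are passed to a sink callable you supply. The OpenCanary record keys and the DShield line layout are assumptions noted in the docstring, and the sample records are constructed.

```python
"""A complete DShield handler of the shape sketched in the post.

Added example: neither the post's code nor OpenCanary's. It parses
OpenCanary's JSON log records, keeps only connections to the configured
ports, renders them as DShield-style tab-separated lines and hands each
line to a sink callable you supply (a file writer or an uploader).

Assumptions, not from the post: OpenCanary records carry src_host,
src_port, dst_host, dst_port and utc_time keys, and the line layout follows
DShield's tab-separated log format as I recall it (date time tz, user id,
count, source ip, source port, target ip, target port, protocol, flags);
check it against dshield.org's specification before submitting for real.
"""
import json
import logging


class DShieldHandler(logging.Handler):
    def __init__(self, dshield_userid, dshield_authkey, allowed_ports="22",
                 sink=None):
        logging.Handler.__init__(self)
        self.dshield_userid = str(dshield_userid)
        self.dshield_authkey = str(dshield_authkey)  # for the uploader; never logged
        self.allowed_ports = self._parse_ports(allowed_ports)
        self.sink = sink if sink is not None else (lambda line: None)
        self.dropped = 0  # records that were not OpenCanary JSON events

    @staticmethod
    def _parse_ports(spec):
        """'22, 23,80' -> {22, 23, 80}; falls back to {22} on bad or empty input."""
        try:
            ports = {int(p) for p in str(spec).split(",") if p.strip()}
        except ValueError:
            return {22}
        return ports or {22}

    @staticmethod
    def format_line(event, userid):
        """One event -> one DShield-style line (layout: see module docstring)."""
        when = event["utc_time"].split(".")[0] + " +0000"  # drop microseconds
        # OpenCanary's record does not name the transport; the post reports
        # ports 22 and 23, which are TCP, so this example always says TCP.
        return "\t".join([when, userid, "1", event["src_host"],
                          str(event["src_port"]), event["dst_host"],
                          str(event["dst_port"]), "TCP", ""])

    def emit(self, record):
        """Called by the logging framework for every OpenCanary record."""
        try:
            event = json.loads(record.getMessage())
            port = int(event["dst_port"])
        except (ValueError, KeyError, TypeError):
            self.dropped += 1  # startup banners and other non-event lines
            return
        if port not in self.allowed_ports:
            return
        try:
            self.sink(self.format_line(event, self.dshield_userid))
        except Exception:
            self.handleError(record)  # a sink failure must not stop the honeypot


# Constructed records shaped like OpenCanary's JSON output (assumed key names).
SAMPLE_RECORDS = [
    json.dumps({"dst_host": "192.0.2.10", "dst_port": 22, "src_host": "198.51.100.7",
                "src_port": 51234, "utc_time": "2017-02-15 10:22:33.123456",
                "logdata": {"USERNAME": "root", "PASSWORD": "123456"}}),
    json.dumps({"dst_host": "192.0.2.10", "dst_port": 80, "src_host": "198.51.100.7",
                "src_port": 51235, "utc_time": "2017-02-15 10:22:34.000001",
                "logdata": {"PATH": "/"}}),
    json.dumps({"dst_host": "192.0.2.10", "dst_port": 23, "src_host": "203.0.113.9",
                "src_port": 40000, "utc_time": "2017-02-15 10:23:01.500000",
                "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}}),
    "OpenCanary started",  # plain-text line, not an event
]


def run_sample(allowed_ports="22,23"):
    """Push the sample records through the handler; return (lines, dropped)."""
    lines = []
    handler = DShieldHandler("123456", "AUTHKEY-PLACEHOLDER", allowed_ports,
                             sink=lines.append)
    log = logging.Logger("opencanary-example")  # private logger, not the root one
    log.addHandler(handler)
    for rec in SAMPLE_RECORDS:
        log.info(rec)
    return lines, handler.dropped


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

With the same opencanary.conf stanza as above, OpenCanary's PyLogger would pass dshield_userid, dshield_authkey and allowed_ports as keyword arguments; the HTTP submission to DShield is deliberately left to the sink.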

Besides DShield, JSON logs are processed by my Splunk instance to generate interesting statistics:

[Image: OpenCanary Splunk Dashboard]

A pull request has been submitted to the authors of OpenCanary to integrate my code. In the meantime, the code is available on my GitHub repository.

[The post Integrating OpenCanary & DShield has been first published on /dev/random]



from Xavier

[SANS ISC Diary] How was your stay at the Hotel La Playa?

I published the following diary on isc.sans.org: “How was your stay at the Hotel La Playa?“.

I made the following demo for a customer in the scope of a security awareness event. When speaking to non-technical people, it’s always difficult to demonstrate how easily attackers can abuse their devices and data. If successfully popping up a “calc.exe” with an exploit makes a room full of security people go crazy, it’s not the case for “users”. It is mandatory to demonstrate something that will ring a bell in their mind… [Read more]

[The post [SANS ISC Diary] How was your stay at the Hotel La Playa? has been first published on /dev/random]



from Xavier

Monday, February 13, 2017

Upgraded Microsoft Trust Center adds rich new content

This post is authored by David Burt, Senior Product Manager, Cloud Platform Marketing

A little over a year ago, we launched the Microsoft Trust Center at www.microsoft.com/trustcenter, which unified trust-related resources across our enterprise cloud services. This week, we launched a completely redesigned and greatly expanded site with new content including EU General Data Protection Regulation (GDPR) guidance, audit reports, and security assessments.

The Trust Center is an important part of the Microsoft Trusted Cloud initiative and provides support and resources for information professionals, as well as the legal and compliance community. The Trust Center offers a rich set of resources, including in-depth information about security, privacy, and compliance offerings, policies, features, and practices across our cloud products, including Azure, Dynamics 365, Office 365, Power BI, Visual Studio Team Services, and Windows Server 2016. Each content area is supplemented by a curated collection of hundreds of the most applicable and widely-used resources for each topic.

New enhancements to the Trust Center include:

We are committed to providing you with guidance, documentation, and support you need to meet your security, privacy, and compliance goals. We will continuously improve the Trust Center to help make your job easier.

Visit http://www.microsoft.com/TrustCenter



from Microsoft Secure Blog Staff

Sunday, February 12, 2017

Think Twice before Posting Data on Pastebin!

Pastebin.com is one of my favourite playgrounds. I’m monitoring the content of all pasties posted on this website. My goal is to find juicy data like configurations, database dumps and leaked credentials. Sometimes you can also find malicious binary files.

For sure, I knew that I’m not the only one interested in the pastebin.com content. Plenty of researchers and organizations like CERTs and SOCs are doing the same, but I was very surprised by the number of hits that I got on my latest pastie:

[Image: Pastebin Hits]

For the purpose of my last ISC diary, I posted some data on pastebin.com and did not communicate the link by any means. Before posting the diary, I had a quick look at my pastie and it already had 105 unique views! It had been posted only a few minutes before.

Conclusion: think twice before posting data to pastebin. Even if you delete your pastie quickly, chances are that it has already been scraped by many robots (and mine! ;-))

[The post Think Twice before Posting Data on Pastebin! has been first published on /dev/random]



from Xavier

[SANS ISC Diary] Analysis of a Suspicious Piece of JavaScript

I published the following diary on isc.sans.org: “Analysis of a Suspicious Piece of JavaScript“.

What to do on a cloudy lazy Sunday? You go hunting and review some alerts generated by your robots. Pastebin remains one of my favourite playgrounds and you always find interesting stuff there. In a recent diary, I reported many malicious PE files stored in Base64 but, today, I found a suspicious piece of JavaScript code… [Read more]

[The post [SANS ISC Diary] Analysis of a Suspicious Piece of JavaScript has been first published on /dev/random]



from Xavier

Friday, February 10, 2017

Detecting Cyber Threats

This post is authored by Joe Faulhaber, Senior Consultant ECG

In today’s cyber threat landscape, it’s not a question of if an attack will occur, but who will attack and when. To keep enterprise data safe against global threats that include attackers as technically sophisticated as any defender, enterprises need to have world-class cyber defenses. This requires strong execution of security fundamentals, in-depth knowledge of the enterprise environment, and working with experts to be ready to detect attacks when they occur.

World-class attackers, your enterprise

Protecting the modern enterprise is challenging because it’s an incredibly dynamic problem. Configurations are in constant flux, hardware is being cycled, software is updating, workloads are moving to the cloud, and users are bringing devices in and out of the network. At the same time, random attacks are entering the system, and there is danger of well-funded, determined external attackers trying to steal valuable data from enterprises as well. Even insiders can be threats, and what an attack looks like can change every day. Cybersecurity is an arms race, with attackers and defenders responding to each other constantly.

Detection in Depth

Protection in depth is the best enterprise defense, because defending just at the host, the network edge, or the cloud isn’t sufficient. Similarly, threats that cause damage or pose danger need to be detected in depth as well. When threats or attacks are detected, an appropriate and effective response is required. The three pillars of security, Protect, Detect, and Respond, are key to a secure enterprise.

Detection in depth means taking a layered approach to find threats all over the enterprise with redundant detection mechanisms, even where there are no protective defenses. It also means verifying the output of detective sensors to build trust in signals.

Some threats are not complicated to detect. Out-of-date software, missing or stale anti-malware protection, and misconfigured policies are all threats that can lead to successful attacks. These threats can be detected easily and are among the fundamental requirements to stay secure.

Other threats are tougher to detect, such as attacks against network infrastructure or insider attacks, and detection often depends on collecting numerous logs and performing analysis. Software supply chain attacks may be particularly successful, especially if users go looking for software on the Internet on their own, and require different detection methods. Knowing your environment well makes it much easier to know if something is out of place or missing.

Even in a well-protected network, there will be successful attacks. Some of them are quite easy to identify – a new variant of an existing and common commodity malware evading anti-malware detection isn’t that hard to find if you know where to look. Even if you’re not familiar with an attack, being curious and knowledgeable enough to think “that’s weird” is often the start of detecting something new. Another key to good detection and analysis is the knowledge and resources to understand the tactics, techniques, and procedures used in today’s attacks. Even the biggest organizations need help to see parts of attacks that happen beyond systems in their control.

Determined Human Adversaries

The most dangerous attacks are targeted and perpetrated by determined human adversaries. These have been called “Advanced Persistent Attacks”, though they may not be particularly advanced or even well targeted. But they are especially perilous because they attack the enterprise, not an individual or computer, and are driven by humans who may have incredible determination and goals only known to the attackers. The adversary may come after what they think an enterprise has, not what it possesses.

Differentiating between a targeted attack and a random commodity attack can be quite difficult, since what works to compromise an organization does not depend on the attacker’s motivations. An expected penetration test and a real attack can look the same or completely different when it comes to detection. Different attacks may use similar methods and a seemingly random attack may turn out to be a determined adversary. This makes knowing previous adversary behavior incredibly important. The first encounter with a new threat can be very confusing, with time wasted chasing irrelevant details or false leads. This confusion is often compounded by the human impact of being targeted, which can bring the emotional impact of a physical attack.

In the worst case of having a determined human adversary attacking your enterprise for the first time, it is essential to have help from those who have detected these types of threats before, and a response plan on how to deal with the attacker.

Becoming World-Class

Detecting cyber threats can seem overwhelming when new threats are constantly making news and older threats are still capable of causing big problems. However, identifying threats can be made much easier by implementing protection and detection in depth. Executing the fundamentals of security daily, knowing what is normal for your enterprise environment, and having expert help in identifying the latest attack methods is key. Solid protection and rapid response capability are tied together by detection and intelligence, and the Microsoft Enterprise Threat Detection (ETD) service enables detection in depth with cybersecurity experts and global intelligence for your enterprise.

Read more at Microsoft Enterprise Threat Detection blog.




from Microsoft Secure Blog Staff

Thursday, February 9, 2017

Join us at RSA Conference. Here’s your event guide for connecting with Microsoft

The RSA Conference is fast approaching and the agenda is packed with the latest technology, trends, and people that help protect our digital data. We’ll be there sharing our unique perspective through keynotes, deep-dive sessions, and on the expo floor.

Since planning your itinerary is a must to get the most out of RSA, here’s a preview of where and when you can learn about how Microsoft can help you be more secure.

Keynote Address by Brad Smith

Protecting and defending against cyber threats in uncertain times | Tuesday, February 14th, 8:35 a.m.
While many cyber attacks are the work of criminals seeking financial gain, new threats continue to emerge targeting civilians, businesses and governments. Microsoft President Brad Smith will share our perspective on what’s needed to protect and defend this critical infrastructure.

Microsoft in North Expo Hall, booth 3501

Come chat with the Microsoft Secure team in the North Expo. We’ll be there throughout the conference to show you how our $1 billion annual investment in security R&D helps organizations secure their environment and protect their customers.

Microsoft sessions at RSA Conference 2017

Tuesday, February 14th

A Vision for Shared, Central Intelligence to Ebb the Growing Torrent of Alerts | 1:15 p.m.– 2:00 p.m.
Despite the positive advancements in machine learning and intelligence, security professionals remain overwhelmed. How is it that we keep wasting time and energy on analyzing and assembling the information presented by our supposedly “intelligent” solutions? This session will explore a conjoint approach that would help our industry climb out of the sea of data that is most certainly going to drown us.

How to Go from Responding to Hunting with Sysinternals Sysmon | 1:15 p.m.–2:00 p.m.
Sysinternals Sysmon can help you precisely detect and track an attacker’s movement inside your Windows networks, but only if you know how to use it effectively. Get a deep dive from Sysmon’s author on its design, capabilities, latest enhancements, and guidance for collecting and alerting on its rich forensic data with popular log analytics services.

Advances in Cloud-Scale Machine Learning for Cyber-Defense | 3:45 p.m.–4:30 p.m.
Picking an attacker’s signals out of billions of log events in near real time from petabyte scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session presents the latest frameworks, techniques and the unconventional machine learning algorithms that Microsoft uses to protect its infrastructure and customers.

Wednesday, February 15th

Learnings from the Cloud: What to Watch When Watching for a Breach | 2:45 p.m.–3:30 p.m.
Protecting against account breach and misuse when using a cloud service can be challenging, as the cloud service decides what tooling is available, and control may be limited. This session will share learnings and best practices from the Office 365 engineering team: from the patterns observed, what are best practices to protect against account breach?

Securing the Making of the Next Hollywood Blockbuster | 1:30 p.m.–2:15 p.m.
Get a look behind the scenes at New Regency, the company that produced the Oscar-winning movie The Revenant, to hear how employees collaborate and keep production secrets safe.

Friday, February 17th

Critical Hygiene for Preventing Major Breaches | 10:15 a.m.–11:00 a.m.
Microsoft’s Incident Response teams investigate major breaches week after week and almost always see the exact same pattern of attacks and customer vulnerabilities. Microsoft and the Center for Internet Security (CIS) will share step-by-step recommendations to defend against these attacks, including information on cybersecurity solutions that Microsoft has open-sourced to protect our customers.

Choose from nearly 40 theater sessions

Attend one of the 20-minute theater sessions in the Expo hall to learn more about a variety of topics including NextGen SOC, Risk Based Identity Protection, Office 365 Threat Intelligence, Detecting Threats from Enterprise Telemetry, Taking Ransomware to Task with Windows 10, and Security in Industrial IoT. Stop by booth #N3501.

Explore more about our unique approach to security at Microsoft Secure.



from Microsoft Secure Blog Staff

Tuesday, February 7, 2017

"2017 Planning Ideas and 2016 Lessons Learned"

Amplify Your Security Awareness Program in 2017. At the end of December I led a webcast reviewing some of the key lessons learned in 2016 and what we can do in 2017 to keep improving the practice, and impact, of security awareness programs. After working with hundreds of clients and awareness officers from around … Continue reading 2017 Planning Ideas and 2016 Lessons Learned

from Securing the Human

"3 Courses for Security Awareness Summit - Sell Out Fast"

Folks, we just added several new courses for the Security Awareness Summit in Nashville on 2/3 August. You may not realize it, but with the summit you can also take classes. The reason I'm telling you now is I'm concerned three of these classes will sell out FAST. If you are interested in any one of … Continue reading 3 Courses for Security Awareness Summit - Sell Out Fast

from lspitzner

Sunday, February 5, 2017

[SANS ISC Diary] Many Malware Samples Found on Pastebin

I published the following diary on isc.sans.org: “Many Malware Samples Found on Pastebin“.

pastebin.com is a wonderful website. I’m scraping all posted pasties (not only from pastebin.com) and passing them to a bunch of regular expressions. As I said in a previous diary, it is a good way to perform open source intelligence. Amongst many configuration files, pieces of code with hardcoded credentials, dumps of databases or passwords, sometimes it pays and you find more interesting data… [Read more]

[The post [SANS ISC Diary] Many Malware Samples Found on Pastebin has been first published on /dev/random]



from Xavier

Saturday, February 4, 2017

[SANS ISC Diary] Detecting Undisclosed Vulnerabilities with Security Tools & Features

I published the following diary on isc.sans.org: “Detecting Undisclosed Vulnerabilities with Security Tools & Features“.

I’m a big fan of OSSEC. This tool is an open source HIDS and log management tool. Although often considered the “SIEM of the poor”, it integrates a lot of interesting features and is fully configurable to solve many of your use cases. All my infrastructure has been monitored by OSSEC for years… [Read more]

[The post [SANS ISC Diary] Detecting Undisclosed Vulnerabilities with Security Tools & Features has been first published on /dev/random]



from Xavier

Thursday, February 2, 2017

Stopping Cyberthreats in a new era

The explosive growth in the scale and sophistication of cyberthreats is remaking the security landscape. Today, it’s not a matter of if your organization’s data will be compromised, but a matter of when. Having a proactive protection strategy that includes pre- and post-breach components is critical to addressing advanced attacks.

Fortunately, Windows 10 has comprehensive pre-breach solutions, and with Windows Defender Advanced Threat Protection (ATP) we added a post-breach layer to the Windows security stack. And the best part? Windows Defender ATP is built into Windows 10 and designed to provide the best performance experience on your machine. It doesn’t require any additional software deployment and management.

So do you want the good news or the bad news?

Well, here’s the outcome: New hacking techniques are multiplying exponentially and old pre-breach detection techniques can’t keep up. The numbers are alarming—on average it takes an attacker minutes to get in, and security teams more than 140 days to discover it.

With the release of Windows 10 Anniversary Update, Microsoft offers Windows Defender ATP to complement the existing endpoint security stack of Windows Defender, SmartScreen, and various OS hardening features. The new service, purposely built to detect and respond to advanced attacks, leverages a deep behavioral sensor integrated into Windows 10 combined with a powerful security analytics cloud back end to enable enterprises to detect, investigate, and respond to targeted and sophisticated advanced attacks on their networks.

Next-level protection: Post-breach detection and response

Windows Defender ATP goes wide and deep, working to cover all your bases, with a focus on post-breach challenges. It’s like having a black belt team of security defense experts supporting every machine running Windows 10.

Advanced attack detection. Microsoft makes the most of its strong security analytics and rich intelligence capabilities to provide visibility into anomalies and threats from a broad base of sources. We also leverage the Microsoft Security Intelligence Graph to cull data from Windows updates and search engine results that index billions of URLs to generate potential hack alerts immediately.

Investigation and response. The portal gives SecOps tools and capabilities to investigate and respond to threats on their endpoints. You can also proactively explore your network for signs of attacks, perform forensics on specific machines, track attacker actions across machines in your network, get a detailed file footprint across your organization, submit a file for deep analysis, and with the Creators Update isolate machines, kill processes, or ban files from your network.

Threat intelligence. Get internal and external reports and indicators for known attackers and of prominent attacks (Strontium, for example), validated and enriched by an internal team of security black belts and third-party feeds. With the Creators Update, you can add your own TI to define alerts unique to your environment within Windows Defender ATP, based on IOCs.

Windows 10 and Windows Defender ATP help give you the best defense and offense when it comes to potential and actual data breaches. Learn more by downloading the ebook now.

Discover more about how this new strategic approach can make a real difference at Microsoft Secure.



from Microsoft Secure Blog Staff

"Get Your Security Awareness Roadmap Poster"

The Security Awareness Maturity Model was developed five years ago by a community of security awareness officers to solve a problem. Specifically, the awareness community needed a way to visually communicate what stage a security awareness program was currently at and where the organization wanted to take it. The Security Awareness Roadmap builds on the … Continue reading Get Your Security Awareness Roadmap Poster

from lspitzner

Wednesday, February 1, 2017

[SANS ISC Diary] Quick Analysis of Data Left Available by Attackers

I published the following diary on isc.sans.org: “Quick Analysis of Data Left Available by Attackers“.

While hunting for interesting cases, I found the following phishing email mimicking a UPS delivery notification… [Read more]

[The post [SANS ISC Diary] Quick Analysis of Data Left Available by Attackers has been first published on /dev/random]



from Xavier