Tuesday, January 31, 2017

"Security Awareness Summit - Call For Presentations"

We are super excited to announce the Call for Presentations for the 4th Annual Security Awareness Summit to be held 2/3 August in Nashville, TN. This is the largest event of its kind bringing hundreds of security awareness officers and industry experts together to learn and share from each other the latest challenges, lessons learned and … Continue reading Security Awareness Summit - Call For Presentations

from lspitzner

Monday, January 30, 2017

"Guest Blog - Nudging Towards Security - Part 3"

Editor's Note: This is a part of a series of blog posts by Sahil Bansal from Genpact on the topic Nudging Towards Security. The earlier posts have highlighted why it is important for security to be proactive and easy for employees. We looked at two nudges that can help us in achieving this. In this … Continue reading Guest Blog - Nudging Towards Security - Part 3

from lspitzner

Thursday, January 26, 2017

[SANS ISC Diary] IOC’s: Risks of False Positive Alerts Flood Ahead

I published the following diary on isc.sans.org: “IOC’s: Risks of False Positive Alerts Flood Ahead“.

Yesterday, I wrote a blog post which explained how to interconnect a Cuckoo sandbox and the MISP sharing platform. MISP has a nice REST API that allows you to extract useful IOC’s in different formats. One of them is the Suricata / Snort format. Example… [Read more]

[The post [SANS ISC Diary] IOC’s: Risks of False Positive Alerts Flood Ahead has been first published on /dev/random]



from Xavier

Wednesday, January 25, 2017

Quick Integration of MISP and Cuckoo

With the number of attacks that we are facing today, defenders are looking for more and more IOC’s (“Indicators of Compromise”) to feed their security solutions (firewalls, IDS, …). It becomes impossible to manage all those IOC’s manually and automation is the key. There are two main problems with this amount of data:

  1. How to share them in a proper way (remember: sharing is key).
  2. How to collect and prepare them to be shared.

Note that I’m considering in this post only the “technical” issues with IOC’s. There are many more issues, like their accuracy (which can differ between environments).

To search for IOC’s, I’m using the following environment: A bunch of honeypots capture samples that, if interesting, are analyzed by a Cuckoo sandbox. To share the results with peers, a MISP instance is used.

MISP-Cuckoo

In this case, a proper integration between Cuckoo and MISP is the key. It is implemented in both directions. The results of the Cuckoo analysis are enriched with IOC’s found in MISP: IOC’s found in the sample are correlated with MISP and the event ID, description and level are displayed:

In the other direction, Cuckoo submits the results of its analyses to MISP:

Cuckoo 2.0 comes with ready-to-use modules to interact with the MISP REST API via the PyMISP Python module. There is one processing module (to search for existing IoC’s in MISP) and one reporting module (to create a new event in MISP). The configuration is very simple, just define your MISP URL and API key in the proper configuration files and you’re good to go:

# cd $CUCKOO_HOME/conf
# grep -A 2 -B 2 misp *.conf
processing.conf-enabled = yes
processing.conf-
processing.conf:[misp]
processing.conf-enabled = yes
processing.conf:url = https://misp.xxxxxxxxxx
processing.conf-apikey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
maxioc = 100
--
reporting.conf-logname = syslog.log
reporting.conf-
reporting.conf:[misp]
reporting.conf-enabled = yes
reporting.conf:url = https://misp.xxxxxxxxxx
reporting.conf-apikey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

But, in my environment, the default modules generated too many false positives in both directions. I patched them to support more configuration keywords to better control what is exchanged between the two tools.

In the processing module:

only_ids = [yes|no]

If defined, only attributes with the “IDS” flag set to “1” will be displayed in Cuckoo.

ioc_blacklist = 8.8.8.8,8.8.4.4,www.google.com

This parameter allows you to define a list (comma delimited) of IOC’s that you do NOT want in Cuckoo. Typically, you’ll list DNS servers or specific URLs here.

In the reporting module:

tag = Cuckoo

Specify the tag to be added to the created event in MISP. Note that the tag must be created manually.

# Default distribution level:
# your_organization = 0
# this_community = 1
# connected_communities = 2
# all_communities = 3
distribution=0

The default distribution level assigned to the created event (default: 0)

# Default threat level:
# high = 1
# medium = 2
# low = 3
# undefined = 4
threat_level_id=4

The default threat level assigned to the created event (default: 4)

# Default analysis level:
# initial = 0
# ongoing = 1
# completed = 2
analysis = 0

The default analysis status assigned to the created event (default: 0)

ioc_blacklist = 8.8.8.8,8.8.4.4,www.google.com,crl.verisign.com,sc.symcb.com

Again, a blacklist (comma separated) of IOC’s that you do NOT want to store in MISP.
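The filtering that the new keywords describe, as an added illustration (not the author’s patched Cuckoo modules and not PyMISP): only_ids and ioc_blacklist on the processing side, ioc_blacklist on the reporting side, plus the existing maxioc cap. The [misp] section, the MISP attributes and the Cuckoo-extracted IOC’s are constructed sample data.

```python
import configparser

# Constructed [misp] section in the style of processing.conf (the API key is a placeholder)
PROCESSING_CONF = """
[misp]
enabled = yes
url = https://misp.xxxxxxxxxx
apikey = PLACEHOLDER_API_KEY
maxioc = 100
only_ids = yes
ioc_blacklist = 8.8.8.8,8.8.4.4,www.google.com
"""

def parse_blacklist(raw):
    """Comma-delimited ioc_blacklist value; case and surrounding whitespace are ignored."""
    return {item.strip().lower() for item in raw.split(",") if item.strip()}

def load_misp_section(conf_text):
    """Read the [misp] section and normalise the keywords into Python values."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    sec = cfg["misp"]
    return {
        "only_ids": sec.getboolean("only_ids", fallback=False),   # accepts yes/no
        "maxioc": sec.getint("maxioc", fallback=100),
        "blacklist": parse_blacklist(sec.get("ioc_blacklist", fallback="")),
    }

def select_misp_attributes(attributes, only_ids, blacklist, maxioc):
    """Processing side: which MISP hits are shown in the Cuckoo report.
    `attributes` are dicts shaped like MISP attributes (event_id, value, to_ids)."""
    kept = []
    for attr in attributes:
        value = str(attr.get("value", "")).strip().lower()
        if value in blacklist:
            continue                      # known benign infrastructure (DNS, CRL, ...)
        if only_ids and attr.get("to_ids") not in (True, 1, "1"):
            continue                      # attribute not flagged for IDS use in MISP
        kept.append(attr)
        if len(kept) >= maxioc:
            break                         # respect the maxioc cap
    return kept

def select_sample_iocs(iocs, blacklist):
    """Reporting side: drop blacklisted values before the MISP event is created."""
    return [ioc for ioc in iocs if ioc.strip().lower() not in blacklist]

# Constructed data: MISP attributes matching a sample, and IOC's Cuckoo extracted from it
SAMPLE_MISP_ATTRIBUTES = [
    {"event_id": "42", "type": "ip-dst", "value": "8.8.8.8", "to_ids": False},
    {"event_id": "42", "type": "ip-dst", "value": "203.0.113.77", "to_ids": True},
    {"event_id": "57", "type": "domain", "value": "www.google.com", "to_ids": True},
    {"event_id": "57", "type": "domain", "value": "c2.example.net", "to_ids": False},
]
SAMPLE_CUCKOO_IOCS = ["8.8.8.8", "crl.verisign.com", "203.0.113.77"]

if __name__ == "__main__":
    conf = load_misp_section(PROCESSING_CONF)
    hits = select_misp_attributes(SAMPLE_MISP_ATTRIBUTES, conf["only_ids"], conf["blacklist"], conf["maxioc"])
    for attr in hits:
        print("MISP event %s: %s" % (attr["event_id"], attr["value"]))
```

With only_ids = yes and the blacklist above, only 203.0.113.77 survives on the processing side; switching only_ids off also lets c2.example.net through, while the two Google values never do.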

Events are created in MISP with an “unpublished” status. This allows you to review them, manually add some IOC’s, merge different events, add some tags or change default values.

The patched files for Cuckoo are available in my GitHub repository.

[The post Quick Integration of MISP and Cuckoo has been first published on /dev/random]



from Xavier

[SANS ISC Diary] Malicious SVG Files in the Wild

I published the following diary on isc.sans.org: “Malicious SVG Files in the Wild“.

In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or “Scalable Vector Graphics”) are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default… [Read more]

[The post [SANS ISC Diary] Malicious SVG Files in the Wild has been first published on /dev/random]



from Xavier

Wednesday, January 18, 2017

Confidence building measures can make a huge difference to the global online economy

The continuing advancements of the Internet and associated technologies have brought new opportunities to governments, businesses, and private citizens. At the same time, they have also exposed them to new risks. However, Internet adoption has not been even, and countries or economies have come online in different ways and at varied paces. As a result, awareness of cyber risk and approaches to managing it can differ greatly between jurisdictions. This is particularly true when thinking about emerging economies, which have typically had a very different online journey than developed markets in Europe or the United States. One way to ensure we can address this gap is through the use of confidence building measures (CBMs).

CBMs aim to instil good cybersecurity practices across the global online economy, focusing on the critical cybersecurity work that can be done in the early stages of a country’s emergence into cyberspace. Not only can CBMs help reduce vulnerability to cybercrime in general, by embedding best practices in the foundations of a country’s approach to the Internet, but they can also complement the objectives of cybersecurity norms. This is because CBMs seek to diminish the risk of a potential online inter-state escalation by enhancing transparency of government action and encouraging cooperation around areas of common interest. This, combined with their ability to act as vehicles for sharing best practices and delivering cyber-capacity building, makes CBMs worthy of more attention.

CBMs have a particular relevance for economies that have seen very recent but rapid growth of the Internet. Unlike developed economies, which saw it grow incrementally over the past twenty years, users from emerging economies have had little chance to gradually adjust their behaviors online. Typically, increased internet access and more mature technological development is correlated with improvements in cybersecurity. However, our research has suggested that some emerging countries may not be ready to secure their ICT infrastructure in a way that is commensurate with the increased use of computer systems by their citizens and businesses, as well as the government itself. The consequences of this cybersecurity gap for the countries concerned could be very serious. More than this, however, the interconnectedness of the Internet at the global level makes weaknesses in one part of it a potential threat to the rest. Since the majority of the 3+ billion people online today come from the Global South, the problems posed by such gaps represent a weakness for the globe’s overall cybersecurity and, in terms of cyber conflict risks, for its real world security too.

Governments are not oblivious to the challenges outlined above. A cursory glance at a map or a timeline of cybersecurity policies, guidelines, and regulation shows us that over sixty percent of the world is currently developing some sort of cybersecurity framework, hoping to secure their critical systems, or developing laws to help them catch cybercriminals. This is where collaboration on cybersecurity, as envisioned in CBMs, can be particularly beneficial. Moreover, the returns of CBMs are also real for the global online ecosystem itself. Despite government initiatives to limit online criminal activity within their borders, cyberspace continues to be a global endeavour. Improving not only cooperation, but the overall level and consistency of cybersecurity practices is therefore the best way of dealing with cybercriminals who show no respect for traditional borders.

There is considerable economic upside to be gained as well. The digital economy contributed $2.3 trillion to the G20’s GDP in 2010, an estimated $4 trillion in 2016, and is growing at 10% a year. For emerging markets, research suggests that the effect could be even greater. Certainly, the skills developed locally through CBMs and cybersecurity training correspond to the skills needed to enable local businesses to scale up and innovate, without having to rely on outside, more expensive talent.

For all these reasons the case for CBMs is compelling. They can equip countries to navigate the global online environment, as well as to respond operationally to international requests for assistance. They also help the public and private institutions in one country join a broader community of security experts, allowing everyone to engage in a full range of protection, detection, response and recovery activities. However, bringing them into effect is not always easy. We will all need to work together, government to government and business to government – through efforts such as these and these – to create and then promote an international corpus of effective and practical CBMs in order to deliver the confidence everyone needs to trust in the Internet and in the technology that is increasingly central to their lives.




from Paul Nicholas

Tuesday, January 17, 2017

Microsoft’s Cyber Defense Operations Center shares best practices

This post is authored by Kristina Laidler, Security Principal, Cyber Security Services and Engineering

Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. In 2016 alone, over 3 billion customer data records were breached in several high-profile attacks globally. As we look at current state of cybersecurity challenges today, we see the same types of attacks, but the sophistication and scope of each attack continues to grow and evolve. Cyber adversaries are now changing their tactics and targets based on the current security landscape. For example, as operating systems became more secure, hackers shifted back to credential compromise. As Microsoft Windows continually improves its security, hackers attack other systems and third-party applications.

Both the growth of the internet and the Internet of Things (IoT) are creating more connected devices, many of which are insecure, that can be used to carry out larger Distributed Denial-of-Service (DDoS) attacks. Due to the insecure implementation of internet-connected embedded devices, they are routinely being hacked and used in cyberattacks. Smart TVs and even refrigerators have been used to send out millions of malicious spam emails. Printers and set-top boxes have been used to mine Bitcoins, and cybercriminals have targeted CCTV cameras (common IoT devices) to launch DDoS attacks.

Microsoft has unique visibility into an evolving threat landscape due to our hyper-scaled cloud footprint of more than 200 cloud services, over 100 datacenters, millions of devices, and over a billion customers around the globe and our investment in security professionals focused on secure development as well as protect, detect and respond functions. In an effort to mitigate attacks, Microsoft has developed an automated platform, as part of Microsoft Azure, that provides a rapid response to a DDoS attack. On our software-defined networks, the data plane can be upgraded to respond and stay ahead of network traffic, even while our service or corporate environment is under attack. Our DDoS protection platform analyzes traffic in real-time and has the capability to respond and mitigate an attack within 90 seconds of the detection.

[Image: Microsoft Cyber Defense Operations Center operates 24×7 to defend against cyberthreats]

In November 2015, we opened the Cyber Defense Operations Center (CDOC) to bring together the company’s cybersecurity specialists and data scientists in a 24×7 facility to combat cyber adversaries.

In the year since opening, we have advanced the policies and practices that accelerate the detection, identification and resolution of cybersecurity threats, and have shared our key learnings with the thousands of enterprise customers who have visited the CDOC. Today, we are sharing a Cyber Defense Operations Center strategy brief that details some of our best practices for how we Protect, Detect and Respond to cyberthreats in real time.

Microsoft’s first commitment is to protect the computing environment used by our customers and employees to ensure the resiliency of our cloud infrastructure and services, products, devices, and the company’s internal corporate resources.

Microsoft’s protect tactics include:

  • Extensive monitoring and controls over the physical environment of our global datacenters, including cameras, personnel screening, fences and barriers and multi-factor authentication for physical access.
  • Software-defined networks that protect our cloud infrastructure from intrusions and distributed denial of service attacks.
  • Multifactor authentication is employed across our infrastructure to control identity and access management.
  • Non-persistent administration using just-in-time (JIT) and just-enough administration (JEA) privileges for engineering staff managing infrastructure and services. This provides a unique set of credentials for elevated access that automatically expires after a pre-designated duration.
  • Proper hygiene is rigorously maintained through up-to-date, anti-malware software and adherence to strict patching and configuration management.
  • Microsoft Malware Protection Center’s team of researchers identify, reverse engineer and develop malware signatures and then deploy them across our infrastructure for advanced detection and defense. These signatures are available to millions of customers using Microsoft anti-malware solutions.
  • Microsoft Security Development Lifecycle is used to harden all applications, online services and products, and to routinely validate its effectiveness through penetration testing and vulnerability scanning.
  • Threat modeling and attack surface analysis ensures that potential threats are assessed, exposed aspects of the service are evaluated, and the attack surface is minimized by restricting services or eliminating unnecessary functions.
  • Classifying data according to its sensitivity—high, medium or low business impact—and taking the appropriate measures to protect it, including encryption in transit and at rest, and enforcing the principle of least-privilege access provides additional protection.
  • Awareness training that fosters a trust relationship between the user and the security team to develop an environment where users will report incidents and anomalies without fear of repercussion.

Having a rich set of controls and a defense-in-depth strategy helps ensure that should any one area fail, there are compensating controls in other areas to help maintain the security and privacy of our customers, cloud services, and our own infrastructure environment.

Microsoft operates under an Assume Breach posture. This simply means that despite the confidence we have in the defensive protections in place, we assume adversaries can and will find a way to penetrate security perimeters. It is then critical to detect an adversary rapidly and evict them from the network.

Microsoft’s detect tactics include:

  • Monitoring network and physical environments 24x7x365 for potential cybersecurity events. Behavior profiling, based on usage patterns and an understanding of unique threats to our services.
  • Identity and behavioral analytics are developed to highlight abnormal activity.
  • Machine learning software tools and techniques are routinely used to discover and flag irregularities.
  • Advanced analytical tools and processes are deployed to further identify anomalous activity and to provide innovative correlation capabilities. This enables highly contextualized detections to be created from the enormous volumes of data in near real time.
  • Automated software-based processes that are continuously audited and evolved for increased effectiveness.
  • Data scientists and security experts routinely work side-by-side to address escalated events that exhibit unusual characteristics requiring further analysis of targets. They can then determine potential response and remediation efforts.

When we detect something abnormal in our systems, it triggers our response teams to engage.

Microsoft’s respond tactics include:

  • Automated response systems using risk-based algorithms to flag events requiring human intervention.
  • Well-defined, documented and scalable incident response processes within a continuous improvement model help to keep us ahead of adversaries by making these available to all responders.
  • Subject matter expertise across our teams, in multiple security areas, including crisis management, forensics, and intrusion analysis, and deep understanding of the platforms, services and applications operating in our cloud datacenters provide a diverse skill set for addressing incidents.
  • Wide enterprise searching across cloud, hybrid and on-premises data and systems to determine the scope of the incident.
  • Deep forensic analysis, for major threats, is performed by specialists to understand incidents and to aid in their containment and eradication.
  • Microsoft’s security software tools, automation and hyper-scale cloud infrastructure enable our security experts to reduce the time to detect, investigate, analyze, respond, and recover from cyberattacks.

There is a lot of data and tips in this strategy brief that I hope you will find useful. You can download the Cyber Defense Operations Center strategy brief to gain more insight into how we work to protect, detect and respond to cybersecurity threats. And I encourage you to visit the Microsoft Secure website to learn more about how we build security into Microsoft’s products and services to help you protect your endpoints, move faster to detect threats, and respond to security breaches.



from Microsoft Secure Blog Staff