“Actionable” Information vs. Practical Cyber Threat Intelligence

I am a practical guy. I don’t like to waste a lot of time and tend to gravitate to things that work, whether I originally thought up the idea or if someone else did. I’m of the “if it works then it works” mantra. Much of that attitude stems from joining the military and being thrust into a culture that demands outside-the-box-thinking. Assess the problem and work through scenarios, use past experience and lessons learned, use the right tool for the right job and lastly, be mission oriented.

When it comes to cyber threat intelligence (CTI), the key value can be unlocked by making it practical. What are the answers to the “so what” questions? Why would anyone want to spend budget on this? CISOs and like roles have a lot of headaches. How does this help that headache? How do I make this stuff useful to decision makers? Who are the decision makers? Why would they care?

The problem is the value from CTI is being misrepresented. What I’ve noticed is that there is an overwhelming drum beat towards tools — tools that will sprinkle pixie dust over your threats and make things “actionable.” But getting an avalanche of data is not the same as evaluated intelligence — and yet they get confused way too often.

Information is raw and unfiltered. Intelligence is organized and distilled. Intelligence is analyzed, evaluated and interpreted by experts. Information is pulled together from as many places as physically possible (creating an unnecessary and unrealistic workload for any analyst team to organize, distill, evaluate, etc.), and may be misleading or create lots of false positives. Intelligence is accurate, timely and relevant.

The reality is that “actionable” really just means a new alert/alarm/event that you now have to whack-a-mole. In some of the presentations I’ve given I’ve talked about the “actionable, actionating, actionator.” Sounds ridiculous right? That’s the point. But this is more common than it should be. And because of this teams are getting dragged away from productive efforts and into areas that are less productive.

This should not be surprising as many of the CTI vendors are tool builders, and no surprise, they push tools to solve the problem. However, here is where I will deviate, my background is that of a CISO, Program Manager, Team Builder. I am seeing a big disconnect between threats that are present in our industries and the practical application of resources — combination of people, process and technology — to reduce the likelihood of those threats from becoming a reality.

You see there’s a big difference between security tools and programs. Security tools (or feeds) are bolt-on and output-driven while security programs encompass people, process and technology … and they are OUTCOME-driven.

Threat intelligence should be outcome-driven vs. output driven. In my previous role as a CISO, I wanted and needed to know about threats that were specific to my organization. I needed to know what capability, opportunity and intent those threat actors had, along with a plan to ensure we were well-positioned before an event occurred (and in case we were not ready, that we had an effective plan in place as we moved from event to incident to breached).

So as you look at the many “threat intelligence” options out there, ask yourself this: will this intel drive the organization to make the right decisions and take the right actions?

Don’t try to bite off more than you can chew and start simple by focusing on evaluated intelligence. From there make your risks learnable by separating out random (or un-analyzed) risks from what is more likely so you can reduce your uncertainty — and then tie those learnable risks to the characteristics of your business.

Dark Web Insights: Misconceptions About the Dark Web

The Dark Web is often misunderstood. For the unfamiliar, it is often viewed as either a mysterious place full of technological gurus communicating via primitive interfaces or else something akin to the Wild West — a no-holds-barred free-for-all of dangerous and illicit activity. 

However, neither is the case.

The most popular marketplaces, where everything from stolen identities and credit cards to drugs and weapons are for sale, are more reminiscent of popular e-commerce sites than of the shady, backdoor dealings one may expect from criminals. Buying stolen accounts and intellectual property — as well as exploit kits, hacking-for-hire services, and the infrastructure to distribute malware is actually quite simple.

This reality runs contrary to much of the media coverage around the Dark Web. Stories such as the 2013 take down of the infamous Silk Road marketplace tend to focus on the scary aspects of “hidden” websites or scandalous details such as the Silk Road’s murder-for-hire plot — ignoring the fact that most people with an hour of free time and a few Google searches can easily find these sites and purchase illicit goods and services if desired.

In this series of blog posts, SurfWatch Labs hopes to shine on light on various aspects of the Dark Web, starting with what the Dark Web actually is — and what it isn’t.

1. Most Dark Web Markets are Customer Friendly

Those new to the Dark Web are often surprised by the level of customer service and the ease of which fraudulent goods and services can be obtained. However, this makes sense given the fact there are many competing marketplaces on the Dark Web. Customers and sellers are going to gravitate towards markets that appear the safest and have the best features.

AlphaBay is among the most popular and established Dark Web marketplaces (Nucleus Market, another popular marketplace, recently went offline). These marketplaces try to emulate the features seen on popular e-commerce sites such as Amazon or eBay.

AlphaBayMarket_edited.png
PayPal accounts for sale on AlphaBay

Some of these features include:

  1. Easy Navigation – Items are categorized into high-level categories such as fraud with subcategories like accounts, credit cards, personal information, data dumps and others.
  2. Vendor and Trust Levels – Sellers often have ratings. In the case of AlphaBay there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users.
  3. Feedback and Refunds – Buyers can also see feedback from customers and often have the option of returns or replacements such as credit card numbers that may no longer work due to being reported stolen.

Although these Dark Web markets tend to not be discoverable through Google and often require special software such as the Tor browser in order to access, they do want users to find and use them — so they are easy to locate, search for goods or services and make purchases.

2. They’re Concerned About Security and Trust

Most people know the old adage “there is no honor among thieves,” and these illicit markets work hard to help assuage those fears. This begins at the customer level with ratings and reviews.

AlphaBayFeedback_edited.png
Seller ratings on AlphaBay Market appear similar to the ratings on eBay. The system includes independent ratings for stealth, quality and value of the product; the total number positive, negative and neutral ratings over set periods; and text reviews from previous customers about their purchases.

These features help to establish trust when buying things like malware and stolen credit cards. Through ratings and feedback the community can collectively judge whether the items for sale can be used for legitimate fraud and attacks – or if they are just a scam.

In fact, these markets are actively trying to combat spammers and other bad actors just like e-commerce sites on the surface web. In March AlphaBay announced that they were rolling out mandatory two-factor authentication. As Motherboard’s headline ironically noted, “Some Dark Web Markets Have Better User Security than Gmail, Instagram.”

“We now enforce mandatory 2FA (two-factor authentication) for all vendors,” read the AlphaBay announcement. “This is part of an increasing effort to stop phishing on the marketplace. We recommend that everyone uses 2FA for more security.”

In addition, many markets try to avoid coming to the attention of law enforcement. Following the November 2015 terrorist attacks in Paris, which killed 130 people, Nucleus Market posted this message on its homepage:

Nucleaus_Weapons.png
Message posted on Nucleus Market stating they would now longer allow the sale of weapons.

The decision came just a week after the shootings and news reports that the guns used in the attacks may have been acquired from the Dark Web. Likewise, although child pornography is prevalent on the Dark Web, most of the markets do not sell it alongside the drugs, counterfeit goods and other illegal stolen items because that would attract unwanted attention to them and their user base.

Some Dark Web markets combat the the influx of law enforcement and researchers by requiring a referral in order to gain access. Others only show items that are for sale to established users or require authorization from the seller to view details about the product. This can make it harder for agents posing as “new customers” to monitor activity, and it helps to increase the trust factor around those marketplaces and forums.

3. No, the Dark Web is Not That Massive

In the summer of 2015, two researchers set an automated scanning tool loose on the Tor Network in an effort to find vulnerabilities on Dark Web sites. After just three hours the scan was over and they’d uncovered a little more than 7,000 sites.

A more recent effort to index the Dark Web put that number at close to 30,000 sites — a sizeable amount, but still far less than the massive underground world many have described.

As Wired wrote last year, the number of people on the Dark Web is quite small:

The Tor Project claims that only 1.5 percent of overall traffic on its anonymity network is to do with hidden sites, and that 2 million people per day use Tor in total. In short, the number of people visiting the dark web is a fraction of overall Tor users, the majority of whom are likely just using it to protect their regular browsing habits. Not only are dark web visitors a drop in the bucket of Tor users, they are a spec of dust in the galaxy of total Internet users.

4. It’s a Valuable Source of Threat Intelligence

The Dark Web is a valuable place to gather threat intelligence. SurfWatch Labs threat intelligence analysts proved that recently when they uncovered a breach into web hosting provider Invision Power Services.

That’s not to say everyone should jump on the Dark Web and poke around. It is easy to stumble across illegal things such as child pornography, and without the proper precautions companies or individuals may end up infecting their computers or putting themselves on the radar of cybercriminal groups — making themselves a potential target. However, what better way is there to understand the current threat landscape and the motivations of these malicious actors than to see for yourself what they are talking about, what they are selling, and if your company — or anyone in your supply chain — is being mentioned.

The Dark Web isn’t the cybersecurity cure-all that some companies make it out to be, but it is a significant part of a complete threat intelligence operation. Without visibility into these markets and the active threats they contain, your organization is operating at a disadvantage.

W-2 Data Breaches Were Abundant During 2015 Tax Season

The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.

2016-04-25_Tax_groups
Tax-related cybercrime impacted companies across a wide variety of industry groups in 2016.

The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have lead to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.

Surprisingly, the group Higher Education also received a lot of discussion, with the high profile W-2 data breach at the University of Virginia leading the way in terms is discussion.

2016-04-25_tax_itt
The chart above lists the top trending organizations pertaining to tax and W-2 cybercrime for the most talked about industry groups. The IRS garnered the most discussion of any organization. 

IRS and FBI Release Warnings About Tax Fraud

In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas individuals and organizations leave themselves vulnerable to compromise:

Abusive Return Preparer
Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”

Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”

Nonfiler Enforcement
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal.  The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments.  Take the time to learn the truth about frivolous tax arguments.”

The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.

“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.

A “traditional” BEC attack starts with a fraudulent request that is sent utilizing a high-ranking executives spoofed email. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.

This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.

Protecting Yourself From Tax Fraud

One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.

Here are a few tips on protecting yourself from tax fraud in 2016:

File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.

Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use it to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords are utilizing capitalization, numbers, symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.

Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.

Podcast: DDoS Attacks Return, QuickTime Support Ends and a Massive Trade Secret Verdict

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 67: DDoS Attacks Return, QuickTime Support Ends and a Massive Trade Secret Verdict:

The Lizard Squad is back with DDoS attacks against gaming company Blizzard. The Janet education network was also hit with more DDoS attacks. More stolen W-2 and personal information was used to file fraudulent tax returns, this time affecting employees of Baltimore City and the Catholic Archdiocese of Denver. On the advisory front there were more WordPress warnings, scary new ransomware, and the end of support for QuickTime for Windows. Legal stories included a jury awarding electronic medical record company Epic Systems $940 million in damages, Microsoft suing the federal government, and breach-related class action lawsuits moving forward against several organizations. Plus, a judge told Ashley Madison users they cannot remain anonymous.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

Talking PowerShell and Stealth Attacks with Carbon Black’s Rico Valdez

Malicious actors are increasingly using legitimate tools such as PowerShell in order to lessen their digital footprint and evade detection, and the use of such ubiquitous and legitimate technology can be a problem for organizations when it comes to defending against those threats.

That’s according to Carbon Black senior security researcher Rico Valdez, who joined us for this week’s Cyber Chat podcast to discuss recent research on PowerShell, including a new report examining more than 1,100 security investigations in 2015.

Windows PowerShell is an automation platform and scripting language that Microsoft describes as “providing a massive set of built-in functionality for taking control of your Windows environments.”

The legitimate use along with the built-in functionality makes it a perfect tool for attackers to exploit.

“It used to be the kind of thing where only really sophisticated adversaries would use it, but it’s gotten to the point now where it’s being incorporated in a lot of commodity malware,” Valdez said. “It’s another way to stay under the radar and try to remain undetected.”

Utilizing PowerShell fits into the overall trend of attackers avoiding dropping a lot of tools onto a system; instead, they utilize what’s already there in order to further their goals.

“Monitoring it can be very tricky,” Valdez said. “I don’t think it’s very well understood even by the larger SOCs (security operations centers). Its one of those things that’s a little bit further down on the list for a lot of these organizations to really dig into.”

How are criminals using PowerShell?

When looking at the data from a variety of Incident Response and MSSP partners, 38% of confirmed cyber incidents used PowerShell. This included all industries and multiple attack campaigns.

04-21-2016_CarbonBlack_PowerShell
PowerShell is used for a variety of malicious purposes, according to Carbon Black’s report.

“It’s quite powerful in that it can pretty much touch any part of the system, and if you’re running it with the right privileges it can pretty much do anything on the system,” Valdez said.

For example, last month a new family of ransomware was discovered dubbed “PowerWare.” PowerWare uses the popular technique of duping users via phishing messages containing a macro-enabled Microsoft Word document. The malicious macros then use PowerShell to further the attack.

Eighty-seven percent of the attacks leveraging PowerShell  were commodity malware attacks such as ransomware, click fraud, fake antivirus, and others. Only 13% were described as “advanced” attacks.

This technique is a good example of how attacks tend to evolve, Valdez said. First they’re discovered by sophisticated actors and used in targeted attacks. Then — if they work well — they become mainstream.

“This is a real risk in your environment and you need to be aware of it, because, again, most people aren’t watching it, monitoring it, anything like that.”

Listen to the full conversation with Carbon Black’s Rico Valdez for more about PowerShell and how organizations can protect themselves.

About the Podcast
A new ransomware was recently discovered dubbed PowerWare, which targets organizations via Microsoft Word and PowerShell, and just last week Carbon Black released a report looking at how PowerShell is being utilized for malicious intent. They wrote in the report that “the discovery of using PowerShell in attacks such as PowerWare is part of a larger, worrisome trend when it comes to PowerShell.”

On today’s Cyber Chat we talk with Carbon Black senior security researcher Rico Valdez about the company’s recent findings and how cybercriminals are increasingly using PowerShell to remain under the radar while targeting organizations.

 

Consumer Goods Sector Most Impacted By DDoS In 2016

The consumer goods sector has seen more chatter around DDoS than any other sector so far in 2016, according to data from SurfWatch Labs.

2016-04-20_ddos
The Consumer Goods Sector has seen the most DDoS-related CyberFacts this year, including attacks against Blizzard, the BBC, Ireland’s National Lottery, and many more.

The consumer goods sector has become a popular target for DDoS attacks, with new groups like DD4BC emerging on the scene and attempting to extort money from victims in exchange for not launching a DDoS attack against them. Retail stores – especially online retailers – make appealing targets for cybercriminals as they are more likely to pay a ransom demand to avoid service interruption due to the amount of money that could be potentially lost during a DDoS attack.

Gaming networks such as Steam, Xbox Live, and the PlayStation Network are popular targets. Last week, the infamous cyber group Lizard Squad launched a DDoS attack against Blizzard’s gaming servers, effectively taking the servers offline for a couple hours.

DDoS attacks are a popular method of cyber-attack due to their ease of execution and price point. There are DDoS-for-hire services on the web that can be utilized for just $38 per hour. This price is shockingly low considering companies have reportedly lost anywhere from $5,000 to $40,000 per hour during a DDoS attack.

DDoS will remain a popular trend in cybercrime. However, DDoS related CyberFacts have decreased since peaking in January 2016.

2016-04-18_ddos3
DDoS attacks against high-profile targets such as the BBC and Ireland’s National Lottery led to a surge in DDoS-related chatter in January 2016. However, the number of CyberFacts related to DDoS has since dropped. 

Layer 7 DDoS Attack Makes Headlines

Earlier this month, a humongous Layer 7 DDoS attack was spotted reaching 8.7 Gbps of bandwidth through the Nitol botnet, which set a new record for this specific type of DDoS attack. While 8.7 Gbps doesn’t seem like much of a figure compared to traditional DDoS attacks of over 100 Gbps, Layer 7 DDoS attacks are different.

A DoS attack is an attempt by a criminal or hacktivist group to make a computer or network resource unavailable. This is done by interrupting a host’s services that are connected to the Internet. The most common method of DoS is a DDoS attack. DDoS attacks use botnets –- an enslaved group of computers –- to push massive amounts of communication to a targeted server to achieve its goal of service disruption.

A Layer 7 DDoS attack has the same end goal as a traditional DDoS attack, except for a few small differences. It only needs to use a small amount of network packets to disrupt service as this will create massive server processing operations that will exhaust a target’s CPU and RAM resources. This means that a Layer 7 DDoS attack can be pulled off by sending only a few thousand requests per second.  

As recent DDoS attacks have shown, cybercriminals have a variety of different ways to disrupt services or attempt to extort money from organization. Businesses should be prepared for the possibility of these attacks and work with a reputable DDoS mitigation company if they are concerned about those risks.

When it Comes to Cybersecurity, Take a Good Look in the Mirror

Recently, we participated on a webinar panel – What You Need to Know about the FFIEC Cybersecurity Assessment Tool – where audience members were asked the following question:

How would you rate your organizations’ cybersecurity maturity level today?

Possible options (taken directly from the FFIEC CAT) for the attendees were:

  1. Baseline – meets the legal minimum; compliance-driven objectives
  2. Evolving – risk-driven objectives in place; cybersecurity formally assigned and broadened beyond protection of customer info
  3. Intermediate – detailed, formal processes with consistent controls; risk management integrated into business strategies
  4. Advanced – formally assigned throughout the business; automation and continuous improvement
  5. Innovative – cutting edge practice potentially extending beyond firm

Interestingly, a majority of attendees put their organizations’ cybersecurity maturity level at “Evolving”.

There are two ways to look at this:

  1. The pessimist would say that organizations have a long way to go still with protecting information (the regular stream of data breach headlines back this up).
  2. A more positive outlook is that through real self-assessment, understanding where we are and where we need to reach is a good thing.

Many folks who aren’t in cybersecurity and/or don’t follow cyber-related news have an enormous false sense of security. People are too trusting and too curious. Cybercriminals know this and use it to their advantage. So it’s good to see that as security professionals many are taking a good hard look in the mirror and recognizing where we are at. Now the question becomes what do you do/where do you go from here?

Clearly doing the same thing over and over again isn’t working. Cybersecurity is not a technical problem, it’s a business problem in a technical venue. Cybersecurity should and can be viewed in the same way other parts of the business are run.

Another important self-assessment to make is knowing you cannot defend everything perfectly. There simply are not enough resources or budget to do so. Shifting from a reactionary mindset to proactive, data-driven intelligence approach can help you focus on your biggest cyber risk areas.

Look at data, analyze it, understand trends and make decisions. This approach is relied upon to run other areas of the business – it’s what business intelligence is all about. And it can be applied to cyber risk mitigation. The business and IT security sides of the house need to work together and look at cyber from a risk perspective. What are your high value targets (what would a “bad guy” go after and why?)? Then what vulnerabilities and threats are out there that apply to your targets?

Looking at your cybersecurity program and your risk posture through this lens can help you unearth big problems that are coming or identify active threats to your sensitive information and brand. An organization’s appetite for risk is fluid – when all is quiet on the cyber front, there is typically less urgency. That urgency level increases significantly if an organization is breached. But waiting for all hell to break loose isn’t usually a good strategy from a risk management perspective.

In spring, we’re told to change our batteries in the smoke detectors as a precaution. I’d suggest we take a step back and take an honest look in the mirror to see where we’re at from a security perspective and how we can use threat intelligence to drive more effective risk mitigation decisions.