SurfWatch Labs provides you with an all-in-one intelligence function that includes:
- Building and updating your personalized cyber risk profile
- Continuous risk monitoring
- Specific threat mitigation recommendations
With SurfWatch Las, you know what threats to worry about and how to address them before it's too late.
While cyber-attacks continue to grow and evolve some companies are claiming to be “non-hackable” – and they’re often startups. The problem with this logic is that it is simply incorrect; all companies are potentially vulnerable to being hacked.
“Every organization can be hacked by a clever person with patience. I personally avoid all companies who say they are non-hackable.”
We had the opportunity to speak with Barbera about angel investing, how serious startup companies are taking cybersecurity, and what he is looking for a startup company to have in place in terms of cybersecurity before he invests.
Our edited conversation follows.
As an angel investor, when a startup company tells you that they are “non-hackable,” what is your initial reaction?
So, a cloud storage company comes up and says you can store your files with them. Those files are encrypted, and once it is on their server if it were to ever get hacked, the hacker would receive an encrypted file and it looks like a bunch of junk. That means nothing to me. If the US Army can get hacked, if the CIA can get hacked, so can your little company. Nothing is foolproof, so why are you going around and saying it is? I don’t think they can practice what they preach.
Do you think these startup companies are simply saying what you would want to hear, or are they ignorant and truly believe they are “non-hackable?”
I think there is a lot of ignorance, and I think these companies really believe that they have a product or service that is foolproof. I also think some say it as a marketing technique for non-tech savvy people. If you had a baby boomer generation target market, they don’t know much about IT, or the Internet and how it works. They can barely operate a Facebook account. So when they hear a service is “non-hackable,” they are more likely to use that service. So it might be a marketing technique for some companies.
Years ago, LifeLock had an actor or spokesman put their social security number on a commercial. He got hacked.
[Laughs] Well of course he did.
What is your overall view on how cybersecurity is evolving when you learn about these new companies?
It really changes based on each company’s business model and strategy. So when you have a startup dependent on their budget and their goals, IT and security may or may not be a big part of it. It all depends on what they are doing.
Say you have a small mom-and-pop shop that is selling goods from their brick-and-mortar store that is also selling on their website, their minimal requirement is to be PCI compliant. Their biggest concern is being hacked. In the larger scheme of things, hackers will probably won’t look at a smaller target like a mom-and-pop store. It might not be beneficial to them.
Other companies who do more stuff on the Internet have more of a liability to protect that information, so they need to take it more seriously.
Focusing on cybersecurity, when you are looking to invest in a company, what are you hoping to hear from them when making a decision to invest or not?
If it was anything more than being PCI compliant, I would want them to have an in-house IT specialist that could provide the services needed. If it is a smaller company needing to be PCI compliant, we can outsource that. It really goes toward the organizational services that they are working with. If they are working with people’s finances, then we are going to have to implement advanced security systems. If they are working with names, addresses, and they are PCI compliant, that is a different story. There are different levels, and it really goes back to business models.
What you have to understand is a lot of people – like small business owners – their everyday life is making a sale. On top of that, while they are sweeping they are supposed to do their books, their IT, and their taxes. A lot of people don’t think about [cybersecurity] until it is too late, and that is unfortunate.
I heard a story yesterday about a friend’s nephew that lost his SD card from his smartphone. The SD card contained data on his games, pictures, and pretty much everything else he used his phone for. He searched everywhere for this SD card until it finally dawned on him where it was.
Turns out, the SD card was in his old smartphone that he traded to a cellular store for a newer phone. Honest mistake, right?
It was an honest mistake, but it is also a symptom of a bigger issue.
Data recycling can lead to big problems, problems that most people are unaware of. For many people that are looking to get rid of electronics, they probably go through a few basic steps to get rid of data such as a factory reset or manually erasing any data they see. However, this won’t get rid of all the data contained on the device.
In a study conducted by Blancco Technology Group, it was found that 78% of hard drives examined in the study still contained residual data that could be recovered. The study focused on 200 used hard disk drives sold on eBay and Craigslist.
What is this data? Well, let’s start with photos (with locations indicators), personal information, Social Security numbers and other financial information.
Perhaps more alarming, about 11% of studied devices contained company information such as emails, sales projections, product inventories and CRM records.
Unfortunately for organizations, this is another way neglectful actions on the part of human beings can cause a data breach or other malicious activity. People make mistakes all the time, and these unintentional mistakes can have severe consequences.
Erasing Computers, Tablets and Phones
Going through all your devices and making sure they are clear of any data can be a chore (especially if technology is not your thing). There is good news: the Internet is full of information that can help you solve this problem.
Obviously, there are different devices that hold your data and the steps taken to get rid of that data will be different. Below are some helpful links that can guide you through erasing all the data from a device:
USA Today: 3 simple ways to delete your data for good: This article from USA Today talks about steps you can take on Windows computers to delete data from the hard drive. The latest version of Windows covered in the article is Windows 8. It does offer information for Windows 7 OS and below.
As the Blancco Technology Group noted, many organizations struggle when it comes to securing the data on old drives.
“One of the more troublesome challenges is related to wiping the data from them when employees leave the company, the drives hit their end of life or the data itself needs to be removed to comply with IT policies and security regulations,” the report read.
Ensure your organization has a clear policy in place so that — unlike my friend’s nephew — you’re not scrambling later and trying to figure out the source of sensitive information being compromised.
In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion is losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.
The FBI is now saying that money lost from BEC scams is over $3 billion dollars, with more than 22,000 victims falling prey to this attack.
“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”
The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.
“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.
In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.
Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.
“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.
“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”
The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.
Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.
Over the last week, at least five separate cyber-espionage-related news events have made headlines ranging from attacks against governments to company-related targets. The primary goal of cyber-espionage is to uncover company or government secrets, such as military plans, blueprints, or coveted intellectual property. SurfWatch Labs has collected CyberFacts on exactly 300 targets tied with espionage so far this year.
In 2016, central government is the top trending industry target of cyber-espionage.
Several groups have appeared in SurfWatch Labs’ data concerning espionage in 2016. Group 27 – a cyber-espionage group linked with the Seven Pointed Dagger malware campaign that utilizes a remote access Trojan known as Trochilus and has ties to Asia – is the top trending espionage actor in 2016.
Recent Espionage Activity
As mentioned above, there have been five espionage-related events that have made headlines over the last week.
In February 2014, North Korea began targeting about 140,000 computers throughout several South Korean defense contractor firms and government agencies. The attack was discovered back in February of 2016.
Companies that were not defense contractors were also targeted, such as SK Holdings group and Korean Air Lines, but it appears no data was actually obtained. According to researchers, about 95% of the data obtained in the attack by North Korea was defense related. One of the most coveted pieces of information that was obtained were blueprints for the wings of F-15 fighter jets.
North Korea has denied any involvement concerning cyber-espionage attacks on South Korea. However, evidence obtained from these attacks have been traced back to the North Korean capital Pyongyang.
Two separate hacker groups with ties to the Russian government have infiltrated the network of the Democratic National Committee. The names of both groups have been lovingly named “Cozy Bear” and “Fancy Bear.”
The attacks took place at different times. Cozy Bear first infiltrated the database in the summer of 2015 and was monitoring email and chat communications, while Fancy Bear appeared last April and targeted opposition research files. The Fancy Bear group was able to obtain information held on Donald Trump. Information held on Hillary Clinton and several other GOP political action committees were also targeted.
A Russian-linked cyber-espionage group — known as Sofacy — sent a spear-phishing email to a U.S. government official from a compromised computer belonging to another country’s Ministry of Foreign Affairs. The email had a malicious attachment that, if opened, would have loaded two DLL files on the official’s computer.
One of the files contained a Carberp malware variant of the Sofacy Trojan of which the group’s name is derived. The group has also been called Fancy Bear — which is tied to the Democratic National Committee hack — APT28, Sednit, Pawn Storm, and Strontium.
The good news in this attack is that it was full of mistakes. First of all, the RTF document attached to the email didn’t show any content, which immediately pointed to something being wrong. Also, old IP addresses and C&C server domains were used from past campaigns, which was another flag that this email was malicious.
The Mofang Chinese APT cyber-espionage group has been around since 2012. The group is identified through their ShimRat malware and is unique from other APT groups because they exclusively use social engineering tactics to target computer networks, not exploits. More specifically, the groups’ attack vector of choice is spear phishing.
The bulk of activity displayed from this group has been against the Myanmar government. The group has also been spotted targeting companies in the United States, Canada, Germany, India, and Singapore. Attacks from this group have continued throughout 2015.
On Tuesday, a former Chinese employee from the tech company IBM was charged by U.S. authorities with economic espionage for allegedly stealing source code from the company and handing it to the Chinese government.
Xu Jiaqiang, the defendant, offered the code to undercover U.S. FBI agents posing as tech company officials that were seeking software for their company. Jiaqiang was also intending to provide this source code to the Chinese National Health and Planning Commission where he was previously employed.
Jiaqiang’s indictment also brings with it three counts of economic espionage and three counts of trade secret theft. In total, he faces a maximum of 75 years in prison if convicted of all charges.
Cyber threat intelligence offers an in-depth look at the potential threats and attack vectors facing an organization. Each organization is different, and in these differences there are a variety of ways cybercriminals can exploit a company. Security tools such as firewalls and antivirus software protect against several of these threats, but they cannot protect an organization from everything. This is where cyber threat intelligence plays a crucial role.
Threat intel gives an organization the ability to identify threats, understand where any lapses in security have already occurred, and gives direction on how to proceed concerning these vulnerabilities. This is a lot of information for any organization to handle on their own, especially since the cyber landscape continues to change.
“The field is constantly growing and evolving; there is no shortage of cyber information, which means it can be very easy to get overwhelmed with it,” said Aaron Bay, chief analyst at SurfWatch Labs. “We sometimes forget to take a peek at what is going on with the rest of the world.”
Yesterday we talked with Bay about the role of the cyber threat analyst. Today we finish our conversation, and focus on how threat intelligence can help organizations.
Why does a company need to implement threat intelligence on top of their existing security?
Having security tools such as firewalls and antivirus software is critical; you have to have them. If you don’t have these tools, you are already at a disadvantage. These security tools are paramount, but the information derived from them can be overwhelming. From what I have seen, a lot of time companies will simply buy these tools, plug them in and forget about them. From a threat analyst perspective, what we do when we give companies information about threats affecting their industry is show them the known mitigation of the threat. We can only lead the horse to water; we can’t make it drink. But if we can give organizations enough pertinent information where they are asking, “Does my defense actually protect us against this?” that goes a long way.
A lot of the time companies are putting up boundaries to stop threats from getting in, but they might not necessarily know when information gets out. They may be breached, and their information could have been compromised. They could also be attacked at a point they weren’t protecting such as point-of-sale systems. A bank has credit and debit cards, and the bank itself is usually pretty well protected against direct attacks. All of that can be defeated by a skimmer on an ATM. Knowing these attack vectors and knowing this is another way cybercriminals can get to your customers’ data can really help mitigate risks. If we as threat analysts are looking for these attack vectors and alternative methods, then we can help an organizations be better prepared and protected against threats.
Cyber threat intelligence is a relatively new avenue in cybersecurity. Are companies seeing value in this?
Cyber threat intelligence is still a growing field; it is definitely still evolving — as it should be. Threats are evolving, so this field that focuses on these threats is evolving as well. I think, for the most part, everybody is doing the best job that they can. It’s hard for a business to feel like they are getting a return on their investment from IT security in general. When you get that big win, when you catch something that no one else caught, either protecting some data or helping stop something before it became a big deal, then it is easy to see the value of it. For companies, as long as everything is working, the people who make decisions about IT and their infrastructure don’t necessarily want to know what goes into keeping everything running. They just want it to work. If everything is working, it is easy to not respond and spend money on keeping everything running. In their mind, everything is working. It appears that not much has to be done to keep things running, why would they spend more money on it?
How can companies providing cyber threat intelligence improve?
If there is a way to improve our field it is really just to work together as a community to make sure companies understand the value of cyber threat intelligence. I feel like we are doing a good job, but I feel that the industry isn’t ready for the message. These companies are being attacked left and right, and it feels like all we are doing is showing up and telling them they need to be doing security better. To actually translate everything that is going on, distill it and focus it on the company specifically is really the best approach. I am glad that SurfWatch Labs is going down this road. Showing companies why they need to care about this information that is being presented to them is very valuable.
I also think that internally, for our customers, we sit between business operations and the IT department. We aren’t just supporting IT security or just enabling compliance with the various IT regulations a business must adhere to. A Cyber Threat Intel Analyst should be assisting the translation between business units — and the various IT and cyber risks they face — and helping them understand sometimes how two separate threats are actually part of a larger threat against the company. I believe that is when we can really show our value.
For example, let’s say an attacker breaks into a company and steals credentials to the gaming platform that is hosted by that business. The network defense team should detect that and stop it. If a new attack is being used that has never been detected before and no signatures have been created for it yet, it’s possible the attack may go unnoticed. Soon after this undetected attack, separately, your cyber threat intel analyst discovers that someone dumped some credentials to your game on the dark web or is selling them. If that credential dump is only passed on to a third group such as customer service in order to reset accounts, but the network defense team isn’t made aware, then the source of the leak may not be plugged. Or if the developers are not notified, and the vulnerability came from a bug in the software that the company created, then again the problem will still be there.
What are some of the achievements cyber threat intelligence has accomplished. Is it changing the game?
It is changing the game for sure. Some of the big wins cyber threat intelligence has gotten comes from exposing malicious activity in general. When you can find those hidden gems and expose what is going on those are the big wins. Seeing the new carding efforts and all the things that are going into combating organized crime is very rewarding. The big ones are of course things like uncovering STUXNET, and all of the pieces that went along with that. The Mandiant APT1 report I think spawned a whole new movement with regards to CTI, some good some bad, but it got a lot of people to sit up and take notice, and that’s really what we want.
We talked about how new the field of cyber threat intelligence is, but that is also exciting. Being in a field with all of this different stuff going on makes cyber threat intelligence a very exciting field to be a part of and stay focused on. I look forward to the future.
As cybercrime continues to grow and evolve at a rapid pace, organizations are faced with difficult decisions in finding solutions to this problem. Deploying security tools to combat cybercrime is a crucial part of this dilemma, but this brings with it the herculean task of attempting to process massive amounts of data in order to keep up in the game defending against cyber-attacks.
In order to get the most up-to-date and accurate cyber threat intelligence, SurfWatch Labs employs talented analysts with a focus on threat intelligence. These threat analysts are the backbone to a new and developing field of cyber threat intel, providing valuable information to organizations that go well beyond identifying threats.
“Being a threat analyst often requires being a chameleon or wearing many hats,” said Aaron Bay, chief analyst at SurfWatch Labs. “You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives. It’s not an easy role, but it is one that is becoming increasingly important to organizations.”
We spoke with Bay to get some insight about the role of a threat analyst and how cyber threat intelligence can benefit organizations.
Tell us a little bit about being a threat intelligence analyst.
Being a threat analyst feels a little bit like a cross between a weatherman, an interpreter and someone trying to find a needle in a haystack. It’s not just about knowing the latest attacks and staying up on the latest jargon. There is a lot of translation that has to take place to get that information to the decision makers in such a way that they can actually make a decision based on it. So being able to speak “cyber” but also being able to translate that to someone who is not a cyber person takes some work as well. Powerful Google-fu is also helpful in this position; even though Google is not the only source, knowing how to find data using it and other tools is invaluable.
Describe your typical day.
My typical day is probably a little bit different than most cyber threat intel analysts. Because SurfWatch Labs focuses on the bigger picture, we aren’t typically gathering the latest signatures from the latest malware or putting together snort rules for all the new bad stuff that’s been detected by various sensors or honey pots.
I spend a lot of time reading blogs, Twitter, various forums and general Web searching. To support SurfWatch Labs’ customers, a lot of my focus is on them: what they’ve said is most important to them, things they want to stay aware of, constantly looking for information that may be of interest to them in general, keeping track of that and reporting it to them, and then getting their feedback on what we’ve told them to tailor our internal processes so that we constantly evolve and stay current with their needs, as well as stay current with the threats out there.
Is being a cyber threat intel analyst mostly about IT security?
Firstly, I think the term IT Security is becoming archaic. When it is used, the person who hears it or uses it has a preconceived notion about what IT Security is. Computers and routers and switches and firewalls and all things traditionally associated with IT security come to mind. But our businesses and our personal lives have become so connected and dependent on technology, that just calling it “IT” seems to leave out things that should be included, but aren’t. I have to say that I am not a fan of the term “cyber” or “cybersecurity,” but I can understand the reason for having a new term that’s a little more ambiguous.
Credit cards used to just be numbers printed on plastic read by zip-zap machines until magnetic strips were created and used to save information in a way that could be read by a computer and transmitted via telephone back to your bank. Forty years later, those are being replaced by sophisticated memory cards that keeps your information encrypted. Do you consider your credit card to be IT? You should. Credit card fraud has been around as long as credit cards, and the more IT we throw at the problem, the more it becomes an IT security problem. I know that banks and organizations like Visa consider this an IT security issue, but most people still do not, I would assume. And that’s just one example.
For a Cyber Threat Intel Analyst to do their job correctly, they need to understand that it really is about IT security, but the scope is usually bigger than most people realize. The analyst needs to be aware of that, but they need to help their employer or customer understand that as well.
What is one of the biggest things to understand about cyber risk?
Typically, cyber threats enter an organization by way of something every user touches: browsing the web, reading their email, opening files, etc. Traditional IT security has been tasked with solving that. But that’s not the only way cyber threats can harm an organization. As soon as you do business with another organization, the scope of your risk increases. You have to send and receive information from them, send and receive money from them. This information is at risk if one organization protects it less than the other. If pieces of the business are outsourced, whatever that is, it’s now at risk to however that third party protects its business or its infrastructure.
Some of this even just comes in the form of what software a business chooses to use for its customer portal, where customers can post questions or the business otherwise interacts with its customers. Any vulnerabilities in that software or where that software is hosted translates to risk to the primary organization. Again, none of this is meant as a reason not to function this way, only as a way to say that these risks need to be understood and monitored. As new threats or attacks or vulnerabilities are discovered, an organization needs to be made aware of them so actions can be made to mitigate or remove them.
What are some cybersecurity trends you are seeing as a threat analyst that are concerning?
The biggest trend I am really starting to see is the continuation of cybercriminals using cyber means to make money. They steal credit card numbers, people’s personal identities, and the profits from these crimes and frequency of attacks continues to grow. Ransomware is now growing. It’s not growing because people think it is funny to do. It’s growing because people are making a lot of money off of these attacks. In these attacks, cybercriminals don’t care about obtaining information from our computer. All they care about is getting you into paying them money to get back your information. This is a scary trend, because it is really working.
Denial-of-service is still going on; people will pay to conduct denial-of-service attacks or pay ransoms to have these attacks stopped. It will be interesting to see what attack shows up next in an effort to make money.
To encapsulate that trend, it is becoming a lot more organized. In years past, the traditional “organized crime” groups were the only ones really making money off of cyber attempts. Today, however, all parts of cybercrime are becoming more accessible, and as it becomes easier a lot more people are going to be doing it.
Along that vein, attacks that produce the most results are of course going to trend. Ransomware as I mentioned, but a lot of businesses are getting better at detecting and eliminating threats … but don’t quite understand or monitor threats coming from their third-party suppliers, so attacks will start to come from that angle.
What is your biggest fear as a threat analyst?
My biggest fear is people not taking this information seriously or people not thinking it is useful information. I am fearful that people view this information as no big deal, viewing it as just another report and moving on. I hope that companies feel this information is useful, and it is taken seriously instead of thinking they don’t need the information anymore. Some of that could be that an organization doesn’t quite have a mature enough cybersecurity program so it can’t properly digest and protect against what an analyst may be telling them. The failure of the analyst to correctly translate risks and threats and trends into something meaningful could also contribute to the message being lost.
In the next post, Aaron shares his thoughts about how cyber threat intelligence can help your organization.
In 2014, point-of-sale (PoS) data breaches against mainstream retail stores like Target and the Home Depot were primary talking points in cybersecurity. In 2016, PoS data breaches haven’t garnered as much attention, with threats like ransomware and more sophisticated phishing attacks taking up the mantle of the leading concerns in cybersecurity.
Over the last two years, the amount of chatter around PoS breaches has dropped dramatically.
PoS breaches still occur, but the frequency of attacks, as well as the targets, have changed. In 2014, department stores were impacted the most by PoS data breaches. Since that time, cybercriminals have turned their attention towards hotels, restaurants and bars. In many instances, a hotel had an associated restaurant or bar’s payment system compromised. The payment card breach against Starwood properties is one example of this activity.
New EMV Standards Having an Impact on PoS Cybercrime
Back in October 2015, the United States implemented new EMV standards aimed at protecting against PoS cybercrime. Many big retail stores have adopted the technology, which has helped thwart the amount of payment card cyber-attacks against them.
There have been well-documented problems so far with EMV, from customers not having access to chip-enabled cards to retailers offering customers the option swipe their card rather than force them to use the Chip-and-PIN technology. Perhaps the biggest problem with the EMV shift is the amount of retail companies that simply do not offer customers payment terminals that accept the new Chip-and-PIN cards.
Despite the problems, EMV has positively impacted PoS cybercrime. However, due to the increased security, cybercriminals are turning their attention to other, more lucrative attack vectors. In 2016, phishing and ransomware attacks have both trended highly.
Latest PoS Data Breaches and Malware
However, cybercriminals haven’t completely turned away from attacking payment terminals. To date, SurfWatch Labs has collected information on 23 industry targets related to PoS data breaches.
In what is probably the most recent of those breaches, security researcher Brian Krebs has reported fraudulent activity involving the Texas-based restaurant chain CiCi’s Pizza. In this event, a cybercriminal posed as a “technical support specialist” for the company’s PoS provider, which allowed access to payment card data. This social engineering technique is one way cybercriminals can circumvent EMV (assuming CiCi’s Pizza utilized these payment terminals).
The old-fashioned malware attack vector is still being utilized as well to conduct attacks on PoS systems. New variants are still being created and continue to evolve. Some of the latest PoS malware families to make headlines include:
With EMV implementation taking place at new retail locations daily, the amount of PoS-related data breaches is bound to decrease. Protecting customers at the point of physical payment is paramount to retail operations, but organizations can do more. Social engineering and phishing attempts are among the biggest threats facing organizations today, and Chip-and-PIN won’t protect against this threat. Deploying physical security features like firewalls is obviously important, but educating employees about phishing and social engineering tactics is arguably just as important a cybersecurity strategy.