Cybersecurity Insights

It’s over.

The year that has brought so much uncertainty and disruption is behind us. 2020 is no more.

Hooray! But… wait… how much is really going to change now that ’20 is ’21? It’s certainly nice to have the symbolic changing of the guard when the ball drops. A fresh start. A new beginning. It can help recenter us for the next 365 days. All things worth celebrating.

Unfortunately, many challenges from the year before also get carried over. The world is still battling a virus that has upended lives and, to center in on our area of expertise, whose fallout has increased cyber risk for the numerous organizations that have shifted to remote work. It may be a new year, but the landscape largely remains the same – a digitally accelerated world.

Spoiler Alert: Digital Doesn’t Die in 2021.

Adversity brings innovation, and adversity was in abundance in 2020. Organizations had to adapt to so many changes and adopt new ways of operating that last year could be considered the definitive jump into the digital age. Kids in classes online, employees in meetings online, events held online. The world was digital.

The digital age isn’t going anywhere – in fact, it will only pick up steam.

With each positive development in the battle against the global pandemic, we rejoice at the thought of the day we regain some of the normalcy we once knew. Until then, remote operations are still prominent and there is much to plan for as we begin 2021.

We have already seen massive cyberattacks come to light in the past couple months (read our previous blog “On State Actors and Cyber Readiness”). As we had discussed all last year, cybercrime has been on the rise, as there are more opportunities to breach unsuspecting organizations with so much data shifting to the digital space.

The public nature of these recent breaches just punctuates that point. From woefully out of date software to MFA-less programs to cloud security gates left wide open, opportunities are everywhere for cyber criminals, especially in our current landscape. How are you preparing to counteract their efforts?

Proper protection is key to weather the storms that our new normal has thrust upon us. Proper protection also allows opportunities for prosperity moving forward, as organizations save precious time and money recovering from cyber incidents.

The digital transformations that many organizations have undergone have had positive side effects as well. Greater efficiencies, and opportunities for growth. These gains are worth protecting. Innovation through adversity is still innovation proper. Therefore, it’s easy to see that digital transformation will remain even when the global pandemic does not.

Digital Doesn’t Die in 2021.

Whether to protect yourself from current threats, or to protect yourself to set your organization up for growth in the future, cybersecurity needs to be a key tenet of your plans for 2021.

Leveraging decades of experience in customer environments, we are constantly discovering new ways to help businesses big or small.

Not ready or currently capable to invest in a broad security division within your own organization? You aren’t stuck. Let us step in as a fully formed operational arm of your organization through CYDERES, our Security-as-a-Service division.

Need to bolster current capabilities? Leverage our experts to help you with maturing areas of your program.

We know digital transformation isn’t going anywhere, and we’re ready to help protect your organization in this accelerated digital age. In 2021, we’re security at your service.

Let’s be honest, if hindsight is 2020, well, we’d all be happier.

The multifaceted challenges of the year have brought an even greater need for actual, non-hyped, solutions in just about every area of our lives.

That stretches to include our (cyber) industry, which unfortunately is known for over-hyped, so called “next-gen” technologies which all too often under-deliver.

If over-hyped and over-priced got married, their kid would undoubtedly be some late great cybersecurity shelf-ware.

Enough.

Born in the cloud and primed to deliver the right solution the first time to our clients, Fishtech’s innovators took a listen-first approach to understanding each business’ unique challenges to customize a roadmap that led to real-world tangible success.

How did we do this? By bringing a 6-step approach to all our engagements to help us accurately define and zero in on customer success. As we round out 2020, let’s briefly take a look at each step that helped us bring greater protection in an unpredictable year:

STRATEGY

With our listen first approach, we want to understand what your business objectives are before we jump into building out or augmenting your security program.

Leveraging decades of expertise from industry pioneers as well as multi-time CISO’s (including Fortune 1’s former Global CISO) who understand both sides of the table, we are uniquely equipped to hear your challenges and promote proven strategies that have worked and are working for existing clients.

Further, we believe cybersecurity to be more than a “check-box” but rather a driver of business efficiency, risk mitigation, and overall growth. Far from being a simple compliance objective, a robust program will catapult your organization to achieve your goals.

Whether you are moving data to the cloud, your IAM program needs a tune-up, are looking to implement a strong CI/CD pipeline, or a myriad of other solutions, let us turn existing pain points into business drivers.

GOVERNANCE

Properly understanding all elements of your cyber risk remains critical for all organizations. Before we get to thinking through your architecture, let’s bake governance and compliance in from the beginning – matching your necessary compliance frameworks (NIST, HIPAA) with your day-to-day operations to make reporting a snap and audit nightmares a thing of the past.

ARCHITECTURE

Public, private, hybrid? The cloud can be a tricky thing to navigate. Yet, there are many best practices that can be leveraged to save you time, money, and headaches.

As we’ve done for 100’s of clients, let us sit down and build out a customized Cloud Ramp Framework that ensures you will accomplish the objectives you originally set out to achieve in the cloud and avoid the pitfalls.

VALIDATION

Innovation, disruption and a deep dedication to customer success are key ingredients to Fishtech’s strategy and success. That means no “widget-selling”, but a careful validating of each technology we recommend from our vast tech partner network.

Ensuring that each one is validated to work within the program the earlier steps have built as well as the rest of your existing stack is a requirement before full implementation and build out begins.

Our own Fishtech Lab is a powerful ally to combine proven methodologies with performance and security testing, POC’s, and reference architectures to ensure you are optimized for success.

INTEGRATION

You know your business objectives, but do you know the achievable outcomes the combined force of your carefully thought through security program can deliver?

Even beyond technology, building a security culture with repeatable processes in your organization is paramount. Leverage our expertise to help you build playbooks to fast-track your team culture, program deliverables, and measurable results.

OPERATIONS

A mature and robust cyber program involves people, process, and technology all working together, and is measured beyond avoidance of risk but rather achievement of expected outcomes.

Since those were defined early on in the process, the operational phase can be continuously monitored and measured by senior leadership.

And as your organization grows, you may find that having your own dedicated Security Operations Center (SOC) will be augmented (or better managed entirely) by our award-winning 24/7 CYDERES managed services.

Scaling and upgrading your managed defense and response, red team, and cloud governance with an around-the-clock expert team may streamline your cost, efficiency, and speed to value especially with a large remote workforce.

THE END IS THE BEGINNING

As unforeseen circumstances arise (see 2020), our 6-step approach can begin anew with another round of strategy sessions, further governance frameworks, architecture discussions, and more, to adjust in order to achieve even greater heights of efficiency and success.

Hype is overrated. Let’s #BeCyberSmart together, punch your challenges in the mouth and accomplish your goals. Whatever it takes, Fishtech is ready to earn your trust as we help you navigate and secure your future.

Ready to get started? Fill out the form below to be connected with one of our experts.

The end of 2020 is fast approaching. While many across the world are ready for this crazy, unpredictable year to end as soon as possible, there are a few items worth considering so that your organization can stick the landing and start 2021 with your best foot forward.

There are many classic “end of year activities” for businesses that become so routine that decision makers may miss opportunities to re-evaluate financial and strategic plans for the new year.

We’ll quickly cover a few areas you may want to put into consideration for a deeper dive as you round out December.

Compliance or Audit Requirements

Compliance and audit requirements must be met by the end of year. How are you accomplishing these tasks? The time is now to schedule a security assessment to mitigate any compliance gaps. Need a plan of action? We can help you with our Cyber Risk and Compliance experts.

Our team works to make sure you are not only meeting your compliance and audit requirements but doing so in an efficient manner. Check out our Director of Cyber Risk and Compliance Michelle Thacker talk more about end of year assessments.

2021 Budgets / License Renewal

With that license renewal looming, it may be time to re-evaluate why you are even renewing in the first place.

More than likely, you are now many years away from the analysis that supported the initial purchase decision. In that time, your business has evolved, and your needs have changed.

Performing even a cursory analysis of methods and tools will expose opportunities for consolidation, efficiency, and greater returns on technology investments, both human and financial.

As you are reviewing your budgets for next year, keep these renewals in mind. Need an outside perspective to help you find where these opportunities exist? We work to be technology agnostic to ensure we are providing guidance toward the best solution for your business the first time. This is especially important when you are looking at the relative cost to outcome of the solutions you use.

Move Forward Strategically

In the midst of the reviews of the above, it can be beneficial to review your overall security posture and how you can improve as you move forward. Sometimes, it can be as easy as a *click*.

There are many developments in cybersecurity that are changing the way organizations are protecting their assets and employees. Hear Co-Founder and Chief Technology Officer Dan Thormodsgaard talk about many areas that can improve your security posture in 2021 and beyond.

End the Year Strong

With just one more month left in 2020, we’re ready to help you reach your goals for this year and get you ready for the next. No more going through the motions for your end-of-year activities. Let’s be proactive and start 2021 off right.

If you’re ready to get started, fill out the form below to be connected with one of our experts.

The Black Friday phenomenon has grown exponentially over the years. So much so that new big deal days like Cyber Monday have been tacked on to extend the shopping season. Not only that, businesses have started advertising Black Friday deals at the beginning of November, if not outright start the Black Friday sales around the first of the month.

This year, Black Friday has been even more pervasive in the Year of the Quarantine, with new cyber deals popping up every day, and discount codes urging you to “STAYINSIDE”. In what is sure to be a more cyber-heavy shopping year, it is more important than ever to take steps to ensure your money and your data stay safe this holiday season.

In today’s blog post, we’re putting together a few tips to help you protect yourself as you shop from the comfort of your couch. Here are a few Black Friday / Cyber Monday Safety Tips:

1) DON’T USE DEBIT CARDS

Using a debit card allows cyber criminals direct access to your bank accounts. Using payment options with added layers of protection is key to reduce your risk while you shop. Try using a credit card or a third party like PayPal or Venmo.

2) DON’T CLICK ON LINKS OR OPEN ATTACHMENTS IN EMAILS

Many cyber criminals are using the flood of Black Friday emails from retailers to send their own copycat versions with malicious links. Beware of links and attachments in the emails you receive. Hovering over links can help show you where exactly each link is sending you to.

3) DON’T SHOP ON PUBLIC WIFI

Make sure you are only shopping on a secure connection. Shopping online requires you divulge sensitive information, like credit card numbers, addresses, and more. You don’t want this information visible to outside eyes. When you are shopping online, make sure you are on a private network, or are using your cellular data plan to stay secure.

4) USE A VARIETY OF PASSWORDS

Many online retailers require you to create an account to purchase items, which includes creating a password. It may be easier to use the same password everywhere, but should that retailer be breached in the future, many of your other accounts are now susceptible. Use a variety of passwords to mitigate your overall risk.

5) ENSURE YOUR SOFTWARE IS UP TO DATE

Before shopping til you drop, make sure your device’s software is up to date. From your operating system to your web browser to your password manager and beyond, take some time to ensure you have the latest versions for security’s sake. Outdated systems are often littered with vulnerabilities, so you’ll want to fully update to block cyber criminals from gaining access.

6) ENABLE 2-STEP VERIFICATION

We’ve recently covered how to achieve better security for your organization through 2-step or multi-factor authentication, but many online retailers give individuals the option to ensure all logins (and even final order submissions) are secured through confirmation via a secondary device. Sending an authorization code to your phone or email may be a momentary inconvenience but compared to dealing with stolen credentials is a very worthwhile use of time.

With so much excitement surrounding Black Friday, Cyber Monday, and the holiday season in general, it can become easy to overlook the basic tenants of cyber safety. Follow these tips, and use common sense to stay safe as you shop. Have a happy Thanksgiving, and stay safe this weekend!

After years of ransomware wreaking havoc on victims worldwide, threat actors doubled down with their extortion tactics earlier this year by introducing a new technique. This was previously described in the “2020: Not Your Father’s Ransomware” CYDERES technical blog post. It’s a relatively simple concept, with an innovative and ingenious spin on the traditional ransomware attack. Rather than just encrypting a victim’s sensitive data, the operators behind the attacks added the additional step of exfiltrating that sensitive data and threatening to leak the data if the requested ransom is not met. In the past, victims with access to system backups might be able to sneak by without paying the ransom. However, now they may have to consider paying because they are faced with the threat of their data being leaked. The risk of public disclosure and potential brand damage being leveraged in these attacks can be very lucrative for the operators behind these attacks.   

While the concept of double extortion might have been the first significant twist relating to ransomware we would come across the year; it would unfortunately not be the last. Adversaries have proven that they are opportunistic in nature and will exploit any avenue they can. COVID-19, perhaps being the most significant opportunity of all, has drastically impacted the cyber landscape. The shift to remote working has opened up a new assortment of security vulnerabilities and has left users increasingly vulnerable to phishing emails and malware-involved attacks as they perform work-related tasks on their home networks, which often have minimal security measures in place.  

The shift instigated by COVID-19, along with the opportunistic nature of malicious operators and other uncertainties in today’s world, has had a damaging impact on the cyber landscape worldwide. Research conducted by Check Point concluded that during the third quarter of 2020, there was a 50% increase in the daily average of ransomware attacks when compared to the first half of 2020. Additionally, the number of ransomware attacks that have plagued the United States has approximately doubled in the third quarter of 2020, making it the most targeted country for ransomware attacks. [source]

Figure 1: Check Point Research showcasing the rise of ransomware incidents

Now it is time to introduce the tried-and-true concept of distributed denial of service, or DDoS, extortion. The idea of this form of digital extortion is relatively straight-forward; if the victim gives the adversary what they request, then the adversary will not attack the victim. Victims will often receive communication from the adversaries threatening to unleash a wrath of junk traffic in a DDoS attack if the victim does not supply the adversaries with the ransom amount they request.

In a recent example of DDoS extortion, adversaries claiming to be affiliated with the Lazarus Group sent an extortion letter to Travelex in which they demanded 20 bitcoins, or approximately $200,000 at the time, and stated that the ransom would increase by 10 bitcoins every day that elapsed after the initial deadline. Travelex did not pay the ransom and instead chose to face the DDoS attack. The DDoS attack did not prove to be effective and is indicative of its spotty effectiveness. [source]

Similar to exfiltration, DDoS extortion on its own is nothing new or fancy. However, it is a means to add some extra leverage when demanding a ransom payment, which is all an adversary needs. If an organization is not willing to or does not need to pay to decrypt their data, they will perhaps pay to prevent a DDoS attack that could result in service downtime. Not to mention the downtime organizations may face from other consequences, such as further impacting their brand reputation.

At the beginning of October 2020, the security community observed one of the first attacks that leveraged the technique of combining ransomware and the threat of a DDoS attack. When negotiations stalled in a SunCrypt ransomware attack, the operators and its affiliates initiated a DDoS attack against the victim’s website. Upon logging back into the ransomware’s Tor payment site where the negotiations were being conducted, the victim was provided with an explanation that SunCrypt was responsible for the DDoS and threatened to continue the attack if negotiations did not resume. In this scenario, the SunCrypt operator’s use of this tactic to force negotiations was successful, as it ultimately led to the victim paying the demanded ransom. This technique was especially effective because the victim was a smaller organization. The combination of data theft, the threat of a data breach, a lack of access to encrypted files, and a DDoS attack could have completely caused them to shut down. [source] 

Figure 2: Communication between SunCrypt operators and their victim

The effectiveness of this technique boils down to simple principles. First, the adversaries must present a threat that introduces unacceptable consequences. It must be drastic because if it is not, no victim is going to pay the demanded ransom. In the case of DDoS extortion, it is the system and resource downtime, along with the consequences that come with it, that are unacceptable. Secondly, adversaries are going to have a much better shot of being successful if they can force the victim to react with emotion rather than logic. DDoS extortion attempts to accomplish this by setting deadlines, such as threatening to continue to increase the ransom demand as more and more time passes. This is more likely to elicit an emotional response from the victim because they might not have the opportunity to think rationally or even engage law enforcement. 

While the introduction of data exfiltration and DDoS extortion makes preventative efforts less cut-and-dry, there are still many measures and best practices that can and should be implemented to help mitigate these threats. Best practices for mitigating ransomware include network segmentation, the principle of least privilege, anti-malware software, up-to-date systems, and most importantly, backup solutions that are not only implemented but also practiced to ensure a smooth recovery. Besides using unique, complex passwords, enabling multi-factor authentication (MFA) where possible, and regularly applying security updates and patches to maintain a strong network security posture, knowing what a DDoS attack looks like and having a plan to react to it are important steps to take for mitigation.

Now that there are use cases and evidence to suggest that both the threat of data exfiltration and DDoS extortion are effective when it comes to providing additional leverage to persuade the victim to pay the ransom, it will likely be increasingly adopted. Not only that, but these tactics and techniques will continue to evolve in an attempt to stay one step ahead of defensive measures that could stand in the way of raking in a profit. Coupled with the additional challenges of a rushed transition to a remote workforce and everything else that has come along with the COVID-19 pandemic, some companies have been left in a vulnerable position. Combating the ever-changing cybersecurity threat landscape will require an extraordinary amount of creativity, perseverance, and collaboration from cyber professionals, business leaders, and organizations worldwide.

CYDERES is primed to help with threats like ransomware and can help organizations in situations like those detailed above. If you are interested in finding out more about how CYDERES can help your organization combat ransomware and beyond, fill out the form below.

By David Sanders

Part 1

A common question among companies seeking to mitigate the risk of an insider attack is: “What tools should we buy for our mitigation program to be successful?”

Our view is that every effective insider threat program must have two tools. One is a user activity monitoring (UAM) system and the second is artificial intelligence-based analytics software.

It’s important to understand that these tools perform distinctly different functions, and that no single technology will meet the breadth of requirements that UAM and AI analytics do when combined.

UAM is a structured, consistent and continuous collection and reporting process across the whole of an organization at the device level. It helps users identify, assess, decide on responses to and act on specific analysis of employee behaviors.

The purpose of UAM is to gather detailed and substantive activity information (e.g., screen captures, text content, keystrokes, etc.) in the digital realm that may be indicative of an insider threat. UAM tools gather a level of detail not available from other tools, including data loss prevention (DLP), security information and event management (SIEM) and user and entity behavioral analytics (UEBA).

Some UAM tool vendors are adding dashboards and scoring to help focus analytical attention on users generating the most severe and frequent alerts. This is a helpful and positive development within the context of user activity on networks and devices, but it fails to include other data sources not generated by the UAM tool. It is important to remember that UAM systems provide only a limited digital view of the user, which precludes a broader understanding of the user’s full range of activities and behaviors.

Therefore, insider threat programs need to integrate data from across the organization into a separate tool that can perform advanced analytics, with the goal of creating a continuous, comprehensive and accurate assessment of insider behaviors to determine if a trusted individual has conducted or is likely to conduct acts of concern.

The analytical tool must be able to make sense of an abundance of data from technical (i.e., digital) and non-technical sources, and then transform the results into actionable risk intelligence for purposes of detection, risk prioritization and response.

Technical data includes voluminous raw feeds from DLP, web proxies, access management systems, UAM, printers, scanners, email and firewalls.  Non-technical data includes information about the individual from multiple departments within the organization, including:

1. Human Resources (e.g., role, location, performance, incidents, status, leave patterns, projects, objectives, training records);
2. Finance and Accounting (credit card activity, travel and expense records); and
3. Security (badging activity, incidents, special access).

Prior to the advent of structured insider risk/threat programs, this broader non-technical data set was rarely integrated and analyzed. That said, there are some tools that were built specifically to conduct this type of multi-source analysis.

Within the CIO or CISO departments, SIEM and UEBA (now known as SIEM 2.0) are used predominantly for this purpose. Without question, the strengths of these two classes of tools are their ability to connect to multiple data sources (i.e., ingest, format, correlate and process data); search and report; and apply advanced analytical processes (e.g., rules, machine learning and other artificial intelligence techniques) to generate alerts.

However, SIEM/UEBA tools are not good at generating actionable risk scores, which are vital to identifying insider threats in a proactive, even predictive, manner. There are several reasons for this:

1. Scoring is simplistic – adding scores together, sometimes applying a multiplier or adding a very large value when a specific high-threat event occurs to move users to the top of the scoring list;
2. The tools do not effectively score non-technical behaviors, but rather create watch lists with the information; and
3. Scoring models are not built specifically for the insider threat domain, but rather relate to specific use cases such as data exfiltration and attempted unauthorized access, which can often be ‘explained away’ as a product of non-malicious and non-negligent activity.

With UAM and SIEM/UEBA tools, then, organizations have abundant alerts but lack an effective scoring capability to identify insiders whose behaviors indicate that they have conducted or are likely to conduct acts of concern.

So what is the best analytical tool to make sense of the volumes of alerts and behavioral indicators that can be found buried in all that technical and non-technical data? At Haystax, we believe in the power of a probabilistic model known as a Bayesian Inference Network, or BayesNet.

BayesNets are a place to capture the knowledge and insights of domain experts and then apply data as evidence to support this or that belief. They are ideally suited to situations where the problems are complex and don’t lend themselves to black-or-white binary answers, and where the data is sparse, noisy or even non-existent.

The Bayesian model at the core of our Insider Threat Mitigation Suite was purpose-built to assess the probability that a user’s behaviors indicate potential or actual insider risk. The model is the single environment where all of the technical and non-technical data and alerts generated from UAM and SIEM/UEBA systems can be applied and effectively evaluated, which is why we call it a ‘whole-person’ model. If a customer does not have a SIEM/UEBA system already in place, the Haystax Insider Threat Mitigation Suite can fulfill many of the data integration and analysis functions in its place.

The screen image above represents a portion of the Haystax whole-person insider threat model. Ingested and processed data can be applied to any model node. The impact of each new piece of evidence is determined by the strength and frequency of the event and probability attributes of how one node in the model affects another.

These nodes and their probabilities were developed with input from experts in the fields of behavioral psychology, security, counterintelligence, human resources, investigations and analytics. The result is a detailed yet understandable model that continuously assesses the probability that an insider has committed an adverse act or has exhibited concerning behaviors, and then produces a risk score on a dashboard in the Haystax user interface that allows decision-makers to proactively mitigate their highest-priority insider threats.

In Part 2 of this post we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.

Part 2

In Part 1 of this post we explored the basic characteristics of user activity monitoring (UAM), security information and event management (SIEM), user and entity behavioral analytics (UEBA) and artificial intelligence-based analytics software systems.

In this part we will compare and contrast how data-driven UAM and SIEM/UEBA solutions detect insider threats versus how the model-driven Haystax solution does it.

For illustration purposes, let’s consider a company with 10,000 trusted insiders that has the following circumstances:

• 500,000 files per week are copied to removable media by 2,500 employees
• 50,000 files per week are being sent outside the company via email
• 100,000 DLP alerts per week for files being copied to removable media
• 10,000 DLP alerts for email
• 500,000 web page visits per week
• 100,000 files downloaded from websites
• 7,500 files uploaded to websites

The above assumptions are reasonable if there are few or no controls on the use of removable media and on sending files via email. The number of alerts generated would require a significant effort to review in a timely manner; therefore, there needs to be effective threat scoring to point the analysts to the insiders that pose the greatest threat to the organization.

To contrast the differences of how SIEM/UEBA solutions develop threat scores versus Haystax, and the effectiveness of each approach, we will evaluate three user behavior scenarios:

1. User A has contextual, technical and non-technical behaviors;
2. User B has contextual and technical behaviors; and
3. User C has contextual and non-technical behaviors.

The scenarios and resulting scores are presented below.

User A has both cyber and non-cyber behaviors that should be considered in the overall threat analysis. The SIEM/UEBA score, on a relative scale of 0-100, is low. Scoring assumptions for the SIEM/UEBA are:

1. Non-cyber behaviors and contextual data did not impact the score;
2. The non-productive web browsing has low impact because it is not data exfiltration; and
3. Sending files via email has low impact because the volume is low.

The Bayesian Inference Network (aka BayesNet) probabilities consider all of the activity, resulting in higher threat probabilities. The behaviors of User A could be indicative of many things – disengagement from the organization, unfamiliarity with company policy or attempts to test controls and monitoring. Identifying the increased threat level allows for further investigation (perhaps using the UAM tool) and proactive risk mitigation.

User B has contextual and technical behaviors and the SIEM/UEBA score is high, on a relative scale of 0-100. Scoring assumptions for the SIEM/UEBA are:

1. The cyber behaviors are scored high due to the large volumes of data being sent outside the network; and
2. The contextual data has no impact on the score.

The BayesNet probabilities consider all of the activity, resulting in higher threat probabilities. Specifically, the “Conducts Potential Insider Threat Activities” is high due to the data exfiltration. But the overall “Is Insider Threat Concern” is lower because it is impacted by the “Exhibits Concerning Characteristics,” which is lower due to the contextual data (e.g., position as recruiter, longevity with company, absence of other negative behaviors to increase the score). The behaviors of User B are likely that of an employee doing their job – sending company information to prospective employees.

User C has contextual and non-technical behaviors and the SIEM/UEBA score is zero, due to the absence of technical behaviors and the lack of scoring non-technical behaviors.

The BayesNet probability scoring indicates a low probability of “Conducts Potential Insider Threat Activities” due to the attempted access behaviors, and a medium probability of “Exhibits Concerning Characteristics” due to the access to critical data, attempted access, performance review and being a relatively new employee. User C does not appear to be a threat based on this information, but these behaviors should be retained and considered in the light of future behaviors.

These use cases demonstrate that insider threat programs should implement both UAM and advanced analytics. The UAM tools provide necessary details about users’ activities on computers and laptops, but do not contain all the data required to detect insider threat activity.

A broader set of data, usually at a higher level, needs to be integrated into and effectively analyzed by an advanced tool that can effectively consider both technical and non-technical indicators. The Haystax Insider Threat Mitigation Suite employs just such a tool: a BayesNet that effectively and consistently evaluates both of these behaviors, thus developing a picture of the whole person – and any early indications of insider risk.

#    #    #

Note: A former high-flying corporate executive suffers a series of personal and professional setbacks and gradually develops into an insider threat. Find out how Haystax would have used probabilistic analysis and technical/non-technical data to discover him prior to his massive theft of intellectual property, in To Catch an IP Thief.

Cybersecurity can be daunting.

How many acronyms and buzzwords can there possibly be within one industry? ZTNA, SaaS, SASE, the list goes on. Where do you start when you’re wanting to secure your business? Today, we’re keeping it as simple and practical as possible, because honestly, sometimes a single step can make huge strides for an organization’s cybersecurity.

Today, we’re talking about multi-factor authentication.

Multi-factor authentication is under the umbrella of Identity and Access Management, or IAM, but forget all of that for a second. We said we’re keeping this simple, right? We’re just focusing on how one or two clicks can improve your security posture as you look to start building out a cybersecurity program that can handle the most advanced threats.

Everyone is used to the traditional way of securing your applications online. Submit your correct username and password, and you’re off to the races. Unfortunately, this approach is quickly becoming outdated as more and more sophisticated attackers find ways to break through this minimal defense.

In a presentation at the recent RSA Security Conference, Microsoft’s Director of Identity Security, Alex Weinert, said 1.2 million Microsoft accounts were compromised in January 2020 alone. Of those compromised accounts, 99.9% were not using MFA.

With multi-factor authentication, the goal is to add an extra layer of defense so that even if malicious attackers crack your password, they do not gain immediate access to your applications and information.

So, what does that look like in practice?

*Click*

Seriously.

It can be as simple as a click or two to add a much-needed extra layer of defense to your organization.

For example, you want access to a cloud application your organization utilizes. Using a multi-factor authentication approach, you would first enter your username and your password. Upon the correct entry of your credentials, a notification would be sent to your personal phone asking if you just logged in. All it takes is a *click* confirming that it was you. Upon this second step, you would then be granted access to your cloud application.

You can see how this can be a deterrent for potential attackers. If they don’t have access to your phone, they don’t have access to your applications.

Now, don’t get us wrong, this isn’t a one and done way to fully protect your organization. Identity and Access Management has many pillars that increase in complexity to further protect your organization to ensure there are even fewer chances that your applications and information will not be breached. As a start, check out our video on the pillars of IAM.

But truly, diving down that rabbit hole is a conversation for another time. The point is that multi-factor authentication is an easy way to get started down the path of a more secure future for your organization.

See? Cybersecurity doesn’t have to be daunting. Sometimes huge strides forward are just a *click* away.

Interested in learning more about implementing multi-factor authentication within your organization? Fill out the form below to get connected with one of our experts.

(And if you’re really itching to learn more about other forms of authentication RIGHT NOW, check out our blog post on “The Rise of Passwordless Authentication”. Overachiever over here!)

Executive Summary

CYDERES, Cyber Defense and Response, is the security as a service division of Fishtech. This division was created to help organizations with 24/7 security operations through our award-winning managed detection and response offering. This article focuses on the day to day activities of a SOC Analyst.

Thursday Morning

Through the Missouri Innovation Campus I was provided with an opportunity to learn with a position as an intern in the CYDERES SOC. With the help of analysts and other CYDERES resources, I was able to recently apply some of the knowledge I have learned to a recent Bazar loader campaign. On September 24, 2020 I started off my day by grabbing a nitro cold brew from the break room before heading though the man trap that leads into the Security Operations Center. Using face recognition for the first door and my badge for the next, I headed to my desk. Once there, I looked at the Twitter feeds which are kept on the large display and noticed reports regarding a malspam campaign being linked to Bazarloader. Since I was working the abusebox, which is a service offered to clients in which suspicious emails are sent for analysis, I started to research on what the campaign looked like and noting any similarities to previously seen campaigns.

Figure 1: SOC in the Cyber Defense Center 

Thursday Afternoon

Later that day, CYDERES received multiple copies of emails being delivered to different customers with a close resemblance to the emails seen that morning. The first item that stands out is they all had the same two subjects, “Re: what time?” and “Re: debit confirmation”. The second item that stood out was that they all had the same sending email address, “mike_warner@parkshorebmw[.]com”, which appears to be a legitimate email for a BMW dealership in Vancouver that was likely compromised or spoofed. While the sender looked reputable, investigating the body of the email showed similar items to previously seen phishing campaigns that lead to credential harvesters.

Figure 2: Sample email 1

Figure 3: Sample email 2

I observed that the emails contained common spear-phishing (Mitre T1566.002) techniques which address the email to the target company, while claiming to be an outsource specialist. The email also contained a sense of urgency by discussing payroll information and setting a time where a reply is needed, then requesting the user download a PDF file.

The link in the email shows it was sent via Sendgrid and contains a masked URL that will redirect to the payload. This follows the trend reported by Brian Krebs on how Sendgrid is commonly used to send out malicious emails to evade detection. The link in the email leads to a Google Document which looks very similar to ones that have been linked to Emotet malspam campaigns.

Figure 4: Screenshot of the requested download pdf

The page contains a message that claims that Google has verified this page and calls it “safe”. However, this is added by the threat actors in an attempt to make the page look legitimate. The page is hosted via Google’s cloud services which means that this document could have been created by anyone, so it should not be trusted for employee information.

The link on the page was observed to download an EXE file even though the email and the website claim that the document should have been a PDF file.

Running the file command shows the following:

Figure 5: File command on suspicious “pdf” file

The downloaded binary had not yet been identified in Virustotal as malicious. The binary was then detonated in a sandbox environment but did not run in a Windows 10 32-bit environment. Switching to a Windows 10 64-bit sandbox, the sample loaded modules, but then after reading the GUID information it unloaded them. This appeared to be because the sample identified that it was in a VM or that it would not run on Windows 10. This is a common threat actor tactic used to try to avoid analysis which aligns with technique T1497 of the Mitre ATT&CK model.

Research on the PDB path from the binary led to a github page with a theory that the binary might run on a Windows 7 VM. The referenced Github page talks in detail on how to escalate privileges in Windows 7. After detonating the sample in a local Windows 7 virtual machine, it was found that the sample was generating domains ending in “.bazar”. Similar to Trickbot, this loader evades detection by abusing the trust of certificate authorities. This loader, however, uses EmerDNS domains for command and control due to the domains being uncensorable. According to the emercoin site:

Because of Emercoin’s secure and distributed blockchain the domain name records are completely decentralized and uncensorable and cannot be altered, revoked or suspended by any authority. Only a record’s owner can modify or transfer it to another owner, and a record’s owner is determined by whoever controls the private key to the associated payment address.

Figure 6: Screencapture of bazar dns domains in Wireshark

Performing OSINT review on the IP address, 92.242.40[.]137, resulted in a tweet by @JAMESWT_MHT listing this IP as “Bazarloader” signed by “Nordkod LLC”:

Figure 7: Tweet listing the ip as bazarloader

A look at the binary properties show the same signature listed on Twitter:

Figure 8: File signed as Nordkod LLC

The next steps were to follow customer specific playbooks to report and mitigate this campaign for our clients. For one customer, this included quarantining around 100 emails which had reached users but were mostly unread. Leveraging Chronicle, a search was made for any IOCs in the customer’s environment, which resulted in 0 hits. For a detailed analysis of Bazarloader, check out Cybereason’s article titled “A bazar of tricks: following team9’s development cycles”.

Leverage Fishtech’s Expertise

Analysts in the GSOC, Global Security Operations Center, provide 24×7 security monitoring, triage, and investigations across the entire security stack. From abuse box monitoring and human threat hunting to managed deception and network traffic analysis, CYDERES ultimately owns detection of threats in the client’s environment to be a force multiplier for in-house security capabilities. To learn more on GSOC or other services offered by Fishtech, fill out the form below, or check out the drop down menus at the top of the page.

References:

IOCs

The theme for the second full week of Cybersecurity Awareness Month has been “Securing Devices at Home and Work” which has taken on such an unprecedented importance in 2020. We recently caught up with Fishtech Group’s Co-Founder and Chief Technology Officer Dan Thormodsgaard to ask him a few questions on the state of cybersecurity after a tumultuous year. We go further into how he sees our industry adapting to what’s to come in 2021 and beyond and how it all relates organizations securing home and work devices. Along the way, we hit on newly-emerging hot topics in our industry like ZTNA, SASE, and Infrastructure-as-Code, and dive into Fishtech practice areas like CRC and IAM. Without further delay, here is our interview with Dan Thormodsgaard.

Is ZTNA Just Another Buzzword?

Is ZTNA just another buzzword? We don’t think so. Zero Trust Network Access can bring a lot of added security to your access controls as you move away from IP-based access controls to more application- and identity-based access controls.

What is SASE?

SASE, or Secure Access Service Edge, encompasses not only ZTNA, but the security stack as well. Dan elaborates on another recent hot topic in our industry.

Accelerate Your Business with Cyber Risk & Compliance

Cyber Risk and Compliance, or CRC, is a Fishtech practice that is based around helping you meet your compliance objectives that can ultimately win you new contracts, thus accelerating your business, while simultaneously working to keep you more secure.

The Power of Infrastructure-as-Code

Infrastructure-as-Code is the future of the modern enterprise. With the mass adoption of the cloud, Infrastructure-as-Code will become important to achieve efficiencies in your business to allow you to thrive in ways that were not possible in data-center-centric environments.

Identity & Access Management Priorities for 2021 & Beyond

Earlier this year, as remote work started to accelerate, access management was a primary focus for many organizations, but what should IAM priorities look like for 2021 and beyond? Dan talks about the four pillars of IAM and explains where we should go from here.

Best Practices for Insider Threat Visibility

There are many factors at play when you start talking about successful insider threat programs. It is important to have a great foundational layer of controls from many other practice areas to set your organization up for success. Dan explains some best practices for getting these controls up and running to make sure you are able to more easily and successfully implement an insider threat program for your business.

Biggest Cyber Challenge of 2020

2020 showed a lot of cracks in many organizations with regard to business continuity and their abilities to adequately adjust to work from home environments. Dan talks about a couple specific examples he saw in 2020 of how organizations adjusted to the unpredictability of this year, and why cloud adoption is so important.

The Importance of Validating Technology

Fishtech has built out a state of the art lab, not only for cloud-based environments, but for on-premise environments as well. Dan talks about our philosophy on validating technology and the steps we take to make sure we’re providing the right solution the first time.

Building a Flexible Cloud Architecture

Fishtech was lucky to be able to start from the ground up five years ago with decades of experience in our back pocket to create a flexible cloud environment that we could proudly show as a model for our customers of how to operate in a native cloud environment. Dan talks about how this was a huge help during the unpredictability of 2020.

Up-and-Coming Technologies

To round out our interview with Dan Thormodsgaard, we’re talking about the up-and-coming technologies that are getting his attention, most notably surrounding SASE.

Ready to discuss strategies for 2021? Fill out the form below to be connected with one of our experts.