Third-Party Risk Mitigation – If You Connect It, Protect It. #BeCyberSmart

In the modern business landscape, delivering products and services requires a network of partners and suppliers who will inevitably receive and handle sensitive information. Unfortunately, this increased reliance on third-party operators has led to an increased amount of breaches that originate from said third parties.

During this first week of Cybersecurity Awareness Month, in which we are focusing on the overall theme of “If You Connect It, Protect It”, we wanted to focus on ways you can protect your organization as you continue to connect with third parties. It is important to reduce your overall risk so that you can continue to grow your business with your network of partners and suppliers in a safe and efficient manner.

Third-Party Risk Mitigation with Zero Trust Network Access, or ZTNA

There are many ways to mitigate risks that emerge from connections with third parties. Earlier this week, our Chief Technology Officer and Co-Founder Dan Thormodsgaard talked about Zero Trust Network Access, or ZTNA, and the process of moving access controls away from being more IP-based to more application- and identity-based controls.

Later on in the video below, he also talks about how ZTNA can specifically tighten up access for third parties to reduce the risk of potential breaches by limiting what information third parties can have access to using these updated access controls.

There are also defined Third-Party Risk Management programs that can help you continuously assess the possible risks from partners you are in operation with so that you can work to remediate any potential issues before they become a bigger problem for your organization in the long run.

What better way to talk about best practices for partner operations than by focusing on great information from our own partner Prevalent and their “Six Steps to Complete Third-Party Risk Management”?

 

Six Steps to Complete Third-Party Risk Management

Step 1: Define/Build/Optimize – Basic Program Decisions

It’s important that you bring in experts to advise you during this step so that you can create solid foundational guidelines before you properly start your third-party risk program. The goal at this point is to establish which vendors need to send and receive what information, as well as how you will send and receive said information.

Step 2: Monitor for Vendor Cyber and Business Risks

This second step is critical to get an understanding of the risks your partners pose to your overall business and how it can affect your operations. It is important that you analyze both cyber and overall business risks.

Step 3: Collect Evidence and Perform Due Diligence

In this step, you will take action on collecting evidence and perform due diligence reviews. Depending on the make-up of your organization, you will need to decide if this is a process you will do yourself, share the responsibility with other vendors, or completely outsource the collection and analysis of evidence to a TPRM vendor, audit firm, or systems integrator.

Step 4: Analyze and Score Results

Here at the halfway point, you will have completed, and potentially even validated, your evidence collection. You will now need to analyze and score all evidence so that you can prioritize risk mitigation activity.

Step 5: Remediate Findings

After collection and analysis, you will need to remediate the findings that came out of the evidence. Vendors identified in step one as having greater criticality to the business or higher risk levels should be prioritized.

Step 6: Report to Internal and External Stakeholders

With a well-established third-party risk management program, you can organize your reporting process to avoid being bogged down by complex and time-consuming compliance reporting. Many partners, like Fishtech Group, can help you set up reporting for common regulations and industry frameworks to make sure you are reporting your findings efficiently and accurately.

Here’s a video of our own Michelle Thacker, Director of Cyber Risk and Compliance, talking about how Fishtech Group can help streamline your approach to reporting.

Benefits of TPRM

There are many benefits to third-party risk management in relation to compliance, but as you can see in the steps above, you are also establishing a rich repository of information that can help you identify risk areas in your organization, and help remediate them early, especially when problem areas may be critical to your overall operations.

In this era of mass information, any third-party partner connected to your organizational activities needs to be assessed, and protections need to be put in place so that the larger attack surface your vendors and partners introduce does not become an opportunity for a breach.

During Cybersecurity Awareness Month, take an opportunity to step back and think about any areas of your digital operations in which you may be vulnerable, including the often-overlooked potential for breach through third parties, among other vulnerabilities within your internal operations. The general guideline to focus on during this first week is “If You Connect It, Protect It”.

If you’d like a more detailed approach on the Six Steps to Complete Third-Party Risk Management, you can view the Prevalent white paper here.

If you’d like to talk to one of our experts about third-party risk management, or any other areas of cybersecurity, fill out the form below. Stay tuned to our blog all month long as we continue to focus on various areas of cybersecurity to help you #BeCyberSmart.


Cybersecurity Awareness Month 2020

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance & the U.S. Department of Homeland Security in October 2004 and has been a continued focus in InfoSec communities each October since. On this first day of October, we’re turning our focus toward spreading cybersecurity awareness to help members of our community and the organizations we serve do their part and #BeCyberSmart.

This year’s theme of ‘Do Your Part. #BeCyberSmart’ is a call to action for individuals to own their role in protecting their part of cyberspace. We each have a role to play in making sure we protect our own devices to ensure the broader security of the individuals and organizations we are a part of.

To start off this critical month, we wanted to highlight some blog posts that will help to inform you about many areas of cybersecurity and lay the groundwork for your better overall awareness and understanding on the intricacies of cybersecurity and how you can #BeCyberSmart.

Why Cybersecurity Should Not Be an Afterthought in 2020

As organizations increasingly move their assets to the cloud, cybercrime has continued to mature, and the prominence of cyberattacks has grown. Cybersecurity, once a niche faction of a few forward-thinking organizations, is now a central pillar of the modern enterprise… or at least it should be. We read some statistics recently that shocked us. Most importantly:

Only 38 percent of companies listed in the 2019 Fortune 500 were operating without a CISO in position.

Read more statistics like these, and learn how you can start prioritizing cybersecurity within your organization with Fishtech Group, in our blog post “Why Cybersecurity Should Not Be an Afterthought in 2020”.

2020: Not Your Father’s Ransomware

Business leaders and IT professionals have become increasingly familiar with ransomware over the last several years. Time after time, we’re exposed to high-profile stories where brands and organizations we know and love are crippled by cyber criminals encrypting sensitive data and asking for money in exchange for the “safe” return of data.

In 2019 alone, the top 5 largest payouts to cyber criminals made by organizations struck by ransomware totaled over 1.6 million dollars.

Read more about ransomware and some of the straight-forward steps you can take to help reduce the risk of becoming a victim in our blog post “2020: Not Your Father’s Ransomware”.

Six Tips for Boosting Your Insider Threat Deterrence Capabilities

At various times in any insider threat program, there inevitably will be shortcomings in governance, gaps in detection, difficulties tying data to a threat, and substandard responses. So, what’s the best fail-safe when those other important program capabilities fall short? Deterrence.

Deterrence is one of the lowest-cost ways to decrease the threat that malicious and negligent insiders pose to your organization. Because it is often viewed simply as a dull or awkward communications and training function, it rarely gets a second look.

We compiled six strategies for how you can make your deterrence strategy more innovative and effective in our blog post “Six Tips for Boosting Your Insider Threat Deterrence Capabilities”.

Do Your Part. #BeCyberSmart

Throughout the rest of the month of October, we will be focusing on many areas of cybersecurity during Cybersecurity Awareness Month so stay tuned to our blog and our social media channels for blogs, videos, infographics, and more so that we can all do our part and #BeCyberSmart.

Next week we will take a deeper look at the theme of the first full week of Cybersecurity Awareness Month: If You Connect It, Protect It. The line between our online and offline lives is indistinguishable. This network of connections creates both opportunities and challenges for individuals and organizations across the globe. The first week of Cybersecurity Awareness Month will highlight the ways in which internet-connected devices have impacted our lives and will empower all users to own their role in security by taking steps to reduce their risks.

Learn more about Cybersecurity Awareness Month by visiting the official website, or fill out the form below to talk to our experts about any questions you may have on your journey to protect your part of cyberspace.


Insider Threat Program Lessons Learned

As Insider Threat Awareness Month draws to a close, it’s worth taking a look back at the trends and developments that shaped the industry’s thinking over the past year, what lessons were learned and how they can inform insider threat program best practices moving forward.

Here are our top three lessons learned, along with links to blogs and webinars from the past 12 months that go into greater depth on each point:

‘Whole-Person’ Analysis is Essential: Heading our list is the growing recognition among insider threat mitigation experts that technical indicators found in conventional SIEM and UEBA systems just aren’t adequate to find the really dangerous insiders, at least in time to avert a crisis. Analyzing non-technical indicators like personnel data, travel and expense records, badge data and even third-party records can reveal additional early indicators that someone is about to become an insider threat. Couple this with a probabilistic model that ‘reasons’ on the data to highlight the highest-risk insiders sooner rather than later and you’ve got a powerful tool that proactively prioritizes where you should focus your scarce analytic and investigative resources.

Develop a Five-Point Program: To be effective, an insider threat mitigation program must consist of five distinct elements. As we outlined in our five-part webinar series earlier this year, these elements are: Governance, Identification, Deterrence, Detection and Response. Skip one or more of these and your program won’t be nearly as effective.

Technology Doesn’t Solve Everything: This statement might sound strange coming from a software company, but the reality is that technology is only one component of a broader program that involves implementing the right policies and procedures, obtaining buy-in and ongoing support from top leadership and developing an effective program to communicate program missions and goals to staff and management. Use the governance element to create and manage the non-technology portions of the program.

Implementing an integrated insider risk mitigation program that combines clearly articulated policies, cross-departmental cooperation and leadership buy-in with the right investigative processes and analytical tools is not just good corporate practice, it also can save your company from data loss, reputational damage, civil liability exposure and, potentially, federal and state regulatory enforcement actions.

#    #    #

Note: Need a quick introduction to Haystax’s risk-based whole-person approach to insider threat mitigation? Check out our new solution intro video on the Haystax Insider Threat Mitigation web page.


Dissecting Valak (CYDERES Technical Blog Series)

Executive Summary

Valak was first discovered in 2019 as a malware loader and information stealer. Fishtech has seen an increase in thread hijacking being used by Valak threat actors to entice end users into clicking on phishing URLs or opening malicious documents. Valak leverages a plugin responsible for harvesting emails to further spread the malware. The following blog will examine how Valak is delivered and its capabilities.

Background

Valak was publicly recorded in October 2019 when two rules to detect Valak were created on Proofpoint’s ET Pro ruleset. The malspam network delivering Valak, or Shathak as Twitter labels it, has been seen targeting English and German-speaking businesses. Valak has evolved from acting as a loader to becoming a sophisticated, multistage piece of malware able to update itself and expand its capabilities.

Valak Delivery Method

The malspam delivering Valak uses existing email threads to increase the likelihood of the victim opening the attachment. To bypass email security, the attachments are password protected. This approach also hinders any automated sandbox analysis used to detonate suspicious attachments.

Figure 1: Email reply with password protected attachment

There are several features in this email that should arouse suspicion:

  • The zip file attached to the email is protected with a 5-character password
    • Sending the password in the same email usually means the threat actor is using this as a way to bypass antivirus or email filtering
  • The email appears to be a reply to an email sent 9 months ago
  • The word ‘attached’ is misspelled “attach_ed”
  • A mismatch between the sender email address and the sender display name
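As an added example (not code from the CYDERES post), the Python routine below triages a constructed reply-chain lure for the indicators listed above: an encrypted zip whose password is in the same message, a display name or Reply-To that does not match the sender domain, and a reply to a months-old thread. The quoted “Sent:” line convention, the 180-day threshold and all addresses are this example's assumptions.

```python
"""Triage heuristics for a Valak-style reply-chain phishing email (added example)."""
import io
import re
import zipfile
from datetime import timedelta
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

PASSWORD_RE = re.compile(r"password\W{0,3}(\S{4,12})", re.IGNORECASE)
QUOTED_SENT_RE = re.compile(r"^Sent:\s*(.+)$", re.MULTILINE)  # assumed quoting style
OLD_THREAD = timedelta(days=180)  # assumed threshold, not from the post


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the general-purpose 'encrypted' bit (0x1) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list:
    """Return the suspicious indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, sender = parseaddr(str(msg.get("From", "")))
    # Display name carries an address from a different domain than the real sender.
    if "@" in name and domain_of(name) != domain_of(sender):
        findings.append("display-name/sender domain mismatch")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append("reply-to domain differs from sender")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    encrypted_zip = any(
        part.get_content_type() == "application/zip"
        and zip_is_encrypted(part.get_payload(decode=True))
        for part in msg.iter_attachments()
    )
    if encrypted_zip:
        findings.append("password-protected zip attachment")
        if PASSWORD_RE.search(text):
            findings.append("archive password supplied in the same email")

    # Reply to a stale thread: compare Date with the quoted original's 'Sent:' line.
    m = QUOTED_SENT_RE.search(text)
    if str(msg.get("Subject", "")).lower().startswith("re:") and m:
        try:
            sent = parsedate_to_datetime(m.group(1).strip())
            now = parsedate_to_datetime(str(msg["Date"]))
            if now - sent > OLD_THREAD:
                findings.append("reply to a thread older than 180 days")
        except (TypeError, ValueError):
            pass
    return findings


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local (offset 6) and central (offset 8)
    header so the sample looks password protected without real encryption."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed lure modelled on the reply-chain email; not a real capture."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("material06.20.doc", b"placeholder, not a real document")
    msg = EmailMessage()
    msg["From"] = '"accounts@victim-partner.example" <kx91@mail-freebie.example>'
    msg["To"] = "buyer@victim-corp.example"
    msg["Reply-To"] = "kx91@reply-drop.example"
    msg["Subject"] = "Re: materials"
    msg["Date"] = "Tue, 23 Jun 2020 09:14:00 +0000"
    msg.set_content(
        "Please find the attach_ed file.\nPassword: gy7kq\n\n"
        "-----Original Message-----\n"
        "Sent: Mon, 23 Sep 2019 15:02:00 +0000\n"
        "Subject: materials\nHi, the material list for the quarter is below.\n"
    )
    msg.add_attachment(_mark_encrypted(doc.getvalue()), maintype="application",
                       subtype="zip", filename="material06.20.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```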

Figure 2: Zip file containing a Microsoft Word Document

Attempting to open the file leads to a window prompt requesting a password.

Figure 3: Enter Password Window

Analyzing the document using ViperMonkey (a VBA emulation engine) provides the following summary of the actions carried out by the macro code:

Figure 4: Vipermonkey results for material06.20.doc

Examining the results shows that the macro ‘autoopen’ runs each time the victim opens the document. The API function ‘URLDownloadToFile’ is used to retrieve a file with a .cab extension. Once the file gap5.cab has been downloaded, it is saved as 44312539.dat in the directory c:\programdata. Regsvr32 is then used to run the 44312539.dat file.

As malware authors constantly change their tactics, it is always a good idea to verify analysis using multiple tools. To manually examine the Macros of the document, please see a previous blog here.

Similar URLs have been seen in URLhaus, urlscan.io and VirusTotal Intelligence. All the listed URLs are associated with Valak.

Figure 5: Download url listed in URLhaus

Opening the document in a virtual machine shows a message requesting the victim to enable macros. If macros were enabled for all documents, the file gap5.cab would have been downloaded automatically upon opening the document.

Figure 6: Microsoft Word Document requesting to enable Macros

After enabling macros, the Valak DLL is downloaded and saved to the C:\ProgramData directory.

Figure 7: Valak Dll saved to ProgramData directory

Regsvr32 is then used to run the Valak Dll. A window will confirm if the file was properly executed. Several versions of Windows failed to execute the file properly. The following screenshot was retrieved from a Windows 10 machine that executed the malware properly.

Figure 8: Pop up window where the Valak Dll was run

As shown below, the malware failed to run on a Windows 8 machine.

Figure 9: Pop up window showing file was not able to run

Once the Valak Dll is run, the file iVIwVADQD.eLxan is created in the “public” user directory and executed.

Figure 10: JavaScript configuration file

Figure 11: Process execution after enabling Macros

Additionally, placeholder, expired and legitimate domains can be seen in the contents of the configuration file along with the C2s, which are likely included to complicate manual static analysis. The legitimate domains are registered to Microsoft and Facebook:

  • vo.msecnd[.]net – Microsoft
  • msnbot-207-46-194-33.search.msn[.]com – Microsoft
  • atdmt[.]com – Facebook

Placeholder domains that were never registered might be used in the future. Expired domains might have been C2s in the past:

  • Knockoutlights[.]com – Domain Creation Date May 3, 2019
    • Expired on Sunday, May 3, 2020
  • d0d0f3d189430[.]com – No current IP address and appears it has not been registered

This leaves the following C2s:

  • d0d0abee1d18255e[.]com
    • Creation Date: 2020-06-18T12:32:43Z
    • Current IP: 22.26[.]248
    • Web Server Location: Portugal
  • Organicgreensfl[.]com
    • Domain Creation Date: June 4, 2020
    • IP Address:  106.18[.]130
    • Web Server Location: Germany
  • a-zcorner[.]com
    • Domain Creation Date: June 1, 2020
    • IP Address:   119.156[.]128
    • Web Server Location: Russia

The screenshot below shows the software signature, software version, and plain text variable names and values. As of this writing, Valak has evolved to using variable names and values with encoded strings.

Figure 12: Contents of configuration file (Part of the script)

Capabilities

The main purpose of the Dll loader is to write the initial scriptlet shown in figure 12 above and detonate the payload. This Dll loader is crypted and the crypter reconstructs the code placing it into memory. It will then perform multiple XOR loops and decompression which results in the unpacked Dll.

Valak script features:

  • Create persistence in the victim’s machine
  • Store Valak configuration in the registry
  • Retrieve the “PluginHost” plugin
  • Retrieve Client scripts

To create persistence, Valak creates entries under the registry key “HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64\”, followed by a JavaScript file (Disk0.js) in the public directory which is called by a scheduled task named “Disk Diagnostics”.

Figure 13: Registry and Scheduled Task for persistence

The function “Loader.Persist” shows the JavaScript file “Disk0.js” being created and calling Loader.DeployHost at the end. The data retrieved by Loader.DeployHost using “Http.Request” is decoded and saved as an executable. This plugin is known as “PluginHost” and provides Valak with the ability to download additional plugins, making Valak more sophisticated than standard loaders. Notable additional plugins retrieved by Valak include “Exchgrabber”, which targets businesses by harvesting emails for ‘Thread Hijacking’, and “Clientgrabber”, which is used for stealing email credentials.

Figure 14: Loader.Persist function calling Loader.DeployHost

Figure 15: PluginHost Plugin being retrieved to further expand Valak’s capabilities
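The execution chain from the macro analysis (Office writing a .dat into ProgramData and launching it with Regsvr32) and the persistence described above (the Appsw64 registry key and the “Disk Diagnostics” task running Disk0.js from the public directory) are both covered by the detection rules below, an added example that is not CYDERES code. The events are constructed, Sysmon-style dictionaries whose field names, Office install path and registry value name are this example's own assumptions.

```python
"""Detection rules for the Valak execution and persistence chain (added example)."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")
PUBLIC_DIR = PureWindowsPath(r"C:\Users\Public")
# Persistence key named in the post; the value names beneath it are not.
VALAK_KEY = r"HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64"


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line into quoted or bare tokens."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def cmd_paths(cmdline: str) -> list:
    return [PureWindowsPath(t) for t in tokens(cmdline) if "\\" in t]


def under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    return base in path.parents  # PureWindowsPath compares case-insensitively


def rule_office_drops_payload(ev):
    """Office process writes a .cab/.dat/.dll into ProgramData (macro download)."""
    if ev["event"] == "file_create" and image_name(ev["image"]) in OFFICE_APPS:
        target = PureWindowsPath(ev["target"])
        if under(target, PROGRAMDATA) and target.suffix.lower() in {".cab", ".dat", ".dll"}:
            return "office process wrote loader into ProgramData"
    return None


def rule_office_spawns_regsvr32(ev):
    """regsvr32 started by an Office parent and pointed at a non-.dll in ProgramData."""
    if ev["event"] != "process_create" or image_name(ev["image"]) != "regsvr32.exe":
        return None
    if image_name(ev["parent_image"]) not in OFFICE_APPS:
        return None
    for p in cmd_paths(ev["cmdline"]):
        if under(p, PROGRAMDATA) and p.suffix.lower() != ".dll":
            return "regsvr32 executing non-DLL from ProgramData under Office parent"
    return None


def rule_registry_config(ev):
    """Any write beneath the Valak configuration/persistence key."""
    if ev["event"] == "registry_set" and ev["target"].lower().startswith(VALAK_KEY.lower()):
        return "write under ApplicationContainer\\Appsw64"
    return None


def rule_task_runs_public_js(ev):
    """Scheduled task whose action runs a script host on a .js in C:\\Users\\Public."""
    if ev["event"] != "task_create":
        return None
    toks = tokens(ev["action"])
    if not toks or image_name(toks[0]) not in SCRIPT_HOSTS:
        return None
    for p in cmd_paths(ev["action"]):
        if under(p, PUBLIC_DIR) and p.suffix.lower() == ".js":
            return "scheduled task runs .js from Users\\Public"
    return None


RULES = (rule_office_drops_payload, rule_office_spawns_regsvr32,
         rule_registry_config, rule_task_runs_public_js)


def scan(events) -> list:
    """Return (event id, finding) pairs for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((ev["id"], finding))
    return hits


# Constructed telemetry modelled on Figures 7, 11 and 13; not real log data.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed path
SAMPLE_EVENTS = [
    {"id": "e1", "event": "process_create", "image": WINWORD,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"WINWORD.EXE" material06.20.doc'},
    {"id": "e2", "event": "file_create", "image": WINWORD, "target": r"c:\programdata\44312539.dat"},
    {"id": "e3", "event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": WINWORD, "cmdline": r"regsvr32 /s c:\programdata\44312539.dat"},
    {"id": "e4", "event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32 /s "C:\Windows\System32\example.dll"'},  # benign control
    {"id": "e5", "event": "registry_set", "target": VALAK_KEY + r"\ExampleValue"},
    {"id": "e6", "event": "task_create", "task_name": "Disk Diagnostics",
     "action": r"wscript.exe C:\Users\Public\Disk0.js"},
    {"id": "e7", "event": "task_create", "task_name": "Vendor Updater",
     "action": r'"C:\Program Files\Vendor\update.exe" /check'},  # benign control
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```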

Conclusion

Valak has evolved from being a loader to a sophisticated piece of malware able to update and expand its capabilities. Malspam distributing malicious Word Documents delivering Valak is likely to continue.

CYDERES recommends that organizations conduct user-awareness training to educate users on commonly utilized phishing techniques and how to identify them. Common indicators that could indicate a phishing attempt include mismatched sender and reply-to addresses, a reply to an old email thread, grammatical errors or spelling mistakes, generic subjects or greetings, and emails that contain unsolicited documents. Additionally, organizations are advised to ensure that all security patches, especially those relating to Microsoft Windows, are applied as soon as they become available.

To become part of customer stories of breaches prevented, compliance achieved, costs slashed, technology optimized, or other real-world tales of digital transformation, take advantage of EDR solutions with CYDERES. If you are interested in talking more about how you can take advantage of EDR solutions with CYDERES, fill out the form at the bottom of the page, and we can connect you with an expert to help you find the right solution for your organization.

ATT&CK

Initial Access

Phishing attachment – ATT&CK ID: T1193

Execution

Regsvr32 – ATT&CK ID: T1117

User Execution – ATT&CK ID: T1204

Scripting – ATT&CK ID: T1064

Defense Evasion

Modify Registry – ATT&CK ID: T1112

Deobfuscate/Decode Files or Information – ATT&CK ID: T1140

Process Injection – ATT&CK ID: T1055

Command and Control

Remote File Copy – ATT&CK ID: T1105

Persistence

Scheduled Task – ATT&CK ID: T1053

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ATT&CK ID: T1547.001

References:

https://www.proofpoint.com/us/daily-ruleset-update-summary-20191022
https://twitter.com/luc4m/status/1265194192768315392
https://www.virustotal.com/gui/domain/2zvdoq8grm7vwed20-zz.com/relations
https://urlscan.io/search/#2zvdoq8grm7vwed20-zz.com

IOCs:

0aa589d6a1ddbf20647af5ceff898d92b72e6ea4d1c79f658bcb6d0213b71d95
8b25aa9582427a476c2e5b66cb00d59946e07021b9708571bb9187cb3d98917a
4c0d7b112dfd99c751a85ad9539152c413ede7e5d976f75ae13a8b46ebf53e66


Tesseract Ventures + CYDERES: A Layer of Safety and Peace of Mind.

Editor’s Note: This post was originally shared on the Tesseract Ventures blog, found here.

At Tesseract, we’re working to create a technology ecosystem that helps modern organizations become smarter and better connected through next-generation robotics, 21st-century software, and radically connected platforms. Each piece of this ecosystem has the ability to produce huge amounts of valuable, actionable data—data that can transform the companies that possess it, making them safer and more fulfilling for their workers, as well as more innovative and more efficient.

However, with great power comes great responsibility. Data is a precious commodity that must be protected from attackers, and each piece of an advanced technology ecosystem like Tesseract must be secured against intruders. This is why we have entered into a partnership with CYDERES, Fishtech Group’s Security-as-a-Service division, to secure that data, as well as analyze and respond to possible threats.

By integrating CYDERES’ innovative security and analytics solutions with our own technologies, Tesseract is able to protect its intellectual property as well as strengthen the service we provide to current and future customers.

We asked Tesseract Ventures CEO John Boucard, and CYDERES President, Eric Foster to discuss this exciting new partnership, and how it will impact both companies and their clients.

 

Eric Foster and John Boucard pose for the original TESS robot at the inception of Tesseract Ventures when John spent time as EIR at Fishtech/Cyderes.

How do Cyderes and Tesseract’s offerings complement each other?

John Boucard, Tesseract Ventures: The alignment of Cyderes and Tesseract completes the offering to our customers by adding a layer of safety and peace of mind. Tesseract will supply an IoT, Robotics, and Analytics platform, and CYDERES will provide both security for the data that is being generated and the high level of customer support and monitoring this kind of advanced technology requires.

Eric Foster, CYDERES: The two offerings will work together seamlessly to create, analyze, visualize, and investigate data. Tesseract sensors and robots feed the CYDERES data pipeline, which analyzes that telemetry for threats. The vast amounts of data produced by Tesseract’s cyber-physical tools are delivered into Google Chronicle and the CYDERES Cloud-Native Analytics Platform to enable intelligent analytics at the speed of thought. Alerts from the analyzed telemetry and the Tesseract robots flow into the CYDERES SOC for 24/7 investigation, detection and response, and then flow out to the client’s Tesseract hub where it can be easily visualized and investigated.

 

Cyderes 24/7 Command Center

What are some unique threats IoT networks need to be protected from, compared to traditional networks? 

John Boucard: Any IoT network creates new threat vectors that can be exploited to create entry points into your private network and data. Each IoT node can be a potential access point. CYDERES provides a hardened network structure to prevent attacks and also identifies potential aggressive activities that need to be responded to.

Eric Foster: We also use the term “attack surface” a lot—meaning how much of your network exists and is exposed to attackers. For most organizations, adding a significant IoT presence means that you are significantly expanding your attack surface, and creating an environment that needs to have both prevention, detection, and response to security threats.

 

The Tesseract Smart Space in our KC office.

Does CYDERES approach cybersecurity for IoT and AI networks differently than you would more traditional digital platforms?

Eric Foster: Yes and No. Ultimately IoT and OT environments have a lot of the same challenges we’ve been dealing with for 20 or more years in information security, such as knowing where your assets are, ensuring they’re kept up to date with the latest patches and with the properly hardened configurations and are protected with preventative and detective technologies at multiple layers.

At the same time, there are definitely novel cybersecurity challenges presented by IoT and AI technologies. Many run on technology platforms where traditional cybersecurity controls fall short. Luckily, CYDERES has partnerships with leading IOT security solutions like Armis (armis.com) for agentless device security in a world of unmanaged and un-agent-able devices, Illusive Networks (illusivenetworks.com) for deception technology via Illusive IoT Emulations, and Extrahop Reveal(X) (extrahop.com) for network layer detection of IoT threats.

 

On the construction site, PRISM anchors and badges combined with IoT feed data into Mosaic and the Tesseract SMART SPACE, all under the umbrella of safety Cyderes provides.

Tesseract’s motto is “There’s nothing more human than technology.” How do you view the role of human workers evolving as technologies like IoT networks and predictive analytics become more common in the workplace?

John Boucard: The future we see is one where human workers become more efficient and effective by allowing them to focus on the areas where they add value. An IoT solution is nothing more than data acquisition that is reviewed by both human and predictive models to determine both meaning and direction. In the process, the human workforce becomes better informed, with relevant data delivered faster and in more useful ways than ever before.

Eric Foster: One of our core philosophies at CYDERES is “human-led, machine-driven.” This alignment in thinking makes us and Tesseract ideal partners. We believe cybersecurity is a problem analogous to flying a modern aircraft—too many decisions need to be made for a completely manual, human-based approach to detection and response of cybersecurity threats. This is what many legacy security services providers offer, however. At the same time, automation, AI, and machine learning are important but are far from the panacea that many security vendors will sell it as.

We find that a skilled human piloting “fly-by-wire” controls, significantly enhanced with automation, orchestration, and judicious application of intelligent statistical analysis (including, but not limited to machine learning) presents a superior approach to both extremes.

Once the building is complete, the same tech stays in place for the new tenant.

 

Can you walk us through a potential real-life problem, and solution that Cyderes and Tesseract would bring to the situation? 

Eric Foster: Let’s take the example of a major retailer who wishes to enhance its employee safety and its guest safety in the post-COVID-19 world. The goal is also to raise shareholder value through increased productivity and reduction of workplace accidents and incidents. The retailer decides to get there by leveraging Tesseract PRISM Proximity Tracking Wearable Sensors in conjunction with a smart building powered by Tesseract Prism Anchor sensors, as well as Tesseract semi-autonomous robotics such as the T.E.S.S. Multi-Mission Sensor Platform.

Now, employee and guest safety and security can be optimized through the creation of proximity alerts for workers, automated analysis of social distancing guidelines including reporting on social distancing and compliance, intelligent analysis of hot zones and chokepoints that cause productivity issues, and the ability to cross-reference individuals and their encounters over a specific period of time.

These sensors and robots generate a tremendous amount of IoT and security telemetry and alert data, which are fed into the CYDERES Cloud-Native Analytics Platform for both intelligent real-time analytics and optionally for human-led, machine-driven analysis by the skilled team of analysts working 24/7 from the CYDERES Cyber Defense Centers.

These analysts can triage alerts, respond to threats, and produce reports, including addressing safety violations, public health, public safety, and more. Instead of being overwhelmed with alerts, the client knows a team of experts is handling it in real-time, and they can instead focus on their business.

All the data and results can be visualized on-premise in the Tesseract Environment, a collaborative workspace designed to create immersive situational awareness and control over highly disparate information streams. It can also be accessed from anywhere via Tesseract’s Mosaic Extended Reality (XR) through virtual reality headsets.

All the while, Tesseract’s networks, data, intellectual property, and the significant interconnected networks of IoT devices and deployed Tesseract technologies throughout the retailer are protected by the award-winning managed detection and response offering from CYDERES, including the CYDERES Cloud-Native Analytics Platform powered by the revolutionary analytics of Google Chronicle and in partnership with the unmatched scale, availability, and performance of Google Cloud.


Six Tips for Boosting Your Insider Threat Deterrence Capabilities

At various times in any insider threat program, there inevitably will be shortcomings in governance, gaps in detection, difficulties tying data to a threat and substandard responses.

So what’s the best fail-safe when those other important program capabilities fall short? Deterrence.

Deterrence is one of the lowest-cost ways to decrease the threat that malicious and negligent insiders pose to your organization. Because it is often viewed simply as a dull or awkward communications and training function, it rarely gets a second look.

Here at the halfway point of Insider Threat Awareness Month, however, we think it’s worth challenging your insider threat program managers to give deterrence a chance.

Below are six strategies for how you can make your deterrence strategy more innovative and effective.

  1. Training isn’t the only answer. Many think deterrence just means more training. If your answer to every problem at the organization is to hold a training session, throwing another one on top of the pile is unlikely to succeed. Think about other strategies like those mentioned in the webinar link at the bottom of this post (clip 43:01 – 46:53). There’s so much more to deterrence than training.
  2. Make it a juicy story. Share stories that are relevant. Just like people rubberneck when they drive past an accident, they have a hard time not participating and engaging when there’s a compelling story on the table. Talk about cases where people were caught in acts that highlight the effectiveness of your insider threat program. This can be anything from group emails to putting up awareness posters in the restrooms to a ‘public service announcement’ at the beginning of a virtual meeting.
  3. Survey your employees about how seriously their managers take insider threats. Not many people feel strongly about an insider threat program unless they have seen positive changes because of it. And chances are that positive impact won’t happen for all your managers. But you can artificially increase that impact by acknowledging managers who score highly, or by counseling those who aren’t taking it seriously.
  4. Don’t just threaten potential insiders. Research shows that appealing to someone’s desire not to be an insider threat is almost as effective as that person knowing they are being watched. This means that messages like “losing information isn’t only costing the company millions, it’s compromising your coworkers’ life work” can be just as effective as installing a highly sophisticated (and expensive) monitoring system.
  5. Message your insider threat program. Be deliberate about the way you message the program to the organization. A short clip from the deterrence webinar below (15:23 – 17:34) talks about all aspects of a deterrence program and how you might think about messaging it.
  6. Have an offboarding process, and don’t deviate from it. Rarely do people leave a company (voluntarily or otherwise) feeling 100% positive about their experience. Offboarding is a time to communicate expectations and create physical boundaries to sever ties amicably and professionally.

Deterrence is so much more than training. And every deterrence strategy is going to look a little different depending on what your corporate culture looks like. For more information and ideas about how you can make your employees more resilient, aware and prepared for the risks posed by insider threats, check out our recent webinar on deterrence here.

#   #   #

Note: For a compelling (and juicy) story about a formerly high-flying corporate exec who becomes a malicious insider, download a free copy of our paper To Catch an IP Thief here.


Talking DevOps with Chuck Crawford, Co-Founder and Chief Strategy Officer

Over the course of the last 20 years in cybersecurity, security practitioners have had to adapt to the many challenges that have emerged as data has moved from on-premise data centers to cloud, or multi-cloud environments.

We recently sat down with Chuck Crawford, Co-Founder & Chief Strategy Officer, to talk about how modern organizations can address these evolving challenges with a DevOps culture that brings security to the table as a primary part of the CI/CD pipeline.

Chuck addresses the importance of bringing teams up to speed on the necessary people, processes, technologies, and terminologies of the various teams they work with, from development, to operations, to security, and beyond.

With the growing speed at which organizations deploy their applications and services, a proper DevOps culture is more important than ever. With security integrated in a meaningful way, you can ensure you are proactively addressing governance, compliance, and security issues, so that you can continue to quickly bring value to your customers without setbacks that may emerge if you are constantly approaching your deployments from a reactive standpoint.

Hear more from our DevOps talk with Chuck Crawford.

https://vimeo.com/452344834/73fe1c32cb


Governance and Compliance Q&A with Michelle Thacker, Director of Cyber Risk and Compliance

Governance and compliance strategies and concerns have taken on new importance this year with the mass adoption of remote work from organizations all over the world.

Throughout this monumental shift, business leaders have been doing their best to navigate the new hurdles that have presented themselves. We've heard from many customers about how difficult it has been to prioritize where their focus should be so that they stay compliant and secure in order to ensure their business moves forward.

With that in mind, we recently sat down with our Director of Cyber Risk and Compliance Michelle Thacker to ask what questions she's been hearing from clients on present compliance priorities, what companies should be planning for the remainder of 2020, GRC technologies, business continuity planning, and more. You can find the videos from this Q&A below.


Compliance Priorities for Companies

Governance and compliance in an ever-changing landscape can be tough for organizations, especially in an abnormally turbulent year. The most important thing is to ask - what are our strategic goals as an organization? Michelle talks about what these goals may look like, and what companies should focus on for the remainder of 2020.

https://vimeo.com/438622072/e0021ab00c

What's Your Risk Posture?

Showing risk posture to executives within your organization is also a pain point for many of our customers. There can be such a sprawl of information, and it's important to present information in a clear and concise manner. Michelle talks about how tools can be of great use to accomplish these goals.

https://vimeo.com/438975330/73a2b89199

Helping Clients with Governance

Curious about how Fishtech is helping current clients from a Governance standpoint? This video will be a great way to find a starting point for how we can help your governance program get up to speed using Fishtech's advisory offerings.

https://vimeo.com/440364952/73baa3a1ff

GRC Technologies

Current GRC technologies are helping customers more efficiently conduct GRC operations and may be of great assistance to your organization. Michelle speaks to a few of these technologies and what they bring to the table.

https://vimeo.com/440400344/034291a747

Business Continuity Planning

The value of business continuity planning has never been more clear than in 2020. Disaster can strike at any moment, and it is important to have a plan in place to make sure your organization can continue to operate, even in adverse situations. Michelle dives a little deeper into this critical offering.

https://vimeo.com/440099359/82d7accd58

Working with Other Fishtech Practices

One of the great benefits of Fishtech Group is our robust practice offerings and their ability to work together to create the best solutions for our customers. Michelle talks about how these various practices tie into CRC.

https://vimeo.com/440420875/97236e16fe


Ransomware in Healthcare (CYDERES Technical Blog Series)

In the first 7 months of 2020, 41 healthcare providers have reported ransomware attacks. Some organizations may opt to pay the demands of an attacker to keep the incident private, consequently avoiding potential harm to their reputation. Others may have controls in place that effectively prevent the attack or mitigate the impact of any damages. It is difficult to determine how many organizations have been targeted as well as how many have been affected by ransomware attacks. Below is a sample of industry-related, publicly acknowledged ransomware attacks:

Maryland Health Services (Lorien Health) disclosed a Netwalker ransomware attack in June. Earlier this year, CYDERES observed a new trend by ransomware operators wherein sensitive data is exfiltrated from the network prior to the data being encrypted. The data is then used as an additional point of leverage to encourage the victim to meet the attacker’s demands. Maryland Health Services experienced this as the ransomware operators were able to collect sensitive data on up to 47,754 individuals. After the attacker’s demands were not met, decryption keys and portions of the stolen data were publicly released.

Cozer-Keystone, SFI Health, and UCSF also recently disclosed similar Netwalker attacks. In the case of UCSF, the university paid attackers approximately $1.14 million (USD) to obtain the decryption key and prevent the disclosure of their data. Best practices to prevent and respond to a ransomware attack are encouraged, as paying attacker’s demands does not guarantee decryption and return of data. This may also serve as an indicator to other malicious actors that the organization is willing to capitulate to ransom demands, increasing the possibility of a future attack.

Magellan Health disclosed a second security incident earlier this year after sensitive personal data including social security numbers, usernames, and passwords were exfiltrated. This occurred after an attacker phished an employee, deceiving them into installing malware which propagated to the server housing said information. Details around the ransomware type and responsible actors are limited, and CYDERES intelligence partners have not seen mentions of the attack across the dark web services they monitor. Still, Magellan serves as an example of the importance of preparation for an attack, given a similar phishing incident from 2019.

Mat-Su Surgical, Woodlawn Dental Center, Argus Medical Management, and Indoco Remedies have also disclosed recent ransomware attacks. The degree of impact on each organization varies but illustrates the breadth and size of services within the health care industry that malicious actors target.

The Netwalker ransomware variant, aka Mailto, has been distributed by attackers exploiting the COVID-19 pandemic with COVID-19 themed email messages. The messages often contain tainted Word or Excel attachments, and users are enticed into opening the files, which executes the malware’s initial stage. Operators of Netwalker have also been known to disguise the malware as legitimate software such as Sticky Password. The payload may allow the actor to install additional malware, surveil the network, and exfiltrate data. Once the ransomware executes, it scans for and begins encrypting files on the infected device and presents the user with a demand for payment to unlock files and prevent public disclosure of data.

Several different ransomware variants exist that function similarly to Netwalker. Operators of the Maze ransomware and Sodinokibi (REvil), like Netwalker, have been observed exfiltrating data from impacted networks prior to encryption to maximize the pressure on an organization to pay to prevent public data disclosure. Some ransomware variants target specific types of devices or organizations. Snake (aka EKANS) is one such ransomware found to target industrial and manufacturing organizations, with the capability of identifying and terminating common industrial control system (ICS) related processes to deliberately impact production capabilities.

Ransomware attacks against health care providers increased by 350% in the last quarter of 2019. The evolving tactics of ransomware operators, impact of the global pandemic, increasing regulatory penalties, and low cost/effort to operate malware will likely result in this trend continuing.

Fortunately, CYDERES has laid out below several steps that can help prevent, identify, and respond to ransomware:

System backups

Device backups should occur frequently. Multiple copies of the backup should be made and stored offsite in addition to locally. Cloud backups should also be considered where appropriate. Having multiple backups stored in separate, nonconnected locations gives the ability to confidently restore lost or encrypted data in the event that local backups are compromised.

Network Segmentation

Flat networks allow an attacker or malware to easily discover and spread to nearby network assets. Sensitive or critical assets should be segmented to limit the amount of damage that can be caused by a malware/ransomware infection. A segmented network can also help prioritize deploying detection and response capabilities as the movement of data on sensitive segments can be more highly scrutinized than non-sensitive segments.

Technical controls may also be easier to implement for cordoning off access to unnecessary services within sensitive segments. A client segment for instance may require internet access where storage devices should not have a default route out to the internet.

EDR/AV

Next-generation endpoint detection and response (EDR) / antivirus agents should be deployed to any connected device where possible. Procedures should be in place to constantly review agent health and remediate noted exceptions. Signature files should be updated as soon as vendors make them available, and the currently installed versions should be part of the agent health check process.

Classic or legacy signature-based endpoint agents like anti-virus can be ineffective at protecting against ransomware and modern threats. These solutions should be phased out in favor of modern tools that leverage AI and behavioral-based detections.

Least Privilege

User and system accounts should be limited to only the permissions needed for their assigned tasks. Local admin accounts on devices should be disabled, passwords rotated, and use of these accounts permitted only after a request has been reviewed and approved. Service accounts should be set to non-interactive and their use limited to the devices necessary to carry out their purpose.

Roles should be routinely reviewed, and permissions adjusted as users transition to new positions or shift responsibilities.

Separate accounts for power users can be created with elevated privileges. These accounts should enforce more stringent password requirements and be controlled via multi-factor authentication where possible.

Training and Awareness

A user education program should regularly conduct training and awareness campaigns covering topics such as: password usage, identifying phishing emails, data classification and handling, and reporting security incidents.

24 x 7 x 365 Security Operations

Security logs should be collected with systems running detection logic against the telemetry for threats to the environment. Logs and detection events should be monitored 24 x 7 for signs of intrusion or malware execution.

Incident response plans should be on file and kept up to date. Third-party IR retainers should be in place prior to a security incident to augment response capabilities, provide expertise, and to assist in limiting the impact of a ransomware incident.

Penetration tests should be routinely run against applications, servers, and network infrastructure in search of vulnerabilities.

Network Hygiene

Maintain an inventory of server and application assets. The asset list can be used to prioritize detection and response capabilities as well as inform monitoring for and applying patches on critical systems.

A patching schedule should be maintained so that critical firmware, OS, or application patches are applied as soon as possible after the release of patches.

The SMTP gateway should be configured to enable spam and malware filtering.

Email and HTTP(S) traffic to/from the network should be filtered to only known-good external entities where possible. Uncommon TLDs such as .ru, .tv, etc., and webmail providers such as Gmail, Yahoo, etc. should be limited to approved vendors or third-party contacts. An exception process should be in place, with updates implemented based on periodic review.
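The policy above (restricted TLDs and public webmail blocked unless an approved exception exists, optionally narrowed to a known-good list) as an added, runnable policy check; this is example code, not CYDERES tooling, and the TLD set, webmail hosts and exception entries are illustrative assumptions.

```python
"""Egress policy check for outbound mail recipients and web destinations (added
example, not CYDERES code). It encodes the Network Hygiene rule: block uncommon
TLDs and public webmail unless the destination is an approved exception, and
optionally restrict everything to a known-good list. The TLD set, webmail hosts
and exception entries below are illustrative assumptions."""
from urllib.parse import urlsplit

RESTRICTED_TLDS = {"ru", "tv"}                     # the examples named in the policy text
WEBMAIL_DOMAINS = {"gmail.com", "mail.google.com", "yahoo.com"}
# Approved exceptions: whole domains (vendors) or individual addresses (contacts).
EXCEPTIONS = {"approved-vendor.ru", "contractor.name@gmail.com"}   # constructed


def destination_host(target):
    """Reduce an e-mail address or URL to its bare lower-case host name."""
    target = target.strip().lower()
    if "@" in target and "://" not in target:      # mail address, not a URL with userinfo
        return target.rsplit("@", 1)[1].rstrip(".")
    if "://" not in target:
        target = "http://" + target                # bare host names parse the same way
    return (urlsplit(target).hostname or "").rstrip(".")


def _matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(target, exceptions=EXCEPTIONS, known_good=None):
    """Return ('allow' | 'block', reason) for one URL or mail address.

    known_good, when given, is the 'only known-good external entities' mode:
    anything not on that list (and not an approved exception) is blocked."""
    target = target.strip().lower()
    host = destination_host(target)
    if not host:
        return "block", "unparseable destination"
    domain_exceptions = {e for e in exceptions if "@" not in e}
    if target in exceptions or _matches(host, domain_exceptions):
        return "allow", "approved exception"
    tld = host.rsplit(".", 1)[-1]
    if tld in RESTRICTED_TLDS:
        return "block", f"restricted TLD .{tld}"
    if _matches(host, WEBMAIL_DOMAINS):
        return "block", "public webmail"
    if known_good is not None:
        if _matches(host, known_good):
            return "allow", "known-good"
        return "block", "not on known-good list"
    return "allow", "default"
```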

User-installed applications and associated plug-ins should come from a trusted package or software management repository. Installation and execution of unsigned or internet-downloaded applications should be blocked.

Securing the organization from threats like ransomware may seem a daunting task, but the experts at CYDERES can help. If your organization needs managed detection and response across both your cloud and on-premise environment, Fishtech Cyber Defense and Response (CYDERES) can help. CYDERES offers a better, faster and scalable SOC with a managed SIEM. CYDERES solutions include:

  • Enterprise Managed Detection & Response
  • Global Security Operations Center
  • CYDERES Cloud
  • CYDERES Security Incident Response Team
  • CYDERES Red Team
  • CYDERES CNAP

Fill out the form below to get in contact with one of our CYDERES experts to find out how we can best leverage our services to secure your business.


Take Advantage of EDR Solutions with CYDERES

Every time we hear customer stories of breaches prevented, compliance achieved, costs slashed, technology optimized, or other real-world tales of digital transformation, we rejoice – it’s why we do what we do. More and more, we hear these stories come from the winning solutions presented by Fishtech’s CYDERES and Google Cloud’s Chronicle.

Often, we’re going into detail about the specifics of how CYDERES and Chronicle complement each other to bring out the best in each other’s offerings, with Chronicle’s revolutionary telemetry analysis at a mass scale, and the next generation managed detection and response from CYDERES that analyzes and reacts to the security telemetry and potential threats that Chronicle illuminates.

Next up, we’re excited to showcase how these already powerful solutions integrate with best-in-breed technology in other areas of your cyber program. Imagine a fully tech-agnostic platform that has the ability to integrate with other solutions in your current stack, seamlessly fitting into what you are already running to bring unprecedented value and protection to you and your data.

A great example of an integration that is a fantastic complement to what CYDERES and Chronicle bring to the table comes from the world of Endpoint Detection and Response, or EDR. Specifically, we’re looking at a feature from SentinelOne that allows more freedom with how you can gather and use the mass amount of telemetry generated from your endpoints making it a fantastic accessory for the ingestion capabilities of Chronicle, and the full enterprise managed detection and response from CYDERES.

For more on this, we’ll hand the reins over to John Tuckner, Director of Customer Success Engineering at CYDERES, who recently wrote about this SentinelOne feature and how it integrates with Chronicle and CYDERES. If you are interested in talking more about how you can take advantage of EDR solutions with CYDERES, fill out the form at the bottom of the page, and we can connect you with an expert to help you find the right solution for your organization.

Without further ado…

SentinelOne Deep Visibility Export

By John Tuckner

Editor’s Note: This article was originally posted on John Tuckner’s blog which you can find here.

The EDR market has proven itself to be incredibly valuable over the past 5–6 years. I think many security practitioners would agree there is no larger return on investment than buying an EDR. It has even become such a large and wide market that 1. marketing has taken the entire segment over and 2. the vendors have started really competing against each other for dominance from a features perspective (both probably very related). One feature I key in on is the ability to make your endpoint telemetry (the data you own!) accessible outside of the vendor provided platforms.

The most intriguing aspect to me in the EDR realm is the telemetry that all EDR platforms are able to capture. From CrowdStrike to Sysmon, there are varying levels of effort to capture and stipulations tied to each in order to gather that telemetry. One new and incredibly promising vendor that makes telemetry available now is SentinelOne! I can’t get enough of the progress they are making in this space with their expanded “Deep Visibility” features turning the corner from a traditional EPP platform into a telemetry rockstar. It is a solution that can help provide the data needed for detection from nearly anywhere at the speed at which attacks occur.

With the Deep Visibility feature set enabled in your instance, SentinelOne will provide a Kafka instance and give customers (+ MSSPs) access to that instance to process that data.

https://support.sentinelone.com/hc/en-us/articles/360026565994-Subscribing-to-Your-Events-Using-the-Deep-Visibility-Exporter-Hermes-

I could go on for days about the value of message queues for security data, but this is really a great way to provide data for use. Looking through SentinelOne’s community boards, it had been a common ask for their Deep Visibility data to be accessible for SIEM use and now we’re there!

Currently, the Deep Visibility data provided in the Kafka stream falls into these categories:

  • Process Creation
  • Process Termination
  • Process Exit
  • File Creation
  • File Modification
  • File Deletion
  • File Rename
  • DNS
  • TCPv4 Connection
  • TCPv4 Listen
  • Persistency
  • HTTP Request
  • Login
  • Logout
  • Registry Key Creation
  • Registry Key Rename
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Security Changed
  • Registry Value Creation
  • Registry Value Modified
  • Registry Value Delete
  • Registry Key Import
  • Scheduled Task Register
  • Scheduled Task Update
  • Scheduled Task Delete
  • Scheduled Task Start
  • Scheduled Task Trigger

I am a power user of Google Cloud’s Chronicle platform and there is no better platform right now to process the huge amounts of data that endpoints generate from that list. For this ‘small’ deployment I’ll be working with, we’re at 18GB of unmetered ingestion a week.

The blog post goes deeper into specific use cases. If you’d like to read the rest of the post and the more technical examples, follow this link.

To summarize, giving customers visibility into all their security telemetry is incredibly important, and we appreciate SentinelOne as well as others who are giving this much-needed attention inside their solutions.

And what’s the best way to procure the necessary high-volume and long-access storage at a price point decoupled from volume or usage? Not only that, but a solution that combines the search speed of Google with the robust reporting and response capabilities of CYDERES?

CYDERES CNAP.

Learn how we can “CNAP on” this solution to modernize your existing SIEM/SOC, or start an all-new one with a CNAP. Learn more about CYDERES CNAP here, or fill out the form below and let’s start a discussion.