Security at Your Service

For the fourth entry in the CYDERES Technical Blog Series, we’re going to be talking about what businesses and executives should know about their digital footprint and OSINT. Open Source Intelligence (OSINT) is the practice of using publicly available resources to gather information (i.e., intelligence) about persons or entities.  The information gathered ranges from the relatively harmless, such as information from social media accounts, to more severe data like critical vulnerabilities on public-facing servers, and even login credentials.

This information gathering can take many forms and utilize multiple resources, but the most common method is the use of publicly available information from the internet.  Mind you, performing OSINT is perfectly legal.  It’s what is done with the data after it has been collected that determines if any laws have been broken, among other factors, i.e., your country’s laws, etc.

The reasons behind performing OSINT vary as much as the methodologies behind it. Still, one of the more common methods is reconnaissance for monetary gain through nefarious means.  For example, an adversary can impersonate an employee or business partner requesting the transfer of funds to a specific account perpetrating a business email compromise (BEC) attack.  They can also gain (unauthorized) access to a business’s computer network (cloud or on-premises) to steal proprietary or intellectual data, employee PII, credit card/banking information, or even employee credentials.  All of this data can be sold in underground markets for monetary gain.

Before an adversary can do this, they must perform reconnaissance utilizing OSINT resources found on the internet to get an understanding of their target – your company.  And there’s no shortage of OSINT tools available on the internet; try Googling “OSINT tools” and look at the number of results.  The OSINT Framework provides several tools that can be used by anyone to gather information on an individual or company.

Google itself is probably the first OSINT tool that an adversary may use to gather intelligence about your organization.  Try Googling your company and see how many hits return.  Aside from your company’s web site, there may be results from LinkedIn, Twitter, Facebook; etc., etc.  From there, it just becomes easier for the adversary to begin profiling your business, the employees, and other potential avenues that can be exploited to gain access to your network.

One vector of attack that adversaries employ is spear-phishing, and this targets specific employees within an organization.  Using the search functions on LinkedIn, adversaries can quickly identify a particular company’s employees by searching for job titles like ‘Accountant’, ‘Payroll Specialist’, ‘HR Representative’ or ‘System Administrator’.

In the example below, an adversary can search for “Fishtech Group” on LinkedIn and then scroll through the employees until individuals with the job title of interest, such as ‘Accountant’ are found.

From there, adversaries can use tools within the OSINT Framework, which includes resources that can either provide specific email addresses for employees or provide typical naming conventions for given businesses.

The information below is found using mailshunt.com via the OSINT Framework web site.  Simply typing in ‘fishtech.group’ returns several hits, including an employee’s email address. Now the adversary has names of individuals that can be targeted in the Accounting Department, along with the email format for those employees.

Along with additional information collected from social media sites, company web sites and the like, it’s not hard for an adversary to craft a realistic email impersonating an authority figure in the organization (or a business partner) and request fund transfers or other forms of payment from the targeted employee(s).

In 2019, the FBI recorded 23,755 instances of business email compromises that resulted in more than $1.7 billion in losses to targeted businesses.

Another common technique is looking for leaked credentials.  It’s not uncommon for individuals to use the same passwords for both their business and personal accounts, and an adversary will use OSINT to collect leaked credentials associated with an organization, or from the social media accounts of its employees as a potential avenue for compromise.

If the intellectual property or other sensitive information of a business is stored in a cloud service like Concur, Paylocity, Atlassian, etc., it’s not difficult for an opportunistic adversary to identify individuals with access to those sites via social media and use their leaked credentials to gain access to the company’s data.

These are simple examples of how adversaries use OSINT techniques to perform reconnaissance and enumerate your business’s digital footprint.  Other potential data sources could include internet-facing servers or applications that have system information posted on sites such as SHODAN, poorly managed cloud assets/applications hosting sensitive data and even a company’s web site “About Us” page could contain useful information for an adversary!

We live in an age where the internet has become ubiquitous and information is just a mouse-click away. Companies are quick to take advantage of this and develop their brand, but in doing so, can expose themselves to opportunistic hackers unwittingly by sharing too much information. The same can be said about a company’s employees. We are all too willing to showcase our skills by posting job titles and responsibilities on sites like LinkedIn to get the attention of future employers.

Sometimes information sharing is necessary; however, companies and their employees should try to limit what is being shared and consider how their digital footprint may empower malicious actors.  The good news is that these tools are available to you as well and should be used to profile your company’s exposure for potential threats. Having a process in place to periodically review your company’s online presence can also help to identify sensitive data leaks, risks to brand reputation, and adversary targeting of executives. Whether your organization chooses to perform the research, or employs third-party services, understanding your threat surface is key to protecting your company’s assets.

At CYDERES, we can help you understand your threat surfaces, and secure your business. We will continue to post these technical blog posts on the third Thursday of every month to continue to increase your knowledge on the threats facing your business today, but if you’re ready to talk to us more in depth about the specifics of securing your own business, fill out the form below, and we will put you in contact with one of our experts. Stay tuned for our next article in July!

As the global business landscape continues to shift, organizations are learning what it takes to secure and scale a remote workforce efficiently. As this “new normal” emerges, a robust identity program must align with an organization’s compliance objectives and combine to form a robust solution set that enables business growth.

In order to address the related financial, legal, operational, and reputational risks, Identity Governance combines a prescriptive blueprint for effectively identifying and converging the foundational pillars of IAM with a right-sized and resilient GRC solution/program. Importantly, this also incorporates a Zero Trust Model of relevant security and technical controls.

As a result, organizations are able to prioritize, manage, and mitigate cyber risks that align with their business goals and objectives.

In part three of our ongoing webcast series Why Identity Governance Really Matters Fishtech Group experts flesh out the ideas covered in the first two webcasts and show practical and relevant examples on how Identity Governance can help you protect your business with modern strategies.

Missed Part 1? Catch the full replay on demand.

As organizations across the world have adapted to large-scale remote workforces, our teams continue to work hard to virtually help our clients minimize risk, maximize efficiency, and maintain compliance. As we do, we’ve made it our aim to grow the amount of education and demonstration about these real-world solutions via our live webcasts.

To make it easier to parse through each webcast to find the discussions that provide the most value to you, we’ve put together a few highlight clips from the four most recent webcasts to help you get a feel for the discussions and subject matter. We will provide links to each webcast under each clip, or you can visit the full page of all of our recent webcasts here.

Enable Your Business to Move Faster & More Securely with Governance As Code

Whether you are in development, operations, or security, DevOps is no doubt on your radar. As enterprises increasingly leverage the cloud to host business applications as part of their digital transformation, security and development teams need to transform how they work together.

In this moderated webinar panel discussion, hear from cybersecurity experts as they address best practices to bridge the gap between InfoSec and DevOps and the principles of security being part of the DevOps evolution. In addition, this webinar will address the following questions:

• How do you ensure compliance controls into your cloud native infrastructure?
• How do I ensure my developers can move quickly while remaining compliant and secure?
• How do you bring all the right technologies together successfully as you go down the automation journey?
• What are the best practices around Governance as Code to spin up resources and configure and manage them on day one, day two, and beyond?

Back to the Office: Solutions for the New Risk Landscape

After an incredibly quick shift to support remote workforces on a massive scale, businesses are now beginning plans to allow their teams back into corporate offices.

As this planning occurs, it is vital to understand what reactionary changes had to be made to accommodate the business needs of remote workers. Fresh strategies and opportunities MUST be identified in order to improve security, governance, and architecture.

This webinar sponsored by Fishtech Group, CyberArk, Ping, and SailPoint focuses on the potential risks that were allowed to accommodate remote workers, how to identify improvement opportunities, and how to apply those solutions from a Strategy, Governance, and Architecture perspective.

Link to full webcast here.

Insider Threat Mitigation: How to Identify, Prioritize and Protect Critical Assets

One of the most overlooked aspects of effective insider threat mitigation is the identification of an organization’s critical assets, which can include intellectual property, people, facilities, systems, customer data, and more.

This webinar will explain why and how to identify the critical assets in your company. We will present a step by step approach to identifying and validating critical assets, identifying and assessing the threats to those assets, evaluating risk appetite and tolerance, and prioritizing the most critical assets.

Participants in the webinar will learn:

• The importance of defining critical assets
• An approach to identify critical assets
• An approach to identify threats to critical assets
• The impact of critical assets on deterrence and protection activities
• The impact of critical assets on detection activities

This approach will help you establish a consistent and recurring process to protect your company’s critical assets against insider attacks.

Link to full webcast here.

Demand More From Your Cloud PAM

Attend this webinar to learn how Cloud PAM differs drastically from a traditional on-premise solution.  Saviynt and Fishtech will discuss client use cases and why a PAM solution needs to be cloud-architected and cloud-delivered to reduce risk, contain cost, and secure identities for applications, data, and infrastructure.

In addition, join us to discuss the following topics:

• How the risk of privileges in the cloud differs from traditional PAM and how to manage the velocity and scale of those changes
• How gaps in legacy PAM solution fail to accommodate the volume of change in the cloud
• How a single solution can meet PAM needs for both IaaS and SaaS
• How to meet the challenges of a multi-cloud ecosystem
• How to secure next-generation cloud workloads including instances/containers, cloud databases, serverless functions and APIs.
• Governing privileged access in your Hybrid Enterprise

Link to full webcast here.

Paying lip service to business continuity planning when times are calm and uneventful is one thing – who’s going to call you on that? It’s a completely different thing when there is a global pandemic that’s providing a true test across the board for organizations’ business continuity plans around the globe.

The impact may feel slightly lessened now that we have been in middle of the COVID-19 pandemic for the last few months, but to drive home the obvious, this was a truly unexpected event that shook many businesses to the core. “But, how could we have planned for a global pandemic?” That is a valid question. Ask anyone a year ago about what the greatest challenges to their business would be in 2020, and very few (if any) would mention anything even slightly resembling the word “coronavirus”.

The more apt question to consider is “how can we plan for future disruptions to our business?” To answer it, let’s start with a question of our own – when was the last time your senior leadership conducted a run through of various scenarios to strengthen the readiness of your corporate assets? Maybe it was pre-COVID-19. If so, that likely had a direct effect on how your organization has adapted to this crisis.

Making Your Business Continuity Plan Work for Your Business

At any time, unforeseen circumstances beyond a company’s control can influence the operational status of a business. To wait until these circumstances are knocking at your door is to throw caution to the wind, at potentially great costs to your organization and employees. The most successful businesses have a series of plans and strategies ready for any challenges that may come their way.

To start, key stakeholders should regularly monitor incidents that may cause a business disruption and/or have a serious impact to operations. It does no good to take a “set it and forget it” approach. The crucial word to look at for business that are ready pre- and post-disruption is “adaptability”. If you put a plan in place that does not adapt to your environment, or to changes in your organization, you will not be adequately prepared to weather the huge challenges that can occur at the drop of a hat.

A business continuity program should ensure Business Continuity Plans are applicable to relevant, realistic risks, and threats to their critical operations. This means adapting more of a playbook mentality, rather than a rigid series of step-by-step protocols. Several companies we have worked with already have business continuity plans in place, but they are oftentimes untested or ill-suited for evolving conditions and potential threats.

Business Continuity management should include strategies and playbooks around:

• Comprehension of basic Business Continuity principles and methods
• Ensuring consistency in business impact analysis to identify critical business functions
• Understanding of the correlation between operations, business continuity, IT disaster recovery, and emergency planning
• Ensuring that the Business Continuity Plan reflects the current hazard risk analysis, mitigation processes, business impact analysis, response management, and recovery strategies
• Encouraging coordination between all company staff while implementing a Business Continuity Plan
• Identifying and initiating appropriate, cost-effective strategies and procedures to recover critical business functions and information assets
• Formally assigning Business Continuity responsibilities to appropriate leadership and ensuring each receives proper training to implement the Business Continuity Plan
• Ensuring that necessary contractual agreements exist for recovery of critical business functions and information resources
• Reviewing, updating, and communicating Business Continuity content changes
• Continually improving the Business Continuity Plan as required
• Testing Business Continuity plans at least annually.
• Conducting Tabletop exercises with senior leadership, so that your business knows what to do in the event of a national, global, or disrupting event.

A list of that caliber can seem daunting, but so are the emergencies they are in place to mitigate. If the strategies above are taken correctly, you can move forward confidently with your organization knowing that you have a plan in place for the next “COVID-19” caliber surprise.

Even a cursory look at the impact this crisis has had on the global business landscape reveals the shocking truth – some organizations have adapted well, and others have failed spectacularly. There are so many examples to show the power of a solid Business Continuity Plan, or lack thereof. It truly is a global case study with a single event as the control. The value of Business Continuity Planning, especially during the digital era, has never been more apparent.

Many organizations rely on us to help them navigate these troubled waters into secure digital transformation. If you are looking for a seasoned guide, let our experts at Fishtech Group help you begin the next steps toward a robust Business Continuity Plan with a number of exercises and actionable steps to help lead your organization to a more secure future. As your team continues to discuss this critical issue, fill out the form below and let us know how we can help.

Executive Summary

“Flattening the curve” refers to efforts to implement community isolation and personal hygiene measures that help keep COVID-19 cases at a manageable level for medical practitioners. In the digital world, you can flatten the curve of COVID-19 phishing incidents by staying vigilant and practicing good email security hygiene. Attackers have adapted to this pandemic by using COVID-19 lures to deliver malware and direct victims to phishing sites, taking advantage of the current global situation and how humans react during stressful times.

The purpose of this blog is to keep you informed on the current phishing emails being delivered to your inbox. Staying updated on trends in the usage of COVID-19 and other lure themes will help your organization stay protected.

COVID-19 Phishing and Malware distribution

Attackers have long taken advantage of public anxiety surrounding global and regional crises and the current pandemic is no exception. During the 1^st quarter of 2020, we have observed a significant number of phishing emails leveraging COVID-19 themes. These emails have included attachments or URLs commonly leading to phishing sites or malware such as Lokibot, NanoCore, and other Remote Administration Tools (RATs). Some recently observed email subjects include the following:

• You missed a call Corona Update
• CDC HEALTH emergency coronavirus COVID-19 Pandemic
• COVID Report
• COVID-19 Payroll Adjustment
• Security Update Stimulus Check Failed

Conducting analysis on an example phishing email resulted in some interesting findings. The following screenshot shows the email subject and attachment but no content. The “From:” section shows “+1917-3757-6473 Notice@nhaschools.com”. “Nhaschools[.]com” is the site for a US National Heritage Academy charter school. At first glance a victim with children attending this school might open the attachment if they see the school’s name and the phrase “Corona update” on the subject line. Other victims might open the attachment to read any information related to the current pandemic.

Looking at the headers, specifically the sender “IP” and “Return path”, we see the following information:

Sender IP: 52.231.152.110

Return-Path: r-nishikawa@ecru-color.com

“You missed a call Corona Update” Email headers

The sender IP can be traced back to South Korea and ecru-color.com appears to be a Japanese styling salon school.

Sender IP Geo Location

Domain from the Return path address

Returning to the email and opening the attachment in a virtual machine, shows the attachment opening a .html document from the email which pretends to be an online web page. These types of phishing emails play a vague voicemail message before the victim is redirected to a phishing page. Performing a right click and selecting view source, shows us the script being used.

Performing a quick google search shows it’s been scanned by the site urlscan.io, 10 times. As we can see, it is an Outlook Web App phishing page which was still active at the time of this writing.

Attackers leverage free, compromised, and dedicated infrastructure to host COVID-19-themed phishing content.

Some examples of recently observed URLs include the following:

• hXXps://cnncoronavirus[.]000webhostapp[.]com/
• hXXps://c0vid19-aid-ca[.]org/
• hXXps://cecollc[.]com/infrastructure/covid/FBG/
• hXXp://coronana[.]000webhostapp[.]com/
• hXXp://gift-covid19[.]000webhostapp[.]com/

How you can stay safe:

While email spam using COVID-19 themes are a relatively new and increasingly prevalent phenomenon, these lures ultimately leverage common social engineering tactics capitalizing on sentiments of fear, anxiety, and curiosity. Once this theme runs its course and dwindles in popularity, it will undoubtedly be replaced by a mix of themes related to current events and common phishing themes like financial transaction, parcel delivery, and file sharing. The positive news is that users can protect themselves from these tactics by improving their awareness and practicing basic security hygiene.

Technology can help to protect users from many of the attacks that attempt to reach inboxes; however, education is the best defense against the phishing attacks that inevitably make it past these defenses. Staying up to date on phishing lure themes that are currently being used and learning how to spot a phishing email will help you flatten the curve.

When reading your emails, ask yourself the following questions:

• Does this email contain a personalized greeting?

If not, it’s likely unsolicited and may be a phishing email, so proceed with caution.

• Is this email attempting to instill fear or a sense of urgency to convince me to act?

If yes, it may a phishing email, so proceed with caution.

• Are there basic grammatical or spelling errors in this email?

If yes, it may a phishing email, so proceed with caution.

• When hovering over links, do I see any signs that they may be malicious?

If you cannot identify the link as a trusted resource, it may be a phishing email, so proceed with caution.

• Do I recognize the sender and was I expecting an email from them?

If not, it may be a phishing email, so proceed with caution.

• Are any brand names being used in the email?

Attackers often use logos to create convincing phishing email, so proceed with caution.

We can help your organization flatten the curve

What is better than technology and education? A combination of human-led and machine-driven security as a service. CYDERES’ 24/7 security as a service gives you the people, process, and technology to help organizations manage cybersecurity risks, detect threats, and respond to security incidents in real time. Take a look below at some of the benefits of having a team of security professionals detecting and mitigating your organization’s threats.  For more information, visit our site and download the full services factsheet at: https://fishtech.group/solutions/security/

• Managed 24x7x365 Security Operations Center (Tiers 1-4)
• Threat detection and triage for all technologies
• Security incident response
• Proactive threat hunting
• Build playbooks (phishing, malware, lateral movement)
• Endpoint detection & response management
• Sole EMDR 100% powered by Chronicle Backstory
• Backstory forwarder 24×7 management and monitoring
• Custom Backstory integrations/parsers

As the global business landscape continues to shift, organizations are learning what it takes to secure and scale a remote workforce efficiently. As this “new normal” emerges, a robust identity program must align with an organization’s compliance objectives and combine to form a robust solution set that enables business growth.

In order to address the related financial, legal, operational, and reputational risks, Identity Governance combines a prescriptive blueprint for effectively identifying and converging the foundational pillars of IAM with a right-sized and resilient GRC solution/program. Importantly, this also incorporates a Zero Trust Model of relevant security and technical controls.

As a result, organizations are able to prioritize, manage, and mitigate cyber risks that align with their business goals and objectives.

In part two of our ongoing webcast series Why Identity Governance Really Matters Fishtech Group experts describe best practices and winning solutions that we are architecting for customers every day.

Missed Part 1? Catch the full replay on demand.

We have been writing multiple blog posts in the last few weeks that have had references to disruptions that have been caused by shifts in the workforce due to COVID-19. Many organizations were so caught off guard by the immense changes that were sprung upon them at such a rapid pace that they didn’t have time to prepare for a largely “work from home” world.

There are many lessons to be learned from what has occurred during this period of disruption, but there is also still a lot to plan for in the coming weeks, including data management strategies.

Data management strategies have become even more important with the expansion of the “work from home” workforce. This is becoming all the more relevant as we prepare staff to return to work inside an office environment – it is critical to understand what has been deployed, to whom, and how.

Many organizations are facing challenges around SaaS applications, especially around visibility and security into new collaboration tools currently in use. The often-reactive measures many organizations have utilized to deploy these remote access solutions has put priceless data at risk.

In today’s post we’re going to be talking about common challenges for data protection with the current remote workforce, and then take a deeper dive on data loss protection strategies so that you can be prepared for the coming weeks and months as the global workforce continues to make huge shifts in operation.

Identity and Access Management

A solid Identity and Access Management program must be a primary tenet of securing a mobile workforce. With a solid Identity and Access Management program in place, you can build upon this firm foundation to evolve to deeper levels of secure remote access to greatly reduce the risk of unauthorized users accessing your organization’s data.

An important step is to achieve a multi-factor authentication approach to move past passwords as your users’ primary authentication tools. This is especially important at a time where users are becoming more mobile and may be using more devices than ever as they work from home, and gradually migrate back to the office.

There are a variety of ways to of achieving multi-factor authentication (MFA), but a huge challenge is implementing MFA at scale throughout the organization. There are great physical devices like security tokens, but they can be difficult to deploy while everyone is apart.

There are other technology solutions that can transform devices like employees’ smartphones into authentication tools so that each user can quickly be onboarded into a MFA program. It is imperative to have a guided and strategic approach so your organization can move quickly, while staying secure by adding an extra layer of protection to your data.

Securing Cloud Applications

Many companies have been using cloud applications for communication and collaboration to help keep their productivity up during this extensive period of work from home. While these tools have been vital, over the last couple months, cloud applications have continued to present potential security risks by way of compliance violations, identity theft, malware infections, and data breaches. Understanding how to address these risks is crucial in today’s changing environment.

There are a number of solutions that can help secure your organization so that your users can continue to safely use cloud applications to keep up productivity and efficiency of work while they are working remotely. One such solution is the implementation of a Cloud Access Security Broker or CASB.

This is a cloud-based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies. A CASB can offer a variety of services such as monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware.

We have also talked in a previous blog post about the implementation of Governance as Code to ensure that organizations avoid any potential compliance violations, especially when their workforce becomes increasingly decentralized.

Governance as Code moves your governance, including implementing best security practices, adhering to compliance requirements and standards, and allocating business resources, away from a manual, human-based approach to a more consistent, efficient, and highly repeatable code-based approach.

We Can Help You Navigate This New Normal

We have only scratched the surface of the challenges that have presented themselves to organizations around the world due to the massive migration to remote work over the last couple of months. Fortunately, we have also only scratched the surface of potential solutions to these challenges as well. Though these potential problems aren’t over just yet, we can absolutely help bring stability to this period of uncertainty.

How can Fishtech help?

We recently had a detailed discussion on a webcast that focused specifically on the challenges and solutions around data protection strategies, which you can check out here. This can help give a broader insight on areas you may need to focus on in the coming weeks and months in this state of constant change. Furthermore, we are ready to help give you consultation on your current security posture with our listen-first advisors, and provide guidance on the best way forward with solution-focused technology.

If you are ready to talk about data protection strategies for your organization, fill out the form below, and we will connect you with one of our experts.

Fishtech Group has long been a proponent of securing your business as a data-driven cybersecurity services provider for any computing platform. Over the last four years we have been helping businesses minimize risk, maintain compliance, and increase efficiency in this new, modern cloud-based digital ecosystem.

In the midst of the current COVID-19 crisis, securing the cloud has taken on a new level of importance as a huge portion of the global workforce has moved to working from home. This has created new challenges in cybersecurity, and we want to help organizations meet them head on. So, with this huge change in modern business operations as a backdrop, let us reintroduce ourselves.

Below is a video replay of a recent webcast we did with the International Association of Plastics Distribution (IAPD) talking about how to navigate cybersecurity challenges and secure your business, largely in context of the current COVID-19 crisis. Co-Founders Chuck Crawford (CCO) and Dan Thormodsgaard (CTO) along with Kerry Kilker (EVP/CISO/COO) talk about many foundational aspects of Fishtech Group, and how we are navigating this new normal and steps businesses should be taking to secure themselves in this time of uncertainty. Give it a watch, and if you have any questions of the information you heard in the video, or anything else you may want to know to help secure your business, fill out the form below, and we will connect you with one of our cybersecurity professionals. We hope you are staying safe and healthy.