The document summarizes the current state of IT security based on a presentation given at an annual security conference. It discusses the typical stages of a cyber attack including phishing, ransomware, and lateral movement with fileless malware. Examples are provided of detection delays for major data breaches. Recommendations are made for improving security posture such as applying patches quickly, segmenting networks, restricting admin rights, and disabling unneeded protocols. Best practices discussed include having dedicated breach response teams, limiting IoT devices, using security automation, and vetting managed service providers. The use of SPF, DKIM, and DMARC protocols for email authentication is also recommended.
Fears and fulfillment with IT security
2. Agenda
• Current state of IT security
• Typical multi-stage cyber infection chain:
  • Phishing probe
  • Ransomware and data theft
  • Lateral movement with fileless malware
• Recommendations for improving your security posture
6. Four stages of a typical breach
Compromise → Exfiltration → Discovery → Containment
7. A sample of breach detection delays
• Yahoo (3B accounts, 2013): many years to detect and notify
• Marriott (383M guests, 2014-18): 4 years to detect, 2 mo. to notify
• Advent Health (42k customers, 2017-18): 16 months to detect, 18 months to notify
• Uber (57M customers, 2016): 1 year to detect and notify
• eBay (145M users, 2014): 7 months to detect and notify
• Heartland Payments (134M accounts, 2008): 9 months to detect
10. Let’s look at the telltale signs of a typical phishing attack
12. Phishing prevention suggestions
• Examine the tone and phrasing of the email
• Have shared authority on money transfers
• Understand the underlying social engineering ploy
• Don’t get sucked in with a phony sense of urgency
• Trust but verify -- phone calls can be spoofed
16. Don’t become Georgia!
• City of Atlanta
• State Department of Public Safety
• State and local court systems
• City hospitals
• County governments
• Small city police departments
19. The wrong things to focus on
• Did the victim pay up?
• What did it cost to restore data?
• What data was deleted or lost?
• How long were things out of commission?
20. Six bad IT decisions exposed by ransomware
• Sloppy infosec makes it hard to find root cause
• Inconsistent IT infrastructure ownership
• Delayed patching and updates
• Poor disaster and backup procedures
• Lousy staff comms and poor disruption planning
• Mismatched asset value and protection policies
21. Three general types of attacks:
• Return-object programming
• Scripting-based
• Polymorphic
22.
23. Sample fileless malware campaigns
• Target 2014 breach (flat network)
• DNC 2016 hack (PowerShell and WMI entry)
• August Stealer 2016 (Word macros and PowerShell)
• 3ve group November 2018 (ad click fraud)
• Netwire phishing campaign February 2019 (VBScript, Google Drive)
• Astaroth campaign July 2019 (PowerShell)
• Poison Ivy 2018 (Word macro, shown next slide)
27. Here are four practical tips to help protect your network
• Apply patches quickly across all systems
• Segment your network carefully
• Restrict admin rights severely
• Disable un-needed Windows apps and protocols (SMBv1!)
28. Best practices for better security
1. Have dedicated and trained breach response teams
2. Limit and segment IoT devices on your network
3. Use security automation tools whenever possible
4. Find breaches and contain them quickly
5. Vet your MSP security procedures
29. Use these three email authentication protocols: SPF, DKIM, DMARC
Some sobering stats from the Verizon 2019 report: phishing and email were the most common entry points for attackers.
Compromises happen in minutes, discoveries in months.
One report found that the average number of days between breach discovery and reporting has gone back up, from 38 days in Q1 2018 to 54 days in Q1 2019. However, this average obscures one important fact: breaches reported by external sources (such as researchers or law enforcement) were found faster (43 days) than those found internally (74 days). (Risk Based Security Q1 2019 report)
A Ponemon study in 2018 found it took US companies an average of 200 days to detect a breach.
https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Then add in this CEO impersonation attack, asking for an invoice to be paid to a new bank account.
Sense of urgency, using fear tactics, brand imitation with a fake email address, impersonal “dear user”
More urgency with “required immediately” language and malicious link in the rollover URL
More scare tactics: “deactivation”
Impersonal signature
Old copyright date and odd location in KY
An attached ZIP file is icing on the cake
From https://www.varonis.com/blog/spot-phishing-scam/
Now add in criminal spoofing services such as this one to create more confusion
Use security awareness training regularly, not just once
The city of Baltimore has become everyone’s favorite ransomware poster child. The city IT infrastructure experienced a series of ransom attacks over the past 15 months. The first two occurred in March and April of 2018; the others began almost a year later. The city refused to pay, despite repeated attacks of both SamSam and RobbinHood strains.
All of these government entities were hacked in the past year. The note is from an office in Baltimore city hall.
The ransomware attack that hit more than 20 different city government agencies in Texas in August came through a vulnerability in remote desktop services used by an MSP running a managed endpoint protection agent.
This story in Pro Publica talks about how MSPs are becoming richer targets because hackers can hit multiple entities at once, such as what happened in Texas and elsewhere. Instead of targeting local government agencies, hackers are looking for vulnerabilities in the software supply chain, including managed email and backup services, ERP and accounting systems. This enables them to hit multiple targets with one exploit. MSPs are profitable because these agencies are more motivated to pay the ransoms to get back online and continue to serve their constituents. This article in ProPublica has a screencast video that shows how a hacker can disable AV and install the ransomware using a remote desktop program.
https://www.propublica.org/article/the-new-target-that-enables-ransomware-hackers-to-paralyze-dozens-of-towns-and-businesses-at-once
Let’s move to the third stage of a typical attack, fileless malware. Its goal is to leave behind no evidence that defenders can find. There are three general methods.
ROP is the classic attack method and typically executes a DLL that can compromise a target PC. It could include code from your web browser or a desktop app routine that the malware piggybacks on to run.
Scripting attacks use built-in tools from MS Office, PowerShell or the HTML Application Host and hook into particular processes to run. If your detection routines don’t understand the details of script execution, they can easily miss these cues. These attacks are on the rise because a modern endpoint includes so many scripting engines.
Then there is polymorphic malware, which adapts to changing conditions and tries to evade your scanners and endpoint prevention tools. It can shift signatures and methods, and check whether it is running inside a VM, for example.
“Live off the land”: leverage existing Windows OS tools, typically PowerShell, but there are increasingly other pieces of code that fileless malware can leverage. Back in the early days of the Internet, most blocking routines looked for certain signatures, either the name of one of the running programs on your computer or specific patterns of behavior across your network. These worked until the malware authors got better at hiding their signature moves.
Poison Ivy infects PCs by creating a remote-access connection to log keystrokes and capture screens and videos from the PC.
It also tried to evade detection by Microsoft’s AppLocker protection system by inserting a reference to itself in AppLocker’s whitelisted applications using a series of Windows programs and scripts. It also created a series of decoy documents to make its operations seem benign to the infected user. As you can see, this software is very complex, with several different stages and methods to find its way into a user’s PC.
Because fileless attacks mimic legit Windows processes and executables, you have to get better at figuring out what these hijacked processes are actually doing. Something like this tool can help visualize the logic flows and point out when the malware is doing something odd.
Another technique is to use a tool such as AltFS, which can detonate a piece of malware in safety and show what happens in both Windows and Mac environments, to see where a piece of malware is hiding its artifacts.
https://github.com/SafeBreach-Labs/AltFS
So let’s look at a few practical suggestions on how to improve your cyber security.
Make sure your patches are deployed for remote users too: one of the city-based ransomware attacks this year happened because of an employee who missed one of the updates because he was on the road and clicked on a phishing link.
Sender Policy Framework (SPF) hardens your DNS servers and restricts who can send emails from your domain.
DomainKeys Identified Mail (DKIM) ensures that the content of your emails remains trusted and hasn’t been tampered with or compromised.
Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies.
https://www.csoonline.com/article/3254234/mastering-email-security-with-dmarc-spf-and-dkim.html?nsdr=true
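An added example, not from the presentation: a small Python audit of the SPF and DMARC DNS records described above, run against constructed sample records (example domains) instead of live DNS lookups. DKIM is left out because verifying it needs a signed message, not just a DNS record.

```python
# Constructed sample records (example domains): one weak pair, one hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def audit_spf(record):
    """Findings for an SPF TXT record; an empty list means no weak settings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The last 'all' decides unlisted senders: '-all' fails, '~all' softfails,
    # and '?all' or '+all' let anyone send mail as your domain.
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{alls[-1]}' permits any sender")
        elif qualifier == "~":
            findings.append("'~all' only softfails unauthorized senders")
    return findings


def parse_dmarc(record):
    """'v=DMARC1; p=reject; ...' -> dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Findings for a DMARC TXT record; an empty list means no weak settings."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":  # none = monitor only, quarantine = spam folder
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy is weaker than reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100 leaves some spoofed mail unfiltered")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not arrive")
    return findings
```

Run the audit on the TXT records you fetch for your own domain and for `_dmarc.<domain>`; an empty findings list for both is the target before switching DMARC from monitoring to reject.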