Cyber Threat Analysis for 19 Aug 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

‘Shadow Brokers’ Claim to be Selling NSA Malware, in What Could Be Historic Hack

A mysterious online group calling itself “The Shadow Brokers” is claiming to have penetrated the National Security Agency, stolen some of its malware, and is auctioning off the files to the highest bidder. The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. (Foreign Policy)

People seem to be forgetting that, NSA connection or not (and it is speculation), if the code stands up to scrutiny a trove of high-level offensive capabilities has been released into the wild. These are not capabilities aimed at random apps; they target the routers and firewalls that, if attacked, could cause serious disruption across every sector. Not everyone who gains access will be able to make use of these tools, and the intended targets may be hardening as we speak, but let’s be clear: in the name of ‘transparency’ someone has unleashed a whole lot of danger.

Lack of awareness despite an increase in staff-related security incidents

The infographic reveals that the proportion of security incidents in 2015 that were related to staff was up from 58% to 75% for large organisations, and from 22% to 31% for small businesses. Moreover, 36% of adults within the UK do not know what phishing is, and 76% don’t know what ransomware is. Alan Calder, founder and chief executive officer of IT Governance, said: “These stats show that, despite the increase in phishing attacks, employees are still not aware of what phishing is, and consequently do not know how to avoid an attack.” (Cambridge Network)

That there is a difference between what practitioners know and what everyone else knows should come as no surprise. I understand that water takes on the form of its vessel, but that doesn’t qualify me as a plumber. Does training improve employee awareness and consequently reduce security incidents? That debate has yet to finish. The more seamlessly you can incorporate sound security practices into the day-to-day operations of your enterprise, with compliance tied to the rewards system, the less likely your employees are to fall victim to stupid hacker tricks. Security cannot be a ‘special’ or ‘extra’ thing or it will quickly fall away while people focus on ‘getting real work done.’

Study reveals effectiveness of low-tech hacking

The 2016 Global Visual Hacking Experiment has revealed that low-tech hacking methods involving little or no technology are alarmingly effective. Sensitive information was successfully compromised 91% of the time. In the experiment, a white hat hacker was granted access to a company in the guise of a temporary worker. The experiment reveals a troubling and often overlooked aspect of cyber security and corporate espionage. In spite of significant investments in technology and human resources dedicated to securing cyber assets, they remain vulnerable to some of the simplest methods of theft. (World Tech Today)

Trust but verify. There is an inherent bias towards believing that people are doing what they are supposed to, and that suspect activity is probably not what it seems. It is worth noting that in the aftermath of most espionage cases, co-workers describe having observed some activity that should have been reported but was not, because they did not want to seem paranoid or to unjustly jack up a co-worker. Reporting of suspicious activity is more likely when Security is not seen as the ‘heavies’ who only know how to drop the hammer on people. Cultivating an image of someone who is there to advise, improve, or otherwise make things better, not to punish wrongdoing, can go a long way towards changing attitudes about a Security team.

Federal cybersecurity needs a paradigm shift

Insecure. Vulnerable. Victimized. Reactive. In many ways, the current cybersecurity prevention theme focuses on security itself as an end game. This focus accentuates what constitutes bad cybersecurity and the ensuing risks to high-value business assets. In order to advance cybersecurity thinking, we need resilient, well-implemented cybersecurity as a business liberator. By putting smart, business-centric security in place that addresses critical and prioritized risk areas, executives can re-focus their energy, passion and resources on the uncharted and breakthrough performance improvements created by today’s technology options. (Federal Computer Week)

Cyber security is not the issue we think it is. Every enterprise security leader who wants to remain relevant needs to remember the importance of operations and costs. Companies have a job to do, and security that does not support that job is a non-starter. Make friends and gain supporters by putting “security” knowledge to work on business problems (e.g. knowing what runs on an endpoint can help with software license audits, potentially reducing costs). Regardless of your approach, support from the highest levels of the organization and the ability to provide hard numbers (or at least clear improvements) are essential if a revolution in security affairs is going to take place.

Largest ransomware-as-service scheme pulls in $195,000 a month: Report

Tens of thousands worldwide have fallen victim to a global ransomware-as-a-service scheme. Researchers at Check Point Software and IntSights Cyber Intelligence released a report Tuesday saying the service, which they call Cerber, is currently running 161 active campaigns with a total estimated profit of $195,000 last month alone. On average, eight new campaigns are launched each day. (IT World Canada)

Look upon my (malicious) works, ye Mighty, and despair. The idea that we will overcome malicious activity online, or even compete on the same playing field, using traditional methods is beyond laughable. Offense is not necessarily easier from a technical perspective; offense is merely able to take advantage of aspects of technology that defense cannot, at least not on the same scale and in the same time-frames. While the latter is asking for permission, the former has seized the initiative and begun to act. The former does what will yield the best ROI; the latter can’t demonstrate ROI and struggles to hold on to its meager budget. If as a defender you feel like the Poles at Krojanty, you’ve found a much more appropriate martial analog than “Pearl Harbor.”

Pokémon Go’s strategy could thwart cybersecurity threats

Today, targeted hackers are ahead in the game of cybersecurity and winning too often by circumventing even the layered defense systems of enterprises. We need innovative ideas and thinking to go after cyber attackers the way Pokémon GO players go into private areas and restricted areas, trespass on property belonging to businesses, and even cross borders to capture creatures. We need this sort of cybersecurity threat hunting strategy to develop technology and solutions that eliminate cyber adversaries and attackers’ infrastructure and presence no matter where they are. (CSO Online)

The game is afoot. Serious threat actors have specific goals in mind when they carry out their missions, and they are rewarded when they achieve those goals. There is no corresponding ‘gamification’ in defense. At a meta level, instilling a sense of curiosity in defenders is one step towards taking defense out of the doldrums and turning it into something more exciting. Developing and implementing a methodology that rewards defenders for “leveling up” through the course of their investigations is another. Right now defense is essentially a binary situation: defenders are viewed as overhead when there is nothing to report, and as failures when there is.