For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.
However, research conducted by IBM and the Ponemon Institute shows that the time to detect a data breach averages 280 days for businesses: a significant gap between the moment a network is compromised and its discovery. This shows that stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.
What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.
Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.
Consider booby trapping your network
As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers.
These measures may include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.
Researchers have laid out several ways booby trapping could work, but all rely on the principle of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.
Configure and pay close attention to failed login attempts
Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.
When configured properly, however, RDP and other password-protected tools should lock users out after a given number of incorrect attempts and alert an admin. This forces a user, legitimate or otherwise, to wait some predetermined time before attempting to log in again. Reaching out to the locked-out user can then help determine whether the credentials have been stolen or whether it is a genuine case of “fat fingers.”
If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.
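The two signals described above (a decoy administrator account that should never be touched, and a lockout threshold on failed logins with an alert to the admin) can be checked from the same logon event stream. This is an added example, not Webroot's code: the log lines are constructed, the comma-separated layout and the decoy account name are assumptions, and the event IDs 4624/4625 are the real Windows Security log IDs for successful and failed logons.

```python
"""Early-warning checks over Windows logon events:
 1. any use of a decoy ("canary") administrator account, and
 2. repeated failed logons against one account from one source,
    enforcing a lockout and alerting on attempts made while locked out.
Added example, not Webroot's code. Log lines are constructed; the layout
(timestamp, event id, account, source IP) is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DECOY_ACCOUNTS = {"svc_backup_admin"}   # decoy account names (assumption)
LOCKOUT_THRESHOLD = 5                   # failures before lockout + alert
LOCKOUT_WINDOW = timedelta(minutes=10)  # failures are counted within this window
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed sample: 4624 = successful logon, 4625 = failed logon.
SAMPLE_LOG = """\
2021-03-01T09:00:01,4624,alice,10.0.0.12
2021-03-01T09:00:05,4625,bob,10.0.0.15
2021-03-01T09:01:10,4625,administrator,203.0.113.9
2021-03-01T09:01:11,4625,administrator,203.0.113.9
2021-03-01T09:01:12,4625,administrator,203.0.113.9
2021-03-01T09:01:13,4625,administrator,203.0.113.9
2021-03-01T09:01:14,4625,administrator,203.0.113.9
2021-03-01T09:01:15,4625,administrator,203.0.113.9
2021-03-01T09:02:00,4624,svc_backup_admin,203.0.113.9
2021-03-01T09:40:00,4625,administrator,203.0.113.9
"""


def parse(line):
    ts, event_id, account, src = line.split(",")
    return datetime.fromisoformat(ts), int(event_id), account.lower(), src


def analyze(log_text):
    """Return alerts as (kind, account, source_ip, timestamp) tuples."""
    alerts = []
    failures = defaultdict(deque)   # (account, src) -> recent failure timestamps
    locked_until = {}               # (account, src) -> lockout expiry
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = parse(line)
        key = (account, src)
        # 1. The decoy account has no legitimate user, so any event on it
        #    (success or failure) is an alert in its own right.
        if account in DECOY_ACCOUNTS:
            alerts.append(("decoy_account_used", account, src, ts))
            continue
        if event_id != 4625:
            continue
        # Expire an old lockout before counting new failures.
        if key in locked_until and ts >= locked_until[key]:
            del locked_until[key]
            failures[key].clear()
        if key in locked_until:
            alerts.append(("attempt_during_lockout", account, src, ts))
            continue
        # 2. Sliding-window count of failures for this account/source pair.
        window = failures[key]
        window.append(ts)
        while window and ts - window[0] > LOCKOUT_WINDOW:
            window.popleft()
        if len(window) >= LOCKOUT_THRESHOLD:
            locked_until[key] = ts + LOCKOUT_DURATION
            alerts.append(("lockout", account, src, ts))
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```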
Monitor anomalous web traffic
Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.
That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.
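A concrete form of the “weird stuff” approach: build a per-host baseline of the destinations and countries it normally talks to, then alert on destinations outside that baseline and escalate when a new destination is contacted repeatedly. This is an added example, not Webroot's code; the flow records are constructed and their layout assumes a flow log already enriched with a destination country.

```python
"""Baseline-then-alert detector for outbound traffic.
Added example, not Webroot's code. Flow records are constructed; the
layout (timestamp, host, destination domain, destination country) is an
assumption about an already geo-enriched flow log."""
from collections import Counter, defaultdict

# Constructed training period: what each host normally talks to.
BASELINE_FLOWS = """\
2021-02-01T10:00:00,build-server,updates.example.com,US
2021-02-01T10:05:00,build-server,registry.example.net,US
2021-02-02T10:00:00,build-server,updates.example.com,US
2021-02-03T11:30:00,hr-laptop,mail.example.com,US
2021-02-03T11:31:00,hr-laptop,payroll.example.org,CA
"""

# Constructed evaluation period containing one suspicious pattern.
NEW_FLOWS = """\
2021-03-01T03:12:00,build-server,updates.example.com,US
2021-03-01T03:13:00,build-server,cdn-relay.example,CN
2021-03-01T03:20:00,build-server,cdn-relay.example,CN
2021-03-01T03:33:00,build-server,cdn-relay.example,CN
2021-03-01T09:00:00,hr-laptop,mail.example.com,US
2021-03-01T09:05:00,hr-laptop,files.example.net,US
"""

REPEAT_THRESHOLD = 3   # contacts to a new destination before escalating


def parse_flows(text):
    for line in text.splitlines():
        if line.strip():
            ts, host, domain, country = line.split(",")
            yield ts, host, domain.lower(), country


def build_baseline(text):
    """Per host: the destinations and countries seen during training."""
    domains = defaultdict(set)
    countries = defaultdict(set)
    for _, host, domain, country in parse_flows(text):
        domains[host].add(domain)
        countries[host].add(country)
    return {"domains": domains, "countries": countries}


def detect(baseline, text):
    """Return (severity, host, domain, country, timestamp) alerts."""
    alerts = []
    new_dest_hits = Counter()
    for ts, host, domain, country in parse_flows(text):
        known_domains = baseline["domains"].get(host, set())
        known_countries = baseline["countries"].get(host, set())
        if domain in known_domains:
            continue
        new_dest_hits[(host, domain)] += 1
        hits = new_dest_hits[(host, domain)]
        if hits == 1:
            # First contact: a new country is a stronger signal than a new
            # domain in a country the host already talks to.
            severity = "medium" if country not in known_countries else "low"
            alerts.append((severity, host, domain, country, ts))
        elif hits == REPEAT_THRESHOLD:
            # The host now talks to the new destination "often".
            alerts.append(("high", host, domain, country, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```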
Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.
Staying on guard against attacks
The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.
Here are a few quick tips:
- Do not rely on the default configuration for RDP. Enforce 2FA and lockout timeouts after failed password attempts.
- Disable powerful tools like PowerShell, Office macros and WMI where not needed.
- Limit access rights on your internal network so that only those who need access have it.
- Strictly control access to the dev and QA processes if these take place within your organization.
Buzzwords and acronyms abound in the MSP industry, an unfortunate byproduct of marketing years in the making. Cybersecurity is a hot watercooler topic at any business. Well, now probably more likely a virtual happy hour than a watercooler, but nevertheless cybersecurity remains top-of-mind.
To sleep at night, MSPs feel they must enhance or expand their security offerings beyond the standard layers, like firewalls, firewall filtering, Active Directory protocols, DNS filtering and antivirus/malware detection. One of the ways many MSPs feel they can satisfy their cybersecurity concerns involves the buzzword-y new acronyms floating around involving “EDR,” or endpoint detection and response. But what is EDR really, and what can it do for MSPs and their clients?
But first, besides EDR, there’s also ADR, MDR, xDR, and the industry can surely expect newer blank-DR acronyms in the next few years. What are all these acronyms and how do they help MSPs protect their clients? Here are a few definitions:
- EDR (Endpoint Detection and Response) – Technically, every security agent sitting on an endpoint is an EDR solution. The information the agents feed back to administrators determines what action to take and when.
- ADR (Automatic Detection and Response) – Newer technology allows the agent to automatically make a decision without human intervention. Ideally, ADR automatically remediates a situation and reports to the administrators on action taken.
- xDR – This newer acronym refers to agents across a network communicating to make a remediation decision or report decision across multiple endpoints.
- MDR (Managed Detection and Response) – A best-of-breed solution using EDR, ADR and possibly xDR tools in various combinations, MDR allows a human team to make decisions and respond to situations. While more complex and administratively heavy, MDR closes the gap that arises when suspicious applications are being monitored and observed, but not reacted to by an ADR or xDR solution. Human-driven MDR ferrets out the suspicious and reacts.
Here are five things MSPs should consider when evaluating EDR solutions:
1. All security tools with an endpoint agent are basically EDR.
Their job is to detect malicious code, applications, scripts or other malicious files and make a status determination on the fly. Most security agents use various methods like physically scanning file hashes, scanning file content, watching behaviors, looking at scripts, detecting known attack surfaces and other techniques to try to ascertain if a newly encountered file is good or bad.
How the security agent reports its activity depends on the EDR tool. So, while many security tools claim they offer an “EDR” solution, the key is to determine the level of threat, suspicions and action taken in reporting or alerting that adds value for MSPs.
2. The “R,” or response, is key to a successful EDR solution.
While many security tools report and alert, the level of response is the most important aspect of any security practice. If the security agent provides minimal information for decision making, it’s of limited use to the technical personnel responsible for intervening.
On the other hand, technicians can take advantage of security tools with consoles that display alerts, reports and visibility into whether an agent responded, how and the agent’s current status. Too often tools don’t provide necessary insight for reviewing or comparing threat data or approaches – like the MITRE attack framework or other sites with relevant threat information.
Solutions with a more comprehensive API are advantageous for custom review, integration into more dedicated threat review tools or for alerting through a log gathering and reporting tool. APIs are valuable for providing added information from which human technicians can make decisions.
3. What can be done with the EDR information? Is it actionable?
Once a tool has been selected, what should be done with the information it provides? Answering this is key to successfully setting EDR expectations for customers. If a client requires that an MSP have an EDR solution in place, installing an agent is only half of the equation.
Gathering the information into a comprehensive tool or suite can be daunting. If the security solution provider has tools like alerts, reports or an API, start there. However, these tools are often limited and need to be supplemented by a solution with higher performance or a faster response time.
Log gathering tools are a higher performance option that allow many tools to feed into a single system. Once such a solution is in place, the next challenge is to build rules for sifting through the millions of ingested points of information. These rules provide human reviewers more details for making decisions. It may take several cycles to home in on the rules that lead to successfully spotting suspicious or malicious activity and protecting customers.
4. Understand what’s behind the EDR hype.
What’s the buzz around EDR and why has it become such a topic for discussion? A fair question, considering that the level of effort to stand up, manage and monitor a solution, and to address a situation when it arises, can be costly and time consuming. Simply having a security vendor that “supports EDR” isn’t enough. Selecting a check box to satisfy a requirement is, again, only half of the equation.
So, why go through the time and expense of implementing EDR? Here are three top reasons:
- Cybersecurity insurance – With the rise of breaches across business and public sector landscapes, cybersecurity insurance is on the rise. Many providers have requirements ranging from governance to tools that meet a specific scope. EDR is one such requirement.
- Good practice – Having layers of protection for customers is important. Extending security offerings by adding an EDR solution with a process will increase that security footprint.
- Managed Security Service Provider (MSSP) – More and more MSPs are adding value to their customers by adding cybersecurity-specific services. With cybersecurity challenges on the rise, many service providers can increase revenue and provide greater security posture for their customers. Implementing an EDR solution will contribute to that effort.
5. Plan out next steps for adopting EDR at your MSP
- Evaluate the need. Investing in potentially costly new solutions because of a buzzword is not advisable.
- Determine the level of effort required to adopt an EDR solution and devise a plan for doing it.
- Review existing tools and determine if existing solutions are being leveraged most effectively today.
- Build the team. Part of the plan for adopting EDR should include designating a security team to both manage the solution and respond to its findings.
Simply ticking an EDR box won’t necessarily contribute to client security. MSPs should evaluate the needs EDR will satisfy, the level of effort it takes to implement and how EDR fits into their overall service offering. Vendors won’t hesitate to offer “EDR solutions,” but it’s up to the MSP to properly implement them and establish processes to support expectations. Simply having the solutions does no good. EDR done right requires the additional team focus, rules, review and responses. Implement an EDR offering with caution and planning.
Most people would categorically agree that increased privacy online is a good thing. But in practice, questions of privacy online are a bit more complex. In recent months, you’ve likely heard about DNS over HTTPS, also known as DNS 2.0 and DoH, which is a method that uses the HTTPS protocol to encrypt DNS requests, shielding their contents from malicious actors and others who might misuse such information. It can even address several DNS-enabled cyberattack methods, such as DNS spoofing or hijacking. On the other hand, obfuscating the content of DNS requests can also reduce admins’ visibility and control, as well as negatively affect business network security.
Ultimately, this DNS privacy upgrade has been a long time coming. While its creators’ original 1983 design has undoubtedly proven itself by scaling to meet the demands of today’s internet, privacy just wasn’t a consideration 38 years ago; thus, the need for DoH.
When weighing the obvious privacy and security benefits against the visibility and potential security drawbacks, some businesses are having difficulty managing these new protocols. That’s likely why the NSA recently released a guide that not only explains the need for DoH, it strongly recommends that businesses protect their networks from rogue DNS sources to improve their network security. But what their guide doesn’t really focus on is how.
Correctly managing encrypted DNS can be very challenging. According to Jonathan Barnett, Webroot sr. product manager and DNS security expert, here’s what businesses need to know about the NSA’s guide and how to successfully embrace DoH.
What does the NSA guide recommend?
The NSA supports the privacy and security improvements DoH provides. However, they also recommend that DNS be controlled, which may leave some admins scratching their heads.
“The enterprise resolver should support encrypted DNS requests, such as DoH, for local privacy and integrity protections, but all other encrypted DNS resolvers should be disabled and blocked.”
What does the NSA caution against?
The NSA specifically warns about applications that can make DNS requests for themselves. Previously, if an application needed DNS, it would ask the local system for the resolution, ideally following whatever configuration the admin had set. These requests would then be sent to the network DNS resolver. This process provides a wealth of information to the network, helping with visibility in the case of a malware attack, or even in the event of a user accidentally clicking a phishing link.
With DNS encryption like DoH, this visibility not only disappears, but DNS itself becomes incredibly difficult to control. The real challenge is that DoH hides the DNS requests using SSL, just as your web browser does when connecting to your online banking website. With this method, DNS requests appear as regular website traffic to most firewalls and networks, and can’t be identified by them as legitimate or malicious.
What other challenges should I consider?
DoH is fairly early in its adoption and only a few applications currently use it, though adoption will continue to grow. In North America, Mozilla Firefox uses DoH for DNS resolution by default. Other browsers, such as Google Chrome and Microsoft Edge, have also begun to support DoH, though their default behavior will not enable DoH on most business networks.
Worth noting is that Microsoft itself has yet to support DoH on its DNS servers, so enforcing the NSA’s recommendations may be somewhat difficult. Additionally, as DoH traffic runs on port 443, just like a secure connection to a website, it is not easily regulated or blocked. You can’t just block port 443 at your firewall either, as this action would also block all secure websites. You could block some of the known DoH providers, but as with any new technology solution, more DoH resolvers appear daily.
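Because DoH rides on port 443, the remaining handles are the things that distinguish it from ordinary HTTPS: the RFC 8484 media type `application/dns-message`, the `/dns-query` path most public resolvers use, and a list of known resolver hostnames. The example below, added here and not Webroot's code, flags those in a constructed proxy log and decodes the queried name from a GET-form `?dns=` parameter, which is base64url of an ordinary DNS wire-format query. The log layout and the (deliberately partial) resolver list are assumptions.

```python
"""Spot DNS-over-HTTPS (RFC 8484) requests in web proxy logs, where they
otherwise look like ordinary HTTPS on port 443. Added example, not
Webroot's code. Proxy log lines are constructed; the field layout and the
admin-maintained resolver list are assumptions."""
import base64
import struct

KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 media type
DOH_PATH = "/dns-query"                       # path used by most public resolvers


def build_query(name, qtype=1):
    """Minimal DNS wire-format query: ID 0, RD set, one question (A by default)."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def encode_dns_param(query):
    """RFC 8484 GET form: base64url without '=' padding."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_qname(dns_param):
    """Recover the queried name from a ?dns= parameter (gives back visibility)."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    pos, labels = 12, []          # skip the 12-byte header
    while raw[pos] != 0:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    return ".".join(labels)


# Constructed proxy log: timestamp,client,method,host,path_and_query,content_type
SAMPLE_PROXY_LOG = "\n".join([
    "2021-03-01T12:00:00,10.0.0.21,GET,www.example.com,/,text/html",
    "2021-03-01T12:00:03,10.0.0.21,GET,dns.google,/dns-query?dns="
    + encode_dns_param(build_query("example.com")) + ",application/dns-message",
    "2021-03-01T12:00:04,10.0.0.33,POST,resolver.example.net,/dns-query,application/dns-message",
    "2021-03-01T12:00:05,10.0.0.33,GET,cdn.example.org,/static/app.js,application/javascript",
])


def find_doh(log_text):
    """Return one finding per request that looks like DoH, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        ts, client, method, host, target, ctype = line.split(",", 5)
        path, _, query = target.partition("?")
        reasons = []
        if host in KNOWN_DOH_HOSTS:
            reasons.append("known_resolver")
        if ctype == DOH_MEDIA_TYPE:
            reasons.append("dns_media_type")
        if path == DOH_PATH:
            reasons.append("doh_path")
        if not reasons:
            continue
        qname = None
        for part in query.split("&"):
            if part.startswith("dns="):
                qname = decode_qname(part[4:])
        findings.append({"time": ts, "client": client, "host": host,
                         "reasons": reasons, "qname": qname})
    return findings


if __name__ == "__main__":
    for finding in find_doh(SAMPLE_PROXY_LOG):
        print(finding)
```

The second finding (an unknown host using the DoH path and media type) is the case a static provider blocklist misses, which is why the path and media-type checks matter; a POST body cannot be decoded from the log alone, so `qname` stays `None` there.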
How does Webroot address security with DoH?
The Webroot® DNS Protection agent already secures DNS requests by using DoH for all of its communications and leverages the power of Webroot BrightCloud® Threat Intelligence to identify and block alternate DoH connections. Our DNS Protection solution also includes an option to echo all DNS requests to your local resolver, so it maintains visibility into the DNS requests being made, leaving intact the powerful information provided by DNS.
Essentially, with a solution that works like Webroot DNS Protection, you still get the power of DNS filtering while also benefitting from DoH encryption. This protection secures remote and on-site users, devices, and networks, effectively fulfilling the NSA’s recommendations.
In today’s rapidly evolving cybersecurity landscape, the battle for privacy and security is relentless. Cybercriminals are masters at using technology and psychology to exploit basic human trust and compromise businesses of all sizes. What’s more, they often hide in plain sight, using both covert and overt tactics to cause disruption, steal money and data, and wreak havoc with MSPs and SMBs.
While cybersecurity advice is often focused on technology like endpoint protection, firewalls and anti-virus, it’s important to remember that behind every breach is a human. Knowing who they are and why they target your business is essential to remaining cyber resilient.
As we mentioned in a previous blog, hackers come in many forms, but their methods can generally be classified into three distinct types of cybercriminals:
- The Impersonator – Hackers that pretend to be others, often using social engineering and human psychology to trick users.
- The Opportunist – Hackers that exploit public events and socio-political crises for disruption or personal gain.
- The Infiltrator – Hackers that target specific organizations and work to breach systems using a variety of tools and tactics.
Each one has their own methods and protecting against them requires a multi-layered approach. Let’s look at a few primary examples.
Who is the Impersonator?
An impersonation attack recently made headlines with the 2020 Twitter/Bitcoin scam, in which 130 high-profile Twitter accounts were compromised by outside parties to steal bitcoin. The perpetrators gained access to Twitter’s administrative tools in order to pose as legitimate CEOs and celebrities to trick users into sending bitcoin with the promise of doubling their investment. Unfortunately, attacks like this work, and the hackers received $121,000 that was never paid back. This is a scam that’s been around for years and since no one can reverse a cryptocurrency transaction, it’s very likely here to stay.
This type of cybercriminal manipulates victims into opening doors to systems or unwittingly sharing sensitive information by pretending to be someone you would inherently trust. The most notable attack is the “Nigerian prince” email scam, also known as “foreign money exchange” scams. These typically start with an email from someone overseas claiming to be royalty, offering to share a financial opportunity in exchange for your bank account number. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows.
Impersonators are known to use phishing, Business Email Compromise (BEC) and domain spoofing to lure victims, and they’re always looking for new ways to innovate. In fact, our 2020 Threat Report found that impersonators are now imitating legitimate business websites to release malicious payloads or steal data, and a shocking 27% of phishing sites use HTTPS to trick the user into clicking phishing links, which makes these attacks even more dangerous. It’s easy to assume an official-looking website with an HTTPS address is safe, but hackers can also use HTTPS sites to launch phishing emails and distribute BEC scams as obtaining SSL certificates is trivial now. This is why a multi-layered approach that can block phishing sites (including HTTPS) in real time, is key for staying safe.
What Does the Opportunist Want?
While attacks of opportunity are nothing new, the tactics of the opportunist have gone to a new level with the recent coronavirus pandemic. According to our COVID-19 Clicks report, at least one in three people have fallen for a phishing email in the past year. This year has been all about the pandemic and the fear surrounding it. These phishing attempts often appear in the form of articles about the best ways to avoid coronavirus or links to documents that have lists of people with COVID-19 “in your area.” These documents will ask users to enable an embedded macro that then delivers malware, usually in the form of ransomware. Over 90% of malware campaigns used the pandemic in their initial phishing email this past year.
Opportunists wait for the right opportunity to strike, and just as impersonators take advantage of trust, opportunists also rely on trust and familiarity to deceive users into downloading malicious payloads. Unlike other hackers, however, they don’t have specific victims in mind. The opportunist capitalizes on urgency, fear and unpreparedness to catch as many victims in their net as possible.
As we point out in a popular Hacker Personas podcast, other opportunist attacks like those exploiting U.S. government stimulus payments are also on the rise. Business leaders in particular should watch out for these tactics, as phishing emails can compromise company devices. With the increase of remote workers using unsecured systems and personal devices to access corporate networks, all businesses are at risk from opportunists who bait remote employees.
How Do Infiltrators Breach Systems?
One of the best examples of an infiltration attack is the 2020 SolarWinds breach, in which a foreign state hacked the SolarWinds supply chain to infiltrate at least 18,000 government and private networks, including over 425 of the Fortune 500. Nation-state hackers took advantage of SUNSPOT malware to insert the SUNBURST backdoor into software builds of the Orion platform, and unbeknownst to SolarWinds developers, it was released as a normal update to their customers. Several significant US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. What’s more, the fallout of this attack is still ongoing and we may never know the full damage.
The Infiltrator is the opposite of an opportunist in that they target specific victims and have a clear-cut approach to getting what they want. Rather than casting a wide net and hoping for the best, they usually know the system they want to infiltrate, and they use stealthy measures to breach systems, often coming away with a large payout in the form of a costly ransom to criminal enterprises or valuable intel to nation states.
What Steps Should MSPs and SMBs Take to Stay Cyber Resilient?
If knowing your enemy is the first step to protecting your business, the next step is to develop a strong cyber resilience posture that protects against their attacks. Part of that is understanding that cyberattacks are often a matter of “when, not if.” Even if you’re not the target of an infiltrator, for example, your business or employees may be the unknowing victims of an opportunist or impersonator.
Protecting your business includes:
- Implementing a multi-layered cybersecurity approach that includes complete endpoint protection, firewalls, real time anti-phishing as well as Security Awareness Training
- Continuously educating and training employees, staff and customers to follow cybersecurity best practices and to stay up to date on cyberattack news
- Using a backup and recovery solution that can restore critical files after an attack and keep the business up and running during a crisis.
To learn more about hacker personas and strategies to protect against their various attacks, check out our eBook, Hacker Personas: A Deeper Look Into Cybercrime. You can also follow our Hacker Files and Lockdown Lessons series that include a variety of guides, podcasts and webinars covering these topics and more.
While we can all rejoice that 2020 is over, cybersecurity experts agree we haven’t seen the last of the pandemic-related rise in cyberattacks. Throughout the last year, we’ve seen huge spikes in phishing, malicious domains, malware and more, and we don’t expect that to slow down. As employees around the world continue to work from home, 2021 is shaping up to be another year of record highs in terms of malicious online activity.
What is the cyber-demic?
Cybercriminals have always been opportunistic, taking advantage of all possible avenues that disrupt businesses, steal data, trick end users, and more to turn a profit. As the threat reports Webroot produces each year have shown — not to mention the increasing number of major hacks in the headlines — threats keep evolving, and their growth is often exponential. That means even before the pandemic, cyberattacks and resulting data loss were already becoming a case of “when,” not “if.”
Still, the COVID-19 pandemic brought unprecedented surges in threat activity as cybercriminals capitalized on chaos and security gaps caused by the switch to WFH. Particularly by targeting vaccine production and distribution, COVID-19 trackers, videoconference applications, and other pandemic-related topics in their scams, criminals have upped the ante on what would have already been a record year; hence “cyber-demic.”
What types of malicious activities should we expect?
“It’s all about data,” says Matt Seeley, senior solutions consultant at Carbonite + Webroot, OpenText companies.
“Whether you’re a business or an individual at home, your data is important to you. Not having access to corporate data can put companies out of business. Not having access to your personal files can also have devastating consequences. The scammers know how important data is. That’s why stealing it, misusing it, holding it for ransom, or threatening it in some other way is such an effective way to get what they want – i.e., the money.”– Matt Seeley, sr. solutions consultant, Carbonite + Webroot, OpenText companies
Recent trends in ransomware back up these insights. Thought to be pioneered by the Maze ransomware group, a new tactic emerged in 2020 in which ransomware authors changed their business model. Instead of infiltrating systems to encrypt data and demanding a ransom to unlock it, they encrypted the data and further incentivized ransom payment by threatening to expose that data if the victim chose not to pay. Using leak/auction websites, criminals can display or auction off victims’ data to the highest bidder; the cake-topper here is that organizations subject to privacy regulations, such as GDPR, PCI, etc., would also have to pay the fines associated with improperly securing sensitive data.
Additionally, the modular nature of modern malware means many malware groups are teaming up to increase their chances of a successful payday. For example, a phishing email might drop a botnet/Trojan that listens for domain credentials. Once the criminals have domain credentials, they can disable security and/or tamper with backups. That way, when they eventually drop ransomware, businesses may have no choice but to pay, since their backups are also compromised.
How IT will Prevail in 2021
“The answer, once again, is data,” says Seeley, “though, in this case, it’s part of overall cyber fitness. If your data isn’t secured, properly segmented, backed up and tested, then 2021 is likely to be a bad year.”
Stressing the need to combine comprehensive cybersecurity layers with proven backup and disaster recovery solutions, Seeley explains, “To bring your cyber fitness up and become more resilient, I recommend businesses start off by assuming they will definitely get breached this year, even if they’ve been lucky and have never been breached before. Once you accept that as your foundation, you can prepare for it. It’s that preparation that’s going to be key.”
Here are his top 3 tips for businesses to stay safe.
- Know your data.
“This is the #1 most important advice I can offer. You can’t secure data if you don’t know where it lives or how important it is. The folks who don’t know their data, who don’t know all the places it resides, how up-to-date it is, or what kind of security it needs, are the ones who are going to suffer the worst if they get attacked or experience some kind of physical damage, like hardware failure or a natural disaster. They’re the ones who, even if they have backups in place, will go to restore their data and realize they don’t have the right information after all. You don’t want to have to learn that the hard way.”
- Classify your data.
“This is part of knowing your data. If you accept that the data breach is going to happen sooner or later, then you need to know which data is mission-critical to get through your day, vs. other historical data that is nice to have, but won’t make or break your business if you lose access for a little while. Once you know the timing of which systems and data need to be available this second and which ones can wait a few days or weeks, you can properly plan your disaster recovery strategy and choose the right backup solutions and schedules.”
- Test your data recovery plan.
“The biggest obstacle to your cyber fitness is overconfidence. Just because you have antivirus and backups doesn’t guarantee your protections will be there and functional when you need them. Bad actors are going to keep getting craftier. They’re going to keep finding new ways to target data. You need to regularly monitor and test your backup and disaster recovery strategy to ensure that your data is exactly as safe and available as you need it to be.”
For more details on stress testing your disaster recovery plan, read his blog on the subject.
While these tips apply more to businesses than home users, Seeley says the same fundamental principles apply to anyone. “Think about all the data you could lose if your personal computer crashed right now and the hard drive died. Do you have it backed up? Are those backups secure? Do you know all the places your data lives? Do you have protection for it? Whether you’re a business, an MSP, a regular person at home, a student… These are the types of questions we should all be asking ourselves, so we can all be more resilient in this cyber-demic.”
The supply chain attack that Trojanized a SolarWinds update to infect and spy on the IT management platform’s customer base continues to be analyzed. Early reports have called the methods highly sophisticated and the actors highly trained. We do know that IP addresses, a command and control server and a malicious product update file were used. While details continue to come to light with further investigation, one thing has been made clear by the incident: the fundamental elements of tactical threat intelligence still have a critical place in a layered cybersecurity strategy.
Tactical threat intelligence typically focuses on the latest methods threat actors are using to execute attacks. It examines indicators of compromise (IOCs) such as IP addresses, URLs, system logs and files to help detect malicious activity. This type of threat intelligence is most often deployed in network and security devices like firewalls, SIEMs, TIPs and other tools, where it usually drives policy-based decisions according to intelligence criteria.
Recent attacks continue to prove that these fundamental tactical threat intelligence pieces are still critical. While web filtering and URL classification, IP reputation, and file detection and reputation may be less flashy than threat actor profiles and takedown services, they continue to be the building blocks of core threat intelligence elements that are key to stopping attacks.
These IOC types – files, IPs, URLs – are the artifacts of proven attack methods and play a consistent role in malicious campaigns. Having tactical intelligence on these internet objects is one key step security and technology providers can take to better protect their users. For tactical threat intelligence to be effective, it must be both contextual and updated in real time.
Why context matters
Context is what allows threat intelligence providers to take a mass of data and turn it into something meaningful and actionable. With context, we can explore relationships between internet objects and better assess their risk.
As the recent SolarWinds attack shows, IOCs are often interconnected, and rarely is only one used. Seeing the connections surrounding various internet objects, like a benign website that may be one step away from a malicious IP address, allows us to map and analyze these objects not only as they are classified but in their contextual relationships. These relationships allow us to better predict whether a benign object has the potential to (or is even likely to) turn malicious.
Over the course of a year, millions of internet objects change from benign to malicious and back many times as cybercriminals attempt to avoid detection. Showing a single IOC at a single point in time, as happens with static IP blocklists, doesn’t paint the full picture of an object’s activity. Both real-time and historical data, however, can help in the development of a reputation score based on behavior over time and common reputational influencers such as age, popularity and past infections. That history also helps protect users from never-before-seen threats and even predict where future attacks may come from.
Once the fundamental intelligence is present, it’s also critical to make sure policies are enabled and configured correctly to best take advantage of the threat intelligence. In the instance of the SolarWinds attack, when we evaluated the initial data we found that seven of the IP addresses used in the campaign were previously identified by BrightCloud® Threat Intelligence months prior to discovery of the attack. These IP addresses were marked as high-risk and had fairly low reputation scores. In addition, the IPs consistently remained in the high-risk category throughout the year, meaning there was a high predictive risk these IPs would attack infrastructure or endpoints. Depending on the threshold set in the policy, many end users could have already been prevented from experiencing malicious behavior initiating from one of these identified IP addresses.
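To make the policy point concrete, here is an added example (not Webroot’s code, and not how BrightCloud scores are actually computed) of applying an IP reputation feed that carries a history to firewall connection logs. The feed, its 0–100 score scale (lower means riskier), the block and alert thresholds, and the log lines are all constructed for illustration. It shows why a point-in-time blocklist misses an address that has flipped back to benign, while a policy that also looks at the address’s history still raises an alert on it.

```python
"""Added example: policy over an IP reputation feed with history.

Not Webroot's code and not how BrightCloud scores are computed. The feed,
its 0-100 scale (lower = riskier), the thresholds and the log lines below
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

History = List[Tuple[date, int]]  # (observation date, reputation score)

# Constructed feed. Scores are assumed to run 0-100 with lower = higher risk.
FEED: Dict[str, History] = {
    # Flagged as high-risk months before the "attack" and stayed there.
    "203.0.113.10": [(date(2020, 6, 1), 18), (date(2020, 9, 1), 15), (date(2020, 12, 1), 12)],
    # Flipped benign -> malicious -> benign, as many objects do over a year.
    "198.51.100.7": [(date(2020, 6, 1), 85), (date(2020, 9, 1), 22), (date(2020, 12, 1), 80)],
    # Consistently trustworthy.
    "192.0.2.50": [(date(2020, 6, 1), 95), (date(2020, 9, 1), 96), (date(2020, 12, 1), 97)],
}

# Constructed firewall-style connection log: "<ISO timestamp> <src> -> <dst>:<port>".
LOG_LINES = [
    "2020-12-10T03:12:44Z 10.0.0.5 -> 203.0.113.10:443",
    "2020-12-10T03:13:01Z 10.0.0.9 -> 198.51.100.7:80",
    "2020-12-10T03:13:09Z 10.0.0.5 -> 192.0.2.50:443",
    "2020-12-10T03:14:20Z 10.0.0.7 -> 203.0.113.99:443",  # never seen by the feed
]

DST_RE = re.compile(r"->\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+")


@dataclass(frozen=True)
class Verdict:
    dst: str
    action: str  # "block", "alert" or "allow"
    reason: str


def parse_line(line: str) -> Tuple[date, Optional[str]]:
    """Return (event date, destination IP or None) for one constructed log line."""
    m = DST_RE.search(line)
    return date.fromisoformat(line[:10]), (m.group(1) if m else None)


def score_on(history: History, as_of: date) -> Optional[int]:
    """Most recent score observed on or before as_of (None if nothing that early)."""
    seen = [(d, s) for d, s in history if d <= as_of]
    return max(seen, key=lambda ds: ds[0])[1] if seen else None


def static_blocklist(feed: Dict[str, History], snapshot_iso: str, threshold: int) -> Set[str]:
    """Point-in-time blocklist: IPs at or below the threshold as of the snapshot date."""
    snapshot = date.fromisoformat(snapshot_iso)
    blocked = set()
    for ip, history in feed.items():
        score = score_on(history, snapshot)
        if score is not None and score <= threshold:
            blocked.add(ip)
    return blocked


def evaluate(dst: str, feed: Dict[str, History], as_of: date,
             block_at: int = 30, alert_at: int = 60) -> Verdict:
    """Apply the policy thresholds using both the current score and the history."""
    history = feed.get(dst, [])
    current = score_on(history, as_of)
    if current is None:
        # Unknown to the feed: reputation cannot help here, other layers must.
        return Verdict(dst, "allow", "no reputation data for destination")
    worst = min(s for d, s in history if d <= as_of)
    if current <= block_at:
        return Verdict(dst, "block", f"current score {current} <= block threshold {block_at}")
    if worst <= block_at:
        # A static snapshot taken today would show this IP as clean; history says it flipped.
        return Verdict(dst, "alert", f"score recovered to {current} but dipped to {worst}")
    if current <= alert_at:
        return Verdict(dst, "alert", f"current score {current} <= alert threshold {alert_at}")
    return Verdict(dst, "allow", f"current score {current}")


def apply_policy(log_lines: List[str], feed: Dict[str, History] = FEED,
                 block_at: int = 30, alert_at: int = 60) -> List[Verdict]:
    """Run every log line through the policy; malformed lines are skipped."""
    verdicts = []
    for line in log_lines:
        as_of, dst = parse_line(line)
        if dst is None:
            continue
        verdicts.append(evaluate(dst, feed, as_of, block_at, alert_at))
    return verdicts


if __name__ == "__main__":
    for v in apply_policy(LOG_LINES):
        print(f"{v.action:5} {v.dst:15} {v.reason}")
    print("static blocklist (Dec snapshot):", sorted(static_blocklist(FEED, "2020-12-01", 30)))
```

With these constructed values a December blocklist snapshot contains only 203.0.113.10, whereas the history-aware policy blocks that address and additionally alerts on 198.51.100.7, whose score had dipped to 22 in September before recovering. The thresholds are the policy knobs the paragraph above refers to; lowering `block_at` trades fewer missed C2 connections for more false positives.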
Necessary, not sufficient
Many security companies treated the Orion software update released by SolarWinds as one coming from a trusted partner. That factor contributed to the widespread success of the suspected espionage operation. It also allowed the threat actors’ reconnaissance operations to go undetected for months.
But Webroot BrightCloud® Threat Intelligence had associated the command and control server’s IP address with a botnet in the summer of last year. A properly configured security tool using Webroot BrightCloud Threat Intelligence data would have blocked communication with that server.
When used as part of a wider defense in depth strategy, essential threat intelligence components and proper policy configurations that apply that intelligence can help to make vendors and their partners more resilient against complex attacks.
We’ve been doing our homework, and two things seem to be true about cybersecurity awareness training simultaneously:
- It can be very effective at protecting businesses from one of the most common security threats they face (the majority of them, according to the Ponemon Institute): phishing.
- MSPs, often the single most reliable source of cybersecurity for small businesses, want to offer training as part of their services, but unwillingness on the part of their clients prevents them from doing so.
If you know, as we do, that one in three American workers admits to clicking on a phishing link in the past year, what’s the reason for such reluctance? Here are four we commonly encounter and how to overcome them.
The “higher-ups” don’t see the value of training
For (the lucky) companies who’ve yet to be hit by a significant cyberattack, security awareness training may not hold obvious value. After all, very few organizations have zero cybersecurity measures in place. “What’s my endpoint security for, anyway?” “Threats are stopped by my firewall.” So the thinking goes…
Even if they see the need for user training from a cybersecurity standpoint, some small businesses aren’t sure it’s worth the effort. IT budgets are often strained as it is, and couldn’t those dollars be better spent on the latest high-tech trend in the cyber defense industry?
Well, the numbers don’t lie, as they say. And in survey after survey, anecdote after anecdote, the numbers tell the same story: training works. In our latest survey of more than 4,000 managed service providers, for instance, 59 percent reported more suspicious emails being reported to IT. Thirty-seven percent reported fewer security incidents in general. Our own internal data tells us that our customers who use security training see up to 90 percent less malware than those that use an antivirus alone.
Leadership expects a “set it and forget it” or “one size fits all” experience
Executives will also often back off security awareness training when they realize it’s not a one-time test or a certificate they hang on a wall in their office. It’s true that the most effective cybersecurity training programs are tailored to a specific business and delivered on an ongoing basis.
Ensuring that training is tailored to a business’s operations is one of the best ways to overcome our next objection—that training doesn’t accurately represent the threats facing employees. That means providing industry-relevant compliance training and providing riskier users more training than tech savvy ones. This doesn’t happen by itself.
Persistence is also key when it comes to user security training. Our data indicates that the average click-through rate for a phishing simulation campaign is 11 percent. That drops to eight percent in the second campaign, but by the eleventh it’s down to five percent. Commit to 20 campaigns and you can reduce that rate to two percent.
Training doesn’t mirror real-world threats
Cybersecurity “tests,” especially of tactics like phishing, are of dubious effectiveness. When an employee knows a test is being administered, his or her guard goes up in unnatural ways. Results are skewed by the subject merely knowing a test is underway. Additionally, as any former student knows, studying up on cybersecurity principles is no guarantee of long-term retention.
For training to be effective it needs to be topical and believable. A healthcare provider needs to be familiar with HIPAA compliance requirements, for instance, and be able to identify an email spoofing a large insurance provider.
Real-world training should also mirror real-world events. The COVID-19 pandemic prompted a rise in scams related to the virus, so users should be cautious of any communications that look like they could have been ripped from the day’s headlines. Training that can’t be tailored to this degree won’t be as effective.
Employees aren’t onboard
Several factors can negatively affect employees’ willingness to adopt training. Some may believe they know all there is to know about cybersecurity. Some may believe it’s hopelessly over their head. For some, it’s simply not in their job description and that’s enough to stop them from pursuing training.
Whatever the reason for reluctance, buy-in starts at the top. Executives and other leaders should make it clear that they subject themselves to the same training as their employees. (And if the C-level doesn’t believe it’s an attractive target, encourage them to read up on spear phishing or “whaling.”)
Some training is also just poorly designed. Courses don’t have to be drawn-out, black-and-white, bubble-filling multiple-choice tests. Sometimes simple awareness-raising of current security threats is enough. There’s evidence to suggest that micro learning modules are more effective. Courses can be aesthetically pleasing and feature good UX. It’s key to getting employees to engage, in fact.
The right approach requires the right platform
Whatever the reason a client or employee has for being reluctant to adopt security awareness training, there’s a good chance it can be overcome with the right tool. Visit the Webroot® Security Awareness Training page to learn more and to see why the research firm Info-Tech had this to say about Webroot:
“Our SoftwareReviews data shows that Webroot and their customers have a very positive relationship, with 91% of sentiments being positive.”
Dairy farm group faces $30 million ransom
The Dairy Farm Group, one of the largest retailers in Asia, has suffered a ransomware attack by the REvil group, which has demanded a roughly $30 million ransom. The attack is still ongoing nearly nine days after being first identified. The attackers still have full control over the company’s email systems, which they will likely use for additional phishing attacks or identity theft operations. Officials have confirmed the attack was isolated to a small number of devices, but they have not been able to stop the continuing transmission of data to the attacker’s systems.
Norway to fine dating app over user data sharing
The dating app Grindr will receive a fine from the Norwegian government for sharing user data with several of its advertising partners. Multiple complaints were made against the app in the past year for making users accept its license agreement without being able to opt out of third-party data sharing. The fine equates to $11.7 million, or nearly 10 percent of Grindr’s annual revenue.
Multiple zero-day exploits patched by Apple
Apple has just released patches for three zero-day iOS vulnerabilities that may have already been exploited. Two of them allow remote code execution through the WebKit browser engine, while the third could be used to elevate privileges on multiple devices. An anonymous researcher is responsible for bringing these vulnerabilities to Apple’s attention and likely received compensation through the company’s bug bounty program.
Global authorities take down Emotet botnet
In the wake of a push earlier this week by global law enforcement, authorities have gained control of the servers responsible for operating the infamous Emotet botnet. The operation was responsible for infecting millions of devices across the world and using them to spread further. Police in Ukraine have also arrested individuals who face up to 12 years in prison for their involvement in criminal activities. Emotet started out as a banking trojan but has since become a loader that serves as an entry point for other malware, including ransomware.
Austrian crane manufacturer hit by ransomware
The Palfinger Group, which owns companies in 30 countries around the world, has recently fallen victim to a ransomware attack. For the past three days the organization has been under a steady assault on its networks, causing major issues with email communications and other crucial internal systems. It is still unclear how the attack was initiated or what the extent of the damage is, since the attack is ongoing.
Today, the average enterprise uses over 2000 cloud applications and services, and we expect this number will continue to grow as more businesses realize the efficiency, flexibility and collaboration benefits these services bring. But the use of cloud-based applications also comes with a few caveats; for example, the apps themselves may pose potential security vulnerabilities, and it’s also hard to prevent employees from using unsanctioned applications outside of the approved list (aka “shadow IT”), meaning critical business data could be floating out there in the ether without proper encryption or access controls.
When implementing these types of solutions, security should be a central concern in the vetting process. Unfortunately, it isn’t.
The State of Security with Cloud Applications
A full 92% of enterprises admit they have a gap between current and planned cloud usage and the maturity of their cloud security program. Meanwhile, 63% of web-borne malware and 15% of phishing attacks are delivered over cloud applications. And although 84% of organizations report using SaaS services at their company, more than 93% of those said they still deal with unsanctioned cloud app usage.
Even though cloud transformation is a strategic focus for many businesses, CISOs and IT teams are often left out of the discussion. That may be because the adoption of cloud services is generally billed as quick and easy with a rapid time to value, while IT security vetting processes don’t typically boast the same reputation. That often means that, for reasons of speed and perception, security may be treated as an afterthought — which is a potentially devastating oversight.
As adoption continues to grow, it’s critical for enterprises and small and medium-sized businesses (SMBs) alike to balance their cloud application use with security and access control; otherwise, the benefits they see may quickly turn into regulatory compliance nightmares, data loss disasters and security breaches.
Bringing Security and Visibility to Your Cloud Transformation
To improve visibility into the cloud applications being used, and to create usage policies and address security risks, many businesses are turning to Cloud Access Security Brokers (CASBs). CASB services are typically placed between the businesses who consume cloud services and providers who offer them, effectively protecting the gateway between a company’s on-premises IT infrastructure and the cloud service provider’s infrastructure. As such, CASBs can provide a central location for policy and governance simultaneously across multiple cloud services — for users and devices — and granular visibility into and control over user activities and sensitive data. They typically help enforce data-centric security policies based on data classification, data discovery and user activity surrounding data.
Faced with a continually growing and changing number of cloud applications and services, it’s critical to have accurate, up-to-date cloud-specific intelligence, not only for CASBs but also other security tool providers who provide support and policy control capabilities around cloud applications.
To better enable CASBs and security device vendors to identify and categorize cloud applications Webroot recently released its newest service: Webroot BrightCloud® Cloud Service Intelligence. This service is designed to offer full visibility, ensure security, enforce compliance, and identify shadow IT through three components: Cloud Application Classification, Cloud Application Function, and Cloud Application Reputation.
By embedding these components into a CASB solution or other security device, partners can identify a given cloud application, classify it by purpose, and control access to it based on the application’s group, name, and the action being performed. Additionally, customers can assess risk and compliance for all cloud applications with a reputation score. Cloud Service Intelligence can also be layered with other BrightCloud® services, such as Web Classification and Web Reputation, for a complete filtering solution that won’t impact product or network bandwidth.
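To show what controlling access “based on the application’s group, name, and the action being performed” looks like in practice, here is an added example. It is not Webroot’s code and does not describe the Cloud Service Intelligence data model: a small CASB-style policy engine run over constructed proxy log lines, plus a shadow IT report that aggregates unsanctioned and unknown apps by distinct users and bytes uploaded. The app catalog, its 0–100 reputation scale (higher is better), the sanctioned flags and the thresholds are assumptions made for the illustration.

```python
"""Added example: a minimal CASB-style policy engine over proxy logs.

Not Webroot's code and not the Cloud Service Intelligence data model. The
app catalog, its reputation scale (0-100, higher = better), the sanctioned
flags and the log lines are constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Optional, Tuple

AppInfo = Tuple[str, str, int, bool]  # (name, function, reputation, sanctioned)

# Constructed catalog keyed by registrable domain.
CATALOG: Dict[str, AppInfo] = {
    "example-docs.com": ("ExampleDocs", "collaboration", 92, True),
    "example-share.net": ("ExampleShare", "file sharing", 55, False),
    "example-paste.org": ("ExamplePaste", "file sharing", 30, False),
    "example-crm.com": ("ExampleCRM", "crm", 88, True),
}

# Constructed proxy log in CSV form.
PROXY_LOG = """\
ts,user,method,host,bytes_out
2021-01-14T09:01:10Z,alice,GET,app.example-docs.com,512
2021-01-14T09:02:33Z,alice,PUT,upload.example-share.net,7340032
2021-01-14T09:05:02Z,bob,POST,upload.example-share.net,1048576
2021-01-14T09:06:20Z,frank,GET,www.example-share.net,256
2021-01-14T09:06:44Z,carol,POST,example-paste.org,20480
2021-01-14T09:07:12Z,dave,GET,www.example-crm.com,2048
2021-01-14T09:08:59Z,erin,POST,unknown-saas.example,4096
"""

UPLOAD_METHODS = {"POST", "PUT"}
MIN_REPUTATION = 40  # assumed policy threshold


def classify(host: str) -> Optional[AppInfo]:
    """Map a hostname to a catalog entry by walking up its labels.

    upload.example-share.net matches example-share.net; unknown hosts give None.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = CATALOG.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def decide(method: str, host: str) -> Tuple[str, str]:
    """Policy by application name, function, reputation and the action performed."""
    app = classify(host)
    if app is None:
        return "review", "unknown cloud service (possible shadow IT)"
    name, function, reputation, sanctioned = app
    if reputation < MIN_REPUTATION:
        return "block", f"{name}: reputation {reputation} below {MIN_REPUTATION}"
    if not sanctioned and method.upper() in UPLOAD_METHODS:
        return "block", f"{name}: upload to unsanctioned {function} app"
    if not sanctioned:
        return "alert", f"{name}: unsanctioned {function} app, read-only access"
    return "allow", f"{name}: sanctioned {function} app"


def enforce(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (user, host, action, reason) for every proxy log row."""
    out = []
    for row in csv.DictReader(StringIO(log_text)):
        action, reason = decide(row["method"], row["host"])
        out.append((row["user"], row["host"], action, reason))
    return out


def shadow_it_report(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Per unsanctioned or unknown app: (distinct users, bytes sent out)."""
    users = defaultdict(set)
    sent = defaultdict(int)
    for row in csv.DictReader(StringIO(log_text)):
        app = classify(row["host"])
        if app is not None and app[3]:
            continue  # sanctioned: not shadow IT
        key = app[0] if app is not None else f"unknown:{row['host']}"
        users[key].add(row["user"])
        sent[key] += int(row["bytes_out"])
    return {key: (len(users[key]), sent[key]) for key in users}


if __name__ == "__main__":
    for user, host, action, reason in enforce(PROXY_LOG):
        print(f"{action:6} {user:6} {host:26} {reason}")
    for app, (n_users, n_bytes) in shadow_it_report(PROXY_LOG).items():
        print(f"shadow IT: {app} used by {n_users} user(s), {n_bytes} bytes out")
```

The policy order matters: reputation is checked before the sanctioned flag, so even a sanctioned app is blocked if its score collapses, and uploads to unsanctioned apps are treated more strictly than reads. The “review” verdict for hosts absent from the catalog is what surfaces shadow IT for follow-up rather than silently allowing it.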
The use of cloud applications is only going to continue to grow. Actionable threat intelligence can provide critical data around which cloud applications are being used within an organization, how they are being used, and what their security reputations may be. Armed with this kind of visibility and security information, enterprises, businesses, and the CASB and security providers who serve them can reduce risk and minimize shadow IT for a stronger overall cyber resilience posture. Learn more about this new service and its applications in our datasheet.
Skyrocketing Bitcoin prices prompt resurgence in mining malware
As the price of the cryptocurrency Bitcoin pushes record highs, there’s been a corresponding resurgence in cryptomining malware. Illicit miners had slipped off the radar as Bitcoin’s value plummeted in recent years, but now authors are hoping to profit off the latest price increase. Researchers have identified multiple forms of cryptominers, from browser-based applications to fileless script miners used against a variety of system configurations.
Major increase in malicious vaccine-related domains
The number of domains containing the word “vaccine” has increased 94.8% in the month since the first COVID-19 vaccine became publicly available. As with malicious COVID-related domains registered since March of last year, cybercriminals are taking advantage of the pandemic’s hold over the public’s consciousness in order to turn a profit. With over 2,000 new domains with COVID-related keywords, finding accurate and reliable information has become more difficult.
Millions of Nitro PDF user records leaked
A database containing over 77 million user records belonging to Nitro PDF has been found available for almost nothing on a dark web marketplace. The data was leaked in an October data breach, which Nitro confirmed, and was bundled for auction with a high price tag. Now, several months later, a member of the hacking group ShinyHunters has released access to the download link for a mere $3.
Scottish environmental agency falls victim to ransomware attack
Officials at the Scottish Environment Protection Agency (SEPA) have confirmed that data stolen in a ransomware attack last month has been posted for sale on the dark web by the group behind the Conti ransomware variant. While it remains unclear how the attackers gained access to the agency’s systems, many of the infected systems are still not operational and have no timetable for a return to service.
Hackers leak nearly 2 million Pixlr records
The ShinyHunters hacking group posted a database containing nearly 2 million user records for the Pixlr photo editing application to the web in recent days. The group claims to have stolen the database during a breach at another photo site, 123rf. Both sites are owned by the company Inmagine. Though Pixlr has yet to confirm the breach, it’s recommended users change passwords on Pixlr and any other sites sharing the same login credentials.
Webroot BrightCloud® Threat Intelligence relies on the collective power of millions of devices working together. But what sometimes gets lost are the actual humans behind bringing this technology to market. In this Employee Spotlight, we talk to Account Development Executive Jordan Gray, who works with C-level executives to integrate threat intelligence solutions within their environments.
What brought you to Webroot?
In 2018, I was looking for a career change away from insurance. After doing some extensive research into the market, I decided that the tech industry, particularly in Ireland, was right for me as more and more tech companies start setting up offices here. After initially setting up a call with a recruiter to discuss a role at Webroot, I fell in love with the product and company vision. The rest is history!
What is your role in the company?
My main role requires me to conduct high level discovery calls and sessions to BANT qualify C-Level and VPs before passing qualified opportunities onto our Sales Director to discuss integration and pricing in detail.
Have you ever had any close calls with malicious actors?
Thankfully, I never had any close calls with real malicious actors. However, about six months into my role at Webroot, I was successfully phished by our IT department, who were sending out simulated phishing emails at the time. They sent me a delivery notice from a courier that was sending me a parcel and I clicked the link without checking. Nonetheless, I brushed up on my security awareness training afterwards! Lesson learned for me.
What are the top three malicious actors you think people should be concerned about?
Coronavirus scams are spreading nearly as fast as the virus itself. As of Jan. 3, the Federal Trade Commission (FTC) had logged more than 298,000 consumer complaints related to COVID-19 stimulus payments, 68 percent of them involving fraud or identity theft. They’ve also shut down hundreds of suspected phishing sites, which promise vaccines and other aid. That being said, our Tier-1 URL filtering can really help organizations block access to malicious sites keeping them and their customers safe.
Malware is the second big threat facing businesses. It encompasses a variety of cyber threats, such as trojans and viruses. It’s a general term for malicious code that hackers create to gain access to networks, steal data or destroy data on computers. Malware usually comes from malicious website downloads, spam emails or from connecting to other infected machines or devices. Businesses can stay safe by using Webroot’s industry leading endpoint protection.
Ransomware is one of the most common cyber-attacks, hitting thousands of businesses every year. They’ve grown more common recently, as they are one of the most lucrative forms of attacks. According to Forbes, ransomware payments have more than doubled in the last 12 months.
How have malicious threats evolved since the early days of the internet to now?
Cyber threats are evolving every day. Hackers are constantly looking for new ways to exploit individuals and organizations. It’s becoming easier for even amateur hackers to access high-level malicious software, with the availability of ransomware as a service (RaaS). This allows highly skilled cyber criminals to create malware and sell it off to other cyber criminals, making a profit without the risk of deploying the malware themselves.
How have our defenses evolved to match the growing threats that malicious actors represent?
Webroot is currently using 6th Generation machine learning (ML), which uses complex neural networks that allow the machine to more accurately and autonomously identify relevant patterns and concepts within continually growing amounts of telemetry from Webroot customers.
What specifically is Webroot doing with regards to its threat intelligence platform to combat these increasingly sophisticated attacks?
Webroot’s threat intelligence platform continues to improve every day. We have a uniquely diverse customer base, from consumers to small and midsize businesses and all the way up to the enterprise. So, we see every type of online threat. Also, we have started to work more closely with our partners to identify how we can solve industry problems such as the cloud access security broker (CASB) market and become leaders within these market segments.
Where do you think the future of threat intelligence is headed?
The market is still growing. Research suggests threat intelligence could be a $13 billion market by 2023. Organizations of all sizes are starting to use threat intelligence. I personally think cybersecurity will move from reactive to proactive. Threat intelligence will effectively predict and prevent attacks at the earliest stage, and sooner or later, underpin the whole concept of proactive cybersecurity and organizational risk.
What else are you into besides threat intelligence?
I am a big football fan, or soccer as the guys in the U.S. would say. In my free time, you’d find me watching Manchester United play while having a Guinness or spending time going on road trips with my girls when COVID and the weather permits.
Top gaming companies positioned to be next major cyberattack target
After healthcare and higher education emerged as lucrative targets for cyberattacks in 2020, researchers have identified the video gaming industry as another key target. By scouring the dark web for stolen data belonging to any of the top 25 largest gaming firms, they discovered over a million unique, newly uploaded accounts. Additionally, researchers found credentials for over 500,000 gaming company employees that were exposed in previous data breaches and reused across multiple accounts.
Hardcoded backdoors discovered in Zyxel devices
Researchers recently stumbled upon an undocumented admin account with hardcoded login credentials on multiple Zyxel devices, granting full access to devices commonly used to monitor internet traffic. The issue was first spotted when several warnings were raised for unauthorized login attempts using admin/admin as the username and password, presumably in hopes of accessing other unprotected devices on the network. The undocumented account can only be reached through an SSH connection or the web interface, and could be an issue for over 100,000 Zyxel devices currently connected to the internet.
Vodafone operation reveals major data breach
Vodafone’s budget operator ho. Mobile has revealed that its systems were compromised late last month and that a database containing sensitive information belonging to nearly 2.5 million customers was leaked. Along with personally identifiable information, the database includes customer SIM card data, which can be used to enable SIM-swap attacks that let attackers take over specific users’ phone numbers and the messages sent to them. The stolen database has been for sale on a dark web marketplace for a starting price of $50,000 since shortly after the attack was discovered.
ElectroRAT quietly steals cryptocurrency across multiple operating systems
After operating for nearly a year, the silent cryptocurrency stealer ElectroRAT has finally been identified. It uses multiple Trojanized apps to operate on Windows, Mac and Linux systems. To make these malicious apps appear more credible, the authors placed advertisements on social media and cryptocurrency-related websites, which led to thousands of installations. By spreading the attack across multiple operating systems, the attackers increased their chances of accessing information of value.
Vancouver’s TransLink Suffers Ransomware Attack
Nearly a month after officials identified technical issues with IT systems at Metro Vancouver’s TransLink transportation authority, the interruption was discovered to be the work of the Egregor Ransomware group. While the attack didn’t compromise customer data, it is believed that employee banking and personal information was stolen. TransLink employees are working to restore systems to proper functionality, though some seem to have been more damaged than others.