It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage. This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide”, really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain. If you manage infosec for your organization or are in the bad-guy hunting business, I highly recommend this information- and idea-packed 45 minute talk by Dave Sharpe (@sharpesecurity). I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big. Best con talk I have watched in a long time.
What security people need to understand is that the end users are not the problem. The end users are our customers (and one of the main reasons we have jobs). The problem arises from the increasing sophistication of attackers and their tools and ruses. In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money). Since then, the attackers have been getting better and better at their jobs. They send very professional-looking email and social media bait which is very hard to distinguish from legitimate messages. They do their homework, mining social media for personal and business information to make their clickbait more convincing. End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.
I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks. It has a great return on investment for just about every organization.
We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them. Organizations need to beef up their email security, adding things like pre-delivery attachment analysis, real-time checking of clicked URLs both at the time of message delivery and at the time the user clicks, and sandboxing tools (EMET is free and pretty effective).
End users are not stupid. They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day. We have to step up our efforts to protect them, not call them a problem. That’s what we get paid for.
There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files. My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs. For those with more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.
I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non-security-focused folks.
It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine. If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection. So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.
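As an added example (not code from the post, from malwr.com or from the Cuckoo project), here is a small triage script that pulls the four things the post lists (spawned processes, files written, registry keys, network activity) out of a sandbox report and treats a report that shows no activity at all as inconclusive rather than clean, for exactly the sandbox-evasion reason above. The report layout and key names are an assumption modelled on Cuckoo’s report.json, and the sample report is constructed.

```python
import json

# Constructed sample shaped like a Cuckoo-style report.json. The key names
# ("behavior", "summary", "network") are an assumption modelled on Cuckoo's
# output and are not taken from a real malwr.com report.
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [
            {"pid": 1200, "ppid": 900, "process_name": "invoice.exe"},
            {"pid": 1332, "ppid": 1200, "process_name": "cmd.exe"},
        ],
        "summary": {
            "files": ["C:\\Users\\user\\AppData\\Roaming\\svc.exe"],
            "keys": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
        },
    },
    "network": {"hosts": ["203.0.113.10"], "domains": [{"domain": "example.net"}]},
})

def summarize(report_json):
    """Extract spawned processes (as parent -> child name pairs), files,
    registry keys and network contacts from the report; missing sections
    simply yield empty lists."""
    r = json.loads(report_json)
    beh = r.get("behavior", {})
    summ = beh.get("summary", {})
    net = r.get("network", {})
    procs = beh.get("processes", [])
    by_pid = {p["pid"]: p["process_name"] for p in procs}
    return {
        "process_tree": [(by_pid.get(p["ppid"], "?"), p["process_name"]) for p in procs],
        "files_written": list(summ.get("files", [])),
        "registry_keys": list(summ.get("keys", [])),
        "hosts": list(net.get("hosts", [])),
        "domains": [d["domain"] for d in net.get("domains", [])],
    }

def verdict(s):
    """No child processes, files, keys or network activity may mean a clean
    file or malware that noticed the sandbox and went quiet, so the answer
    is 'inconclusive', never 'clean'."""
    children = s["process_tree"][1:]  # first entry is the sample itself
    if not (children or s["files_written"] or s["registry_keys"]
            or s["hosts"] or s["domains"]):
        return "inconclusive"
    persistence = any("\\run\\" in k.lower() for k in s["registry_keys"])
    if persistence or s["hosts"] or s["domains"]:
        return "suspicious"
    return "activity observed"
```

Run `verdict(summarize(SAMPLE_REPORT))` to see the constructed sample flagged as suspicious (Run-key persistence plus outbound network contact).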
Another day, another Android vulnerability which allows malicious actors to inject malicious code into Android applications without triggering cryptographic safeguards. And another reason to refrain from using app stores other than Google Play for the time being.
Some spear phishing wisdom from Security BSides SFO today…
Rohyt Belani of PhishMe told an interesting story highlighting just how much research attackers do when choosing their targets and crafting spear phishing payloads. In an attack on an energy company, employees received an email appearing to be from the company’s HR department offering information on discounted health care premiums for employees with more than 3 children. The only employees to receive the message? The two people at the company with 4 or more children.
This raises two issues for InfoSec professionals…
First, the attackers are doing their homework, people. They are taking the time to craft their social engineering payloads in ways that are aimed at very specific individuals. This means (IMHO) that they are extremely motivated – most probably by money or ideology.
Second, our coworkers are helping the attackers with their targeting by sharing all sorts of personal information via social networking platforms. We need to educate them about:
+ The fact that their social media profiles are visible not only to friends and family, but also bad guys who will use that information to craft their attacks. The “familiarity cues” which we tend to use to determine whether a message or request is from a friend or a foe just don’t work anymore.
+ Their ability to control who sees their social networking information by using the privacy features offered by Facebook, LinkedIn, and to a lesser extent, Twitter. They need to think about what they are posting and who will see it – not only to protect the company, but to protect the privacy of themselves and their families.
While we put all sorts of technical solutions in place to protect our systems and information from malware, our users are the front line defense against the most serious threats we face. Educating them to be aware of how their actions both inside and outside the office affect the organization’s security is one of the most important tasks we face as InfoSec professionals.
According to a recent study by security firm Symantec, you are far more likely to encounter malware when visiting religious web sites than when visiting, ahem, adult sites. In an article describing the finding, Network World had this to say:
Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site–a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.
Apple has been getting some grief over the past week or so for their handling of the “FlashBack” trojan which infected over 500,000 Mac users worldwide. Well, yesterday, they released a new Java patch to address Flashback, and it has some interesting properties:
+ It looks for and removes FlashBack
+ It requires users to specifically enable Java on their systems
+ It automatically disables Java if no Java applets are run for “an extended period” – some bloggers are stating that this period is 35 days.
I’m glad Apple is taking these steps – if users are not using Java, disabling it will protect them from the rising tide of Java-based malware that is out there. I just hope that the process for re-enabling Java when needed is made easy for the non-technical user. It would be nice if Apple added a feature to “Software Update” which would be a little more proactive in nagging users to install security-related updates as well.