Showing posts with label Analytics. Show all posts

Striking a Blow against El Machete

Alfred Chung

There’s a renewed weapon of malware destruction in the fields of war, and it goes by the name “Machete.” A targeted attack campaign that kicked off in 2010 and now boasts an improved infrastructure, Machete has mostly hit victims in Ecuador and Venezuela, with a smattering of victims in other countries from the U.S. to Malaysia. Some of those affected are reportedly military and intelligence organizations, embassies, and government agencies.

Machete is cyber-espionage malware that can log keystrokes, capture audio from a computer’s microphone, grab geolocation data, and copy files to a remote server or even to a special USB device, among other things.

Hiding in Plain Sight: Spotting Botnet Activity in the UDP Channel with EnCase Analytics

Alfred Chung

In its 2014 Application Usage and Threat Report, Palo Alto Networks shared their finding that hackers are using old-school exploit techniques in new ways and in new places. Their research found that common network applications such as FTP, RDP, SSL, NetBIOS, and UDP are being used as gateways or pivot points to communicate directly with endpoints for the purpose of data exfiltration.

The company’s analysis showed that nearly all threat activity was visible in only a small number of applications, and that “nearly 99 percent of all malware logs were generated by a single threat across a single application: unknown UDP.” UDP has become the command-and-control channel for botnets as a safe place to “hide in plain sight,” with the ZeroAccess botnet generating the heaviest amount of malware activity. 

Detecting and Mitigating a CryptoLocker Attack with EnCase

Alfred Chung

The most recent Verizon Data Breach Investigations Report (DBIR) revealed that crimeware is a serious problem for the construction, information, and utilities industries, representing over 30 percent of incidents. Among the most devilish in the ransomware trojan category is CryptoLocker.

How CryptoLocker Works

CryptoLocker arrives as a ZIP file attached to a seemingly innocent email. Once unzipped, the malware installs its payload in the user profile folder, adds a registry key so that it runs on startup, then starts phoning home to a command-and-control server. Once connected, the server generates a 2048-bit RSA key pair and sends the public key back to the infected computer; the malware then encrypts files across local hard drives and mapped network drives with that public key and logs each encrypted file to a registry key. At that point, the user gets a message that his or her files have been encrypted and a Bitcoin ransom is demanded.

The Heartbleed Bug: Proof of the Open-Source Concept

Jason Fredrickson

So the Heartbleed bug within OpenSSL has caused a big ruckus this week. OpenSSL is one of the most widely used encryption software programs on the planet, and rightly so. This means that most of us (we billions of users of some of the most highly trafficked and trusted retail, search, and web services sites) may have unwittingly allowed our passwords and other sensitive information to be compromised within the last couple of years or so with absolutely no idea that this was happening.

So how did this vulnerability go undetected for the past year and a half by the legions of volunteer experts who have access to the code? Isn't open-source software meant to be more secure because it has such unlimited availability for review by the best of the best?

In a word, yes.

ATM Hacks: Spotting Attacks that Begin with Valid Login Credentials

Alfred Chung

There’s a new hack in town, and the U.S. Secret Service calls it “Unlimited Operation.” Targeting ATMs belonging to small- and medium-sized banks, the hackers use stolen credentials to log in to the ATM systems’ remote admin panels and change the cash withdrawal limits to “Unlimited.” They then use stolen debit cards to withdraw as much cash as possible—sometimes more than victims actually have in their accounts.

Why Signature-Based Cyber-Defenses are Bound to Fail

Sam Maccherola

You will never see an alert from your security information and event management (SIEM) tool for a zero-day attack. There is no signature in your blacklist for the malware that was custom-built for your organization and secretly colonized your mail server a month ago. No indicator, no pattern match, no alert.

Why is this the case? Because malware is constantly morphing, and because the sophisticated and dedicated minds under those black hats are working night and day to design a data breach specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.

How Endpoint Security Analytics Could Have Cut the Target Hack Short

Alfred Chung

Recent intelligence about the Target breach, its scope, and its attack vectors has included the fact that memory-scraping malware was instrumental in hijacking credit-card data prior to its encryption for transmission to remote payment processors. Symantec reported on the registry keys and files dropped by the malware that are even now being used by software vendors to update their signature-based antivirus and alerting systems.

The critical point, however, is that the malware that was undoubtedly designed specifically for Target is probably already morphing into something unrecognizable by those signature-based tools for the next organization being drawn into the hackers’ crosshairs. Each organization that is hit with a form of this malware in the future will be on the receiving end of its own, customized attack for which no signature can be created.

Insider Threats in the Federal Agency: Endpoint Security and Human Analytics

Manning, Snowden, Wikileaks… Recent headlines have made the dangers of insider threats for federal agencies even more of a flashing red light than before. The risk of intentional data breaches is a critical problem, but certainly not the only one. The latest report from the Ponemon Institute, the 2013 Cost of Cyber Crime Study: United States, found that more than one third of all data security breaches at government agencies are caused accidentally by internal employees. Intentional or not, both are problematic.

Human error as insider threat
A study by the Privacy Rights Clearinghouse noted not long ago that government agencies have experienced a steady rise in data breaches caused by employees over the last four years. In addition, employee negligence caused over 150 breaches and the loss of more than 92.5 million records since January 2009.

Barbarians Inside the Gate: Finding the Needle in a Data Haystack

Sam Maccherola

Despite most corporations’ robust perimeter security solutions, advanced persistent threats may already have evaded perimeter detection and be lying in wait for some future launch date. Of even more concern is the fact that some of the barbarians who are already past the gate may not be Ukrainian hackers; they may be someone working at a neighboring desk.

Insider Threats: There is something you can do

Some methods for dealing with insider threats are exercised by managers with good people skills and the ability to spot early signs of attitude or work-satisfaction issues. However, the best source of raw intelligence on potential threats in the modern enterprise is found directly at the endpoints such as laptops and servers—the targets of most serious information-security threats.

SANS Survey Reveals Need for Analytics to Tackle Big Data

While organizations are still relying heavily on log management or SIEM platforms, only a small percentage are confident about their ability to analyze large data sets for security trends, according to the newly released SANS Security Analytics Survey.

Guidance Software recently co-sponsored the survey with Hewlett-Packard, Hexis Cyber Solutions (a KeyW Company), LogRhythm, and SolarWinds on awareness and use of analytics and intelligence to augment current monitoring practices.

Announcing EnCase Analytics, the Industry’s First Proactive Endpoint Security Analytics Solution

Just in time for the Department of Homeland Security’s National Cyber Security Awareness Month, Guidance Software has unleashed one of the most powerful weapons in the war against security risks: EnCase® Analytics. In fact, we announced the general availability of EnCase Analytics just yesterday. This is big news for information security, incident response, and risk and compliance teams, because EnCase Analytics gives you something you could never get before: an early look at previously unknown and difficult-to-detect threats through the use of “big data” analytical techniques. It does this by analyzing the reams of data generated by your users’ endpoint activity, producing for the first time a clear picture of organization-wide security risk—both internal and external.

The Cybersecurity Framework: Identification, Collaboration, and Proactive Defense

Alex Andrianopoulos

Think of it as the new arms race: Everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:

  • The bad guys launch a new type or method of attack
  • Some (if not all) organizations attacked are breached
  • Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
  • At least one organization names the new attack method
  • The organization or a security vendor finds a defense to the new threat
  • The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses.

Here is the problem: the delay between a breach, developing a defense, and sharing the solution can take months, if not longer. Why the delay? Because the good guys do not share enough information. The black hats are aggressively sharing techniques and new approaches. Thus, we applaud anything that the government can do to encourage exchange of information on cybersecurity threats and new methods employed by hackers and other cyber-criminals.

Beyond Reactive: Your Security Game Plan

Sandy Lii

The well-known military general and strategist Sun Tzu said it best in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” In today’s war against cybersecurity threats, two types of enemy have been classified: known threats and unknown threats.

The known threats, true to their name, are tracked by their known and readily available signatures and are typically stopped by perimeter security solutions such as antivirus software, firewalls, or SIEM (security information and event management) systems. While these tools are necessary and can be effective at stopping known threats, the unknown threats (the ones with no defined modi operandi or signatures) remain at large within organizations, lurking undetected, waiting for the right moment to strike. Sometimes, these threats can even be a careless or disgruntled employee.

How Many Data Scientists Does It Take to Find the Bug?

Guidance Software

Ideally, zero.

When thinking about corporate security teams, we often conjure up the image of a large group of people with state-of-the-art technology, monitoring end-users’ every action, 24x7. The reality is that corporate security teams are often under-staffed and can barely keep up with reacting to the threats that have already surfaced, let alone looking at all the endpoints at Big Data scale.

And as much as I live and dream Big Data, I cannot deny that without analytics, Big Data is just noise. Regardless of the sources and richness of the data, Big Data in itself does not provide big insights. That said, you would think almost every organization would embark on the journey to Big Data analytics to improve operations and enterprise security. The reality is, the desire to do Big Data analytics is often extinguished by these challenges: