Showing posts with label Threat hunting. Show all posts

Striking a Blow against El Machete

Alfred Chung

There’s a renewed weapon of malware destruction in the fields of war, and it goes by the name “Machete.” A targeted attack campaign that kicked off in 2010 and now boasts an improved infrastructure, Machete has mostly hit victims in Ecuador and Venezuela, with a smattering of victims in other countries from the U.S. to Malaysia. Some of those affected are reportedly military and intelligence organizations, embassies, and government agencies.

Machete is cyber-espionage malware that can log keystrokes, capture audio from a computer’s microphone, grab geolocation data, and copy files to a remote server or even to a special USB device, among other things.

Black Hat 2014: Live Demo of Threat Detection and Intelligence for EnCase

We invited Jessica Bair, one of the ThreatGRID experts with whom we have partnered at Cisco, to write a guest blog post for us about their upcoming presentation in our booth at Black Hat 2014, and she has delivered. We welcome her and Cisco SourceFire and ThreatGRID to our Guidance Software booth #1141--and to the Endpoint Intelligence blog.

The threat landscape is rapidly evolving and organizations are having a harder time keeping up. The negative consequences of security incidents continue to be more impactful. The trends, unfortunately, are favoring the adversaries:

  • Attackers are getting better and faster than the defenders. Attackers now compromise organizations in days or even hours, while it takes defenders weeks or even months to discover that they have been compromised. This gap is increasing.
  • The number of incidents detected continues to grow. Organizations are detecting 25 percent more incidents than last year. While some of this may be the result of better detection, it still points to the growing number of incidents that need to be responded to and handled--not to mention the time pressure.
  • The financial costs of incidents are rising, particularly among organizations reporting high dollar-value impact.
  • There is a major shortage of skilled cybersecurity professionals, more than any other role within IT.
What is required is a threat-centric, integrated solution for breach detection, threat analysis, and remediation. Guidance Software, Inc. partnered with SourceFire and ThreatGRID (both now part of Cisco) for a best-in-class integrated approach:

The combined approach provides you with efficient and rapid incident response, including:

  • Proactive breach and threat detection with SourceFire NGIPS
  • Analysis of unknown threat files in ~5-30 minutes with ThreatGRID
  • Remediation across the enterprise with EnCase Cybersecurity
The business value and benefits are immediate and lasting. Our combined approach:

  • Decreases the time between detection and remediation
  • Increases the productivity and efficiency of security professionals to manage threats
  • Reduces risks and associated costs by lowering the exposure to related breaches
  • Increases the accuracy of malware analysis and threat intelligence.
We invite you to come see a live demonstration of this integration in action at Black Hat 2014. The demonstration will be held at 1:50 p.m. on Thursday, August 7 in the Guidance Software theater in booth #1141. Security experts will be on hand to answer your questions and discuss how you can improve your breach detection, conduct efficient threat analysis, and complete rapid, enterprise-wide remediation. See you there!

Jessica Bair, EnCE, EnCEP
Sr. Manager, Business Development
Advanced Threat Solutions - Cisco Security Group

The Heartbleed Bug: Proof of the Open-Source Concept

Jason Fredrickson

So the Heartbleed bug within OpenSSL has caused a big ruckus this week. OpenSSL is one of the most widely used encryption software programs on the planet, and rightly so. This means that most of us, the billions of users of some of the most highly trafficked and trusted retail, search, and web services sites, may have unwittingly allowed our passwords and other sensitive information to be compromised within the last couple of years or so with absolutely no idea that this was happening.

So how did this vulnerability go undetected for the past year and a half by the legions of volunteer experts who have access to the code? Isn't open-source software meant to be more secure because it has such unlimited availability for review by the best of the best?

In a word, yes.

ATM Hacks: Spotting Attacks that Begin with Valid Login Credentials

Alfred Chung

There’s a new hack in town, and the U.S. Secret Service calls it “Unlimited Operation.” Targeting ATMs belonging to small- and medium-sized banks, the hackers use stolen credentials to log in to the ATM systems’ remote admin panels and change the cash withdrawal limits to “Unlimited.” They then use stolen debit cards to withdraw as much cash as possible—sometimes more than victims actually have in their accounts.

RDP Hacks: Thwarting the Bad-Guy Network

Jason Fredrickson

Brian Krebs of Krebs on Security just posted an article on RDP hacks that exploit weak or default login credentials, and goes on to describe how that provides the basis for a cybercrime business. His article explains that Makost[dot]net rents access to more than 6000 poorly configured and, therefore, compromised Remote Desktop Protocol (RDP)-enabled servers around the globe. As Krebs says, “…the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password.” It’s a classic brute-force attack and it’s aimed directly at an extremely weak target.

Many people on first reading this would consider this capability a “vulnerability” of Windows, but that’s like saying that an automated teller machine (ATM) has a “vulnerability” that allows you to get cash from your bank account. It’s a feature of the operating system and Windows is not alone in exposing functionality like it.