May 14th, 2013 | Posted By Mike Horn
CSO Online recently reported that many cybercriminals are still targeting outdated operating systems and browsers. At many organizations, some population of users is typically stuck on older generations of Windows and the browsers that ship with them.
The report highlighted that attackers, who were suspected of being nation state attackers, know that public sector users are often unable to upgrade their systems to the latest versions of OSs and applications, either due to limited funding or limited resources. New attacks are frequently crafted against these outdated systems, rendering the traditional security solutions ineffective.
Making the problem even worse, attackers are attempting to mask their code with what appear to be legitimate names. The report highlighted that in the attack targeting the Department of Justice, the malware was masking its callback servers by including the phrase “microsoftUpdate”. This is clearly an attempt to disarm even the most vigilant and security-conscious users.
The behavior of this particular attack is similar to that of many zero-day attacks, which rely on Command and Control (C&C) servers to successfully deploy the malicious code and eventually exfiltrate the data the attackers are seeking. While there is no silver bullet for stopping these ongoing advanced attacks, it is important to be able to respond and contain the attack as soon as it is detected.
By implementing a combination of advanced malware detection solutions, security devices like firewalls & web proxies and our Threat Response platform, organizations can coordinate an immediate containment and response strategy. Containment can include simply blocking just the individual user from connecting out to the C&C servers, or it can include proactively protecting all of an organization’s users from this particular attack.
This proactive protection is achieved by detecting the initial vector of the attack and immediately extending protection to every user in the organization, all while utilizing your existing firewall and other perimeter security devices.
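The “microsoftUpdate” callback trick above is one a web proxy or DNS log can be checked for: a hostname that borrows a vendor brand but is registered outside that vendor’s own domains. The following is an added example, not code from the original post or from NetCitadel; the proxy log lines are constructed, and the allowlist of legitimate update domains and the brand tokens are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines (not from the original post): timestamp, user, destination host, path.
SAMPLE_PROXY_LOG = """\
2013-05-13T09:12:01 user=alice host=update.microsoft.com path=/windowsupdate/v6/default.aspx
2013-05-13T09:12:44 user=bob host=microsoftupdate.example-cdn.net path=/check.php?id=7
2013-05-13T09:13:10 user=carol host=microsoftupdate.example-cdn.net path=/check.php?id=9
2013-05-13T09:14:02 user=dave host=www.windowsupdate.com path=/
2013-05-13T09:15:33 user=erin host=ms-update-microsoftupdate.biz path=/update.bin
"""

# Assumed allowlist of registered domains that legitimately serve Microsoft updates;
# a real deployment would maintain this from vendor documentation, not hard-code it.
LEGITIMATE_DOMAINS = {"microsoft.com", "windowsupdate.com"}

# Vendor-brand tokens an attacker might embed in a callback name so it reads as benign.
BRAND_TOKENS = ("microsoftupdate", "windowsupdate", "microsoft")

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$")


def registered_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com/.net/.biz; use a public-suffix list for ccTLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True when the name borrows a vendor brand but is registered outside the vendor's own domains."""
    h = host.lower()
    return any(tok in h for tok in BRAND_TOKENS) and registered_domain(h) not in LEGITIMATE_DOMAINS


def parse_proxy_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_lookalike_callbacks(text):
    """Map each suspicious host to the sorted list of users that contacted it."""
    hits = defaultdict(set)
    for ev in parse_proxy_log(text):
        if is_lookalike(ev["host"]):
            hits[ev["host"]].add(ev["user"])
    return {h: sorted(u) for h, u in hits.items()}


if __name__ == "__main__":
    for host, users in find_lookalike_callbacks(SAMPLE_PROXY_LOG).items():
        print(f"{host}: {', '.join(users)}")
```

The user list per host is what drives the containment decision the post describes: a host seen from one user can be blocked for that user alone, while one seen from several users is a candidate for an organization-wide block.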
May 1st, 2013 | Posted By Mike Horn
As we talk with organizations about security events and our upcoming Threat Response solution one common discussion we have is the difference between containment and remediation.
When a security event is first detected, whether that’s by a SIEM or APT detection device like FireEye, that event typically goes into some type of incident response process. Depending on the size of the organization this might be a dedicated incident response team or it could be the “security guy” on the IT team.
Regardless of the size of the organization, one critical first step when a security event is detected is to contain the threat in order to prevent data loss and avoid the infection spreading to other machines. Not all organizations have the manpower to do this, but almost everyone we talk with aspires to be able to quickly contain security threats as they are detected.
Typically containment will include a wide variety of activities such as adding an IP address to a “block list” on a firewall or quarantining the infected user onto a dedicated remediation VLAN. Usually the goal is to quickly restrict network access in order to buy more time to investigate and determine what, if any, remediation actions should be taken.
Remediation on the other hand often involves steps like cleaning a user’s PC or even re-imaging the system depending on the level of infection and sensitivity of data. This can be a much more involved process and one that you don’t want to rush into.
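To make the containment/remediation split concrete, here is an added example (not code from the original post or from NetCitadel) that models containment as immediate, reversible network actions with a hold window, and remediation as a separate, later decision owned by a different team. It also shows the per-user versus organization-wide block choice from the earlier post. The detection events, the VLAN id and the team name are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed detection events (not from the original post): a SIEM or APT-detection
# appliance reports an internal host talking to a suspected C&C address.
SAMPLE_EVENTS = [
    {"id": "evt-1", "host": "ws-0417", "src_ip": "10.20.4.17", "c2_ip": "198.51.100.23", "severity": "high"},
    {"id": "evt-2", "host": "ws-0522", "src_ip": "10.20.5.22", "c2_ip": "198.51.100.23", "severity": "high"},
    {"id": "evt-3", "host": "ws-0901", "src_ip": "10.20.9.1", "c2_ip": "203.0.113.7", "severity": "medium"},
]
EXAMPLE_NOW = datetime(2013, 5, 1, 9, 0, 0)
QUARANTINE_VLAN = 999  # assumed id of the dedicated remediation VLAN


@dataclass
class Containment:
    event_id: str
    actions: list          # network changes to apply now; all reversible
    applied_at: datetime
    expires_at: datetime   # how long the restriction buys the investigators


@dataclass
class Remediation:
    event_id: str
    task: str              # "clean" or "reimage"
    owner: str             # typically a different team than the one doing containment
    status: str = "pending"


def contain(event, now, hold_hours=24):
    """Immediate per-user containment: deny this source to the C&C address and, for high severity, move the host to the remediation VLAN."""
    actions = [f"firewall: deny {event['src_ip']} -> {event['c2_ip']}"]
    if event["severity"] == "high":
        actions.append(f"switch: move {event['host']} to VLAN {QUARANTINE_VLAN}")
    return Containment(event["id"], actions, now, now + timedelta(hours=hold_hours))


def org_wide_blocks(events):
    """When one C&C address shows up on more than one host, a destination-only rule also protects users not seen yet."""
    hosts_by_c2 = {}
    for e in events:
        hosts_by_c2.setdefault(e["c2_ip"], set()).add(e["host"])
    return [f"firewall: deny any -> {ip}" for ip, hosts in sorted(hosts_by_c2.items()) if len(hosts) > 1]


def plan_remediation(event, sensitive_data=False):
    """Remediation is decided after investigation, not at detection time: reimage when the data is sensitive or the infection is severe, otherwise clean."""
    task = "reimage" if sensitive_data or event["severity"] == "high" else "clean"
    return Remediation(event["id"], task, owner="desktop-support")


def expired_without_decision(containments, remediations, now):
    """Containments whose hold window has lapsed while the remediation ticket is still pending; these need a decision, not a silent unblock."""
    pending = {r.event_id for r in remediations if r.status == "pending"}
    return [c.event_id for c in containments if c.expires_at <= now and c.event_id in pending]


def run_example(now=EXAMPLE_NOW):
    containments = [contain(e, now) for e in SAMPLE_EVENTS]
    remediations = [plan_remediation(e) for e in SAMPLE_EVENTS]
    return {
        "per_user_actions": [c.actions for c in containments],
        "org_wide": org_wide_blocks(SAMPLE_EVENTS),
        "remediation_tasks": [r.task for r in remediations],
        "overdue_after_1h": expired_without_decision(containments, remediations, now + timedelta(hours=1)),
        "overdue_after_25h": expired_without_decision(containments, remediations, now + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The point of the expiry check is that a block list tends to grow silently; recording when each containment was meant to be revisited keeps the remediation decision from being skipped once the immediate pressure is gone.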
Due to resource constraints organizations are often forced to choose between containment and remediation, but we believe they are both critical elements to a successful security incident response. Organizational politics can also come into play since containment and remediation activities are done by different groups in the IT organization.
As we’ll be exploring in the coming weeks and months, our Threat Response solution is designed to quickly and effectively help organizations contain security events as they are detected, buying critical time for resources to investigate the issue at hand.
Stay tuned…
April 18th, 2013 | Posted By Mike Horn
You probably already saw it, but earlier this week there was a US-CERT announcement about a botnet-based attack that’s attempting to brute force passwords for the default admin account in WordPress.
The attack targeted tens of thousands of WP sites. It’s unclear how many sites might have been compromised, or what the perpetrators of the attack plan to do with these compromised sites, but one obvious concern is that these sites will be used to host malware for future attacks. By compromising legitimate sites and using them to distribute malware, it becomes more difficult to protect users through common sense approaches and systems like web proxies.
A recent example of this was when NBC.com was compromised. When a popular legitimate site becomes the source of malware infections the risk of infection for even well behaved users goes up dramatically.
These types of attacks just reinforce the need for defense-in-depth architectures and the need to stay constantly vigilant and ready to respond quickly to new attacks.
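For a site owner, the first sign of the WordPress brute-force campaign above is the web server’s own access log. The following is an added example, not code from the original post or from NetCitadel, that flags both a single source hammering wp-login.php and the botnet pattern of many sources each making a few attempts. The log lines are constructed, and the example assumes WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache-style access-log lines (not from the original post). The example
# assumes WordPress re-renders the form with HTTP 200 on a failed login and redirects (302)
# on success, so "POST /wp-login.php -> 200" is treated as a failure.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [15/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
192.0.2.10 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
198.51.100.7 - - [15/Apr/2013:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 3456
198.51.100.7 - - [15/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [15/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.5 - - [15/Apr/2013:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def parse_access_log(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def failed_logins(text):
    """(ip, timestamp) for every POST to wp-login.php answered with 200."""
    return [(ip, ts) for ip, ts, method, path, status in parse_access_log(text)
            if method == "POST" and path.split("?")[0].endswith("wp-login.php") and status == 200]


def brute_force_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Source IPs whose failed logins reach `threshold` inside any `window`-long span (sliding window per IP)."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def busiest_window(text, window=timedelta(minutes=5)):
    """(failed attempts, distinct source IPs) in the busiest window across all sources.
    Many IPs with few attempts each is the botnet pattern a per-IP threshold misses."""
    events = sorted(failed_logins(text), key=lambda e: e[1])
    best, start = (0, 0), 0
    for end, (_, t) in enumerate(events):
        while t - events[start][1] > window:
            start += 1
        span = events[start:end + 1]
        best = max(best, (len(span), len({ip for ip, _ in span})))
    return best


if __name__ == "__main__":
    print("per-IP brute force:", brute_force_sources(SAMPLE_ACCESS_LOG))
    print("busiest 5-minute window (attempts, distinct IPs):", busiest_window(SAMPLE_ACCESS_LOG))
```

A per-IP threshold alone is the wrong tool for a distributed campaign, which is why the site-wide window count is reported alongside it; either signal is a reason to rate-limit the login endpoint and to make sure the default admin account is not in use.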
April 16th, 2013 | Posted By Mike Horn
Spring is not just for cleaning, it’s also the time of year when security companies release their latest threat reports. And this year’s reports all have a common theme: both the volume and the sophistication of attacks are growing.
For example, in their recently announced 2H2012 threat report FireEye states that “On average, enterprises experience a malware event up to once every three minutes”. And increasingly these attacks are targeted attacks where the attacker is attempting to compromise a specific organization for financial gain.
As any security practitioner knows, security has always been a cat-and-mouse game. The bad guys are always finding new vulnerabilities and the good guys are always scrambling to react to these vulnerabilities. In recent years the ability to detect security breaches, including the dreaded “zero day” attacks, has gone up dramatically. This is due to advances in technologies like virtual sandboxing, network behavior analysis, machine learning among others.
Typically these advanced detection solutions are deployed in “span” or “tap” mode rather than inline, which leaves organizations with the challenge of how to respond to the information they are receiving from their detection systems.
I was recently talking with a very large technology company that spends millions of dollars on “security intelligence” systems that provide advanced security event detection. While they have a pretty streamlined process for responding to detected events, in many cases it still can take hours or days to implement security device updates to block the infection and stop any data loss.
Today’s security intelligence systems provide much richer visibility into what security events are occurring, but as they say, knowing is only half the battle. In our view the ability to rapidly respond to detected events is a critical element of any complete security solution.
NetCitadel’s Threat Response solution is designed to address these challenges. If you are suffering from security event overload, and want an easier way to triage and respond to events, drop us an email at info @ netcitadel.com or register for updates here.