Practical Risk Tolerance

Excellent article on security risk management from Black Swan Security:

“…but I don’t hear any formalisation of measuring and assessing controls that are beyond the Control Tolerance of an organisation. We care about risk tolerances and exceptions, the risk owners care about these but the risk owners and the business managers also care about the ‘Control Tolerance’ or at least they care about controls beyond it.”

“If the practical risk tolerance that the security teams are working to is below the control tolerance then such a reset is inevitable. If the control implementations are below the Control Tolerance but the Risk Tolerance would practically have allowed for less stifling control environments then such a reset will likely not only reduce the impact of stifling controls but also unnecessarily increase the overall risk tolerance and associated exposure to security risk. Ironically over-zealous security controls lead to a less well-secured environment.”



Analyzing Documents for Insights into Malicious Macros

I recently read an interesting piece asking why so many attack and compromise analysis papers and articles focus only on the malware and not on the dropper or document, which is often (and increasingly) the method of initial compromise (via either an infected web page or an attachment). The author (Harlan Carvey) points out that understanding the way in which a document is used (via macros) to infect a target machine gives defenders a lot of useful insight and threat data, which can be used to thwart future (or ongoing) attacks.

“In the output we see what appear to be 2 base64-encoded Powershell commands, one that downloads PupyRAT to the system, and another that appears to be shell code.  Copying and decoding both of the streams gives us the command that downloads PupyRAT, as well as a second command that appears to be some form of shell code.  Some of the variable names ($Qsc, $zw5) appear to be unique, so searching for those via Google leads us to this Hybrid-Analysis write-up, which provides some insight into what the shell code may do.”
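The quoted analysis turns on two steps a defender can script: decoding the base64 (UTF-16LE) blobs that `-EncodedCommand` launchers carry, and pulling out the unusual variable names that serve as search pivots. The Python below is an added illustration, not code from the post or the write-up it cites; the macro string it scans is constructed inline and the encoded command inside it is harmless.

```python
import base64
import re

# Constructed sample of what decoded macro strings might look like: a
# PowerShell launcher carrying a base64 (UTF-16LE) encoded command. The
# command is harmless and built here; it is not from any real sample.
INNER_COMMAND = '$Qsc = "constructed-sample"; $zw5 = 42; Write-Output $Qsc'
SAMPLE_MACRO_OUTPUT = (
    'Shell("powershell.exe -NoP -W Hidden -EncodedCommand '
    + base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode("ascii")
    + '", 0)'
)

# -EncodedCommand and its common abbreviations, followed by a base64 blob
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
VARIABLE_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# PowerShell automatic variables that are useless as search pivots
COMMON_VARS = {"env", "null", "true", "false", "_", "args", "error",
               "psversiontable"}


def decode_encoded_commands(text):
    """Return the decoded PowerShell commands hidden in -EncodedCommand blobs."""
    decoded = []
    for blob in ENCODED_RE.findall(text):
        try:
            # -EncodedCommand takes base64 of the UTF-16LE bytes of the script
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed blob: skip it rather than abort the scan
    return decoded


def pivot_variables(command):
    """Variable names worth searching on (odd-looking, not built-ins)."""
    names = set(VARIABLE_RE.findall(command))
    return sorted(n for n in names if n.lower() not in COMMON_VARS)


def analyse(text):
    """Decode every embedded command and collect pivot variables from each."""
    commands = decode_encoded_commands(text)
    pivots = sorted({v for c in commands for v in pivot_variables(c)})
    return {"commands": commands, "pivots": pivots}


if __name__ == "__main__":
    result = analyse(SAMPLE_MACRO_OUTPUT)
    for cmd in result["commands"]:
        print("decoded:", cmd)
    print("pivots:", result["pivots"])
```

In practice the input would be the string output of a tool such as the one the quoted write-up used, and the pivots would feed a search across sandbox reports and internal telemetry.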

See here for a great write up and deconstruction of one such document:

“Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.”



The Future of Ransomware – It’s Bad & Getting Worse

Schneier has written a great post outlining the current and future risk of criminals, organisations and individuals holding our digitally enabled devices against us for ransom. The impact of this is already being highlighted by attacks like WannaCry and is only going to get more severe in the coming months.

“Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.”



A Private Network for IoT Devices

Cloudflare has just announced an interesting, and potentially game-changing, response to IoT-based threats:

“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.

For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. Lockitron is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.””

Source: https://blog.cloudflare.com/orbit/



Included on the Tech 100 for Scotland

Very happy that I have had something published in the Holyrood Tech 100 magazine! I have included the original piece below, but highly recommend viewing it on their site!

2016 has been notable for some fantastic events, like Andy Murray winning his second Wimbledon title and, of course, the Rio Olympics.

But it has also been notable for a remarkable number of malicious events, for example, the sheer volume and scale of the security breaches suffered by some of the world’s most high-profile firms.

Disturbingly, some of the breaches that made the headlines actually occurred months or even years earlier but were only discovered recently.

Today’s cyber security technologies and processes are designed to flag up anomalies and causes for concern in real time, so these delays in identifying breaches shouldn’t be happening in 2016.

Unfortunately, this trend is unlikely to cease without considerable investment in new tools to detect and adapt to these mounting threats.

It doesn’t take an expert to predict that cyber attacks are set to become even more commonplace during 2017 and the types of threats – external attacks, malicious insider attacks or fraud – even more sophisticated.

In this environment, legacy passive security monitoring is no longer fit for purpose.

Fortunately, these depressing newspaper headlines have kickstarted a counter movement. Business leaders are waking up to the very real risks to the company bottom line and reputation, and are ready to take proactive steps to counter these threats.

In practice this means adopting a new, flexible cyber security strategy that uses big data to facilitate ‘always on’ monitoring, fast incident response and the ability to detect and respond to known, unknown and advanced threats.

During my time with ECS I have helped some of the UK’s largest businesses prepare themselves against cyber threats in this way.

For any business that has ‘better preparation against cyber threats’ on its list of New Year’s resolutions, here’s a handy checklist:

  1. Assume that your computer network – and all devices attached to that network – have been, or currently are, compromised. This will allow you to keep one step ahead of a would-be attacker because you’re operating with the assumption that you’re fighting an active threat, not some old computer virus that just happened to flag up on your antivirus software for the 1,000th time.
  2. Keep a log of everything: every email, every voicemail and every iteration of a customer database. This applies to all data sources and all data types (audio/video/text etc.). This is important because you can’t predict what data will be lost or altered in a breach. If you suffer a breach, you will need to bring back the entire history of your computer systems and network to find out what happened when and hopefully pinpoint the perpetrators. This becomes even more important when would-be perpetrators are intentionally encrypting data for either ransom or destruction. This is often unrecoverable, so back-ups are also for mitigation.
  3. Store all of your data in a big data security hub (e.g. a data lake or pool). This will make it much easier to assess any attempted and successful breaches by giving you the ability to search across all of your data and business silos in real time.
  4. Gain valuable, contextual insights from all of your data by using machine learning and behavioural analytics.

These techniques automate most of the legwork and offer up a detailed analysis of information on users, attacks, context, time and location. This leads to much faster threat identification, investigation and response.

The amount of data involved in the steps above gives a clue to the importance of big data in the fight against data breaches.

And this focus on big data analysis also has another upside: it can be used by line of business managers to help them make more informed business decisions, decisions that have a positive effect on the bottom line.

A recent example involved a national retailer who already had data from its website coming into a big data platform to detect security incidents.

After investigating this data, a number of additional (and more business-relevant) use cases emerged and were subsequently developed.

These included fraud detection on the e-commerce part of the website, and tracking and reporting on user stories as they moved through the website.

This enabled the developers to see and track errors in real time before users started complaining on Twitter.

By automating the collection, processing, enrichment and presentation of all this data – and with the right tools and training – line of business personnel will be motivated to analyse any data relevant to their roles themselves, reducing the burden on the IT team.

This self-service model is the key to a mature, agile, data-driven business, enabling businesses to respond quickly to market changes and so gain competitive advantage.

In summary, today’s threat landscape means that no business should assume it is immune to a cyber attack. In fact every business should assume it has been compromised.

Being at least one step ahead by putting in place a range of proactive processes and measures that instantly alert businesses to potential threats is crucial. Big data platforms offer a solid, data-driven approach to these problems.

Harry McLaren is a security consultant for ECS and won Best New Cyber Talent at the first Scottish Cyber Awards, held last month in Edinburgh.

Original Publication: http://www.holyrood.com/articles/comment/tech-100-%E2%80%98today%E2%80%99s-threat-landscape-means-no-business-should-assume-it-immune-cyber