Blog Posts

Will U.S. Intervention in Syria Influence Escalated Russian Cyber Attacks?

Earlier this week I conducted a follow-up discussion with an industry colleague about global cyber attack activity, specifically related to Russia and the situation in Syria. It was a valuable conversation so I want to share my thoughts on the topics we debated.

Our dialog began with a simple query: will Russia escalate its cyber attacks against the United States in retaliation for the military response the U.S. took against Syria after Assad’s chemical weapons attack against its very own citizens?

This is an interesting question for a few reasons. The chief issue with this specific question, and with discussions surrounding this topic in general, is that there is no agreed-upon, clear definition of what exactly constitutes a cyber attack. The question cannot be answered before the term cyber attack is defined. So let's start there.

Is a cyber attack defined as the mere exploitation of a vulnerability, and subsequent acquisition of access to a target network? Does an actor need to perform some malicious activity after obtaining access before the compromise is considered an attack?

In the context of attacking the electric power industry, is attacking the power grid and causing an outage, like what transpired in Ukraine in December 2015 and December 2016, the demarcation line between what is and is not a cyber attack? Is sending phishing emails with malicious attachments, ultimately leading to establishing a foothold in a network for potential use later, a cyber attack?

This is where the media, the security industry, governments, and certain professionals tend to disagree on terminology. I feel it is important to dissect the words to better understand the original question. In the above, I would argue the latter – a phishing campaign resulting in mere command-and-control capabilities on a network – is not a cyber attack. It most definitely is a network breach. I argue it is considered network exploitation or an offensive cyber operation, but not necessarily a cyber attack. Generally it is part of a much larger, potentially multi-faceted campaign, but just breaching a network is not a cyber attack.

Just as breaking into a vehicle does not assume intent to steal the car, remotely accessing a network is more akin to breaking and entering or trespassing. There may be intent to steal intellectual property, disrupt network operations, surveil, participate in a botnet, or a host of other activities potentially rising to the level of a cyber attack. But mere access to a network cannot be assumed to reveal the actor's intent.

Now back to the original question about the possibility of Russia increasing cyber attacks against the United States in retaliation for the airstrikes in Syria.

I do not believe Russian cyber attacks will increase as a direct result of the U.S. military actions in Syria. While Russia is likely not pleased with the airstrikes, there is no specific strategic reason for a cyber response from Russia. United States critical infrastructure is already purported to have been attacked on multiple recent occasions by Russia, most recently by leveraging a major Cisco router vulnerability.

Russia has already demonstrated sophisticated cyber operations capability, with the potential to compromise targets of its choosing in the United States. However, it has yet to demonstrate malicious intent. For the moment it has simply conducted a show of force, signifying its strength. This is the military equivalent of sending an aircraft carrier with an air wing aboard, accompanied by a battle group, off the coast of Russia. It suggests power and superiority.

It is unlikely Russia will currently attempt any cyber attack leading to major damage or disruption. In the short term it will continue to pursue network access, especially to strategic targets within critical infrastructure, but it is doubtful it will go beyond that.

On the one hand, Russia has a high degree of cyber sophistication. Hypothetically, the Putin regime may explore false flag operations against the United States, but if the attack were ever unequivocally attributed to Russia then it may not end well. Although in this era of crying fake news left and right, even indisputable evidence of a Russian plot may not be convincing.

On the other hand, Russia could directly attack the United States. The problem with this approach is the U.S. policy on response. A cyber attack does not necessitate an in-kind response. Just because an adversary uses the cyber domain to attack, the United States does not limit its response to the same domain.

Put another way, if the U.S. is the victim of a major nation state backed cyber attack, it will likely respond kinetically. The U.S. government has stated on multiple occasions that it has the option to respond via military force if it determines a cyber attack exceeds a damage threshold that has not yet been publicly defined. Expect bombs to be dropped, missiles to be launched, or troops to be engaged if the U.S. feels its sovereignty has been attacked.

Putin is most certainly cognizant of this, and is leveraging the ambiguity cyberspace offers to continue conducting operations and demonstrating Russian nation state capability. These minor operations will continue in the short term, but I find it hard to believe an actual attack will occur in the near future. Russia most assuredly does not want a traditional conflict with the United States. Russia will continue to pick at the proverbial scab since there are no repercussions.

Expect to see Russian cyber exploitation remain in the news cycle for the foreseeable future. Awareness of this threat is an important factor in ensuring U.S. government agencies, critical infrastructure, and businesses are prepared for the possibility of an attack. Resilient, proactive defensive measures and situational awareness will go a long way in limiting risk and potential exposure for the inevitable attack that will unquestionably materialize at some strategic time in the future.

Obama Administration Called Putin on Cyber Hotline to Warn Against Election Interference

The New York Post reports on the Obama Administration using the cyber hotline to Russia to warn Putin against interfering in the 2016 US Presidential election:

Michael Daniel, Obama’s cyber czar, said administration officials used the channel — added to the nuclear hotline in 2013 so the countries could communicate about hacking and cyberattacks — to tell the Kremlin to “knock it off.”

“We know that you are carrying out these kinds of activities. And stop. Knock it off,” Daniel told CBS’ “60 Minutes” about the call on Oct. 7, 2016.

Asked if Russia got the message, Daniel said he thinks so.

“The fact that this was the first time we had ever exercised this channel, which was supposed to be, you know, for very serious cyber incidents and cyber issues — I think that, in and of itself — sent a message,” he said.

The Obama administration resorted to using the hotline after earlier the same day, it released its first public statement about how Russia was behind the hacking of the Democratic National Committee.

I do not get the impression the average US citizen truly comprehends the problems the country faced in 2016 with the Russian interference. Too many people see this as a US-only political issue, meaning US politicians are using the interference to discredit President Trump, discredit Hillary Clinton, and even discredit and blame former FBI Director James Comey.

That is far too short-sighted and completely misses the point. It is time to look at the Russian interference from a wide-ranging, multi-faceted strategic level. This is objectively an attack on US sovereignty and its democracy.

The country needs to put aside its like or dislike for a particular political candidate, and focus on how a foreign country – in this case, the one foreign country that was the primary US adversary during the Cold War – interfered with a sovereign state's election process to sow doubt and discord, effectively using propaganda to keep citizens from understanding the true issues. Ostensibly the goal was to make sure Clinton was not elected given her relationship with Putin and position on Russia, not necessarily to get Trump elected.

It is time for the country to take a step back, take a deep breath, and take a look at this issue with renewed vigor, unshackled from the constraints of political affiliation and focus on it objectively. This attack unquestionably took place, unquestionably interfered with the election, and unequivocally played a pivotal role in the outcome of who was ultimately elected as the 45th President of the United States.

The time for playing partisan politics ended long ago. It is time to protect the future of the American democratic process. Enough with the games.

Iranian Hackers Breach Singapore Universities to Access Research Data

ZDNet discusses how Iranian hackers are breaching Singapore universities to access research data:

At least 52 accounts were affected across the Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University, and Singapore University of Technology and Design, according to a joint statement Tuesday by Cyber Security Agency of Singapore (CSA) and Ministry of Education (MOE).

Hackers had used phishing attacks to harvest credentials from affected staff members and used these to gain access to the institutes’ online libraries and research articles published by the academic staff.

Based on their investigations, CSA and MOE said no sensitive data had been stolen and the attacks did not appear to be linked to the APT attacks against NUS and NTU last year.

They were, however, believed to be part of last month’s attacks against education institutions worldwide including 144 universities in the US, after which the US Deputy Attorney General unveiled a series of indictments and financial sanctions against Iranians. The US government had identified nine Iranians thought to be part of the cyberattacks.

Iran is stepping up its cyber attack profile, hitting more locations outside its immediate vicinity. It is interesting to witness Iran maturing from a strong localized actor to a more globalized one. The success of Chinese, Russian, and North Korean nation state backed actors is likely motivation enough for Iran, which wants to be recognized as a world cyber power.

In addition, Iran is well behind the rest of the globe in research. Much like China, which primarily leverages cyber attacks for economic gain to forgo the need to spend a lot of time and money on research and development, Iran possibly sees the benefit of such an approach. By stealing intellectual property from research institutions like major universities, Iran could potentially gain an economic advantage, or even a military one, depending on the application of the data it is focusing on collecting.

UK Reveals Its First Major Government-Backed Cyber Attack Targeted Islamic State

Bloomberg is reporting the United Kingdom publicly announced its first major government-backed cyber attack, conducted in 2017, targeted Islamic State:

Jeremy Fleming, the director of GCHQ, which is better known for its communications interception work, said his agency had worked with the Ministry of Defence to make “a significant contribution to coalition efforts” against the al-Qaeda splinter group. He said that as well as making it “almost impossible” for the group to spread its message, the attack had protected forces on the battlefield.

“This is the first time the U.K. has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” Fleming told a cybersecurity conference in Manchester, England. “Did it work? I think it did.”

He said other operations might “look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps destroy equipment and networks.”

Notice the qualifier “as part of a wider military campaign” added to the statement? What this likely means is that this attack against Islamic State is not the first time the UK has conducted cyber attacks, but rather the first in which a cyber attack was only one aspect of a multi-faceted, multi-domain operation.

There is no doubt the UK has conducted previous cyber attacks. Although the nation has never publicly proclaimed so, the country is one of the stronger purveyors of cyber capabilities, and absolutely leverages them when necessary. Since the inception of the UK NCSC, which is part of GCHQ, this operation was likely the first time the organization worked in tandem with the Ministry of Defence on such a strategic opportunity.

Average Attacker Dwell Time Nearly Six Months for EMEA

Computer Weekly on the average time an attacker remains undetected in EMEA-based networks increasing to just about six months:

The time taken by firms to detect breaches increased by 40% from 2016 to 175 days on average in 2017, according to the latest M-Trends report by security firm FireEye.

This dwell time for the Europe, Middle East and Africa (EMEA) region is also 74 days longer than the global average of 101 days, which is up from 99 days in 2016, according to the report, which is based on information gathered during investigations by FireEye’s security analysts in 2017.

The report attributes the increase in dwell time to the rise in the number and variety of attacks from multiple threat actors, a decrease in organisations using incident response to address destructive malware, an increase in notifications by law enforcement, and an increase in the discovery of existing compromises relating to industrial control systems (ICS).

It is interesting to read that EMEA dwell time is roughly two and a half months longer than the global average. While I understand the overall dwell time increase, what is unique about EMEA that makes the region appear less effective at detection than the rest of the world?

Primer on How to Detect and Prevent Crypto Mining Malware

CSO Online has a good primer on how to detect and prevent crypto mining malware:

Unfortunately, crypto mining traffic can be very difficult to distinguish from other types of communications. The actual messages are very short, and malware writers use a variety of techniques to obfuscate them. “It’s extremely difficult to write a rule for something like this,” Vaystikh says. “So not many companies can detect it. Pretty much every organization above 5,000 employees has the data already — the only problem is that it is very, very hard to go over the huge amounts of data that they have.”

SecBI’s Autonomous Investigation technology deals with this issue by using machine learning to look for suspicious patterns in the vast sea of data that come through corporate networks. There are thousands of factors that SecBI looks at, Vaystikh says. For example, crypto mining traffic is periodic, though malware writers will try to disguise the regular nature of the communication by, for example, randomizing the intervals.

Crypto mining also has an unusual message length. Incoming traffic, the hash, is short. The outgoing results are slightly longer. By comparison, with normal internet traffic, the initial request is short and the response is long. “In Bitcoin mining, I actually upload a little bit more than I download,” Vaystikh says. “That is something that we look for.” The technology can be applied to public cloud infrastructure like Amazon as well as to on-premises networks, he says.

Even if the traffic is encrypted — and 60 percent of all network traffic now is — the periodicity of the communications, the lengths of the messages, and other subtle indicators combine to help the system spot the infections. In fact, when crypto mining first showed up, SecBI’s platform flagged it as possibly malicious before it even knew what it was. “Now, after our users looked at it, they say, ‘Ah, it’s crypto mining!’ and the software now correctly classifies it as well,” Vaystikh says.

The entire article is a valuable resource for those unfamiliar with cryptocurrency and the mining malware actors and criminals are using these days. Outside of endpoint security technologies using signatures, sandboxing, machine learning, or behavioral analytic techniques, network-based detection may be difficult but also may be the best option.

Even the endpoint side has some issues, as there appears to be less-than-effective collaboration between browser developers and the security industry, so not all endpoint security is capable of detecting in-browser malware that leverages JavaScript for deployment. Turning off JavaScript in 2018 is impossible, as it would render 90% of websites inaccessible or unusable. So generally, the best detection and prevention method may in fact be network-based tools like intrusion prevention systems and similar technologies.
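The quoted article gives three network-level indicators for mining traffic: the connections are periodic (though intervals may be jittered), the messages are small, and the endpoint uploads slightly more than it downloads, the inverse of ordinary web browsing. The script below is an added example that is not from the article or from SecBI; it scores per-destination flow records on exactly those three indicators. The flow-record shape, the thresholds (cv_max, ratio_min, min_flows, the 1 KB message size) and the sample data are all constructed assumptions for illustration, not values from the page or from any product.

```python
"""Heuristic scoring of flow records for crypto-mining-like beaconing.

Added example. Flow record shape is assumed (constructed for this example):
one record per connection with timestamp, destination, bytes in, bytes out.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of capture
    dst: str        # destination host
    bytes_in: int   # bytes received by the client (e.g. work/hash from the pool)
    bytes_out: int  # bytes sent by the client (e.g. submitted results)


def interval_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means periodic."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def upload_ratio(flows):
    """Bytes sent divided by bytes received; > 1 means the client uploads more."""
    down = sum(f.bytes_in for f in flows)
    up = sum(f.bytes_out for f in flows)
    return up / down if down else float("inf")


def score_destination(flows, cv_max=0.25, ratio_min=1.0, min_flows=8, max_avg_bytes=1024):
    """Combine the three indicators from the article into a verdict.

    Thresholds are assumptions chosen for this example, not tuned values.
    """
    if len(flows) < min_flows:
        return {"verdict": "insufficient", "flows": len(flows)}
    cv = interval_cv([f.ts for f in flows])
    ratio = upload_ratio(flows)
    periodic = cv is not None and cv <= cv_max
    upload_heavy = ratio >= ratio_min
    small_msgs = mean(f.bytes_in + f.bytes_out for f in flows) < max_avg_bytes
    if periodic and upload_heavy and small_msgs:
        verdict = "likely-mining"
    elif upload_heavy and small_msgs:
        # Randomised intervals defeat the periodicity check, but the byte
        # asymmetry the article describes survives, so keep it for review.
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "cv": cv, "upload_ratio": ratio, "flows": len(flows)}


def find_suspects(flows):
    """Group flows by destination and score each one."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    return {dst: score_destination(fl) for dst, fl in by_dst.items()}


def build_sample():
    """Constructed sample flows: one periodic beacon, one jittered beacon, one browser."""
    flows = []
    # Beacon every 60 s with tiny jitter; short inbound, slightly longer outbound.
    for i, jitter in enumerate([0, 1, -1, 0, 2, -1, 0, 1, 0, -2, 1, 0]):
        flows.append(Flow(i * 60 + jitter, "pool.example", 80, 120))
    # Same byte pattern, but the interval is deliberately randomised.
    t = 0
    for gap in [20, 95, 40, 75, 25, 100, 50, 60, 85, 30, 70, 45]:
        t += gap
        flows.append(Flow(t, "jittered.example", 90, 110))
    # Ordinary browsing: bursty timing, small requests, large responses.
    t = 0
    for gap in [3, 40, 2, 300, 7, 1, 120, 9, 55, 4]:
        t += gap
        flows.append(Flow(t, "web.example", 45000, 600))
    return flows


if __name__ == "__main__":
    for dst, result in find_suspects(build_sample()).items():
        print(dst, result)
```

On real data the records would come from NetFlow/IPFIX or proxy logs rather than the constructed list above, and the thresholds would need tuning per environment; the point is that the ratio and message-size checks still work when the beacon interval is jittered, which is why the script keeps a "review" tier rather than relying on periodicity alone.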

Fin7 is the Billion-Dollar Hacking Group Behind a String of Big Breaches

WIRED has a nice exposé on Fin7, a highly sophisticated actor responsible for major breaches of The Hudson’s Bay Company, Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, and Chipotle:

While lots of criminal hacking gangs are simply out to make money, researchers regard Fin7 as a particularly professional and disciplined organization. The group—which often appears to be Russian-speaking, but hasn’t been tied to a home country—generally works on a normal business schedule, with nights and weekends off. It has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly. In the Saks breach, Fin7 used “point of sale” malware—software secretly installed in the cash register transaction systems customers interact with—to lift the financial data, a signature move.

“They’re connected to almost every major point of sale breach,” says Dmitry Chorine, cofounder and CTO of Gemini Advisory, a threat intelligence firm that works with financial institutions and that first reported the Saks/Lord & Taylor breach. “From what we’ve learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”

While the natural inclination would be to tie a criminal operation like this to Russia, especially with hints that the group is purportedly made up of Russian speakers, that may simply be an extension of its sophistication. The actors may be so advanced that they are capable of accurately mimicking Russian hacking groups to take the heat off their own true identities. This will certainly buy them some time, but at some point they will likely make a small mistake that exposes exactly who the real criminals hiding behind the screens are.

So far Fin7 has largely succeeded at staying just out of reach, but it works at such a massive scale on so many heists at once that there are bound to be missteps. Just last week, Spanish police working with Europol, the FBI, and a group of other international agencies arrested what they called the “mastermind” behind Carbanak’s financial institution hacking, particularly a spree of ATM jackpotting and other money laundering. “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” Steven Wilson, the head of Europol’s European Cybercrime Centre, said of the operation last week.

Though an impressive step, researchers are skeptical that the arrest will really destabilize or neuter such a robust criminal syndicate. “Someone who was using part of the tools was arrested in Spain. He may be at a higher level of the food chain, but it definitely doesn’t necessarily mean the whole group has been dismantled,” says Gemini Advisory’s Chorine. “Even if you observe the chatter on criminal forums, there’s no clear indication of who was arrested.”

So as has been the case for years now, Fin7 will likely live to steal another credit card number. Or, more likely, millions of them.

Fin7 does appear to be a massive operation, and this one takedown is unlikely to affect its entire strategy. The group will likely rebuild this capability rather quickly and be right back to its criminal ways.

Organizations likely to be targeted by this group should not only invest in traditional cyber defense technologies, but need to consider threat intelligence as well. The days of merely installing a firewall, intrusion prevention system, web gateway, file sandboxing, and endpoint security are over. Technological solutions require a strategic layer, constant vigilance, and a more thorough understanding of the threat actors and their capabilities. This is why threat intelligence is far more important today than it ever has been.

Nation State Actors Undermining Trust in the Entire System

ZDNET explores nation state actors not just breaching critical network assets, but their attempt to undermine trust in the entire system:

“We’ve really got to think about the fact our adversaries are attacking more than just our technology. Our adversaries are now starting to critically undermine the trust that our stakeholders have,” said Cooper.

There are many in the cybersecurity industry who would argue that technology alone can solve this problem — protect systems with the relevant tools to keep them safe from attacks. But this is perhaps ignoring the wider issue: there isn’t an antivirus product to protect against declining faith in big institutions, or to defend against fake news.

“The bigger system, that’s the thing we have to defend, not just the technology. While we’re focusing on protecting the technology, our adversaries are focused on attacking the system. And by attacking the system, they’re critically undermining the trust in that system,” said Cooper.

In order to achieve that, it can’t just be about “looking for our technology comfort blanket,” he said, adding: “we’re going to find it lacking”.

The idea nation state actors are eroding trust in the entire system is an insightful distinction many people overlook. It is the difference between viewing an attack through a tactical lens versus a strategic one.

All too often nation state backed breaches are part of a much larger, multi-faceted operation rather than a singular goal. We need to always consider attacks from this perspective so we can better understand a potential end state. Merely focusing on the obvious goal will not give us this insight and will ultimately guarantee failure to adequately defend the crown jewels.

This is where solely employing technological cyber defense is inadequate. Leveraging threat intelligence will be far better at allowing an organization to craft the right strategy to defend against a variety of attacks, actors, and vectors. There is no one-size-fits-all solution to cyber defense. There are some basic tactics, but using a combination of technology and strategy will almost always be the correct mix.

Corporate Culture is the Primary Rule Of Organizational Cyber Security Strategy

Retired Lieutenant General Rhett Hernandez, the first commander of US Army Cyber Command, has a great write-up on today’s cyber threats and the types of strategy organizations need to consider to properly defend their assets:

Cybercriminals are just beginning to think about the ways in which they can leverage their abilities. Any belief that if we pay them it will be okay will break down. You can’t trust agreements between people with values and people without values. Paying them will not ease the pain. Defining and mitigating the risk to prevent these threats from making you a victim is the key. And if prevention fails, your resiliency will depend on how prepared you are to recover and restore operations.

Taken together, the overall threat from cybercrime will result in far more expense to companies—not just from the breaches themselves, and working to prevent them, but also from litigation and, in all likelihood, additional regulation. Breaches at companies over the last year, especially Equifax, generated increased scrutiny among lawmakers and regulators around the country—and on Capitol Hill. Expect a growing push for companies to start to do some of the necessary security basics.

In this environment, the main issue for CEOs and top leaders isn’t which software to buy. When it comes to cybersecurity, culture is the most important thing because people are the weakest link. It isn’t just in corporate America. In every large organization, including the Army, where high discipline and high standards are expected, people often fall short, given the anonymity the virtual world provides. In my experience, soldiers—and employees—often fail to remember that a risk to one is a risk to all.

After discussing threats, Hernandez gets into techniques leaders should employ to counter the cyber threat. Most of the ideas are common sense, but you would be surprised how many in upper management are unaware of how to develop sound cyber defense strategy.

But Hernandez is right that the primary issue is culture. The weakest link in the security chain is often what ends up allowing an attacker to breach a network. Ensuring corporate culture prioritizes security pays huge, likely unquantifiable, dividends. It does not guarantee breach prevention, but it definitely helps ensure employees are far more cognizant of the threat, take it seriously, and employ the necessary individual steps they can to thwart attacks.

Just as safety is ingrained in most corporate cultures, cyber security needs to be at the forefront of people's minds when operating or accessing their organization's IT assets, whether those are in private or public cloud environments.

Japanese Couple Chastised by Ignorant Ojisan for “Conceiving Before Their Turn”

The Telegraph has some truly WTF news from Japan about a Japanese couple being forced to apologize for ignoring unwritten workplace rules by having conceived a child “before their turn”:

A Japanese worker has been reprimanded by her boss for “selfishly breaking the rules” after she became pregnant before it was her “turn”, according to media reports.

The woman was working at a private childcare centre in Aichi prefecture, north Japan, when she found out she was pregnant.

However, the timing reportedly clashed with “shifts” drawn by the childcare centre director, which listed when female staff were allowed to marry and have children.

The plight of the woman, who has not been identified, highlights the unsettling practice of some Japanese companies dictating when female staff are allowed to marry and have children, depending on their level of seniority.

Straight WTF but completely unsurprising for those familiar with Japan and some of its more traditional workplace practices.

Describing how his wife felt “glum and anxious” after finding out she was pregnant, the husband wrote: “The director at the child care center where she works had determined the order in which workers could get married or pregnant, and apparently there was an unspoken rule that one must not take their ‘turn’ before a senior staff member…”

The couple formally met with the director to apologise about the pregnancy in person, but the husband claimed that his wife has since been “chided” for “selfishly” breaking the rules of the child care center.

The director should be chastised and chided for enacting such selfish, unspoken and unwritten, highly inhumane rules. Traditional Japanese workplaces can already be tough enough to begin with, and having to deal with additional peculiarities should be unnecessary. The ojisan managing these operations rarely consider the long-term effects of their shortsighted policy fetish.

Nothing is Safe as Cyber Attacks are Targeting 911 Call Centers

NBC News discusses denial-of-service attacks against 911 call centers across the country:

The Next Generation 911 systems will have advanced security baked into their foundations, including the ability to instantly identify suspicious activity, immediately shut down in response to intrusions, and simultaneously move incoming calls to other centers in a way that is undetectable to someone dialing for help, officials say.

But the increased connectivity also opens the modern systems to new potential modes of attack, experts say. No matter how sophisticated a defense, all it takes is one overlooked vulnerability to let hackers in, experts say.

That makes it essential to develop sophisticated defense systems run by in-house cybersecurity teams, they say.

In Baltimore’s case, the ransomware attack was discovered and repelled by Baltimore City Information Technology, which maintains defenses across the local government. It determined that the hackers had found access after a technician troubleshooting the computer-aided dispatch system made a change to a firewall and mistakenly left an opening, the city’s chief information officer, Frank Johnson, said in a statement. The FBI is now helping the city investigate.

Howard, in Tennessee, knows how his attacker obtained access to the 911 center — by finding a weak password left by a deceased former system administrator. The FBI told him it looked as if the attack came from Russia. But he still isn’t sure.

The December 2015 attack against a Ukrainian power company, which left over 230,000 people without power for up to six hours, also included a denial-of-service against the utility's call center. The attackers purposely targeted the support desk to confuse operators, so they would remain unaware their customers were experiencing an outage. It is a smart tactic from an offensive perspective, and likely a technique most groups will increasingly use in the future. Citizens need to be made aware this is a possibility, especially with Russia targeting the US power grid and other critical infrastructure.

Frankly, I am surprised it has taken so long for these attack types to become mainstream news. Nation state attackers will use any means necessary to achieve their goals. Every available technique and tool in their arsenal will be used, and oftentimes they come in shapes we do not normally associate with what is generally considered a traditional cyber attack.

That I even used that phrase – traditional cyber attack – demonstrates a certain level of expectation in cyber warfare. While there are to date a number of traditional models, cyber attacks do not follow normal kinetic attack patterns. This is not necessarily only because cyber is ethereal, but also because of its infancy and the sheer number and scale of attack vectors. As cyber warfare continues to mature there will be a greater understanding of the techniques, the targets, their effectiveness, and the strategies used by sophisticated nation state actors.

Mitre’s ATT&CK Framework is a Great Red Teaming Tool

CSO Online discusses Mitre’s five-year-old ATT&CK framework and how it is an effective tool for organizations desiring to build red teams to perform penetration testing and vulnerability assessments:

As adversaries get more skilled, defenders have to up their game too. By classifying attacks into discrete units, it’s easier for researchers to see common patterns, figure out who authored different campaigns, and track how a piece of malware has evolved over the years as the author added new features and attack methods.

While other tools can identify malware hashes and behaviors, ATT&CK is one of the more comprehensive methods that can look at the actual malware components and lay them out in detail. Most modern malware uses a combination of techniques to hide its operation, stage its exploits, evade detection, and leverage network weaknesses. Finding these various building blocks is a key part of defending against their perfidy.

The first matrix is a “pre-attack” collection of 17 different categories that help to prevent an attack before the adversary has a chance to get inside your network — when an attacker is reconnoitering your domain, for example. Three matrices follow, each with a collection for Windows, Mac or Linux endpoints, covering a total of 169 different techniques. Finally, a fifth collection offers additional categories for mobile-based attacks.

Each cell of these matrices contains a single tactic, such as forced authentication using Server Message Block (SMB) protocols and how a malware author can use this to gain entry to your network. The framework also contains information on recent malware that uses this technique (in this case, Dragonfly), the way you can detect it (monitor SMB traffic on the appropriate ports), and how you can mitigate its abuse (using egress filters to block SMB traffic).

I was heretofore completely unfamiliar with ATT&CK, but it sounds like a unique and highly useful tool for organizations with the right amount of expertise. This is not something to be used by a small organization with little to no resources or capabilities, but mature ones with credentialed cyber professionals.

The basic goal of ATT&CK is quite solid, but what makes it genius is its ability to be extended. There are a number of free and open source projects to add functionality to ATT&CK, such as creating scripts for several dozen ATT&CK techniques for testing endpoint detection tools among others.

Just like the malware it is designed to investigate, ATT&CK is constantly being updated and modified to stay ahead of the power curve. If you are interested in the white hat side of malware, ATT&CK is a strong project worth checking out.
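The forced-authentication entry quoted above pairs a detection (watch SMB on its ports) with a mitigation (egress filtering). As an added example, not Mitre's or CSO Online's code, here is that detection run over a few constructed flow records: any SMB session from an internal address to one outside the internal ranges is reported per source host. The internal ranges and the flow format are assumptions.

```python
"""Added example (not Mitre's or CSO Online's code) of the detection the
ATT&CK entry above describes for forced authentication: flag SMB sessions
(TCP 445/139) leaving the internal ranges, since a host tricked into
authenticating to an outside server shows up exactly this way."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed flow records: "time src_ip src_port dst_ip dst_port proto".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, used as
# stand-ins for external hosts.
FLOWS = """\
09:01:12 10.1.4.22 51022 10.1.1.5 445 tcp
09:01:15 10.1.4.22 51023 203.0.113.9 445 tcp
09:02:01 10.1.4.23 40110 203.0.113.9 443 tcp
09:02:44 10.1.4.22 51030 198.51.100.77 139 tcp
09:03:10 10.1.9.8 33010 192.168.7.7 445 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line):
    t, src, sport, dst, dport, proto = line.split()
    return {"time": t, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def smb_egress(flow_text):
    """Return {source host: [destinations]} for SMB flows to non-internal IPs.
    Internal-to-internal SMB is normal file sharing and is left alone."""
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["dport"] in SMB_PORTS and not is_internal(f["dst"]):
            hits[f["src"]].append(f"{f['dst']}:{f['dport']} at {f['time']}")
    return dict(hits)


if __name__ == "__main__":
    for host, dests in smb_egress(FLOWS).items():
        print(host, "attempted outbound SMB to", ", ".join(dests))
```

The same predicate (destination outside the internal ranges, port 445 or 139) is what the egress filter the article mentions would block at the perimeter.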

Cyber Criminals Targeting Magento to Steal Credit Cards and Install Cryptocurrency Mining Malware

Dark Reading on cyber criminals using brute-force password attacks against open source e-commerce system Magento to steal credit card numbers and distribute cryptocurrency mining malware:

He describes the types of compromised websites as ranging from small to midsize organizations that had installed the Magento CMS for e-commerce transactions. Online retail stores appear to have been the most heavily affected, followed by healthcare and education websites, Kremez says.

“The actors exploit and monetize their Magento panel accesses in three unique ways depending on [the] sites,” he says.

The favored way is to install JavaScript sniffers on the compromised site for scraping payment card data, which is then later sold on Dark Web stores. If the breached website does not yield payment card data, the attackers resort to uploading cryptocurrency mining tools such as Coinhive.

The third tactic is to use the compromised site to host code — typically a phony Adobe Flash Player update — which, if executed, results in a data-stealing malware tool dubbed AZORult being downloaded on computers belonging to site visitors. AZORult in turn downloads Rarog, a Coinhive cryptocurrency miner on the user’s system.

The attackers have shown a tendency to update the malicious files daily in order to avoid detection by signature-based anti-malware tools, according to Flashpoint.

The Magento sites are initially compromised with a brute-force password attack to gain access to the administrative panel. In many cases it appears the default administrative credentials were never modified, thus essentially offering free access to the malicious actors.

Overall, this is a fairly sophisticated operation. Not many attack groups have the wherewithal to update their malicious code daily to avoid signature-based detection tools. It takes a fair bit of work to make the changes and deploy them out to the thousand-plus compromised Magento sites.
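Daily re-obfuscation defeats signatures, but it does not change the fact that a skimmer has to be added to the checkout page. As an added example, not Flashpoint's or Magento's code, the script below inventories a page's `<script>` tags (external URLs plus digests of inline bodies) and diffs them against a baseline captured from a known good deploy; the page markup and the placeholder domain are constructed.

```python
"""Added example (not Flashpoint's or Magento's code): spot an injected
card-skimmer <script> by diffing a page's script inventory against a known
good baseline. Keying on what changed instead of on signatures means a
skimmer file that is re-obfuscated daily still shows up."""
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline scripts."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = set(), None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.items.add("src:" + src)
        else:
            self._inline = []          # start buffering an inline body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.items.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._inline = None


def script_inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    return parser.items


def unexpected_scripts(page_html, baseline):
    """Scripts on the page that the approved baseline does not contain."""
    return sorted(script_inventory(page_html) - baseline)


# Constructed checkout page; the tampered copy pulls a script from a host
# that is not part of the deployment (placeholder domain).
CLEAN_PAGE = ('<html><head><script src="/static/js/checkout.js"></script>'
              '<script>window.cfg = {"currency": "USD"};</script></head>'
              '<body><form id="payment"></form></body></html>')
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://cdn.example.invalid/jq.js"></script></body>')
BASELINE = script_inventory(CLEAN_PAGE)   # captured from a known good deploy
```

Run against each deploy, a non-empty result from `unexpected_scripts` is the alert; an edited inline script changes its digest and is reported the same way as a new external one.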

How Cambridge Analytica’s Facebook Targeting Model Really Worked

TNW had a conversation with Cambridge University scholar Aleksandr Kogan, one of the architects of Cambridge Analytica’s Facebook targeting model, to learn how exactly the statistical model processed Facebook data for use in targeting and influencing voters:

In 2013, Cambridge University researchers Michal Kosinski, David Stillwell and Thore Graepel published an article on the predictive power of Facebook data, using information gathered through an online personality test. Their initial analysis was nearly identical to that used on the Netflix Prize, using SVD to categorize both users and things they “liked” into the top 100 factors.

The paper showed that a factor model made with users’ Facebook “likes” alone was 95 percent accurate at distinguishing between black and white respondents, 93 percent accurate at distinguishing men from women, and 88 percent accurate at distinguishing people who identified as gay men from men who identified as straight. It could even correctly distinguish Republicans from Democrats 85 percent of the time.

It was also useful, though not as accurate, for predicting users’ scores on the “Big Five” personality test.

This is exactly why allowing nefarious companies like Cambridge Analytica to use personal data provided to Facebook is extremely dangerous. It becomes rather easy to profile and subsequently target people with scary accuracy. The average Facebook user never stops to consider the potential unintended consequences of their providing data to the platform. They merely look at the immediate benefit rather than the long term effect.

Knowing how the model is built helps explain Cambridge Analytica’s apparently contradictory statements about the role – or lack thereof – that personality profiling and psychographics played in its modeling. They’re all technically consistent with what Kogan describes.

A model like Kogan’s would give estimates for every variable available on any group of users. That means it would automatically estimate the Big Five personality scores for every voter. But these personality scores are the output of the model, not the input. All the model knows is that certain Facebook likes, and certain users, tend to be grouped together.

With this model, Cambridge Analytica could say that it was identifying people with low openness to experience and high neuroticism. But the same model, with the exact same predictions for every user, could just as accurately claim to be identifying less educated older Republican men.

In other words, statistics were used to shape the public response, making the data use appear less sinister than it actually was.
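The point that the personality scores are an output of the factor model, not an input, is easy to see on a toy version of the likes model described above. This is an added example, not Kogan's, Kosinski's or Cambridge Analytica's code: it factorises a small constructed user-by-page matrix with a power-iteration SVD and then compares the resulting factor score with two labels the model never saw, both of which it "predicts" equally well.

```python
"""Toy version of the likes factor model described above, written as an
added example (not Kogan's, Kosinski's or Cambridge Analytica's code). A
constructed user x page matrix is column-centred, its leading singular
vector found by power iteration, and each user's score on that factor is
compared with two constructed labels the model never saw."""
from math import sqrt

# Constructed data: 8 users x 6 pages, 1 = the user "liked" the page.
LIKES = [
    [1, 1, 1, 0, 0, 0], [1, 1, 0, 0, 0, 0], [1, 0, 1, 0, 0, 0], [0, 1, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 1], [0, 0, 0, 1, 1, 0], [0, 0, 0, 1, 0, 1], [0, 0, 0, 0, 1, 1],
]
# Two constructed labels an analyst might claim to predict. Neither is used
# when building the factor; both are only compared with its output.
HIGH_NEUROTICISM = [1, 1, 1, 1, 0, 0, 0, 0]
OLDER_REPUBLICAN_MEN = [1, 1, 1, 0, 0, 0, 0, 0]


def centre(m):
    """Subtract each column's mean so the leading factor reflects which
    pages are liked together rather than how active a user is."""
    means = [sum(col) / len(m) for col in zip(*m)]
    return [[x - mu for x, mu in zip(row, means)] for row in m]

def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def leading_factor(m, iters=200):
    """Unit top right-singular vector of m via power iteration on m^T m,
    the same direction a full SVD returns as its first factor."""
    mt = [list(col) for col in zip(*m)]
    v = [1.0] + [0.0] * (len(m[0]) - 1)
    for _ in range(iters):
        w = matvec(mt, matvec(m, v))
        norm = sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return v

def factor_scores(likes):
    """Each user's coordinate on the leading factor: the model's output."""
    mc = centre(likes)
    return matvec(mc, leading_factor(mc))

def accuracy(scores, labels):
    """Use 'score > 0' as the prediction and compare it with a label."""
    hits = sum((s > 0) == bool(y) for s, y in zip(scores, labels))
    return hits / len(labels)
```

Nothing in `factor_scores` mentions either label; whichever name is attached to the factor afterwards is the analyst's choice, which is the consistency Kogan describes.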

Cyber Security is Not a Discipline Warranting its Own Special Word

This is a slightly pedantic issue I have likely spent too much time contemplating and not enough time discussing. While I find myself being finicky about it, words are important, and the vernacular we use when talking about cyber is vital. It is imperative the entire industry speaks a common language, uses common terms, and has a common baseline understanding of the complex issues we face every day. This is why I am concerned with industry and media discourse around cyber, and its peculiar obsession with using the term cybersecurity as opposed to cyber security.

What, after all, makes this domain so important as to warrant its own word? While cyber is a relatively new security realm when compared to more traditional areas, its newness should not award it any superior stature. Even though cyber has permeated almost every aspect of modern human culture, does this somehow automatically provide it with superior stature above other security specialties?

There are a host of other security disciplines just as important to everyday life as cyber is, yet in every other case no special status was granted to their naming. Here are just some of the various security vocations for reference:

  • Application security: discipline focusing on ensuring applications are developed securely throughout the various stages of the application development lifecycle.
  • Asset security: discipline dedicated to protection of computer assets, whether that is hardware, software, data, or any component providing or supporting information-related activities.
  • Industrial security: this is more of a government and defense industry related security domain rather than something general. It focuses on managing the needs of private industry to access classified information, and ensuring organizations have implemented specific criteria before being provided with access to highly sensitive data.
  • Information security: discipline dedicated to preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of data. This is type agnostic, and applies to any form of data, regardless if it is printed, recorded, on a network, etc.
  • Network security: policies and measures implemented to prevent unauthorized access, misuse, modification, or denial of network resources.
  • Operations security: also known as OPSEC, its goal is to protect the entire puzzle by ensuring smaller, seemingly benign pieces of a larger puzzle are not knowingly or accidentally disclosed. The desire is to ensure potential attackers are unable to aggregate enough of the puzzle to fully comprehend what data they have acquired.
  • Personnel security: a discipline dedicated to managing insider threat risk and ensuring employees are trustworthy enough to be provided legitimate access to highly sensitive information. This is done through a series of background checks, interviews, and potentially even polygraph tests, depending on the level of security clearance required.
  • Physical security: discipline dedicated to denying unauthorized physical access to facilities, equipment, and resources to protect personnel and property from harm or damage. This could be in the form of human actions like theft, terrorism, or espionage; or it can be natural disasters like floods, typhoons, earthquakes, and more.

Now we come back to cyber, which is a discipline dedicated to, like many of the above, protecting information technology assets from unauthorized access, theft, destruction, misuse, disruption, and misdirection. There are various strategies employed in this endeavor, oftentimes requiring aspects of multiple security domains to properly achieve the stated goal.

In no case above does the space between the domain and the word security disappear. There is no assetsecurity, networksecurity, physicalsecurity. Yet for some reason the world seems enamored with cybersecurity.

Cyber is just another security discipline and should not be afforded its own special word. In fact, many people already seem to use various forms, confused about which is appropriate to use at which time.

The proper way to write it is as cyber security, to denote it as another security discipline, while not elevating it to some special status above others. Cyber security is important, but so is application security, physical security, and the myriad other disciplines.

Cyber security is merely a modern manifestation of security as society has evolved towards a more data-centric lifestyle. While physical security remains just as important as ever, especially with current terrorism threats, cyber has invaded our lives in ways we never imagined. That does not warrant a new word for this discipline, just a reimagined focus on strategies for protecting this new realm.

Stop using cybersecurity to describe this topic, and stick with the tried and true cyber security. It makes more sense, looks far better, and is aligned with the various uses of security throughout history.

Now that I got that off my chest I can surely begin to focus on more important security topics.