Pulling the Rug Out on DDoS Carpet Bombers

Network attacks driven by traffic, such as DDoS, have long been classified by a capacity threshold or baseline limit. When traffic surpasses that limit, an alarm is triggered to indicate an attack. Internet service providers now face a more stealthy type of DDoS attack known as the “carpet bomb,” which flies below the baseline to escape detection. Fortunately, new forms of defense based on scalable contextual awareness can spot these attacks and render them harmless.

At one time, carpet bomb attacks were seen merely as a nuisance (if they were even noticed at all). And since network providers relied on DDoS protection that could only extend specialized protection to a handful of customers, this defense was only offered to the largest enterprise clients. Baseline detection worked pretty well for very large surge attacks on these single endpoints, meaning that attack traffic could be routed to racks of mitigation hardware for scrubbing.

The scale of today’s attacks has grown, employing not only captured PC botnets but also botnets comprised of IoT devices and cloud services. With today’s larger, multivector carpet bomb attacks, tens of thousands of customers can be noticeably affected even though no single endpoint goes down. For instance, they might only get SD-quality video streaming instead of HD.

This doesn’t sound disastrous until you take into account the low tolerance that discerning viewers have for poor-quality video streaming. They don’t care why they’ve been receiving SD-quality video for the last half hour; they just want it to improve—now! Many of these customers are in danger of silently churning.

The ability of carpet bombing to confuse detection is also being used by attackers as a form of smokescreen to hide an attack against a single target. They can deploy slow and low attacks that gently increase the tolerance of baseline alerting solutions by incrementally injecting traffic across the entire network—eventually causing congestion and poor quality of experience for the user. Additionally, big surge defenses are designed to deal with tens of endpoints, not thousands. So, the network prioritizes the protection of the dozen or so large enterprises that have been extended specialty DDoS protection while the other tens of thousands fall victim to the attack.

When it comes to carpet bombs, the baseline method of detection is not the way to go. A new layer of defense is needed to deal with these kinds of attacks.

The latest approach to network protection uses scalable, contextual awareness to spot attacks, instead of solely relying on baselines. This multidimensional technology uses readily available public data to understand what is happening at any moment across the global internet. It connects to other systems to get service-related data from the network, including performance information, Syslog and information from security events from sFlow. It then correlates this information with DNS information and IP addresses.

This allows the network operator to see how traffic travels to and through the network. It sees beyond the IP address to immediately identify the difference between YouTube traffic and Amazon traffic, for instance. It then identifies the servers, IoT devices, endpoints and service chains to which they are connected, making it possible to pinpoint service issues or identify DDoS traffic in real time.

This real-time, end-to-end intelligence distinguishes normal network behavior from incorrect traffic signatures, making it possible to spot anomalies. One example is an amplification attack that exaggerates traffic flows and causes incorrect traffic ratios, such as too many SYN-ACK flows in relation to the number of SYN flows across the network. Identifying abnormal traffic signatures instead of simply relying on baselines results in a more accurate and holistic line of defense. With this deep knowledge of traffic across the network, it is now possible to filter a majority of the offending traffic more cost-effectively at the network edge, using the operator’s existing router infrastructure instead of sending all of this traffic to specialized hardware.
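An added example, not taken from the article or any vendor product, of the two detection ideas above run over a constructed set of flow records: a per-host baseline misses a carpet bomb spread across a whole /24, a per-prefix aggregate catches it, and a SYN-to-SYN-ACK ratio check flags a reflection victim. The flow format, thresholds and /24 aggregation granularity are assumptions for the example.

```python
"""Carpet-bomb and SYN/SYN-ACK ratio detection over constructed flow records."""
import ipaddress
from collections import Counter

# TCP flag bits used in the constructed records.
SYN, ACK = 0x02, 0x10


def make_sample_flows():
    """Constructed flow samples as (src, dst, tcp_flags, bytes) tuples.

    Real data would come from sFlow/NetFlow; these values are made up."""
    flows = []
    # Normal web traffic: each client SYN is answered by exactly one SYN-ACK.
    for i in range(40):
        dst = f"198.51.100.{10 + i % 4}"
        flows.append((f"203.0.113.{i}", dst, SYN, 60))
        flows.append((dst, f"203.0.113.{i}", SYN | ACK, 60))
    # Carpet bomb: modest ACK traffic to every host in 198.51.100.0/24,
    # each destination staying well below a per-host baseline.
    for host in range(1, 255):
        for k in range(3):
            flows.append((f"192.0.2.{k}", f"198.51.100.{host}", ACK, 1200))
    # Reflection toward one victim: SYN-ACKs from many reflectors, but the
    # victim never sent the SYNs that would explain them.
    for r in range(30):
        flows.append((f"192.0.2.{100 + r}", "198.51.100.77", SYN | ACK, 60))
    return flows


def bytes_by_dest_key(flows, key):
    """Sum bytes per destination, grouped by key(dst)."""
    totals = Counter()
    for _src, dst, _flags, nbytes in flows:
        totals[key(dst)] += nbytes
    return totals


def per_host_alerts(flows, threshold):
    """Classic baseline: alarm on any single destination above threshold."""
    totals = bytes_by_dest_key(flows, lambda d: d)
    return sorted(h for h, b in totals.items() if b > threshold)


def per_prefix_alerts(flows, threshold, prefix_len=24):
    """Carpet-bomb check: aggregate destination bytes per prefix (assumed /24)."""
    def prefix(d):
        return str(ipaddress.ip_network(f"{d}/{prefix_len}", strict=False))
    totals = bytes_by_dest_key(flows, prefix)
    return sorted(p for p, b in totals.items() if b > threshold)


def syn_ack_ratio_alerts(flows, max_ratio=2.0, min_flows=10):
    """Reflection check: hosts receiving far more SYN-ACKs than SYNs they sent."""
    syn_sent = Counter()
    synack_recv = Counter()
    for src, dst, flags, _nbytes in flows:
        if flags & SYN and not flags & ACK:
            syn_sent[src] += 1
        elif flags & SYN and flags & ACK:
            synack_recv[dst] += 1
    alerts = []
    for host, n in synack_recv.items():
        # +1 avoids division-by-zero logic for hosts that sent no SYN at all.
        if n >= min_flows and n > max_ratio * (syn_sent[host] + 1):
            alerts.append(host)
    return sorted(alerts)


if __name__ == "__main__":
    flows = make_sample_flows()
    print("per-host baseline alerts:", per_host_alerts(flows, 10_000))
    print("per-/24 aggregate alerts:", per_prefix_alerts(flows, 500_000))
    print("SYN/SYN-ACK ratio alerts:", syn_ack_ratio_alerts(flows))
```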

This approach has a number of advantages beyond carpet bombs. As we know, DDoS solutions were built to protect just tens of large enterprise customers from DDoS attacks. However, since they can only stretch this protection to a small number of customers, only the largest enterprises receive company-specific DDoS protection. This leaves hundreds of thousands of small and medium enterprises with rudimentary protection—despite their willingness to pay for better security.

It is also incredibly difficult to configure traditional DDoS defenses because it requires highly skilled security operators to set up and administer, further limiting the number of customers any one company can maintain. Additionally, legacy solutions are simply blind to new threats because they lack networkwide detection and multidimensional insight.

On the other hand, multidimensional techniques are self-learning and can be highly automated, so specialists are not required and the operator’s SOC can administer the system. And it scales to protect every endpoint and infrastructure across the network so that security services can be extended past dozens of customers to the other million.

Building a multilayer defense strategy starts with better intelligence and contextual understanding of what is happening across the network. This knowledge enables the IP routing infrastructure to handle the first layer of defense. The second layer of defense, traditional scrubbing centers, is then freed up to face the big surge, more complex attacks when they strike. And, as it turns out, pulling the rug out from under the carpet bombers gives the operator a better, more affordable defensive system that serves all its customers, not just the few.

Source: https://securityboulevard.com/2018/05/pulling-the-rug-out-on-ddos-carpet-bombers/


Hackers replacing volumetric DDoS attacks with “low and slow” attacks

By the middle of last year, organisations across the UK had woken up to the threat of DDoS attacks that had, by November, increased in frequency by a massive 91 percent over Q1 2017 and 35 percent over Q2 figures.

A report by CDNetworks in October revealed that more than half of all organisations had ended up as victims of DDoS attacks that regularly took their website, network or online apps down.

To deter cyber-criminals from launching powerful DDoS attacks, organisations began pouring in huge investments to shore up their defences against DDoS attacks. According to CDNetworks, average annual spending on DDoS mitigation in the UK rose to £24,200 last year, with 20 percent of all businesses investing more than £40,000 in the period.

Such investments also resulted in increased confidence amongst businesses in defending against business continuity threats such as DDoS attacks, but unfortunately, increased investment did little to stop the flow of such attacks. Kaspersky Lab’s Global IT Security Risks Survey 2017 noted that the number of DDoS attacks on UK firms doubled since 2016, affecting 33 percent of all firms.

An analysis of DDoS attacks published by Alex Cruz Farmer, security product manager at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks, which impact applications and the end-user, while abandoning traditional Layer 3 and 4 attacks whose effectiveness is no longer guaranteed. This has ensured the unabated continuance of DDoS attacks on enterprises.

“The key difference to these (Layer 7) attacks is they are no longer focused on using huge payloads (volumetric attacks), but based on Requests per Second to exhaust server resources (CPU, Disk and Memory),” he said, adding that by their very nature, Layer 7 based DDoS attacks, such as credential stuffing and content scraping, do not last too long and do not flood networks with hundreds of gigabytes of junk network traffic per second like traditional DDoS attacks.

Farmer added that Layer 7 based DDoS attacks have become so popular among hackers that Cloudflare detected around 160 attacks occurring each day, with some days spiking up to over 1,000 attacks. For example, hackers are frequently carrying out enumeration attacks by identifying expensive operations in apps and hammering at them with bots to tie up resources and slow down or crash such apps. For instance, a database platform was targeted with over 100,000,000 bad requests in just 6 hours.

Indeed, the first signs of short-duration yet persistent DDoS attacks were observed in May last year. Imperva Incapsula’s Global DDoS Threat Landscape Report, which analysed more than 17,000 network and application layer DDoS attacks, concluded that 80 percent of DDoS attacks lasted less than an hour and occurred in bursts, and that three-quarters of targets suffered repeat assaults, with 19 percent attacked 10 times or more.

“These attacks are a sign of the times; launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber-vandalism in what is essentially a form of internet trolling,” said Igal Zeifman, Incapsula security evangelist at Imperva, to SC Media UK.

Sean Newman, director of Corero Network Security, told SC Media UK that reports of increasing application layer DDoS attacks are only to be expected, as attackers continue to look for alternate vectors to meet their objectives.

“A perception that volumetric DDoS attacks are on the decline is understandable, especially if that is your only lens on the problem. However, when your view is based on having deployed the latest generation of always-on, real-time DDoS protection, you will find a rather different story.

“With this lens on the problem, you will find that there is a significantly increasing trend for smaller, more calculated volumetric DDoS attacks. In fact, Corero customers saw an increase in volumetric attacks of 50 percent compared to a year ago, with over 90 percent of those attacks being less than 5Gbps in size and over 70 percent lasting less than 10 minutes in duration,” he added.

According to Joseph Carson, chief security scientist at Thycotic, organisations are adopting various mitigation techniques to defend against targeted and repeated DDoS attacks, but many times such technologies also consume a lot of bandwidth and system memory and thereby interfere with the smooth functioning of databases and apps.

“A targeted DDoS attack is something that is very challenging to mitigate against, though luckily they are periodic, meaning they occur for a short amount of time, usually from days to a few weeks. Techniques that are commonly used today are mitigation techniques using Access Control Lists, Rate Limiting and filtering source IP Addresses, though each of these is resource intensive and can prevent legitimate users from getting access to your services.

“A few important lessons can be learned from Estonia’s DDoS experience back in 2007: be very careful as to what mitigation techniques you use, as some companies’ responses can be more costly than the DDoS attack itself, so always respond to each attack with the appropriate mitigation response.

“Though the best way to really defend and protect against future DDoS attacks is to think in terms of geographic distribution and not have any centrally dependent location of service. Estonia learned this in 2007 and has now distributed itself beyond its own country’s borders using Data Embassies,” he added.
Source: https://www.scmagazineuk.com/hackers-replacing-volumetric-ddos-attacks-with-low-and-slow-attacks/article/767988/

DDoS used to oust competition in crypto market

In the last 12 months, cyber criminals have been using distributed denial-of-service (DDoS) attacks to target crypto-currencies.

That’s according to Alex Cruz Farmer, product manager at Cloudflare, who spoke at the ITWeb Security Summit 2018 event this week.

Criminal perpetrators of DDoS attacks often target sites or services hosted on high-profile Web servers such as banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

However, when targeting crypto-currencies with DDoS attacks, “it’s not for the good old ransom, it’s a way to run the competition out of town”.

Cloudflare is one of the biggest DDoS mitigation platforms in the world, serving over eight million domains across more than 150 data centres.

Soon to be the norm

A crypto-currency marketplace customer that had migrated to Cloudflare suffered an attack which, according to Farmer, demonstrated the complexities of modern-day attacks, which he believes will soon be the norm.

“The customer noticed that there were a huge number of sign-ups to their Web site, way more than usual, and had assumed this was spam or some other scam. After a week or two, they found that thousands and thousands of these accounts were logging in, and repeatedly checking their account balances, which in turn caused their database platform to grind to a halt.”

He explained that within a very short period of time, it was identified and the attack was dealt with, but the attackers did not stop there.

“Further application-based attacks occurred, focusing on almost every endpoint possible, to find another area of weakness. Fortunately, we were wise to these games, and our security teams were able to put adequate protections in place to block any further attacks.”

DDoS evolution

He pointed out that DDoS attacks have evolved over the years, noting that the first ever DDoS was in 1988 caused by the Morris Worm, written by Robert Morris.

“It was a complete accident, the purpose was to gauge the size of the Internet. However, due to an oversight in the code, it ended up taking down the Internet, causing huge amounts of damage, leading to the first ever cyber-related felony in the US.”

From then, he said DDoS attacks inherently were focused on exhausting CPU or other resources.

“For example, a simple TCP SYN attack on an Apache server would exhaust open sockets, rendering servers useless, causing any new connections to timeout. The only resolution was to restart the Web server.”

TCP SYN flood (aka SYN flood) is a type of DDoS attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.

“Unfortunately for the attackers, there were quick and easy solutions for server administrators to protect themselves from SYN attacks, so naturally, the evolution was to find the next destructive option; exhaust the network.

“Come to 2003, we had one of the most epic DDoS attacks ever seen, caused by the infamous SQL Slammer virus. Not only did these attacks cripple the target server, they also crippled the network, and in some cases even their upstream ISP,” Farmer said.

Fast forward five to 10 years, we then saw the birth of User Datagram Protocol (UDP) based reflection attacks, primarily utilising NTP services (the service which sets the time on a computer, mobile phone or any other connected device), he pointed out.

“But, like always, patches are created, and the community came together to build necessary protections. It was UDP-based, so it was easy to block for most networks.”

According to Farmer, 2016 is when things really changed. “Mirai was born, with its debut attack of 540Gb/sec targeting the Rio Olympics, then a few weeks later generating the largest attack the world had seen against security blogger Brian Krebs.”

He explained that Mirai was orchestrated using IoT devices to generate the attacks. “While these devices may seem harmless, under the hood they run a real, fully-loaded operating system, mostly Linux. This means an attacker is able to run whatever script they wish, have it call home, update its firmware and most importantly, lock out the owner.”

Source: https://www.itweb.co.za/content/VgZey7JAZa8vdjX9


Malware with bricking capabilities poses major threat after infecting 500,000+ networking devices

A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.

Researchers from Cisco Systems’ Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber espionage that Russia allegedly used in past cyberattacks to disable the Ukrainian power grid.

The campaign’s connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber assault.

Talos observed markedly heavy infection activity in Ukraine on May 8 and again on May 17. Meanwhile, Symantec posted its own take on the threat, informing SC Media in emailed comments that while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.

The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.

It can even “brick” devices, individually or, far worse, en masse, rendering them unusable by overwriting a portion of the firmware and forcing a reboot. “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the Talos blog post explains.

“This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware,” the post continues. “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”

Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Talos warns in its blog post. “We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular malware is comprised of three stages. The first stage, which establishes persistence, is unique among IoT malware programs in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server’s IP address.

Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the “kill” function that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. “The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Talos reports.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend,” warns Talos, which does suggest several mitigation techniques in its report. “Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.”

In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.

“Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. “This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement’s efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated.”

Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.

“Last year we talked about while the BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come,” said Manky. “Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory,” resulting in a “dead state.”

Source: https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/


2018 Is the Worst Year for Corporate Security; Executives Lack Cohesive Security Plan

Security executives fear cyberattacks will heavily target critical infrastructures in the near future, but they don’t seem to be doing much about enforcing security policies that also cover IoT devices. Despite the major threat they pose, connected devices have so far been overlooked in security policies. It appears that in general, in spite of the increasing awareness of high-profile cyberattacks and threats, enterprises tend to look the other way rather than invest properly in a cybersecurity strategy.

2018 appears to be the worst year in terms of corporate security, according to current research from Pwnie Express. In interviews with more than 500 security executives, IoT security has proven a major common concern as enterprises understand the growing risks of the threat landscape. However, if hit by a cyberattack, companies would mostly worry about the negative publicity their brand would receive.

One in three security professionals worry their businesses are not yet prepared to detect and contain IoT threats, while almost half fear the threats posed by consumer IoT devices because they are less able to monitor them.

As many as 85 percent of security executives worry their countries will go through a critical infrastructure attack in the next five years. However, although they believe IoT security is among their responsibilities, security professionals say they are rarely consulted when device purchasing decisions are made.

More than half of organizations dealt with malicious attacks in 2017. Contrary to expectations, small to medium-sized companies are more observant regarding employee practices and more security-aware than larger businesses. 80 percent of executives named the BYOD trend a key concern because it is very difficult to keep track of activity. According to the report, larger companies are not even aware of the number of devices connected to their infrastructure, while small and medium-sized businesses are more aware of the actual number of entry points created into their network.

The number of attacks has gone up so far in 2018, as new classes of threats and more sophisticated attacks have been detected compared with previous years. The attack on Schneider Electric proved how cybercriminals “might cause physical damage to a plant, or even kill people by sabotaging safety systems before attacking industrial plants,” Reuters is quoted as saying in the report.

The report indicates malware (59 percent) and ransomware (32 percent) were not the only threats businesses dealt with in 2018. One-third of security executives said they struggled with DDoS attacks caused by IoT botnets. In addition, over 22 percent detected attacks on wireless communications of access points. For the rest of the year and 2019, the attack surface will probably increase and more devastating attacks will take place on critical sectors such as healthcare, public health and energy, which have so far done a poor job in network security.

Source: https://securityboulevard.com/2018/05/2018-is-the-worst-year-for-corporate-security-executives-lack-cohesive-security-plan/


How to Stop Advanced Persistent Threats

A security professional’s guide to advanced persistent threats and how to stop and prevent them.

An advanced persistent threat can be as scary as it sounds. Left undetected in an enterprise, these network breaches can lead to fraud, intellectual property theft or a headline-grabbing data breach.

Here’s what CISOs and IT security pros should know about this worrisome cybersecurity trend.

What are advanced persistent threats?

As you may have already guessed, an advanced persistent threat (APT) is no run-of-the-mill cybersecurity hazard. It involves cyber criminals penetrating your network and probing it for valuable data and other vulnerabilities. The average APT can last for many months and can do untold damage to an enterprise in stolen data and trade secrets. In 2016, attackers were lying in wait for six months, undiscovered within the networks of Ukrenergo, Ukraine’s national power company, before plunging Kiev into darkness in what would become an alarming reminder of the cybersecurity risks faced by the operators of critical infrastructure.

An advanced persistent threat is less of a “what” and more of a “who,” according to Keith McCammon, chief security officer and co-founder of Red Canary. As tempting as it is to ascribe the APT label to pernicious forms of malware, there’s something more human at play in an APT.

Muddied somewhat over the years by marketers and the media, advanced persistent threats represent an ongoing danger to organizations, beyond the latest malware strain or software vulnerability. APT describes “a determined, capable and deep-pocketed adversary,” said McCammon. “Note that evidence of an active, human adversary is a requirement; APT is not and has never been a malware classification.”

Over the past few years, APT has come to represent a wider set of attackers. “As the tactics, techniques and procedures (TTPs) of the ‘true APT’ have proliferated,” McCammon observed, “it is becoming increasingly difficult to tell whether an attack is perpetrated by a national actor, organized crime or an individual.”

In short, APTs are often characterized by sustained, sophisticated and multi-pronged efforts to gain access to an organization’s network and the computers and servers connected to it.

Advanced persistent threat examples

“Advanced persistent threats are threats that use advanced techniques to avoid detection, like anti-sandboxing, polymorphism and multiple-stage payloads, and also guarantee persistence on a compromised host across reboots by registering as a service, adding registry run entries” and the like, said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “There are countless examples in the wild – GootKit banking Trojan, LockPoS point-of-sale malware, Lokibot infostealer – to name just a few.”

GootKit is notable for its evasiveness and the stealthy way it steals confidential data and sends it back to the operators of its command and control (C&C) server. Primarily targeting European bank account holders, the malware has been known to capture videos of victims’ desktops and dynamically inject fraudulent web content into users’ browsing sessions when they attempt to access their banking websites. To prevent detection by security tools, it checks for the presence of virtual machines that may be used by cybersecurity researchers to study the malware’s behavior.

Attackers use several methods to keep the pressure on enterprise networks and their users.

They often rely on botnets – historically networks of infected PCs, but now also comprised of legions of Internet of Things (IoT) devices – to establish a foothold on a compromised network, not to mention spread malware and spam. In many cases, they are used to launch distributed denial of service (DDoS) attacks that overwhelm a company’s internet-facing servers, often knocking the organization’s online services offline. It’s a blunt instrument compared to some stealthier APT tools, but it’s staggeringly effective in causing harm.

Spear phishing is a common tactic used by APTs. Instead of the shotgun approach used by most spammers, this type of attack uses social engineering and targets victims with specially crafted email messages that coax recipients into infecting their machines by clicking on malicious attachments. Betting that users will jump at seemingly legitimate emails from their bosses, attackers may research a company’s organizational structure, identify the leaders of various departments (finance, HR, etc.) and send out convincing emails urgently requesting that they review attached files or take some other action.

Of course, APTs don’t stop at the infiltration phase. Living up to the “persistent” part of advanced persistent threats, victims can expect an attacker’s foothold to expand over time. Eventually, infected systems begin to siphon data out of a network on an ongoing basis, a process that often goes undetected for extended periods of time.

How to prevent APTs

Now that you know what an APT is, here’s how to stop it.

Employee training

Apart from an organization’s IT professionals, it’s likely that cybersecurity is a low priority for rank-and-file employees just trying to earn a paycheck. Proper training can open their eyes to the severity of the threats they may face at work and help instill a security-first culture. Confirm the training with phishing simulations, periodic refreshers and tough policies that discourage unsafe behaviors.

Access control

As a general rule, APTs can’t harm what they can’t touch.

Network access control (NAC) enables IT departments to block attacks using a variety of access policies and parameters. If a device on a network fails an automatic security check (absence of anti-virus software, an outdated or unpatched operating system, etc.), a NAC solution will block access, preventing an APT from spreading.

Meanwhile, identity and access management (IAM) can help keep attackers from hopping from system to system by using stolen credentials.

Administrator controls

Here are some strategies that systems administrators can use to take the bite out of APTs.

Given the prevalence of attacks that exploit buggy code, vulnerability assessments and rigorous patch management practices are a must. Echoing the NAC concept above, user access management should be tightly controlled. As a rule of thumb, only IT administrators and qualified personnel should be granted administrator access.

In terms of bulking up one’s defenses, intrusion detection and prevention solutions detect the signs of possible attacks, allowing security personnel to take corrective action fast. Erecting a web application firewall will help keep the ever-increasing amount of sensitive data stored in web-facing applications out of the hands of wrongdoers.

Although this is not an exhaustive collection of APT-blocking technologies and techniques, it’s a good starting point.

Penetration testing

One way to see how susceptible your network is to an APT is to act like one.

Penetration testing is a tried-and-true way of unearthing an organization’s security shortcomings. Whether conducted internally using red teams (attackers) and blue teams (defenders) or with an outside penetration testing service, the exercise can be used to shore up an organization’s cyber-defenses and keep IT security teams on their toes. So set up a threat-hunting team and establish ongoing testing of your vulnerabilities.

How to detect APTs

It’s already been established that APTs are often characterized by their stealthy and evasive nature. Fortunately, there are cybersecurity tools that can help unmask them.

User behavior analytics

User and entity behavior analytics (UEBA) is an indispensable tool in uncovering APTs. Increasingly employing artificial intelligence (AI), UEBA tools monitor and analyze how users interact with an organization’s IT systems and can detect when users engage in anomalous behavior, often a sign that their accounts were hacked and an attacker has infiltrated the network.

Deception technology

Turning the tables on attackers, deception technology lures them into attacking fake servers, services and many other networked IT resources of the kind found in the typical enterprise network. While attackers waste time and energy attempting to exfiltrate worthless data, security researchers gather valuable information about the methods they use, including insights into an attacker’s kill chain, and adjust their network defenses accordingly.

Network monitoring

Just like user behavior analytics, network monitoring can expose the suspicious activities that signal an APT.

“Detection of payloads can be done using network APT detection solutions, as well as endpoint AV engines,” Hahad explained. “Post-infection detection relies on Command and Control communication detection and anomaly-based detection combined with automated threat analytics platforms.”

How to respond to APTs

If you discover that you’ve been a victim of an APT, you need to fight back hard and fast.

It’s critical to collect all the relevant information, document the evidence (which may be in the form of log files or reports from security forensics tools) and report it to the proper personnel. With luck, and especially if you’re using the right detection tools, the APT will be discovered early in the kill chain, which will allow IT security professionals to boot attackers, enact new policies, tighten controls, restrict access or take other actions to mitigate the APT and minimize the damage.

If an APT has burrowed deep into the network, take the affected systems offline and restore from a clean backup to prevent attackers from accessing critical data, if they haven’t already done so. Before bringing affected systems back online, ensure that the vulnerability, malware or other cause of the breach has been addressed. Finally, prepare a formal report based on the lessons learned, along with policy recommendations to prevent a repeat.

APT solutions

On some level, nearly all security vendors can claim to be an APT vendor for the role their solutions play in detecting, responding to or preventing the spread of this type of threat. Combating APTs requires a combination of tools and techniques that ideally work in a somewhat synergistic manner, so looking at your overall security posture is a good place to start.

Fortunately, there are a number of advanced threat detection and prevention vendors that offer products that check many boxes, although many enterprises will likely use various solutions from multiple vendors, tied together by a security information and event management (SIEM) product, to keep APTs at bay. Here’s a sampling, in alphabetical order.

  • Barracuda
  • Cisco
  • Fidelis
  • FireEye
  • Forcepoint
  • Fortinet
  • Kaspersky
  • McAfee
  • Red Canary
  • Symantec
  • Sophos
  • Trend Micro
  • Webroot

Source: https://www.esecurityplanet.com/threats/how-to-stop-advanced-persistent-threats.html

Verge [XVG]’s DDOS attack dampens the process of their blocks

According to a recent tweet by Vergecurrency, there has been a delay in their blockchain due to a DDoS attack, which raises security concerns in the community. Currently, there is FUD in the Verge community, and there has been chaos as they have seen such hacks and crashes in the past.

Verge tweet.

Despite the attack, investors are expecting the temporary decrease in the prices as an opportunity rather than a threat in their investment. In its Twitter community, there have been witty responses and genuine concerns.

toefur, a Twitter user commented:

“Full faith in the Verge Devs !! #vergefam . mean while I’ll keep buying the dip.”

Verger Army [XVG] commented:

“Doing some research maybe we should ask all the mining pools to implement Response Rate Limiting(RRL) walls in their code.”

Daniel Eberhardt, an optimistic twitter user commented:

“This is gonna cause a temporary decrease in price. The few that see this as an opportunity instead of a threat are the ones that will reap the rewards in the future.”

However, despite the community’s present vulnerability, Vergecurrency posted in the comment section about its current competition, a giveaway of 10,000 ETH. Investors are expecting a new price discount on the token. In the cryptocurrency world, DDoS attacks are common, causing technical handicaps in mining pools and thereby creating FUD in the market.

24-hour value graph.

Verge [XVG] is trading at a price of $0.052 with a market capital value of $785.42 million at the time of writing. It has experienced a decrease of 0.36% in the last hour on 22nd of May 2018 and a drop of 6.71% in the last 24-hours in the market. Verge [XVG] holds the 31st position in the global market of cryptocurrency as per CoinMarketCap.

Source: https://ambcrypto.com/verge-xvg-ddos-attack-dampens-process-blocks/

Is the Internet of Things impossible to secure?

Device manufacturers can no longer afford to take a back seat when it comes to IoT security.

The use of Internet of Things (IoT) technology is growing rapidly as more consumers and businesses recognise the benefits offered by smart devices. The range of IoT hardware available is huge, including everything from smart doorbells and connected kettles to children’s toys. What’s more, this is not only limited to smart home tech for consumers. IoT sensors are being increasingly used by businesses of all sizes across numerous industries including healthcare and manufacturing. However, despite its life-enhancing and cost-saving benefits, the IoT is a security minefield. So, is it even possible to secure the IoT?

This was one of the themes discussed at this year’s Mobile World Congress (MWC). IoT technology featured heavily at the trade show, with connected items ranging from a passenger drone to the next generation of smart city technology, and IoT security taking centre stage. One session focused on how blockchain might help to secure IoT devices in the future. Best known as the backbone of cryptocurrency Bitcoin, blockchain is a shared ledger where data is automatically stored across multiple locations. The indisputable digital paper trail makes it ideal for financial applications, but it could also be applied to IoT.

IoT devices increase the number of entry points into a home or business network, which in turn could give hackers access to devices such as computers that contain sensitive data. Using blockchain technology could reduce the risk of IoT devices being compromised through a security breach at a single point. By getting rid of a central authority in IoT networks, blockchain would enable device networks to validate and protect themselves. For example, devices in a common group could potentially stop or alert the user if asked to carry out tasks that appear unusual, such as being commandeered by hackers to carry out Distributed Denial of Service (DDoS) attacks.

IoT security and drones

Also highlighted at MWC was the importance of securing IoT technology for use by drones. Drone technology is a rapidly emerging sector within IoT, and the risk of hacking could not only cause a data breach, it could also pose a major risk to public safety. Thanks to their versatile application and access to real-time data, commercial drones are used across a wide variety of sectors, including agriculture, the military and construction, and have even been used to deliver packages, while consumer drones have also grown in popularity in recent years. However, as with many IoT devices, security is often an afterthought, leaving many drones vulnerable to hackers.

If a drone’s own telemetry data is accessed, hackers could take control of it while in the air. This could place people in physical danger if the drone was purposely crashed or hijacked to carry harmful substances such as explosives or chemical agents. A hacked drone could also be used for spying through on-board cameras, or malware could be installed enabling hackers to strip out sensitive data collected by the drone, including pictures and video.

While an increasing amount of drone legislation is being introduced, much of the focus is on air space and where drones are allowed to fly. However, the importance of securing the network over which drones transmit their data should not be underestimated.

Why is securing IoT technology such a big challenge?

Securing IoT devices is challenging for a number of reasons. A rapidly increasing number of gadgets are being turned into smart devices and as manufacturers roll out new products more quickly, little priority is given to security. Eventually we could see almost every home device connected to the Internet, not necessarily with any consumer benefit but instead geared towards data collection, which is incredibly valuable for manufacturers. A lack of awareness among consumers and businesses is also a major obstacle to security, with the convenience and cost-saving benefits of IoT tech appearing to outweigh the potential risks.

Another challenge is securing not only the IoT devices but also the networks over which their data is transferred. In the past, businesses haven’t always focused on building end-to-end security into the network. This is set to change as attitudes evolve, with 46 per cent of organisations ranking ‘securing IoT within the organisation’ as a high priority for 2018, according to the Hiscox Cyber Readiness Report.

What happens next?

So, is it really impossible to secure the Internet of Things? While it’s certainly a challenge, the industry is developing new ways to protect IoT devices from increasingly sophisticated hackers, and there will be significant opportunities for those working in the IoT security space. Blockchain may well be part of the solution, though a group effort will be needed to ensure that IoT technology evolves in a way that is both beneficial to consumers and businesses and secure from hackers.

Education is also key and makers of IoT devices, ISPs and the government must play a vital role in boosting awareness of IoT security among consumers and businesses. At a government level, it may also be necessary to provide education to boost the digital literacy of policymakers. More regulation and standardisation is needed to ensure that IoT devices adhere to a certain level of security, while manufacturers must develop clear privacy policies for their IoT devices and ensure that consumers know how to adjust the security settings. Even simple steps such as not setting default passcodes as ‘0000’ or ‘1234’ could help keep devices more secure in the future.

While security has too often taken a back seat in the development of IoT technology, manufacturers must begin to build protection into their devices. Network providers can also help address the IoT security threat by creating end-to-end infrastructure that meets industry-wide standards. Providers that offer a secure network will have a competitive advantage in the long run.

Source: https://www.itproportal.com/features/is-the-internet-of-things-impossible-to-secure/

Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges

A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.

Gammell took measures to avoid exposing his real identity online, including through the use of cryptocurrencies to pay for the DDoS attacks and VPNs. However, a couple of taunting emails he sent to his victims during the DDoS attacks – asking if they had any IT issues he could help with – were sent from Gmail and Yahoo addresses that had been accessed from his home IP address.

The man initially rejected a plea deal and his attorney sought the dismissal of the case, but in January he pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer and two counts of being a felon-in-possession of a firearm. Gammell, a convicted felon, admitted having numerous firearms and hundreds of rounds of ammunition.

In addition to the 180-month prison sentence, Gammell will have to pay restitution to victims of his DDoS attacks, but that amount will be determined at a later date.

Source: https://www.securityweek.com/man-sentenced-15-years-prison-ddos-attacks-firearm-charges

Vulnerable connected devices posing immense security risk to organisations

Even though thousands of smart devices are being regularly connected to enterprise networks, many organisations do not have security policies for connected devices, or their employees do not follow existing policies by the book.

In October last year, security researchers at both Check Point and Chinese security company Qihoo 360 Netlab discovered a new IoT botnet that they said was “more sophisticated than Mirai” and had been found on millions of IoT devices including routers and IP cameras from companies including GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys and Synology.

The researchers warned that threat actors behind the botnet could cause greater damage than Mirai and could essentially take down the Internet by recruiting IoT devices in the millions.

Going by a new report from Infoblox, even though organisations are embracing IoT devices on a grand scale, most of them are either impervious to such warnings or do not believe that hackers can truly cause havoc by hacking into IoT devices.

A survey carried out by the firm revealed that in the UK, the United States and Germany, 35 percent of large organisations had more than 5,000 non-business devices connecting to their networks each day, and 10 percent of them had over 10,000 such devices connecting to their networks on average.

Over half of small businesses with 50 to 99 employees had more than 1,000 business devices connecting to their networks, as did one in every four small businesses with 10 to 49 employees, showing how reliant organisations are on IoT devices for increased performance and efficiency.

In the UK and the US, around 39 percent of employees connect IoT devices to their organisations’ networks to access social media, 24 percent do so to download apps, 13 percent to download games and seven percent to download films. External devices connected to enterprise networks range from fitness trackers such as FitBit or Gear Fit, digital assistants such as Amazon Alexa and Google Home, smart TVs, smart kitchen devices, and games consoles such as Xbox and PlayStation.

Even though thousands of such smart devices are being regularly connected to enterprise networks, a significant percentage of organisations either do not have security policies for connected devices, or their employees do not follow existing policies by the book.

While 24 percent of IT leaders from the US and UK surveyed by Infoblox did not know if their organisation had a security policy, 20 percent of them in the UK said they rarely, or never, followed such policies. According to researchers, such non-adherence to security policies is exposing organisations to social engineering hacks, phishing, and malware injection.

“Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices, like Shodan. Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP, and SNMP services.

“And, as identifying devices is the first step in accessing devices, this provides even lower level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities,” they warned, highlighting the fact that in March, there were 5,966 identifiable cameras deployed in the UK, 1,571 identifiable Google Home devices deployed in the US, and 2,346 identifiable Smart TVs deployed in Germany.

Not only can vulnerable connected devices be exploited by hackers to infiltrate an enterprise network and to exfiltrate data via the DNS port, they can also be hijacked to mount DDoS attacks by sending repeated and frequent queries that bombard the Domain Name System (DNS) server, thereby inhibiting the ability of a network to process legitimate queries.

For instance, the Mirai botnet leveraged over 600,000 IoT devices to target DNS service provider Dyn in 2016. This resulted in repeated interruptions to Dyn’s services and the shutting down of popular websites including Twitter, Netflix, Reddit, and CNN.
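As an added example (not from the article or from Infoblox’s report), the following Python script runs two defender-side checks over constructed DNS query log lines: a per-source query-rate check for the kind of query flooding described above, and a per-domain check for the long, random-looking subdomain labels typical of data being smuggled out through DNS queries. The “timestamp client qname qtype” log format, the thresholds and the sample addresses are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumed format: "timestamp client qname qtype").
# 10.0.0.23 floods the resolver; 10.0.0.41 sends long hex labels under one domain.
SAMPLE_LOG = """\
2018-05-22T10:00:00 10.0.0.7 www.example.com A
2018-05-22T10:00:01 10.0.0.7 cdn.example.net A
2018-05-22T10:00:01 10.0.0.41 4f9a1c0e7b3d5a2f8e6c1b0d9f7a3e5c.data.example-tunnel.test TXT
2018-05-22T10:00:02 10.0.0.41 a3e5c7f9b1d2e4f6a8c0b2d4e6f8a0c2.data.example-tunnel.test TXT
2018-05-22T10:00:03 10.0.0.41 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.data.example-tunnel.test TXT
""" + "\n".join(
    f"2018-05-22T10:00:{i % 10:02d} 10.0.0.23 victim-{i}.example.org A"
    for i in range(60)
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def flood_sources(records, window_seconds=10, max_queries=50):
    """Clients whose query count in any sliding window exceeds max_queries.

    Returns {client: peak_count_in_window}."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r["ts"])
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_queries:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


def shannon_entropy(label):
    """Bits per character of a DNS label; hex/base32 payloads score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def tunnel_domains(records, min_label_len=20, min_entropy=3.0, min_hits=3):
    """Base domains (last two labels, a simplification) that receive at least
    min_hits queries whose leftmost label is long and high-entropy.

    Returns {base_domain: suspicious_query_count}."""
    hits = Counter()
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue  # nothing to hide a payload in
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[".".join(labels[-2:])] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flooding clients:", flood_sources(recs))
    print("possible DNS exfiltration:", tunnel_domains(recs))
```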
“IoT devices are not protected by nature. We need them to improve our businesses and life, but they are a very easy attack surface, and by far the easiest way to get into an organisation, enabling hackers to scan your network, install malware, conduct reconnaissance, and exfiltrate data by bypassing other security mechanisms,” said Daniel Moscovici, co-founder of Cy-oT, to SC Media UK.

“The real risk is the fact that these devices are an open door in and out of an organisation. For example, if a hacker is able to infiltrate a video camera, they would be able to steal your pictures and videos; however, this is not the main issue. More importantly, the hacker can reach your more sensitive assets by accessing your network through an insecure device.”

The report also revealed that a number of organisations, especially those in the healthcare industry, are now taking steps to strengthen the security of their enterprise networks. While 85 percent of them have increased their cybersecurity spending over the past year, 60 percent and 57 percent of them invested heavily in antivirus software and firewalls, respectively.

At the same time, half of organisations have invested in network monitoring, one third have invested in DNS security solutions to disrupt DDoS attacks and data exfiltration, 37 percent have taken steps to secure their web applications, operating systems, and software, and a third of them are investing in employee education, email security solutions and threat intelligence. However, Moscovici believes these steps aren’t enough.

“We have seen organisations investing a lot of money in mechanisms to protect their networks, perimeters, and endpoints, so attackers will use the path of least resistance in terms of attack surface – connected devices, especially in a wireless environment. However, organisations are unaware that it’s not only the corporate network that is in danger; its airspace is also under threat. Hackers can connect via P2P directly to these assets and, from there, get into the corporate network.”

He added that while many connected devices have built-in vulnerabilities, they can also be exposed through unsecured cloud or web application services, and sometimes the wireless networks surrounding IoT devices are also highly unprotected.

“What is needed is a dedicated cyber-security solution that monitors both the IoT device and its activity 24 x 7, and can neutralise the threat. By doing this, an organisation will be able to detect when and which devices are at risk, as well as mitigate the threat in real time without physically looking for it. The answer does not lie within the device itself, but with a solution that brings your Security Operations Team visibility and control,” he added.

Commenting on the widespread use of vulnerable connected devices, Alex Hinchliffe, threat intelligence analyst at Unit 42 of Palo Alto Networks, said that the proliferation of IoT expands the attack surface for enterprise networks.

“Our own research recently into the Satori malware family demonstrates that IoT malware is evolving all the time from the simple password brute force attack to the vulnerability exploit attack. It would be a notable trend if IoT malware authors continue to rely on using more known vulnerabilities or discovering zero-day vulnerabilities to attack IoT devices.

“Complete visibility is crucial for security teams trying to prevent these attacks. You cannot prevent attacks you cannot see. Visibility and zero-trust network design are critical, to safeguard users, their devices and other corporate assets and to see who’s doing what, where and with which devices.

“The move to a classic zero-day attack against unknown, unpatched vulnerabilities is a logical next step on the part of attackers, which is why security policies for connected devices are essential, and these have to be correctly communicated to staff as well as being built into security systems. Enforcing policies requires a mix of company processes and technology to successfully implement them,” he added.

Source: https://www.scmagazineuk.com/vulnerable-connected-devices-posing-immense-security-risk-to-organisations/article/766545/