Ransomware: Keeping Your Business Safe
Which cyber security processes would have kept you safe from NotPetya/GoldenEye?
Ransomware has plagued businesses for several years, but the recent outbreaks of WannaCry and NotPetya have marked the beginning of a new era of hybrid malware that combines multiple exploits into something much more dangerous. What can organisations do to remain safe when the cyber criminals are innovating so quickly?
The cyber-attacks currently making the headlines, dubbed NotPetya or GoldenEye depending on who is taking credit for the analysis, do not appear to be motivated by extortion in the usual way. It may seem like a peculiar conclusion, given it is a ransomware virus, but researchers are now suggesting that its amateurish ransomware capabilities were designed to cover the fact that it is a dangerous cyber weapon targeting the Ukraine. Furthermore, if its motive is cyber warfare rather than extortion, then it is reasonable to conclude that the perpetrator was a nation-state. The Ukraine’s security service has publicly stated its belief that Russia is behind the attack.
Some recognition should be given to the malware creators, given its virulence and efficacy when it takes hold in an organisation. However, if the Ukraine security services are correct, it seems it also backfired as it caused widespread damage in Russia as well as the Ukraine.
Nevertheless, businesses should have been prepared. The foreshadowing of the WannaCry attack a few weeks ago should have seen every business on the planet apply the Microsoft patch that resolved the vulnerability being exploited by EternalBlue.
Interestingly, GoldenEye was transmitted to targets from a compromised Ukrainian news site rather than via the usual ransomware vector of email. This suggests it was aimed at Ukrainian targets rather than being a widespread organised criminal attack. Furthermore, several researchers think that despite the screen demanding a ransom, it does not save the victim’s data. Thus there is no way to recover it. Before this, the basis of ransomware’s success was that the criminals always got paid and then, nearly always, handed over the decryption keys. GoldenEye comes with no such promise, so word soon spreads that it is not worth paying up.
So what can you do? There is little doubt that if you are in the sights of an attacker, there is a limited amount you can do – this is especially true if the attacker has the resources of a nation-state. Many of GoldenEye’s victims were collateral damage rather than specifically targeted, and collateral victims are of no concern to these attackers. If you practise good cyber security hygiene, in most cases it keeps your business safe. The following proactive operational security processes, if properly executed in your business, will help protect you from most opportunistic or accidental malware infections:
- Patch everything as soon as you can;
- Institute real-time vulnerability management;
- Institute protective monitoring; and
- Regular off-site back-ups and operational testing of recovery.
Security experts say it time and time again: patch your operating systems, patch your applications and keep patching them as soon as the patches are available. Most malware strains need at least one unpatched vulnerability to exploit.
A vulnerability management system gives you immediate, contextual feedback on where weaknesses and vulnerabilities exist in your enterprise. You can use a vulnerability management system to prioritise the work of your systems administrators to make sure security fixes are dealt with promptly.
A modern approach to security operations requires that you gain better visibility of what’s going on in your network. To do this, collect the security events from your operating systems, network devices, security devices, vulnerability management systems and administration systems into a security information and event management (SIEM) system, so that your security analysts can correlate what they see on your networks and investigate patterns of attack.
These four processes can proactively assist in protecting your organisation from most attacks. If you remain patched and compliant, most malware is unable to access your enterprise. Even the most sophisticated malware and malware-free attacks still require vulnerabilities or configuration weaknesses, so the real-time feedback from a vulnerability management system helps you find and fix these issues before the bad guys exploit them.
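The correlation described above (connection events from network devices joined with vulnerability-management context) is easier to see in code. The following is an added example, not Huntsman code: it parses a constructed firewall-style connection log, flags any source that opens SMB (TCP/445) to many distinct internal hosts within a short window (the worm-like fan-out that WannaCry and NotPetya exhibit), and then raises the severity when the targeted hosts are still missing MS17-010 according to a constructed vulnerability feed. The log format, the 10.0.0.0/8 internal range, the threshold and the window are all assumptions chosen for the example.

```python
"""
Correlate connection logs with vulnerability-management data to spot
worm-like SMB lateral movement. Added example; not Huntsman Security code.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: firewall-style connection log "timestamp src dst dport".
SAMPLE_CONN_LOG = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 445
2017-06-27T10:00:03 10.0.1.15 10.0.1.23 445
2017-06-27T10:00:03 10.0.1.15 10.0.1.24 445
2017-06-27T10:00:04 10.0.1.15 10.0.1.25 445
2017-06-27T10:00:10 10.0.1.40 10.0.1.5 445
2017-06-27T10:05:00 10.0.1.40 10.0.1.6 445
2017-06-27T10:00:11 10.0.1.41 203.0.113.9 443
"""

# Constructed vulnerability-management feed: host -> set of missing bulletins.
SAMPLE_VULN_FEED = {
    "10.0.1.21": {"MS17-010"},
    "10.0.1.23": {"MS17-010"},
    "10.0.1.5": set(),
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_conn_log(text):
    """Return a list of (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def detect_smb_fanout(events, threshold=5, window=timedelta(minutes=2)):
    """Flag sources opening SMB (445) to >= threshold distinct internal
    hosts inside any sliding window. Returns {src: sorted target list}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445 and ipaddress.ip_address(dst) in INTERNAL:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            seen = set()
            for ts, dst in conns[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            if len(seen) >= threshold:
                alerts[src] = sorted(seen)
                break
    return alerts


def prioritise(alerts, vuln_feed, bulletin="MS17-010"):
    """Attach vulnerability-management context to each alert: a fan-out
    towards hosts still missing the patch is the one to act on first."""
    out = []
    for src, targets in alerts.items():
        unpatched = [t for t in targets if bulletin in vuln_feed.get(t, set())]
        out.append({
            "source": src,
            "targets": targets,
            "unpatched_targets": unpatched,
            "severity": "critical" if unpatched else "high",
        })
    return out


if __name__ == "__main__":
    found = detect_smb_fanout(parse_conn_log(SAMPLE_CONN_LOG))
    for alert in prioritise(found, SAMPLE_VULN_FEED):
        print(alert)
```

In the sample, 10.0.1.15 reaches six internal hosts on port 445 in three seconds and is flagged; 10.0.1.40 touches two hosts five minutes apart and is not, and the outbound HTTPS connection is ignored. The vulnerability feed turns the alert from "high" into "critical" because two of the targeted hosts still lack MS17-010, which is exactly the prioritisation the vulnerability management paragraph describes.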
WannaCry Ransomware: What is it and how can you protect your organisation?
The recent global deluge of media reports regarding WannaCry has served two purposes. Firstly, its speed and proliferation have spread fear, uncertainty and doubt across the world. It has certainly spooked enterprises everywhere by demonstrating the power and reach of a coordinated cybercriminal campaign. More importantly, it has put business stakeholders, at all levels, on notice that poor cyber security hygiene and complacency about cyber security controls must be addressed by us all. As participants across global data supply chains, no-one is immune from these sorts of risks; we need to improve our performance. Whether this is a timely warning, resulting from a less than perfectly executed mass attack, or the beginning of a spate of new weaponised vulnerabilities, we all need to be prepared. Let’s take a more detailed look.
On Friday, 12th May 2017, WannaCry shot to prominence across the world’s computer systems. Like an emergent strain of the flu, this was different from the normal ransomware that washes over computer systems world-wide. There are now links being drawn between the recent theft of classified US cyber weapons and the emergence of WannaCry. Not just another clone, it was a pathogen that was exposed to the right blend of people, environment and luck to make it much more threatening. The developers of WannaCry combined several different exploits into something significantly more insidious and, in doing so, they have changed the ransomware landscape. WannaCry is a blend of a ransomware variant called WanaCrypt0r that was first spotted a few weeks ago, combined with a self-propagating lateral movement exploit technology (known as a worm), which strengthens its virulence dramatically.
WannaCry uses a vulnerability in the Windows SMBv1 protocol, meaning that once it gets into an organisation it can spread sideways to other unpatched computer systems. Any Windows-based computer that has not been patched is at risk. The SMBv1 vulnerability (MS17-010) was identified and patched by Microsoft on 14th March 2017 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), so the best advice to stop this ransomware in its tracks is to apply the patch and stay alert to future security advisories, as further WannaCry variants are highly likely to emerge.
Since WannaCry started spreading on Friday, thousands of private and public sector organisations around the world have been infected (particularly the National Health Service in the UK). The Australian Federal Government reported that infections were far less prevalent in Australia although the number is growing (three to eight small businesses in Australia) so, in comparison to other places, Australia has escaped the worst of it, at least for now.
Fortunately, very early on in the attack, the British security researcher MalwareTech took advantage of a flaw he discovered in WannaCry’s behaviour, whereby it tried to contact an unregistered domain name. By identifying what has been mooted as a built-in kill switch, he was able to dramatically slow down the spread of the attack. New variants of WannaCry have been re-engineered with the kill switch removed; this might only be the beginning.
What can you do to protect yourself?
As always, sound risk based decision-making is the cornerstone of a good cyber security strategy and advice should be sought if you are in any doubt. Ransomware is just one of many types of malware causing harm to organisations. The infection vectors (i.e. methods of delivery) are common to most other types – most infections these days are transmitted via email or hijacked websites, with an element of social engineering built into the transmission to feign trust (enticing users to click on malicious attachments or links to malicious sites). You can minimise the risk of being infected by ransomware by putting in place the same set of basic safeguards that you would against any malware in general.
- Keep your systems patched – make sure all of your security patches have been applied and where something cannot be patched, compensating controls should be considered.
- Back up your files. If you can recover your files and systems after a ransomware attack, then reverting to a known good state will fix the problem.
- Test your incident response capabilities. There is no use in saying your backup and restore strategy will address the risk of being hit with ransomware if you’ve never tested the efficacy of your recovery methods.
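The last two safeguards only count if a restore has actually been exercised against a known-good reference. The following added example (not Huntsman code) shows one way to make that test repeatable: take a backup together with a SHA-256 manifest, simulate damage to the live copy by overwriting one file and deleting another (constructed damage, standing in for any destructive malware), report what no longer matches the manifest, then restore from the backup and confirm the tree is back to its known good state. The directory layout and file names are constructed for the example.

```python
"""
Backup manifest and recovery drill. Added example; not Huntsman Security code.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(live_dir, backup_dir):
    """Copy the tree and write the manifest beside (not inside) the backup,
    so a later restore cannot overwrite the reference it is checked against."""
    live_dir, backup_dir = Path(live_dir), Path(backup_dir)
    shutil.copytree(live_dir, backup_dir)
    manifest = build_manifest(backup_dir)
    backup_dir.with_suffix(".manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_against_manifest(root, manifest):
    """Return {relpath: 'missing' | 'modified'} for anything that drifted."""
    current = build_manifest(root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "modified"
    return problems


def restore(backup_dir, target_dir):
    """Replace target_dir wholesale with the backup copy."""
    target_dir = Path(target_dir)
    shutil.rmtree(target_dir, ignore_errors=True)
    shutil.copytree(backup_dir, target_dir)


def recovery_drill():
    """End-to-end test: back up, damage the live copy, verify, restore, verify.
    Returns (problems_before_restore, problems_after_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "q2.txt").write_text("quarterly report\n")   # constructed
        (live / "ledger.csv").write_text("date,amount\n2017-06-27,1\n")  # constructed
        backup = Path(tmp) / "backup"
        manifest = take_backup(live, backup)

        # Simulated damage to the live copy: one file overwritten, one deleted.
        (live / "docs" / "q2.txt").write_text("garbage")
        (live / "ledger.csv").unlink()
        before = verify_against_manifest(live, manifest)

        restore(backup, live)
        after = verify_against_manifest(live, manifest)
        return before, after


if __name__ == "__main__":
    damaged, recovered = recovery_drill()
    print("damage detected:", damaged)
    print("outstanding after restore:", recovered)
```

A drill like this belongs in the incident response test plan, run against the real backup target rather than a temporary directory; the point is that the restore is judged against a manifest captured at backup time, not against whatever the live system happens to contain after an incident.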
What can security operations teams do?
If your organisation has a security operations team or you contract a service provider to keep your systems and information secure, we have created a security advisory containing signatures, indicators of compromise and other remediation advice that may help not only detect an infection, but also heighten your preparedness. This information is current at time of publication, please consult the most recent advisory for any updates.
Governance, Risk and Compliance in Real-time for real security
Is your IT Security team equipped to protect your organisation? Does your executive team get WHAT they need, WHEN they need it, to make informed decisions? Providing meaningful, actionable intelligence about security issues to multiple stakeholders, in a language they can understand, is fundamental to the success of the business. Reports that meet the needs of middle managers differ from those appropriate for operational teams, or from those intended for the board. Reporting should be tailored to the audience.
The majority of enterprises are required, either by law or by an industry regulator, to meet a variety of information security standards: PCI-DSS, HIPAA, NIST or the Australian Signals Directorate’s ISM/UK CESG’s GPG13, to name but a few. Alignment with internationally recognised information security standards, such as COBIT or ISO 27001, can also demonstrate to customers, suppliers or partners that your business takes information security seriously. The question, though, is how you get measurable improvement in your security posture as a result of ongoing investment in your information security.
Security Management and GRC
The three main pillars of organisational control, Governance, Risk and Compliance (GRC), underpin any effective information security management system (ISMS), irrespective of whether it’s a home-grown ISMS or based on a standard like the ISO 27000 series. Each of these foundational pillars should be integrated into the DNA of the business to allow relevant information to flow between the management and security teams, to make sure the business’s strategy is successfully implemented despite the variable cybersecurity environment.
GRC has become synonymous with assurance frameworks and costly audits that deliver little in the way of sustained improvement in security resilience. The importance of these controls demands closer attention; and that is why Huntsman® originally released continuous GRC reporting and dashboards to enable continuous operational feedback for organisations as they negotiate today’s operating environment.
Huntsman® delivers Real-time GRC Reporting
Huntsman Security understands the importance of security GRC and how it should be embraced as an enabler to improve operational posture; but it’s more than that, particularly as it relates to cyber security, where the implications of GRC need to be understood by stakeholders across the organisation.
A new approach is required that more directly addresses the interdependency between the business and its operational security team. GRC has the ability to tie security into the organisation at all levels so the relevance of any change in the technological status quo is recognised for both its security and business impact. Business stakeholders need security GRC information to be translated into a language they can understand and a form that they can act upon.
Huntsman®’s Answer for business: Real-time Role Based Reporting
Our challenge was to develop a business-centric reporting solution that provides tailored security metrics to meet the needs of the different business stakeholders for fast, effective decision making. They needed to align with GRC controls and compliance frameworks with information being available in real-time, as dashboards, displaying context to each audience to allow responders to comprehend and action threat intelligence.
I’m delighted to say that the Huntsman® team has now delivered a brand new reporting capability that we are extremely proud of: Role Based Reporting. The interface provides business-relevant security and compliance reporting that highlights the effect of any given risk across the governance and compliance landscape, immediately reporting on its implications for the report audience.
No longer will business managers be trying to understand what the operational security GRC report means or its implications for the board. Role Based Reporting will highlight what the GRC report means to them, the business implications and any bases upon which resulting business decisions need to be made. In a digital world cyber security is like any other risk, it needs to be managed and Huntsman® Role Based Reporting makes the identification, implications and management of that risk much easier for all stakeholders.
Cisco’s latest report shows why automated threat verification should be a key weapon in your cyber security armoury
I was concerned to read the latest findings of the Security Capabilities Benchmark Study in the Cisco 2016 Annual Security Report. Concerned, but not too surprised. The global study surveyed security heads in organizations of various sizes from different industries. It looked at their perceptions of security operations and practices.
One of the report’s key findings was that the confidence of security professionals in their security readiness seems to be dwindling as cyber threats become more sophisticated. The report concludes, inter alia, that organizations should deploy tools that detect threats, and explore effective solutions to help ensure an integrated threat defence.
I couldn’t agree more.
So, why is confidence in security readiness falling?
Too often, I’m hearing concerns from organisations I visit about products that just don’t deliver as promised. They not only feel they have wasted some of their precious security budget – they are also starting to lose faith in the efficacy of security products. And the dearth of solid, independent advice on the right technology to invest in is making it even harder for them to make an informed decision.
Automated threat verification brings a step change to how business can deal with cyber risk.
I’d strongly advise all organisations to look into proven security solutions that integrate with and support existing investments. The Huntsman Analyst Portal® automatically aggregates and examines threat information from a range of sources across the enterprise to deliver real-time threat verification. Automating the threat verification process brings huge advantages. Obviously, the faster you detect and understand a security breach, the sooner you can respond, avert data loss, reduce impact, safeguard reputation, and meet regulatory obligations.
Automation also brings repeatable and streamlined processes that save analysts from fire-fighting, data-crunching, and dealing with a mountain of false positives. It frees them up to proactively hunt for undetected threats, active attacks, vulnerabilities or signs of misuse or compromise.
Investing in automated threat verification technology doesn’t mean you have to ‘rip and replace’ your current security technology. A major benefit of the Huntsman Analyst Portal®, for example, is that it integrates with, and leverages, your existing security investments and processes. It means that earlier security investments can continue to yield a return.
Creating the right culture is also critical.
As Cisco correctly points out, having the right technology is only part of the solution, because security is built up by technology, people and cultural processes working together. All organisations also need to create a culture that underscores the importance of security, to provide an environment that is as close to Cyber Resilience as you can get.
You can read the key findings of the CISCO study at http://apjc.thecisconetwork.com/site/content/lang/en/id/5279.
Can we really manage Cyber Risk?
When I used to speak to organisations about the need to manage their cyber risk, my recommendations were often met with blank looks and “we’ve never had a problem”.
Now, cyber-crime is rightfully recognised as a significant risk to the business of every organisation.
The nimbleness of cyber criminals, and the ease with which they regularly breach defences, has many managers asking: what should we do to manage cyber risk?
Firstly, there are no silver bullets and don’t believe anyone who is offering one.
There are however a few steps your organisation can take.
There are internal controls every organisation should have to boost cyber resilience. These include firewalls, AV gateways, malware sandbox solutions, IDS/IPS, network access controls, and host/endpoint protection. Building in-house security skills and awareness will increase the effectiveness of these investments.
Despite these internal controls, breaches can, and do, occur. So your organisation also needs to deploy threat detection and response measures.
Today, there are a few excellent applications – like Huntsman’s defence-grade security platform – that detect threats in real time and cut the time your organisation is exposed to cyber risk to seconds.
These applications can reduce the potential financial impact, reputational damage and remediation costs that inevitably flow from a breach.
As well as internal controls and threat detection, your organisation will probably also need to outsource expertise in areas like penetration testing, assurance, incident response and – perhaps most importantly – monitoring. A 24/7 monitoring service can detect alerts and other indicators of security compromise like anomalous network traffic patterns, and unusual behavior on the IT system.
Finally, there’s insurance, to assign your cyber risk to an insurer.
Like any insurance policy, the premium correlates with the size of the risk. So anything your organisation can do to limit that risk should reduce the premium.
But beware: if your organisation does not have the requisite internal controls in place, an insurer may prove unwilling to underwrite your risk.
So, in a nutshell, cyber resilience requires a balance of building internal capabilities, procuring outside help where you need it, and insuring against any related risks you can’t reasonably manage.
The investment may seem large. But the consequences of not adequately addressing cyber threats can be massive.
If you’d like to know more about how to boost your organisation’s cyber resilience, please feel free to contact me at Huntsman Security.
Welcome back for 2016. As it turned out 2015 was a year marked by the increasing number, scale and prominence of security breaches as cyber risk to businesses increased and spread. Additionally and probably related, the technology environment in which enterprise security teams operate became more complex.
At the start of 2016, the continuing arms race between attackers and defending organisations suggests no let-up in the need for preparedness.
Traditionally, companies that suffer from attacks or data losses have been “fair game” for professional advice meted out by profile seeking experts. But we shouldn’t be too hasty in our condemnation of the victims. In a number of recent cases, once the furore died down, there was often more to a story than met the eye. Organisations that fall victim to many of these attacks are not always as careless or naive as first appears and we should learn from their experiences.
The continuing skills shortage in cyber security, for example, is a case in point. This talent shortfall directly limits what can be achieved when cyber defenders are faced with an increasing volume of complex attacks to address.
A profound trend in 2016, one in which Huntsman® is at the vanguard, will be the development of automation and orchestration of security technologies that:
- provide “cleaner” security intelligence by pre-qualifying alerts to weed out false positives, benign threats or mitigated vulnerabilities;
- support investigators to more quickly understand the threats that matter by aggregating relevant diagnostic data as it happens from networks, applications, platforms and end-points and automatically initiating the investigation processes;
- provide greater confidence in the interpretation of threats to enable faster and more certain evidence-based decision making; and
- integrate with network and systems orchestration technologies to implement a response to quarantine affected systems, mitigate ongoing attacks or increase the volume of diagnostic data collected about a particular threat.
Compounding these observations is the growing complexity of IT environments: both cloud and mobile adoption are continuing apace, and the massive rise of connected devices (often referred to as the “Internet of Things”) means that the enterprise IT environment is increasing in scale and diversity, is less controllable, and is increasingly suited to machine-based analysis for timely threat resolution.
In short, businesses face an increasing challenge to secure their networks, and that’s before you factor in the plethora of new security technologies; see the latest batch released at the recent Consumer Electronics Show in Las Vegas, www.cesweb.org. As an industry we will continue to be challenged on a number of fronts in 2016 as we stretch the capacity, and maybe even the ability, of security teams to monitor their environments and respond to early signs of threats.
Cyber Risk reduction: Why Automated Threat Verification is key
Alarmingly, recent findings indicate that organisations are increasingly exposed to cyber security risk for longer periods of time. This is despite ongoing investment in deployments of up-to-date threat intelligence platforms and teams of highly skilled security experts. It’s little wonder that industry experts are calling for a new weapon to reduce the time between threat detection and resolution. Automated threat verification promises to do just that, filling an important hole in the incident management process.
Whilst large volumes of new intelligence provide valuable contextual threat information, there is no doubt that finding a better way to process it is moving to the front of mind for the security industry. The Mandiant 2015 M-Trends Report notes that, despite security investments, the average time from infection to detection improved by only a single day over the previous year, from 205 to 204. This is a real problem, and it is before an analyst or data scientist starts to investigate and resolve a single threat.
Why so long? Well, all too often this flood of new threat intelligence is presented to the SOC team in inaccessible information silos that require manual collation, analysis and interpretation. On top of that, threat intelligence is often mistakenly flagged as malicious when in fact it’s benign and will not impact the enterprise. This means security analysts often end up spending countless hours, distracted from the threats that matter, sifting through this logjam of potential ‘threats’ – only to find they are false alarms.
The cause of this situation is ‘intelligence overload’ as organisations try to interpret more and more new threat intelligence using their existing security resources. This manual solution, for an industrial problem, is proving very costly for organisations – not just in terms of the expense of finding, hiring and retaining these expert security analysts, but also because of the time at risk to cyber threats.
Adding to the problem is the apparent global shortage of security analysts able to comb through the mountain of potential cyber threats to find the ones that matter. Cisco suggests we are short 1 million analysts.
The solution is already here – automated threat verification
The Huntsman Analyst Portal® delivers a step change in threat management by automatically verifying threats, removing false alarms, and quickly pinpointing the threats that matter. This has two key benefits for every organisation:
- It slashes the time at risk. Huntsman shrinks the delay between threat detection and response to seconds. This means security analysts can focus on the most risky threats; contain them, stop the loss, and minimize the time at risk.
- It dramatically cuts costs. Huntsman reduces the workload of the security team by automating routine investigation workflows, and streamlining the processes of the Security Operations Center (SOC). The end result is better decisions at a significant cost saving.
Only this week Cisco demonstrated an aligned vision by announcing the deep integration of pxGrid and the Huntsman Analyst Portal®. pxGrid, launched one year ago, provides a suite of context sharing and network control capabilities that enable Cisco ecosystem partners to extend their reach into the network infrastructure and take “Rapid Threat Containment” actions. We are delighted to announce that Huntsman Security has integrated both the “User Access and Device context” and “network control” capabilities into the Huntsman Analyst Portal®, enabling delivery of:
- Real-time automated correlation of pan-platform intelligence;
- Real-time threat verification of all validated threats; and
- Rapid manual and automated threat containment, in seconds.
Put simply, when it comes to speed from threat detection to resolution, Huntsman Analyst Portal® is the fastest, most cost-effective way to slash your time at risk to seconds.