Massive Ransomware Outbreak Highlights Need For A Digital Extortion Decision Tree

May 12, 2017 may go down as another day of cyber-infamy: hospitals and critical infrastructure providers are locked out of their machines by what appears to be a new ransomware variant, dubbed WannaCry, spreading through corporate networks. As in the ransomware outbreaks that hit US hospitals in mid-2016, NHS hospitals are experiencing patient care disruptions as a result of the malware, with some shut down completely as of 11:37 AM Eastern time.

Early analysis from CCN-CERT (Spain's National Cryptologic Center) indicates the malware spreads over the SMB protocol, possibly exploiting the SMB vulnerability Microsoft patched on March 14th (security bulletin MS17-010). This is the same vulnerability targeted by the ETERNALBLUE exploit included in the Shadow Brokers dump, which means a single unpatched host with SMB reachable on TCP/445 is enough for the worm to move laterally without any user interaction. Patching and update information from Microsoft is located here. For the specific list of affected systems, along with the CVE number, MS patch details, and alternative mitigation techniques (disabling SMBv1 and restricting TCP/445 where patching is not immediately possible), check here.
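As an added example (not from the original post), the following PowerShell audit checks a Windows host for the conditions the outbreak depends on: SMBv1 enabled, TCP/445 listening, and the March patch absent. It is assumed to run from an elevated prompt on Windows 8.1 / Server 2012 R2 or later, where the SmbShare and NetTCPIP modules exist; the -ExpectedKBs parameter is a placeholder you must fill from Microsoft's bulletin for your OS build, since the post does not list KB numbers.

```powershell
# Added example: audit one Windows host for WannaCry/MS17-010 exposure and,
# with -Remediate, switch off the SMBv1 server. Not code from the original post.
# Assumptions: elevated prompt; Windows 8.1 / Server 2012 R2 or newer; the KB
# list is supplied by the operator from Microsoft's MS17-010 bulletin.
[CmdletBinding()]
param(
    [string[]]$ExpectedKBs = @(),   # e.g. the KB numbers for your build (assumption: filled by you)
    [switch]$Remediate
)

$report = [ordered]@{ Host = $env:COMPUTERNAME }

# 1. Is the SMBv1 server protocol enabled? This is what ETERNALBLUE targets.
$cfg = Get-SmbServerConfiguration
$report.SMB1ServerEnabled = $cfg.EnableSMB1Protocol

# 2. Is the SMB1 optional feature installed? (Server SKUs expose it as the
#    FS-SMB1 role feature instead, so this may be 'NotPresent' there.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report.SMB1FeatureState = if ($feature) { $feature.State } else { 'NotPresent' }

# 3. Is TCP/445 listening, and on which addresses? SMB should never face
#    untrusted networks; a listener on 0.0.0.0 is worth a firewall rule.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$report.Port445Listening = [bool]$listeners
$report.Port445Addresses = ($listeners | Select-Object -ExpandProperty LocalAddress -Unique) -join ','

# 4. Is one of the expected MS17-010 updates installed?
if ($ExpectedKBs.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $ExpectedKBs -contains $_.HotFixID }
    $report.PatchFound = [bool]$installed
    $report.PatchIDs   = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
} else {
    $report.PatchFound = 'NotChecked (no -ExpectedKBs supplied)'
}

# 5. Optional remediation: disable the SMBv1 server now, remove the feature
#    (takes effect after reboot). Patching is still required; this only closes
#    the protocol the worm uses.
if ($Remediate -and $cfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    $report.Remediated = $true
}

[pscustomobject]$report | Format-List
```

Run it read-only first across a sample of hosts (for example via Invoke-Command) to size the problem, then with -Remediate on hosts where legacy clients do not depend on SMBv1; the patch check reports NotChecked rather than a false pass when no KB list is supplied.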

Read more

NIST Is Jealous That PCI (Still) Matters More Than It Does

The summary of the new Executive Order (the May 11, 2017 order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure) is a bit of a letdown:

Each federal agency must complete a risk management report within 90 days, aligned with the NIST Cybersecurity Framework.

Outside of those with a risk fetish, this new EO probably isn't that exciting from the perspective of any near-term cybersecurity transformation. That said, a few aspects are worth mentioning:

  • Cybersecurity is now a multi-agency public policy issue driven by the Executive Branch. The Department of Homeland Security, Office of Management and Budget, Department of Commerce, Department of Education, Department of Labor, and Office of Personnel Management are all named in the order.
  • The government wants to move to shared services, including email, cloud, and cybersecurity services. The order requires a specific report on the costs of modernizing government IT and cybersecurity through shared services.
  • Cybersecurity, services, and innovation are tied together: the order names the Director of the American Technology Council as a primary stakeholder for the report on modernizing IT and cybersecurity.
  • The order treats workforce development as a key component of the United States' cybersecurity advantage. Within 120 days, the President is to receive a report on how to support the growth and sustainment of cybersecurity education.

Does the order change much? Not really.

Is it worth getting excited over? Absolutely, for those who felt the government had too few reports and committees.

For security practitioners? Probably not, but we are a cynical bunch by trade. It isn't transformative, but its existence is itself an incremental improvement.

Then again, the cybersecurity requirements for accepting credit cards are still tougher (and more enforceable) than those for providing electricity....

Exploring The IoT Attack Surface

Merritt Maxim and I just published our research on the IoT attack surface. This report gives a realistic, not sensationalized, view of how enterprises need to think about IoT. Three factors motivated our research on this topic: attacks on IoT will transcend the digital-physical divide, the sheer scale of IoT will challenge security teams, and IoT devices collect massive amounts of data.

The following methodology allowed us to home in on concrete enterprise scenarios:

  • We went for offense first. We started by interviewing prominent security researchers who spend their days thinking about how to attack IoT devices and systems. This outside-in approach allowed us to develop a threat model for intrusions and to identify weak points in the defenses of IoT makers, users, and operators.
  • We explored the ramifications of an attack. We wanted to understand what an attacker would, or could, do when successful, and how much friction stood between initial compromise and whatever came next: credential harvesting, persistence, or disrupting operations.
  • We examined existing security practices to understand what works and what doesn't when defending IoT devices. This step highlighted that while IoT is different, defending IoT looks similar to other security problems S&R pros have dealt with. You can bring security lessons forward and apply them to IoT without having to learn them all over again.

Read more

Automated Malware Analysis Technologies Central To Defense Strategies

"The most important security alerts we see."

That’s how one customer described the importance of automated malware analysis (AMA) technologies in their security workflow. After months of demonstrations, reference calls, and analysis, we are thrilled that The Forrester Wave™: Automated Malware Analysis, Q2 2016 is live! Many of the clients we talked to run multiple vendors' products to analyze malware in order to maximize analysis results.

The underlying mechanisms for automated malware analysis are fascinating for the technophile - combining content security, hypervisor-driven execution, behavioral analytics, and algorithmic API analysis. Incredibly sophisticated software engineering and statistical modeling adds another layer of intrigue. Mix those together with evasive adversaries attempting to bypass the technology and it's an intense discussion!

Because AMA solutions have become the dominant element of detection and prevention in client environments, that role shaped our assessment criteria.

Here’s an overview of our approach:

  • Visibility is a cornerstone of detection and protection. In order to detect something, you must see it in the first place: a sample that never reaches the analysis engine (a file, an attachment, a network stream) cannot be flagged.
  • Flexible deployment models are key to dynamic production environments. If a solution is hardware or on-premises only, then it only fits environments that match that form factor.
  • Scalability avoids creating a problem as the environment grows. Scalable infrastructure allows the business to orchestrate workloads based on need and priority; AMA solutions should offer the same capabilities to better align with technology needs.

Read more