It has been said that those who fail to learn from history are doomed to repeat it. With that in mind, Bromium Labs today has published “Endpoint Exploitation Trends 2015,” a research report that analyzes the ongoing security risk of popular websites and software. The report highlights that software vulnerabilities and exploits in popular applications spiked in 2015 with vulnerabilities increasing nearly 60 percent and Flash exploits increasing 200 percent. The report also highlights common attack trends, including the resurgence of macro malware, the continuous growth of ransomware and the ubiquitous presence of malvertising.
Adobe Flash vulnerabilities and exploits are nothing new, but this spike in 2015 was noticeable. The continuous growth of malvertising is also noteworthy, with malvertising attacks detected on more than a quarter of the Alexa 1,000. Currently, Flash exploits and malvertising go hand-in-hand, so this trend shows how two vulnerable systems can be attacked together to compromise an end user or an enterprise.
Flash is widely used – although we may be witnessing the slow death of Flash – which is one reason we see so many exploits and vulnerabilities for it. The second reason is that attackers tend to focus on the weakest link; as Internet Explorer and Windows have improved their attack mitigations, attackers have been driven to more easily exploitable technology, such as Flash.
Interestingly, as systems have become more advanced and secure, many attackers are relying on a dated technique, macro malware, which masquerades as a legitimate document, such as an invoice or tracking number. Macro malware requires the user to launch the attack, so these documents are spammed through phishing emails. The malware itself is obfuscated inside large bodies of code pulled from legitimate projects, making it difficult for signature analysis to detect the attack.
Not all attackers are relying on these dated attacks; we have witnessed the explosive growth of ransomware, which has increased 600 percent since 2013. Not only is this a common attack vector, but it continues to evolve. Most recently, we have witnessed ransomware “as a service” that enables an attacker to obtain ransomware for free by agreeing to share the profits with its creator. Ransomware is distributed through every possible attack vector, from email spam and macro malware to drive-by downloads and malvertising.
In conclusion, the Bromium Threat Report “Endpoint Exploitation Trends 2015” highlights how attackers continue to use whatever attack works best, old or new. The spike in software vulnerabilities and exploits should be a first step for security teams to address; patching vulnerable machines has never been more urgent. With the rise in macro-malware, it is imperative to re-educate users about phishing emails. Hackers will attack the weakest point they can find, so security teams must adapt to remain secure. The most important thing to realize is that malware is hiding in plain sight: it is spammed through email as malicious documents and embedded in advertisements in some of the most popular web sites on the Internet.
Given this, it’s easy to see that the more software introduced into a network, the greater the attack surface becomes. Any successful security solution must fundamentally change the way security is provided by reducing the attack surface and decreasing software surface areas for attack.
As 2015 draws to a close and we look ahead to 2016, it’s that time of the year when we look into our crystal ball and try to prognosticate about the next 12 months. Fortunately, Bromium has some big brains, and our erudite co-founder/CTO Simon Crosby has been busy putting pen to paper to share his 2016 security predictions with Forbes.
Unfortunately in most respects, 2016 won’t change much: users will still click on malicious links; IT will still be bad at patching; the bad guys will still attack; and the tide of misery from breaches will continue. What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organization to high ground based on a well-considered, security-first strategy.
As co-founder and CTO of Bromium, a cybersecurity solution focused on endpoint threat isolation, I have spoken with hundreds upon hundreds of CSOs and CIOs who recognize that the cybersecurity industry continues to repeat the same mistakes. Unfortunately, even though these CSOs and CIOs recognize the shortcomings of the security industry, their organizations tend to hold them responsible when something goes wrong — not the vendor.
Crosby also had the opportunity to share his predictions with The VAR Guy, which noted:
Cloud computing will become more relevant than ever as people understand the importance of automation in preventing errors: With an increase in cloud automation, enterprises are bound to see fewer human errors as people are removed from the day-to-day task of monitoring information, according to Simon Crosby, the co-founder and CTO of Bromium. While some form of human interaction is still necessary for the proper operation of cloud systems, Crosby believes that the fewer hands are touching sensitive data, the fewer chances there are for major mistakes.
With the change in how infrastructure is managed there is bound to be a change in spending habits and practices among enterprises, according to Crosby. This will cause a great deal of disruption among legacy security vendors as their products and services will be forced to evolve to meet changing market demands. Many of these legacy security vendors are bound to push back against this new way of thinking, but Crosby believes change is inevitable – for consumers, the real solution for securing infrastructure will be to allow vendors to build security natively into their solutions, rather than relying on patches and after-market corrections to ensure data security.
“Companies need to get out of the business of trying to patch things themselves,” said Crosby. “They need to let vendors patch them.”
Simon’s sentiment resonates with my own, which I had the opportunity to share with IDG Connect:
The biggest security threat is the endpoint; you can’t patch users.
Earlier this year, I asked “Are We Witnessing the Death of Flash?”, a blog post prompted by a series of Flash exploits and a negative industry response to the ubiquitous software. At the time, Amazon and Google each announced they would be blocking or pausing Flash ads.
This week, Adobe told people to stop using Flash. Except really they just mean to stop using the Flash authoring tool. In its announcement, Adobe cites recent trends in HTML5 and open web standards, which have driven the creation of Adobe Animate CC. Of course, the question remains, is a rose by any other name still just as insecure?
A Bromium survey of Black Hat attendees found that 90 percent of security professionals believe their organization would be more secure if it disabled Flash. Unfortunately, this announcement from Adobe seems like little more than a marketing move. Adobe Animate CC has the potential to produce HTML5, but it can still continue to produce Flash content.
The announcement itself has nothing to do with Flash players and Flash content, which refuse to die, despite being an overwhelmingly popular attack vector. For example, malicious advertisements can be served through Flash without an end user even having to click on them.
The only silver lining to this announcement is that Adobe is well aware of the security issues of Flash and has pledged to continue working with Google and Microsoft to secure Flash content. Adobe is also working with Facebook to ensure the security of Flash-based games on Facebook.
There continues to be a huge amount of Flash content out there, especially video and gaming content, and we plan to do all we can to keep Flash Player stable and secure because it is the responsible thing to do.
There is a very real risk that some Web sites will become unusable or insecure because of all of the Flash content that exists. Even if Adobe pledges to keep supporting Flash, not every organization will be able to manage.
If you’re an optimist, this announcement from Adobe acknowledges the ongoing adoption of the more-secure HTML5 standard and a commitment to better security, but if you’re a realist you know that Flash content refuses to die.
Earlier this year, Brian Krebs spent a month without Adobe Flash, so uninstalling the browser plug-in is certainly an option. However, 41 percent of organizations believe that disabling Flash would break critical applications or negatively impact productivity.
Another option is to deploy threat isolation security solutions. Bromium vSentry uses micro-virtualization to isolate the Web browser from the host system. This means that users can keep using Flash, even if it is vulnerable, because any threats (even zero-day attacks) will be contained in a micro-VM.
Looking back at 2015, it’s clear that IT security is a real and growing concern. Just a few years ago, online retailers were the source of most security failures. Now, cybercriminals are getting more sophisticated. In 2015, cybercriminals have successfully attacked governments, hospitals and insurance companies — the organizations that store our most personal data.
With millions of records stolen in each data breach, the potential liability for companies in charge of keeping users’ personal information safe is larger than ever before. IBM’s 10th annual Cost of Data Breach Study, conducted independently by Ponemon Institute, found that the cost per stolen record has increased 6% in 2015, to a consolidated average of $154. Even more concerning is that the total average cost per breach increased by 23% to $3.8 million.
Data breaches are not limited by company size or industry. This list of large data breaches in 2015 shows the spectrum of companies being targeted.
This list of high-profile data breaches from 2015 includes more than 277 million individual user records. To put that in perspective, in 2013 just under 75% of households reported Internet use (https://www.census.gov/history/pdf/acs-internet2013.pdf), that’s about 240 million people.
A data breach does more than put users at risk. It erodes consumer trust and can damage a company’s reputation for years. Bromium uses isolation technology to prevent breaches, keeping company data safe from modern cyber attacks.
It’s that time of year. For one thing, get ready for the onslaught of ‘predictions’ from those chatty security vendors (present company included). And of course, there’s another telltale sign that the New Year is upon us. Whether it’s losing weight, spending more time with the family, kicking smoking—we’re going to start hearing all types of ambitious New Year’s resolutions.
When CIOs and endpoint computing managers—particularly those running versions of Internet Explorer prior to IE11 on Windows 7 or 8.1—take stock of what needs to get done in the new year, a big day is looming. On January 12, 2016, Microsoft is eliminating support for all but the latest versions of IE supported in each version of Windows and Windows Server. There’s a pretty big penalty for not upgrading (to IE 11 in this case)— no security updates or technical support for the earlier browsers.
While many organizations have in fact made the move, either to IE 11, IE 11 Enterprise Mode, Chrome, or another browser, we’re hearing from a surprisingly large number of customers and prospects that the transition will not be easy. Even with Microsoft’s helpful 17 months of advance notice, there are a number of reasons why some enterprise and government shops will struggle.
For one, it may surprise folks how prevalent the use of IE is in corporate environments and how much of a “long tail” exists for earlier versions. According to Gregg Keizer of Computerworld, who has published a series of articles on pending EOL of IE, substantial fractions of the IE user base continued to run versions slated for shutoff.
What’s behind the reluctance? A big obstacle involves website and application dependencies. Many government and enterprise customers we talk to simply cannot switch browsers, or not nearly as easily as consumers can. Often their internal websites and Web-based apps still require older versions of IE to work. An example would be a very expensive, workflow-critical third-party Web app that is built to use only a specific add-in for IE. That functionality gap won’t be resolved with IE11 Enterprise Mode. Oftentimes it’s a matter of third-party web sites needing to be updated just as much as the browser, which can be time consuming. Finally, any change is difficult and expensive, especially when tied to an external deadline. Abandoning years of investment in trusted enterprise applications is a risky and expensive bet for many.
The good news is with Bromium, customers running Windows 7 and Windows 8.1 systems don’t need to move mountains to adhere to the Jan 12 timeline. With vSentry-protected endpoints, every Web link click or interaction in IE is opened in a hardware-isolated micro-virtual machine – essentially a secure, isolated container – ensuring that the endpoint remains secure at all times, whether you’re running an insecure browser version or not.
If an untimely upgrade to IE is giving you angst, attend our on-demand Webinar where we dive into how Bromium makes browser vulnerabilities irrelevant. In the meantime, you can cross that upgrade off your resolution list.
November has quickly become one of the biggest months for crypto-ransomware all year. Multiple new crypto-ransomware variants have been introduced, as cyber criminals prepare to prey on vulnerable users heading online for their holiday shopping.
The first variant, Chimera, has been encrypting both files and network drives, as well as threatening to publish personal data and pictures online if the ransom is not paid. Chimera has been in circulation since September, using business-focused emails as its primary avenue of compromise.
According to the Anti-Botnet Advisory Centre:
“Several variants…try to target specific employees within a company and they have one thing in common: within the email, a link points to a source at Dropbox, claiming that additional information has been stored there.”
Users naïve enough to click on the link are infected with Chimera, which encrypts all locally stored data and demands a nearly $700 ransom.
Currently, there is no evidence that Chimera is following through on its threat to publish the compromised data, but the threat alone is a new modus operandi for crypto-ransomware.
Next up, Cryptowall has been updated to Cryptowall 4.0. Previously, Bromium has chronicled the history of Cryptowall and crypto-ransomware in its report, “Understanding Crypto-Ransomware.” Cryptowall is one of the original crypto-ransomware variants, first appearing around November 2013. In addition to encrypting user files, Cryptowall 4.0 also encrypts file names, making file recovery even less likely.
Third, CryptoLocker Service is also an update to one of the original crypto-ransomware variants, CryptoLocker. CryptoLocker Service emerged from the Darknet this week, being run by an individual known as Fakben (known for his participation in stolen credit card forums). Fakben is making CryptoLocker available as a service for $50, plus ten percent.
Fakben notes that this ransomware shares only a name with CryptoLocker, making it clear the new code is different from the original.
Regardless of the variant, crypto-ransomware targets exploits and vulnerabilities in products such as Flash and Java. A recent Bromium survey determined that 90 percent of security professionals believe their organization would be more secure if it disabled Flash.
Finally, Linux servers have been hit by a ransomware attack that gains administrative access and encrypts key files. These attacks should be of little concern to end users since the attacks were against admin servers.
Organizations should be concerned with crypto-ransomware because once an attack succeeds, recovery options are limited to installing from back-ups. Detection and reaction are destined to fail against crypto-ransomware. The only hope for preventing crypto-ransomware attacks is proactive protection, such as the threat isolation provided by Bromium vSentry.
Microsoft today announced the availability of the “Windows for Business” update to Windows 10, which (for geeks) was code-named “Threshold 2”. The update includes a slew of new features and bug fixes.
Rather than focus on the visible changes, I wanted to know just how much Microsoft had changed the OS, given its new “Windows as a service” approach to aggressively patching the OS and to delivering only cumulative patch updates. WaaS has put IT departments on notice that not patching is not acceptable – which has predictably riled some IT folk, but is nonetheless the right way to address the major contributor to breaches: 70% of breaches result from malware exploiting a vulnerability for which a patch has been available for over a year.
On to the data: TH2 delivers massive changes under the hood. A typical Windows 10 installation (with 3 language packs) numbers about 130,000 files. For build 10240, the total number is 130,266, and for build 10565 (the TH2 preview released to the fast ring of testers about a week ago), that number changed to 131,404. Did they simply add 1,138 files? Far from it. Upgrading from 10240 to 10565, Microsoft modified 26,434 files, added 94,431 files and deleted 93,264.
Probably the vast number of deletions and additions is due to the way WinSXS works – the files are logically moving from folders whose names include a Windows version number; but at the same time, the binaries in them are indeed different. Without the SxS folder structure the delete/add totals would probably diminish, but the “files modified” count would correspondingly rise.
So, if you roughly tot up the files modified (~26k), plus the “swaps in and out” (~94k) (== ~120k) you’re not far off the full install (~130k). The registry is similarly transformed. On the upgrade the number of registry keys changed was 288,320.
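The file-level sleuthing above, and the WinSxS hypothesis that add/delete pairs are really modifications in disguise, can be reproduced with a manifest diff. This is an added example, not Bromium’s tooling: it hashes two trees, counts modified/added/deleted files, and optionally folds the version segment out of WinSxS folder names (the `_10.0.10240.16384_` pattern is an assumption about that naming scheme) to show how the counts shift. The two sample manifests are constructed stand-ins for builds 10240 and 10565.

```python
import hashlib
import os
import re
from collections import Counter
from dataclasses import dataclass

# WinSxS component folders carry a build version such as
# amd64_foo_10.0.10240.16384_none. The pattern below is an assumption about
# that naming scheme; stripping the version lets the same component in two
# builds compare as one logical file instead of one deletion plus one add.
VERSION_RE = re.compile(r"_\d+\.\d+\.\d+\.\d+_")


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def normalise(path):
    """Replace the version segment of a WinSxS folder name with a marker."""
    return VERSION_RE.sub("_<ver>_", path)


def collapse_versions(manifest):
    """Key a manifest by version-less path where that key is unique.

    If one build keeps two versions of the same component side by side,
    both entries keep their original path so neither is silently dropped.
    """
    counts = Counter(normalise(p) for p in manifest)
    return {
        (normalise(p) if counts[normalise(p)] == 1 else p): h
        for p, h in manifest.items()
    }


@dataclass(frozen=True)
class DiffResult:
    modified: int
    added: int
    deleted: int
    unchanged: int


def diff_manifests(old, new, collapse=False):
    """Count files modified, added, deleted and unchanged between two builds."""
    if collapse:
        old, new = collapse_versions(old), collapse_versions(new)
    old_paths, new_paths = set(old), set(new)
    common = old_paths & new_paths
    modified = sum(1 for p in common if old[p] != new[p])
    return DiffResult(
        modified=modified,
        added=len(new_paths - old_paths),
        deleted=len(old_paths - new_paths),
        unchanged=len(common) - modified,
    )


# Constructed sample manifests standing in for two Windows 10 builds; the
# "hashes" are placeholders, only their equality matters to the diff.
OLD_BUILD = {
    "Windows/System32/ntoskrnl.exe": "h-kernel-1",
    "Windows/System32/kernel32.dll": "h-k32",
    "Windows/WinSxS/amd64_foo_10.0.10240.16384_none/foo.dll": "h-foo-1",
    "Windows/WinSxS/amd64_bar_10.0.10240.16384_none/bar.dll": "h-bar",
    "Windows/System32/oldtool.exe": "h-old",
}
NEW_BUILD = {
    "Windows/System32/ntoskrnl.exe": "h-kernel-2",  # rebuilt in place
    "Windows/System32/kernel32.dll": "h-k32",       # untouched
    "Windows/WinSxS/amd64_foo_10.0.10565.0_none/foo.dll": "h-foo-2",  # new folder, new bits
    "Windows/WinSxS/amd64_bar_10.0.10565.0_none/bar.dll": "h-bar",    # new folder, same bits
    "Windows/System32/newtool.exe": "h-new",
}

if __name__ == "__main__":
    # Raw paths report 3 adds + 3 deletes; folding versions turns two of
    # those pairs into 1 modified and 1 unchanged file, as the text predicts.
    print("raw paths:      ", diff_manifests(OLD_BUILD, NEW_BUILD))
    print("versions folded:", diff_manifests(OLD_BUILD, NEW_BUILD, collapse=True))
```

Pointing `build_manifest` at mounted images of two real builds yields the kind of totals quoted above; the folded view then shows how much of the churn is WinSxS relocation versus genuinely new binaries.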
In a nutshell: Threshold 2 essentially delivers a completely new OS, and the amazing thing is that you’ll probably not notice the changes, other than the new features. Of course this is a massive update in terms of download size, but no enterprises have rolled out Windows 10 yet so the impact will hit consumers more. Of course there might be a downside for ISVs that rely on areas of the registry that were modified, or assumed that the Windows folder was intended for anything other than Windows, but ultimately ISVs need to adjust their world-view too: Gone are the days when you can dig deep inside the OS and hope that nothing will change.
Another positive: With an upgrade this big, just about everything is being changed. The OS is more secure, and any vulnerabilities that bad guys had thought about exploiting may well have been addressed or substantially changed – setting the attackers back substantially.
(Sleuthing by Adrian Taylor & Tim Howes of @Bromium)
“Cyber insurance premiums rocket after high-profile attacks” reports Reuters, as the increasing frequency and magnitude of cyber attacks has caused cyber insurance providers to reevaluate cyber security risk. According to Reuters, the rate hikes have also been accompanied by increased deductibles and caps on coverage at $100 million – a far cry from the cost of high-profile breaches, which can cost more than $200 million.
Organizations that were planning to mitigate cyber security risk with cyber security insurance are in a perilous position. According to some estimates, a company may need as much as $1 billion in cyber insurance to protect its assets, but the maximum coverage available today is $500 million, and most companies will be unable to secure more than $300 million.
According to Stephen Catlin, the head of the largest Lloyd’s of London insurer, cyber attacks are “the biggest, most systemic risk…our balance sheets are not large enough to pay for that.” Catlin has argued that cyber insurance should become a responsibility of the government.
In fact, the government has taken cyber insurance into consideration. The Department of Homeland Security has recommended that “a robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”
However, not every organization has implemented these recommendations and may find they are not eligible for coverage. According to Reuters:
AIG offers cyber policies that cover up to $75 million for a cyber attack, but only for companies like top global banks that are the most adept at securing networks and mitigating cyber risk.
“We have turned clients away,” said Tracie Grella, the global head of professional liability at insurance giant American International Group Inc (AIG.N).
Where does this leave organizations that want to decrease cyber security risk?
The DHS has identified four pillars of effective cyber risk culture:
- Engaged executive leadership
- Targeted cyber risk education and awareness
- Cost-effective technology investments
- Relevant information sharing
The bottom line is that the rising price of cyber insurance will force organizations to adopt stronger security practices, both to reduce the cost of insurance premiums and to further mitigate risk.
I always look forward to attending security conferences, and DerbyCon is no exception. It’s a quality conference, with great presentations, training, and camaraderie.
This year’s conference was rife with new tools, new exploits, and even a primer on how to make better BBQ (always a worthwhile hacker skill). But the one piece of information that really sent me reeling was one that I gleaned from Chris Hadnagy of Social-Engineer.org. It was simply this – that only 7% of organizations ever phish their own employees.
This statistic is appalling. Not because phishing is one of the top attack vectors today. Not because the issue has been around since the mid-nineties, giving us over two decades to work on the problem. Not because of the ease with which companies can run a self-assessment campaign today. No, it’s appalling because of the amount of money most organizations dump into their security stack, and yet those same organizations never run even the simplest of phishing assessments to test whether their multi-million dollar security stack can be bypassed via what is arguably one of the weakest links in any organization.
The cost of running an internal phishing campaign is a fraction of what a professional penetration test might cost. Yet most organizations I encounter have never tried to test what many pen-testers are likely to target early in an engagement – if they’re allowed to do so as part of the test’s scope. Often the fear of the likely results of an internal phishing campaign prevents organizations from allowing pen-testers to phish as part of their scope, even though this has been the attack vector of choice for some of the highest profile breaches of the last few years.
As security professionals, we need to get past whatever fears we have about phishing our own organizations. A key approach to dispelling those fears is creating an internal phishing campaign that is centered on learning, growth, and improvement of the organization’s security posture, rather than embarrassment. So, where does one start?
- Get permission. In writing.
At this point this should be standard operating procedure for any Infosec professional, but I have to state it, just in case. I’ve seen too many presentations about people that got fired for assessing their own company without permission.
- Don’t reinvent the wheel.
There’s a lot of good primers out there to help you, from Brian Kreb’s article “Phishing Your Employees 101”, to Infosystir’s blog post “The Path to Fixing Security Awareness Training”, which lays out great pointers on getting started. A wealth of other articles can readily be found to assist you.
Ready for more advanced strategies? Check out Hadnagy’s book “Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails”.
- Start small – but get started!
There’s a wealth of free tools available for download, and I highly suggest you start with a free tool first. Large organizations will most likely need to move to a commercial tool or service eventually. But one of the best ways to understand what you’ll need from a commercial resource is to run a small assessment using free or cheap tools that give you a feel for what you’ll need as you grow. Every time you say “If it only did this”, write that feature down in your notes, and find a vendor that can provide it.
Those just getting started will want to take a look at tools like:
- The Simple Phishing Toolkit – One of the original open source tools, and a new group has picked up the reins to continue the project.
- The Social-Engineer Toolkit – More open source goodness. This one comes to us from David Kennedy and TrustedSec.
- Phishing Frenzy – This open source tool puts a strong focus on campaign management and ease of use.
- King Phisher – Another campaign focused tool with a good feature set.
- Phish.io – This web-based tool lets anyone try to run a quick phishing simulation. No technical skills required; even a non-technical manager or executive can phish their staff, their board, their business unit, and demonstrate how easy it is for anyone to fall for a well-crafted phishing message. But please, get permission first. In writing!
So, what can organizations hope to gain by running their own phishing campaigns? It is one of the most effective ways to handle an issue that no technology can truly prevent – phishing for credentials. Hadnagy also claims that companies who stuck with it saw an 85% reduction in malware. That’s a huge payoff, and it’s this type of security awareness training that truly gets results – not the relatively ineffective Computer Based Trainings (CBT) through which so many of us have slept. Additionally, the time recuperated from those issues can be put toward shoring up the remaining 15% of an organization’s malware exposure, focusing on a deeper, more effective defense in depth program.
Last week, Brian Krebs reported that a Russian security vendor was attacked by Molotov cocktails after it published its analysis of an ATM skimmer. When cyber attacks become physical, it is an interesting trend to observe. Unfortunately, it seems the trend has been increasing during the past few years, with reports of physical attacks, “swatting” and even kidnapping, which can all be tied back to cyber security.
Most cyber attacks have real-world consequences, most frequently these consequences are economic; however, some cyber attacks have physical ramifications. For example, Stuxnet attacked Iranian SCADA systems that were being used to enrich uranium gas. The result was the physical failure of centrifuges.
The hacktivist group, Anonymous, also straddles this cyber-physical line. Early Anonymous operations include Project Chanology, which combined distributed denial-of-service (DDoS) attacks with real-world protests. Later Anonymous operations, such as Operation Payback, were conducted almost entirely online through DDoS attacks. More recently, Anonymous has participated in real-world protests, such as the Occupy Movement, donning its eponymous Guy Fawkes masks and taking to the street to demonstrate solidarity.
Another practice that crosses the cyber-physical line is doxing, the tactic of researching personally identifying documents (hence: doxing) about a target for the purpose of further harassment. A more recent trend related to doxing is swatting, which spoofs phone calls to 911 in an effort to dispatch emergency services – primarily police and SWAT teams – to respond to the false report of an emergency situation.
In 2013, Brian Krebs found himself the target of a swatting attack (at the same time his Web site was under a DDoS attack) after reporting about a black market identity theft Web site. Krebs later learned that the young hacker responsible for the attack “got pissed that you released the site he uses.”
Krebs, in turn, was able to deduce the identity of one hacker and provided it to the police, which resulted in his eventual arrest. However, Krebs believes this arrest may have been a diversion from his true attacker.
It is worth noting that the swatting attack against Krebs was motivated by his publication and analysis of identity theft attacks. Similarly, the Molotov cocktail attacks against Dr. Web were motivated by its analysis of an ATM skimmer attack.
The “International Carders Syndicate” attacked Dr. Web after warning it to remove all references to ATM malware from its site. Dr. Web CEO Boris Sharov believes the Molotov attack was ordered over the Internet, “through a black market where you can order almost any crime…all the attacks had been ordered by the Internet. And since they never succeeded against our office, it showed us that not much money was paid for these attacks.”
Here we get to the most likely modus operandi for many of these cyber attacks that become physical: money. Brian Krebs was swatted because he threatened the economics of an identity thief. Dr. Web was firebombed because it threatened the economics of ATM skimmers. Eugene Kaspersky, son of Kaspersky CEO Yevgeny Kaspersky, was kidnapped for a ransom. Silk Road mastermind Ross Ulbricht hired multiple hitmen through his black market forum, in an effort to track and kill those that sought to expose him.
Unfortunately, it seems that lines between the digital realm and the real world are increasingly blurring. It is unlikely that these cyber-motivated physical attacks will be the last. The only good news for information security practitioners is that it remains highly unlikely that any of these physical attacks would ever target their enterprises. These physical attacks have been motivated by money (or desperation) when the anonymity of the Internet has been threatened.
One final parting thought is that if cyber attacks are becoming physical, why can’t cyber security become physical as well? In fact, it can. Bromium vSentry utilizes hardware-isolated micro-virtualization, which creates a secure environment where user tasks are isolated from each other, the protected system and the network. If you’re interested in learning more about how physical security can be applied to information security, please visit: http://www.bromium.com/products/our-technology.html