This week at the RSA Conference, I had the opportunity to talk with dozens upon dozens (more than 100) of information security professionals for Bromium’s “State of Security Report Card,” a survey of opinions about popular security solutions. It may seem obvious (especially if you read the headlines), but the survey revealed that firewalls and antivirus are failing to prevent attacks.
The results of this survey serve as yet another proof point in a long line of data about the shortcomings of legacy security solutions. Even if you cling to the belief that AV is not dead, RSA Conference attendees seem to be aware that these solutions are failing.
Specific findings from the “State of Security Report Card” include:
- Organizations have room for improvement in prioritizing security – Bromium asked RSA Conference attendees to grade their organization on its ability to prioritize security by allocating the resources it requires, but only 8 percent of respondents gave their organization an A. Forty-two percent of respondents gave their organization a B, 32 percent a C and 18 percent a D. Interestingly, no respondents were willing to give their organization a failing grade.
- Firewalls and anti-virus are failing to prevent attacks – Bromium asked RSA Conference attendees to grade a variety of security solutions on their ability to prevent attacks and address the priorities set by their CISO, but only firewalls and anti-virus received any failing grades. Twenty percent of respondents gave firewalls a failing grade and 25 percent gave anti-virus a failing grade. Among the most popular responses, 42 percent of respondents gave firewalls a B and 36 percent gave anti-virus a C.
- Next-generation solutions are performing above average – Next-generation firewalls, network sandboxes, endpoint isolation, host monitoring and threat intelligence solutions all performed well. None of these solutions was given a failing grade by any respondent. Among the most popular responses, 58 percent gave next-generation firewalls a B (17 percent gave them an A), 54 percent gave advanced threat protection/network sandboxes a B (20 percent gave them an A), 64 percent gave endpoint isolation/sandboxing/host monitoring a B (17 percent gave it an A) and 44 percent gave threat intelligence a B (17 percent gave it an A).
- Information sharing initiatives show promise but face hurdles – Bromium asked RSA Conference attendees both whether their organization would benefit from information sharing initiatives, such as those outlined in President Obama’s Executive Order, and whether their organization would participate. The overwhelming majority (78 percent) said they would benefit from information sharing initiatives, but less than half (48 percent) said they would participate. There is clearly a disconnect in these results, which suggests that information security professionals are concerned about how information sharing initiatives will aggregate and anonymize their organization’s data.
It’s that time of the year again! No, not Tax Day: the release of the Verizon Data Breach Incident Report, which provides analysis of more than 79,000 security incidents and 21,000 breaches. The report itself is 70 pages long; you can review it for yourself here.
Here are some high-level statistics that you may find interesting:
- On average, across all organizations, five malware events occur every second. Of course, this may occur in spikes and some organizations will experience a much lower volume while others experience a much higher volume.
- 70-90 percent of malware samples are unique to the organization they attack, rendering signature-based detection irrelevant.
- 75 percent of attacks spread from victim zero to victim one in less than 24 hours, again rendering signature-based detection irrelevant. In fact, the vast majority of attacks only exist for 24 hours, hardly enough time for malware researchers to create and disseminate the signatures to prevent them.
To quote the report:
“Criminals haven’t been blind to the signature and hash matching techniques used by anti-virus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior.”
One common theme throughout the report is that five sectors are being attacked more than any other. Government agencies reported 303 instances of data loss and an astronomical 50,000 security incidents. Financial services reported 277 instances of data loss and 642 security incidents. Technology companies reported 95 instances of data loss and 1,496 security incidents. Manufacturing reported 235 instances of data loss and 525 security incidents. Retail reported 164 instances of data loss and 523 security incidents.
Logically, these sectors are being attacked more than others because they hold the most valuable information. Financial services and retail maintain bank accounts and credit card numbers. Manufacturing and technology hold intellectual property. Government agencies retain state secrets. Clearly, cyber criminals follow the money, which is why it is so important to change the economics of cyber security.
In the same way that each of these sectors is attacked for the unique information it holds, there are three demographics of actors in cyber-attacks, each of which prefers a distinct attack vector. Activists (or hacktivists) attack Web applications 61 percent of the time. Organized crime uses malware (or crimeware) in 73 percent of its attacks. State-sponsored actors default to cyber-espionage in 97 percent of attacks.
It is interesting to note that as the sophistication of the actor increases from activist to criminal to state-sponsored agent, the sophistication of the attack increases too, from Web application disruption to malware to advanced persistent threats.
Many organizations may be inclined to dismiss concerns about cyber-espionage, but ultimately cyber-attacks have more in common than not. The Verizon report mentions that historically 71 percent of known vulnerabilities had a patch available for more than a year before a breach.
This demonstrates the challenge of patching vulnerable machines (something I have written about before). Security teams and operations teams often find themselves at odds. A poorly implemented patch can cause more harm than good, yet waiting to implement a patch leaves an organization vulnerable to attack.
The Verizon report underscores this dilemma, since just 10 CVEs accounted for 97 percent of exploits. Clearly, information security teams should prioritize implementing critical patches to make these attacks more difficult for attackers. And yet, some of the CVEs stretch back more than a decade, to 1999. There is no silver bullet when it comes to patching (unless you consider an isolation-based solution like Bromium that proactively protects vulnerable machines).
One last trend that I would like to highlight in the Verizon report is phishing. Verizon found that two-thirds of cyber-espionage attacks during the past two years have utilized phishing. Additionally, Verizon found that 23 percent of end users will open phishing emails. Finally, a phishing campaign of just 10 emails has a 90 percent chance of compromise.
This resonates very closely with recent research conducted by Bromium, which determined that 23 percent of information security professionals believe that end user behavior with email introduces the most risk.
The Verizon report highlights the problem with end users:
“It may not be obvious at first glance, but the common denominator across the top four patterns accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns.”
Ultimately, end users remain the weakest link in the information security chain, which is why Bromium is committed to restoring trust in end user computing.
It’s been a depressing start to the year as far as breaches and malware go, and I’ve seen a worrisome trend toward “cyber-despondency” in the sentiment of many CISOs. When orgs with huge security budgets are still easily rolled and we see warnings of a “Cyber Armageddon”, what can we do?
After all, who are you to contradict Keith Alexander when he says “There are only two kinds of companies – those that have been hacked, and those that will be”? He really ought to know. Even if you detected Equation malware you’d have to destroy your PCs to get rid of it. BYOD is a joke if every call can be intercepted or if malware was installed by the device OEM.
CSO magazine says we’ve passed the cyber-tipping point. And worse still, a leading CISO, Alex Stamos of Yahoo recently declared the security market to be broken – bemoaning the point-solution nature of the vendor landscape and pointing out the failure of vendors to solve the problems they claim to.
So what are you going to do? Now is not a time for inaction or blame. On the contrary, it is time for security pros with courage to demand change – starting with your own infrastructure and IT management organization. It’s time for courage in the face of cyber-nihilism. Here’s the full piece.
News this week: the Retail Cyber Intelligence Sharing Center (R-CISC) is collaborating with the Financial Services ISAC (FS-ISAC) on its new threat intelligence portal. The two centers will share threat information in an attempt to improve security within their industries. The portals will remain independent, yet integrated.
According to a Dark Reading interview with Brian Engle, executive director of the R-CISC:
“[The R-CISC] evaluated a number of different platforms to help enable information-sharing for retailers…and given the stage of [R-CISC’s] maturity, and the amount of interaction with the financial services industry, we selected FS-ISAC’s portal and technology platform. Our portal rides on the same technology as the FS-ISAC’s, but there’s a separate instantiation for retail.”
The R-CISC was created in 2014 after a rash of high-profile retail breaches, including Target and Home Depot. The threat intelligence portal represents a significant upgrade for the retail industry, which had previously been sharing threat intelligence, such as indicators of compromise, through email distribution lists.
The push for threat intelligence sharing is a great initiative for the retail industry. The STIX format developed at MITRE has become a de facto standard for threat sharing among major financial services firms during the past year. It allows an organization to share key threat data, including the addresses of remote servers used in an attack and the malware fingerprint, among other attributes, in a suitably anonymized form, without breaching confidentiality. STIX and other open threat indicator formats are of great importance because they allow sharing of information between different vendor tool-sets. Contrast this with the proprietary formats of traditional signature feeds from major anti-virus vendors, and you should realize this is a major advance for the industry.
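To make the sharing point concrete, here is an added example (not code from Bromium, the R-CISC or FS-ISAC) that builds a STIX indicator carrying exactly the two attributes mentioned above, a remote server address and a malware hash, without any field identifying the contributing organization, and then shows the consumer side pulling those observables back out for its own tooling. It uses the STIX 2.1 JSON form of the format rather than the XML of the period; the IP and hash are constructed placeholders.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample values for this example, not real indicators.
SAMPLE_C2_IP = "203.0.113.45"   # TEST-NET-3 address reserved for documentation
SAMPLE_SHA256 = "a" * 64        # placeholder hash

def stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_indicator(c2_ip, sha256, name):
    """Producer side: a STIX 2.1 Indicator tying a C2 address to a dropper hash.
    No identity object or created_by_ref is attached, so consumers learn the
    observables but not which member contributed them."""
    ts = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": (f"[ipv4-addr:value = '{c2_ip}'] AND "
                    f"[file:hashes.'SHA-256' = '{sha256}']"),
        "pattern_type": "stix",
        "valid_from": ts,
    }

def make_bundle(objects):
    """A Bundle is the unit actually exchanged between sharing portals."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def leaks_identity(bundle):
    """Pre-share check: refuse bundles that carry attribution to the source org."""
    return any(o.get("type") == "identity" or "created_by_ref" in o
               for o in bundle["objects"])

# One STIX comparison expression: <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

def extract_observables(bundle):
    """Consumer side: pull the atomic observables out of each indicator pattern
    so they can feed a firewall blocklist or hash watchlist in any vendor's tool."""
    found = {}
    for o in bundle["objects"]:
        if o.get("type") == "indicator" and o.get("pattern_type") == "stix":
            for path, value in _COMPARISON.findall(o["pattern"]):
                found.setdefault(path, []).append(value)
    return found
```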
Kudos to the retail industry for its effort in implementing this threat intelligence initiative. Of course, the more cynical among us may believe that these threat intelligence initiatives are putting the cart ahead of the horse. Case in point, this week, MWR Infosecurity published its report, “Threat Intelligence: Collecting, Analyzing, Evaluating,” which contends:
Threat intelligence is at high risk of becoming a buzzword. With so many disparate offerings and so much pressure to be ‘doing’ threat intelligence, organisations risk investing large amounts of time and money with little positive effect on security.
However, the report does take a pragmatic approach:
However, by taking threat intelligence back to its intelligence roots and applying the same strict principles, a far more effective strategy can be devised. As is the case with traditional intelligence, tackling cyber threats demands rigorous planning, execution and evaluation. Only then can an organisation hope to target its defences effectively, increase its awareness of threats, and improve its response to potential attacks.
This is good advice. At the end of the day, the value of threat intelligence is only worth what you can do with it.
News this week of the Dridex malware campaign (the newest member of the GameOver Zeus Trojan family) should serve as a reminder that you can’t stop what you can’t see. According to the research, the attack vectors remain the same as they ever were: in this instance the malware is executed through phishing emails and Microsoft Office exploits. Additionally, the attack leverages social engineering that convinces its targets to enable the macros required to deliver the malicious payload.
Most interestingly, the attack would not execute until the document was closed, using an auto-execute macro named AutoClose to evade detection.
According to the research, this technique is effective against sandbox detection capabilities. The research notes:
“As sandboxes have adjusted to also ‘wait,’ the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether. No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.”
Does it seem like we’re stuck on a hamster wheel? Sandbox detection has become a popular security technology in the past five years, in part because the vendors of these solutions convinced their buyers that existing solutions created a security gap. However, as sandbox detection has become widely deployed, attackers have turned their attention to defeating them. We’ve seen malware that monitors mouse clicks to evade detection, malware that sleeps or stalls execution to evade detection and even malware that determines the presence of detection engines and sandboxes to evade detection.
The only logical conclusion is that you can’t prevent what you can’t detect, so this iteration of the Dridex malware should serve as a reminder (or a wake-up call if you’re still snoozing) that attackers are becoming increasingly savvy at evading detection, even in the face of “advanced” detection solutions. Detection is not enough. It is time to take a proactive approach to security. Develop a posture based on isolation and prevention instead of reacting with detection and response.
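The close-time trigger described above is visible in static analysis before any sandbox is involved. As an added example (not code from the cited research or from Bromium), the triage below lists the auto-execute procedure names Office honours, flags which of them fire only at close, and derives the sandbox plan the quoted passage implies: a run must actually close the document, not just wait. The VBA sample is constructed for the example with the payload left out; the keyword list is a simplified heuristic, not a complete detection rule.

```python
import re

# VBA procedures Office runs automatically; "close" triggers fire only when the
# document is closed, which is what let the Dridex macro outlast a sandbox wait.
AUTO_EXEC = {
    "autoopen": "open", "auto_open": "open", "document_open": "open",
    "workbook_open": "open", "autoexec": "open",
    "autoclose": "close", "auto_close": "close", "document_close": "close",
    "workbook_beforeclose": "close", "autoexit": "close",
}
# Keywords that commonly appear when a macro reaches outside the document.
SUSPICIOUS = ("CreateObject", "WScript.Shell", "Shell", "URLDownloadToFile", "Environ")

_PROC = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                   re.IGNORECASE | re.MULTILINE)

def analyze_vba(source):
    """Static triage of VBA source: which auto-exec triggers are present, whether
    any of them is close-time, and which suspicious keywords appear."""
    triggers = {n: AUTO_EXEC[n.lower()] for n in _PROC.findall(source)
                if n.lower() in AUTO_EXEC}
    keywords = [k for k in SUSPICIOUS if k.lower() in source.lower()]
    close_triggered = "close" in triggers.values()
    verdict = ("suspicious" if triggers and keywords
               else "auto-exec, review" if triggers else "benign-looking")
    return {"triggers": triggers, "close_triggered": close_triggered,
            "keywords": keywords, "verdict": verdict}

def sandbox_plan(report):
    """A close-time trigger means the run must close the document before it ends."""
    steps = ["open document", "wait for delayed actions"]
    if report["close_triggered"]:
        steps.append("close document and keep monitoring")
    steps.append("end analysis")
    return steps

# Constructed sample (not the Dridex macro): an empty Open handler as decoy and
# the real work deferred to AutoClose, with the payload itself omitted.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' nothing here: a sandbox that only waits after opening sees no activity
End Sub
Sub AutoClose()
    Set sh = CreateObject("WScript.Shell")
End Sub
"""
```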
Not even an extra life can save gamers now. Bromium Labs has just published research that identifies a new strain of crypto-ransomware that locks many popular games, including Call of Duty, Minecraft and World of Warcraft.
Information security is hard. Data breaches on the scale of Target, Home Depot, Sony and Anthem serve as a constant reminder that it is impossible to detect a determined attacker until it is too late. Bromium research has consistently found that the overwhelming majority of information security professionals believe end users are their biggest security headache, but we have stumbled across one network security administrator that might be his own biggest security headache.
Last month on a security section of reddit.com, a user posted this screenshot, “Not pwnd yet but This is a public facebook post by our netsec guy.”
That’s right, this network security admin posted a list of vulnerable IP addresses on a public Facebook page. There was an optimistic belief on reddit that these were the IP addresses of honey pots, but most of the comments were much more critical.
The very next day, the same user posts a follow-up screenshot, “UPDATE: Not pwnd yet but This is a public facebook post by our netsec guy.”
It is starting to seem unlikely that these were honey pots. These vulnerable IP addresses are actually printers. Fortunately, this network security admin notes that the vulnerability does not affect printers. Unfortunately, it seems these printers are accessible via the public IP addresses he posted. This is quite bad, since the worst case scenario for a compromised network printer is “fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration.”
Finally, a few weeks later, the original user posted another update, “UPDATE #3 : Our brilliant netsec guy is at it again. Publicly announces vulnerable IPs, specifies their vulnerability and threatens to ban them. That’s not even the best part…”
I’m practically at a loss for words. In what world does a network security admin think that it is a good idea to publicly post the IP addresses vulnerable to a specific exploit? It turns out that these are network devices that are his responsibility, so perhaps everything will click into place for him after he blocks Internet access to them.
Or perhaps this really is all just an elaborate ploy to send traffic to a honey pot, in which case, be sure to share this blog with all of your colleagues.