An insider threat can feel a bit like the plot twist in a spy thriller. You know, the moment when the protagonist realises the enemy is not just at the gates but has been inside the house the whole time. Suddenly, all those polite conversations by the water cooler take on a sinister meaning. So, what do you do when your very own corporate narrative takes a turn for the dramatic?

Identifying the Mole

Recognising that you have an insider threat is akin to Bruce Willis discovering the baddies in Nakatomi Plaza. It starts with anomalies – those little blips on the radar that don’t quite fit. Perhaps it’s unusual after-hours access, or data transmissions that scream “I’m up to no good!” It’s all about the IoCs (Indicators of Compromise) and your ability to pick up on them quicker than Sherlock Holmes on a good day.

Many times, though, it isn’t a flashing red icon on the screen that lets you know someone’s intentions may not be completely pure – the warning comes from colleagues. While technology is great, nothing picks out an insider faster than a vigilant co-worker. Red flags noticed by co-workers can include, but are not limited to, people working odd hours, substance abuse or gambling addictions, invasive questions about data that doesn’t concern them, or frequent contradictions about their personal lives and backgrounds.

While none of these things in isolation necessarily mean your co-worker is an aspiring Dr Evil, small things can add up.

Containment: The First Line of Defence

Once you’ve identified your very own Benedict Arnold, the next course of action is containment. Think Elliot Ness in “The Untouchables” – quick, decisive, and utterly cool under pressure. You’ll want to limit their access faster than you can say, “Houston, we have a problem.” This includes revoking access rights, isolating machines from the network, and going through the logs to double and triple check what activities the insider has been up to. It’s not just about stopping the immediate threat; it’s about ensuring the security breach doesn’t spread like wildfire.

Eradicate the Threat

Eradication isn’t just about getting rid of the threat; it’s about doing it with the efficiency of John Wick at an assassin’s convention. Whether it involves disciplinary actions, legal steps, or simply escorting the individual out of the building with their belongings in a box, or maybe in handcuffs, it needs to be executed quickly and with precision.

Recovery and Reflection

After the storm has passed, it’s time to look into what went wrong, what went well, and where improvements could be made. A thorough audit is needed, and defences must be rebuilt to be stronger than before.

The Sequel No One Wants but Everyone Needs

Insider threats aren’t a one-off scenario, and they don’t just impact one organisation. By the looks of things, they don’t seem to be slowing down either. So prevention needs to be a priority. This involves training, vigilance, and creating a strong culture where security is taken seriously by everyone.

Awareness needs to be built, along with regular drills, to keep everyone up to date on the latest threats.

Finally, it’s important to not keep the event and learnings to yourself. Share the learnings with other organisations so that they too can better prepare themselves and hopefully not fall victim to a malicious insider.

The post INSIDER THREAT AWARENESS MONTH: Are you prepared? appeared first on IT Security Guru.

Insider threats are a growing concern for organizations of all sizes and industries. They can be both intentional and unintentional, and they can have significant consequences for the organization’s data, finances, and reputation. The threat comes from within the organization’s own ranks: a current or former employee, partner, contractor, or vendor can compromise sensitive data, whether intentionally or unintentionally, and may be working with others to achieve their goal.

What are Insider Threats?

Insider threats are attacks on an organization’s systems and data by individuals who have authorized access to the network. These threats can be categorized into three types: malicious insiders, who deliberately misuse their access rights; negligent insiders, who inadvertently cause security breaches through carelessness or lack of awareness; and adversaries with stolen credentials, who use credentials taken from legitimate users to access an organization’s systems.

Insider threats can take many forms, including malicious activities such as stealing sensitive data, sabotaging systems, or collaborating with external attackers. Negligent insiders may fail to secure sensitive data, fall for phishing, or fail to follow security policies. Adversaries with stolen credentials may use them to access systems, deploy malware, or steal data.

To detect insider threats, organizations must collect, consolidate, and analyze vast amounts of event data. User behavior analytics (UBA) can help establish baselines of normal user behavior and flag true threats.

The Modern Workplace and Insider Threats

The modern workplace has undergone a significant shift, with the majority of employees now working remotely or in a hybrid environment. As a result, securing company data and applications has become a top priority. Insider threats are particularly concerning, as they can be difficult to detect and resolve, with an average cost of $179,209 to contain the consequences of an insider threat. All organizations are vulnerable to insider threats, regardless of size or industry. Small and medium-sized businesses (SMBs) are particularly at risk due to their limited resources and expertise.

Types of Insider Threats

There are several types of insider threats that organizations must be aware of. These types include:

The disgruntled employee

The disgruntled employee wants to harm the organization by destroying data or disrupting business activity. These employees may be motivated by personal issues, a sense of injustice, or feeling left out of the organization’s decision-making process. They may use their access to sensitive information and systems to cause harm, making it essential for organizations to monitor and address employee dissatisfaction and potential issues.

The malicious insider

The malicious insider is an employee who steals data for personal gain. This can include intellectual property, financial information, or sensitive user data. Insiders may be motivated by financial gain, revenge, or a sense of power and control. It is crucial for organizations to implement robust security measures and monitor employee behavior to prevent or detect insider threats.

The feckless third party

The feckless third party is a business partner who compromises security through negligence, misuse, or malicious access. These partners may be unintentionally exposing their organization to security risks, such as poorly configured networks, inadequate access controls, or weak passwords. Organizations must ensure that their third-party partners are following best practices and adhering to security standards to minimize the risk of a security breach.   

Behavioral Indicators of Insider Threats

Unusual behavior is often a sign of an insider threat, which can manifest in various ways. Suspicious activity, such as account lockouts, multiple failed logon attempts, or attempts to transfer large volumes of data outside the network, can be a red flag. Additionally, behavior that is unusual for a particular individual or group, such as accessing sensitive data or resources outside of normal working hours or from unusual locations, can also indicate a potential insider threat. 

Below are 10 of the most common indicators of insider threats:

1. Financial distress: When employees are struggling financially, they may be more vulnerable to temptation and may compromise company systems for personal gain.

2. Workplace tensions: Conflicts with management or colleagues can lead to disgruntled employees seeking revenge by targeting the company’s systems or data.

3. Unusual access requests: Sudden and excessive requests for access to sensitive information or documents can be a sign of an insider threat.

4. Employment history: Employees who have a history of frequent job changes or significant gaps in their employment history may be more likely to engage in insider threats.

5. Suspicious data transfers: Unusual or excessive exporting of documents and files to personal devices can indicate a potential insider threat.

6. Insufficient device security: Using personal devices for work purposes without proper security measures in place can create a vulnerability to insider threats.

7. Unusual work hours: Suspicious activity outside of regular working hours can be a sign of an insider threat.

8. Isolated behavior: Employees who behave unusually when alone in the workplace, or who otherwise depart from the norm, can be showing signs of an insider threat.

9. Anomalous network activity: Unusual network traffic or searches can be a red flag for potential insider threats.

10. Excessive file viewing: Frequent and unusual viewing of sensitive files and documents can be a sign of an insider threat.
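How the UBA baselining described earlier and the indicators listed above translate into detection logic, as an added example that is not code from the original post: a per-user baseline of active hours, source countries and daily egress volume is built from a quiet period, and recent events are then checked for after-hours access, new locations, failed-logon bursts and egress spikes. The log format, thresholds and sample lines are constructed for the illustration and are not any product’s real schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed line format for this example (not any product's real log schema):
#   <ISO-8601 timestamp> user=<id> event=<login_ok|login_fail|file_read|egress> [bytes=<n>] [src=<country>]
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
                     r"(?: bytes=(?P<bytes>\d+))?(?: src=(?P<src>\S+))?$")
FAIL_WINDOW = timedelta(minutes=10)  # sliding window for the failed-logon check
FAIL_THRESHOLD = 3                   # failures inside the window that make a burst

# Constructed baseline: normal daytime activity for two accounts from one country.
BASELINE_LOG = """\
2024-03-04T09:05:00 user=alice event=login_ok src=GB
2024-03-04T10:30:00 user=alice event=egress bytes=40000 src=GB
2024-03-05T09:10:00 user=alice event=login_ok src=GB
2024-03-05T14:00:00 user=alice event=egress bytes=60000 src=GB
2024-03-06T11:20:00 user=alice event=egress bytes=50000 src=GB
2024-03-04T08:30:00 user=bob event=login_ok src=GB
"""
# Constructed recent activity: late-night access from a new country followed by a
# large transfer, a failed-logon burst, and an account that has no baseline at all.
RECENT_LOG = """\
2024-03-11T09:02:00 user=alice event=login_ok src=GB
2024-03-11T23:15:00 user=alice event=login_ok src=RO
2024-03-11T23:20:00 user=alice event=egress bytes=70000 src=RO
2024-03-11T23:25:00 user=alice event=egress bytes=70000 src=RO
2024-03-12T08:40:00 user=bob event=login_fail src=GB
2024-03-12T08:41:00 user=bob event=login_fail src=GB
2024-03-12T08:42:00 user=bob event=login_fail src=GB
2024-03-12T09:00:00 user=carol event=file_read src=GB
"""


def parse_log(text):
    """Parse the constructed log format into event dicts; a malformed line raises."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "user": d["user"],
                       "event": d["event"], "bytes": int(d["bytes"] or 0), "src": d["src"]})
    return events


def build_baseline(events):
    """Per-user baseline: hours seen active, countries seen, and a daily egress limit."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set(), "daily": defaultdict(int)})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        if e["src"]:
            b["srcs"].add(e["src"])
        if e["event"] == "egress":
            b["daily"][e["ts"].date()] += e["bytes"]
    for b in base.values():
        vols = list(b["daily"].values()) or [0]
        mu, sigma = mean(vols), pstdev(vols)
        # Anomalous above mean + 3 sigma, but never below double the mean, so a very
        # steady history does not turn every small fluctuation into an alert.
        b["egress_limit"] = max(mu + 3 * sigma, 2 * mu)
    return dict(base)


def detect(baseline, events):
    """Return (user, indicator, detail) tuples, each indicator reported once per user/day."""
    findings, seen = [], set()
    egress = defaultdict(int)   # (user, date) -> bytes sent so far that day
    fails = defaultdict(list)   # user -> failed-logon timestamps inside FAIL_WINDOW

    def report(key, detail):
        if key not in seen:     # suppress repeats of the same indicator
            seen.add(key)
            findings.append((key[0], key[1], detail))

    for e in sorted(events, key=lambda x: x["ts"]):
        u, day, b = e["user"], e["ts"].date(), baseline.get(e["user"])
        if b is None:
            report((u, "unknown_user"), "account has no behavioural baseline")
            continue
        if e["ts"].hour not in b["hours"]:
            report((u, "after_hours", day), e["ts"].isoformat())
        if e["src"] and e["src"] not in b["srcs"]:
            report((u, "new_location", e["src"]), e["src"])
        if e["event"] == "login_fail":
            fails[u] = [t for t in fails[u] if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
            if len(fails[u]) >= FAIL_THRESHOLD:
                report((u, "failed_logon_burst", day), f"{len(fails[u])} failures within {FAIL_WINDOW}")
        if e["event"] == "egress":
            egress[(u, day)] += e["bytes"]
            if egress[(u, day)] > b["egress_limit"]:
                report((u, "egress_spike", day), f"{egress[(u, day)]} bytes > {b['egress_limit']:.0f}")
    return findings
```

On the constructed input, `detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(RECENT_LOG))` yields five findings: alice’s after-hours access and new location, her egress spike once the day’s total passes the limit, bob’s failed-logon burst, and carol as an account with no baseline.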

Mitigating the Risks of Insider Threats

To mitigate the risks of insider threats, organizations must implement several measures. One is to use a User Behavior Analytics (UBA) solution to help manage and secure access to sensitive data, systems, and accounts. Additionally, implementing the Principle of Least Privilege (PoLP) can help prevent insiders from accessing sensitive information they don’t need. It is also essential to manage and secure privileged credentials, monitor and audit privileged access, and educate employees on cybersecurity best practices. Having tools in place to help investigate and recover from insider threats is crucial. Additionally, providing regular cybersecurity training to employees and promoting a culture of cybersecurity awareness can help prevent insider threats from occurring.

NOTE: Insider threat detection and prevention is not just the responsibility of IT cybersecurity teams. Everyone in the organization, including business users, leadership teams, and IT teams, must work together to reduce the risk of insider threats.

Insider threats remain a significant concern for many organizations, as they can be challenging to identify and address without the necessary tools and expertise. It is crucial that companies prioritize securing their most valuable assets, including privileged accounts, systems, and data.

The post Insider Threat Detection: What You Need to Know appeared first on Cybersecurity Insiders.

A recent study conducted by Radiant Security reveals significant dissatisfaction among IT security professionals with their current managed detection and response (MDR) tools. Radiant polled 300 IT security experts in the US, revealing that 60% of the respondents are considering AI-based solutions to replace their current MDR solutions.

With nearly one-third of organizations suffering breaches within the last year, security professionals have begun a critical examination of MDR effectiveness, especially as cyberthreats grow more complex.

Inadequate MDR Systems Encourage a Shift Towards AI 

The study indicates that traditional MDR services are failing to keep pace with advanced threats such as AI-driven phishing and malware attacks. A notable 44% of respondents reported taking over a month to address a single cybersecurity incident, a delay that can have severe repercussions for reputation, finances, and operations.

Following a breach, a key worry for organizations is the swift detection and remediation of the issues that led to the incident. Deployment times are also a concern, with half of the participants stating a four- to six-month timeline, and another 44% needing up to a year for full deployment. Research also unveiled that discontent with MDR solutions typically arose within the first nine months of usage.

The Potential of AI in Security Operations 

The survey suggests that AI could address many of the deficiencies of MDR systems. For instance, 34% of respondents felt their MDR tools lacked adequate understanding of their specific environments—a gap that AI, with its learning capabilities, could fill.

Moreover, AI has the capability to provide much-needed support to understaffed security teams, which was a problem for 57% of the surveyed professionals. By reducing the number of escalated issues, AI can ease the burden on security analysts.

Lastly, most respondents did not report time savings with their current MDR tools, contrary to expectations. AI, however, has the potential to automate and streamline up to 90% of routine Level 1 and Level 2 tasks, offering a more efficient solution for security operations centers (SOCs).

In conclusion, the shift towards AI-enhanced security operations has the potential to be a game-changer for organizations looking to bolster their cybersecurity defenses efficiently and effectively. 

Learn more about Radiant Security’s latest research

The post AI Could Transform Detection and Response as Legacy MDRs Lack appeared first on Cybersecurity Insiders.

[By James Allman-Talbot, Head of Incident Response and Threat Intelligence at Quorum Cyber]

According to IBM, the global average cost of a data breach in 2023 was 4.45 million, a 15% increase over three years. Microsoft notes that “the U.S. was the target of 46 percent of cyberattacks in 2020, more than double any other country.” Cyberattacks present an additional challenge for IT departments; they must translate cyber risks into operational and business risks so that there is an understanding at the board level. Those who understand “1s & 0s” need to explain to those who work in “dollars & cents” that the cyber-criminal world is evolving into a multi-tiered business structure that rivals their corporate structures, with a sophisticated org-chart consisting of:

  1. Access Brokers focused on finding organizations with vulnerabilities, compromising networks, and probing for the easiest way into them. Once identified, they sell these prospects as a package to cybercriminal groups.

  2. Developers that build Ransomware-as-a-Service (RaaS) tools to hire out to other bad actors.

  3. Front Men, a third group, who purchase the access information and acquire RaaS tools, then move into the network, steal or encrypt data, execute the ransomware payload, and demand the ransom.

In a recent survey by CyberEdge Group, 78% of ransomware victims reported having experienced multiple vectors of extortion. These well-structured cyber-criminal organizations can launch ransomware extortion in four typical stages:

Stage 1: The ransomware attackers commonly gain access through phishing emails, software vulnerabilities, or compromised credentials. Once inside, they enumerate the compromised system. Lateral movement to other devices continues until as many devices as possible have been infected. At this point, the ransomware is deployed, encrypting data or blocking access to files. A ransom demand is then placed on the organization in exchange for a decryption key.

Stage 2: Before a demand for payment can be made, a copy of the victimized organization’s data is transported to the attacker’s servers. A threat is then leveled. Ransom must be paid, or the hostage company’s data will be released to the public. If release happens, fines could be levied by regulatory agencies.

Stages 3 & 4: The threat actor often bullies the victimized organization by threatening to release third-party data or to launch a distributed denial-of-service (DDoS) attack, which is designed to disrupt the server by overwhelming it or its surrounding infrastructure with a torrent of internet traffic.

However, a fifth extortion element is now added—the social media attack.

Social Media: Many, if not all, organizations have a social media component. Attackers now request ransoms that include payments to avoid posting damaging content on social media and ransoms to have access to your accounts returned. Damages via social media can be significant. Your brand reputation could take a hit due to posting false or offensive content. You risk legal ramifications if information such as customer data is released. Platform administrators could suspend or remove your accounts. Social media attacks could also launch further malware or phishing attempts, infecting your organization’s followers and customers. All of this potential damage necessitates a rebuilding of trust and recovery costs.

Practical Steps To Recover From A Ransomware Hit

Extortion efforts from bad actors will become more aggressive in response to the announcement from the International Counter Ransomware Initiative. However, all is not doom and gloom; there are practical steps to mitigate risks and recover faster. These steps entail the implementation of:

1. A Robust Cyber Security Framework

  • Maintain all vendor security patches for all appliances, applications, network devices, and operating systems.

  • Implement network segmentation to reduce the number of available lateral movement paths.

  • Implement and maintain strong access controls, adhering to the principle of least privilege; this will reduce the available data for threat actors to steal.

  • Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic and block malicious traffic.

2. Backup and Disaster Recovery

  • Perform regular backups.

  • Perform regular restoration tests of all backups taken to ensure their validity.

3. Threat Detection

  • Implement security information and event management (SIEM) to report suspicious activity.

  • Monitor endpoint devices for suspicious or malicious behaviors using an endpoint detection and response (EDR) system, such as Microsoft Defender.

4. Incident Response Planning

  • Develop an incident response plan and supplementary playbooks that detail an organization’s actions in the event of a cyber incident.

  • Clearly define the roles and responsibilities of the cyber incident response teams (CIRT).

  • To ensure the incident response plan is fit for its purpose, it should be regularly tested, and lessons learned should be implemented.

5. Security Audits and Assessments

  • Conduct regular validation scanning to ensure configuration baselines and security patches are being applied appropriately.

  • Engage with independent third parties to perform periodic vulnerability assessment and penetration testing exercises to identify security flaws.

6. User Awareness and Training

  • Educate users on the risks of phishing emails, social engineering, and suspicious attachments or links.

  • Promote the use of multi-factor authentication throughout the organization.

Effective Methods Of Senior-Level Communication

One of the most effective methods of knowledge transfer is to put senior-level managers through the experience of a simulated cyber incident to educate them on the corporate roles and responsibilities when an attack occurs. Tabletop Incident Response exercises are an excellent way to ensure that plans, playbooks, and teams are thoroughly tested. By working closely with senior-level management, IT can help the C-suite understand each exercise and better prepare them for the eventual hack. The IT to C-suite knowledge transfer includes input from legal, finance, and other departments and external domain experts to establish a no-blame recovery game plan. This knowledge transfer is essential because many C-suite individuals don’t realize the downstream impact of a cyber attack, such as:

  • Business disruption due to any IT systems being out of action.

  • Getting technology up and running again (which could take days or weeks).

  • Defending lawsuits from clients.

  • Loss of clients.

  • Financial penalties from industry regulators.

  • Recruiting new personnel in the event of lawyers or other employees leaving due to any or all of the above.

In addition, the cyber defense issue is not solely predicated on bad actors becoming more sophisticated in their business acumen; it also involves these criminals constantly changing their tactics, techniques, and attack procedures. 

Platform growth has aided cybercriminals by enabling them to leverage the skills and infrastructure of other bad actors to carry out compromise operations that they would ordinarily be unable to execute on their own.

Navigating the Future Landscape of Ransomware

Ransomware operators will likely apply triple and quadruple extortion strategies, enabling them to use more significant pressure against victims for payment, thereby improving their success rates. Extortion efforts will become more aggressive in the face of forty countries forming an alliance plan that involves signing a pledge not to pay ransoms to cybercriminals, aiming to eliminate their financial revenue stream.

Throughout 2024, ransomware operations will continue to expand in complexity as the technical capabilities of ransomware payloads continue to develop. This will allow threat actors to expand their attack surface and target additional operating system architectures, such as macOS and Linux.

While victims may be able to recover from the initial ransomware event, the additional layers of extortion are designed to exert maximum pressure to ensure that the ransom payment is ultimately paid. To mitigate the risk of ransomware, the best defense against bad actors remains vigilance, preparedness, and planning.

James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity, and has worked in various industries including aerospace and defense, law enforcement, and professional services. Over the years, he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations and has worked closely with board-level executives during incidents to advise on recovery and cyber risk management.

The post Cyber Attacks: The Need For an IT and Board-Level Understanding of the Risks appeared first on Cybersecurity Insiders.

New research by Outpost24 has revealed that malware developers are using sandbox evasion techniques to avoid exposing malicious behaviour inside a sandbox where malware is analysed by security researchers. Outpost24’s threat intelligence team, KrakenLabs, discovered that malware developers are using trigonometry to detect human behaviour based on cursor positions, so as to avoid automated security analysis.

The Malware-as-a-Service (MaaS) model poses a significant threat in the realm of cybersecurity. This model allows individuals or groups with limited technical expertise to access and deploy sophisticated malware tools and services, often developed by more skilled cybercriminals. The ease of access to such malicious tools has contributed to an increase in the number and complexity of cyberattacks.

Anti-analysis techniques have been the bane of many security analysts, as they have been included in malware practically since its inception. As the name implies, these techniques are designed to prevent the analysis and understanding of the software they are meant to protect, typically by making the “code” harder to understand or by preventing the execution of the malware in controlled environments. As in every other aspect of cybersecurity, malware developers have been playing a game of cat and mouse with security analysts, developing new techniques to detect these environments while security analysts work on techniques to disable or undo them.

Since December 2022, LummaC2, an information stealer written in C language, has been sold in underground forums. KrakenLabs previously published an in-depth analysis of the malware assessing LummaC2’s primary workflow, its different obfuscation techniques, and how to overcome them to effectively analyse the malware with ease. The malware has since gone through different updates and is currently on version 4.0. Among other updates, version 4.0 has included a new Anti-Sandbox technique to delay detonation of the sample until human mouse activity is detected.

In the blog post, published today, the KrakenLabs team deep-dives, with highly technical insight, into the Packer as well as the Control Flow Flattening technique. Control Flow Flattening is an obfuscation technique aimed at breaking the original flow of the program and complicating its analysis. Additionally, the malware makes use of opaque predicates and dead code to complicate analysis and make identification of relevant blocks more difficult.

LummaC2 v4.0 makes use of a novel anti-sandbox technique that forces the malware to wait until “human” behaviour is detected in the infected machine. This technique takes into consideration different positions of the cursor in a short interval to detect human activity, effectively preventing detonation in most analysis systems that do not emulate mouse movements realistically.

The threat researchers also found that advertisements in underground forums recommend protecting the malware with a crypter to avoid leaking it anywhere in its pure form. Newer versions of the malware added a feature to avoid leaking the unpacked samples.

To protect against threats similar to these, advanced threat detection, alongside user education and regular software updates, is key. Earlier this month, Outpost24 announced updates to their CORE platform, with complete visibility of technology assets and threat exposure.

The post LummaC2 Stealer’s New Anti-Sandbox Technique? Trigonometry first appeared on IT Security Guru.

Obrela Security Industries recently launched their H1 2022 Digital Universe Study, which provides detailed insight into this year’s security and threat landscape. The results provide a ‘funnel’ view of real-time visibility data, and allow organisations to gain a better understanding of how threats to security are developing and how they can better protect themselves.

To put together this report, Obrela collected and analysed 1 PB of logs as well as 100,000 devices. In this time, they detected 7,369 cyber incidents with an average response time of 7 seconds.

Using this, Obrela’s security team was able to find out what attack vectors were most prominent and what type of methods threat actors tended to execute when attempting to gain unauthorised access. Some of the more significant shifts within the threat landscape included: 

  • A 16% increase in data breaches, as well as attacks that targeted end users as opposed to corporations.  
  • A 6% upswing in zero-day attacks, particularly exploiting vulnerabilities.  
  • A 12% surge in attacks related to internal threats, such as policy violations, privileged user activity and inadvertent actions.

Looking at particular attack methods, Obrela found that those most utilised were typically malware infection, reconnaissance, data exfiltration and phishing attacks, along with the exploitation of malicious insiders.  

The study also looks into which sectors are most vulnerable to cyber criminals, with banking & financial services, and government/corporate being at the top of the list. This is mostly down to the monetary value that threat actors can extract from exploiting weaknesses in security, as well as the personal and confidential data they store on their servers. In addition, banking, finance, government and corporate sectors play an important role in global economic activity, making them an incredibly attractive target for a criminal looking to exfiltrate information and extort.   

What can companies do to protect themselves?  

To decrease risk and make sure their security posture is up to scratch, organisations must remember to do the ‘basics’. This means following best practices such as implementing security training, user authentication and access controls, and protecting their endpoints and brand. To boost security further, organisations should extend their best practices to also include network management, as well as network segmentation and Zero Trust. These should be deployed across the whole company and its network. Another option is for organisations to partner with an MSSP, who can monitor their IT and cloud infrastructure, removing the pressure from their own IT teams and allowing them to focus on internal issues and tasks; this could make the difference between a secure corporate posture and becoming another breach statistic.

Emerging use cases 

After analysing the data and devices, Obrela found new incident cases, including:  

Domain impersonation: this is often associated with phishing campaigns, where employees of an organisation or end-users are targeted by cyber criminals pretending to be from their bank. Victims are taken to an impersonation site, via a phishing link, which will prompt them to enter personal information, including bank details or passwords. By the time the victim notices it is often too late, and malicious actors will already have access to their accounts or network.  

Internal Directory Busting: This vector is similar to a brute force web attack, which targets public facing websites. In using this method, threat actors can then exfiltrate personal and confidential data to use for malicious purposes.  

Unfortunately, cyber criminals are becoming increasingly sophisticated and are adaptable to the evolving threat landscape. Organisations must ensure they have the basic cybersecurity infrastructure, but they should also implement an extra layer of protection around their end users and networks. A network or system breach can not only impair their business operation, but it can also significantly affect their reputation, damaging their brand image and often leading to loss of customer trust.  

In partnering with an MSSP who understands the fluid nature of the security market, organisations can better secure their environments and keep their employees and customers protected from numerous cyber threats.  

 The Digital Universe study can help organisations understand what these types of threats are and how to protect against them.

You can find the full report here: https://www.obrela.com/digital-universe-report-h1-2022/  

The post Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape appeared first on IT Security Guru.