Author: hello@alienvault.com

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In today’s digital world, it’s no surprise that cyberattacks are becoming more frequent and intense. Enterprises worldwide are trying to defend themselves against attacks such as ransomware, phishing, distributed denial of service and more.

In this challenging cybersecurity landscape, now is the time for companies to prioritize security audits. What are cybersecurity audits and how often should they be to remain safe in the threatening IT world?

Cybersecurity audits and their importance

A cybersecurity audit establishes a set of criteria organizations can use to check the preventive cybersecurity measures they have in place to ensure they’re defending themselves against ongoing threats.

Because cybersecurity risks and threats are growing more sophisticated and frequent in nature, organizations must plan and conduct cybersecurity audits regularly. In doing so, they will have continuous protection from external and internal threats.

How often companies should perform security audits

There’s no official schedule companies must follow for their cybersecurity audits, but in general, it’s recommended that they perform audits at least once a year. However, the IT landscape is changing so quickly that more audits often amount to better protection for an organization.

Businesses working with sensitive information — such as personally identifiable information — should consider conducting cybersecurity audits twice a year, if not more frequently. However, keep in mind that your company may need more time or resources to perform quarterly or monthly audits. The goal is to balance the number of audits you perform and the amount you spend on the audits themselves.

There are many types of audits out there. For example, a blended audit that combines remote and in-person auditing tasks can be helpful for global organizations with remote workers. But two types of audits — routine and event-based — are important to know.

You should certainly conduct routine audits annually or semi-annually, and event-based audits should be done when any major events happen within your IT infrastructure. For example, suppose you add servers to your network or transition to a new project management software. In that case, these “events” require you to perform another audit, as the changes could impact your cybersecurity posture.

4 Benefits of performing audits

The primary purpose of a security audit is to find weaknesses in your cybersecurity program so you can fix them before cybercriminals exploit them. It can also help companies maintain compliance with changing regulatory requirements. Here are some of the primary benefits you can reap by performing regular security audits.

1. Limits downtime

Extended downtime can cost your business a lot of money. According to Information Technology Intelligence Consulting, 40% of organizations surveyed say hourly downtime can cost them between one and five million dollars, excluding legal fees, penalties or fines.

Downtime can occur due to poor IT management or something more serious like a cybersecurity incident. Auditing is the first step companies must take to identify weaknesses that could eventually lead to downtime.

2. Reduces the chance of a cyberattack

As stated above, the main goal of a security audit is to identify vulnerabilities in your cybersecurity program. However, this is only helpful if you and your IT team develop solutions to patch these vulnerabilities and weaknesses. In doing so, you’re improving your overall cybersecurity posture and increasing your level of protection against potential cyber risks, such as malware or phishing attacks, ransomware, and business email compromise — to name a few.

3. Helps maintain client trust

Customers and clients want to know the companies they do business with prioritize physical and cybersecurity. This gives them peace of mind that their sensitive data is not at risk of being exposed, stolen or even sold on the dark web.

Maintaining client trust should be an important objective for any company offering products or services. It can help build your customer base, enhance customer loyalty, and even improve brand recognition.

4. Supports compliance efforts

Security audits are beneficial for businesses looking to take their compliance efforts up a notch. Various data privacy and protection laws are emerging to try and protect consumers and their sensitive information.

For example, the EU’s General Data Protection Regulation can impact your company, especially if it has customers or does business with other organizations in the EU. It can be challenging to keep up with changing regulatory requirements. However, conducting a security audit can help IT teams ensure they’re helping their companies comply with all these rules to avoid fees or penalties.

Protect your business with regular security audits

The cybersecurity landscape is evolving rapidly, with more threats emerging and attacks becoming more sophisticated than ever before. It’s come to the point where hackers leverage advanced technologies such as artificial intelligence to launch automated attacks on enterprises. It’s critical for your business to perform regular security audits to ensure you’re protecting your assets and data. Consider performing audits on a semi-annual basis to offer the best defense against ongoing cybersecurity threats.

The post How often should security audits be? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

“Why are you here if you cannot decrypt our data?” This is how people sometimes react to the arrival of the external incident response team. In this article, I will try to answer this question, but at the same time, I am going to describe the stages of incident response, list the main mistakes that play into the hands of hackers, and give basic advice on how to respond.

Let's start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For instance, some companies may consider incidents to include situations such as a power supply failure or a hard drive malfunction, while others may only classify malicious actions as incidents.

In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of an “undesirable event” is determined by each company's own interpretation and perspective.

For one organization, the discovery of a phishing email is what requires investigation. Other companies may not see the point in worrying about such incidents. For instance, they may not be concerned about a phishing email being opened on an employee device in a remote location not connected to the main infrastructure since it poses no immediate threat.

There are also interesting cases here. For example, online traders consider a drop in the speed of interaction with the online exchange by 1% to be a serious incident. In many industries, proper incident response steps and cybersecurity in general, cannot be overestimated. But if we are talking about serious incidents, then most often, these are events related to the penetration of an attacker into the corporate network. This annoys the vast majority of business leaders.

Incident response stages

While the interpretation of certain events as security incidents may vary depending on various factors such as context and threat model, the response steps are often the same. These response steps are primarily based on the old SANS standard, which is widely used by many security professionals.

SANS identifies six stages of incident response:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

It is important to note that the external response team is not immediately involved in this process.

Preparation

Preparation involves properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas:

• Inventory networks
• Build subnets correctly
• Use correct security controls and tools
• Hire the right people

All this is not directly related to the external response team and, at the same time, affects its work significantly. The response is based on preparatory steps. For example, it relies heavily on the log retention policy.

Each attack has its own dwell time – the time from an attacker entering the network until their activity is detected. If the attack has an extended dwell time (three-four months) and the logs are kept for seven days, it will be much more difficult for the investigation team to find the “entry point.” The required data will no longer be available. If such a situation arises, the response team can take action, but the likelihood of achieving a 100% successful outcome is significantly reduced.

Identification

This stage is entirely based on how well the preparation was done in the first stage. If everything is done correctly, there is a good chance that you will discover something in advance that can potentially lead to an unacceptable event.

Even primitive and basic steps can greatly increase the likelihood of early detection of a cyber threat. By building your own Security Operations Center (SOC) or engaging a capable third-party provider and implementing effective monitoring practices, you can greatly improve your chances of detecting potential security incidents. Careful preparation allows you to detect an attack in its early stages before the attacker has done any harm.

Ideally, the response process should be initiated at this stage. Alas, in practice, there are many cases when the sad consequences of an attack are the only thing due to which the incident is detected. Everything goes along the logical chain: preparation is terrible, detection and analysis fail, and an incident occurs. And the investigation, in this case, turns out to be a non-trivial task.

Containment

This stage is performed in close cooperation between the external response team and the customer. IT personnel often simply reboot computers before the external incident response team arrives. Yes, this is also a containment method, although not the most elegant.

The problem is that this deprives the response team of a lot of important data. And what is more important, it does not always work. Today hackers rarely use just one technique to achieve persistence. They usually employ Remote Desktop Protocol (RDP) for lateral movement, and stopping them is not always easy. Therefore, joint analytics are vital to understand which connection is legitimate and which is not. When the external response team and their customers work together closely, it becomes simpler to understand the situation and develop effective tactics to contain specific threats.

Eradication

At this stage, it is generally expected that the incident response team has already provided the customer with an incident analysis, including malware analysis, indicators of compromise, etc. A thorough process of scanning the network is in progress, followed by the removal of all detected anomalies.

Recovery

At this stage, a consistent and accurate restoration of the customer's IT systems is carried out. It implies not just recovering from backups but also the reactivation and testing of information security tools.

Usually, restoring protections is a fairly simple task. The fact is that attackers, as a rule, act just by bypassing protection mechanisms. They get administrative privileges and, if possible, “turn off” security solutions. Yes, hackers can use malware that interferes with Windows logging or disrupt Critical Event Management, but such cases are relatively rare.

Although not a common occurrence, some attackers may leave bookmarks to enable repeated attacks. It is vital to remain vigilant and check for such bookmarks, even in the case of a seemingly straightforward attack.

Lessons learned

It may seem that the incident response team's main task is to restore everything to its previous state, but this is a simplification. The response team is invited for a different purpose. Its tasks are to understand:

• The attack vector used by the hackers.
• The specific entry point used to gain unauthorized access to the IT systems.
• A detailed timeline of how the attack progressed.
• Identification of potential prevention measures that could have been implemented at different stages.
• Recommendations for addressing the root cause of the incident to prevent future attacks.

The answers help give better recommendations. For example:

• If the attack started with phishing, it is advised to set up an email sandbox, adjust spam filters, and train employees.
• If a vulnerability is to blame, changing the updatepatch and network monitoring procedures is recommended.

Why is the final stage so important? First, most attacks are not very inventive. Actually, they are formulaic. Therefore, you can draw conclusions from one attack and prevent a dozen similar ones.

Second, the hackers usually come back. Here is a real-life example. The IR team identified an entry point, studied that PC, and found that some files were encrypted a year before the incident. It turned out that the customers were aware but did not pay attention to the incident since the first time, it caused almost no damage. As a result, a second attack occurred through the same entry point. This time, hackers spent a little more of their time and encrypted everything and destroyed the entire domain.

Third, without adequate response procedures, it is impossible to enhance security awareness training and incident detection, which serve as the bedrock of a company's security system.

How to improve security

Basic knowledge is important

The basic things you probably already know about are already cool and very useful. Every year, thousands of companies fall victim to attacks due to the most banal reasons. The most common cases are the exploitation of unpatched vulnerabilities. The second common thing is phishing.

So, a significant number of potential security issues can be mitigated by prioritizing effective patch management, maintaining an accurate inventory of infrastructure, and providing staff with training in digital hygiene.

There are a lot of organizations that have already done all the basic things. However, it does not guarantee the complete absence of incidents. They can be recommended to run penetration tests. However, you need to “grow up” to this kind of thing. It makes no sense to conduct penetration testing when only 20% of the infrastructure is covered with Intrusion Detection and Response (IDRIDS) solutions.

Follow trends and industry reports

Numerous security reports and news can tell you what tools and attacks hackers use. This way, you can establish relevant security criteria for your company. The reports often provide specific recommendations on how to protect from a particular attack. One of the best sources for such information is MITRE ATT&CK Matrix.

Do not panic, and do not do rash things

A typical mistake is to reboot all the computers involved in the attack. Yes, there are urgent situations when this is crucial, but, if possible, please make copies of infected machines. This will enable you to preserve evidence for any subsequent investigation.

In general, do not act impulsively. Quite often, upon discovering encrypted files, employees immediately disconnect the power supply. This approach is akin to gambling. Nothing can be guaranteed after that. Yes, the encryption stops, and you can probably save several untouched files. On the other hand, such an abrupt stop corrupts the disc and data affected by the encryption process. Even if the security community comes up with a decryptor or you pay a ransom (which is not recommended), restoring data whose encryption has been interrupted may not be possible.

Contacting the experts

Is it possible to cope with an attack on our own? Yes, if you have well-established procedures. Mitigation efforts can be prioritized. It is not very difficult to protect mobile devices, implement multi-factor authentication, or set efficient patch management procedures. From a financial standpoint, relying on backups and minimizing recovery time can be an acceptable strategy. However, when it is essential to stop the attack promptly, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action – there are no alternatives – call the external response team.

The post Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In a highly connected, internet-powered world, transactions take place online, in person, and even somewhere in between. Given the frequency of digital information exchange on our devices, including smartphones and smart home gadgets, cybersecurity has never been more important for protecting sensitive customer information. In response, the US Federal Trade Commission has rolled out updated measures to ensure that customers’ details are fully protected. 

Due to supply chain issues and qualified employee shortages, however, the FTC has granted a six-month extension on the original deadline, so businesses and financial institutions now have more time to complete the required changes. This article will look at the updated federal data security measures and how they will impact businesses. 

Updated federal data security measures

In November, the United States Federal Trade Commission announced that it would grant a six-month extension for companies that have yet to update their security measures in compliance with updated FTC standards. 

The new deadline for businesses and financial institutions to implement the required changes will be June 9, 2023. By that point, all businesses must have updated their policies and procedures in keeping with the Financial Data Security Rule, also known as the Safeguards Rule.

Initial changes to the Safeguards Rule

Initially, the Federal Trade Commission approved changes to the Safeguards Rule in October 2021. These changes included updated criteria for financial institutions, providing more specific requirements about which safeguards they must include in their information security programs. 

Some of these updates to the Safeguards Rule were implemented 30 days after the rule was published in the Federal Register, while other specific criteria were on track to be implemented on December 9, 2022. 

Why has the deadline been extended?

The deadline has been extended to June 2023 due to reports presenting compelling arguments for postponing the required implementation. The Small Business Administration’s Office of Advocacy, for example, filed a letter addressed to the FTC. The letter stated that several factors would bar companies from effectively implementing these updated security requirements in the allotted time. 

Between supply chain issues that could cause delays in transporting essential equipment for the requisite security system upgrades, and a widespread shortage of qualified information security experts who could implement the changes on time, the letter from the SBA convincingly spelled out why businesses would need more time to complete the security system upgrades in compliance with FTC rules. 

The global COVID-19 pandemic further exacerbated these issues, making it difficult for small-scale businesses and financial institutions to meet the deadlines. The FTC voted unanimously to approve this deadline extension.

Reasons for FTC data security rule updates

The changes to the Financial Data Security Rule are meant to ensure that financial institutions put sufficient security measures in place to keep their customers’ personal information safe from any hacking attempts. Boosting the data security of financial institutions is vital to strengthening the overall cybersecurity of the country’s interconnected financial networks. 

Given the increasing rates of identity theft and financial fraud attempts, this is an essential form of protection. In 2021, for instance, the FTC encountered almost 390,000 reports of credit card fraud alone, making this the most common type of financial fraud in the United States. Since credit card fraud can often be enacted during unsecured store transactions, the FTC is determined to bolster security measures at every level. 

The FTC Safeguards Rule updates apply to in-person businesses, financial institutions, and online platforms, including the more recent cryptocurrency industry. Since 2009, more than 6,600 distinct cryptocurrencies have been released. With such a sustained influx of different cryptocurrencies, regulations have been slow to catch up in comparison to other trading platforms such as forex or options trading. Now the FTC is working to ensure that online and cryptocurrency transactions are sufficiently secure. 

What does this mean for businesses?

Businesses and financial institutions will need to get busy implementing the necessary changes. For example, companies may need to update their software to remain in compliance with the updated FTC rules. 

This process can take time, as companies will need to search for highly capable technical writers to document the software adjustments. According to Shaun Connell, technical writers and documentation creators must be involved in the software update project from the start. So to meet the June deadline, businesses will need to make this security update a top priority. 

Who does it affect?

Banks are not affected by The Safeguards Rule, but any other non-banking financial institutions, including motor vehicle dealers, payday lenders, and mortgage brokers, will need to update their security protocols by the deadline. 

Depending on the specific institution and its pre-existing security setup, businesses may need to create, enact, and upkeep a strong security system that will protect their customers’ sensitive information, such as financial details, home address, personal preferences, and even name, age, and gender. 

Cybercriminals can use any and all of this information to steal customers’ identities, so setting up a comprehensive security protocol will ensure that customers’ details are safe throughout every transaction.

Specific provisions under the extended deadline

Not all the updated criteria of the Safeguards Rule are affected by this six-month-long extended deadline. The specific provisions that businesses and financial institutions must enact by June 9, 2023, are as follows:

• Appoint a highly qualified individual to oversee the new information security program.
• Encrypt all sensitive information that passes through a business’s servers and systems. 
• Appoint and train security personnel who can manage and oversee the updated security systems and enact any security protocols in case of a cybersecurity breach. 
• Craft an incident response plan so that clear protocols are established. 
• Write a comprehensive risk assessment of their current security system. 
• Enact ongoing monitoring of who has access to sensitive customer details within the company.
• Limit who has access to sensitive customer details within the company. 
• Set up multi-factor authentication for any company member who attempts to access customer data. Or, instead of multi-factor authentication, another authentication system that provides equal protection can be implemented. 
• Conduct periodic assessments of the security practices used by their service providers to ensure added layers of security between businesses as well. 

These measures may require significant lead times to be well-established and running effectively by the June deadline. But once they are set up, they should provide significant additional security for all business-to-customer interactions. 

Government policies to prevent cybersecurity threats

At the core of these required security protocol updates is protection for customers. These necessary government policies have individual consumers’ security in mind and rely on multiple layers of cooperation and adjustment to keep sensitive data safe. Businesses and financial institutions will have to cooperate with the widespread Safeguards Rule implementation to fulfill federal trade commission standards designed to prevent cybersecurity threats from taking effect.

The post FTC extends deadline by six months for compliance with some changes to financial data security rules appeared first on Cybersecurity Insiders.

Firewall optimization (also known as firewall analysis) is the process of analyzing and adjusting the configuration and policy set of a firewall to improve performance and security. This process involves reviewing and corelating log data and device configurations, identifying potential vulnerabilities and weaknesses, and providing recommendations for remediation. Performing these processes is complex, which is why tools like firewall analyzers are useful. They offer automation, visualization, and alerting to provide recommendations that can be used to reduce the risk of attack.

What is the business impact of firewall optimization?

Firewall optimization is important because it can help organizations improve their overall security, performance, and compliance, while also reducing costs and improving decision-making. This can ultimately contribute to better overall business performance. Firewall optimization can have a positive impact on a business's overall network security and performance.

Some of the key benefits include:

• Improved security: Analyze configurations and log data to identify potential vulnerabilities and threats in the network and provide recommendations for remediation. This can help to reduce the risk of successful cyber-attacks and data breaches.
• Better performance: Improve overall network performance by identifying and addressing bottlenecks and inefficiencies in the firewall configuration. This can result in faster network speeds, more reliable connectivity, and better overall performance.
• Compliance: Comply with relevant regulations and standards, such as PCI DSS and HIPAA, by providing regular compliance reports and identifying potential compliance issues.
• Cost savings: By identifying and addressing inefficiencies and bottlenecks in the firewall configuration, firewall optimization can also help reduce costs associated with network maintenance and troubleshooting.
• Improved decision-making: Have a better understanding of the network security posture and the capabilities of the firewall. This allows organizations to make more informed decisions about their security strategy, and to better allocate resources for security initiatives.

How is firewall optimization different from firewall management?

Firewall optimization uses software tools like a firewall analyzer to find weaknesses and vulnerabilities in network attached devices. The inspection includes analyzing configurations and log data from security devices, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

The primary features of a firewall optimization include:

• Log analysis: Review log data to understand utilization trends over time and recommend ways to enhance the performance of the firewall without compromising security.
• Configuration analysis and compliance reporting: Review running configurations of firewall devices regularly and include features for generating reports that show compliance with relevant regulations and standards, such as PCI DSS and HIPAA.
• Security analytics: Analytics capabilities allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
• Alerting: Alerting features that notify users when potential threats or vulnerabilities are detected.
• Integration with other tools: Some firewall analyzers can be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.
• Multi-vendor support: Firewall analyzers can support multiple firewall platforms. This can be useful when migrating from one firewall platform to another, to help clean the ruleset of any vulnerabilities and test configurations prior to deployment.

A firewall management platform, on the other hand, is a comprehensive tool that helps organizations to manage, configure, and monitor their firewalls. It includes features like firewall policy management, threat detection and management, asset discovery, and security analytics. The primary features of a firewall management platform include:

• Policy management: Allows users to create and manage firewall policies, which define the rules for allowing or blocking network traffic.
• Asset discovery: Discover and inventory assets on a network, including servers, workstations, and other network attached devices.
• Security analytics: Analytics capabilities that allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
• Monitoring: Monitor network traffic and alerting users when potential threats or vulnerabilities are detected.
• Integration with other tools: In addition to firewall analyzers, some firewall management platforms can be integrated with other security tools, such as a Security Incident and Event Manager (SIEM) to provide a more comprehensive view of an organization's security posture.

One of the main differences between firewall optimization and the firewall management platform is the scope of their capabilities. Firewall optimization is focused on the performance and configuration of the firewall, by analyzing the running configuration and log data from firewalls, even in environments with multiple vendor firewalls.

Another difference is the level of control on a device that the tools provide. A firewall analyzer provides insights, recommendations, application traffic flows, and may even have device configuration and management capabilities. A firewall management platform, on the other hand, provides granular control over firewalls, including the ability to create and manage firewall policies and to monitor network traffic.

How does firewall optimization work?

Firewall optimization uses a firewall analyzer tool to provide visibility into the security posture of a network by identifying potential threats and vulnerabilities, and by providing recommendations for remediation.

The process of firewall analysis typically involves the following steps:

• Data collection: The firewall analyzer collects log data and device configurations from the security devices on the network. This data may include information on network traffic, firewall rules, and security events.
• Data analysis: The firewall analyzer then analyzes the collected data to identify potential vulnerabilities and threats in the network. This may include identifying open ports, misconfigured firewall rules, or unusual network traffic patterns.
• Reporting and visualization: The firewall analyzer generates reports and visualizations that provide a detailed overview of the network's security posture. These reports may include information on compliance with relevant regulations and standards, as well as recommendations for remediation.
• Alerting: The firewall analyzer may also include alerting features that notify security teams when potential threats or vulnerabilities are detected.

Some firewall analyzers can also be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.

Firewall optimization best practices

It is not uncommon for organizations to question if both a firewall analyzer and firewall management platform are necessary for improved network security. Firewall analyzers provide a strategic and operational view of the network security environment across multiple vendors. This contrasts with the firewall management platform’s operational and tactical capabilities which are vendor specific.

In addition, firewall analyzers can provide value for non-operational roles in an organization, such as auditors. Auditors can collect the information they need without having to access the firewall management platform directly or involve the operations teams who administer the platform.

Conclusion

Overall, firewall optimization using firewall analyzer tools and firewall management platforms are important for the network’s health and security. While they serve different purposes, they also complement each other with their unique capabilities. Organizations that need visibility into the performance of the network along with recommendations for improving the firewall security should consider a firewall optimization strategy that incorporates both capabilities.

AT&T Cybersecurity Consulting has more than 20 years of experience increasing network security and performance using its firewall optimization programs. Learn more about the benefits and best practices of implementing a firewall optimization strategy that incorporates both firewall analyzer tools and firewall management platforms. Contact us today to get started.

The post What is firewall optimization? appeared first on Cybersecurity Insiders.

AT&T Alien Labs researchers have discovered a new variant of BlackGuard stealer in the wild, infecting using spear phishing attacks. The malware evolved since its previous variant and now arrives with new capabilities.

Key takeaways:

• BlackGuard steals user sensitive information from a wide range of applications and browsers.
• The malware can hijack crypto wallets copied to clipboard.
• The new variant is trying to propagate through removable media and shared devices.

Background

BlackGuard stealer is malware as a service sold in underground forums and Telegram since 2021, when a Russian user posted information about a new malware called BlackGuard. It was offered for $700 lifetime or $200 monthly, claiming it can collect information from a wide range of applications and browsers.

In November 2022, an update for BlackGuard was announced in Telegram by its developer. Along with the new features, the malware author suggests free help with installing the command & control panel (Figure 1)

Figure 1. Announcement of new malware version in its Telegram channel.

Analysis

When executed, BlackGuard first checks if another instance is running by creating a Mutex.

Then to ensure it will survive a system reboot, the malware adds itself to the “Run” registry key. The malware also checks if it's running in debugger mode by checking TickCount and checking if the current user belongs to a specific list to determine whether it is running in a malware sandbox environment. (Figure 2)

Figure 2. Malware will avoid execution if running under specific user names.

Now all is ready for stealing the user’s sensitive data. It collects all stolen information in a folder where each piece of data is stored in a specific folder, such as Browsers, Files, Telegram, etc. (Figure 3)

Figure 3. BlackGuard main folder with stolen data divided into folders.

When it finishes collecting sensitive data, the malware will zip the main folder using the password “xNET3301LIVE” and send it to its command & control. (Figure 4)

Figure 4. Zipping exfiltrated data with password and uploading to command & control.

Browser stealth

Along with collecting cookies, history and downloads of different browsers, BlackGuard also looks for the existence of special files and folders of different browsers. (This includes “Login Data”, AutoFill, History and Downloads. (Figure 5)

 

Figure 5. Collecting browser information.

Below is the list of browsers BlackGuard is looking for:

Chromium	Chrome	ChromePlus
Iridium	7Star	CentBrowser
Chedot	Vivaldi	Kometa
Elements Browser	Epic Privacy Browser	uCozMedia
Sleipnir5	Citrio	Coowon
liebao	QIP Surf	Orbitum
Comodo Dragon	Amigo	Torch
Comodo	360Browser	Maxthon3
K-Melon	Sputnik	Nichrome
CocCoc	Uran	Chromodo
Opera	Brave-Browser	Edge
Edge Beta	OperaGX	CryptoTab browser

 

In addition, the malware steals Chrome, Edge, and Edge Beta browsers’ crypto currency addons data. It supports the addons listed below by looking for their hardcoded installation folder path in “MicrosoftEdgeUser DataDefaultLocal Extension Settings”. For example, the specific folder for “Terra Stations” is “ajkhoeiiokighlmdnlakpjfoobnjinie”. BlackGuard looks for Edge/EdgeBeta addons listed below:

Auvitas	Math	Metamask
MTV	Rabet	Ronin
Yoroi	Zilpay	Exodus
Terra Station	Jaxx

 

For Chrome it looks for those addons:

Binance	Bitapp	Coin98
Equal	Guild	Iconex
Math	Mobox	Phantom
Tron	XinPay	Ton
Metamask	Sollet	Slope
Starcoin	Swash	Finnie
Keplr	Crocobit	Oxygen
Nifty	Keplr	Forbole X
Slope Wallet	Nabox Wallet	ONTO Wallet
Goby	FINX	Ale
Sender Wallet	Leap Wallet	Infinity Wallet
Zecrey	Maiar Wallet	Flint Wallet
Liquality

 

Cryptocurrency

The malware also steals cryptocurrency wallets. It copies the wallet directory for each of the following crypto wallets below and sends them to its command & control.

Zcash	Armory	Jaxx Liberty
Exodus	Ethereum	Electrum
Atomic	Guarda	Zap
Binance	Atomic	Frame
Solar wallet	Token Pocket	Infinity

 

It will also query the registry for the installation path of “Dash” and “Litecoin” keys and do the same.

Messaging and gaming applications:

BlackGuard supports the stealing of a wide range of messaging applications. For some of the applications such as Telegram, Discord and Pidgin, the malware has a specific handler for each. For example, for Discord, it copies all data for the following folders in the Application Data folder which stored the Discord tokens: “DiscordLocal Storageleveldb”, “Discord PTBLocal Storageleveldb”, “Discord Canaryleveldb”. In addition, it copies all strings in files with the extension of “.txt” and “.ldb” if they match Discord’s token regular expression. (Figure 6)

Figure 6. Stealing Discord’s tokens and data.

Below is the list of messaging applications the malware looking to steal sensitive information from:

Discord	Telegram	Tox
Element	Miranda NG	Signal
Adamant-IM	Wire	WhatsApp
Vipole	Proxifier	Steam
Pdgin	Battlet net

 

Outlook, FTP, VPN, and other applications

BlackGuard steals login data and other sensitive information from additional communication programs. For email applications, the malware queries specific Outlook registry keys under the CURRENT_USER hive to extract user, password and server information. (Figure 7)

Figure 7. Exfiltration of Outlook stored information.

The malware also handles different FTP and VPN applications to extract stored users and passwords. For example, for NordVPN, the malware will search the application’s folder and if found, it parses all user.config files to extract the users and passwords. (Figure 8)

Figure 8. Exfiltrating NordVPN information.

In addition to Outlook and NordVPN, BlackGuard also steals information from WinSCP, FileZilla, OpenVPN, ProtonVPN and Total Commander.

Other data collected      

Additionally, the malware also collects information from the machine such as anti-virus software installed on the machine, external IP address, localization, file system information, OS and more.

New BlackGuard features

Crypto wallet hijacking

In addition to stealing crypto wallets saved/installed on the infected machine, BlackGuard is hijacking cryptocurrency addresses copied to clipboard (such as CTRL+C) and replacing them with the threat actor’s address. This can cause a victim to send crypto assets to the attacker without noticing it when trying to transfer/pay to other wallets. This is done by tracking any content copied to the clipboard and matching it to relative different crypto wallets’ regex. (Figure 9)

Figure 9. Specific regex to search in clipboard for listed coins.

Once there is a match, the malware will query its command and control for the alternative wallet and replace it in the clipboard instead of the one that was copied by the user. The malware supports stealing the popular crypto assets below:

BTC (Bitcoin)	ETH (Ethereum)	XMR (Monero)
XLM (Stellar)	XRP (Ripple)	LTC (Litecoin)
NEC (Nectar)	BCH (Bitcoin Cash)	DASH

 

Propagate through shared / removable devices

Although this feature was limited since Windows 7 to be used only for CDROM, the malware copies itself to each available drive with an “autorun.inf” file that points to the malware to execute it automatically. This includes removable and shared devices. For example, if a USB device is connected to an old version of Windows, the malware will be executed automatically and infect the machine. (Figure 10)

Figure 10. Propagate to all available drives.

Download and execute additional malware with process injection

The new variant of BlackGuard downloads and executes additional malware from its command & control. The newly downloaded malware is injected and executed using the “Process Hollowing” method. With that the malware will be running under legitimate/whitelisted processes and can make more detection more difficult. (Figure 11)

Figure 11. Download and execute additional malware using process injection.

The targeted process is RuntimeDirectory folder, RegASM.exe (C:WindowsMicrosoft.NETFramework64runtime_versionRegAsm.exe)

Massive malware duplication

The malware copies itself to every folder in C: drive recursively, each folder the malware generates a random name to be copied to. This feature is not common for malware, and this is mostly annoying, as the malware gains no advantage from that.

Persistence
The malware added persistence to survive system reboot by adding itself under the “Run” registry key. (Figure 12)

Figure 12. Setting registry persistence.

Documents – stealth activity

The malware searches and sends to its command and control all documents end with extensions “.txt”, “.config”, “.docx”, “.doc”, “.rdp” in the user folders (including sub directories): “Desktop”, “My Documents”, UserProfile folder.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035716: ET TROJAN BlackGuard_v2 Data Exfiltration Observed

2035398: ET TROJAN MSIL/BlackGuard Stealer Exfil Activity

 

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
IP ADDRESS	http://23[.]83.114.131	Malware command & control
SHA256	88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3	Malware hash

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0001: Initial Access
  • T1091: Replication Through Removable Media
• TA0002: Execution
  • T1106: Native API
  • T1047: Windows Management Instrumentation
• TA0003: Persistence
  • T1547.001: Registry Run Keys / Startup Folder
• TA0005: Defense Evasion
  • T1027: Obfuscated Files or Information
• TA0006: Credential Access
  • T1003: OS Credential Dumping
  • T1539: Steal Web Session Cookie
  • T1528: Steal Application Access Token
  • T1552: Unsecured Credentials
    • .001: Credentials In Files
    • .002: Credentials In Files
• TA0007: Discovery
  • T1010: Application Window Discovery
  • T1622: Debugger Evasion
  • T1083: File and Directory Discovery
  • T1057: Process Discovery
  • T1012: Query Registry
  • T1082: System Information Discovery
  • T1497: Virtualization/Sandbox Evasion
• TA0008: Lateral Movement
  • T1091: Replication Through Removable Media
• TA0009: Collection
  • T1115: Clipboard Data
  • T1213: Data from Information Repositories
  • T1005: Data from Local System
• TA0011: Command and Control
  • T1071: Application Layer Protocol
  • T1105: Ingress Tool Transfer
• TA0010: Exfiltration
  • T1020: Automated Exfiltration

The post BlackGuard stealer extends its capabilities in new variant appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. ​

According to the Open Web Application Security Project (OWASP, 2019), broken object-level authorization (BOLA) is the most significant vulnerability confronting modern application programming interfaces (APIs). It can be exciting to pursue innovations in the API area, but while doing so, programmers must ensure that they are adequately attentive to security concerns and that they develop protocols that can address such concerns. This article will describe the problem of BOLA and its consequences, and then it will present potential actions that can be taken to solve the problem.

The problem

​OWASP (2019) indicates the following regarding BOLA: “Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request” (para. 1). For example, a hacker may access information regarding how various shops make requests to an e-commerce platform. The hacker may then observe that a certain pattern exists in the codes for these requests. If the hacker can gain access to the codes and has the authorization to manipulate them, then they could establish a different endpoint in the code and thereby redirect all the data to themselves.

The exploitation of BOLA vulnerabilities is very common because, without the implementation of an authorization protocol, APIs essentially have no protection whatsoever against hackers. To attack this kind of APIs, the hacker only needs the capability to access request code systems and intercept data by manipulating the codes, which can be done rather easily by anyone who has the requisite skills and resources (Viriya & Muliono, 2021). APIs that do not have security measures in place are thus simply hoping that no one will know how to conduct such an attack or have the desire to do so. Once a willing hacker enters the picture, however, the APIs would have no actual protections to stop the hacker from gaining access to the system and all the data contained within it and transmitted across it.

The consequences

​BOLA attacks have significant consequences in terms of data security: “Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access can also lead to full account takeover” (OWASP, 2019, para. 3). In short, BOLA attacks produce data breaches. Stories about data breaches are all too common in the news, with a very recent one involving a healthcare organization in Texas (Marfin, 2022). While not all data breaches are the result of BOLA attacks, many of them are, given that BOLA is a very common vulnerability in APIs. The specific consequences of a successful BOLA attack, as well as the magnitude of those consequences, would depend on the target of the attack.

For example, if the target is a healthcare organization, then the data breach could lead to hackers gaining access to patients' private health insurance. If the target is a bank, then the hackers would likely be able to access customers’ social security numbers. If the target is an e-commerce website, then data regarding customers’ credit card numbers and home addresses would be compromised. In all cases, the central consequence of a BOLA attack is that hackers can gain access to personal information due to a lack of adequate security measures within the APIs in question.

The solution

​The solution to BOLA is for programmers to implement authorization protocols for accessing any data or codes within an API. As OWASP (2019) indicates, prevention of BOLA will require the implementation of “an authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses input from the client to access a record in the database” (para. 9).

BOLA vulnerability essentially has to do with APIs and assuming that if a user has access to the information required to make a request, then they must automatically be authorized to make that request. This assumption is obviously fallacious since hackers can gain access to the information and then use it to manipulate the API even though they have no actual authorization to do so.

Therefore, preventing BOLA vulnerability requires a system that not only responds to the user’s inputs but is also able to verify whether the user is authorized to perform the desired actions (Blokdyk, 2022). For example, the system may require an external password that a hacker would not be able to find simply by perusing data and information within the API itself.

The solution to BOLA, then, is straightforward one. APIs currently focus on object IDs for authenticating requests, which is altogether inadequate from a data security standpoint. To prevent BOLA, APIs must track the users themselves and focus on ensuring that users are properly authorized to make requests, take actions, and provide inputs within the system. The BOLA vulnerability is based entirely on the fact that programmers often fail to implement such a protocol. Such implementation would eliminate the entirety of the vulnerability insofar as hackers will then not be able to access and manipulate target APIs.

Perhaps BOLA is thus a case study in humility. As programmers explore new frontiers of modern APIs, they must also ensure that they do not neglect the basics. The implementation of user authorization protocols to prevent BOLA vulnerability must be understood as a foundational element for any sound API, and doing so will address a key OWASP priority. 

References

Blokdyk, G. (2022). User authentication and authorization. 5STARCooks.

Marfin, C. (2022, July 12). Tenet Healthcare faces lawsuit after data breach affects 1.2 million ​patients. Dallas Morning News. ​​https://www.dallasnews.com/news/courts/2022/07/12/tenet-healthcare-faces-lawsuit-%E2%80%8Bafter-data-breach-affects-12-million-patients/

Open Web Application Security Project. (2019). API2:2019 broken object level authorization. ​GitHub. https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-​object-level-authorization.md

Viriya, A., & Muliono, Y. (2021). Peeking and testing broken object level authorization ​vulnerability onto e-commerce and e-banking mobile applications. Procedia Computer ​Science, 179, 962-965.

The post Broken Object Level Authorization: API security’s worst enemy appeared first on Cybersecurity Insiders.

Ransomware is a form of malicious software (malware) that restricts access to computer files, systems, or networks until a ransom is paid. In essence, an offender creates or purchases ransomware, then uses it to infect the target system. Ransomware is distributed in several ways including, but not limited to, malicious website links, infected USB drives, and phishing emails. Once infected, the offender encrypts the device and demands payment for the decryption key. Figure 1 provides a simplistic overview of the ransomware timeline.

Figure 1. Ransomware timeline.

The earliest recorded case of ransomware was the AIDS Trojan, which was released in the late 1980s. Now, in 2023, ransomware is considered the greatest cybersecurity threat due to the frequency and severity of attacks. In 2021, the Internet Crimes Complaint Center received over 3,000 ransomware reports totaling $49.2 million in losses. These attacks are especially problematic from a national security perspective since hackers aggressively target critical infrastructure such as the healthcare industry, energy sector, and government institutions.

If ransomware has been around for over 40 years, why is it now increasing in popularity? We argue the increase in ransomware attacks can be attributed to the availability of ransomware sold on darknet markets.

Darknet markets

Darknet markets provide a platform for cyber-criminals to buy, sell, and trade illicit goods and services. In a study funded by the Department of Homeland Security, Howell and Maimon found darknet markets generate millions of dollars in revenue selling stolen data products including the malicious software used to infect devices and steal personal identifying information. The University of South Florida’s (USF) Cybercrime Interdisciplinary Behavioral Research (CIBR) sought to expand upon this research. To do this, we extracted cyber-intelligence from darknet markets to provide a threat assessment of ransomware distribution. This report presents an overview of the key findings and the corresponding implications.

Threat assessment

While drugs remain the hottest commodity on darknet markets, our threat intelligence team observed a rise in ransomware (and other hacking services). 

The study was conducted from November 2022-February 2023. We began by searching Tor for darknet markets advertising illicit products. In total, we identified 50 active markets: this is more than all prior studies. We then searched for vendors advertising ransomware across these markets, identifying 41 vendors actively selling ransomware products. The number of markets and vendors highlight the availability of ransomware and ease of access. Interestingly, we find more markets than vendors. Ransomware vendors advertise their products on multiple illicit markets, which increases vendor revenue and market resiliency. If one market is taken offline (by law enforcement or hackers), customers can shop with the same vendor across multiple store fronts.

The 41 identified vendors advertised 98 unique ransomware products. This too shows the accessibility of various forms of ransomware readily available for purchase. We extracted the product description, price, and transaction information into a structured database file for analysis. In total, we identified 504 successful transactions (within a 4-month period) with prices ranging from $1-$470. On average, ransomware sold on the darknet for $56 with the best-selling product being purchased on 62 different occasions at $14 per sale. A screenshot of the best-selling ransomware advertisement is presented in Figure 2. This product is listed as fully customizable, allowing the customer to choose their target and ransom amount. These findings illustrate that ransomware sold on the darknet is both affordable and user-friendly.

Figure 2. Ransomware advertisement found on a darknet market.

Purchases on the darknet are facilitated using cryptocurrencies that anonymize the transaction and ensure both the buyer and seller's protection. Bitcoin is the favored method of payment, but some vendors also accept DOGE, Bitcoin Cash, Litecoin, and Dash.

Our final goal was to understand which words are associated with ransomware distribution. Using the product description, we created a word cloud (presented in Figure 3) to depict the most common words used when selling ransomware. The most commonly used words include ransomware, encrypt, systems, urgency, decryption, victims, and software. Knowing the words associated with ransomware distribution allows for the development of machine learning algorithms capable of detecting and preventing illicit transactions.

Figure 3. The most used words in a ransomware advertisement.

Implications

The security concerns posed by ransomware and darknet markets have been independently identified by researchers, government agencies, and cybersecurity companies. We expand the discussion by assessing the synergetic threat posed by ransomware distributed via darknet markets. Our findings suggest the uptick in ransomware may result from product availability, affordability, and ease of use. Cyber-criminals no longer need the advanced technical skills required to develop unique forms of ransomware. Instead, they can simply purchase customizable ransomware on the darknet and launch an attack against their victims.

Acknowledgements

            This research would not be possible without the students and faculty associated with CIBR lab. Specifically, we thank Taylor Fisher, Kiley Wong-Li, Mohamed Mostafa Abdelghany Mostafa Dawood, and Sterling Michel for their continued involvement on the cyber-intelligence team. For more cutting-edge cybersecurity research, follow Dr. C. Jordan Howell, Lauren Tremblay, and the CIBR Lab on Twitter: @Dr_Cybercrime, @DarknetLaur, and @CIBRLab.

The post An assessment of ransomware distribution on darknet markets appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Customers’ willingness to give you their personal data begins with the experience they receive. Convincing them requires the right tone, an outlook of what they’ll get in return, and most importantly, a high level of trust. But while companies depend on customer data to unlock growth, user-centric data collection can be tricky.

43% of U.S. consumers say they would not allow companies to collect personal data, even to accommodate more personalized, customized experiences, while 88% will give you their data if they trust your brand.

With this in mind, how do you meet customer expectations and proactively build consumer trust throughout the entire customer lifecycle? Effective user journey orchestration, supported by a robust Customer Identity & Access Management (CIAM) solution, can help you balance security, privacy, and convenience, resulting in a trust-worthy digital experience.

5 ways CIAM safely orchestrates your customers’ journey

CIAM is an effective solution for hassle-free and secure logins that enables you to retain more customers with seamless access across various digital channels. This is how CIAM safely orchestrates your customers’ journey.

1. Capture and manage customer identities to remove friction at registration and login

Businesses spend a lot to acquire new customers but tend to invest less in the experience once acquired. Meanwhile, providing a seamless and convenient experience is what eventually brings loyalty – and thus, the base to harness true ROI.

With CIAM, you no longer need to push every customer through the same rigid authentication processes when they visit your site. Put simply, CIAM ensures customers are always met at the digital front door, conveniently and without friction.  

For example, if customers are registering for the first time, you don't need to ask them to enter all their personal data immediately. Ask your customer for only needed information, at the right point in their journey. This will allow them to focus on their shopping experience or the task at hand rather than filling in forms.

When an existing customer wants to log into your site, you can make smarter decisions about how many authentication hoops you should make them jump through. For example, suppose the risk environment remains unchanged, and their behavioral context is the same as before. You might decide they don't need to enter their password again or authenticate using MFA.

CIAM allows you to adjust your authentication experience's friction level to make your customers' experience seamless.

1. Build robust customer profiles based on first-party, consent-based data

CIAM captures the personal data that the customer has released to your brand. This first-party data, which is based on consumer consent, enables your business to compile comprehensive client profiles by collecting and combining data from multiple channels. The data produced can assist your company in achieving a unified customer experience as your consumer engages with various business divisions.

First-party data is essential as third-party cookies are being blocked from browsers, and businesses need to invest in privacy-friendly ways to gather data for profiling their prospective customers. Besides from harnessing the value of data, consent-based data collection is a demonstration of respecting your customer’s privacy – a building block to achieving customers’ trust.

2. Orchestrate customer profiles in near real-time to other engagement solutions to deliver personalized experiences

Storing your customers' profile data in a single platform allows you to make timely and data-informed decisions furthering engagement with your customer with other solutions.

Take, for example, the way Spotify works. When you search for your favorite artist, the platform suggests other artists with the same style. These suggestions allow you to listen to more of your favorite music and offer an impeccable personalized experience. Wouldn’t you like your brand to treat your customers the same way?

If you get to know your customers better by building rich user profiles, you can use these profiles to tailor experiences across every digital property. And your customer will keep coming back to you for more.

3. Drive the adaptive authentication experience to limit burden and enhance security

Requiring your customers to provide an additional authentication factor by implementing MFA is one of the simplest ways to increase the security of the login flow. Email is an option that is often easier to implement, but it can increase customers’ effort at the authentication flow, and building frustration might cause them to opt for a competitor.

With CIAM, you can choose the authentication options, i.e., biometrics, that will be easiest or most secure for your customers without any additional worry about how difficult they might be to integrate and maintain within your application.

A customer identity platform only asks for the authentication you need and always asks for it when you need it, providing two sides of the same coin. If you can prove to customers that the friction added to the experience is always proportionate to the situation, you'll find it much easier to win their trust.

4. Adopt progressive profiling

A customer's introduction to your application is often a registration process, and you need to ensure that the process is efficient, seamless, and secure so that you don't lose the customer's attention along the way. This might mean primarily collecting only the minimum amount of information you require from your users. A 'just in time' and 'just enough' approach to data collection is the best strategy for building a frictionless and secure prospect-to-customer journey that leads to better conversion rates.

A CIAM solution can be configured to require as many or as few pieces of information about your customers as you wish to gather. This information can be stored centrally so that you can utilize the CIAM solution as the source of truth regarding customer personal information and be assured that this data is always secured. 

The main advantage of effective user journey orchestration

A significant benefit of deploying a cloud identity platform, and thereby adopting a user journey orchestration process, is that it helps establish the trust needed to build long-lasting relationships with your customers.

Businesses can acquire more customers by using CIAM and progressive profiling to streamline the registration process and asking for information over time rather than forcing new customers to fill out a long sign-up form at the very beginning. Also, reducing friction during login when existing customers return to any digital property can help your business retain customers.

By enforcing appropriate security measures in every situation, CIAM shows your customers that you are a trustworthy steward of their accounts and personal data. This increases the likelihood of repeat business, reduces the risk of account abandonment, and acts as a disincentive for churn.

The post How CIAM safely orchestrates your customers’ journey and its benefits  appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

More and more, people are completing the entire real estate transaction process online. From searching for properties to signing documents, online convenience can make the process easier and more efficient. However, with all of this activity taking place on the internet, it is important to be aware of the potential security risks that come along with it. Here are the eight common cybersecurity issues that can arise during the purchase of real estate online and how you can protect yourself against them.

1. Cybercrime

This is, unfortunately, the world we live in – and it makes sense, given the large sums of money involved. Cybercriminals may attempt to hack into the system and gain access to private information. They may even try to interfere with the transaction process itself, delaying or preventing it from taking place at all.

To combat this threat, make sure you are using a secure online platform when completing the transaction and be sure to only provide personal information when necessary.

When you are completing a real estate transaction online, a lot of your personal information will be requested. This can include anything from your address and phone number to your bank account information. If this information is not properly secured, it could be at risk of being accessed by cybercriminals.

To keep yourself safe, it is important to know what to look out for. You should watch for the commonly attempted ways that remote real estate buyers might be targeted and understand what you should do in the event of a breach.

2. Data breaches

Buying real estate remotely involves a number of different tools, like online payment gateways and other web services. All of these tools can be vulnerable to data breaches, which means that hackers could gain access to your personal information stored on their servers. To protect yourself, research a service’s security standards before providing any sensitive information or look for an alternative if the security measures are inadequate.

Always make sure you are observing best practices during and after an online purchase, which include doing things like updating your passwords as appropriate and monitoring your credit cards for any suspicious activity. By following these tips, you can help ensure that your online real estate transaction is secure.

3.  Phishing scams

These are attempts to obtain your personal information by pretending to be a legitimate source and they are on the rise. Be sure to only provide your information on secure websites and look for signs of legitimacy, such as “https” in the web address or a padlock icon in the URL bar.

Phishing scams that target real estate buyers might include emails, text messages, and voicemails asking you to provide your credit card details or other personal information to make a purchase. Make sure to always look for signs of legitimacy before providing any sensitive information.

They might also include bogus emails from lawyers or other professionals with malicious links or attachments. Be sure to only open emails from verified sources and never click on suspicious links.

4. Malware threats

Malicious software can be used to steal your personal information, such as banking credentials and passwords, or to install ransomware that locks you out from accessing your own files. To protect yourself from malware, make sure to install trusted antivirus and anti-malware software on your computer. Additionally, make sure to always keep your operating system up to date with the latest security patches.

5. Identity theft

Identity theft is a growing problem online and can be especially dangerous for real estate buyers. Hackers may use stolen information to gain access to your bank accounts or other financial resources, making it important to protect all your personal information from potential thieves. Make sure to use secure passwords, avoid public Wi-Fi networks, and never provide sensitive information over email.

This is especially pressing in an age where people are so much more mobile and global than they ever have been. Real estate transactions can be conducted from airports, coffee shops and all manner of unsecured wireless networks, which demands extra vigilance when it comes to cybersecurity.

6. Website hacking

Hackers can also gain access to websites and steal information stored on them, including user data. To protect yourself from website hacking, make sure that the websites you use have strong security protocols in place. Additionally, look for signs of legitimacy such as a padlock icon in the URL bar and verify any third-party links or attachments before clicking on them.

If you are dealing with a real estate agent that uses a website, make sure it is secure and they have taken proper precautions to protect your data.

7. Social engineering attacks

Social engineering attacks are when hackers use psychological tactics to get you to reveal confidential information or take some sort of action. For example, they may send fraudulent emails that appear to come from a real estate agent asking for your personal details or credit card numbers. Make sure to always verify the source of any emails before taking any action.

The best way to identify a social engineering attack is to look for suspicious language, attachments, or links in the email. If anything looks out of the ordinary, it's best to delete the message and report it to your security provider.

You can always take extra steps to protect yourself, like using two-factor authentication when logging into accounts or working with a cybersecurity professional. By staying vigilant and taking proactive measures, you can help ensure that your online real estate transactions are secure.

8. Having weak passwords

Another common cybersecurity issue is having weak passwords. Make sure to use strong passwords when creating any accounts associated with your real estate purchase. You should also change your passwords on a regular basis and never reuse old passwords or share them with anyone else.

Using a password manager can also help you keep track of all your different passwords and store them in a secure place. If you're dealing with an agent, ask them to use strong passwords as well, and make sure that they keep all of your personal information safe.

Conclusion

Real estate transactions are increasingly taking place online, which can create potential security risks if proper precautions aren't taken. By following best practices and being aware of the common cybersecurity issues associated with purchasing real estate online, you can help ensure that your transaction is secure. With a bit of extra effort and knowledge, you can rest assured knowing that your online property purchases are safe and secure.

The post 8 Common Cybersecurity issues when purchasing real estate online: and how to handle them appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

“Why are you here if you cannot decrypt our data?” This is how people sometimes react to the arrival of the external incident response team. In this article, I will try to answer this question, but at the same time, I am going to describe the stages of incident response, list the main mistakes that play into the hands of hackers, and give basic advice on how to respond.

Let's start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For instance, some companies may consider incidents to include situations such as a power supply failure or a hard drive malfunction, while others may only classify malicious actions as incidents.

In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of an “undesirable event” is determined by each company's own interpretation and perspective.

For one organization, the discovery of a phishing email is what requires investigation. Other companies may not see the point in worrying about such incidents. For instance, they may not be concerned about a phishing email being opened on an employee device in a remote location not connected to the main infrastructure since it poses no immediate threat.

There are also interesting cases here. For example, online traders consider a drop in the speed of interaction with the online exchange by 1% to be a serious incident. In many industries, proper incident response steps and cybersecurity in general, cannot be overestimated. But if we are talking about serious incidents, then most often, these are events related to the penetration of an attacker into the corporate network. This annoys the vast majority of business leaders.

Incident response stages

While the interpretation of certain events as security incidents may vary depending on various factors such as context and threat model, the response steps are often the same. These response steps are primarily based on the old SANS standard, which is widely used by many security professionals.

SANS identifies six stages of incident response:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

It is important to note that the external response team is not immediately involved in this process.

Preparation

Preparation involves properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas:

• Inventory networks
• Build subnets correctly
• Use correct security controls and tools
• Hire the right people

All this is not directly related to the external response team and, at the same time, affects its work significantly. The response is based on preparatory steps. For example, it relies heavily on the log retention policy.

Each attack has its own dwell time – the time from an attacker entering the network until their activity is detected. If the attack has an extended dwell time (three-four months) and the logs are kept for seven days, it will be much more difficult for the investigation team to find the “entry point.” The required data will no longer be available. If such a situation arises, the response team can take action, but the likelihood of achieving a 100% successful outcome is significantly reduced.

Identification

This stage is entirely based on how well the preparation was done in the first stage. If everything is done correctly, there is a good chance that you will discover something in advance that can potentially lead to an unacceptable event.

Even primitive and basic steps can greatly increase the likelihood of early detection of a cyber threat. By building your own Security Operations Center (SOC) or engaging a capable third-party provider and implementing effective monitoring practices, you can greatly improve your chances of detecting potential security incidents. Careful preparation allows you to detect an attack in its early stages before the attacker has done any harm.

Ideally, the response process should be initiated at this stage. Alas, in practice, there are many cases when the sad consequences of an attack are the only thing due to which the incident is detected. Everything goes along the logical chain: preparation is terrible, detection and analysis fail, and an incident occurs. And the investigation, in this case, turns out to be a non-trivial task.

Containment

This stage is performed in close cooperation between the external response team and the customer. IT personnel often simply reboot computers before the external incident response team arrives. Yes, this is also a containment method, although not the most elegant.

The problem is that this deprives the response team of a lot of important data. And what is more important, it does not always work. Today hackers rarely use just one technique to achieve persistence. They usually employ Remote Desktop Protocol (RDP) for lateral movement, and stopping them is not always easy. Therefore, joint analytics are vital to understand which connection is legitimate and which is not. When the external response team and their customers work together closely, it becomes simpler to understand the situation and develop effective tactics to contain specific threats.

Eradication

At this stage, it is generally expected that the incident response team has already provided the customer with an incident analysis, including malware analysis, indicators of compromise, etc. A thorough process of scanning the network is in progress, followed by the removal of all detected anomalies.

Recovery

At this stage, a consistent and accurate restoration of the customer's IT systems is carried out. It implies not just recovering from backups but also the reactivation and testing of information security tools.

Usually, restoring protections is a fairly simple task. The fact is that attackers, as a rule, act just by bypassing protection mechanisms. They get administrative privileges and, if possible, “turn off” security solutions. Yes, hackers can use malware that interferes with Windows logging or disrupt Critical Event Management, but such cases are relatively rare.

Although not a common occurrence, some attackers may leave bookmarks to enable repeated attacks. It is vital to remain vigilant and check for such bookmarks, even in the case of a seemingly straightforward attack.

Lessons learned

It may seem that the incident response team's main task is to restore everything to its previous state, but this is a simplification. The response team is invited for a different purpose. Its tasks are to understand:

• The attack vector used by the hackers.
• The specific entry point used to gain unauthorized access to the IT systems.
• A detailed timeline of how the attack progressed.
• Identification of potential prevention measures that could have been implemented at different stages.
• Recommendations for addressing the root cause of the incident to prevent future attacks.

The answers help give better recommendations. For example:

• If the attack started with phishing, it is advised to set up an email sandbox, adjust spam filters, and train employees.
• If a vulnerability is to blame, changing the updatepatch and network monitoring procedures is recommended.

Why is the final stage so important? First, most attacks are not very inventive. Actually, they are formulaic. Therefore, you can draw conclusions from one attack and prevent a dozen similar ones.

Second, the hackers usually come back. Here is a real-life example. The IR team identified an entry point, studied that PC, and found that some files were encrypted a year before the incident. It turned out that the customers were aware but did not pay attention to the incident since the first time, it caused almost no damage. As a result, a second attack occurred through the same entry point. This time, hackers spent a little more of their time and encrypted everything and destroyed the entire domain.

Third, without adequate response procedures, it is impossible to enhance security awareness training and incident detection, which serve as the bedrock of a company's security system.

How to improve security

Basic knowledge is important

The basic things you probably already know about are already cool and very useful. Every year, thousands of companies fall victim to attacks due to the most banal reasons. The most common cases are the exploitation of unpatched vulnerabilities. The second common thing is phishing.

So, a significant number of potential security issues can be mitigated by prioritizing effective patch management, maintaining an accurate inventory of infrastructure, and providing staff with training in digital hygiene.

There are a lot of organizations that have already done all the basic things. However, it does not guarantee the complete absence of incidents. They can be recommended to run penetration tests. However, you need to “grow up” to this kind of thing. It makes no sense to conduct penetration testing when only 20% of the infrastructure is covered with Intrusion Detection and Response (IDRIDS) solutions.

Follow trends and industry reports

Numerous security reports and news can tell you what tools and attacks hackers use. This way, you can establish relevant security criteria for your company. The reports often provide specific recommendations on how to protect from a particular attack. One of the best sources for such information is MITRE ATT&CK Matrix.

Do not panic, and do not do rash things

A typical mistake is to reboot all the computers involved in the attack. Yes, there are urgent situations when this is crucial, but, if possible, please make copies of infected machines. This will enable you to preserve evidence for any subsequent investigation.

In general, do not act impulsively. Quite often, upon discovering encrypted files, employees immediately disconnect the power supply. This approach is akin to gambling. Nothing can be guaranteed after that. Yes, the encryption stops, and you can probably save several untouched files. On the other hand, such an abrupt stop corrupts the disc and data affected by the encryption process. Even if the security community comes up with a decryptor or you pay a ransom (which is not recommended), restoring data whose encryption has been interrupted may not be possible.

Contacting the experts

Is it possible to cope with an attack on our own? Yes, if you have well-established procedures. Mitigation efforts can be prioritized. It is not very difficult to protect mobile devices, implement multi-factor authentication, or set efficient patch management procedures. From a financial standpoint, relying on backups and minimizing recovery time can be an acceptable strategy. However, when it is essential to stop the attack promptly, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action – there are no alternatives – call the external response team.

The post Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks appeared first on Cybersecurity Insiders.