Category: Detect

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Recent trends show that car dealerships are becoming a prime target for cyber-attacks, partly due to the rise in autonomous and connected vehicles. This is in addition to more traditional attacks such as phishing. Therefore, car dealerships are urged to take measures to improve their cybersecurity. 

Throughout this article, we will focus on how to protect your car dealership from cyber-attacks, from technological solutions to raising staff awareness, and more. 

Why are car dealerships being targeted by cybercriminals?

Car dealerships collect a significant amount of data which is often stored on-site. This data includes things such as names, addresses, email addresses, phone numbers, and perhaps more importantly, financial information such as bank details and social security numbers. Gaining access to this database can be very lucrative for criminals. 

According to the Second Annual Global State of Cybersecurity Report by CDK Global in late 2022, 15% of all auto dealerships surveyed sustained a cyberattack that year, with 85% of the incidents occurring due to phishing specifically. The report also found that as customers move to a more mobile environment, dealerships will need to secure their desktops and mobile devices to protect against potential cyberattacks.

A cybercriminal’s life is made much easier if a car dealership uses outdated IT infrastructure and lacks sufficient processes in terms of protecting employee login details. 

How are car dealerships vulnerable to cybersecurity attacks?

Before we discuss how to protect your car dealership from a cyber-attack, it is important to know what makes a car dealership vulnerable, and what sort of attacks it could be subjected to. 

• Open Wi-Fi Networks – Many car dealerships have open Wi-Fi networks for their customers to use freely. However, this provides an opportunity for hackers who can potentially access other areas of the network that store sensitive data.
   
• Malware – Malware is possibly the most likely form of cyber-attack, targeting individuals within your organization with malicious email attachments that execute software onto the victim’s device. This software can then grant the attacker remote access to the system.
   
• Phishing – Phishing emails are much more sophisticated than they used to be, appearing much more legitimate, and targeting individuals within the company. If an email seems suspicious or is from an unknown contact, then it is advised to avoid clicking any links.
   
• User error – Unfortunately, anyone working for the car dealership, even the owner, could pose a risk to security. Perhaps using lazy passwords, or not storing log-in details in a safe place. This is why cyber security training is now becoming mandatory at most businesses. 

The consequences of cyber-attacks on car dealerships

If a small-to-medium-sized car dealership is the victim of a cyber-attack, then it can have a much bigger impact than just a short-term financial loss. Some smaller businesses that suffer a data breach may go out of business after such an event, losing the trust of their customer base, and failing to recover from the financial impact.

Research suggests that most consumers would not purchase a car from a dealership that has had a security breach in the past. Failing to prevent a cyber-attack and a criminal from gaining access to customer information is extremely detrimental to a business’s public image. 

How to protect your car dealership from cyber-attacks

Regardless of whether you already have security measures in place, it is always advised to assess how they can be improved and constantly be on the lookout for vulnerabilities within the organization. 

In this section, we will discuss how to improve cybersecurity within a car dealership, breaking down the process into three key stages. 

Stage one – Implementing foundational security

Establishing strong foundational security is key to the long-term protection of your business. When creating your foundational security strategy you should focus on seven main areas.

1. User permissions 

Ensure administrative access is only provided to users who need it as granting unnecessary permissions to standard users creates numerous vulnerabilities. Ensure that only the IT administrator can install new software and access secure areas. 

2. Multi-factor authentication 

Multi-factor authentication means more than just a traditional username and password system. Once the log-in details have been entered, users will also need to enter a PIN that can be randomly generated on their mobile phone, or issued periodically by the administrator.

For added protection, you could also implement a zero-trust strategy. 

3. Data backup recovery processes

The effects of ransomware attacks can be sometimes avoided if important files are regularly backed up, such as each morning. Once stored, there should also be procedures in place to quickly restore this data to minimize any downtime. 

4. Firewalls and other security software

Many car dealerships continue to use older firewall software and outdated security services. Newer, next-generation firewalls offer much more protection, securing even the deepest areas of the network while being more effective at identifying threats. 

5. Endpoint protection 

The endpoint refers to a user’s mobile device or computer that may be targeted by attacks such as phishing emails. Endpoint protection can help secure these devices, identifying malware and preventing it from spreading to other parts of the network.

As part of modernization efforts, some businesses are choosing to protect their phone systems by using a cloud solution.

6. Email gateways

Similar to the above, email and web scanning software is essential to protect data and business operations. This can identify threats and warn the user to prevent them from opening malicious links or opening suspicious attachments. 

7. Email training

Many businesses test their workforce by sending fake phishing emails to see how employees respond. If the correct actions are not taken, then the individual can be given cyber security training to raise their awareness so that they take appropriate action in the future. 

Stage two – security processes

Once all of the above has been assessed and the necessary course of action has been taken, it is time to think about the critical security processes that need to be implemented. These are vulnerability management, incident response, and training. 

1. Vulnerability management 

Firstly, an inventory of your assets (software and devices) needs to take place so you know what needs to be protected. Once this has been done, all software should be checked to determine if it has been patched with the latest update. 

Finally, vulnerability scans should be run on a monthly or quarterly basis. This can be done via penetration testing or an internal network scan. 

2. Incident response

Policies should be drafted in the case of an incident or data breach so the correct course of action can be taken in terms of contacting the necessary parties. Numerous people should also be trained to respond to an incident should a key individual, such as the IT manager not be present. 

Network analysis needs to take place immediately after an incident, whether this is in-house or externally. This is necessary for insurance purposes.

3. Training

Cybersecurity and Acceptable Use policies need to be created so everyone knows what needs to be done in the event of a breach and what their responsibilities are. This can be combined with thorough security training to increase awareness. 

Stage three – ongoing security activities

To ensure your business is protected at all times, it is vital that your IT team is on top of things and you do not rest on automated tasks and policies. 

Key activities include:

• Using an encrypted email solution
• Employing a VPN for remote workers to encrypt the connection
• Mobile device security, management, and protection 
• On-going monitoring, risk assessments, and sticking to best practices

Protecting your car dealerships from Cyber-attacks – summary

According to October, 2022 research from CDK Global, car dealerships are being targeted by cybercriminals who see them as an opportunity to steal sensitive information and financial details. This can be done in multiple ways including phishing scams and malware.

To tackle this, car dealerships should focus on three key areas: the business’ foundational security, implementing security processes, and performing key security activities on an ongoing basis.

The post How to protect your car dealership from cyber-attacks appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  

Most, if not all, industries are evolving on a digital level heading into 2023 as we take the journey to edge computing. But the automotive industry is experiencing technological innovation on another level. A rise in the production of connected vehicles, new autonomous features, and software that enables cars to self-park and self-drive are great examples of the digital evolution taking the automotive industry by storm. 

According to the AT&T 2022 Cybersecurity Insights (CSI) Report, 75% of organizations plan to implement edge security changes to help mitigate the kind of risks that affect cars, trucks, fleets, and other connected vehicles and their makers. And for a good reason.

These automotive features and advancements have offered cybercriminals an array of new opportunities when it comes to cyberattacks. There are several ways that threat actors are targeting the automotive industry, including tried and true methods and new attack vectors. 

In this article, you’ll learn about the top 8 cybersecurity threats facing the automotive industry heading into 2023 and what the industry can do to prevent threats. 

Automotive Cybersecurity threats

As autos increasingly come with connectivity features, remote threats are more likely. A recent report revealed that 82% of attacks against the automotive industry (including consumer vehicles, manufacturers, and dealerships) were carried out remotely. Plus, half of all vehicle thefts involved keyless entry. 

Automakers, dealers, and consumers play a role in automotive cybersecurity. But as the industry continues to adopt connected technologies, it will become increasingly important that organizations take a proactive approach to cybersecurity. 

When it comes to automotive threats, there are countless methods that hackers use to steal vehicles and driver information and cause problems with the vehicle’s functioning. 

Let’s explore the top 8 cybersecurity threats facing the automotive industry this year.

Keyless car theft

As one of the most prominent threats, keyless car theft is a major concern for the automotive industry. Key fobs today give car owners the ability to lock and unlock their doors by standing near their vehicle and even start their car without the need for a physical key. 

Autos enabled with keyless start and keyless entry are prone to man-in-the-middle attacks that can intercept the data connection between the car and the key fob itself. Hackers take advantage of these systems to bypass authentication protocols by tricking the components into thinking they are in proximity. Then the attacker can open the door and start the vehicle without triggering any alarms. 

EV charging station exploitation

Electric vehicles are becoming more popular as the globe transitions to environmental technologies. Charging stations allow EV owners to charge their vehicles in convenient locations such as public parking lots, parks, and even their own garages. 

When you charge an EV at a charging station, data transfers between the car, the charging station, and the company that owns the device. This data chain presents many ways threat actors can exploit an EV charging station. Malware, fraud, remote manipulation, and even disabling charging stations are all examples of ways hackers take advantage of EV infrastructure. 

Infotainment system attacks

Modern cars require over 100 million lines of code to operate. Most of that code goes into the vehicle’s firmware and software that allows navigation, USB, CarPlay, SOS functions, and more. These infotainment systems also provide criminals an open door to an automobile’s ECU, endangering lives and compromising control of the vehicle. 

There are many code vulnerabilities that manufacturers need to look out for, and as infotainment systems continue to become more complex and sophisticated, there will be even more vulnerabilities to uncover. 

Brute force network attack

Another common attack type that affects the automotive industry is the good old-fashioned brute force network attack. Many of the threats that face connected and automated vehicles and businesses in the automotive industry are similar to common cloud security threats, but that doesn’t make them any less damaging.

Brute force attacks are tried and true cyberattacks that target a network with the goal of cracking credentials. In the automotive industry, the brute force attack can have far-reaching impacts. Manufacturers, dealers, and owners can all become victims of this type of attack. When credentials become compromised, entire systems can easily become the target of sophisticated attacks that can end in faulty firmware, large-scale data leaks, and vehicle theft. 

Phishing attacks

Another way that hackers can obtain the credentials to enter a target network is through social engineering attacks such as phishing. The attacker will send automotive company employees an email where they pose as a trusted sender, complete with official-looking HTML and signature. Sometimes the attacker will ask for the credentials outright, but usually, attackers will place a link with malicious code in the email. 

When the receiver clicks the link, the malicious code is executed, and the cybercriminal can roam freely in the target system, access sensitive data, and perform further attacks from the inside. 

Compromised aftermarket devices

Insurance dongles, smartphones, and other third-party connected devices also pose a cybersecurity threat to the automotive industry. These aftermarket devices are connected directly to vehicle systems, offering hackers another way to launch an attack. 

This threat also leaves much to consider for those that want to buy a used car. Many people choose to sell or trade used cars through car dealerships, where consumers can find a deal on a previously owned vehicle. Connected devices can leave malware and backdoors in the auto’s system, putting the next owner at risk, too. 

Ransomware

Ransomware is one of the most pervasive threats in tech today. Unfortunately, the automotive industry is no exception. Ransomware is a significant threat to the vehicle industry, including OEMs, consumers, and dealers. 

A threat actor can hold an organization’s data hostage in exchange for a significant ransom. Without the right credit protection services, automotive businesses can find themselves in financial trouble. These attacks affect IT systems and operations and can cause expensive shutdowns.

Automotive supply chain attacks

The auto industry utilizes a complex supply chain to source the components that are used to build new vehicles, perform repairs, and provide services. This supply chain presents a huge risk to the industry, as each connected endpoint is a vulnerability waiting to happen. 

But supply chain attacks can trickle down to consumers as well. Updates containing malicious code can be pushed to connected cars, bad actors can compromise firmware, and malware can put supplier operations to a complete halt. 

How the industry can keep automotives secure

Cybersecurity should be a central goal throughout the automotive lifecycle. But it’s also important that automakers improve their cybersecurity expertise to monitor connected and automated vehicles on the road. 

The National Highway Traffic Safety Administration (NHTSA) recently released its recommended cybersecurity best practices for modern vehicles to help strengthen the underlying data architecture of vehicles and protect against potential attacks.

They say that the automotive industry should follow the cybersecurity framework from the National Institute of Standards and Technology (NIST) that focuses on five key functions: identify, protect, detect, respond, and recover. The NHTSA recommendations for vehicles are based on the NIST framework but written specifically for the automotive industry. 

And finally, the Federal Trade Commission (FTC) has also established regulations for connected and automated vehicles. Under the new Safeguards Rule, dealers are expected to meet cybersecurity compliance for their organizations and vehicles by June 2023. 

Final thoughts

Automotive manufacturers, sellers, consumers, suppliers, repairers, and all others in the industry play a critical role in improving the security of connected vehicles in 2023 and beyond. Learn more about how to defend your network from critical incidents. 

The post The top 8 Cybersecurity threats facing the automotive industry heading into 2023 appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers. 

Executive summary

Since mid-June 2022, AT&T Managed Extended Detection and Response (MXDR) Security Operations Center (SOC) observed an enormous number of attacks from Mirai botnet-C2 attempting to gain access to SSH servers instead of Telnet.

Due to the various tactics, techniques, and procedures (TTP) observed, this attack has been associated with RapperBot botnet (Mirai variants.) RapperBot’s goal is still undefined.

According to the analysis that was published by FortiGuard Labs, while the majority of Mirai variants can naturally brute force Telnet servers that use default or weak passwords, RapperBot in particular scans and attempts to brute force SSH servers that are designed to require password authentication.

A large part of the malware is executing an SSH 2.0 client which is able to connect and brute force any SSH server using Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. A unique characteristic of brute forcing in RapperBot is the use of SSH-2.0-HELLOWORLD in order to identify itself to the targeted SSH server during the SSH Protocol Exchange phase.

One of the malicious Mirai botnet IP addresses had allowed network traffic with an asset in an organization over SSH port 22. After some data transferring, the session closed with the client-reset action. The MXDR SOC team quickly identified and recommended mitigation steps to prevent lateral movement and the attacker going further.

Initial alarm review

Indicators of Compromise (IOC)

The alarm initiated with the multiple Open Threat Exchange (OTX)  pulses (Miraibotnet-C2- CDIR Drop List) and an OTX indicator of a known malicious IP. There was network traffic between the known malicious IP and a public IP of an internal asset in an organization. The network traffic was over SSH port 22, and the security system (firewall) action was a deny. The security system (firewall) deny action was evidence of the auto-mitigation. In this case, auto-mitigation means the attack is prevented by firewall rules and threat intelligence by denying the connection from malicious IP.

However, further analysis of the events showed that the traffic was allowed from the malicious IP to another internal asset. In addition to this, there were signs of data transfer from source IP with “sentbyte=1560, rcvdbyte=2773, sentpkt=15, rcvdpkt=13”

** Risk mitigation in Cybersecurity is the reduction of the overall risk/impact of cyber-attacks. Detection, prevention, and remediation are three components of risk mitigation in cybersecurity.

Expanded investigation

Events search

After checking events associated with the alarm, the team always checks the environmental security to see if the malware had further penetrated the environment or attempted any lateral movement.

The team searched events by pivoting on the indicator IP, filtering the past 90 days of events, and the security system (firewall) allowed action types. It was determined that there were a few connections from malicious IP to different internal assets with the client-rst, server-rst, timeout, and closed events.

Client-rst – Session reset by client, Server-rst – Session reset by server

These are usually session end reasons that show who is sending TCP (Transmission Control Protocol) reset and the session terminates – so this does not mean that a security system (firewall) is blocking the traffic. It means after a session is started between client-to-server, it is terminated by (client or server), depending on who sent the TCP reset. Session-end results can be found in traffic logs.

The team suspected that the system might be compromised because the session was reset from the client side (which is the adversary side.) It was then observed that the session was closed (terminated) with a large amount of packet transmissions.

Event deep dive

After further examination of the allowed connections, the malicious IP showed traffic with the customer security system (firewall) over SSH port 22. SSH port 22 uses a TCP connection. Therefore, before transferring data  it needs to establish a reliable connection with the 3-way handshakes.

In order to handshake the header (first two packets), TCP uses approximately 24 bytes and for normal transmission of packet about 20 bytes. Establishing a reliable connection with 3-way handshake needs just three packets to be transmitted. Establishing a connection: ~ 128-136 bytes.

Another observation is that the sent and received bytes with the packet size are indicators of data transferring due to the packets and bytes being bigger than normal packets and bytes of TCP 3-way handshake. This is believed to be an indication of a payload or compromised credentials.

Rapperbots work like an SSH brute-forcing campaign. After it has gained access on a device, it sends its architecture to the C2 server – the device’s IP, and the credentials used. Then the adversary tries to load the main payload binary on the compromised device via binary downloader or software like ftpget, wget, curl, or tftp, that is installed on the device.

Reviewing for additional indicators

At this point, the attacker tried to get “Initial Access (tactic)” into the network by using “Exploit Public Facing Application” technique based on the Mitre Att&ck Framework.

Exploit Public Facing Application is a technique which is used by adversaries to take advantage of vulnerabilities/weaknesses in a program or internet facing computer to gain Initial access to a network. In this case, even though there was evidence of data transfer, evidence of payload or lateral movement activity were not seen.

Response

Building the investigation

An investigation was created by following the incident response process. The investigation included identifying the incident, finding the root cause of the incident and Indicators of compromise. Then we made recommendations to the customer on mitigation/remediation steps. We communicated with the customer to ensure necessary actions are executed. Recommended mitigation steps were:

• Blocking the malicious IP
• Disabling SSH password authentication (if possible)
• Changing passwords to stronger passwords for the device.

Incident response is an organizationed approach and process to manage cybersecurity breaches/incidents or cyberattacks. It includes multiple steps:

• Identifying an incident/attack
• Minimizing damage
• Eradicating the root cause
• Minimizing recovery cost and time
• Learning lessons from the incident
• Taking preventative action

According to the analysis that was published by FortiGuard Labs, Rapperbot developers improved their code to maintain persistence, which differentiates it from other Mirai variants. Even after rebooting infected assets or removing malware, intruders can continuously access infected assets via SSH. Therefore, rebooting the device or removing malware Is not a permanent mitigation option.

The Rapperbot’s primary threat is brute forcing the credentials of SSH. By disabling SSH password authentication (if possible), or changing passwords to stronger passwords for the device, the Rapperbot mitigation can easily be done.

Customer interaction

The customer wanted to be kept in the loop and informed if the attack continues.

Limitations and opportunities

Limitations

In this investigation, MXDR was unable able to see inside the transmitted packets. As a result of the lack of visibility into the network flows in the environment, MXDR has limited access to the customer environment. However, MXDR suspected the data transfer could include the main payload binary on the compromised device.

The post Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations.

The alarm

One evening after normal business hours, an alarm came in indicating a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.

A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response tool (EDR) has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first.

The below image is for an alarm for malware which ended up being process automation software

but nonetheless was automitigated (process killed) by SentinelOne as shown in the log excerpt below.

The business impact

The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server the prior several months, since entering SOC monitoring.

The customer questioned why after several months with the SentinelOne agent running on the server did the agent suddenly believe the software package was malicious. We were not able the answer the question specifically since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is a proprietary logic.

What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is the pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades.

Taken as a whole, it means any endpoint being protected is a very dynamic battleground with the potential for an updated software package that did not trigger IOC rules yesterday triggering tehm today. Or a non-updated software package may suddenly be identified as potently malicious due to updated machine learning IOC behavior analysis. Remember when JNDI calls were considered benign?

Lessons learned

Just as we learn the CIA security triad is a balancing act between confidentiality, integrity and availability, there is a balance to be struck between the use of immediate automated response actions and the slower reasoning of human evaluation prior to response actions. An EDR solution will immediately and infallibly carry out the policy which it has been programmed to implement, but in a ruthless fashion. A human evaluation will take longer, but it can consider prior history, the validity of the triggering IOCs in context, and the nuances of how selecting one response action over another might impact your overall business.

Automation, machine learning, artificial intelligence, and the like have their place. Their benefits will no doubt increase as technology develops. But the human component will always be necessary. The MXDR SOC and our customers (being the humans that we are) must work together to define the critical assets and business processes that should never be touched by automated intrusion. We must also work together to find the space in your environment where those swift and ruthless automated response actions are an advantage. And it is a very human decision to conclude how much risk we can tolerate in each implementation.

The post Stories from the SOC  – The case for human response actions appeared first on Cybersecurity Insiders.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's “redundant code injection mechanism” is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware.

One of the ways that GuLoader evades detection is through its use of legitimate websites and services such as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious.

Also, GuLoader has also been observed using JavaScript malware strain RATDispenser to drop the malware via a Base64-encoded VBScript dropper. This allows the malware to bypass security measures and gain access to infected systems.

About Perimeterwatch

The post GuLoader – a highly effective and versatile malware that can evade detection appeared first on Cybersecurity Insiders.

Manufacturers are some of the most ambitious firms on the planet when it comes to harnessing the power of edge technology to modernize their businesses. As they make plans in 2023 to     enhance business outcomes through the use of technologies such as 5G and IoT, manufacturers should also increasingly be called to innovate in the spheres of governance and cyber risk management.

OT-IT convergence drives manufacturing modernization

The convergence of operational technology (OT) on the factory floor with information technology (IT) is nearly synonymous with manufacturing modernization. OT-IT convergence enables new digital processes, remote connections, and smarter operations. It's a business outcome-oriented transformation that executive stakeholders have future success pinned upon.

Recent studies from AT&T show that manufacturers are investing in initiatives  such as smart warehousing, transportation optimization and video-based quality inspection at such a rate that the industry is advancing ahead of energy, finance, and healthcare verticals when it comes to edge adoption today.

But to reap the business benefits from these investments, manufacturers need to recognize and attend to the cyber risk realities that are part and parcel with this inevitable convergence.

Cybercriminals are increasingly targeting industrial control system (ICS) technologies that are the bedrock of the OT ecosystems. Attackers have learned to take advantage of ICS hyperconnectivity and convergence with the IT realm to great effect. Last year's warning from the federal Cybersecurity and Infrastructure Security Agency (CISA) attests to this, as do high-profile attacks last year against tire manufacturers, wind turbine producers, steel companies, car manufacturers, and more.

Reducing risk through Zero Trust

One of the most promising ways that manufacturers can begin to reduce the risk of these kinds of attacks is through the controls afforded by a Zero Trust architecture. From a technical perspective, Zero Trust unifies endpoint security technology, user, or system authentication, and network security enforcement to prevent unrestrained access to OT or IT networks—and reduce the risk of unchecked lateral movement by attackers. With Zero Trust, access is granted conditionally based on the risk level of users (or machines, or applications). It's a simple, elegant concept that requires careful execution to carry out.

Thus, when looking at building a zero-trust strategy, ZTNA 2.0 solutions have a role to play in helping apply more effective controls at the application level that are responsive to account takeover attempts. ZTNA 2.0 combines fine-grained, least- privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere – all from a simple unified product.

Most importantly, too, is that Zero Trust requires business stakeholder input and collaboration to get right. Just as business stakeholders in manufacturing drive the push to the edge and the push for all nature of digital transformation and OT-IT convergence, they've got to be intimately involved with Zero Trust initiatives to spur success.

“Technology can come and go, but what manufacturers are really after are business outcomes,” says Theresa Lanowitz,  head of cybersecurity evangelism for AT&T. “That's where we need to focus when it comes to Zero Trust—at its core it needs to be driven by the business, which really sets the North Star for Zero Trust governance.”

Zero Trust should be owned by business stakeholders

At the end of the day, Zero Trust projects should be owned by the business, agrees Dharminder Debisarun, worldwide industry security architect for manufacturing, Internet of Things and transport at Palo Alto Networks, who says that when his group is approached by manufacturers interested in building out Zero Trust infrastructure, the team always turns conversations back to the business basics.

“People bring us in and say 'We want to do Zero Trust, how can you help?'” Debisarun says, explaining that they're usually starting with very technical deployment questions about elements like Secure Access Service Edge (SASE) and remote access management. “We usually take a step back then and ask, 'Why do you want to do Zero Trust? What's the business goal for it?'”

Similarly, Debisarun says they try to involve business stakeholders into collaborative risk discussions before getting into the meat of architectural design. That step back will hopefully get a manufacturer focused on doing risk assessments and other business alignment activities that will shape the way risk is managed—based on business goals, rather than narrow technical specifications. It will also get the entire team thinking about how the value of OT and IT assets are determined and establish the roadmap for where and how Zero Trust security technologies are deployed over time.

Business stakeholders have the most prescient and intimate knowledge of the emerging business conditions, regulatory demands, partnership agreements, and supply chain considerations that are going to impact risk calculations. This is why business ownership is the cornerstone and foundation for Zero Trust governance.

When manufacturers direct the security team with an eye toward  business outcomes, these technical executors are less likely to take a tools-only approach to technology acquisition to engage in reactionary spending based on the latest breach headlines. Incremental improvements will be built up around security controls that manage risk to the most critical operational processes first, and also around the processes and systems most put at risk by new innovations and business models.

The post Governance of Zero Trust in manufacturing appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

A radius server uses a network protocol for remote user authentication and authorization. It is a client/server protocol that allows a remote user to access a network using a shared secret (usually a password). RADIUS servers are typically located on the perimeter of a network and use port 1812 (UDP) or 1645/1813 (TCP).

RADIUS was originally developed by Livingston Enterprises, Inc. in 1991. It is now an IETF standard (RFC 2865). The following are the most important things to know about RADIUS server authentication.

•  RADIUS is a remote authentication dial-in user service

It was developed to provide centralized authentication, authorization, and accounting management for networked devices such as routers and switches.

What does dial-in refer to here? Dial-in is a type of authentication that allows a user to connect to a network remotely using a phone line or other connection. RADIUS servers are used to manage user access to a network. They can be used to control who can access the network, what services they can use, and how much bandwidth they can consume.

•  RADIUS is an alternative to TACACS and is often used in conjunction with TACACS+ for authentication and authorization

The reason for this is that RADIUS is typically used for remote access, while TACACS+ is usually used for device administration. While both protocols can be used for both purposes, RADIUS is usually the preferred protocol for remote access.

•  A RADIUS server typically uses UDP port 1812 (or TCP port 1645/1813) to communicate with clients

RADIUS servers typically listen on UDP port 1812 (or TCP port 1645/1813). When a RADIUS client sends a request to the server, it includes the secret key in the request. The server uses this key to authenticate the client and authorize the request.

RADIUS is a client/server protocol, which means that each RADIUS client must have a corresponding RADIUS server. A RADIUS client is typically a network device such as a router or switch. A RADIUS server is a computer that runs the RADIUS software and manages user access to the network.

What this means is that for a user to be able to access the network, they must first authenticate with the RADIUS server. The RADIUS server then authorizes the user's access to the network and controls what services they can use.

•  RADIUS uses a client/server architecture

The RADIUS server is responsible for authenticating users and maintaining their account information, while the RADIUS client is typically a network device that forwards authentication requests to the server. The reason this distinction matters is that it allows the server to be centrally located and managed, while the clients can be distributed throughout the network. This architecture also makes it possible for the server to authenticate users against multiple databases, such as an LDAP server or a local file.

The implications of this are that if the server goes down, the entire network will be unavailable to users. This is why it is important to have redundant RADIUS servers in a production environment.

•  A RADIUS server can authenticate users against multiple databases

RADIUS supports multiple authentication methods, including PAP, CHAP, MS-CHAP, and EAP. PAP is the simplest authentication method and sends the username and password in clear text. CHAP encrypts the password but sends it over the network in plain text. MS-CHAP encrypts both the username and password. EAP is a more secure authentication method that uses digital certificates.

•  RADIUS uses UDP for transport

RADIUS uses UDP as its transport protocol. UDP is a connectionless protocol, which means that each packet is sent independently and does not require a connection to be established beforehand. This makes RADIUS very scalable, as it can support a large number of clients without requiring a lot of resources on the server.

It matters that RADIUS uses UDP for transport because UDP is a less reliable protocol than TCP. This means that RADIUS packets can be dropped or lost in transit. However, this is usually not a problem because RADIUS uses retransmission and error checking to ensure that packets are delivered reliably.

•  The RADIUS server must have a shared secret with the clients

The RADIUS server and clients must have a shared secret, which is used to encrypt and decrypt packets. This shared secret is typically a password or phrase that is known only to the server and clients. Without the shared secret, an attacker would not be able to read or modify the packets being exchanged between the server and clients.

•  RADIUS uses Access-Request and Access-Accept packets

When a client sends an authentication request to a RADIUS server, it does so using an Access-Request packet. The server then responds with an Access-Accept or Access-Reject packet, depending on whether the authentication was successful. If the authentication was successful, the server will also include an Access-Challenge packet, which contains a challenge that the client must answer to prove its identity.

•  RADIUS can be used for AAA

RADIUS can be used for AAA, which stands for Authentication, Authorization, and Accounting. Authentication is the process of verifying a user's identity, authorization is the process of determining what resources a user is allowed to access, and accounting is the process of tracking and billing for a user's usage.

AAA is a common security model that is used to control access to network resources.

•  RADIUS is standardized by the IETF

RADIUS is a standards-based protocol, which means that it is defined by an Internet Engineering Task Force (IETF) specification. The most recent version of the RADIUS specification is RFC 2865, which was published in June 2000.

•  RADIUS is commonly used by ISPs

RADIUS is commonly used by Internet service providers (ISPs) to authenticate and authorize users who are trying to access the internet. RADIUS is also used by corporate networks to authenticate and authorize users who are trying to access the network.

•  There are a few different RADIUS implementations

There are a few different RADIUS implementations, including FreeRADIUS, Microsoft NPS, and Cisco ACS. FreeRADIUS is the most popular open-source RADIUS server. Microsoft NPS is the RADIUS server included in Windows Server. Cisco ACS is a commercial RADIUS server from Cisco Systems.

Conclusion

These are the most important things to know about RADIUS server authentication. RADIUS is a critical part of many network security systems, and understanding how it works is essential for anyone who is responsible for managing a network.

The post RADIUS server authentication: Old but still relevant appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

When strategizing a security approach for the coming year, many solutions will cross a CISO’s desk, all useful in covering some part of the network. Organizations must scrutinize every layer and each solution to make sure their security stack runs efficiently while still boasting a Defense-in-Depth approach. There cannot be an overload of alerts, the learning curve must be worth the cost, and all solutions must integrate with each other. Not surprisingly, the search can be tedious, complex, and confusing.

Broadly speaking, cybersecurity defends the network and the devices on that network. Both are key and must be protected. Endpoint security and response includes “not only the automated monitoring and detection of threats on the endpoint, but also a combination of autonomous and manual investigation, remediation, and response.” While not every tool will make the cut, here are seven reasons why Endpoint Detection and Response (EDR) should not be ignored.

1. Cybercriminals aren’t ignoring endpoints. It’s not surprising that in a recent study, 76% of IT decision-makers reported their company use of endpoint devices has gone up. This can include workstations, servers, tablets, smartphones and a host of IoT devices like cameras, smart speakers, and lighting. However, it is equally unsurprising that bad actors have capitalized on this gain, and consequently, 79% of IT teams have seen a rise in endpoint-related security breaches.
2. The cyber talent crisis creates the need for autonomous response on the endpoint. With an increase of both endpoints and endpoint-related attacks, a proportional increase in endpoint security measures is needed; unfortunately, the ongoing cyber talent deficit hamstrings those efforts and makes whatever qualified cybersecurity experts are available difficult to attain for many small to medium-sized businesses. Endpoint security solutions use automatic investigation and monitoring techniques to spot threat 24/7/365 and often respond autonomously to mitigate them. This cuts back significantly on the work remaining for already-strapped security teams to do.
3. EDR offers cloud-based security for end-user devices. One of the primary security problems facing fast-expanding, digitally native, and mid-transition companies is how to secure both on-premises and cloud-based assets. Endpoints, while not in the cloud, connect to it and bad actors can use vulnerabilities in device software to pivot to the rest of your network. State of the industry endpoint security platforms can deploy patches and run reboots from the cloud and offer enterprise-wide centralized cloud management.
4. Remote device security trends downward as workers mix personal with professional. The rise of BYOD has been significant and ubiquitous in the wake of the remote-work migration, and a study by Gartner revealed that over 50% of workers used their own laptop or smartphone for work activity. Interestingly, a Ponemon study indicated that 67% of respondents reported that personal mobile devices have negatively impacted their company’s security posture, and 55% cite smartphones as the most vulnerable endpoint in their organization.
5. EDR secures email. As many as 91% of all breaches begin with a phishing email. Email servers are a widely exploited endpoint. Endpoint security solutions can clean email messages before they reach the network, isolate and investigate links, and alert users when sensitive data is about to leave the organization.
6. Firewalls are not foolproof. While having a firewall is a best practice, it only represents one part of a defense-in-depth approach. Firewalls are susceptible to misconfiguration, and their signature-based policies miss new exploits that recompile their code or use fileless malware. Additionally, freshly spun-up domains can cause many malicious sites to slip by undetected, and the popularity of this method is rendering firewalls even more ineffective. Not having an additional layer of defense directly on the endpoint device can be problematic as these trends continue.
7. EDR can proactively prevent zero days from entering your network. Macros used to be the loose cannon of inboxes, infecting the victim device directly upon opening. While Macros are largely disabled by default now, malicious code (largely HTML) still lurks in attached documents that only require a bit of social engineering to get the user to click. By sandboxing email attachments and vetting them for safety prior to opening, email security tools can prevent zero days from detonating on your network.

Remote work leaves endpoints more exposed than ever, vulnerable to human error and consumer-side attacks. Cybercriminals continue to target firmware, and the shortage of qualified cybersecurity professionals can leave various parts of the network at risk. Struggling SOCs can offload some of the burden of network monitoring as EDR solutions autonomously investigate and respond to incidents on the endpoint. Next-generation EDR tools can aid ongoing security measures by collecting data at the source.

Keeping EDR an integral part of a Zero Trust security strategy will be ever more imperative as time goes on and threats continue to evolve. Cybercriminals aren’t lessening their attention to the endpoint, so organizations shouldn’t either.

The post 7 reasons why Endpoint Security and Response shouldn’t be ignored appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In a world where you can scan the veins in your hand to unlock a smartphone, how do you maintain control over personal data? Biometric authentication, the use of distinctive human features like iris patterns, fingerprints and even gait in lieu of a password, is gaining ground in the tech world.

Proponents tout its inherent, hard-to-replicate qualities as a security benefit, while detractors see the same features as an invasion of privacy. Both sides may be right.

The problems with biometrics

Unlike a password, you can’t forget your face at home. But also, unlike a password, you can’t reset your face — meaning you’re out of luck if someone steals a photo of it.

In 2016, a biometrics researcher helped investigators hack into a murder victim’s phone with only a photo of the man’s fingerprint. While security systems are getting more advanced all the time, current technology also allows cybercriminals to run wild with a single piece of biometric data, accessing everything from laptop logins to bank accounts.

By its very nature, biometric authentication requires third parties to store biometric data. What happens if the information is exposed?

In addition to potential hacking, breaching people’s personal data might reveal something they’d rather keep private. Vein patterns could reveal that a person has a vascular disorder, raising their insurance premiums. Fingerprints could expose a chromosomal disease.

True, people give this same information to their doctors, and a medical data breach could have the same repercussions. But handing off biometric data to a commercial company — which isn’t bound by HIPAA or sworn to do no harm — is a much grayer area.

Another issue that occasionally plagues biometric authentication is injuries and natural bodily changes. A single paper cut can derail a fingerprint scanner, and an aging eye throws iris scanners for a loop. People will have to update their photos every few years to remind the system what they look like.

Some facial recognition programs can even predict how long a person will live. Insurance companies have expressed interest in getting hold of this data, since the way a person ages says a lot about their health. If stolen biometric data fed into an algorithm predicts a person won’t make it past 50, will their employer pass them up for a promotion?

In the event of an accident, your family won’t easily be able to access your accounts if you use biometric authentication, since it’s not as simple as writing down a list of passwords. Maybe that’s a good thing — but maybe not.

Another ethical dilemma with biometric data use is identifying people without their consent. Most people are used to being on camera at the grocery store, but if that same camera snaps a photo without permission and stores it for later retrieval, they probably won’t be too happy.

Some people point out that you have no right to privacy in a public space, and that’s true — to an extent. But where do you draw the line between publicity and paparazzi? Is it OK to snap a stranger’s photo while you’re talking to them, or is that considered rude and intrusive?

The benefits of biometric data

Of course, no one would be handing off a photo of their face if the technology was good for nothing.

It’s quick, easy, and convenient to log into your phone by putting your thumb on the home button. Though it’s possible for a hacker to find a picture of your thumbprint, they’d also have to snag your phone along with it to log in, essentially having to bypass a two-factor authentication system. Who has time for that just to steal a reel of cat photos?

Hackers also can’t brute-force their way into guessing what your face looks like. Letter and number combinations are finite, but the subtle variations of the human body are limitless. Nobody can create a program to replicate your biometric data by chance. Consequently, biometric authentication is an extremely strong security measure.

Police can also use biometric analysis to get criminals off the streets. Unlike a human with questionable accuracy, a camera is a reliable witness. It’s not perfect, of course, but it’s much better than asking shaken crime victims for a description of who mugged them. Smart cameras equipped with facial recognition can prevent wrongful detainments and even acquit people who would otherwise languish in jail.

The flip side is that facial recognition does occasionally get it wrong — people have been arrested for crimes they didn’t commit thanks to camera footage of a lookalike. As camera technology improves, hopefully the incidence of people being wrongfully accused will lessen. But for the few outliers who still get misidentified, the consequences can be grave.

Facing the facts

Ultimately, people will have to decide for themselves if they’re comfortable using biometric technology. You probably won’t encounter any problems using biometric authentication to access your phone or laptop, and it can vastly improve your security. The bigger ethical debate is in how third parties can use publicly available data — whether legal or leaked — to further their own gains. In the meantime, just know that your face is probably already in a database, so keep an eye out for doppelgangers.

The post The ethics of biometric data use in security appeared first on Cybersecurity Insiders.

Website defacement

Websites are central to business operations but are also the target of various cyber-attacks. Malicious hackers have found several ways to compromise websites, with the most common attack vector being SQL injection: the act of injecting malicious SQL code to gain unauthorized access to the server hosting the website. Once on the server, the hacker can compromise the target organization's website, and vandalize it by replacing the original content with content of their own choosing. This criminal act is referred to as website defacement. See Figure 1 for examples of past website defacements.

Figure 1. Examples of past website defacements.

While the act of vandalizing a website may seem trivial, it can be devastating for the victimized entities. If an e-commerce site is publicly compromised, for example, they suffer direct and indirect financial loss. The direct losses can be measured by the amount of revenue that would have been generated had the website not been compromised, and by the time and money spent to repair the damaged site. Indirect losses occur because of reputational damage. Potential customers may be deterred from providing their banking information to an organization portrayed and perceived as incapable of protecting their assets.

Threat actors

Unlike most forms of hacking, website defacement has a public facing component. Assailants are eager to get credit for their success in compromising websites and are notorious for bragging about their exploits across various platforms, including general social media (e.g., Facebook, Twitter, Youtube, etc.) and hacking specific sites. The most popular platform on which hackers report successful defacements is Zone-H. Users of the platform upload evidence of their attack, and once the attack is verified by the site’s administrators, it is permanently housed in the archive and viewable on Zone-H’s webpage. Zone-H is the largest hacking archive in the world: over 15 million attacks have been verified by Zone-H thus far, with over 160,000 unique active users. The archive, as depicted in Figure 2, includes the hackers’ moniker, the attacked website's domain name, and an image of the defacement content (resembling the images depicted in Figure 1).

Figure 2. Zone-H: The largest hacking archive in the world.

Hackers tend to use the same moniker across platforms to bolster the reputation and status of their online identity, which allows for the gathering of digital artifacts and threat intelligence pertinent to the attack and attacker, respectively. Indeed, we have been systematically gathering data on active malicious hackers who report their successful defacements to Zone-H since 2017 and, in doing so, have uncovered several interesting findings that shed light on this underground community. For example, and in direct contrast to Hollywood’s stereotype of the lone actor, we observed an interconnected community of hackers who form teams and develop their skills through collaboration and camaraderie. We also found variation in hackers’ attack frequency: some hackers are extremely prolific and can be classified as persistent threats, while others only engage in a few attacks before disappearing. These findings served as motivation for this study.

Criminal trajectories           

Recently, we built an analytic model capable of predicting which new hackers will become persistent threats at the onset of their criminal career. The study began by identifying 241 new hackers on the Zone-H archive. We then tracked each of these hackers for one year (52 weeks) following their first disclosed website defacement. We recorded their total number of attacks, extracted and analyzed content from their defacements, and gathered open-source intelligence from a litany of social media and hacking sites. In total, the 241 hackers in our study defaced 39,428 websites within the first year of their hacking career. We identified 73% of our sample on a social media site and found that 50% also report their defacements to other hacking archives. Finally, we extracted and analyzed the content of each new hacker's first defacement and found that 39% of hackers indicated involvement with a hacking team, 12% posted political content, and 34% left their contact information directly on the compromised site. 

To plot trajectories, we had to first disaggregate the dataset to determine whether each of the hackers in our sample defaced at least one website each week for the 52 weeks following their first defacement. Upon completion, we employed latent group-based trajectory modeling to determine if, and how many, unique criminal trajectories exist. Results are presented in Figure 3. We found that new hackers follow one of four patterns: low threat (28.8%), naturally desisting (23.9%), increasingly prolific (25.8%), and persistent threat (21.5%). Hackers classified as low threat (blue line) engage in very few defacements and do not increase their attack frequency within one year of their first attack. Those labeled as naturally desisting (red line) begin their careers with velocity, but this is short-lived. Conversely, those classified as increasingly prolific (green line) engage in more attacks as they advance in their criminal careers. Finally, those deemed as persistent threats (yellow line) begin their careers with velocity and remain prolific. To our knowledge, we are the first to plot the trajectories of new malicious hackers.

Figure 3. The one-year trajectory of new malicious hackers.

After plotting the trajectories, we employed a series of regression models to determine if open-source intelligence and digital artifacts can be used to predict the evolution of a new hacker's criminal career. Contrary to our expectation, we found politically driven hackers are at an increased odds of naturally desisting. While these hackers may engage in a high number of attacks at the onset of their career, this is short-lived. We suspect eager new hacktivists simply lose sight, or get bored, of their cause. Conversely, new hackers who post their contact information directly to the compromised site are at a decreased odds of naturally desisting. Tagging a virtual crime scene with contact information is a bold move. We suspect these hackers are rewarded for their boldness and initiated into the hacking community, where they continue defacing websites alongside their peers.

Different patterns emerged when predicting who will become a persistent threat. We found that social media engagement and reporting defacement activity to other platforms increase the odds of being a persistent threat. This may boil down to commitment: hackers committed to building their brand by posting on multiple platforms are also committed to building their brand through continual and frequent defacement activity. The most interesting, yet also intuitive, patterns emerge when predicting who will become increasingly prolific. We found that hackers who report to other platforms and indicate team involvement engage in more attacks as they progress in their career. Joining a hacking team is a valuable educational experience for a new hacker. As a novice hacker learns new skills, it is no surprise they demonstrate their capabilities by defacing more websites.

Taken together, these findings offer insight into the development of proactive cybersecurity solutions. We demonstrate that open-source intelligence can be used to predict which hackers will become persistent threats. Upon identifying high-risk hackers, we believe the next logical step is to launch early intervention programs aimed at redirecting their talent toward something more constructive. Recruiting young hackers for cybersecurity positions could create a safer cyberspace by filling the nation’s skills shortage while simultaneously removing persistent threat actors from the equation.

Acknowledgements

This work was conducted alongside several members of the Evidence-Based Cybersecurity Research Laboratory. We thank Cameron Hoffman and Robert Perkins for their continual involvement on the hacking project. For more information about our team of researchers and this project visit https://ebcs.gsu.edu/. Follow @Dr_Cybercrime on Twitter for more cutting-edge cybersecurity research.

The post Predicting which hackers will become persistent threats appeared first on Cybersecurity Insiders.