In late July 2018, the Department of Homeland Security (DHS) announced the creation of the National Risk Management Center, a new organization dedicated to evaluating threats, particularly potential hacking against U.S. critical infrastructure. According to news reports, the center will initially narrow its focus to the energy, finance, and telecommunications sectors. The initiative is designed to improve risk assessment across the critical infrastructure sectors and to serve as the primary “one-stop shop” helping private companies manage their cyber security risks.
Coinciding with this announcement is the Congress-led “DHS Cyber Incident Response Teams Act of 2018,” which seeks to create permanent incident response and threat hunting teams within DHS. The bill further empowers DHS to improve cyber security by fielding trained professionals to mitigate and remediate cyber incidents affecting Federal entities and critical infrastructure entities. It passed the House of Representatives on March 19, 2018 and now goes to the Senate for consideration.
In August 2013, the American Institute of Aeronautics and Astronautics (AIAA), the professional society for the field of aerospace engineering, convened a civil aviation conference at which cybersecurity was discussed at an industry level. Following the conference, which was attended by foreign carriers, AIAA published “A Framework for Aviation Cybersecurity,” which laid out a strategic path forward by identifying key focal areas: common aviation cybersecurity standards, developing and implementing a cybersecurity culture, understanding cyber risks and communicating them to bolster situational awareness, and strengthening the defensive system. Since then, several international conferences on aviation cyber security have been held.
Given the global nature of civil aviation, the framework is an important document, addressing many of the concerns that affect the international civil aviation community.
Organizations invest a significant amount of time and resources building, implementing, improving, and measuring security controls. Breach simulation systems greatly facilitate this process, which until now was performed mostly by manual means (penetration testing).
Gartner estimated that global spending on information security rose well above $80 billion by the end of 2016. Through 2020, the highest growth is expected to come from security testing, IT outsourcing and data loss prevention (DLP). Yet many professionals feel that technology sprawl is hampering their efficiency more than helping it. The problem isn’t a lack of tools; it’s that the industry is over-investing in a diversity of complex and unwieldy solutions.
A typical medium to large organization invests in at least 35 different security technologies and hundreds of devices, which are potentially effective but are trapped in silos that limit their capabilities.
What are breach simulation technologies?
A secure network architecture should follow a defense-in-depth philosophy and be designed with multiple layers of preventive controls. While preventive controls are ideal, detective controls are a must: there is no way to prevent every attack, and sometimes preventive controls fail. A firewall may block certain traffic from entering the network, but if unauthorized traffic somehow subverts that control, it will go unnoticed unless logs are collected and reviewed in order to detect the attack. For this reason, a comprehensive defense-in-depth architecture must include detective controls that monitor and alert on anomalous activity. Detecting intrusions is not accomplished by deploying a single piece of technology. A well-defined breach and attack simulation exercise program lets an organization confirm that it can identify malicious or anomalous traffic on its network and determine how analysts should respond to it (Critical Security Control 20: Penetration Tests and Red Team Exercises). When performing this kind of test, it is important to generate traffic that mimics current attack methods.
New services have emerged that help organizations do just that: assess the effectiveness of security procedures, infrastructure, and techniques, and find vulnerabilities, using a breach and attack simulation (BAS) platform. Such simulations test the organization’s exposure to, for example, ransomware, (spear) phishing and whaling attacks, or users clicking on malicious banners and links on websites.
These platforms let organizations run continuous, on-demand cybersecurity simulations at any time without affecting production systems. Delivered as Software-as-a-Service (SaaS), a BAS platform simulates multi-vector, internal or external attacks that target the latest vulnerabilities, including those being exploited in the wild. The simulated attacks expose gaps, allowing the organization to determine whether its security architecture provides the right protection and whether its controls are properly configured. Overall, breach and attack simulation platforms have become a powerful tool in the security team’s arsenal.
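The following Python harness is an added example (not code from this post or from any BAS vendor) showing the mechanics described above in miniature: each scenario replays the telemetry a simulated attack step would leave behind, and the harness reports whether that log source is actually being collected and whether any detection rule fires. A scenario whose telemetry is never shipped to the SIEM is reported as “blind”, which is exactly the failure mode of a bypassed preventive control with nobody watching. All log lines, hostnames, addresses, rule names and the ATT&CK mappings are constructed for the example.

```python
"""Minimal breach-and-attack simulation harness (added example, not a
vendor product). Every log line, host, address and rule is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    technique: str                                 # assumed ATT&CK mapping
    events: list = field(default_factory=list)     # (log_source, raw_line)


@dataclass
class Rule:
    name: str
    source: str                                    # log source the rule reads
    pattern: re.Pattern

    def matches(self, source, line):
        return source == self.source and self.pattern.search(line) is not None


# Detection content the blue team claims to have. Patterns are deliberately
# simple; a production SIEM rule would be more precise.
RULES = [
    Rule("encoded-powershell", "windows-security",
         re.compile(r"powershell\.exe.*\s-(enc|encodedcommand)\s", re.I)),
    Rule("lsass-handle-access", "sysmon",
         re.compile(r"EventID=10 .*TargetImage=\S*\\lsass\.exe", re.I)),
    Rule("outbound-uncommon-port", "firewall",
         re.compile(r"action=ALLOW .*dir=out .*dport=(4444|1337|8443)\b")),
]

# Simulated attack steps and the telemetry each one produces (constructed).
SCENARIOS = [
    Scenario("T1059.001 encoded PowerShell", "T1059.001", [
        ("windows-security",
         'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
         'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"'),
    ]),
    Scenario("T1003.001 LSASS memory access", "T1003.001", [
        ("sysmon",
         'EventID=10 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe '
         'TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1010'),
    ]),
    Scenario("T1571 non-standard port C2", "T1571", [
        ("firewall",
         'action=ALLOW dir=out src=10.0.5.21 dst=203.0.113.7 proto=tcp dport=4444'),
    ]),
    Scenario("T1021.004 lateral SSH as root", "T1021.004", [
        ("linux-auth",
         'sshd[2211]: Accepted password for root from 10.0.5.21 port 51522 ssh2'),
    ]),
]


def run_simulation(scenarios, rules, collected_sources):
    """Return {scenario name: {"technique", "status", "rules"}}.

    status is "detected" (a rule fired), "blind" (the telemetry exists but the
    log source is not collected, so no rule could ever see it) or "missed"
    (collected, but no rule matched).
    """
    results = {}
    for sc in scenarios:
        fired, blind = [], False
        for source, line in sc.events:
            if source not in collected_sources:
                blind = True            # control bypassed and nobody is looking
                continue
            fired += [r.name for r in rules if r.matches(source, line)]
        status = "detected" if fired else ("blind" if blind else "missed")
        results[sc.name] = {"technique": sc.technique, "status": status, "rules": fired}
    return results


def coverage(results):
    """Fraction of simulated techniques that produced at least one alert."""
    detected = sum(1 for r in results.values() if r["status"] == "detected")
    return detected / len(results) if results else 0.0


if __name__ == "__main__":
    # Sysmon is installed on endpoints but its channel is not forwarded: a common gap.
    collected = {"windows-security", "firewall", "linux-auth"}
    res = run_simulation(SCENARIOS, RULES, collected)
    for name, r in res.items():
        print(f"{r['status']:8s} {name:35s} {', '.join(r['rules']) or '-'}")
    print(f"detection coverage: {coverage(res):.0%}")
```

Run as-is, the report shows two techniques detected, one blind (LSASS access, because Sysmon is not collected) and one missed (root SSH login, because no rule exists); adding "sysmon" to the collected set turns the blind result into a detection without touching any rule, which is the point of separating the two failure modes.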
Security testing techniques, tools, and service offerings from vendors
Other than established, cross-solution vendors such as Rapid7 and Qualys, the following emerging vendors offer notable services in the breach simulation category:
There is an increased focus on “fake news,” particularly in light of Russia’s alleged involvement in its creation and dissemination before, during, and after the 2016 presidential election.
Many believe that the motivation behind this ongoing “fake news” campaign is to disrupt or subvert the democratic process. Recently, U.S. Senator Mark Warner said that between 2012 and 2016 there was a more than 700 percent increase in the use of digital political advertising. Additionally, the Senate Select Committee on Intelligence is concerned about Russian use of social media platforms and has invited Google, Twitter, and Facebook to a public hearing to further discuss the matter.
You wouldn’t believe this! Fake news is growing to scary proportions!
Facebook disclosed that it had identified more than $100,000 worth of divisive ads suspected of having been purchased by a Russian company with ties to the Kremlin. The approximately 3,000 ads, which ran between June 2015 and May 2017 and were tied to 470 fake accounts, did not target or focus on a specific candidate so much as push divisive social issues to the forefront. Facebook has since shut down these accounts. The disclosure further supports the conclusions of the U.S. Intelligence Community’s January 2017 assessment, “Assessing Russian Activities and Intentions in Recent U.S. Elections,” which determined that the Russian influence campaign was designed to damage Hillary Clinton and boost Trump during the election. The report also found that Russian Internet “trolls” had posted anti-Clinton messages.
Threat hunting (TH for short) is quickly emerging as a hot trend in cybersecurity. The onslaught of data breaches we have been experiencing, each bigger than the last, has convinced organizations that they should assume compromise and seek ways to reduce dwell time. Dwell time is the number of days a threat stays latent before discovery and eradication. In 2016 it averaged 98 days for financial services firms and 197 days for retailers.
So organizations now “hunt” for threats instead of waiting for alerts to notify them of potential breaches.
Roots
The term “threat hunting” was probably coined by security analyst Richard Bejtlich, who wrote in 2011: “To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise.” The SANS Institute defines threat hunting as follows: “Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks.”
Even the analyst firm Gartner covers this activity (although not defined as a market segment yet).
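To make the difference between waiting for alerts and hunting concrete, here is an added example (not code from this post, Bejtlich or SANS) of one hypothesis-driven hunt in Python. The hypothesis is that a compromised host no alert has caught is still calling out to its controller on a timer; the hunt groups proxy log lines by source and destination, measures the gaps between requests, and surfaces pairs with many requests and unnaturally regular spacing. The log format, hosts, domains and thresholds are all assumptions constructed for the example.

```python
"""Hypothesis-driven hunt for beaconing hosts (added example; not the post's
or any vendor's code). Every log line below is constructed; hosts and
domains are made up."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log format: "YYYY-MM-DD HH:MM:SS src -> dst status"
LINE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+) (\d{3})$")


def parse(lines):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for ln in lines:
        m = LINE.match(ln)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def hunt_beacons(lines, min_hits=6, max_cv=0.15):
    """Return {(src, dst): {"hits", "mean_s", "cv"}} for suspiciously regular talkers.

    cv is the coefficient of variation (stdev / mean) of the inter-request
    gaps: a human browsing produces bursts and long pauses (cv well above 1),
    while a sleep()-driven implant with small jitter produces cv near 0.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse(lines):
        seen[(src, dst)].append(ts)

    found = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:          # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found[key] = {"hits": len(stamps), "mean_s": round(mean, 1), "cv": round(cv, 3)}
    return found


def sample_log():
    """Build a constructed log: one 60-second beacon with about 1 s of jitter,
    one human browsing pattern, and one host with too few requests to judge."""
    base = datetime(2017, 9, 12, 8, 0, 0)
    traffic = [
        ("10.0.5.21", "update-cdn.example.net", [0, 60, 121, 180, 239, 300, 361, 420]),
        ("10.0.5.40", "news.example.com", [0, 15, 200, 210, 900, 905, 1500, 2400]),
        ("10.0.5.77", "mail.example.com", [0, 60, 120]),
    ]
    lines = []
    for src, dst, offsets in traffic:
        for off in offsets:
            ts = (base + timedelta(seconds=off)).strftime("%Y-%m-%d %H:%M:%S")
            lines.append(f"{ts} {src} -> {dst} 200")
    lines.append("garbage line that does not parse")   # parser must tolerate noise
    return sorted(lines)


if __name__ == "__main__":
    for (src, dst), stats in hunt_beacons(sample_log()).items():
        print(f"{src} -> {dst}: {stats['hits']} hits every ~{stats['mean_s']} s (cv={stats['cv']})")
```

On the constructed log only the 10.0.5.21 host is surfaced. Nothing here is an alert: the hunter picks the thresholds, looks at what comes back, and then pivots to the host to confirm or refute the hypothesis. Lowering min_hits to 3 also surfaces the mail host, which is a reminder that the thresholds, not the code, decide how much analyst time a hunt consumes.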
North Korea has garnered much attention, largely because of its nuclear ambitions, but also for its presumed substantial offensive cyber capabilities. The isolated country has been suspected of some of the more noteworthy hacks, which, if correctly attributed, demonstrate an increasing use of cyber operations spanning from distributed denial-of-service (DDoS) attacks to the more destructive “wiping” of data on targeted networks and systems. Of late, there have been indications that North Korea is using its cyber prowess in support of criminal activity such as the theft of money and, more recently, of cryptocurrencies. Such a divergent range of activity is notable, as most other suspected nation state-driven cyber operations have concentrated on stealing data, running influence campaigns, or launching destructive attacks.
North Korea’s Cyber Power
This is not to say that suspected North Korean cyber activity has not served those purposes as well. Some of the more aggressive actions believed to have been orchestrated by North Korea include, but may not be limited to, the following:
August 2017: Cyber espionage activity tied to the “Lazarus Group” targeted U.S. defense contractors with spearphishing e-mails. Lazarus Group operations are believed to be orchestrated by North Korean cyber actors.
June 2017: The U.S. Computer Emergency Readiness Team (US-CERT) published a warning of potential North Korean cyber attacks against U.S. media, aerospace, and financial companies. The alert, which named the activity “Hidden Cobra,” identified Internet Protocol (IP) addresses associated with a malware variant used to manage North Korea’s DDoS botnet infrastructure.
November 2014: In addition to having personal information and intellectual property stolen from its networks, Sony Pictures Entertainment suffered damages from wiper malware. The Federal Bureau of Investigation maintained high confidence that North Korea was responsible.
The recent breach of Equifax, a global information solutions company that organizes, assimilates and analyzes data on consumers and businesses worldwide, and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States. Between May and July, the attackers had access to names, Social Security numbers, birth dates, and in some cases driver’s license numbers, in addition to 209,000 credit card numbers and dispute documents for another 182,000 individuals. According to the company, the attackers exploited a vulnerability in a U.S. website application to gain access to certain files. In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the Centers for Medicare and Medicaid Services, and the Social Security Administration, all major targets of hostile cyber actors.
More alarming than the breach itself is that details were not made public until six weeks after the company discovered it, and the company has not said why it waited so long before notifying the public. One possibility is that it was investigating the cause and extent of the breach, but that is speculation. To add insult to injury, it was revealed that three Equifax executives sold company stock before the breach was disclosed. While the company maintains that these individuals had not been notified of the breach before the sale, once the breach was made public Equifax’s stock price plunged 18 percent, with some estimates predicting further losses.
Unsurprisingly, this chain of events has outraged the American public, and that anger has reached the U.S. government, igniting a bipartisan political response to the breach. The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why, in a 13-question letter covering topics such as how the breach was discovered, the company’s victim notification plan, and steps to mitigate consumer impact. The company has until September 28 to answer the Committee’s questions.
The Equifax breach comes at a time when other significant organizations have also failed to safeguard citizens’ sensitive personal information. Notable breaches include the 2015 Anthem breach, which surrendered 79 million people’s personal information; the 2015 Office of Personnel Management (OPM) breach, which compromised more than 4 million personnel records of individuals applying for security clearances; and the 2016 IRS breach, which exposed the personal information of more than 700,000 individuals.
It is important to underscore that these millions of individuals did not carelessly protect or mishandle their own data. Rather, it was the inability of the “responsible” organizations that collect the information for their business purposes to properly secure it, calling into question the extent of their responsibility, accountability, and consequences. Even the site Equifax provided so that potential victims could check whether their information might have been compromised required the last six digits of an individual’s Social Security number, not the last four that is the usual standard. Entering additional information into a website run by an entity that has just demonstrated its inability to protect what it already had is hardly reassuring.
Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. However, the required time of notification varies, and in several instances is defined in vague terms such as “most expeditious.” This is completely unacceptable in today’s cyber reality, where criminals can operate quickly and monetize stolen information before victims are even aware that they have been compromised. In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans that it had accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The SSA essentially ignored the established reporting guidelines of the U.S. Privacy Act, which protects the personal information of private citizens. Such actions are not only negligent but border on criminal in their own right.
The U.S. public is tired of seeing massive breaches occur without any accountability or consequence for the organizations that were trusted with, and failed to protect, other people’s sensitive information. Fines do not send a serious enough message, and CEO firings and forced resignations have not produced any significant change in cyber security practices. The U.S. Congress, long maligned and unpopular according to one tracking service, has an opportunity to demonstrate bipartisanship by passing strict disclosure mandates along with appropriately grave consequences.
While much attention has been focused on nation state cyber capabilities, the frequency and pace of major breaches like Equifax’s have become white noise that gets a moment’s notice before attention shifts to sexier cyber topics. This has to change. While the crippling of U.S. critical infrastructure by a cyber attack could have far-reaching impacts, it remains a scenario. What is actually transpiring is the rampant mass exploitation and misuse of the U.S. public’s personal information, which affects everyone regardless of political party, economic class, or religious ideology. That seems a cause both sides of the aisle should be able to get behind.
First announced in 2015, the United Kingdom’s (UK) Digital Strategy was finally published on March 1, 2017. Per the government’s website, the document’s goal is to provide a blueprint for how the UK will build on its success to date in developing a world-leading digital economy that works for the greater good. This is particularly important given that the UK is a global capital for financial technology, which generated £6.6bn of revenue in 2015.
In my previous post on Cyber Threat Intelligence (CTI) I discussed at least one immediate benefit of CTI as a means of cutting the cost of vulnerability and patch management by potentially obviating the need to trigger a patch management exercise.