What YOU Can Do About International Threats

Posted on May 23, 2013 by Brent Huston

Binary eye

With the addition of RedDragon Rising (@RedDragon1949) to the blog, we are now pushing forth a new stream of threat data and insights about the growing problem of international threats. Since we added that content to the site, many of you have written in or asked me on Twitter, what is it that YOU can do about these threats? I wanted to take a few minutes and expand on my responses.

First of all, you can remain aware and vigilant. Much of the information we post here isn’t directly actionable. It isn’t designed to be a roadmap of actions for you to take. It’s designed to be a continual source of data that slowly helps you see a clearer picture of the threat, the actors and their capability. It’s designed to keep you AWAKE. It’s custom made to help you understand your adversary. Knowledge is power and insight is key. We make this content to give you both!

Second, you can communicate the threat and knowledge to your management. This helps them remain aware. It also presents to them that you are monitoring the threats and keeping your eye on the rising tides, even as you help them steer the ship through safe waters. You can use this information to build rapport with them, to give them new insights into your decisions when you explain to them various risks and to help them understand the changing nature of the interconnected world.

You can use the information here as an impetus to get the basics of information security right. While there aren’t any panaceas to fight off the threat and there isn’t a single thing you can buy to make it better ~ we do know that focusing on the basics of infosec and getting them done efficiently, effectively and well is the best defense against a variety of threats. That said, consider doing a quick and dirty review of your security initiatives against our 80/20 Rule for Information Security. This is a set of simple projects that represent the basics of information security and map easily to other standards and baselines. Simply judging your maturity in these areas and following the roadmap to improvement will go a long way to getting the basics done right in your organization.

Invest in detection and response. If your organization is doing the basics of prevention, that is you have hardening in place and are performing ongoing assessment and mitigation of your attack surfaces, then the next thing to do is invest in detection and response capabilities. Today, one of the largest advantages that attackers enjoy is the lack of visibility and effective response capabilities in our organizations. You should have some visibility into every segment and at every layer of your environment. You should be able to identify compromises in a timely manner and move to isolate, investigate and recover from any breaches LONG BEFORE they have become widespread and heavily leveraged against you. If you can’t do that today, make it your next major infosec goal. Need help?Ask us about it.

Lastly, share information with your peers. The bad guys are good at information sharing. They have excellent metrics. They openly share their experiences, successes, failures and new techniques. Much of crime and espionage (not all, but MUCH) is “open source” in nature. The cells of attackers free float in conglomerations of opportunity. They barter with experience, tools, data and money. They share. The more we begin to share and emulate their “open source” approaches, the better off we can be at defending. If knowledge is power, more brains with more knowledge and experience equals MORE POWER. Be a part of the solution.

That’s it for now. Just remain calm, get better at the basics, improve your visibility and stay vigilant. As always, thanks for reading State of Security and for choosing MicroSolved as your information security partner. We are striving to dig deeper, to think differently and to give you truly actionable intelligence and threat data that is personalized, relevant to your organization and meaningful. If you’d like to hear more about our approach and what it can mean for your organization, get in touch via Twitter (@lbhuston), email (info(at)microsolved/dot/com) or phone (614-351-1237 ext 250).

Most Recent Cyber Conflict Information ~ People’s Republic of China

Posted on May 21, 2013 by Bill Hagestad

Good day from AusCERT –

Here are some of the Most Recent Cyber Conflict Information ~ People’s Republic of China:

The People’s Republic of China’s culture of hacking cost the United States $873 million in 2011

http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/20/chinas-culture-of-hacking-cost-the-country-873-billion-in-2011/?

How The Great Firewall of China Shapes Chinese Surfing Habits

http://www.technologyreview.com/view/515056/how-the-great-firewall-of-china-shapes-chinese-surfing-habits/

Goldman exits China’s ICBC, seven years and billions later

http://uk.reuters.com/article/2013/05/21/uk-goldman-icbc-idUKBRE94K07120130521

Semper Fi,

Bill

Latest People’s Republic of China Internet Controls & News from Down Under

Posted on May 20, 2013 by Bill Hagestad

Good day from AusCERT –

The latest Cyber Conflict news out the People’s Republic of China is very curious indeed and firmly supports the fact that Chinese State Sponsored hackers are targeting other international governments – including intelligence, military, and political objectives…

Earlier today here in Asia the alleged Chinese People’s Liberation Army (PLA) hacking unit of PuDong neighborhood in the City of Shanghai has resumed cyber targeting see the Foreign Policy article (http://www.foreignpolicy.com/node/1426054)…and yet today the People’s Republic of China demonstrated a new form of Internet Control for disaffected bloggers who disagree with the Communist Party of China (CPC)…death – you can see the story here; http://www.foreignpolicy.com/node/1426054.

Remember that with the Golden Shield Project (colloquially known as the Great Firewall of China), a Chinese State Sponsored DNS cache poisoning policy, the Internet the Western world enjoys is not what the average Chinese experiences in the People’s Republic of China…So, with the renewed Chinese hacking someone in Beijing must have approved certain Chinese state sponsored hacking activity through the Great Firewall of China…otherwise why would the CPC be putting to death those Chinese bloggers who would challenge the legitimacy of the current Chinese political regime? Hmmm….

Red Dragon Rising @ AusCERT 2013

Posted on May 20, 2013 by Bill Hagestad

Good day from Gold Coast Australia!

Red Dragon Rising has arrived in Australia for AuSCERT 2013!

And of course, 5 hours ago here in Asia Pacific those pesky Dark Guests from the People’s Republic of China are up to their old hacking tricks again reports the New York Times:

“Chinese Hackers Resume Attacks on U.S. Targets”

You can read the direct story at the following link:

http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?&pagewanted=all

Latest People’s Republic of China Cyber Conflict News….中華人民共和國信息战争

Posted on May 17, 2013 by Bill Hagestad

Latest People’s Republic of China Cyber Conflict News….中華人民共和國信息战争

Pentagon Continues Use of People’s Republic of China Satellite in New Lease – Bloomberg
…AFRICOM renews lease with People’s Republic of China’s APT Satellite Holdings Ltd.!

People’s Republic of China’s software industry growth quickens – Xinhua | English.news.cn
The growth of China’s software industry quickened last year despite sluggish market demand caused by an economic slump at home and abroad, showed official data revealed on Wednesday.

India’s NSC points to Huawei, ZTE’s links with Chinese military project PLA-863 http://articles.economictimes.indiatimes.com/2013-05-15/news/39282046_1_huawei-and-zte-telecom-equipment-nsc

Beijing’s ‘Bitskrieg’ – 中國人民解放總參謀部…信息战争
http://www.foreignpolicy.com/articles/2013/05/13/beijings_bitskrieg?page=full

US Intelligence & Military fears after People’s Republic of China missile test – Telegraph
http://www.telegraph.co.uk/news/worldnews/asia/china/10063455/US-fears-after-Chinese-missile-test.html

OpUSA:: Feint or Fail?

Posted on May 8, 2013 by Brent Huston

So, yesterday was the date of the much awaited OpUSA, originally proclaimed to be a decisive attack on the US banking and government infrastructures. Thankfully, there seemed to be little impact on US banking or government, and while some commercial and even government sites did get attacked, the sustained impact seemed to be fairly well contained.

Below are a few thoughts on OpUSA and observations made from the data we saw around the Internet (in no particular order):

Anonymous groups seemed to be alluding to some infighting, with some groups mocking others and some fragments calling the entire operation a fake. There does seem to be some form of power struggle or competition going on inside the loose alignment of cells, at least from what conversations could be reviewed on Twitter, other social media and the paste bin releases.
Many of our team considered the possibility that OpUSA was a feint, designed to attract media attention and recruit new talent, even as primary groups and forces remained on the side lines. From a strategic point, this might make sense, though the in-fighting argument above seems more likely.
There seemed to be a large focus on attacking sites primarily powered by PHP. Certainly there are groups and cells inside the movement where their primary focus is PHP attacks and their exploits and tools are solely geared to PHP compromises. Other platforms are likely to remain in scope and within reach, but the majority of the attacks and compromises released yesterday seemed to revolve around PHP.
The 10,000 credit card release was MOSTLY a bust. All of the cards we saw were already expired. HOWEVER, it should be noted that SSNs, security questions and other PII was included in that release, so the impacts are broader than just credit card information.
Lots of released account credentials, software licenses and such also came out with associated tag lines during the operation. Additionally, many of the folks posting released data to the paste bins and on Twitter also usually release a good deal of pirated software, media and music from what we could tell. It is likely that some of the actors involved in the movement also participate in software and media piracy.
At least 3 credit unions were included in the released target lists. This was interesting, especially given the previous Anonymous stance that citizens should replace banks with credit unions. One has to wonder why these three particular CUs were targeted or if they were merely tokens.

Other than the usual chatter and jeers, there seemed to be little unique about OpUSA and the efforts identified with the campaign. The media is picking up on some additional items here and there, but largely, the operation was seen as being a smaller or less successful campaign than previous attack sets.

MicroSolved Announces International CyberThreat Intel Briefing

Posted on April 16, 2013 by Brent Huston

MicroSolved, Inc. is proud to announce a unique event for those interested in information security.

The 2013 International Cyber Threat Intelligence Briefing, featuring internationally recognized author William Hagestad, is an executive level briefing on the latest cyber threat intelligence from around the world. This briefing will provide a unique opportunity for C-Level decision makers to understand the cyber threat to their organizations through the loss of intellectual property via the determined use of cyber espionage. Attendees will be presented with two commercial case studies focusing on Global 50 companies. Recommendations, Short & Long Term Moves will accompany this interactive cyber threat intelligence briefing.

This is an opportunity for your management team to participate in a frank, focused discussion about the international cyber threats organizations face today in the global marketplace.

To learn more or sign up to participate, please register by clicking here.

Coming to Grips with DDoS – Response

Posted on April 15, 2013 by Brent Huston

In our first two blogs concerning Distributed Denial of Service (DDoS) attacks and small service industries, we presented measures organizations can take to prepare for and defend against DDoS attacks. In this final installment on the subject, we will discuss methods of response to these incidents.

The first thing to do when you think you are under DDoS attack is to not panic. Calm and considered responses are always more effective than immediately jumping in and possibly cutting off legitimate connection requests. An ill-considered response on your part could cause the very denial of service your attacker intended in the first place. The best thing you can do is to immediately access your incident response plans and begin to implement those pre-planned procedures you worked so hard on. We are constantly amazed at how many organizations fail to follow their own response planning in the heat of a real incident!

The next step in the process is traffic (log) analysis. You need to be able to identify what type of attack is being perpetrated and the kinds of bogus requests that are being made. This is where large log capacities and log aggregation tools come in very handy. Being able to view a large amount of data from a central console truly helps you recognize patterns in the attack. Since application layer attacks that employ IP spoofing are presently being used, pattern and type recognition are often the only means you have to discern good traffic from bad.

Once you are able to get a handle on what the bad traffic looks like, you can start filtering it out. This is best done by appliances as close to the network edge as possible. You can also work with your ISP which may be able to assist with filtering as well as other mechanisms such as rate and connection limiting.

After the attack is under control, don’t forget to work with law enforcement agencies such as the FBI and US-CERT. They are interested in these events and may be able to assist you in finding and dealing with the perpetrators. Reporting incidents is important because it is crucial to know the number and types of DDoS attacks that are really taking place out there in order to effectively respond to them. Reporting ends up being good for everybody!

Finally, it is very important to conduct lessons learned meetings and to adjust your incident response and business continuity planning. Table top exercises and other incident preparation techniques are helpful, but nothing helps you learn the hard lessons like a real incident. Why waste the only valuable thing to come out of the whole mess!

This series is written by John Davis, MicroSolved, Inc.

Coming to Grips with DDOS – Defend

Posted on April 4, 2013 by Brent Huston

In our first blog about Distributed Denial of Service (DDoS) attacks and small service industries, we discussed measures that organizations should take to prepare themselves for DDoS attacks. In this second installment, we will go over some methods that are useful in defending networks from these attacks. (The third and final installment in this series will deal with responding to DDoS attacks).

One good way to defend your network from DDoS attacks is to hire a service organization that specializes in the problem. They typically employ algorithm-based firewalls, large networks, monitoring, and other techniques to thwart these attacks, and can be very effective. However, these services are also pretty expensive and impractical for smaller organizations unless the threat level is very high indeed. The good news is that you can do a lot to defend yourselves from DDoS attacks.

The first step is knowing exactly what it is that you are defending. Computer networks tend to grow organically and it is a sad fact that most organizations have a very imperfect picture of how their networks are set up and how they behave. To defend against DDoS, it is important to know what typical network traffic looks like throughout the business year. This helps you set proper thresholds for automated detection devices and ensures quick detection of the onset of events such as DDoS attacks.

Another step you can take to help defend against DDoS attacks is to consider a cloud-based approach for your web services. With the traffic volumes DDoS attacks can currently generate, internal web servers at smaller organizations are sure to be overwhelmed. But by employing a content distribution network in a cloud setting you vastly increase your capacity, reduce the chance of any one server becoming unserviceable and are able to deal with the event more efficiently.

It is also important to work with your Internet Service Provider (ISP) during DDoS attacks. Your ISP could help in many ways including source blocking, scrubbing, load distribution and rate limiting. In addition, it should be remembered that many DDoS attacks are launched as diversions to cover up other attacks against organizations. Ensuring that your network is properly enclaved and monitored can go a long way in protecting your information and control assets during these attacks.

This series is written by John Davis, MicroSolved, Inc.

Coming to Grips with DDoS – Prepare

Posted on March 29, 2013 by Brent Huston

This post introduces a 3 part series we are doing covering distributed denial of service attacks (DDoS) and helping organizations prepare for them. The series will cover 3 parts, Prepare, Defend and Respond.

Part 1 of 3 – Prepare.

Distributed Denial of Service (DDoS) attacks use networks of compromised computers (botnets) or web servers (brobots) to flood organization websites with so much traffic that it causes them to fail. This is especially worrying for financial institutions and utilities which rely so very heavily on the availability of their services and controls. DDoS attacks are also mounted by attackers to hide fraud or other hacking activities being perpetrated on networks. Although these types of attacks are not new, they are presently increasing in frequency and especially in sophistication. Application layer DDoS attacks do a good job of mimicking normal network traffic and recent DDoS attacks have been measured at a huge 65 Gb (nearly 10 times the previous high point). The purpose of this blog is to discuss some methods small organizations can employ to properly prepare for DDoS attacks. (Later articles in this series will discuss means for defending against and responding to these attacks).

The first thing any organization should do in this effort is proper pre-planning. Ensure that DDoS is included in your risk assessment and controls planning efforts. Include reacting to these attacks in your incident response and business continuity plans. And as with all such plans, conduct practice exercises and adjust your plans according to their results. In all our years in business, MSI has never participated in a table top incident responce or disaster recovery exercise that didn’t expose planning flaws and produce valuable lessons learned.

Next, your organization should consider DDoS when choosing an ISP. It helps immensely to have an Internet provider that has enough resources and expertise to properly assist if your organization is targeted for one of these attacks. Ensure that you develop a close relationship with your ISP too – communicate your needs and expectations clearly, and find out from them exactly what their capabilities and services really are.

Finally on the preparation side of the problem, make sure that you keep well informed about DDoS and the actual threat level it poses to your organization. Keep active in user groups and professional organizations. Use the net to gather intelligence. The Financial Service Information Sharing and Analysis Center (FS-ISAC) has plenty of useful and up to date information on DDoS. You can even turn the World Wide Web against the enemy and use it to gather intelligence on them!

–This article series is written by John Davis of MSI.

PS – This is NOT a problem you can “purchase your way out” of. Organizations can’t and should not buy huge amounts of bandwidth as a preparation for DDoS. The cost impacts of such purchases are not effective, nor is bandwidth size an effective control in most cases. Note that some technology solutions for packet scrubbing and the like do exist. Your milage may vary with these solutions. MSI has not reviewed or tested any of the DDoS technology products as a part of this series.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Emerging Threats