Beware of Increasing Attacker Automation

Attacker tools and workflows are getting more and more automated. They are able to quickly integrate a variety of attack techniques and targets to automate wider-scale compromises and exploitation. This increase in automated capabilities applies to all phases of the attacker methodologies.

For example, modern attacker and bot-net tools can integrate stolen credentials use (“credential stuffing”) into a wider variety of approaches. They can automate the work of the attackers when they find a successful login. They can also try those credentials against a wider set of targets, including various e-commerce and popular social media sites. Essentially, this makes exploitation of stolen credentials significantly easier for an attacker, and potentially, more damaging to the victims whose credentials have leaked.

Stolen credentials and the tools to use them are evolving rapidly, and a significant amount of innovation and evolution are expected in these tool sets over the next year to 18 months. Entire platforms given to user emulation and capable of doing en masse correlation of stolen user data across breach sets are what I expect to see in the next year or so. When these tools emerge, new economies of scale for online identity theft will quickly emerge, raising both awareness and criticality of the problem.

Folks at various security organizations, including Akamai, are also tracking the problem. ( Robust defenses against these automated platforms are going to be needed, and it will place significant stress on organizations who lack mature security programs with advanced visibility and analytics capabilities.

If you’d like some assistance preparing for these types of automated attacks or would like to discuss the potential impacts they may have on your organization, feel free to get in touch ( or give us a call at 614-351-1237.

Want to Resist Ransomware? Embrace the NIST Cybersecurity Framework

Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.

Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.

Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (

Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.

Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.

This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.

The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.

Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.

Wealth Management Firms and Ransomware Tabletop Simulations

No matter what industry you are in, you need to practice emergency procedures to build proficiency and identify glitches in your planning. For example, we all went though fire drills back in grade school, or if you’ve been on a cruise ship, you have received lifeboat drills. These kinds of exercises have proven their worth time and again over the years. For wealth management firms, one such program that needs practice exercises is the incident response program. And tabletop incident response exercises are an effective way to conduct these practices.

We at MSI have had years of experience in developing and conducting tabletop incident response exercises for organizations in a number of industries. In the financial industry, the most prevalent and dangerous attack type currently is ransomware. Ransomware attacks can lead to data breaches, lawsuits, regulatory involvement, loss of reputation and financial loss. Let MSI assist your firm in tabletop exercises designed to test your response preparations and to make adjustments and improvements in your response.

First, we will work with your firm to design a real-world ransomware attack scenario that is relevant to your particular organization. From there we will construct the scenario and set a time with your firm to conduct the exercise. MSI will provide two personnel for the exercise: the exercise moderator and the exercise observer/recorder. It should be noted here that these exercises can be conducted in either the real or virtual world. During these days of pandemic emergency this can be an important consideration.

Once the tabletop begins, the moderator will unfold the details of the exercise one by one, just as they’d come to notice if a real incident were occurring. Your incident response team will then follow your incident response plan, communicate with each other and relate just how they would address each issue as it unfolds. As the exercise continues, the moderator will continue to introduce complexities built into the ransomware exercise scenario. Once the exercise concludes, MSI will help your team conduct a “lessons learned” discussion that points out what worked well during the exercise and what didn’t seem to work well and needs improvement. Finally, your firm will receive a report from MSI recapping the exercise and including suggestions for improving your response techniques and mechanisms.

In our experience, incident response tabletop exercises have never failed to expose flaws in the incident response plan. These exercises also lead to spirited discussion and innovative thinking among the team members. Remember, the key to minimizing the negative effects of any cyber-attack, including ransomware attack, is quick and accurate response.

Should Wealth Management Firms Pay Ransomware or Not?

If your wealth management firm suffers a ransomware attack, should the firm pay the ransom or not? This seems like a straight-forward question, but in reality, is anything but. A number of factors have to be taken into account, including what kind of ransomware attack you have suffered, the possible financial costs associated with the attack and the attack aftermath, the possible reputational damage and attendant loss of clients, and also legal and regulatory consequences that may arise from the attack.

Let’s start by looking at the two main types of ransomware attacks your firm might encounter. In the “traditional” ransomware attack, cyber-criminals break into your network and encrypt your important data so that you cannot access it without the key they used. They then demand a ransom payment for this key. This is an attack on only one of the three pillars of information security: availability. If your firm doesn’t have safely stored backups, you must pay or suffer likely permanent loss of your data. If your firm has safely stored backups, all you have to do is restore your system from these backups. The decision to pay or not in this case seems simple for a wealth management firms: if you pay you get your data back quickly. If you don’t pay, you still get your data back, but not so quickly. It may take days to go through the restoration process. If you think your clients will stand for this downtime, you don’t pay. If you don’t think the business interruption will be tolerated, then maybe it is better to pay and take the financial loss.

The other type of ransomware attacks we’re seeing today are not so simple. If your important data is not properly encrypted, the attackers may not only re-encrypt your data, they may also copy it and threaten to release it publicly if they are not paid. This is a much thornier problem because it also affects another pillar of information security: confidentiality. Financial institutions are heavily regulated and are required to adequately protect the confidentiality of their client’s financial and personal private information. If the firm pays the ransom, they may get the key to unencrypt their data and a promise not to post this data publicly. But what level of trust can you put in the word of criminals?! What is to prevent them from publicly releasing the data anyway, or keeping the data and demanding further payments in the future? This complicates the decision to pay or not considerably. If the firm doesn’t pay the ransom, they are in for public scandal that might cause present clients to go elsewhere and prospective clients to choose a different firm. They may also be subject to regulatory sanction if their information security program is judged to be inadequate. In addition, the firm may be sued by affected clients which can lead to even more scandal and reputational loss.

But wait, there is more! Paying the ransomware is actually illegal is some instances. Under the International Emergency Economic Powers Act or the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions with individuals or entities that are on OFAC’s Specially Designated Nationals and Blocked Persons List or with persons from embargoed regions and countries (see the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments at for more information). And how is the firm to know if the blackmailers they are dealing with are among those on the proscribed list? I would hate to have to be the one to make the decision to pay ransomware or not in these cases. To quote an old cliché, these decision makers are caught between a rock and hard place!

There is no simple, easy or right decision to make if your firm is caught up in this second type of ransomware attack. The real answer is to not be in such a position in the first place. Financial firms should ensure that their information security program is compliant with regulatory and best practices standards at all times. You should ensure that your data is properly encrypted and backed up, patch and update your systems religiously, test and monitor your systems and ensure that your partners and services providers are doing the same. To quote another old cliché: an ounce of prevention is worth a pound of cure!

Preparing for the End of SMS Authentication

Over the last several years, wealth management/asset management firms have been integrating their systems with banking, trading and other financial platforms. One of the largest challenges wealth management firms face, from a technology standpoint, is managing multi-factor authentication when connecting to the accounts of their clients. In the coming year to eighteen months, this is likely to get even more challenging as SMS-based authentication is phased out. 

Today, many financial web sites, applications and phone apps require the use of SMS one-time security verification codes to be sent via text to the user. This usually happens once the user has entered their login and password to the system, after which it triggers the credential to be sent to their mobile phone number on record. The user then inputs this code into a form on the system and it is verified, and if correct, allows the user to proceed to access the application. This is called two factor authentication/multi-factor authentication (“MFA”) and is one of the most common mechanisms for performing this type of user authorization.

The problem with this mechanism for regulating sign ins to applications is that the method of sending the code is insecure. Attackers have a variety of means of intercepting SMS text messages and thus defeating this type of authentication. Just do some quick Google searches and you’ll find plenty of examples of this attack being successful. You’ll also find regulatory guidance about ending SMS authentication from a variety of sources like NIST and various financial regulators around the world. 

The likely successor to SMS text message authentication is the authenticator app on user mobile devices and smartphones. These authenticator apps reside in encrypted storage on the user’s phone and when prompted, provide a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is setup and  the settings configured, it doesn’t need to communicate with the financial platform, and thus is significantly more difficult for attackers to compromise. Indeed, they must actually have the user’s device, or at the very least, access to the data that resides on it. This greatly reduces the risk of interception and mis-use of the codes in question, and increases the security of the user’s account with the financial institution.

This presents a significant problem, and opportunity, for wealth management firms. Transitioning their business processes from integrating with SMS-based authentication to authenticator apps can be a challenge on the technical level. Updates to the user interaction processes, for those firms that handle it manually, usually by calling the user and asking for the code, are also going to be needed. It is especially important, for these manual interactions, that some passphrase or the like is used, as banks, trading platforms and other financial institutions will be training their users to NEVER provide an authenticator app secret to anyone over the phone. Attackers leveraging social engineering are going to be the most prevalent form of danger to this authentication model, so wealth management firms must create controls to help assure their clients that they are who they say they are and train them to resist attackers pretending to be the wealth management firm. 

Technical and manual implementations of this form of authentication will prove to be an ongoing challenge for wealth management firms. We are already working with a variety of our clients, helping them update their processes, policies and controls for these changes. If your organization has been traditionally using SMS message authentication with your own clients, there is even more impetus to get moving on changes to your own processes. 

Let us know if we can be of service. You can reach out and have a no stress, no hassle discussion with our team by completing this web form. You can also give us a call anytime at 614-351-1237. We’d love to help! 

Credential Stuffing: Protection, Detection and Response are all Needed

Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.

Getting ROI with ClawBack, our Data Leak Detection Platform

So, by now, you have likely heard about MicroSolved’s ClawBack™ data leakage detection engine. We launched it back in October of 2019, and it has been very successful among many of our clients that have in-house development teams. They are using it heavily to identify leaks of source code that could expose their intellectual property or cause a data breach at the application level.

While source code leaks remain a signficant concern, it is really only the beginning of how to take advantage of ClawBack. I’m going to discuss a few additional ways to get extreme return on investment with ClawBack’s capabilities, even if you don’t have in-house developers.

One of the most valuable solutions that you can create with ClawBack is to identify leaked credentials (user names and passwords). Hackers and cyber-criminals love to use stolen passwords for credential-stuffing attacks. ClawBack can give you a heads up when stolen credentials show up on the common pastebin sites or get leaked inadvertantly through a variety of common ways. Knowing about stolen credentials makes sense and gives you a chance to change them before they can be used against you. 

We’ve also talked a lot about sensitive data contained in device configurations. Many potentially sensitive details are often in configuration files that end up getting posted in support forums, as parts of resumes or even in GITHub repositories. A variety of identifiable information is often found in these files and evidence suggests that attackers, hackers and cybercriminals have developed several techniques for exploiting them. Our data leak detection platform specializes in hunting down these leaks, which are often missed by most traditional data loss prevention/data leakage prevention (DLP)/data protection tools. With ClawBack watching for configurations exposures, you’ve got a great return on investment.

But, what about other types of data theft? Many clients have gotten clever with adding watermarks, unique identity theft controls, specific security measures and honing in on techniques to watch for leaked API keys (especially by customers and business partners). These techniques have had high payoffs in finding compromised data and other exposures, often in near real time. Clients use this information to declare security incidents, issue take down orders for data leaks and prevent social engineering attackers from making use of leaked data. It often becomes a key part of their intrusion detection and threat intelligence processes, and can be a key differentiator in being able to track down and avoid suspicious activity.

ClawBack is a powerful SaaS Platform to help organizations reduce data leaks, minimize reputational risk, discover unusual and often unintentional insider threats and help prevent unauthorized access stemming from exposed data. To learn more about it, check out today.

Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 



PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

Example of Pole Mounted Device Threats Visualized

As a part of our threat modeling work, which we do sometimes as a stand-alone activity or as part of an deeper assessment, we often build simple mind maps of the high level threats we identify. Here is an example of a very simple diagram we did recently while working on a threat model for pole mounted environments (PME’s) for a utility client. 

This is only part of the work plan, but I am putting it forward as a sort of guideline to help folks understand our process. In most cases, we continually expand on the diagram throughout the engagement, often adding links to photos or videos of the testing and results. 

We find this a useful way to convey much of the engagement details with clients as we progress. 

Does your current assessment or threat modeling use visual tools like this? If not, why not? If so, drop me a line on Twitter (@lbhuston) and tell me about it. 

Thanks for reading! 

Pole Mounted Environment Threats

Utilities Need to Harden Their Systems Against the Exploding IoT Threat

As the complexity of a computer system increases so does the difficulty of securing it against cyber-attack. In fact, difficulty of protection rises at a more than one-to-one ratio with complexity. This is one of the reasons we at MSI so highly tout extensively segmenting complex networks into “enclaves” with individual firewalls and access controls, as well as strict trust rules on how each enclave can communicate with each other and the outside world. Although this process is complex to develop and implement, once in place it greatly simplifies the protection of critical assets such as industrial controls systems and administration networks.

One reason why it behooves utilities to consider cyber-protections at this level is the exponential rise in the availability and use of Internet of Things (IoT) devices. It seems like every kind of device there is now has a computer in it and can be accessed and administered over a network of some kind. And usually this network is the Internet or is routable to the Internet.

Systems at threat include industrial control systems and the enterprise networks that administer them; they employ more remote access devices every day. IoT devices that are connected to enterprise networks can be just about anything. Smart light bulbs, cameras, heat sensors, voice controllers, televisions, robots… the list is daunting and grows constantly.

Exacerbating this problem for most of the last year has been the pandemic emergency. The need for social distancing and remote working has exploded because of it. And as we all know, in an emergency functionality trumps security every time. Concerns have set up remote conferencing and remote administration systems at a record pace. And even if they have performed some form of risk analysis before, during or after implementation, chances are that they may not have been holistic in their threat and risk analysis.

This brings me back to the enclave computing scheme I mentioned above. To set up proper network segmentation, the first things you need to know are what data/devices are on the network, how data flows between these entities and what trust relationships are implemented in their setup. Until you have a grasp on all of these factors, there is no way you can gauge the full range of negative security effects hooking IoT devices to your enterprise network can have.

So, my advice to Utilities and other users of industrial controls systems is this: do a thorough business impact analysis (BIA) of your enterprise network and all of its connections. The BIA will reveal the factors I mentioned above. It reveals what devices and data are there and their relative criticality. It shows you how data moves and what trusts what. This information is the necessary precursor to accurate risk and threat assessment, and can be the beginning of a new level of information security at your enterprise.