THREAT INTELLIGENCE

Securing Remote Workers

Mon, 31 Jan 2022 10:42:17 GMT

Remote work. Working-from-home. Teleworking.

Whatever you call it – in our post-pandemic world, it is now the new normal.

However, whilst remote working offers significant convenience, it can also present a range of security challenges for organisations.

You may have spent years developing, maintaining and refining rigorous security controls. Without proper planning and oversight, all those security controls can fly out the window as staff work remotely using a range of devices, all whilst accessing your corporate network. Your remote working staff may be inadvertently putting your entire organisation at serious risk of a cyber-attack.

In this blog we will explore the 3 key considerations when staff work remotely:

Secure hardware
Secure software
Secure connectivity

With the right remote working controls in place, it is possible to balance convenience with your organisation’s need for security.

Secure Hardware

It’s one thing to ensure all desktop computers are secure when your staff are working from the office every day. IT teams have a high degree of control over all the hardware in the office and can easily maintain control over devices.

However, with staff working remotely, maintaining that level of control is a significant challenge.

Ideally, every organisation should insist on providing their staff with a dedicated laptop and/or mobile device that must be used for all work-related purposes. Supplying staff with dedicated work devices makes maintaining control over device configurations and settings a much easier task for your IT team. With the right device configurations, it is easier to ensure correct access controls are in place, systems are regularly updated, and vulnerabilities are rapidly patched.

Unfortunately, the reality is that often organisations do not provide all their staff with work devices.

Increasingly, organisations are allowing staff to use their own private devices, a practice known as Bring-Your-Own-Device or BYOD.

As an organisation, you need to ensure that your IT team maintains some level of control over personal devices that are used for work purposes.

One option is for your IT team to install Mobile Device Management (MDM) technology. This can help separate corporate data from staff members’ personal information. MDM is a useful tool that can allow your IT team to maintain remote visibility and control over your organisation's corporate data on the device. However, MDM is not without its challenges. Installing MDM on all the myriad devices that your staff may be using can present your IT team with a range of logistical challenges.

Another option for managing BYOD is the use of cloud-based end-point protection tools. These allow your IT team to manage the security and privacy controls on all the devices used by your staff for work, whether the devices are owned by your organisation or by an individual employee.

Whether your staff use devices supplied by the organisation or their own personal devices, make sure you have Full Disk Encryption implemented. This encrypts the entire hard drive of the device and applies to all files, data, software and operating systems.

Secure Software

Modern Weak application security is the most common cause of cyber breaches. Vulnerabilities found in common applications, such as email, web browsers, instant messaging tools or other widely used work-related software, are routinely exploited by hackers.

With staff working remotely, every organisation should be taking steps to harden your systems. This means that any functionality that is not absolutely necessary for your staff to do their jobs should be disabled. Disabling unnecessary capabilities or functionality in applications reduces the attack-surface that is available to cyber-criminals.

Organisations should also ensure their staff receive comprehensive cyber awareness training and clearly articulated security policies. For example, staff should be aware of the risks inherent in clicking links or opening attachments in emails, along with training in ways to identify potentially malicious activity.

Likewise, staff should understand the risks associated with “shadow IT.” Many organisations implement policies prohibiting the installation of any applications that have not been approved by the IT department, as such software may be expose the organisation to malicious actors.

One of the most important application security considerations is regular patching. Ensure all your staff understand the importance of running software updates as soon as any of your software vendors release them. This applies to Operating System updates, as well as other types of software, including:

Web browsers
Email clients
Instant messaging tools
Other work-related software (document viewers, word processors, spreadsheet tools, etc.)
Antivirus software
Firewalls

Many applications will run updates automatically. Your remote working staff must ensure automatic updates are enabled. This will allow applications to automatically check for updates at least weekly, or preferably daily in the case of antivirus software and other security software.

For any software that does not automatically update, staff should be trained to manually check for updates and run any that need executing each week. This can usually be done through the application’s menu, or by visiting the software vendor’s website and running any available updates.

Secure Connectivity

How your staff connect to the internet and your corporate network is critically important when they are remote working.

When it comes to accessing the internet, in most cases staff will either connect to a residential network (either wired or wireless) or an external network, for example in a coffee shop or public library. Both residential and external internet connections present challenges.

When it comes to residential networks, these often have fewer in-built security features than their enterprise equivalents. The first thing to remember is that multiple devices are often connected to the same residential network. If a device belonging to an employee’s family member gets infected with malware, this could spread to other devices connected to the same network. Staff need to be aware of these risks and provided with training in the steps they can take to secure residential networks.

For starters, staff should ensure they change the default passwords on any modems or routers, so cyber-criminals cannot use them to gain access to their network. Residential router firmware should always be kept up to date and staff should ensure that WPA2 security is used. Furthermore, your staff need to ensure all data is encrypted whilst using a residential network.

The risks associated with external networks may be even greater. External networks generally don’t offer much protection. Coffee shops or public libraries may not encrypt network communications, leaving staff exposed to eavesdropping. Before using any external networks, staff should ensure they are accessing the internet using a VPN (Virtual Private Network). Ensure your organisation provides VPN access to all staff. However, be aware that if the VPN isn't properly secure, it can also provide an opening for attackers. It is essential to verify the identity of VPN tunnel end-points, as using the wrong authentication method could open the way for an attacker.

Connecting to your organisation’s corporate network can also present a range of security challenges. Whether your organisation is using on-premises or cloud-based technologies, it's essential that remote staff retain the ability to perform all their usual work-related tasks. This includes communicating through email, accessing corporate data and utilising a range of work-related systems.

Remember that remote working effectively expands your organisation's network into people's homes and public locations. This elevates your risk profile to a new level.

One option to address this risk is the use of virtual desktops which can be used to facilitate secure connections to your corporate network. Though beneficial, virtual desktops may also be vulnerable. If a remote worker uses a device that becomes infected with a worm, this could spread through a virtual desktop to your organisation's servers.

There is no single answer to ensuring secure connectivity for remote staff. Rather, a multi-layered approach is essential. By implementing a range of these security controls, you will significantly mitigate the risk of a cyber-attack.

How Can Threat Intelligence Help?

There are many factors to take into consideration when staff work remotely. For any organisation, maintaining ongoing visibility over staff devices, the applications in your environment and network traffic is essential.

Engaging a trusted external Managed Security Services team can ensure you achieve the visibility you need. The Managed Security Services team at Threat Intelligence combines a highly skilled specialist security team with security automation to expand your security capabilities.

We offer a complete and flexible suite of Managed Security Services that is ideal for busy organisations trying to manage the challenges of remote working staff.

In addition to our 24/7 Evolve Security Operations Centre (SOC), we offer Evolve Managed Detection & Response Services. This combines our highly experienced security specialists with Evolve Security Automation capabilities to streamline security operations and ensure the highest quality results.

Contact Threat Intelligence today to learn how our Managed Security Services can ensure your organisation is ideally placed to address the challenges of remote working staff.

Security Within Agile Methodologies

Mon, 24 Jan 2022 15:13:20 GMT

In today’s competitive business landscape, organisations are under intense market pressure to develop and release applications at record pace.

Whether in the form of a new web or mobile application, or additional functionality to an existing application, delays can cost your organisation dearly. Rivals may surge ahead, achieving competitive advantages and capturing greater market share.

DevOps teams find themselves under intense pressure from executives to roll-out applications faster than ever before. Agile methodologies are now widely embraced by DevOps teams as an efficient way to write code, build functionality and deploy applications.

However, all too often speed comes at the expense of security. For many organisations, market considerations trump security imperatives.

In the rush to the production environment, the costs associated with weak application security, or AppSec, are often overlooked. Applications with bugs are vulnerable to breaches. Confidential customer and corporate data may be compromised, resulting in significant financial and reputational costs for your organisation.

The key to secure applications is integrating strong security throughout the software development lifecycle (SDLC). With ongoing code reviews and continuous testing within an agile environment, it is possible to efficiently deploy robust applications, achieving your business objectives without comprising security.

In this blog we will explore the benefits of embracing agile methodologies, whilst ensuring AppSec becomes an integral part of the SDLC.

Waterfall vs Agile

The Waterfall Model

Before we dive into agile, it is worth taking a look at its predecessor: waterfall software development methodologies.

The waterfall approach to systems analysis and design was first established by Winston W. Royce in the 1970s.

For many years, it was the default approach to building and deploying software. However, the waterfall method contained some significant challenges. It required developers to determine all the requirements of the project from the outset, during the System Requirements phase. This included detailed understandings of precisely what end-users needed from the application.

Once System Requirements has been established, the development process ran downhill. The completion of each stage would result in the commencement of the next stage.

A major shortcoming of the waterfall methodology was that Testing was so close to the end of the lifecycle, right before deployment.

As Royce himself understood:

“I believe in this concept, but the implementation described above is risky and invites failure…The testing phase which occurs at the end of the development cycle is the first event for which timing, storage, input/output transfers, etc., are experienced as distinguished from analysed. These phenomena are not precisely analysable…If these phenomena fail to satisfy the various external constraints, then invariably a major redesign is required…The required design changes are likely to be so disruptive that the software requirements upon which the design is based, and which provides the rationale for everything are violated. Either the requirements must be modified, or a substantial change in the design is required. In effect the development process has returned to the origin and one can expect up to a 100 percent overrun in schedule and/or costs.”

In other words, after DevOps teams had invested considerable time and resources to develop software, it may be discovered that there were fundamental flaws during the Systems Requirements stage. This may necessitate a full rethink of the entire design of the application.

It should also be noted that any security testing would also be conducted at the Testing stage. This could also reveal fundamental vulnerabilities. Retroactively fixing these bugs could be costly and would likely delay the release of the end product.

A better methodology was needed. Application development had to be flexible, so that it could be adapted to suit changing circumstances and needs. Additionally, it was essential that testing not be left to the end of the process right before deployment. In particular, security testing had to be embedded throughout the SDLC.

In contrast to waterfall, agile methodologies seek to incorporate flexibility into the process.

Rather than building an entire application before releasing it, agile focuses on rapidly developing, testing and deploying individual components or functionality of an application. This ensures that there is flexibility embedded within the SDLC. DevOps teams can execute redesigns as needs change or market expectations shift.

The Agile Method

Agile methodologies are also better suited to ensuring software is built securely. With functionality tested on an ongoing basis, bugs can be identified and fixed rapidly. This avoids lengthy delays and enables applications to be delivered on time and on budget.

By embracing agile development methodologies, DevOps teams can integrate security considerations throughout every stage of the SDLC. This has given rise to a new model: DevSecOps .

DevSecOps recognises that security cannot be an afterthought. Security is integral to the success or failure of software. Only with continuous code reviews and continuous testing of application functionality can organisations develop software that meets their business needs, including the needs of customers. Embracing a DevSecOps model demonstrates that there does not need to be any trade-off between AppSec and the efficient deployment of applications. Both can be achieved simultaneously.

Why Security Must Not be an Afterthought

Modern organisations need to consider the interests of a range of stakeholders. Customers, employees, shareholders and the broader community all expect organisations to take cyber-security seriously. Policymakers and regulators have responded to these expectations with a range of strong regulatory and privacy requirements that aim to protect private data.

Cyber-security must now be treated as a top priority.

With application breaches a leading cause of cyber-attacks, it is critical that you ensure your organisation’s web and mobile applications are built robustly.

The challenge for DevOps teams is that agile methodologies can see small-scale functionality deployed in timeframes of less than week. However, thorough security testing usually takes longer than this. Finding a way to integrate continuous security into agile methodologies, without unnecessarily delaying the SDLC is essential.

The best way your DevOps team can align its agile development timelines with its security imperatives is through embracing automation tools.

Tools that automate security-related tasks are essential because the more you can automate the work necessary to meet your software deployment objectives, the easier achieving strong AppSec becomes. Additionally, security tools can help reduce some of the development effort required of your DevOps team by shifting it onto the tools. This allows your DevOps team to focus on other priorities, such as building additional functionality.

It is important to remember that where security is involved, tools do not replace humans. However, tools enable scalability and speed. For example, automated tools can scan large volumes of code at a speed that humans would not be able to achieve.

How Can Threat Intelligence Help?

Threat Intelligence brings you Evolve Automated DevOps Application Security Testing .

This innovative solution enables your DevOps team to automate the integration of AppSec testing into the software development pipeline. You will be able to rapidly identify security vulnerabilities in applications under development, with automated reviews of every piece of code that is deployed.

Evolve Automated DevOps Application Security Testing delivers the most efficient security controls for software progressing through the development pipeline to the production environment. Not only will you achieve unprecedented efficiencies, but the security of your applications will be stronger than ever before.

With Evolve Automated DevOps Application Security Testing, you will be able to automatically orchestrate on-demand AppSec testing environments in real-time. This can even take place within your Evolve Cloud that sits inside your Evolve Security Zone. This means that there are minimal requirements for DevOps pipeline integration.

As long as your DevOps Pipeline server can execute Python code, either locally or on a remote server running Windows or Linux, you can easily integrate the Evolve Automated DevOps Application Security Testing to get up and running within minutes by adding a simple build step into your deployment pipeline.

Evolve Automated DevOps Application Security Testing has made building and deploying applications faster and more secure than ever before. Contact us today to learn how Threat Intelligence can help your organisation meet all your application development needs.

Embracing Cloud Without Compromising Security

Mon, 17 Jan 2022 15:27:59 GMT

Among cyber-security experts, 2021 will be remembered as the year that cloud breaches surpassed on-premises breaches for the first time.

In many respects, that is not surprising. The pandemic has been a catalyst for many organisations to transition to cloud-computing. As ever, cyber-criminals are quick to adapt whenever they sense a new opportunity. As a result, many cyber-criminals have begun focusing their efforts on breaching cloud environments.

According to Verizon’s Data Breach Investigations Report , 73 percent of cyber-security incidents now involve cloud assets, with the rest involving on-premises IT assets. The previous year, cloud only accounted for 27 percent of breaches.

It’s clear that transitioning to the cloud offers organisations many benefits. However, it may also present significant risks when not planned and executed correctly.

In this blog, we will explore the benefits of cloud, some of the important security implications you need to consider before transitioning, and how expert guidance can help you avoid potentially devastating breaches.

Four Benefits of Embracing a Cloud Computing

All the talk in recent years has been on the need for organisations to migrate to the cloud. It’s a trend that has grown exponentially through the pandemic, as organisations adapt to find ways to enable staff to work remotely, as well as opportunities to transact digitally with customers.

The benefits of cloud computing are numerous. Below are four key benefits many organisations experience when embracing cloud computing:

1. Pursue new opportunities

Migrating to the cloud allows you to pursue new business opportunities. Utilising cloud data centres offers levels of flexibility and scalability that could not easily be achieved with on-premises technologies. This ensures your organisation can expand its computing resources efficiently as circumstances change, and your needs evolve. It allows you to collect and store more data, which in turn offers the potential for greater insights and new commercial opportunities. By harnessing the strengths of cloud computing, your organisation can turbo-charge growth by engaging more customers irrespective of geographic location, as well as fostering deeper engagement with existing customers.

2. Facilitate remote work

Rolling pandemic-induced lockdowns have been a major driving force behind many organisations embracing cloud computing. Many have found transitioning to the cloud essential to maintaining staff connectivity. By enabling staff to access the systems and applications required to carry out their work duties from multiple devices, many organisations have been able to maintain business operations despite the many disruptions caused by the pandemic.

3. Reduce Costs

Cloud technologies allow you to reduce both upfront and ongoing costs compared to expensive on-premises systems. Investing in on-premises physical data centres, as well as all the associated IT staff required to set-up and maintain them, can be prohibitively expensive for many organisations. All too often, organisations find themselves investing in systems with excess capacity. This is hardly the best use of limited resources. Cloud solutions allow you to achieve economies of scale by sharing cloud computing resources with other organisations. You also benefit by having access to the cloud provider’s team of experts. All these factors can help make cloud systems more cost effective than on-premises systems. Rather than large upfront costs, not to mention ongoing maintenance costs, embracing cloud allows you to simply pay predictable monthly fees. Generally, the fees would only increase if and when you need additional capacity due to business growth.

4. Business Continuity

Cloud technology can strengthen your ability to recover from a range of disasters and enable you to maintain business continuity in the face of potential disruptions. With cloud infrastructure often located in multiple physical locations, many cloud providers offer network availability guarantees. Cloud solutions can be scaled rapidly in accordance with changing usage and demand, further mitigating the risks of interruption or downtime. Cloud providers also have access to cyber-security systems and expertise that many individual organisations lack. This can reduce the risk that your data may be comprised as a result of a data breach.

Key Security Considerations When Selecting a Cloud Provider

Despite a range of security benefits that come from cloud computing, it is clear that cloud environments can also be breached, with potentially devastating consequences.

Whilst cloud providers bear some responsibility for security, other security considerations remain the responsibility of the individual cloud tenants. This shared responsibility model may require a cloud provider to ensure the data centre perimeter is secure, or that tenants on shared servers cannot access each other’s data. However, individual tenants usually retain primary responsibility for system configurations. Given that most cloud breaches start with configuration errors, any organisation transitioning to a cloud environment would be wrong to assume they no longer need to worry about security.

When considering different cloud providers, it is essential you undertake a comprehensive risk assessments. Some of the important questions you should consider before selecting a cloud provider include:

Reputation

When embarking on your cloud journey, it’s critical to remember one essential truth: You are handing over access to business-critical data to a third-party. That means there needs to be a very high degree of trust between your organisation and the cloud provider.

Undertake due diligence on any prospective cloud providers. Check their reputation to see who their other clients are and their level of cloud experience. The cloud provider should be able to demonstrate compliance with a range of security standards. They should also have formal risk management policies in place and processes for assessing third-party service providers and vendors.

Any cloud provider should also take time to understand your organisation and the outcomes you are trying to achieve.

Data Transmission, Processing & Storage

Most attacks against cloud environments seek to compromise valuable sensitive data. Therefore, it is critical that your cloud provider has systems and processes in place to ensure your organisation’s data is transmitted, processed and stored securely.

Some organisations have data sovereignty requirements. Service Level Agreements (SLAs) should stipulate whether data is stored exclusively in onshore data centres. Your organisation may need to adhere to certain data security and privacy compliance standards, so it is important to verify that your cloud provider undertakes continuous monitoring and reporting for audit purposes.

Physical access controls should also be a priority that safeguard the data centre.

Disaster Recovery & Business Continuity Capabilities

Cloud providers should have plans and expertise in place to allow a rapid response to any cyber incident. At a minimum, they should have comprehensive security policies and procedures in place for access control, as well as 24/7 eyes-on-glass monitoring of all logs and events in the environment to rapidly detect any potential cyber-security breaches.

All data should be backed-up and retained in order to avoid any permanent loss of business-critical data, ensuring that in the event of a breach, your organisation can recover rapidly from any disaster and maintain business continuity.

Ensure that recovery times and capabilities are stipulated in your SLAs.

Hybrid Solutions – Aligning On-Premises and Cloud Environments

Many organisations find that a hybrid solution, where they retain use of their on-premises systems for certain functions, whilst embracing public cloud computing for others, offers the best of both worlds.

In some circumstances, organisations may prefer to retain sensitive data and applications on-premises, behind their own firewalls. This ensures access is tightly restricted to individuals within the organisation. At the same time, the organisation may opt to embrace public cloud computing for other systems that are not quite as sensitive. This ensures the organisation can derive the many benefits of the cloud, such as the capacity to scale rapidly, greater flexibility, access to more expertise and reduced costs.

In many cases, on-premises systems will be connected to cloud-hosted systems. This poses a potential risk whereby malicious actors who gain access to an organisation’s on-premises systems are able to pivot to the cloud environment as part of an attack. It is critical that the right security architecture is adopted to limit the capacity of cyber-attackers to move laterally across your on-premises and cloud environments.

How can Threat Intelligence help your organisation embrace cloud securely?

Any organisation transitioning to cloud computing needs to understand that security considerations remain as important as in on-premises environments. With most cyber-incidents now occurring in cloud environments, and most of those stemming from configuration errors, expert guidance is essential to ensure your organisation’s security.

Hybrid models, which see an organisation transition partially to the cloud whilst retaining some on-premises capabilities, may present additional security challenges.

Threat Intelligence offers expert guidance with comprehensive Security Architecture Reviews.

The security architecture your organisation has in place is key to avoiding a major security breach. Ineffective security architecture covering your entire cloud and on-premises environments, puts your organisation at risk of compromise. The result could be that your organisation suffers a large-scale data breach with significant financial and reputational consequences.

With a Security Architecture Review, you gain an understanding of your organisation’s systems and security controls. You will be able to identify areas of weakness that may be vulnerable to attack, with a comprehensive plan to uplift your organisation’s security maturity.

The Smart Choice: Outsourcing Your Cybersecurity Requirements

Mon, 10 Jan 2022 16:10:04 GMT

Hardly a day goes by without reports of a new type of cyber-attack. Whether its financially-motivated criminal syndicates, or state-based actors, those who are looking to inflict harm on your organisation are constantly adopting new tactics to take advantage of any perceived vulnerabilities.

Organisations are faced with the ongoing challenge of ensuring they have the right mix of internal security capabilities to confront an ever changing threat landscape.

One potential solution would see every organisation significantly expand the skill-set and capabilities of its in-house information security department. However, with Australia experiencing a shortage in skilled cybersecurity professionals, this option presents its own difficulties.

A viable alternative for many organisations is to partner with a trusted cybersecurity services provider. This allows your organisation to retain certain skills in-house, whilst augmenting your capabilities as needs arise. In this blog, we will explore how outsourcing a range of cybersecurity functions to professional and trusted partners could be the ideal solution for your organisation.

Fighting an Uphill Battle: The Challenge of Cybersecurity Staffing

All too often, organisations view cybersecurity through an exclusively technology lens. Many boards are under the impression that investing in the right technology solutions will keep a range of malicious actors at bay. However, the reality is that securing your organisation’s information assets requires much more than investing in the latest kit.

Cyber-criminals are constantly adapting their attack vectors to take advantage of new vulnerabilities. If you’re wholly reliant on technology to secure your network, devices and applications, it’s only a matter of time before the criminals find gaps in your security defences and exploit them.

A team of well-trained cybersecurity professionals will understand the criminal mind and will always aim to stay one step ahead of the attackers. By integrating the latest threat intelligence, closely monitoring your network traffic and identifying attacks in the wild in real-time, skilled cybersecurity staff are essential to successfully confronting a constantly evolving threat landscape.

However, ensuring your organisation has the cybersecurity staff with the essential set of skills your organisation needs is a core challenge for any CISO. Even if you do manage to assemble the right team, retaining them over the long-term in a tight labour market presents further difficulties.

All too often, organisations invest substantial amounts of time and money recruiting and training a cybersecurity team that has the right suite of skills, only to see staff up and leave to pursue better-paid opportunities elsewhere.According to 160 Australian CISOs surveyed by specialist IT recruitment agency, Robert Half, the race for talent has become so competitive that many firms are out-bidding each other to attract the right candidates by boosting salary offers to over 70% of new hires.

Despite this, 88% of surveyed CISOs are experiencing more difficulty attracting the right employees compared to five years ago. Additionally, reports indicate that 71% of CISOs face rising staff turnover rates, which is unsurprising given that 31% of IT employees change jobs within less than two years.

This is a problem that is being exacerbated by the pandemic, with international recruitment efforts being hamstrung by travel restrictions and lockdowns. Clearly, current market conditions favour local employees, with demand for key cybersecurity skills substantially outstripping supply.

Whilst skills shortages and competitive remuneration levels are driving heightened employee mobility, there is an alternative approach that could result in a better outcome for your organisation - outsourcing.

5 Key Benefits of Outsourcing Some (If Not All) Of Your Cybersecurity Requirements:

1. Cost Effective

Whilst you may think it is more cost effective to have an in-house cybersecurity team, given the range of skill-sets you are likely to need, and current labour shortages in Australia, the outsourcing route is likely to generate significant long-term savings for your organisation.

As an example, consider the costs associated with setting up your own in-house Security Operations Centre (SOC). The expense of maintaining a team of security analysts around the clock is likely to be prohibitively expensive. You will also need to invest in a range of monitoring systems and SIEM solutions.

An outsourced model achieves significant economies of scale. Because a trusted cybersecurity partner will have established an existing SOC , which they use to monitor the networks of a range of organisations, you end up sharing the costs with others.

2. 24/7 Eyes on Glass

Your cybersecurity staff may be rostered to work during business hours only. The problem is that cyber-attackers are on the hunt for opportunities 24 hours a day, 7 days a week.

A network breach that is launched on a Friday evening may go undetected for 48 hours or longer. This allows your attackers plenty of time to move laterally across your network, compromise large amounts of your critical data, install backdoors for future exploits, and launch malware that could enable remote code executions.

The outsourcing model allows you to maintain 24/7 eyes on glass. This means that whenever a breach occurs, cybersecurity experts will be watching your network traffic, ensuring they are ready to swing into action to limit the damage.

3. Rapid Incident Response

The key to effective cybersecurity is the ability to respond rapidly whenever an incident occurs. It is critical that you act quickly to contain a breach, restrict movement through the network, minimise damage to systems and secure data assets.

Rapid incident response is essential for reducing the impact an attack has on your organisation. You will experience minimal downtime and will be able to maintain business continuity.

With a highly-skilled cybersecurity team on your side, you can rest assured that in the event of any attack, professional incident response teams will be acting quickly to protect your organisation. This can dramatically reduce the costs of an attack, as damage to your systems will be limited and data compromise will be minimal.

Rapid incident response can also prevent a range of legal consequences, as you will be able to demonstrate that your organisation adheres to industry best-practices. It can also prevent long-term reputational damage that often flows for organisations that are victims of cyber-attacks.

4. Range Expertise

When outsourcing your cybersecurity requirements to a trusted partner, it is likely they handle significantly more breaches than your in-house team would handle. By being exposed to more alerts and attacks, an outsourced team will be better informed about how to respond to different attack vectors.

The outsourced model also ensures your organisation benefits from the skills and knowledge of a range of cybersecurity professionals with deep domain expertise in specific verticals.

For example, your outsourced cybersecurity partner may have staff with specific expertise in CLOUD platforms, application security or endpoint protection. Having all the different skill-sets your organisation requires in-house is all but impossible. Most organisations that opt for the in-house model have generalists, which means you miss out on the knowledge and experience of domain experts.

5. Expedite Your Cyber Maturity

Regulators, boards, shareholders, customers and commercial partners all expect organisations to be taking active measures to strengthen their resilience against increasingly dangerous cyber-attacks.

Organisations are required to meet increasingly complex industry and regulatory compliance standards. Whether its PCI-DSS, APRA CPS 234, ISO27001, IRAP or the ASD’s Essential Eight, there’s no escaping the fact that cybersecurity compliance is more onerous than ever before.

That’s why it’s essential to tap into the guidance and knowledge of outside experts. By partnering with a trusted cybersecurity provider, your organisation will gain access to a range of specific skills and expertise that will enable you to uplift your cyber resilience, expedite your cyber maturity and achieve your compliance requirements.

How can Threat Intelligence help?

Managed Security Services by Threat Intelligence combines the expertise of our highly skilled security specialists with the advantages of Evolve rapid security automation to expand your organisation’s cyber resilience. With a complete and flexible suite of Managed Security Services, your organisation’s unique cybersecurity objectives can be achieved with our tailor-made approach.

Whether you wish to augment your in-house capabilities, achieve the peace of mind that comes from 24/7 monitoring, or retain incident response capabilities for unforeseen emergencies, Threat Intelligence is here to help you meet your specific requirements.

Not only will our outsourced solutions expand the capabilities at your disposal, partnering with Threat Intelligence will enhance your resilience at a time when cyber-attacks have never been more dangerous.

Best of all, by outsourcing your Managed Security Services, you ensure the costs of achieving your cyber objectives are contained, allowing you to dedicate more time and resources to your core goal – growing your business!

Contact Threat Intelligence today for a discussion about the goals your organisation is seeking to achieve and how Threat Intelligence can help you achieve them.

How to identify your Log4j exposure

Wed, 15 Dec 2021 14:55:16 GMT

A critical vulnerability (CVSS score of 10 out of 10) is actively being exploited in the wild to execute ransomware or cryptocurrency miners across a large number of Java-based applications and products.

Applications or products that use Java quite often use the Log4j library to create log entries. The vulnerability exists in any HTTP header or parameter that is logged via the Log4j library, which allows a remote attacker to perform Remote Code Execution on the underlying server. This is achieved by forcing the server to download a remotely hosted Java Class that it then executes.

The vulnerability identifier for this vulnerability is CVE-2021-44228 and is dubbed the "Log4Shell" vulnerability.

Who is impacted?

This is impacting nearly every organization globally, with a small selection including Apple, Amazon, Microsoft Azure, Okta, Atlassian, Palo Alto Networks, Checkpoint, Cisco, Juniper, Citrix, VMware, IBM, Docker, GitHub, Twitter, Apache, CloudFlare, Linkedin, Solarwinds, Kaseya, and even Google.

More vendors are being added to the extensive list daily, with over 100 vendors affected already, which you can track here .

What do you need to do?

1) Review the list of affected vendors and immediately apply upgrades or patches to any internet-accessible systems.

2) If you can’t patch, or if there is no patch, then remove the system from the internet immediately.

3) You then need to identify your affected systems, which is harder than you think. Basically, you need to locate all JAR files that have a vulnerable Log4j library packaged inside.

This requires a deep search across all of your Windows, Linux and Mac systems to locate all affected JAR files, as well as across any appliances and devices on your network.

Once located, you need to disable lookups via the configuration option below:

Dlog4j2.formatMsgNoLookups=true

How can Threat Intelligence help?

Since this vulnerability is hidden within so many different applications and products, Threat Intelligence has updated a series of Evolve products to assist you with identifying this exposure and proactively prevent your organization from suffering a security breach.

EvolvePT VS Log4j

Log4j External Exposure Penetration Test (Unauthenticated)

Evolve Automated Penetration Testing (EvolvePT) performs a targeted assessment of your internet-accessible applications, products and services to identify if they are exploitable via the Log4j vulnerability from the perspective of an unauthenticated internet-based attacker. To provide a thorough analysis, each of the web-based services that are identified, both manual and automated attacks can be performed against each service. This allows you to proactively and quickly identify vulnerable applications and products to prevent a security breach.

Log4j Authenticated External Application Penetration Test

Evolve Automated Penetration Testing (EvolvePT) performs a targeted assessment of the authenticated areas of your internet-accessible applications to determine if they are exploitable via the Log4j vulnerability from the perspective of authenticated or registered user accounts. This allows you to proactively identify vulnerable applications and products within your authenticated application layer to gain deeper coverage.

Log4j Internal Infrastructure Penetration Test (Unauthenticated)

This custom-designed penetration test will perform a targeted assessment of your internal applications, products and services using our Evolve Automated Penetration Testing (EvolvePT) to identify if they are exploitable via the Log4j vulnerability from the perspective of an unauthenticated internal attacker. To provide a fast and cost-effective service, each of the web-based services that are identified, automated crawling and attacks will be performed against each service. This allows you to proactively identify vulnerable applications and products, including network devices and appliances, in a streamlined way to gain a deeper insight into your internal systems that may be vulnerable.

Log4j Authenticated Wireless Penetration Test

Various wireless portals and devices use Java in their web interfaces, which may contain the Log4j vulnerability. This is especially risky on guest wireless networks and captive portals. EvolvePT will authenticate to the wireless networks and test the wireless devices to determine if they contain the Log4j vulnerability. This helps to prevent wireless-based attackers from compromising the wireless infrastructure to gain unauthorized access to internal networks.

EvolveIR VS Log4j

Log4j Authenticated Internal Exposure Assessment

Evolve Automated Incident Response (EvolveIR) feature to provide a deep insight into your company-wide exposure to the Log4j vulnerability. The first phase leverages the Evolve Security Automation capabilities to perform an authenticated search of every server to locate Log4j instances, including searching and unpacking JAR files to identify instances that use Log4j, as well as gathering context around the exploitability of each instance of Log4j. This information is then fed into the second phase where each instance of Log4j is then reviewed to determine if it is vulnerable so the risk can be remediated.

EvolveMDR VS Log4j

Log4j Security Breach Investigation

If you suspect that you may have suffered a security breach via the Log4j vulnerability, or if you wish to have Threat Hunting performed to identify if you have been breached, then with our EvolveMDR , managed detection and response services, we can lead a security breach investigation to ensure your business remains safe.

How to get assistance?

Request a demo and talk to one of our Experts to keep your business safe.

Vulnerability Scanning vs Penetration Testing: What Is the Best Approach for Your Organisation?

Mon, 13 Dec 2021 11:38:39 GMT

Threat Intelligence brings together the best of Vulnerability Scanning and Penetration Testing with our suite of Automated Penetration Testing solutions.

In this blog, we will explore the differences between Vulnerability Scanning and Penetration Testing, as well as the many benefits your organisation can derive by combining features of both.

Why You Need to Test Your Systems Regularly

Threat actors are opportunists. You can be certain they are always on the hunt for any new opportunity to breach a network or an application.

That’s why organisations around Australia have embraced regular testing of their systems. By interrogating your systems’ defences, it is possible to identify hidden vulnerabilities. Left unfixed, it is only a matter of time before these vulnerabilities will be exploited by threat actors.

The consequences for your organisation could be devastating – compromised data, damaged systems, a ruined reputation and even possible legal ramifications. The costs, including long-term business disruption, could be crippling.

Regular testing of your systems provides you with the best chance of staying one step ahead of the cyber-criminals.

But which method of testing is right for your organisation? Testing falls into two broad categories: Vulnerability Scanning and Penetration Testing.

What is Vulnerability Scanning?

Vulnerability Scanning is an automated process in which your network or applications are scanned using a range of scanning tools.

The goal is to identify known vulnerabilities in your systems.

Scanning tools’ databases are regularly updated with information about vulnerabilities including coding bugs, packet anomalies, configuration faults, and known paths cyber-criminals use to compromise confidential data. By scanning your systems, these tools are looking to identify these known vulnerabilities in your environment, so you can then run the necessary patches to remediate them.

In many organisations, Vulnerability Scanning is performed by the IT department, or external cyber-security specialists. The actual scanning process not only identifies known vulnerabilities, it can also classify them in terms of severity, allowing your IT team to prioritise patching those vulnerabilities that represent the greatest risk to your organisation. All too often, breaches occur because organisations have failed to patch well-known vulnerabilities that cyber-criminals have been exploiting for years. With Vulnerability Scanning, there is no longer any excuse for organisations to neglect patching these vulnerabilities.

Vulnerability Scanning is an activity that should be undertaken on a regular basis. A full network Vulnerability Scan should be run at least annually. Some compliance standards, such as PCI DSS, actually mandate it. Vulnerability Scanning is both effective and efficient. However, whilst there are many advantages to Vulnerability Scanning, it also has its limitations. Like many aspects of cyber-security, the good guys are in a constant race against the bad guys. The same scanning tools you use to identify vulnerabilities, may be used by cyber-criminals to identify weaknesses for exploitation.

Furthermore, the most sophisticated threat actors are not simply looking to exploit widely-known vulnerabilities. Rather, they are hunting to discover new vulnerabilities. So-called Zero Days are vulnerabilities that have just been discovered for the first time. As patches don’t yet exist for these vulnerabilities, organisations can find themselves at the mercy of cyber-criminals.

That’s why many organisations also incorporate Penetration Testing into their cyber-security strategies.

What is Penetration Testing?

Penetration Testing , also known as Ethical Hacking, seeks to identify and breach exploitable systems in your organisation’s environment. Penetration Testers, whether in-house or external experts, adopt the mindset and tactics of a threat actor.

A key difference between Vulnerability Scanning and Penetration Testing is the latter’s use of manual interrogation techniques. Penetration Testing goes beyond Vulnerability Scanning as it seeks to uncover hidden vulnerabilities, not simply those that are widely-known.

The objective of Penetration Testing is to identify ways in which a sophisticated threat actor could breach your defences. This knowledge provides your organisation with critical awareness that allows you to harden your systems and ensure your security posture can be made more resilient.

A typical Penetration Testing engagement usually encompasses the following stages:

Scope

The scope of a Penetration Testing exercise is critical. It starts with careful consideration of the objectives you hope to accomplish.

Application Penetration Testing should be undertaken whenever you are launching a new web or mobile application or releasing new functionality for an existing application.

External Network Penetration Testing should be undertaken to determine the strength of your organisation’s perimeter defences.

Internal Network Penetration Testing should be undertaken to determine whether a breach of your perimeter allows unfettered lateral movement across your network.

With web services, such as APIs, increasingly used to connect different systems and to facilitate data transfers, it is also critical to undertake Web Services Penetration Testing. Even your organisation’s Wi-Fi routers may be vulnerable. Wireless Network Penetration Testing ensures unauthorised individuals are not connecting to your network through Wi-Fi routers.

You also need to determine whether the Penetration Testers should interrogate your systems as authenticated users, i.e., those who have access to login and password credentials, or unauthenticated threat actors.

Furthermore, you need to determine whether to undertake Black-Box Penetration Testing, where the testers have no prior knowledge of the system, architecture or source code. This approach simulates how a genuine threat actor would likely attempt to attack your systems.

Alternatively, White-Box Penetration Testing provides the testers with extensive system information. The benefit of this approach is that testers can examine the source code to identify potential points of weakness. Another approach is Grey-Box Penetration Testing, where the testers are accessing the systems with some knowledge, for example as a privileged user.

Reconnaissance and Planning

Once you have determined the scope of Penetration Testing, the testers will begin their reconnaissance and planning. This step sees the testers gather critical information about the systems they will test to determine likely points of weakness.

The Penetration Testers will look for open-source intelligence (OSINT) that may help to identify vulnerabilities and potential entry points.

The Penetration Testers will also conduct threat modelling to map-out how they will conduct their attack.

Interrogation

Armed with a map of likely vulnerabilities and entry points, the Penetration Testers undertake their interrogation of the systems, as outlined in the scope. The objective for the Penetration Tester is to go as far as possible within your environment, whilst evading detection.

The Penetration Testers will only go as far as authorised by the client. They will also make every effort to avoid causing any damage, data loss or business interruption.

Throughout the interrogation stage, the client will be kept fully-updated of progress. Clients will be alerted to any severe vulnerabilities that are uncovered, so urgent steps can be taken to remediate the risk.

Reporting

Upon completion of the Penetration Test, a comprehensive report will be developed that outlines any vulnerabilities uncovered, the severity of those vulnerabilities, along with essential remediation advice.

The client is then armed with a blueprint for strengthening the security of the tested systems.

Evolve Automated Penetration Testing: The Best of Both World

Both Vulnerability Scanning and Penetration Testing have enormous benefits.

Whilst Vulnerability Scanning is efficient and effective, it is restricted to detecting known vulnerabilities. By contrast, Penetration Testing is manual in nature, allowing testers to use their skills and knowledge to uncover hidden vulnerabilities. However, traditional Penetration Testing can be time-consuming. Most organisations only undertake Penetration Testing annually – leaving the organisation exposed to potential threats for protracted periods of time.

Evolve Automated Penetration Testing offers the best of both worlds.

It allows you to go beyond simple Vulnerability Scanning by automating many of the activities traditionally undertaken by Penetration Testers. At the same time, testing activities can be automated to run at intervals that are suited to your organisation’s specific requirements. You no longer need to remain vulnerable in between annual Penetration Tests.

With Evolve Automated Penetration Testing, your organisation can embrace a modern approach that maximises your security uplift. This represents a paradigm shift in how Penetration Testing is delivered. Offering both on-demand and regular Penetration Testing cadences, it is possible to significantly reduce the risk of your external network perimeter, internal network defences, or applications being breached.

In a world where cyber-criminals are rapidly adopting new attack vectors, it has never been more important to stay ahead of a rapidly evolving threat landscape.

Request a demo to begin a free trial and see how Evolve Automated Penetration Testing can enable you organisation to achieve your security objectives.

Security Architecture: What it is, Benefits and Frameworks

Tue, 12 Oct 2021 07:49:53 GMT

It is undeniable that organizations require robust security measures against cyber threats. A cyber-breach can result in huge expenses to your organization. So what can we do to help prevent these breaches? This is the purpose of a strong security architecture that can reduce these cyber security threats and the expenses that might result from them.

A security architecture is a set of models, methods, and security principles that align with your objectives, keeping your organization safe from cyber threats. Through security architecture, a business’ requirements are translated to executable security requirements. Just like architecture in construction where there is an examination of the property in such factors as climate, soil type, topography, and client preference, so must a security architect understand the network, firewalls, defences, detection systems, and many other factors.

Elements of Security ArchitecturE

Each organization is different, meaning every security architecture framework is uniquely designed to meet the needs of a specific organization. However, the methods and guidelines used to meet those needs are largely the same from architect to architect.

Security Architecture Frameworks Examples

Security architects have guidelines (frameworks) to work with. A security architecture framework is a set of consistent guidelines and principles for implementing different levels of business’ security architecture. Companies may opt to devise their frameworks by combining international standard frameworks, such as:

TOGAF
SABSA
OSA

TOGAF Framework

TOGAF, or The Open Group Architecture Framework, helps determine which problems need to be solved within the security infrastructure in a business. Its primary focus is on the organization’s goal and scope, as well as the preliminary phases of security architecture. TOGAF does not, however, give specific guidance on ways to address security issues.

SABSA Framework

SABSA, or the Sherwood Applied Business Security Architecture, is a policy-driven framework. It helps define the critical questions that security architecture can only answer: what, why, when, and who. The goal of SABSA is to ensure that after the design of security services, they are then delivered and supported as an integral part of the enterprise’s IT management. One downside, however, is that SABSA doesn’t get into specifics regarding technical implementation.

OSA Framework

On the other hand, the Open Security Architecture (OSA) is a framework related to technical and functional security controls. OSA offers a comprehensive overview of crucial security components, principles, issues, and concepts that underlie architectural decisions involved in designing effective security architectures. However, OSA can only be used if the security architecture has already been designed.

Benefits of Security Architecture

Strong security architecture leads to fewer security breaches

With modern technology, an organization is required to have a security architecture framework to protect vital information. This drastically reduces the threats associated with an attacker successfully breaching an organization’s systems. Among the many benefits of security architecture is that it can translate each unique requirement into executable strategies and develop a risk-free environment for a business while aligning with the latest security standards and business needs. Of course, the “holy grail” is that security architecture helps organizations demonstrate their integrity and confidentiality to potential partners. A strong security architecture, first and foremost, upholds the three pillars of the CIA Triad: Confidentiality, Integrity, and Accessibility. In so doing, consumers and business partners will be much more likely to work with and trust an organization.

Proactive security measures save money

Mitigating cybersecurity threats is expensive. Some of the possible ramifications of security breaches can include the halt of production processes, product recalls, embarrassing press conferences and, as a result, damaged reputations and severe monetary loss. The cost of fixing an error when detected in the early coding stages can cost up to 300%. However, if the same error is detected in the post-releases or the production stages, it costs up to 3,000% more. To avoid or reduce the chances of errors slipping through during product development, it is advisable to integrate security at each production level. All products should be developed within a security context, minimizing zero-day attacks and rushed (therefore expensive) patches.

Mitigate disciplinary measures in the event of a breach

Although cyber breach legislation consequences differ around the globe, it is common knowledge that the more an organization tries to prevent risks and reduce vulnerabilities, the higher the chances of favourable outcomes in the event of an attack. Working within regulations can help prevent punitive measures, which will, of course, further damage a company’s reputation and finances. With the introduction of GDPR, regulations have gotten stricter, and businesses are working to keep their technology within these new regulations. At the same time, technology is also advancing quickly, meaning that the legislative landscape is also working tirelessly to catch up with technology. In other words, both sides of the equation are constantly changing and tightening their regulations and practices.

Therefore, as a business, having a robust security architecture and using the necessary processes and tools to integrate the development cycle to detect errors is the best way to comply with the relevant authorities and regulations, as well as further defend your company against cyber threats.

Conclusion

As we conclude, it is important to mention that these types of issues must be handled by a specialist. IT – specifically cyber security – is a sensitive field. Having an expert to walk you through this process is vital to ensure that your security is being handled correctly. Moving forward, well-planned and effective security architecture will greatly help in consistently managing risks by allowing departments to make quick and better decisions and leveraging industry best practices.

What is a Managed SOC? And why use one?

Mon, 04 Oct 2021 08:06:48 GMT

As the cyberthreat landscape evolves at a dizzying speed, the only way organizations can stay ahead of threat actors is by prioritizing their cybersecurity programs. They must also monitor and analyze their security posture on an ongoing basis to detect, prevent and respond to threats. Here’s where a Security Operations Center (SOC) plays a vital role.

SOC teams use numerous processes and tools to detect, analyze, respond to and investigate anomalous behaviour and cybersecurity incidents.

But even knowing how important the SOC is, not all organizations can set up the team in-house; they may lack the resources, skills, budget . . . there are any number of reasons why this happens. Fortunately, they can still leverage all the benefits of a SOC – with a managed SOC (or SOC as a Service).

Managed SOC Meaning Unpacked

Managed SOC – also known as SOC as a Service – is a subscription-based service that enables organizations to “outsource” the SOC function to a vendor. Managed SOC providers are external cybersecurity experts who monitor the company’s IT network, devices, applications and data for known and evolving vulnerabilities, threats and risks. They can provide proactive threat detection, immediate incident or alert response, and incident remediation. There are two types of SOC as a Service: a fully-managed SOC, or a co-managed SOC.

Why Use a Managed SOC?

In the first nine months of 2020, data breaches exposed 36 billion records (Risk Based Security), with the average breach costing $3.86 million (IBM). Today, that cost has risen to $4.24 million (IBM). In this disquieting landscape, the role of a Security Operations Center cannot be overstated.

However, setting up the SOC in-house involves a significant investment in software, hardware and other infrastructure. It can also take a long time to build a team, obtain the necessary tools and licences, and configure the SOC. These can all be serious barriers, and can prevent the organization from strengthening its security posture.

With SOC as a Service, organizations can easily and cost-effectively eliminate these barriers.

Benefits of SOC As a Service

Technology Deployment and Management

Through the cloud-based/subscription-based Security as a Service, organizations can speed up SOC technology deployment. Since they don’t have to set up their own security tools or processes, the SOC deployment period is very short. Some managed SOC providers can start monitoring an organization’s environment in just a few weeks, providing proactive protection with minimal delays.

On-demand Access to Experts

Security as a Service provides on-demand cybersecurity experts who are skilled at threat monitoring, assessment, response and remediation support. They can immediately start monitoring the IT environment for potential cyber threats and risks for ongoing, reliable protection.

Security Event Prevention and Management

Security events could potentially have serious information security implications. To stay on top of them and ensure that they don’t lead to other problems, they must be continuously logged and evaluated. This is easier to do with a managed SOC.

Security Incident Prevention and Remediation

A security incident is a viable risk that can result in tangible damage, such as operational disruptions or data loss. A SOC as a Service provider can continuously review suspicious behaviours and alerts to prevent possible security incidents. They also remediate detected threats, either independently or by working with the client’s internal IT team.

Proactive Threat Protection

The best managed SOC providers work with numerous clients and can therefore leverage economies of scale. If their analysts identify a threat in one client’s IT ecosystem, they can roll out necessary updates to protect other clients as well.

Managed Detection and Response (MDR)

SOC as a Service is ideal for small/medium businesses looking for MDR capabilities. Managed SOC providers can offer managed threat hunting, incident snooping and triaging, malware analysis, and even post-incident recommendations to prevent future attacks.

Threat Intelligence Management

For comprehensive protection, threat information is not enough. This information must be enriched with the right context at the right time to make it actionable and effective. This is the meaning of threat intelligence. An external managed SOC team can collect and prioritize threat data and add the right context to create threat intelligence, gain a better understanding of real threats, and thus shore up defences.

They can also effectively research and triage multiple alerts that come in from disparate data sources to improve alert response and reduce the “alert fatigue” that internal SOC teams often struggle with.

Managed SOC Pricing

The managed SOC model offers a clear cost advantage over traditional SOC. Many providers offer multiple package options, which usually include some fixed offerings with some possible customization.

An introductory package may include managed SOC for a certain time period (e.g. 8×5), as well as security processes and procedures, identity and security advisory, and research and development. A more advanced package will likely expand the SOC scope to include 24×7 emergency assistance. The most advanced packages usually provide full 24×7 coverage, as well as all the services included in the other two packages. Depending on the chosen package, managed SOC pricing can range from $750/month to $50,000/month.

Conclusion

The cyberthreat landscape is constantly evolving, and companies cannot afford to ignore the many threats nipping at their heels. A Security Operations Center enables them to keep these threats at bay, but many organizations are unable to utilize an in-house SOC.

Managed SOC provides an ideal solution for such organizations, offering ongoing monitoring, security experts and proactive security in a cost-effective, low-barrier avatar. With Security as a Service, organizations of all kinds and all stripes can detect, prevent and respond to threats with confidence.

Retail Cybersecurity: Threats, Statistics and Best Practices

Sun, 26 Sep 2021 08:24:48 GMT

In 2020, U.S. consumers spent $861.12 billion on online retail transactions – 44% more than 2019. Clearly, consumers want to shop “differently.” To keep up with these expectations, many retailers have launched or revamped their e-commerce stores, offering services such as curbside pickup, to help meet the growing demand.

While these trends create great opportunities, they also generate new retail cybersecurity threats.

Retail Cybersecurity Statistics

Retailers have always been attractive targets for cyber attackers and data thieves. But now, cybersecurity issues in retail have become an even bigger concern. Consider these recent (2020) retail cybersecurity statistics:

24% of cyberattacks targeted retailers, more than any other industry (Trustwave)
34% of retailers said cybersecurity worries were their primary hindrance in moving to e-commerce (BDO)
34% also said that cyber attacks or privacy breaches were their most serious digital threat (BDO)
Financial motives drove cyber attackers in 99% of retail cyber attacks (Verizon 2020)
When data is compromised in an attack, 42% is payment information and 41% is personally identifiable data (Verizon 2020)

Why Retail Cybersecurity Threats Happen

Retailers collect, process and store increasingly large amounts of customer data, including PII and credit card numbers. But this goldmine has a downside: bad actors who are looking to profit from selling it on the dark web. Furthermore, cloud-based storage and mobile apps are leaving a larger data presence on the web, leading to new threat vectors.

Many retail businesses are a hybrid of brick-and-mortar and e-commerce. To manage this ecosystem, they use a mix of technologies (e.g. PoS in stores and cloud-based systems for e-commerce). However, this hybridization also creates numerous e-commerce cybersecurity risks.

Other cybersecurity issues in retail are created by:

Cloud-based botnets
Use of Near Field Communications (NFC) for payments
Software vulnerabilities
Lack of point-to-point encryption (P2PE) in PoS systems
Use of insecure third-party plugins

To protect themselves and their customers, retailers must be aware of these threats. They must also have a good security team who can understand and think like threat actors, in order to anticipate possible attacks. Let’s take a look at a few of the most common types.

Types of Retail Cybersecurity Threats

Phishing Scams

In a phishing attack, a threat actor sends fake emails that mimic emails from legitimate sources. If a victim clicks on the malicious link or attachment within the email, the attacker can steal their information, or install malware on their system to cause further damage.

Ransomware

Threat actors actively exploit vulnerabilities in retailer networks to install ransomware . This allows them to encrypt systems and bring transactions to a standstill, until the retailer pays a ransom. This can lead to huge financial losses, and also damage the retailer’s reputation.

Data Breaches

Customer information, particularly payment card data and PII, are big-ticket items that hackers sell in underground markets for huge payouts. To steal this data, they often use stolen credentials to disguise themselves as legitimate users.

Attacks on IoT Devices, Payment Systems and Machine Learning Systems

In the post-COVID environment, many online retailers are investing in contactless transaction technologies that use IoT to process payments. These technologies help to protect human health, but they also introduce new cyber risks. In 2020, 9 of the top 10 exploits targeted IoT devices. (Fortinet)

Machine Learning- and Artificial Intelligence-based systems also create cybersecurity risks. Attackers deploy intricate systems of bots to harvest data like credit card information or credentials.

Advanced Persistent Threats (APT)

Many retailers are now:

Increasing their digital footprint
Adopting more cloud-based services
Deploying more complex IT stacks
Managing large, geographically distributed networks

These factors widen their attack surface and make it more likely that APTs will persevere in their systems for longer. APT groups will even frequently distribute malware via email to move laterally across networks.

Supply Chain Attacks

E-commerce companies work with numerous vendors to support different aspects of their operations. A single vulnerable access point at one vendor could lead to a supply chain attack, jeopardizing the retailer’s cybersecurity posture.

If you want to know more about Supply Chain Attacks, watch our webinar below:

Retail Cybersecurity Best Practices

Here are some ways to address cybersecurity issues in retail, or at least mitigate their impact:

Encrypt all Sensitive Data

Ideally, sensitive data (e.g. credit card numbers) should not be retained. However, if retention is a must, then all data must be encrypted, whether at rest or in transit. To balance the need for privacy with ease of use, homomorphic encryption (which allows calculations to be executed on encrypted data) is often employed.

Segment the Retail Network

Network segmentation can keep POS details, PII and customer financial information safe. Network monitoring tools should monitor each segment for signs of lateral movement, APTs, and breach attempts.

Perform Regular Data Backups

To minimize the potential for data loss following a ransomware or phishing attack, it’s critical to regularly back up all data from the e-commerce website, POS systems, and other applications. The backup process can be automated with the help of a Managed Service Provider (MSP).

Deploy POS Malware

An anti-malware solution must be implemented on the entire retail network, especially on POS systems. Timely security patches must also be implemented on all software and applications used by the company.

Implement Multi-factor Authentication (MFA)

To keep customer data safe from phishing attacks or account takeovers, MFA must be implemented. It’s also important to select an e-commerce platform that complies with the Payment Card Industry Data Security Standard (PCI-DSS).

Implement Zero-Trust Access (ZTA)

The ZTA approach controls user and device identity and access. Its “trust no one” philosophy can boost cybersecurity effectiveness for retailers.

Educate Employees

Over the past 2 years, insider threats in the retail industry have grown by 38% (IBM). Moreover, 81% of malicious breaches start with compromised passwords. This is why training employees on cybersecurity best practices (including password hygiene) is essential.

Conclusion

For the most part, the shift to e-commerce is a welcome move for retailers. However, this pivot is also endangering e-commerce cybersecurity. Fortunately, there are ways to stay ahead of such cybersecurity challenges in retail. In the increasingly-digitized post-COVID world, retailers must improve their awareness of both risks and safeguards.

Evolve’s threat intelligence tools provide a strong bulwark against retail cybersecurity threats. Click here to know more.

External Penetration Testing: A Brief Guide

Mon, 20 Sep 2021 08:30:26 GMT

In Q2 2021 , publicly reported data breaches in the U.S. are up by 38% over Q1. Moreover, 78% of IT security leaders believe their organizations lack sufficient protection against cyberattacks. What is more, the average cost of a data breach has risen from $3.86 million in 2020 to $4.24 million – an almost 10% increase.

Given these facts, strong cybersecurity is an absolute must. For this, organizations must regularly assess their security posture, and proactively find weaknesses in it. Here’s where penetration testing is invaluable.

Penetration testing is about “thinking like a hacker.” Pen testers identify which vulnerabilities exist in the enterprise network, systems or applications, how they could be exploited by cybercriminals, and the impact of such exploitation. In other words, purposefully being “hacked” now is better than unwittingly being hacked later.

External penetration testing – also known as ethical hacking – involves testing perimeter systems from the perspective of an attacker who has no prior access to the network or systems. Perimeter systems are directly accessible over the Internet, and therefore most vulnerable to external attacks. Testers simulate the actions of real hackers to gain control over the network, find weaknesses, and assess the potential impact of a breach.

Difference Between Internal and External Penetration Testing

Internal penetration testing assumes that attackers – including malicious insiders – have already found a foothold into a compromised system, and are looking to elevate their presence and cause more damage, whether that is collecting data, installing malware/ransomware, or simply harming a business’ reputation. In this pen test, the tester requires access to the target system. They will attempt to access privileged user accounts or sensitive data sources by bypassing existing access controls.

In external penetration testing, however, the tester takes the perspective of an attacker who has no prior access to the target system. This pen test is usually done on a “black box” basis, where the tester has no information about the system’s design, architecture, source code, credentials, or internal structure.

External Penetration Testing Methodology

The external penetration testing methodology is a tried-and-true collection of best practices that cover the following steps:

Scoping

First, the testing team understands the requirements for network/infrastructure assessment and defines the test scope. These can be very open, or get very specific. For example, a pentest may involve a customer-facing webpage, but will not cover employee email accounts. It is vital that the team know the scope of the test going into it.

Reconnaissance

They identify all network assets and security gaps that malicious actors may exploit to compromise the network. This may involve everything from keycard access at the front door to password strengths.

Data Collection

Information is collected about the target system, including databases, software versions, plugins, hardware, etc. Together, the Reconnaissance and Data Collection phases are known as “enumeration.”

Vulnerability Detection and Assessment

Testers actively look for flaws in the network, systems, and applications. This may include unpatched software, least privilege vulnerabilities, or pwned passwords.

Exploitation

Identified flaws are actively exploited to compromise a target using an exploit kit. The tester may use tools such as Metasploit or Netsparker, or compromised usernames and passwords may be used to log into an otherwise inaccessible network.

Privilege Escalation

Testers try to gain greater control over the network by gaining higher privileges in a system, or by accessing other systems on the network. This may even include creating his or her own account, enabling the pentester to log in whenever he or she wants.

Data Exfiltration

The tester uses tools and techniques to extract data from the network, simulating the actions of hackers. In a pentest, this is unlikely to be anything sensitive or dangerous, but in a real-world attack, that could be devastating.

Reporting

All identified issues and recommendations are documented, so the organization can produce an accurate threat and risk assessment. The pentester may even schedule a follow-up test, to see if any remediations have been effective.

External Penetration Testing Steps

Step 1: Planning and Reconnaissance

This initial phase focuses on gathering relevant information about the target system and preparing an asset inventory.

Step 2: Establish Objectives and Scope of Work

Next, the testers define the test objectives and scope of work. This enables them to identify the key performance indicators to gauge the success of the test. They also define test limitations to ensure the security of all assets and information.

Step 3: Scan Target System

The testers test the system to find exploitable vulnerabilities with Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), or both. They also quantify the potential security risks if vulnerabilities remain unaddressed.

Step 4: Gain System Access

Once they identify the system’s core weaknesses – insecure code, lack of encryption, authentication flaws, user session management loopholes, etc. – external pen testers leverage them to gain access to the system.

Step 5: Maintain Access

The tester attempts to retain persistent access, and remain undetected by system safeguards.

Step 6: Exploit the System

The external pen tester attempts to access confidential data and identifies all the possible routes they took to achieve this objective. They also exploit vulnerabilities and identify threats. They remain within the agreed-upon scope to ensure that data remains protected.

Step 7: Prepare a Report

Once the external pen test is complete, the testing team prepares a comprehensive report that documents the test results and includes recommendations for improvement. The report explains the test purpose, tactics and techniques used, and risk levels.

External Penetration Testing Tools

Many tools are available to conduct external penetration testing. These include:

Metasploit : Tool to verify vulnerabilities, manage security assessments, and improve security awareness
Nikto : Open source web server scanner that looks for potentially dangerous files/programs, outdated versions, and version-specific problems
Wireshark : An open-source network protocol analyzer to assess traffic for vulnerabilities in real-time
Nmap (Network Mapper) : A port scanner for network discovery, security auditing, and host/service uptime monitoring

Evolve Automated External Penetration Testing

Evolve supports automated, on-demand, real-time external penetration testing to quickly detect and verify critical security weaknesses. The solution combines automated reconnaissance and active attacks with intelligent and safe exploitation against publicly accessible infrastructure to provide deep insights into Internet-based risks. It empowers security teams to effectively identify and reduce business-critical risks, and stay on top of the latest threats.

Conclusion

To protect any organization from data breaches and cyberattacks, identifying security gaps in the network infrastructure is critical. External penetration testing helps answer two extremely important questions:

How could a hacker penetrate our network to compromise our applications or steal our data?
How can we find and fix open vulnerabilities before that exploitation happens?

External penetration testing helps your business to immediately take corrective action against flaws and vulnerabilities, and stay several steps ahead of threat actors.

What is Ransomware: A Pocket Guide for IT Professionals

Mon, 13 Sep 2021 09:13:44 GMT

In one of the most high-profile ransomware attacks of recent times, Colonial Pipeline, the largest petroleum pipeline in the U.S., was attacked. Following the attack, the company had to shut operations for several days. To bring their systems back online, they ended up paying a ransom of 75 bitcoins (approx $4.4 million).

This attack highlighted the increasing vulnerability of firms to ransomware attacks. In 2019, over 200,000 U.S. firms were compromised by ransomware – a serious number by any standards. But then, in the first half of 2020, global ransomware attacks increased by 715% YoY.

So, what is ransomware?

How does ransomware work?

How does ransomware spread?

In this article, we address all these questions about this increasingly common cyber threat.

What is Ransomware?

Ransomware is a kind of malware (malicious software) that a bad actor installs on a victim’s system without their knowledge. It then encrypts their files or data, and locks them out of the system. To decrypt these locked files, the criminal demands a ransom from the victim.

How Does Ransomware Work?

In 2020, ransom payouts touched nearly $350 million in cryptocurrencies , a 311% increase over 2019. Ransomware attacks often yield such huge payouts for attackers because they’re easy to set up, and require almost no technical or coding skills. As long as the threat actor can access the Dark Web, they can buy ready-to-use ransomware toolkits or a Ransomware-as-a-Service (RaaS) subscription to easily author and launch an attack.

Ransomware works on the basis of asymmetric encryption that uses two keys – a public key and a private key. The attacker generates this unique key pair for the victim. They send the private key to the victim only after they pay the ransom – or so they say. In many cases, the victim never receives the private key, so they lose access to their files or data forever. Between 2020 and 2021 , the number of organizations that paid the ransom rose from 26% to 32%, but only 8% got all of their data back.

How Do Ransomware Attacks Happen?

There are several possible vectors for ransomware infections. A malicious actor may, for example, distribute ransomware using email phishing. The victim receives a ransomware-infected attachment. Once they open it, the ransomware is installed on their system, and the game begins.

Other possible ransomware attack vectors include:

Social engineering
Malware downloads
Directly from a malicious site – something known as “Drive by Downloading”
By clicking on a “malvertisement” or a fake ad
Chat messages
USB devices

Sometimes attackers launch ransomware to exploit network vulnerabilities, and spread to other systems across the organization. This kind of lateral movement can be especially dangerous, because it now involves unlocking and recovering data for not just one device, but multiple devices.

How Does Ransomware Spread?

As we mentioned above, ransomware is easily available to any script kiddie who has the means to acquire it (a script kiddie is someone who can acquire and use a malicious program or code with little to no expertise). With good generic interpreters, they can create cross-platform ransomware, which can spread easily in a very short time. They can also leverage new techniques to encrypt complete hard disks, allowing them to expand the scope and scale of their attacks.

Types of Ransomware

Crypto Ransomware

This ransomware encrypts hard drives, folders and files. Attackers then demand a ransom with the promise of decrypting the data.

Locker Ransomware

It infects the device operating system to completely lock the user out. The lock screen displays the ransom demand, often with a countdown timer, which is used to create a sense of urgency.

Scareware

This fake software dupes a victim into thinking there are security issues on their device, and demands money to eliminate them.

Doxware/Leakware

It hijacks a device, and threatens to publish the user’s sensitive information online unless they pay a ransom.

Most Common Ransomware Strains

Over the years, many ransomware strains have evolved, and continue to cause problems for organizations (and individuals) all over the world. The most well-known ransomware strains are:

Bad Rabbit
Petya
NotPetya
Ryuk
WannaCry
CryptoLocker
CryptoWall
Cerber
Locky
Jigsaw
GoldenEye
REvil

How to Prevent Ransomware Attacks

It’s hard to trace ransomware perpetrators, especially if they demand ransom in anonymous cryptocurrencies. Moreover, modern ransomware is polymorphic, allowing attackers to bypass traditional signature-based security.

However, it is possible to prevent ransomware attacks, or at least minimize their impact by following these best practices:

Use updated security software ( e.g. antivirus and firewall)
Patch and update the operating system
Back-up all data, preferably in the cloud or an external hard drive
Take secure backups, and separate them from original data/files
Educate users on phishing, social engineering, and other possible threat vectors
Avoid using insecure or open WiFi networks

What to Do After a Ransomware Attack

If a system is infected with ransomware, it’s vital to act quickly to mitigate its impact. The important actions to take are:

Quickly isolate the infected device from the enterprise network and the Internet
Disconnect all devices from the network if they are behaving suspiciously
Assess the damage and create a list of infected systems
Identify the ransomware variant and educate all affected users on how to spot the signs of infection
Report the ransomware to the proper authorities
Wipe all infected systems with antivirus/anti-malware solutions
Restore systems from the backup
If a viable backup is not available, look for possible file/data decryption options

If neither backups nor decryption keys are available, the only option is to accept that the files and data are lost forever, and start rebuilding the system from scratch. This can be a painful process, which is why it’s crucial to take regular backups. Periodic vulnerability scans and penetration tests are also a proactive way to find possible weaknesses that may leave the organisation vulnerable to ransomware. .

Conclusion

We hope this article answers your question: what is ransomware?

In 2019, ransomware caused $11.5 billion in global damage. In 2020, this figure jumped to $20 billion. Ransomware is now a lucrative business, and companies everywhere are vulnerable to it. That’s why they must take preventive action to protect themselves and their customers from this threat.

Security Operations Center (SOC): All you need to know

Mon, 06 Sep 2021 09:39:22 GMT

Your organization’s cybersecurity team is kind of like plumbing: when it works, no one really notices, but when it doesn’t work, things get messy. If you are a C-Suite officer at a business, then you know that your network should be protected (we call that “hardened”) against the chances of cyber threats or unauthorized persons getting access to a company’s data. Your company’s data can be anything from intellectual property and financial information to client and employee information, and threats against this information are constant. Your security crew works hard to protect that data against cyber threats in a team known as a Security Operations Center, or SOC.

What Does a Security Operations Center Do?

Your organization’s SOC is the central command post that takes in hundreds of thousands of pieces of information, processes and analyzes them, and responds to potential threats, all while working diligently to prevent both internal and external incidents. They monitor your intranet, customer-facing web apps, all devices (whether printers and desktops, to work-at-home laptops), data servers, and employee activity – in other words, your entire IT infrastructure.

Your SOC’s responsibilities may include any or all of the following:

Taking stock of available resources

The SOC safeguards the entire threat landscape, including different endpoints and software on-premises and servers. If it is connected to the internet or intranet (an intranet is an internal network, cut off from the web at large), they monitor it.

Preparations and preventive maintenance

One of the most important jobs of a SOC team is to work hard to prevent attacks from happening. This is a difficult and far from foolproof task. We lock our doors to keep people from simply walking in, but this won’t prevent someone from breaking our windows with a rock. With that said, your SOC team is going to work hard, doing everything they can to make sure your network is safe, keeping an eye on trends and new attacks, and performing regular hardening and maintenance to your organization’s network.

Alert ranking and management

Your SOC will use automated software to monitor and alert for any potential threats. These tools – known as SIEMs – are growing more sophisticated, but it is still the SOC team’s responsibility to look closely at each alert, dismissing false positives and investigating legitimate (or legitimate-looking) alerts. Your SOC team will then rank legitimate alerts, so that the Tier 2 Analysts (see Roles Within a Security Operations Center below) can know which threats and attacks to deal with first.

Threat response

The moment an incident is confirmed, the SOC will act as first responders. They will shut down or isolate infected endpoints, they will terminate harmful processes, and, if malicious file transfers have occurred, remove those harmful files. Bear in mind, too, that they will do all of this while maintaining business continuity as much as possible.

What Are the Components of a Security Operations Center?

All Security Operation Centers have three components: personnel, tools, and policies.

Personnel

Within this industry, there are many, many automated tools. However, in our experience, no amount of automation can completely replace a person’s instincts and thought-process. The personnel on your team are the ones who will do the hard work of keeping your business, employees, and customers safe. While the size of your team will vary based on needs and budget, all SOC teams, regardless of size, have the following roles:

Manager: As in any industry, the manager leads and manages the group. He or she directs the focus of the day, assigns tasks, and – if needed – fills in for other roles and duties. He can also step into any role if need be.
Analyst: Analysts do exactly as it sounds – they analyze data, mostly in the form of alerts, and triage the severity of the alert. They may also examine other data points, compiling long-term reports of threats, breaches, and successful prevention.
Investigator: Just like an investigator in law enforcement, a SOC investigator looks deeply into breaches, determining how and why they happened, so as to enable the team to harden that area of the network.
Responder : Responding to a security breach is a complex job, and the responder will work closely with the investigator to find the vulnerabilities and fix them. In many cases, the Responder and Investigator are one and the same person.
Auditor : The cybersecurity industry is heavily regulated, and it is the auditor’s job to make certain that your company’s network is in compliance with local and applicable international laws. If you want your official audits to go smoothly, you will want a top-notch auditor on your organization’s SOC team.

Again, how many people you have will depend on your budget. In many cases, smaller businesses will combine several of these roles into one person. In other cases, larger corporations may have multiple analysts, investigators, and responders.

Before we move on to tools, let’s examine the analysts for just a moment. SOC Analysis comes in three tiers. While an analyst in your organization may fulfill the role of one, two, or even all three of these tiers, the tiers are very important.

Tier 1 Analysts

Tier 1 Analysts are the triage nurses of your SOC team. They monitor alerts and network systems, field incoming calls, and collect and compile any data that needs to be escalated.

Tier 2 Analysts

Tier 2 Analysts evaluate internal and external attacks to determine the scope of the incident [whether it was an attempt, an advanced persistent threat (APT), or a breach of data], review event logs, and provide remediation suggestions.

Tier 3 Analysts

These are the threat hunters. They work with an in-depth knowledge of computer forensics, malware reverse engineering and network security. Threat hunters may also be involved in studying zero-day malware (in efforts to discover them on your network) and security logs, looking for the more intricate and minute incidents that the lower-tier analysts may have missed.

SOC tools

Your SOC team is going to rely heavily on a number of tools, including firewalls, Active Directory (if your organization is using Windows), Endpoint Detection and response software (EDR), and many others. One of the most important tools at your SOC’s disposal is a security incident and event management (SIEM) tool, which assesses and monitors data from across the network. It compiles and analyzes the data in real-time, and offers your SOC team the ability to set threshold alerts for any potential threats (for example, if your typical web app traffic has 400 hits per hour, and you suddenly spike to 20,000, this could indicate a number of problems).

Other tools your SOC team may use include:

A sandbox for malware quarantine and analysis
User- and entity-behaviour analytics (UEBA)
Security orchestration, automation and response (SOAR), and
Ticketing software

Procedures and policies

Security operations center personnel rely on policies and procedures to keep your network safe. These can include detailed responsibilities for each member of the team, security policies such as password requirements and least-privilege practices, and procedures for alert analysis, threat detection, and compliance monitoring. Now, your SOC should also be making efforts to adapt and update policies and procedures often, making sure that they are working efficiently and to the best of their abilities. One valuable tool that your SOC can use to help revamp policies is the use of Key Performance Indicators (KPIs). There are several parameters that these KPIs can measure, but some of them include:

The time between incidents and threats (How vulnerable is the network? Where can it be strengthened?)
Average incident detection time (Meant Time to Detection, or MTTD)
Average time from discovery to remediation (Mean Time to Recovery, or MTTR)
Incidents by device (which may indicate an insider threat)
Number of incidents per analyst (is your team understaffed? Can they take on more responsibilities?)

What’s the Difference Between a SOC and a NOC?

It is very easy to confuse your Network Operations Center (NOC) with your Security Operations Center (SOC). Though they will often work together, they are not the same thing. Here are some of their differences:

Your NOC is tasked with keeping your network up and running, while your SOC is tasked with keeping the network secure.

Your NOC is important and vital to your organization, but the SOC is far more specialized in what they do. It is the difference between a family doctor and a neurologist.

SOC challenges

Shortage of Cybersecurity Skills

The need for cybersecurity professionals is rapidly outgrowing the number of cybersecurity professionals who are entering the field. This is confirmed when recent studies have shown that not only are SOCs understaffed, but unemployment within the cybersecurity industry is almost zero. Understaffed organizations aren’t having trouble finding good employees, they are having trouble finding any employees.

Too Many Alerts

This shortage of staff is a problem in and of itself, but couple this with the rapidly-evolving threats and attacks that are out there, and SOCs are finding that their SIEM alerts are coming in at an overwhelming pace. This is leading to lengthened MTTDs (see “Procedures and Policies” above), longer MTTRs, and something known as “alert fatigue” – simply employee burnout.

Operational Overhead

Another challenge facing the SOC is the challenge that faces all aspects of a business: the budget. Cybersecurity networks in an organization experience different and many threats, and funding all of them at a go can be challenging. Most organizations have difficulty in obtaining the funds needed to maintain an adequate capability.

Compliance Requirements

The final challenge we will touch on briefly is compliance requirements. The cybersecurity industry must adhere to legislation and regulation requirements, requirements which are often made by people who do not work in the industry. This is a challenge because, while many of these regulations are good (for example, protecting credit card information), regulations also run the risk of slowing things down and tying hands.

Automating SOC operations with SIEM + SOAR solutions

SIEM tools are some of the most powerful tools at your organization’s disposal. They collect and compile data from different sources within your network, offering insight for your SOC team to quickly detect and respond to external and internal attacks, gather more intelligence, minimize risks, and in general offer more network visibility to your team.

Evolve Security Automation

One solution to all of this – budget constraints, automation, reducing alert fatigue – is to invest in our Evolve security automation system. It offers on-demand security capabilities with flexible pay-as-you-go pricing models, while automating and streamlining security operations. It delivers a new level of deep security expertise, without blowing up your security budget. Request a demo here .

Conclusion

Every organization needs tight security. Incorporating SIEM and outsourcing most of your SOC functionality to staff or third-party service providers can certainly help your in-house team, but in order to make sure you have the best SOC to suit your needs, you must identify what your security needs are, address the important security questions a SOC is supposed to answer, and then find the solution that your organization needs. Please feel free to contact us. We’d be happy to help you get started on this journey of giving you the piece of mind that your network is secure, and your SOC team is perfectly-chosen to meet your needs.

Cybersecurity for Healthcare: Challenges and Best Practices

Mon, 30 Aug 2021 09:53:36 GMT

In 2020 , there were over 800 attempted attacks per healthcare endpoint – a whopping 9,581% increase over 2019. While the COVID-19 pandemic is largely responsible for this upsurge, these disquieting facts show that the need for cybersecurity for healthcare is greater than ever.

What is Cybersecurity for Healthcare?

In almost every month of 2020, over 1 million people were affected by data breaches against healthcare organizations. Furthermore, at $7.13 million , the average total cost of a breach was the highest in the healthcare industry. In 2021, this has risen to $9.41 million .

Healthcare organizations are vulnerable to cyber attacks because they possess valuable information that’s very attractive to cybercriminals:

Patients’ protected health information (PHI) and personally identifying information (PII)
Patients’ financial information
Organizations’ intellectual property

This data resides in assets like:

Hospital information systems
Remote patient monitoring devices
Internet of Things (IoT) devices
Legacy medical devices
Communication systems

Cybersecurity for healthcare protects electronic data and digital assets from unauthorized access, use, disclosure, manipulation or theft. This aim underpins the importance of cybersecurity in healthcare.

Healthcare Cybersecurity Threats

Ransomware

Ransomware is a huge threat in the healthcare industry. A threat actor deploys ransomware on a medical system to encrypt its files and/or data, and then demands a ransom from the victim to unlock them. In 2021, healthcare ransomware attacks cost an average of $4.62 million per incident.

Phishing

Attackers send fake emails that mimic emails from reputed healthcare organizations. Such attacks are successful because victims are often fooled into disclosing sensitive information with high financial value.

HTTPS Spoofing

Hypertext Transfer Protocol Secure (HTTPS) spoofing is an increasingly common problem for cybersecurity in healthcare 2021. Hackers clone the website of a real healthcare organization and fool users into visiting this fake website, and sharing critical information that they would not have shared if they knew the truth.

Man-in-the-Middle (MitM) Attacks

In a 2020 survey, 62% of healthcare organizations said they had been a victim of an MitM attack in the prior five years. In such attacks, hackers place themselves between healthcare providers, or between patients and providers, to gain unauthorized access to sensitive data. They may also introduce ransomware into patient records, and deny access to them unless the victim pays a ransom.

Malicious Network Traffic

This has been one of the biggest threats to cybersecurity in healthcare 2020 and 2021. Malicious traffic is a connection, file or link created and received over a corrupted or exposed network. It executes malicious operations like illegal software downloads and snooping, or leads to other problems like malware downloads, ransomware attacks or cryptojacking.

Healthcare Cybersecurity Challenges

More Connected Medical Devices

Over the past decade, the use of hyper-connected medical devices has exploded. However, a majority of these devices still operate on legacy platforms, meaning many are not patched properly. These security weaknesses leave healthcare organizations vulnerable to cyberattacks.

Patient Information is Valuable

On the black market and the Dark Net, patients’ medical records are sold for hundreds of dollars. According to Trustwave, a single healthcare data record may be valued at up to $250 .

Remote Access of Devices

With the rise in remote care and telemedicine, medical professionals often use insecure or vulnerable devices to remotely access patients’ medical data. Bad actors could gain control of these devices to steal patients’ data, and even risk human lives.

Inadequate Healthcare Cybersecurity Training

Inadequate healthcare cybersecurity training means that healthcare professionals are not aware of cyber risks, and therefore cannot protect the organisation, patients and themselves from cyber attacks and data breaches.

Cybersecurity Regulations for Healthcare

To secure themselves from cyber threats, healthcare organizations must follow the standard cybersecurity frameworks created by regulatory bodies. One such general framework is the NIST Cybersecurity Framework . It enables healthcare providers to establish processes to minimize cyber risk and identify areas for improvement.

A critical healthcare-specific cybersecurity regulation is the Healthcare Information Portability and Accountability Act (HIPAA). HIPAA directs healthcare companies to protect patient electronic PHI and enforce patient confidentiality.

Other cybersecurity healthcare regulations in the U.S. include:

Internet of Medical Things Resilience Partnership Act
Medical Device Cybersecurity Act of 2017

Healthcare Cybersecurity Best Practices

Healthcare organizations must protect their devices and data by following some cybersecurity best practices.

Ensure Uninterrupted Adherence to HIPAA

Between 2003 and 2020, there were almost 75 cases of HIPAA non-compliance that resulted in fines of over $116 million. HIPAA non-compliance for healthcare organizations can be very expensive. That’s why they must comply with the two key components of HIPAA related to healthcare data protection:

HIPAA Privacy Rule: Implement safeguards to protect patients’ PHI
HIPAA Security Rule: Secure the use, creation, receipt, and maintenance of patients’ electronic PHI

Implement Adequate Security Controls

In addition to HIPAA-mandated controls, healthcare organizations should also implement other controls to protect data and assets. One is to ensure that patient information is only accessible on a need-to-know basis. Application control and whitelisting of devices, users and applications are also critical.

Maintain Secure Backups

All healthcare providers must maintain secure data backups at offsite locations – ideally a HIPAA-compliant cloud server – so they can access it in case of a breach. Ideally, the backups must be part of a larger business continuity and data recovery plan.

Encrypt All Data

To protect data from intruders, organizations must encrypt both in-transit and at rest data.

Conduct Regular Risk Assessments

Cybersecurity for healthcare should not be an intermittent effort, but a regular and consistent one. Regular risk assessments enables healthcare organizations to spot cybersecurity weaknesses, and quickly fix them before they can lead to data breaches or other kinds of cyber threat events.

Conclusion

Some critical healthcare cybersecurity statistics 2020:

Over the last year, healthcare cybersecurity attacks have risen by 55%
Hacking incidents comprised 62% of patient data breaches
In 572 incidents, more than 41 million patient records were breached

Cybersecurity for healthcare providers is a huge concern. Healthcare organizations must not ignore these risks, but take proactive action to strengthen their cybersecurity posture. Evolve provides strong, highly capable tools designed for cybersecurity for healthcare, get a quote with our cyber security expert.

Automated Incident Response: What It Is, Tools and Use Cases

Mon, 23 Aug 2021 10:12:33 GMT

In the first half of 2021, global cyber attacks jumped 29%, compared to the same period in 2020.
(Checkpoint).

Cyber attacks and data breaches pop up on security radars with alarming frequency. If your organization does not have a powerful and timely process to respond to such security incidents, it remains vulnerable to all kinds of threats, including ransomware, phishing attempts, zero-day exploits, Man-in-the-Middle (MitM), Distributed Denial-of-Service (DDoS) attacks, and SQL injections, to name just a few.

Even if you do have an incident response process, you may be struggling with issues like:

Inability to effectively integrate people, processes and security infrastructure
Staying ahead of clever attackers armed with sophisticated tools
Fragmented, sub-optimal workflows that increase threat exposure
False positives creating alarm fatigue among security teams

The most effective way to eliminate such challenges, improve threat response and boost cyber defence is through automated incident response.

What is Automated Incident Response?

When you see the term Incident Response , what that refers to is an organization’s ability to identify and investigate attacks and breaches, and reduce their impact. We call this process, Assess and Mitigate. This has often been done in the past with human elements monitoring traffic, investigating suspicious activity, drafting procedures when new threats arrive, etc. However, as the name suggests, automated incident response eliminates the human element from the process. It automates repetitive tasks, expedites threat detection and response, and provides ‘round-the-clock defence, allowing your SOC team the time and space to further develop and strengthen your security posture in other ways.

How to Automate Incident Response and Detection with the Right Tools

It’s critical to expedite the incident response process in order to minimize the potential damage of a cyber incident. Manual analyses of events are rarely feasible, and neither are manual reviews of every alert raised by security tools. Automated incident response addresses these limitations.

The right technology platform is essential to automate incident detection and response. Such tools provide integrated workflows, automated scripts and pre-built tasks, so the organization’s security infrastructure can automatically take actions for threat detection, response, containment, and closure.

When selecting an automated incident response tool, it’s important to consider which part of the process should be automated. It’s also useful to remember that there are different tools available for:

Data gathering and analysis
Response procedure automation
Forensic investigations
Complex incident response and management

The below considerations are also important when selecting an automated incident response platform:

If the tool will run on analyst workstations or be deployed as a server
If agents will be deployed on specific machines
If it requires integration with security tools

A Security Orchestration, Automation and Response (SOAR) tool provides one of the best ways to automate the incident response process. By leveraging SOAR (defined here by Gartner), security teams can effectively triage alerts, respond quickly to critical cybersecurity events, and deploy an efficient incident response program.

Benefits of Automated Incident Response

Automate Manual Security Processes

Instead of wasting time on manual incident response tasks, security teams are better off investigating and responding to genuine and serious security events. Automated incident response enables them to do exactly that. From alert notification and correlation, to initial investigation, triage, ticket generation and report generation – automating these tasks enables analysts to focus on areas where their skills and inputs are most required.

More Efficient Security Operations

Automation brings advanced proactivity, consistency, and speed to incident detection, response, and mitigation. Instead of manually copying and pasting evidence of a threat, analysts can focus on stopping attacks before they cause irreparable harm. Security operations also become more efficient as they improve mean-time-to-resolution (MTTR).

Generate Critical Insights in Real Time

An automated incident response platform can report on relevant metrics in a centralized dashboard, allowing security personnel to prioritize incident response activities and optimally manage security alerts at scale. Notifications can be automatically enriched from varied security intelligence sources to provide greater insight into the threat environment, and further improve incident response.

No More Alert Fatigue

For many organizations, security tools generate an overwhelming number of alerts. To determine whether these alerts refer to genuine threats or false positives, analysts have to manually review each alert. This is fine as long as alerts are low, but for most businesses and organizations, SOC teams can spend days tracking down one day’s worth of alerts. This leads to what we call alert fatigue. Alert fatigue often results in genuine issues being ignored, which makes the organization far more vulnerable. Automated incident response takes care of this problem by completely eliminating the human element from alert analysis and response. This benefit also enables security teams to analyze and remediate more threats, and thus strengthen enterprise security.

Automated Incident Response: 5 Key Use Cases

Automated incident response has a number of applications and use cases. Here are just five of them:

Automatic Firewall Updates

Security staff can automatically update the enterprise firewall to block malicious IPs as soon as they’re detected.

Limit Malware Damage

The automation of tasks, such as gathering forensics data, disconnecting infected systems from the network, and running vulnerability scans, can speed up malware investigation and removal.

Breach Investigation

Investigating a breach requires repetitive, manual actions like log reviews and data analysis. Automated solutions with log management capabilities eliminate this need, delivering all required investigation data in a compiled, easy-to-digest format.

Block Communications with Malicious Domains

Sometimes, organizations discover traffic to or from a known malicious domain. This traffic must be blocked as they investigate the potential intrusion. It’s faster and easier to take such actions – and then move from detection to response – with automated incident response.

Prevent Ransomware Infections

An automated incident response tool generates actionable threat intelligence, performs regular vulnerability scans, and raises alerts about at-risk systems – all of which enable the organization to build a proactive, protective shield against ransomware attacks.

Evolve Automated Incident Response

Traditional approaches to incident response are very slow and often fail to address legitimate issues, leaving your business exposed for days or even weeks. This is where Evolve steps in.

As soon as suspicious activity is identified, our Evolve Security Automation platform triggers Automated Incident Response procedures to ensure the incident is contained as quickly as possible, minimizing any negative impacts to your organization. With Evolve you’ll have:

Automated Incident Detection
Automated Incident Response Evidence Collection
Automated Incident Response Evidence Analysis

Request a demo here .

Conclusion

A robust incident response process is critical to every organization’s cybersecurity infrastructure. Because manual processes cannot always provide the proactivity, fast response, or real-time mitigation required to deal with modern threats and threat actors, however, new tools have been developed to help counteract these increasingly complicated threats. Automated incident response provides the solution to these limitations. By investing in automated tools, organizations can strengthen their cybersecurity posture and set themselves up for success.

DevSecOps: A Comprehensive Guide

Mon, 16 Aug 2021 10:27:34 GMT

One of the newer buzzwords circling in business, IT, and cybersecurity circles is DevSecOps. To those unfamiliar with it, it sounds like gibberish, but that couldn’t be further from the truth. The first half of 2020 alone saw nearly a dozen 0-day attacks, and software developers are working constantly on patches to try and combat this (an example of this is Microsoft, which rolls out software patches once a month), but such patches are often too late. Furthermore, fixing a software issue after it has been released can cost up to 100X more than fixing it while it’s still in development.

Clearly, organizations cannot afford to wait to secure their software applications. The costs of doing so are simply too high – not only financially, but also in terms of lost customers and a damaged reputation. As a result, developers are now under pressure to identify security gaps early and close them before they can be exploited by bad actors. Here’s where DevSecOps comes in.

What is DevSecOps?

DevSecOps is about shifting security in the Software Development Lifecycle (SDLC) “to the left” (i.e., earlier). In practical terms, DevSecOps (short for Development, Security and Operations) enables development teams to incorporate strong security measures into the SDLC from the outset, making software development and security a collaborative approach. In other words, security is “baked in early,” not “tacked on later.”

This new approach to security differentiates DevSecOps from traditional SDLC practices. In the latter, security considerations entered late, and were the sole responsibility of specific teams in the final stages of development and testing. Sometimes teams even ignored or postponed security reviews and fixes to speed up time-to-market. This resulted in insecure code that made the final product vulnerable to data breaches and other cyberattacks. DevSecOps is a radical departure from this sub-optimal approach, since it integrates strong security practices from the very beginning – and at every stage – of the SDLC.

DevSecOps focuses on:

Test-driven security (TDS) : Write security tests representing desired behaviours, then implement the necessary controls
Continuous monitoring and response : Implement strong processes for issue logging, intrusion detection, and incident response
Risk assessment and security testing : Evaluate application security with vulnerability scanning and configuration auditing

What is the Goal of DevSecOps?

In the past, when development cycles were long – extending for months or even years – a “development first, security later” approach was acceptable. But now, when cycles are much shorter and organizations are looking to become more agile and flexible, the older approach just doesn’t work. DevSecOps is about incorporating security into the entire SDLC, enabling development teams to find and fix any issues early on before they move down the SDLC and cause bigger problems later.

DevSecOps Benefits

Faster, Cost-effective Application Delivery

As a collaborative approach, DevSecOps roles and responsibilities are intertwined and interdependent. Development, Operations and Security teams share responsibility for security from end to end. By shifting left, they can speed up security testing and raise the assurance level within the SDLC. They can also quickly fix any issues to accelerate delivery and avoid costly, time-consuming rework.

Think about it this way: if you are building a house, you don’t wait until the walls are up, the roof is on, and everything is painted and furnished before you check to see if the floors are level. By then, fixing the issue can be costly and time-consuming. You do that early on, so that it is easier to fix if things are off. You do the same with corners, walls, rafters, etc. The DevSecOps approach was designed and developed to help prevent costly and time-consuming security issues later.

Proactive, End-to-end Security

Security teams share feedback and insights on known threats so developers can code with security in mind. The DevSecOps pipeline includes continuous – often automated – security checks, threat monitoring and vulnerability scanning. This mitigates risks that may otherwise impede the delivery schedule, and negatively impact the application and end-users.

Accelerated Vulnerability Fixes

With the DevSecOps model, teams run security checks as part of the build. As a result, they can find common vulnerabilities and exposures (CVE) early, allowing them to fix them faster. If there is a security incident, DevSecOps helps speed up recovery, so there’s less disruption to delivery, deployment and time-to-value.

Security Automation Compatible with Development Goals

Security automation in DevSecOps enables teams to accelerate innovation with new technologies like containers and microservices. They can also integrate security-driven coding and testing into the SDLC with minimal disruptions to the delivery schedule. Automated test suites are also useful in a Continuous Integration/Continuous Delivery (CI/CD) pipeline.

Getting Started with DevSecOps

To transition to the DevSecOps model, organizations must change the way they view security, and how they achieve it.

In a recent survey :

42% of respondents said testing happens too late in the SDLC
36% reported it was hard to understand and fix discovered vulnerabilities
31% found it hard to prioritize vulnerability remediation
29% of security team members said that everyone should be responsible for security

Making security an intrinsic part of the DevOps process is the most efficient answer to these challenges. This requires regular conversations about security, integrating policy-as-code within the DevOps workflows, streamlining workflows, and centralizing playbooks.

It’s also critical to incorporate several key processes into the DevSecOps model:

Regular and iterative code analysis
Streamlined change management
Maintaining consistent and continuous compliance (e.g. with GDPR)
Threat investigation and response
Vulnerability assessment and patching
Secure coding training

Conclusion

The modern software development landscape demands speed and agility from organizations. By integrating development with security, DevSecOps helps teams create more secure, better-quality software that meets their customers’ needs. It also provides greater control over release cycles and creates a strong foundation for application modernization and digital transformation. The shift to DevSecOps requires some effort on the part of teams, but the things in life that are most worth it require effort. In the long run, the effort to move to a DevSecOps model is always worth it.

How to use Windows as an Evolve Virtual Appliance

Tue, 10 Aug 2021 10:58:58 GMT

Evolve provides the ability to generate pre-configured Evolve Virtual Appliances for a variety of platforms, such as VMware, Hyper-V, AWS, Azure and Docker – as detailed within our Getting Started with the Evolve Virtual Appliance blog post.

In addition to these platforms, a Windows host can always be utilised as an Evolve Virtual Appliance, as detailed in the steps below.

Step 1 : Download the VPN Gateway configuration from the Evolve Console. Navigate to Security Zones > Gateways and click the Download button for the relevant VPN Gateway:

Step 2 : Evolve will provide a ZIP file with the required configuration files, including your corresponding Evolve Certificate for trusted encryption and authentication.

Step 3 : Download an OpenVPN client from the following source:

Windows: OpenVPN Client Connect For Windows | OpenVPN

Step 4 : Unzip VPN gateway configuration into the:

C:\Program Files\OpenVPN\config

Step 5 : Rename evolve.conf to evolve.ovpn

Step 6 : Navigate to the Control Panel > Network and Sharing Centre > Change Adapter Settings. Enable Internet Connection sharing on your LAN interface, typically named Ethernet, selecting the OpenVPN TAP interface to share with:

Step 7 : Change OpenVPN TAP interface back to DHCP addressing*:

Step 7.1:

Step 7.2:

*The sharing will set a static IP, which we don’t want.

Step 8 : Connect VPN, there will be an OpenVPN GUI as an option:

Step 9 – Done!

You’ll see traffic going across VPN to host on the network:

And traceroute too:

Now that we’ve shared how to use Windows as an Evolve Virtual Appliance, book a demo with our Cybersecurity Experts and see how Evolve can augment your security team with specialist security automation and orchestration capabilities.

Cybersecurity in Finance: Risks and Mitigation Strategies

Mon, 09 Aug 2021 14:19:45 GMT

In 2017, Equifax, an American credit reporting agency, was the victim of a massive data breach. In just a couple of months, hackers stole personal/sensitive information on 147 million people. In January 2020, the FTC confirmed that Equifax would pay $425 million to the victims.

Cybersecurity in the Financial Services Market: Why It Matters

By 2025, the global financial services market is expected to grow to $28,529 billion. The industry remains one of the key drivers of the global economy.

In general, cybersecurity incidents continue to plague the sector, particularly following COVID-19. In fact, since the pandemic began, 74% of financial firms have experienced a rise in cyber crime, including data breaches, ransomware and phishing, fraud, and account and money theft. The average cost of a data breach in the sector is $5.83 million , compared to $3.86 million across all sectors. For all these reasons, financial firms must become more aware of the cybersecurity threats to the financial sector.

Cybersecurity Threats to the Financial Sector

Regulatory Inaction

Regulations in the financial industry protect customers from fraud, and prevent companies from taking excessive risks. Laws like Sarbanes-Oxley (SOX) and standards like Payment Card Industry Data Security Standards (PCI-DSS) are part of this regulatory regime. Without them, financial companies and customers are vulnerable to cybercrime.

However, many financial firms face cybersecurity compliance challenges due to:

Increased use of endpoint devices: More devices, more risks
Cloud adoption: Data and asset sprawl make tracking and control difficult, and increases cybersecurity risks

It can also be challenging to stay updated with evolving compliance regulations.

Human Errors: Employees and Third Parties

In 2019, 53% of breached organizations revealed that human error was the primary cause of the breach (Shred-it). Many errors originate from clueless employees, using weak passwords, mis-sending email, using unauthorized software, and other poor cybersecurity hygiene practices.

Careless vendors or suppliers are also a huge cybersecurity threat to the financial sector. In 2019, data breaches linked to vendors (“Supply Chain Attacks”) increased the average cost by $207,411 . Greater interconnectivity creates more entry points and exploitable vulnerabilities that introduce more cybersecurity risks.

External Threat Actors

Malicious ex-employees and external threat actors are also a serious source of cybersecurity threats to the financial sector. In 2020, 56% of attacks against financial institutions were carried out by external threat actors motivated by financial gain (Verizon), usually via:

Credential attacks
Phishing
Ransomware

Social engineering attacks accounted for 81% of data breaches (Verizon), where criminals stole PII, credentials, and bank data.

State-sponsored Attacks

State-sponsored attacks are a serious concern for the financial services industry. Unlike individual attackers, their goal is not financial gain, but to steal and exfiltrate PII, financial secrets or intellectual property.

The intruders break into a network, implant malware, and maintain an imperceptible presence until they can siphon off the targeted data. The good ones can even cover their tracks to avoid discovery.

Cybersecurity Strategy For Financial Institutions

Following numerous cyberattacks on financial institutions in 2020, cybersecurity in the financial industry is more vital than ever. Here are some ways financial firms can protect themselves.

Establish a Formal Cybersecurity Framework

Financial institutions can manage cybersecurity risk with a robust cyber risk management framework. Numerous tried-and-tested frameworks already exist, so they don’t need to start from scratch:

In addition, the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook provides comprehensive guidelines to help financial firms improve their security and compliance.

Assess and Manage Vulnerabilities

In 2020, scanning and exploiting vulnerabilities were among the top infection vectors (IBM). As more vulnerabilities are discovered, the risk surface will grow. This is a particularly serious problem for financial institutions, since they manage massive amounts of data and money.

Other key developments that create significant cybersecurity vulnerabilities:

Increasing number of apps in enterprise IT
Growth of shadow IT
Remote work
Bring Your Own Device (BYOD) policies
Adoption of Internet of Things (IoT) technology

To mitigate these risks, financial organisations must proactively assess and eliminate open vulnerabilities. Other strategies like regular software updates/patches and penetration testing are also crucial to boost cybersecurity in finance.

Adopt Continuous Security Monitoring

As threats evolve, financial companies are at risk of data theft, credential compromise, extortion attempts, and even espionage. This is why continuous security monitoring (CSM) is a must for effective cybersecurity in finance.

CSM is an automation-powered threat detection strategy where the IT ecosystem is continuously scanned to find security weaknesses. When gaps are discovered, alerts are sent to a Security Incident And Event Management (SIEM) system . The approach enables companies to boost security, manage vendor risks, and improve compliance.

Manage Third-party Risks

Third-party risk management should be a component of the cybersecurity policy for financial institutions. It enables firms to identify and mitigate security risks arising from third-party vendors, partners, and suppliers.

For maximum effectiveness, companies must continuously catalogue risks, assign risk levels to each vendor, verify their security posture, and use this information to guide their cybersecurity strategy. They must also limit third-party access to critical assets and data.

Invest in Employee Cybersecurity Training

Since human errors are common causes of cybersecurity breaches in the banking industry, it’s vital to build a cyber-aware workforce. Employees must be trained on the various cybersecurity risks and the best practices to prevent breaches.

The program should teach them how to spot phishing schemes, strengthen password security, and guard against social engineering attacks. It should also demonstrate the risks of remote work, and how to mitigate them effectively.

Conclusion

Financial organizations are becoming an increasingly lucrative targets for cybercriminals. However, they can boost their cyber defences to evade threats and protect their assets and customers.

For strong cybersecurity in finance, they must take a holistic, multi-pronged and balanced approach. This means they should invest in both technological and human solutions. Failing to do so could be catastrophic.

A Guide to Endpoint Detection and Response (EDR)

Mon, 02 Aug 2021 14:58:07 GMT

In an enterprise network, an endpoint is any device that occupies one end of a communication channel. This may include:

Desktop computers
Laptops
Printers
Servers
Mobile phones
IoT devices
WiFi access points

Simply put, if a device is connected to a network, it is an endpoint.

Endpoint security is concerned with protecting these endpoints from malware, ransomware, phishing attacks, zero-day attacks, and other threats. Over the years, it has evolved from traditional antivirus software to now include firewall services, web filtering, and email filtering. Yet even with all of these important components, one of the most vital components of endpoint security today is Endpoint Detection and Response (EDR).

What Is Endpoint Detection and Response?

In 2013, Gartner’s Anton Chuvakin suggested the term Endpoint Threat Detection & Response (ETDR) to describe the “tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.”

ETDR eventually became EDR.

What are the Benefits of Endpoint Detection and Response?

Endpoint Detection and Response is one of the two critical pieces of the endpoint security puzzle – the other being an Endpoint Protection Platform or EPP. Often, EPP and EDR are combined to create an integrated, multi-layered approach to endpoint security.

An EPP solution goes beyond the limited capabilities of antivirus tools to offer better protection, even against advanced threats. However, while it can identify vulnerabilities and prevent attacks, it cannot take action if active threats have already moved past endpoints. This is where an EDR solution can be a valuable addition to an endpoint security program.

EDR expands EPP support by collecting and analyzing data from network endpoints to actively neutralize attacks. Instead of reactive, detection-based cyber defence, EDR proactively identifies and removes threats, and prevents them from causing too much damage. It also remediates endpoints to pre-infection state. Once an attack is stopped, the EDR can be used to trace its source and prevent similar attacks from recurring.

With real-time continuous monitoring, endpoint data analytics, and rule-based automated response, an EDR can stop an attack at the earliest signs of detection, and often before the human security personnel even realize the threat exists.

EDR Use and Capabilities

Endpoint Detection and Response tools:

Monitor and collect activity data from endpoints
Analyze this data to identify vulnerabilities and threats
Automatically respond to threats to remove or contain them
Notify security personnel about the threat and its removal
Trace threat source to prevent recurrence

As EDR tools monitor endpoints and network events, they record this information in a central database, where the data is then analyzed, investigated and reported on. They also identify internal threats and external attacks, and respond to them automatically to minimize their damaging impact.

Endpoint Data Collection Agents

A software agent installed on host systems enables Endpoint Detection and Response tools to monitor endpoints and collect data about them, such as running processes, data transfers, logs, configurations, files, activity volumes and connections. It then places this data into a centralized threat database. This information can be contextually enriched to help security teams identify irregularities or anomalous trends that may indicate signs of an attack.

Data Analytics and Threat Hunting

An EDR tool may provide both real-time analytics and forensics tools. The analytics engine searches for patterns, and enables fast analysis of threats that may not fit the software’s pre-configured rules. Forensics tools are ideal for establishing timelines and analyzing the source of an attack that has already happened. They provide a combination of current situational data and historical data to guide the actions of security teams, and help prevent recurrence. They also enable security personnel to hunt for threats (e.g. malware) that may be lurking undetected on endpoints.

Real-time Visibility

Endpoint Detection and Response tools provide real-time, full-spectrum endpoint visibility so security teams can view the activities of bad actors as they attempt to breach the endpoint, and take action to stop them immediately.

Behavioral Protection

Effective EDR tools (such as Evolve’s SIEM and EDR tools) adopt a behavioural approach, carefully monitoring typical user activities in order to search for Indicators of Attack (IOA). Anomalous activity is then flagged before a compromise or breach.

Automated Incident Response and Remediation

EDR provides rule-based automated response to any detected threat. These pre-configured rules recognize when incoming data indicates a threat, and trigger an automatic response to mitigate or deflect it. The response could be to send an automatic alert to a security administrator or log the suspected user off of the network.

Incident Triage

An EDR solution can automatically triage and validate potentially suspicious events. This enables security teams to prioritize investigations and focus their efforts on the incidents or threats that truly matter, saving valuable time and resources in the prevention of chasing false flags. It also reduces “alert fatigue,” which will help both the morale and longevity of your employees!

Threat Intelligence

Integrated threat intelligence capabilities provide additional context and details about current threats and adversaries, and their characteristics. This strengthens the EDR’s ability to identify, respond to, and neutralize attacks.

Evolve’s On-demand SIEM and EDR Capabilities with Unlimited Agents

Evolve’s on-demand SIEM and EDR capabilities provide comprehensive visibility across all endpoints. Unlimited and easy-to-deploy EDR agents work in tandem with the SIEM to provide immediate information and alerts about security breaches and malicious activities.

The EDR applies powerful behavioural analytics to automatically detect suspicious behaviours and stealthy attackers. It can easily be scaled to meet changing business requirements. For more information, download our Evolve On-demand SIEM and EDR Capabilities brochure here .

Conclusion

Endpoints have increasingly become common entry points for malicious actors. That’s why it’s important to continuously monitor them and catch threats and attacks before they spread. Endpoint Detection and Response provides the means to do so, with improved endpoint visibility, contextualized threat hunting, rapid threat investigations, and automated remediation. All in all, EDR is one of the best investments modern organizations can make.

A Guide to Mobile Application Penetration Testing

Sun, 25 Jul 2021 20:19:56 GMT

Penetration testing is one of the best and most thorough methods for checking perimeter defenses and weaknesses. Its versatility (it can be used across an IT infrastructure’s entire spectrum, from the database security, web applications, and the network) makes it the ideal tool for testing security.

What is Mobile Application Penetration Testing?

Compared to other electronic devices, our dependence on phones has grown exponentially. We use them in healthcare, banking, education. . . well, just about everything. With that expansion, of course, come new vulnerabilities. And just as many organizations are struggling to keep up with their network security, managing security risks has become a challenge.

The good news is that mobile application’s security vulnerabilities do not differ much from vulnerabilities in web applications. Because frameworks and guides (such as OWASP) exist to work with networks and web applications, the frameworks and guides for mobile security also exist. Let’s take a look at some of these.

Mobile Application Penetration Methodology

Mobile Application Penetration Testing Methodology is primarily concerned with hardware, file security, and network security. MAPTM has the following stages:

Discovery
Analysis/Assessment
Exploitation
Reporting

Discovery

Also often called the Reconnaissance stage, in the Discovery stage, the pentester must collect all the crucial information required to successfully exploit mobile applications. This ability to uncover hidden clues and seemingly insignificant vulnerabilities can be the difference between a successful pentest and an unsuccessful one. The process involves:

Open Source Intelligence (OSINT) – the pentester searches for information from social networking sites and search engines, leaked source codes via developer forums, source code repositories, and the dark web.

Understanding the platform – to aid in developing a threat model, a pentester should learn and understand the mobile application platform (e.g, Are there known vulnerabilities that perhaps have not been patched?).

Client-Side vs. Server-Side Scenarios – the pentester should also understand the type of application he or she is testing, considering such factors as the application’s network interfaces, session management, user data, rooting behaviour and jailbreaking communication with other resources.

Analysis or Assessment

The Analysis and Assessment phase requires the pentester to go through mobile application source codes and identify potential weaknesses and entry points that can be exploited. The different MAPTM assessment techniques include:

Local File Analysis – the pentester checks the files written on the file system by the application to check for vulnerabilities.

Archive Analysis – the pentester checks to see if the data at rest is safe. Can the pentester access files that are being stored on a disk? Can the pentester use one app to access the files and history of a different app?

Reverse Engineering – the penetration tester decompiles applications into readable code. This allows the tester to examine the apps’ internal files and search for vulnerabilities. For reverse engineering, the following tools are available:

iOS – class-dump-z, otool
Android – JD-GUI, dex2jar

Inter-Process Communication Endpoint Analysis – The tester reviews different endpoints on the applications’ IPCs. The assessment is done on:

Content Providers – ensuring that they can access the databases
Intents – these are signals used to send messages between the components of the Android system
Activities – these are user-facing components of an app, such as your browser screen.
Services – these run from the background and quietly perform tasks, though they may not have a specific running app associated with them.

Exploitation

Once the tester has uncovered existing vulnerabilities, it is time to exploit them. This is exactly what it sounds like: behaving “maliciously” in order to see how far he or she can damage the system. Can we upload a SQL-injection into a website? Can we intercept and decrypt traffic?

Exploitation involves one other thing, too, and that involves privilege escalation. If the pentester can gain root access or admin privileges, then there will be no restrictions on the activities that he or she can perform, even going so far as to install a backdoor into the system: creating his or her own private username and password.

Reporting

The report is exactly what it sounds like: an account of any discovered vulnerabilities, as well as the full extent of successful exploitations. The report should be detailed, and should include plenty of supporting documentation (e.g., screenshots).

All in all, the most successful penetration tests include a thorough examination of each component of a system, making use of a wide variety of tools. So, what kind of testing tools are available? Let’s take a look.

Mobile Application Penetration Tools

Among the mobile application penetration testing tools used on both Android and iOS devices, these are some of our favourites:

Quick Android Review Kit (QARK) – a framework for exploiting and auditing Android applications
OWASP Zed Attack Proxy Project (ZAP) – a free security tool that helps pentesters automate the process of finding security vulnerabilities in both mobile apps and web applications
Drozer – a framework for testing Android security
Frida – a dynamic instrumentation toolkit for reverse engineers, developers, and security researchers
Android Debug Bridge (ADB) – though not a penetration testing tool, it is a versatile command-line tool for communicating with Android devices.

OWASP Mobile Security Testing Guide (MSTG)

The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for reverse engineering and mobile app security testing for Android and iOS mobile security testers. It gives guidelines for the following:

Basic static and dynamic security testing
Mobile platforms
Assessing software protections
Mobile app reverse engineering and tampering
Security testing in the mobile app development lifecycle

Mobile App Security Requirements and Verifications

The OWASP Mobile Application Security Verification Standard (MASVS) is, as the name implies, the standard for mobile app security. This is particularly useful for software architects and developers as they seek to develop secure mobile applications.

Mobile App Security Checklist

The current checklists for both MASVS and MSTG can be found on Github, in English, French, Spanish, and Japanese.

Mobile Application Penetration Best Practices

Some of the best Mobile Application Penetration Practices include:

Creating a detailed plan
Picking the right penetration testing tools
Preparing a thorough penetration testing environment
Managing time wisely
Launching server attacks
Remaining focused, patient, and being thorough
Launching network attacks
Making use of source instrumentation
Always practising to sharpen your skills
Conducting both file-level and binary analyses.

Conclusion

One final thought: it’s good to note that each penetration testing environment is different from the other. To ensure the best results, be flexible: choose and modify the best practices that match the penetration test environmental conditions specific to that job. When it comes to mobile security, we now know that penetration testing is of the utmost importance. Follow these guides (and check out the available resources), and let’s work together to make our online experiences as safe as possible.

Our history with Black Hat

Mon, 19 Jul 2021 06:11:49 GMT

The Threat Intelligence team has been heavily involved with Black Hat globally since our first presentation in around 2008, which was followed by the launch of our first training course in 2011.

We are now proud to say that we run the longest running training course at Black Hat USA, being the now famous “The Shellcode Lab” training, and we are the only company in Australia who have been invited to run training at Black Hat for the past 11 consecutive years (as of 2021).

Since our entry into the Black Hat world, we have run countless Black Hat training sessions globally including at Black Hat USA, Black Hat Europe and Black Hat DC. These include “The Shellcode Lab”, “Practical Threat Intelligence” and “Automating Security with Open Source”.

Our team have also run numerous Black Hat Presentations and Black Hat Webcasts including “Reverse DNS Tunneling Shellcode”, “The Active Directory Botnet”, “The Best Way to Catch a Thief”, “Automating Threat Detection and Response” and “Intelligent Security Automation”.

Threat Intelligence was also invited to hold a position on the “Black Hat Asia Review Board” where we select the presentations to go through to Black Hat Asia each year. This provides us with a unique insight into the phenomenal security research that happens around the world and also within the AsiaPac region. We also moderated and/or participated in the “Black Hat Asia Locknote Panel” in 2020 and 2021 where we, along with the Review Board Members, discussed our favourite presentations from the briefings and put our 2 cents in, amongst discussing other current cyber affairs.

One of our most profound moments was being Gold Sponsors at Black Hat USA as our global launch of the Evolve Security Automation Cloud.

The Shellcode Lab

The Shellcode Lab is one of the most popular courses at Black Hat with feedback like “This is the BEST class I have attended in my 17 year professional career”, which is why our team always enjoys running this training.

Ultimately this training teaches students how to write custom shellcode for macOS, Linux and Windows on 32-bit and 64-bit systems to increase their exploitation success rate. Students then integrate their custom developed shellcode into public exploits and create a Metasploit payload module to leverage their shellcode within thousands of exploits.

The training consists of 17 multi-part hands-on labs and over 150 slides of deep technical content. Students start with learning the fundamental knowledge, being how to code in assembly and basic memory management concepts, as well as techniques for how to make their shellcode as small as possible so it can fit into as many exploits as possible and avoiding “bad characters” to ensure that the exploits work, through to compiling and extracting shellcode, as well as using syscalls and dynamically locating functions in memory.

Day 1 starts with Linux 32-bit assembly and Command Execution with Privilege Escalation shellcoding, followed by macOS 64-bit shellcoding. One of the things that amazes us every year is how students can go from zero-assembly coding experience to writing their own macOS 64-bit Port Bind shellcode from scratch to remotely compromise a server by the end of the first day!

Day 2 then kicks off with Windows memory management and Windows 32-bit and 64-bit shellcoding where students get their own Egg Hunter and Reverse TCP shellcode working to get a remote shell on the target system. This is followed by integrating their custom shellcode into public exploits and creating a Metasploit Payload Module.

The training is closed off with a walkthrough of Kernel-Level shellcode to open the students eyes as to what else is possible if they take their skills to an advanced level. Although as you can see the training is not for the fainthearted, we hold the students’ hands the whole way along to ensure they enjoy it and learn a huge amount in 2 days.

Automating Security with Open Source

This training course is into it’s 4th year at Black Hat and has been delivered across both Black Hat USA and Black Hat Europe.

With quite a large lab set up with a total of around 2,000 servers running in the cloud, the first year we ran this training it was an absolute disaster! This was only recovered due to our dedicated team training during the day and working throughout the night, sometimes with only 45 minutes sleep before training the next day.

Thankfully, the lessons were learnt that first time and from the second version this training became a well oiled machine, which was confirmed with fantastic feedback and an average total score of 96%! We were told years ago that anything over 85% is absolutely fantastic. Security automation is designed to reduce your security costs, increase your security skills and capabilities, and streamline your security resources to mature your security posture so that security teams can effectively and efficiently stay on top of the constantly evolving threats, attacks and security breaches that occur every day.

Automating Security with Open Source teaches students what areas of security can be automated and how they can streamline their security operations, including:

Automated Intelligence Collection and Security Monitoring
Automated Vulnerability Identification and Penetration Testing
Automated Incident Investigations and Response
Automated Security Infrastructure Integration and Protection
Automated Security Alerting

Black Hat students like their courses to be based on open source, so this is what we did. It is common to find that enterprises often find that open source automation has too much operational overhead to maintain compared to a commercial automation platform. But this course provides students with the option to build security automation using open source if they wish to, or at least learn the concepts and ask the right questions when they go to implement a commercial security automation capability.

Thank you to the Black Hat Team

It has been an absolute pleasure working (and drinking) with the Black Hat team over the years – including one year where we wiped out half the Black Hat team during the conference with our over enthusiastic night time activities. We appreciate all of the support that the Black Hat crew have given us over the years, and we hope that everyone continues to support Black Hat during the pandemic with their fantastic virtual events and training. They are, by far, still the #1 conference after all of these years for security training and top notch technical presentations.

We are looking forward to working with Black Hat over the next decade!

What are Managed Security Services?

Sun, 18 Jul 2021 20:29:25 GMT

Before delving into the myriad of benefits from managed security services we must first examine what this type of service actually is. In general, managed security services provider (MSSP) represents a service provider in the IT sector delivering specialised, IT security capability.

If an organization requires help with some aspect of monitoring or management in cybersecurity, MSSPs fill the gap within the organization’s in-house capability. Examples of services provided by an MSSP could include VPN management, firewall configuration and monitoring, intrusion detection tuning and monitoring, to email and web content filtering. Furthermore, MSSPs may also be equipped to deal with system upgrades and modifications.

Types of Managed Security Services

You will find that there are many varied types of managed security services; these are applied in different situations and in response to the client’s specific needs.

In order to assist you in identifying what kind of managed security services you may need, below are a few examples of typical managed security services and the gap they fill.

Managed Vulnerability Scanning

In order to proactively manage cybersecurity threats an organization must conduct vulnerability management as an ongoing process. The first step in effective vulnerability management is to perform vulnerability scanning, allowing issues to be identified and subsequently managed throughout the vulnerability management process.

A managed security services provider can assist with the ongoing task of vulnerability scanning an organization’s assets.

Managed Penetration Testing

Among the benefits of managed security services, you will find that the crucial one is their adaptability. For example — when it comes to penetration testing services, you can apply these to your organization as best you see fit. In other words — these can be an ongoing service, or a simple one-time assessment of the security situation.

The engineers from MSSPs are there to test the information systems of your business for any potential weaknesses and vulnerabilities. If you opt for ongoing services, MSSPs are equipped to provide you with regular penetration tests that continue to examine the cybersecurity of your business environment; for instance, on a yearly or quarterly basis.

In the fast-paced and quick-changing world of cybersecurity, being aware of all new trends is incredibly important. Furthermore, managed penetration testing lets you quantify the progress of any security initiatives that your organization undertakes.

Managed Incident Response

Naturally, MSSP teams don’t just work to detect threats; one of the benefits of managed security services is the agility of incident response teams. Should any incident be detected, your MSSP team is available to quickly remediate an issue.

Adopting an outsourced incident response team can help increase the pace of incident handling within your company or organization. Tapping into an experienced incident response team will enable you to quickly contain threats, minimize any delays in the handling of security incidents and ultimately restore service faster. These teams contain individuals with immense analytics skills and experience across varied customer environments.

Managed Security Operations Center (SOC)

A SOC is responsible for analyzing and monitoring the security stance of an organization on a constant basis. This analysis is conducted using system logs and event data collected from various sources, such as endpoints and network security controls – such as firewalls or intrusion detection.

Utilising available telemetry, a SOC team is able to swiftly respond to identified, or potential cybersecurity incidents., A managed SOC will work closely with internal stakeholders, ensuring security issues are addressed quickly.

How to Choose a Managed Security Services Provider (MSSP)

Considering all of the benefits of a managed security service provider, the question is — how do you choose the right MSSP?

First of all you need to think about the expectations that your organization has from this relationship. Think about the specific expertise and services which you need for your security program. Then, choose the best MSSP by evaluating different vendors on these merits.

Also, it’s important to note which technology your service providers employ. MSSPs either develop their proprietary software or use third-party products for analysis and examinations. Thus, you want to choose service providers with their own in-house tech for sophisticated threat detection. This is usually the hallmark of an expert company.

Finally, you need to consider cost efficiency while choosing between different MSSPs. Pick the service providers that’s the most willing to give you a flexible option, one that aligns perfectly with your organization’s budget constraints.

Managed Security Services for mid-sized and smaller businesses

Managed security services can be incredibly important for mid-sized and small businesses. Statistics released by the U.S. government state that around half of all midsized and small businesses actually suffer from cyber attacks. In case of serious data breaches, more than half of the smallest companies shut their doors within a year after the breach. That’s why using managed security services is the best prevention tactic from disastrous and unpredictable attacks.

Conclusion

MSSP can provide incredibly useful managed security services for all kinds of companies and organizations. Furthermore, one of the biggest benefits of managed security services is the fact that clients can pick and choose the precise kind of security package which they need.

A Brief Guide of Metasploit

Sun, 18 Jul 2021 06:29:54 GMT

If you’re familiar with cybersecurity at all, then you are no doubt aware of the value of penetration testing. As cybercriminals seek to find new vulnerabilities and develop new exploits, penetration testing continues to become more important than ever for the security of any network. Fortunately, just as the sophistication of cybercrime has developed, so have the tools we use to help fight it, and one very powerful tool is an automated system called Metasploit.

Metasploit is a modular, Ruby-based, open-source framework that can probe and verify enterprise vulnerabilities, execute attacks, and evade detection. Offensive security teams also leverage its toolset to manage security assessments and improve security awareness.

A History of Metasploit

Released in 2003, Metasploit originally had only 11 exploits. However, since being acquired by Rapid7 in 2009, Metasploit has become an open-source program, which has now amassed over 2,300 exploits and almost 4,000 modules and payloads. Metasploit is now one of the world’s most popular frameworks for automating many aspects of penetration testing. Many zero-day reports also include a Metasploit module as proof-of-concept.

Metasploit Benefits

Metasploit integrates with the open-source Metasploit Framework to provide a wide range of exploitation and reconnaissance modules. It incorporates numerous attacker techniques, such as finding weak credentials (e.g. recycled passwords), evading antivirus and other security software, and finding backdoors, so as to maintain persistence throughout a network. Metasploit also contains a vast library of ready-made codes and viruses (and allows you the tools to build custom-made malware!) into a network. Among other things, these codes can simulate real-world social engineering or phishing campaigns to harvest credentials and deliver payloads. They can also run brute-force attacks against databases, web servers, and remote administration solutions. Like we said: it is powerful .

Metasploit is also easy to use. Once it’s installed, penetration testers can easily obtain information about the target system, find a way into the network, and then pick an exploit and payload. It can also be used to find weak spots, and prioritize vulnerabilities and attack vectors by impact. Unlike traditional command line interface (CLI) tools, Metasploit easily scales to support thousands of hosts and automate many penetration testing steps. Lastly, it generates data-rich, action-oriented reports to help organizations remediate these vulnerabilities faster.

The Metasploit Framework and Modules

Metasploit Framework is a modular system, each module is designed to accomplish a specific task, including:

Exploits: Deliberately take advantage of weaknesses in the target system to access sensitive information and/or deliver payloads
Payloads: Malicious code sets (e.g. Meterpreter ) used to attack target systems
Auxiliary: Scanners, fuzzers, DoS attacks and SQL injection tools to understand the target system and transition to exploit modules
Shellcode: Sub-module in a payload that uploads malicious code, and executes the commands inside the payload
Listeners: Handlers that interact with the sessions established by payloads
Post-exploitation code: Enables further testing once the (ethical) hacker is already inside the target system
NOP generator: Produces a series of random bytes to bypass standard IDS and IPS NOP-sled signatures (buffer overflow)

The Metasploit installer includes all the necessary dependencies, as well as MSFconsole (a CLI access to the Metasploit framework), and tools like John the Ripper and NMap.

How to Use Metasploit: Brief Metasploit Tutorial

Metasploit download and install

Download a Metasploit installer from here , or get the full source code from Metasploit GitHub .

Set up the Metasploit environment

Minimum system requirements

Operating Systems

Windows Server 2008 R2/2012 R2/2016/2019
Windows 7 SP1+/8.1/10
Ubuntu Linux 14.04/16.04/18.04 (recommended)
Red Hat Enterprise Linux Server 5.10/6.5/7.1/8 (or later)

Hardware

2 GHz+ processor
Minimum 4 GB RAM (8 GB recommended)
Minimum 1 GB disk space (50 GB recommended)

Browsers

Microsoft Edge (latest)
Mozilla Firefox (latest)
Google Chrome (latest)

Install Virtual Box

Before learning how to use Metasploit, set up a hypervisor to run the attacking machine (Kali Linux) and a victim machine (metasploitable2) in a safe and secluded network environment. VirtualBox is one such (free) hypervisor. Other options are KVM, VMware Player, VMWare Workstation and VMWare Fusion.

Install Kali Linux

Kali Linux is an advanced, free Linux distribution for pen testing and security auditing.

Start Using Metasploit

Once you have the Metasploit machine and the target machine set up, you can begin playing around with Metasploit.

Evolve Automated Penetration Testing

Evolve is a new approach to securing systems and applications. You can execute on-demand automated penetration testing to identify key attack vectors and security flaws faster than ever before. ‘Location-Agnostic Penetration Testing’ now allows penetration testing environments to be orchestrated in the cloud or across your organization’s security zones. It will give you better quality penetration
testing and repeatable real-time verification of risks.

Get started now!

Conclusion

In the ever-expanding cyberthreat landscape, security teams need to understand the vulnerabilities in their systems and plug them before bad actors can take advantage. Powerful frameworks like Metasploit enable organizations (and even home networks) to successfully test and find any such vulnerabilities.

Metasploit provides powerful tools for exploitation, privilege escalation, packet sniffing, keyloggers, pivoting and more. It includes thousands of exploits and payloads, with more being added every year. Modular, extensible and scalable, Metasploit is supported by a vibrant open source community, making it one of the best pentest automation tools available today, and a vital part of any organization’s security ecosystem.

How the KRACK Attacks Work and the Long-Term Impacts

Mon, 12 Jul 2021 06:48:08 GMT

WPA2 is used to secure wireless networks by almost every enterprise, SMB, individual and mobile device. For many years, WPA2 has been considered a secure Wi-Fi protocol, assuming that you have secure authentication setup, such as a strong password (PSK) and/or digital certificate.

The KRACK attacks (Key Reinstallation Attacks) were developed by security researcher, Mathy Vanhoef, who claims that every Wi-Fi device on the planet is vulnerable.

KRACK is achieved through a set of newly discovered security flaws related to how our systems and devices connect to wireless networks. Most wireless attacks target the Wi-Fi network itself, whereas in this case the vulnerabilities are present in the end user devices that affect the confidentiality and integrity of the encrypted wireless data.

Adversaries are now able to set up malicious wireless networks that manipulate the WPA2 handshake of wireless clients to force them to “reinstall” their encryption key. This causes a side effect on the wireless encryption that enables an attacker to decrypt the encrypted wireless traffic, replay encrypted wireless packets, and/or forge valid encrypted wireless traffic into the target Wi-Fi network.

Wireless Security Background to explain KRACK attacks

If we take a step back and look at an overview of how wireless security protocols work, then it will provide an insight into the attack.

Encryption is highly dependent upon an “Initialisation Vector” (IV) that can be thought of as a random number that enables data to be scrambled effectively. If this random number is not random then the encrypted data can potentially be decrypted, replayed or forged.

This applies directly to the CCMP and GCMP protocols that protect the confidentiality of wireless networks. These protocols create the IV through the concatenation of the sender MAC address and a nonce (incremental replay counter). CCMP also concatenates some additional flags. The nonce is the key part of the IV that is unknown and is ultimately protecting the wireless data confidentiality.

This is where the “Key Reinstallation Attack” comes in. When the key is installed, the nonce is reset to zero, which means that the IV can now be predicted and the encrypted data cracked and/or manipulated.

In a real-world attack we need to force, or wait for, the wireless access point to request the wireless client to reinstall the key to trigger the weak IV. This can be forced by performing a standard “de-authentication attack” where the attacker kicks the client off the wireless network to force them to reconnect, at which point the vulnerability is exposed.

It was also found that some wireless access points can be forced to send the required requests, and the even scarier part is that this condition could occur on wireless networks even without an attack.

Insecure Wireless Protocol Impacts

The potential impact associated with these wireless security protocols are as follows:

If you are using AES-CCMP, then the encrypted wireless network traffic can be replayed and decrypted. This protocol does not allow direct forging of encrypted wireless network traffic; however, by decrypting TCP SYN packets an attacker can get enough information to perform TCP Hijacking attacks to inject arbitrary malicious data into TCP network traffic.
If you are using WPA-TKIP or GCMP, then encrypted wireless network traffic can be replayed, decrypted, and forged.

As can be seen, this is a highly concerning attack technique. The upside is that the attack is dependent upon the vulnerability being present in the wireless client. The downside is that the vulnerability is present to some extent in all major operating systems, including Windows, macOS, iOS, Android and Linux.

Android and Linux – Critical Impact

Android phones (v6.0) and some Linux devices contained the most critical vulnerability where unencrypted messages can be sent and full control can be gained over the victim’s wireless network traffic. IoT devices typically use Linux, including cameras, TVs, watches, cars, and home automation systems, of which some are likely to also be affected.

The Linux and Android specific vulnerability is due to a flaw in their implementation of the protocol standard where the Temporal Key (TK) is overwritten with zeros. This is basically comparable to your password being overwritten with all zeros to gain access to all of your data. This allows the capture of sensitive information such as usernames and passwords, as well as the ability to inject malicious data into your web browsing.

Even after the majority of mobile phones and Linux systems are patched, the major long-term risk to organisations in this case are those IoT devices that remain unpatched for a long time, or simply never have patches released by the vendor.

If you fail to patch one of your wireless projectors, wireless cameras, wireless speakers, and so on, then at any point in time an attacker is able to decrypt and manipulate the wireless traffic for these devices on your network.

It is a well-known fact that IoT devices have a terrible history when it comes to security, such as requesting software updates over HTTP. This would enable the attacker to deploy a fake update to the vulnerable device causing it to become compromised, and ultimately provides the attacker with a foothold within your wireless network. If this device is on your corporate network, then your organisation is suddenly at risk of a major security breach.

Apple and OpenBSD – Major Impact

macOS and OpenBSD were the next most significantly affected with four out of the six attack conditions being present. The primary challenge is that these operating systems only accept encrypted messages to be sent to the wireless client that makes it slightly more difficult.

This security control was still able to be bypassed by identifying encrypted messages by their size, and then replaying them against the vulnerable wireless client.

This makes them just as vulnerable as in the Linux example above, except that some additional effort will be required to crack the key. The upside is that the main risk is associated with macOS devices in this case, which are far more likely to be patched across the board than IoT devices.

The security researcher also stated that they have developed a more stable and advanced attack for macOS that they will be releasing.

Windows and iOS – Minor Impact

Windows and Apple iOS devices were found to be vulnerable to only the least effective attack technique. There are actually three different areas where keys can be used to abuse wireless encryption, which are the PeerKey, Group Key, and Fast BSS Transition (FT) handshake.

The Peer Key is negotiated between two Wi-Fi clients to establish uniquely encrypted communications between them that no one else on the wireless network can view the data.
The Group Key is for encrypting broadcast traffic where all Wi-Fi clients have the key so they can decrypt the broadcast traffic that is destined for everyone.
Fast BSS Transition (FT) (802.11r) performs a handshake to calculate the Pairwise Transient Key (PTK) before a Wi-Fi client transitions to another Access Point to minimise any delays.

Windows and Apple iOS are only affected when the Group Key reinstallation occurs. This means that attackers can decrypt or replay encrypted broadcast traffic onto the target wireless network, which has limited practical uses.

One example is where encrypted NTP packets can be replayed to perform a TimeJacking attack to freeze the time of the systems on the wireless network, which can theoretically affect the expiration of SSL certificates, Kerberos tokens, cached files, and even bitcoins by forcing the system to accept an alternate block-chain to increase the chance of double-spending.

The risks to organisations and individuals

Although this attack is not currently exploiting wireless networks in the wild, that we know of, the white-paper that has been released is extremely detailed and has sufficient information for an attacker to develop a working exploit for the various vulnerabilities.

Despite the attack technique being new and everyone trying to get their heads around it, the attack is actually quite a simple concept and wouldn’t take much for a determined attacker to create a working attack tool.

Depending upon the intention of the attacker, this could lead to:

A major security breach of any organisation’s wireless and corporate networks
A security breach of individual mobile and desktop operating systems
Compromised usernames, passwords and email accounts
Bypass of wireless security controls including multi-factor authentication

The steps to take to protect yourself

Operating system vendors were notified prior to the release of this research and security patches have been, or are being, released by the major players. The priority is to patch all of your wireless clients, including workstations, laptops, mobile devices, watches, projectors, cameras, SmartTVs, wireless network repeaters, and so on.

If you leave any of these devices unpatched then there is a distinct possibility that the device may be used as an entry point into your corporate or home wireless network.

Although still vulnerable, the AES-CCMP in theory causes less of an impact than GCMP, so wireless access points should be configured with AES-CCMP to increase the difficulty of attacks.

This attack targets vulnerabilities in wireless clients; however, there were also weaknesses identified in some wireless access points that aided in the ability to trigger the vulnerable condition that is required to perform this attack. With this in mind, updates to wireless access points should also be investigated and updated where appropriate.

Threat Intelligence Expert Provides Insights on the long-term impacts of the KRACK attacks and what organisations should do to protect themselves long-term. Get in touch with us.

So, what is SIEM and how it works?

Sun, 04 Jul 2021 19:55:15 GMT

Modern companies have to deal with several difficult cybersecurity questions:

How can we protect our networks and devices from bad actors?

What kind of threats do they pose for our enterprise, employees and customers?

What can we do to stay ahead of these adversaries, and is it even possible?

It’s not always easy to find the answers to these questions, particularly with traditional or outdated enterprise security approaches. What we need now is a more evolved cybersecurity approach that allows companies to track activity within their IT environment, deploy the right security tools, assess their ability to resist threats, and respond appropriately to any security events that will occur.

This evolved approach has a name: Security Information and Event Management (SIEM) .

So, what is SIEM?

SIEM software uses advanced detection, analytics, and response capabilities to provide insights into everything going on within an IT environment. It provides organizations with a holistic view of their security profile., and enables security professionals to detect, analyze and mitigate different threats.

How SIEM Works

In general, SIEM:

Collects and aggregates data from multiple sources,
Correlates and categorizes events,
Identifies deviations from the norm, and
Raises real-time alerts about security incidents and events

works by effectively combining and leveraging two key capabilities – Security Information Management (SIM) and Security Event Management (SEM) . The SIM side collects data for analysis from log files, host systems, applications, and even security devices like firewalls and anti-virus software. The SEM element, on the other hand, monitors systems in real time and identifies, correlates and analyzes events that seem anomalous. These events can include everything from malware attacks and spam emails, to traffic spikes, failed logins and changes to security configurations. Thus, a SIEM software can identify and detect threats in email, endpoint devices, applications, cloud resources, and more.

In addition to behavioral anomalies, SIEM can also detect and raise alerts about compromised accounts and lateral movements. These alerts can be set as high- or low-priority, so security teams can focus on addressing the critical threats (or events) that could seriously impact the organisation in adverse ways. SIEM also generates reports on these security threats and events by leveraging threat intelligence and User and Entity Behaviour Analytics (UEBA).

The Benefits of SIEM

Some of the key benefits of SIEM solutions are:

Analyze network and user behaviors in order to generate useful intelligence about potentially malicious activities
Detect and mitigate incidents early to minimize their damaging impact
Create threat rules based on insights into attacker tactics, techniques and procedures (TTPs) and known indicators of compromise (IOC)
Notify security personnel if an event triggers a SIEM rule
If incidents do occur, determine their nature and understand their business impact
Identify, isolate or remove compromised sources
Perform forensic analysis on major security/data breaches
Generate visual information so teams can identify patterns that could indicate security issues

Common SIEM Use Cases

Improve Threat Hunting, Detection and Management

The use of intelligent products like Evolve provides visibility into the threat environment, so organisations can better manage the operational and strategic aspects of threat hunting. With multi-source log data, these products can streamline threat management workflows and also improve incident response.

Enterprise Compliance

SIEM software provides the advanced, ongoing and reliable monitoring and reporting capabilities organizations need to auto-generate reports about logged security events. These reports enable them to meet numerous compliance mandates like HIPAA, SOX, GDPR, and PCI-DSS, and improve their compliance management.

Increase IoT Security

It is estimated that by 2025, there will be 25 billion connected IoT devices. As more devices, from washers and dryers to thermostats and printers become connected, however, this creates more points of entry for bad actors to target enterprises and move laterally across their networks. That raises serious concerns about security in IoT setups. SIEM software can mitigate IoT threats, such as DoS attacks, and also raise alerts about at-risk or compromised devices.

Prevent Insider Threats

Insider threats pose a considerable risk to organizations. With SIEM, they can create rules for what constitutes “normal” employee activity. The software will then monitor employee actions, and raise alerts for irregular events based on these predefined baselines. SIEM can also monitor privileged accounts and create alerts if a particular user performs an action they’re not allowed to perform, such as installing non-standard or non-approved software.

Evolve On-demand SIEM and EDR Capabilities

Evolve’s on-demand SIEM product is redefining security monitoring and automation. Its unlimited EDR (Endpoint Detection and Response) agents provide enhanced visibility into malicious activities and security breaches. These activities are mapped to the MITRE ATT&CK framework across the entire IT infrastructure and tech stack.

The Evolve SIEM solution can be orchestrated at the click of a button for immediate protection. Plus, it can be easily scaled up (or down) to support the organization’s changing environment and security needs.

With built-in standards like PCI-DSS, HIPAA and FedRamp, Evolve visualises compliance gaps and allows for fast remediation. It also lowers security costs with flexible monthly investments and almost no capital expenditures or expensive integration projects.

Start a 30-day free trial here.

Conclusion

In 2017, a Gartner study stated that “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.” A SIEM solution like Evolve provides a powerful way for organizations to strengthen their cybersecurity through improved visibility, threat detection, mitigation, analytics, and incident response. Smart organizations know that they need to move beyond basic questions, like “How do I protect my network?” to ask more evolved questions, like, “How can we best leverage SIEM for our needs?”

DNS Sinkholes: What is it and how to start using

Sun, 20 Jun 2021 20:03:01 GMT

In our Internet-dominated world, the increasing prevalence of malicious URLs is a huge problem for enterprises everywhere. A malicious URL is an infected link that’s typically used to perpetrate a scam or fraud, or launch an attack on an enterprise network. When a user clicks on the infected link, he or she may end up downloading ransomware, viruses, Trojans, or other malware that could compromise, not just their individual system, but the entire corporate network. One way to prevent the access of malicious URLs at an enterprise level is to use DNS sinkholes.

What is a DNS Sinkhole?

Domain Name Service (or DNService) is a protocol for data exchange over the internet. Occasionally, outbound DNS requests attempt to access known malicious domains that contain such things as spyware, botnets, and fake antivirus software. When a DNS request attempts to connect to known malicious or unwanted destinations like botnets or Command-and-Control (C&C) servers, the sinkholing mechanism intercepts these requests, and returns a controlled IP address, which points to a sinkhole server that has been designed for just this purpose. This prevents the client from connecting to the target host, and thus protects users and networks. It’s similar to a “honeypot” – a fake network designed to catch cybercriminals. In essence, aA DNS sinkhole redirects Internet traffic to change the flow to malicious URLs, and prevents devices from connecting to these dodgy domains. Think of a DNS sinkhole as a black hole where bad URLs go to die!

With a DNS sinkhole, organizations can restrict access to malicious websites, as well as non-malicious websites that violate corporate policies, like social media sites. So along with firewalls, web proxies, Network Intrusion Prevention Systems and other security gatekeepers, a DNS sinkhole can help strengthen the organization’s “defence-in-depth” strategy.

Sinkhole administrators can use open source or commercial DNS sinkhole lists of known malicious domains to populate the organization’s DNS sinkhole. They can also set up a customised webpage that can display which the corporate policy is being violated, should the user try to access a “sinkholed” URL.

Why Use a DNS Sinkhole

The primary reason for using a DNS sinkhole is to prevent users from accessing malicious domains or destinations, but as we’ve just seen, there are other uses for it. For example, it can block “drive-by downloads” (when a user accesses a legitimate website in which an attacker has secretly inserted malicious code, which the visitor’s computer unwittingly downloads). One other important thing that DNS sinkholes do in addition to protecting a network from an immediate threat, however, is help protect other networks from future threats.

Sinkholes can help identify, isolate and fix compromised hosts trying to connect to known malicious domains by analyzing the sinkhole logs. If the logs show that a host is continuously attempting to connect to a botnet but the sinkhole is redirecting the request, it may indicate that this machine is infected and therefore needs further analysis, containment and remediation. This knowledge also helps threat researchers to craft defence strategies to counter attack tactics, techniques and procedures (TTP).

How to Start Using DNS Sinkholes

While a DNS sinkhole for single platforms can be constructed using a simple host file, this is only suitable for a small number of hosts. For it to be effective, a list of malicious domains must be maintained and regularly updated. Ongoing maintenance requires reviewing and processing the automated updates from either free DNS sinkhole open source lists, or paid commercial lists. Admins can use these lists to verify which hosts or domains should be blocked, even without performing active testing. Organizations can also integrate their own closed-source sinkhole entries for hosts or domains, creating custom lists.

One last note: a DNS sinkhole should be isolated from the external network. Otherwise attackers may be able to manipulate the entries and use them for malicious purposes. It wouldn’t do to have a domain on the block list, only to have the owner of that domain go in and remove it from the list.

Automated DNS Sinkhole Breach Detection with Evolve

The Automated DNS Sinkhole Breach Detection solution from Evolve provides the latest threat intelligence, allowing organizations to detect and prevent threats, attacks and security breaches. They can seamlessly orchestrate on-demand, high-availability DNS sinkholes that automatically ingest 350+ threat intelligence feeds. Thus they can prevent users from accessing malicious websites, proactively block malware from locating their C&C systems, and ensure that their business remains safe from bad actors.

Conclusion

DNS sinkholes are useful for day-to-day network management, threat analysis, and overall security, as well as a research tool to improve their ability to react to and prevent attacks. This makes them an important weapon in the cybersecurity war. It’s not only important, though, it just makes good sense.

Disrupting the Ransomware Industry

Mon, 14 Jun 2021 20:25:30 GMT

I recently read a blog post by Matthew Rosenquist titled “Paying Ransomware Should be Illegal”. Long story short, the concept is that if paying the ransom is made illegal with significant penalties (with even jail time being suggested), then the revenue streams for ransomware would be significantly impacted that would reduce the number of threat actors and active ransomware campaigns.

Are illegal ransomware payments a feasible idea?

Making ransomware payments illegal is certainly an interesting idea, but is it feasible? Based on our experience, let’s step through our experience with different sized organizations.

Our Experience with Ransomware Industry and Extortion

On a weekly basis our team perform Rapid Response to help breached organizations who fall victim to major ransomware and/or extortion campaigns to get their business back up and running quickly.

Mature Enterprises and Government Departments

In nearly all cases where there are multi-million dollar ransoms, we have found that if the organization is large enough to afford to pay a multi-million dollar ransom then they already have a Business Continuity Plan, Disaster Recovery Plan and also a solid backup and recovery solution in place where around 97% of systems and data can be restored.

In this case, there is no need to even consider paying a ransom. This makes the concept sound feasible to deem ransomware payments as illegal.

Immature Startups and SMBs

The problem arises with smaller companies with limited security or backups where their entire business and their family life (losing their sole income to pay their house repayments, petrol, kids schooling, food, clothes, etc) is being held to ransom with no other option than to pay.

When looking at it with a personal lens on where people will lose their house if they don’t pay a $700 ransom, it’s not feasible to expect them not to pay. This is likely to force them to pay in an “underground manner” to avoid detection whilst getting their business and life back on track.

In this case, the only feasible option for these businesses is to pay the ransom. This suddenly puts a question mark over making ransomware payments illegal, or at least makes it a more complex proposition.

Immature Enterprises and Government Departments

Now here is where we get to a really interesting situation. Large organizations who have limited security and no backups.

This is the major concern that we are really talking about since these organizations are forced into paying multi-million dollar ransomware payments to keep their business alive and keep hundreds or thousands of staff employed.

In industries like Critical Infrastructure, this can have major effects on the wider community or even the country. This was seen with the US pipeline being affected, as well as the JBS meat processing and distribution, both of which affected multiple countries.

These multi-million dollar ransomware payments inject a significant amount of revenue into the ransomware campaign, which funds the next round of campaigns to scale up the attacks even further that then have a knock on effect to hundreds of other businesses.

In this case, we have a conflicting situation where we need to recover the large organization but we are also funding future attacks.

So what is the greater good?

Negligence and Ransomware Payment Fines

Unfortunately, and apologies if this offends some readers in the above situation, but an enterprise without sufficient security or backups can be classified as negligence.

Don’t get me wrong, I understand the challenges and I am sympathetic to your situation.

When we start throwing around the term “negligence” then we start talking about breaching criminal laws. This introduces the option of introducing major fines if you make a ransomware payment.

Let’s say for arguments sake that the fine is 3 times the ransomware payment.

What this does is significantly increase the cost of paying the ransom and acts as a significant deterrent. This is also an automatic sliding scale where SMBs don’t go under but are likely to then invest in security moving forward, and major enterprise breaches that provide significant funding to ransomware gangs are hit harder and so are deterred from paying the ransom.

Conclusion

This approach could have multiple effects. This may reduce the number of large ransoms being paid in the region that then redirects the ransomware attack elsewhere. It may also encourage large organizations to invest in their security and backup strategies to prevent the breaches occurring.

On top of this, it introduces a nice revenue stream for Governments that would encourage the adoption of the approach on a wider scale.

Our Rapid Incident Response Approach

Our specialist security team execute Rapid Incident Response that is up and running in less than an hour. This is achieved by using our Evolve Security Automation Cloud to orchestrate the following automated security capabilities in minutes:

13 minutes – Automated SIEM with EDR Orchestration
10 minutes – Automated External and Internal Penetration Testing
3 minutes – Automated Compromised Account Monitoring
10 minutes – Automated Incident Response
Automated Evidence Collection, Analysis and Response
8 minutes – Automated DNS Sinkhole with Cyber Threat Intelligence

This approach provides immediate fine-grained visibility into malicious activity, leaked passwords, exploitable systems, breached systems and backdoor communications. At the same time, this approach enhances your organization’s security posture to prevent a second attack from being successful whilst also allowing for ongoing security assurance over your systems, your data and your business.

You also gain the added benefit of augmenting your team with our security specialists to ensure that you have a strong security strategy and effective controls moving forward.

Guide to Security Orchestration Automation and Response (SOAR)

Sun, 13 Jun 2021 20:46:59 GMT

Gartner defines Security Orchestration Automation and Response (SOAR) as “technologies that enable organizations to collect inputs monitored by the security operations team.”

SOAR enables organisations to understand potential threats, streamline security operations, and effectively respond to security events without human intervention. To achieve these goals, SOAR platforms provide three key security components:

Orchestration: Integrate disparate security systems and tools to improve incident responses
Automation: Automate security operations to eliminate the need for human input
Response: Improve the planning, management, and reporting of actions in response to security incidents

In this article, we will explore the capabilities of Security Orchestration Automation and Response. We will also discuss its benefits and the differences between SOAR and Security Information and Event Management (SIEM).

SOAR Capabilities

Today’s expanding threat landscape is driven by serious threat vectors, malicious actors, and sophisticated attack tools. In such a critical scenario, it’s not easy for organizations to even keep up with the ever-changing landscape, let alone achieve their security goals. Security Orchestration Automation and Response can help bridge the gap between these goals and their implementation. Offering crucial advantages like automation, integration, threat context, and data-rich reporting, SOAR enables firms to streamline security operations, understand the threat landscape, and effectively deal with real-world events.

Threat and Vulnerability Management

In SOAR, threat and vulnerability management comes under the purview of security orchestration, which integrates different security platforms, such as:

External threat intelligence feeds
SIEM platforms
User behaviour analytics (UBA), network analytics and incident forensics
Vulnerability scanners
Firewalls

Reliable security orchestration is the key to centralizing data, standardizing processes, and improving threat remediation and incident response. It also supports security operations automation, providing real-time threat intelligence.

Security Operations Automation

With security automation, organizations can seamlessly execute security workflows at the right time, without human intervention. SOAR tools provide playbooks and scripts to build automated workflows, resolve incidents with intelligence and agility, and minimize the impact of cyber attacks. They also automate alerts and threat response, and even trigger any follow-up investigative tasks. All these capabilities reduce the burden on security teams to improve their efficiency and productivity and decrease their Mean Time to Detect (MTTD).

Security Incident Response

Most organizations have to deal with a growing volume of alerts, many of them irrelevant and unworthy of further investigation. Security Orchestration Automation and Response automates incident responses so teams can deal with alerts more efficiently. They can also accelerate threat qualification, standardize threat investigation and response, and remediate security events faster.

The best SOAR platforms integrate with numerous third-party security platforms so a more effective incident response approach can be designed and implemented. They also collect incident data from these tools to provide a more detailed view of incidents. All in all, SOAR can help speed up Mean Time to Resolution (MTTR).

SOAR vs SIEM

A SIEM platform collects and aggregates log data from the firm’s IT infrastructure, categorizes incidents and events, and analyzes them. However, most SIEM tools are limited to simply raising alerts about anomalies and vulnerabilities. They do little (or nothing) to actually rectify them.

Security Orchestration Automation And Response tools fill these gaps. With security orchestration, teams can consolidate data and initiate proactive response actions. They can automatically compare security alerts flagged by the SIEM against threat intelligence feeds to find malicious indicators. They can also automate security tasks to improve the organization’s ability to respond to threats or incidents. It’s very similar to the difference between an IDS and an IPS, and as such, it is best to use SIEM and SOAR together to strengthen your network’s overall security strategy.

Benefits of SOAR

Security Orchestration Automation and Response is a powerful way to mitigate security challenges. In addition to automation, SOAR also allows human decision-making, providing the best of both worlds.

Here are some more vital benefits of SOAR:

Optimized Threat Intelligence

SOAR platforms integrate up-to-date data from multiple security tools. They also offer contextual and intelligent decision-making to improve analysis and lessen the impact of threats. Analysts can focus their efforts on devising appropriate responses to threats that require human input.

Improved Operational Efficiency and Efficacy

Automated workflows eliminate time-consuming manual processes so teams can prioritize tasks better, save time, and simplify management.

Enhanced Incident Response

Security Orchestration Automation and Response tools can execute incident response tasks automatically and instantly. It not only reduces the MTTR it also effectively combats advanced threats, and minimizes their impact.

Easier Reporting

SOAR provides a unified view of data from various security systems through a single interface. Plus, built-in reporting and analysis highlights threats and delivers insights that can be converted into actionable, automated responses.

Lower costs

Because automation eliminates many manual tasks related to threat monitoring and detection, the cost of maintaining a security system lowers dramatically.

Getting Started with SOAR

Despite its advantages, Security Orchestration Automation and Response is not a silver bullet, or a replacement for SIEM and other security technologies. So before investing in SOAR, it’s important to start with the most important question: Does my organization need SOAR?

To make the right decision, it’s important to consider the following:

What are the problems we aim to solve with SOAR?
Do we spend too much time collecting, aggregating and analyzing information?
Are we wasting too much time with false flags?
Is alert fatigue an issue in our team?
Are we struggling to hire security talent?

These are all important things to consider. If, for example, your team is not experiencing fatigue, or chasing down false flags, then SOAR may not be a current necessity. If, on the other hand, the growing threat landscape is also expanding these issues, then SOAR may be exactly what your organization needs.

Conclusion

Security Orchestration Automation and Response is a useful framework to automate security monitoring, analysis and response, and strengthen enterprise risk profiles. In the coming years, bad actors will step up their efforts to exploit security weaknesses, and SOAR provides effective protection against such risks. If this kind of automation is something your enterprise is interested in, contact us today.

Breach and Attack Simulation vs Automated Penetration Testing

Sun, 06 Jun 2021 21:00:08 GMT

There is a lot of confusion in the market around the difference between “Breach and Attack Simulation” and “Automated Penetration Testing”. They are different technologies that deliver different outcomes. Let’s clarify the difference for you.

Breach and Attack Simulation

The primary aim of a BAS technology is to test the effectiveness of your operational security controls by emulating security breaches within your internal network.

To get the full capabilities out of a BAS technology, you must deploy BAS agents across all of your internal hosts and deploy virtual machines in key zones throughout your security architecture.

BAS host-based agents are typically used to identify vulnerabilities on the hosts by gathering missing patches and to simulate host-based breach scenarios. Many BAS technologies use the MITRE ATT&CK framework as the basis for their breach simulations, which may include simulating malware infections to determine if your host-based security controls detect the activity and alert your security operations team.

BAS virtual machines are used to simulate network-based attacks between each other to test the effectiveness of the network-based IDS/IPS or next-generation firewalls and whether they will alert your security operations team.

BAS certainly adds value to organisations; however, there are some critical limitations to BAS technologies that you need to consider:

Since the BAS agents are deployed on internal systems, there is no simulation of internet-based attacks against your perimeter systems, which is pretty important considering that the attackers are on the internet. In fact, we would argue that testing your perimeter defenses against internet attacks is one of the most important aspects of a pentest, and the BAS simply cannot provide that.
Since the BAS virtual machines are typically deployed internally, the network-based simulations are only tested internally. If you get creative, you could deploy a virtual machine on the internet to test your internet-facing threat detections.
All authenticated or agent-based vulnerability scans report an absolute huge number of vulnerabilities, with most of them not having any working exploits and therefore not really introducing risk to your business.
BAS technologies don’t perform real attacks and actual exploitation of vulnerabilities to verify that they are real, which means that around 99% of the vulnerabilities are not going to be exploitable.
BAS technologies also don’t touch your web applications, which means that critical areas of your business are not being assessed.
Around 80% of all security breaches originate from leaked passwords from third-party security breaches, which BAS technologies do not monitor or test for.
BAS attack simulations are often not recognized as a threat and are less effective than emulation of real attacks
BAS is unable to safely detonate destructive attacks such as malware and ransomware, which puts into question the reality of the simulations

This demonstrates that there is certainly value delivered through a BAS solution by testing the effectiveness of your operational security controls; however, it is clearly not a penetration test, so let’s now understand what an Automated Penetration Test encompases.

Automated Penetration Testing

The primary aim of Automated Penetration Testing is to perform continuous penetration testing of your organisation to identify and verify the real risks to your business across your external and internal systems, applications and even your supply chain (third party vendors).

This is achieved through black box assessments without requiring any agents to be installed onto any systems, allowing a fast and cost-effective deployment.

Types of Automated Penetration Testing

Features vary per vendor, with many focusing only on internal infrastructure, so we will use the wider range of Automated Penetration Testing capabilities offered within our Evolve Security Automation Cloud:

Evolve Automated External Penetration Testing
Evolve Automated Internal Penetration Testing
Evolve Automated Supply Chain Penetration Testing
Evolve Automated DevOps Application Security Testing
Web Applications and APIs

Automated Penetration Testing Methodology

The Evolve Automated Penetration Testing covers a full five-stage penetration test:

Automated Internet Reconnaissance
Automated Fingerprinting and Scanning
Automated Attack and Exploitation
Automated Post-Exploitation and Lateral Movement
Automated Reporting

Rather than performing simulations, Automated Penetration Testing performs contextual attacks specific to your organisation that real-world attackers would perform in order to reveal actual risks to your business. These contextual attacks include:

Extracting employee details from social media networks in order to predict employee email addresses and locating their leaked passwords from thousands of third-party security breaches to breach exposed administrative services
Real-time identification of vulnerabilities, intelligent safe contextual exploitation and post-exploitation, password cracking and lateral movement attacks to demonstrate and prioritise actual exploitable vulnerabilities and the corresponding impact
Passive Supply Chain Penetration Testing against third-party vendors using intelligence sources to map out employees, email addresses, leaked passwords, domain names and IP addresses, software versions, vulnerabilities, latest exploits and recommended exploit configurations.
Web application and API vulnerability identification using intelligent automation that utilises contextual requests specific to the application to ensure that business flows are followed and real application data is used to provide both broad and deep application security coverage

To provide an insight into the deployment effort required compared to BAS, there is very little setup required for Automated Penetration Testing, which varies for external and internal.

There is next-to-no setup required for “Automated External Penetration Testing” and “Automated Supply Chain Penetration Testing” so they can literally both be up and running in less than 5 minutes.

The “Automated Internal Penetration Testing” simply needs a single pre-configured virtual appliance that is deployed through a simple “download-and-boot”, which supports proxies and authentication. No changes to firewalls are required, which means Automated Internal Penetration Testing can be deployed within minutes.

The “Automated DevOps Application Security Testing” can be integrated with DevOps pipelines in as little as 10 minutes and will automatically orchestrate an Automated Application Security Testing environment upon the next code commit, without any further actions from any team member.

Since Automated Penetration Testing sends attacks across the network, both internally and externally, IDS/IPS and next-generation firewall detections are triggered using a wide range of attacks allowing your operational security controls to be tested.

Since safe intelligent exploitation is used to actively compromise systems, perform privilege escalation and execute post-exploitation, host-based security controls are tested for their effectiveness and often highlights unexpected gaps in security operations.

One key example is where malicious code is detected, but the security operations team is unable to locate where the exploit originated due to connections passing through proxies or load balancers, or that network connection information simply doesn’t exist.

Conclusion

If you are purely looking at testing the effectiveness of your internal operational security controls, such as the effectiveness of your SOC to respond to a security breach, then BAS is likely to be the technology that you are after.

However, if your business needs to identify, verify and manage real risks to your business, across your external and internal infrastructure and applications, as well as your supply chain, to proactively prevent a security breach, whilst also gaining the added benefit of streamlining your security team through prioritised remediation activities and also testing your security operations, then you need Automated Penetration Testing.

To get started with Automated Penetration Testing within minutes, register for a free Evolve Account

Threat and Risk Assessment: What is it, Guides and Benefits

Mon, 31 May 2021 21:25:46 GMT

As more and more sophisticated crime operations spread across the globe, and as new software vulnerabilities are discovered and exploited by cyber criminals, companies have an increasing obligation to assign experts and analysts to systematically identify and remediate threats. One invaluable tool for creating and implementing an effective security program is a detailed and comprehensive Threat and Risk Assessment (TRA).

What is a Threat and Risk Assessment?

A TRA is a process used to identify, assess, and remediate risk areas. The result of this process will be to, hopefully, harden the network and help prevent (or at least reduce) attacks.

Threat and Risk Assessment provides a more thorough assessment of security risk than the standard assessments, such as studying threat statistics or conducting a facility walk-through. The analyst takes information and data from many methods and then combines these pieces, forming an extensive plan for sound security management, while also assessing a company’s compliance with industry practices and applicable laws.

The goals of Threat and Risk Assessment

The main objective of Threat and Risk Assessment is to protect organizations against liabilities by identifying and understanding the various risks facing the client property and community. Threat and Risk Assessment identifies exposures by determining potential security weaknesses and taking the appropriate actions to reduce the impact of threatening events and manage the risks.

When do you need to assess the risk of insider threats?

Not only does the TRA assess external threats, but it can also be effective in assessing and protecting from internal threats. If you are an organization that works with sensitive data, you should also assess the risk of insider threats. No one wants to imagine that their employees can be a security risk, but an estimate of 63% of cyber attacks are internal . There are three steps to assess the risk of insider threats:

Audit your organization’s cybersecurity
Apply for cybersecurity insurance
Comply with laws, regulations, and security standards

Audit your organization’s cybersecurity

Risk assessment is an essential part of risk management strategy. aside from being part of a regular routine, here are just a few of the times when your organization should perform an assessment:

To plan for reorganization or expansion of a business
An abnormally high increase in cybersecurity incidents within your industry
A known attack on your organization

Apply for cybersecurity insurance

Just as we insure our buildings and businesses for risks such as fire, theft, and natural disasters, it’s advisable to also insure your company for cyber attacks. As with most insurance, the insurance company may require an assessment before issuing the policy, and in order to help define the terms of your coverage. The risk assessment method used by insurers for analyzing an organization’s risk level includes:

Client meetings
Research
Underwriting questionnaires
Risk audits
Open-source intelligence
Threat intelligence
Third-party assurance reports

Comply with laws, regulations, and security standards

There are many laws and regulations that directly involve the security of data. Whether it is dealing with PCI, HIPAA, or organizations such as ISO and NIST, assessing the risk of insider threats is mandatory. Below, we will run through a few of these regulatory requirements:

NIST Risk Assessment Guide

The National Institute of Standards and Technology (NIST), suggests the following steps:

1. Prepare for the assessment

Here you define the scope and purpose of the assessment, as well as constraints (you may, for example, limit the assessment to only the customer-facing network). Further, it explains the risk model you are comfortable with, sources of information, and which analytical approaches you will use.

2. Conduct the assessment

At this stage, you identify the relevant sources of threats and events, together with any vulnerabilities that could be exploited. Further, you determine the potential and likely impact of the specific threat events.

3. Share and communicate risk assessment information

To support risk responses, communicate risk assessment results to decision-makers and other relevant personnel.

4. Maintain the risk assessment

This includes remediating vulnerabilities (such as updating and patching software, or monitoring known, but low-level risks (using an IDS)).

PCI DSS Risk Assessment Guide

The PCI Guide offers pages of guidelines and assessment values to consider. Here are just a few of the most important tips:

All data should be encrypted, both in-transit and at-rest
Monitor and assess networks on a regular basis
Only store customer data when necessary (for example, keeping a card on file at popular retail websites)

Guidance on Risk Analysis Requirements under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires that health organizations conduct a regular risk assessment. During this assessment, auditors should check for:

Malicious software installation
Computer- and network-based attacks
Inaccurate data entry
Unauthorized access to electronically protected health information

Five Key Steps for Assessing Insider Threats

As we mentioned at the beginning of this article, while external threats are certainly a risk, a large number of attacks come from internal sources. For this reason, it is vital to assess your organization’s security from the inside, as well. The five critical steps of insider threat risk assessment are:

Identifying essential assets of an organization

Risk assessment starts by distinguishing the valuable assets that insiders can compromise in an organization. It would help if you, therefore, focused on:

Access to admin accounts and servers (both physical and cloud)
Confidential information, such as trade secrets
Employee’s sensitive data
Subcontractors’ and partners’ data
Crucial services and systems

Defining the possible insider threats

Activities done by legitimate users but with negative connotations are referred to as insider threats. These include:

Sensitive data disclosure
Misusing, changing, or deleting data
Malware uploads (both intentional and unintentional)
Failure to follow the principles of least privilege

Prioritize risks

Here, you determine which risks most threaten your business, both in terms of profitability and customer confidence. A risk matrix can help you determine the level of each risk. Here are the four factors that you should analyze:

How critical the threat is
Importance of the at-risk assets
Likelihood of an occurrence
System vulnerability

Create a risk assessment report

Wrap your risk assessment results into a comprehensive report. This will help to simplify the decision-making processes at the further stages of the management strategy. The report can help you to:

Communicate results of risk assessment to decision-makers
Share the risk-related information with your employees
Adjust your risk management approach (updating software more regularly, making password requirements more stringent, etc.)

Make insider risk assessment a common practice

You should note that with time, organizations tend to change either software and tools, or expand their departments and their practices. Such changes create new vulnerabilities, and your organization should therefore conduct a risk assessment regularly.

Conclusion

Risk assessments collect essential information and expose weak cybersecurity spots. They also provide an organization with the tools they need to evaluate the consequences of potential security incidents. Lastly, they also help an organization improve its security practices, helping to prevent incidents in the future. While it is impossible to prevent all incidents, risk assessments are a vital tool for protecting any organization from the ever-growing threat of cyber criminals.

Getting Started with the Evolve Virtual Appliance

Mon, 31 May 2021 06:49:14 GMT

Evolve is the world’s first Security Automation Cloud, with global Evolve Regions for data sovereignty, Evolve Security Zones for secure isolated automation processing, global Evolve Internal Certificate Authority for strong trusted encryption and authentication, as well as Evolve Gateways for easy integration with your internal corporate and cloud networks.

Deployment Options

Evolve automatically generates pre-configured Evolve Virtual Appliances to be deployed into your corporate networks and on-premise data centers, supporting VMware or Hyper-V, and third-party cloud providers, including AWS and Azure, as well as Docker and even a Command Line Installer for automating the build of hardware-based Evolve Virtual Appliances on devices like a Raspberry Pi for physical deployments.

Security

Secure Deployment

Evolve Virtual Appliances have been designed with security as a top priority, which means they fit within your existing security architecture.

The Evolve Virtual Appliance connects outbound back to Evolve, which means that no inbound firewall rules are required. Connectivity options includes “Direct Connectivity” if direct outbound HTTPS is available, as well as “Proxy Connectivity” including both unauthenticated and authenticated proxies, with support for both Basic Authentication and NTLMv2 to integrate with your organization’s Active Directory security policies.

This means that no firewall changes are required for a fast and simple deployment, including into secured networks that can connect outbound through proxies located in a DMZ. This also enables fine-grained security enforcement through native integration with your Active Directory security policies.

Trusted Encryption and Authentication

The Evolve Virtual Appliance natively uses the “Evolve Global Certificate Authority” to generate dedicated authentication and encryption certificates specific to your Evolve Account and your Evolve Region. This ensures strong encryption and certificate-based authentication is enforced with native anti-interception and anti-decryption controls for all network traffic between the Evolve Virtual Appliance and your Evolve Account.

The security enforcement of the Evolve Virtual Appliance is that strict that environments with SSL / TLS Decryption controls will need to whitelist the Evolve Virtual Appliance since this activity is detected as a man-in-the-middle attack that will automatically have the connection dropped by the Evolve Virtual Appliance to prevent interception attacks.

Secure Connectivity

Once booted, the pre-configured Evolve Virtual Appliance automatically registers itself within your Evolve Account. This is achieved using two parallel techniques designed to make the Evolve Virtual Appliance a powerful solution to introduce multiple remote automation and orchestration capabilities to your business.

Security Automation capabilities, such as automated penetration testing, require direct network connectivity to your internal network from your dedicated and isolated Evolve Security Zones. The Evolve Virtual Appliance connects back to your dedicated “Evolve VPN Gateway” within your Evolve Account, which uses the Evolve Global Certificate Authority for trusted certificate-based authentication and encryption.

Only the specific Evolve Security Zones that are connected to your corresponding Evolve VPN Gateway will have connectivity to your internal network. All other Evolve Security Zones within your account will not have this connectivity since they are in separate isolated environments without the required network access or routing to establish this connectivity.

Security Orchestration capabilities, such as DNS Sinkhole orchestration, are performed via the Evolve Agent running within your Evolve Virtual Appliance, providing Remote Orchestration capabilities.

The following information describes the connectivity information for the Evolve Virtual Appliance that can be used for domain or URL whitelisting in proxy servers or firewalls.

Evolve API Endpoints
*.evolve.threatintelligence.com over port 443/TCP
Used by the Evolve Agent to communicate with your Evolve Account.

Evolve VPN Gateway
*.evolve.threatintelligence.com over port 443/TCP
Your Evolve VPN Gateway static IP address and unique Evolve domain name, allocated upon orchestrationAny SSL decryption controls will need to be whitelisted for the Evolve Virtual Appliance device due to anti-interception controls.

Remote Orchestration

Evolve Virtual Appliances provide far more than just connectivity. They run an Evolve Agent to provide you with remote security orchestration capabilities to dynamically turn your Evolve Virtual Appliance into any security capability that you need.

You can remotely trigger your Evolve Virtual Appliance to orchestrate into an on-demand Incident Response Environment, an internal DevOps Application Security Testing Environment, or even orchestrate production security infrastructure for breach detection, such as a DNS Sinkhole with integrated Cyber Threat Intelligence feeds.

Since Evolve Virtual Appliances can be deployed across distributed environments, including globally distributed networks, you now have the capability to automate and orchestrate on-demand security capabilities throughout your environment from a central console.

Evolve Architecture

The following architecture diagram demonstrates the connectivity between your Evolve Account and your internal network via an Evolve VPN Gateway and the Evolve Virtual Appliance:

Generating a Virtual Appliance

The following steps will guide you through the creation of an Evolve Virtual Appliance to provide remote security automation and remote orchestration capabilities.

Step 1: Navigate to the Remote Orchestration → Virtual Appliances page using the side menu and the green plus button to create a new Evolve Virtual Appliance

Step 2: Select your desired Virtual Appliance format / type

Step 3: Set a Name for your Evolve Virtual Appliance and the email address to receive your Evolve Virtual Appliance secure temporary download link

Step 4: Select your Evolve VPN Gateway that your Evolve Virtual Appliance will connect back to. This step assumes that you have already created an Evolve VPN Gateway via the Security Zones → Gateways page.

Step 5: Select your Evolve Agent that your Evolve Virtual Appliance will have installed. If you don’t have an Evolve Agent simply select the “Create New Agent” option.

Step 7: Click the Next button, review your settings and click the Create button.

This will return you to your Virtual Appliances page where you will see that your Evolve Virtual Appliance is being generated.

Once available, you will receive an email with a secure temporary download link. You can also download your virtual appliance at any time directly using the corresponding Download button.

All you need to do now is download and boot your Evolve Virtual Appliance!

Connectivity Testing

After you deploy an Evolve Virtual Appliance, it is important to confirm that the connectivity is working as expected to ensure that Evolve can connect to the required hosts.

Evolve provides two options to test connectivity:

Direct VPN Gateway Connectivity
Evolve Security Zone Connectivity

Follow these steps to confirm the connectivity of your Evolve Virtual Appliance is working as expected.

Direct VPN Gateway Connectivity

Step 1: Download the VPN Gateway configuration from the Evolve Console. Navigate to Security Zones → Gateways and click the Download button for the relevant VPN Gateway.

Step 2: Evolve will provide a ZIP file with the required configuration files, including your corresponding Evolve Certificate for trusted encryption and authentication. Within the ZIP file you will find a file named user.ovpn, which is an OpenVPN configuration file.

Step 3: Download an OpenVPN client from the following sources:

Step 4: Once your VPN connection is established you can test connectivity via the Evolve VPN through your Evolve Virtual Appliance to your internal network. Use common utilities, such as “ping” or “nmap”, to test connectivity to the hosts on your internal network.

Note: if you are unable to install an OpenVPN client on your machine the following Evolve Security Zone Connectivity instructions may be of interest.

Evolve Security Zone Connectivity

Step 1: Import the “Kali Server” from the Evolve Marketplace so we can orchestrate a server within your Evolve Security Zone

Step 2: The Kali Server workflow requires you to have created “Evolve Credentials” for your SSH username and SSH public key. Navigate to Credentials -> Key Pairs. Click the green plus button. Create a Key Pair for your SSH username (not encrypted). Create a second Key Pair for your SSH public key (not encrypted). When you paste in your SSH public key you need to surround it with quotes (eg, “ssh-rsa AAAAB…aaa”).

Step 3: Navigate to Workflows and launch an instance of the Kali Server workflow. If you don’t have a security zone yet, then you will need to launch one first and connect it to your Evolve VPN Gateway. Enter the CIDR you want to restrict SSH access to, select your Evolve Credentials, and set the Security Zone to be the internal security zone connected to the VPN Gateway.

Step 4: You then need to select the security zone where you want to launch your Kali Server, else Evolve will automatically create a new one for you that will not be connected to your Evolve VPN Gateway and so will not have access to the corresponding internal network.

Step 5: Once the workflow instance is in the Available state, your Kali Server will get its own unique Evolve domain name. You can find this if you go to the Resources tab of the workflow instance, click the Kali Server Module Instance ID, then in the Kali Server module instance you will have a Configuration tab where you will see your Kali Server domain name.

SSH into your Kali Server using the following command. It listens on port 2222/tcp:

ssh -i my-private-ssh-key.pem -p 2222 myuser@i-yourinstanceid.tcp.evolve.threatintelligence.com

Step 6: From there you can run a nmap across a selection of the client’s private network ranges to confirm that you get the expected results.

Once you have finished testing your connection, delete your Kali Server Workflow Instance. This ensures that your security zone scales down when you are not using it.

Connectivity Troubleshooting

Internal Firewall Rules

If you don’t get the expected results, then it is likely that they have firewall rules blocking the Evolve Virtual Appliance from connecting to internal systems.

Outbound Firewall Rules

If your Evolve Virtual Appliance is configured with a “Direct Connectivity” back to Evolve, then the outbound connectivity may be getting blocked outbound at the firewall preventing it from establishing a connection. Confirm that port 443/TCP can connect back to your Evolve VPN Gateway IP address or that firewall URL filtering is allowing connectivity back to *.evolve.threatintelligence.com.

Proxy Access

If your Evolve Virtual Appliance is configured with “Proxy Connectivity” back to Evolve, then connectivity to the proxy port may be getting blocked within an internal firewall or your proxy settings configured within the Evolve Virtual Appliance are not correct. Confirm the following for your Evolve Virtual Appliance:

Connectivity to your proxy on the correct proxy port and that port 443/TCP is allowed to *.evolve.threatintelligence.com.
The Windows username, password and domain are correct and exist within your Active Directory with the required permissions

SSL / TLS Inspection

A less common issue is that SSL Inspection is occurring at the firewall or proxy, which attempts to decrypt the connection back to Evolve. The Evolve Virtual Appliance detects as a man-in-the-middle attack and will not establish the connection as a security precaution. This means that SSL / TLS Inspection needs to be whitelisted on your security device for the Evolve Virtual Appliance.

Evolve Virtual Appliance CLI

The Evolve Virtual Appliance also has an interactive console. SSH into the Evolve Virtual Appliance as the “evolve” user with the password that was set upon creation of the virtual appliance. This will drop you directly into the “vaconsole” prompt where you can type “help” to see the various options.

There is a “test” option that allows you to test that the virtual appliance is working as expected, which includes testing that the VPN is established and that DNS is working, amongst other things. Correct anything that is not working as expected.

Conclusion

Evolve Virtual Appliances introduce powerful capabilities into your organisation with minimal effort allowing you to augment your security team with specialist security automation and orchestration capabilities.

Please reach out to our support team if you need any assistance here .

A Guide to Internal Penetration Testing

Fri, 21 May 2021 07:01:18 GMT

Are you an IT professional who is looking to get into penetration testing (often called “pentesting”)? If so, then this article is a good place for you to begin. It will, hopefully, serve as a jumping-off point for you to get into the exciting and important field of pentesting.

In the U.S. alone, it is estimated that there is some form of cyber attack every 39 seconds. Given the costs that a company can sustain when it suffers a breach, it is very important to perform regular penetration testings, so that they can identify and address the vulnerabilities. As we said a moment ago, this is a very important field. So where to start? Well, pentesting comes in two forms: Internal and External pentests. This article will deal solely with internal testing.

What is Internal Penetration Testing?

Where External Pentesting examines a front-facing network, internal penetration testing involves carrying out a series of tests to help and identify what an attacker who has internal access to a network can accomplish. Disgruntled employees, errors, and bad policies can all produce internal cyber threats. Testing for these things may include monitoring, credential stealing, man in the middle attacks (MITM), privilege escalation, information leakage, malware infections, or any other malicious activity.

The attacker can be a contractor, an employee, or a staff member with internal access. This test will show the organization’s entry points/weaknesses, and help assess an attack’s impact. Even if you are secure from external threats, internal testing is vital should an attacker access your network from the inside.

Internal Penetration Testing Methodology

An internal Penetration test has four phases:

Reconnaissance

The first phase involves passive intelligence gathering. This may include analyzing the traffic and “sniffing” networks. It further includes collecting information, such as domain and subdomain names, data leaks, technical information shared on social networks or forums, versions, and types of technologies used. It may also include employee names and – if existent – pwned passwords (a pwned password is a password that has been breached and released to the public). This phase’s main purpose is to identify all the sensitive information.

Mapping

During the mapping phase, pentesters gain better insight into the most exposed and critical elements of an organization’s infrastructure. This particular phase is essential, especially if you are looking at vulnerabilities within the entire framework, rather than just one particular aspect (such as, say, guest wi-fi).

Discovery

Is the phase where you will actively search for vulnerabilities. This phase generally uses automated programs that are designed to scan the network (and software) as thoroughly as possible. The goal here is to find as many vulnerabilities as you can.

Exploitation

This last phase tests all the possible exploitation flaws that were identified during the discovery phase. Exploitation allows you to discover just how much of an impact a particular vulnerability can have. For example, a cracked password for an employee who has access to customer and client PII can lead to massive threats of identity theft.

How to do an Internal Penetration Testing

Any potential internal vulnerabilities are identified by carrying out tests on one or more of the following areas:

WIFI Networks
IPS/IDS
Local Servers
Firewalls
Access Points
Computer Systems
Employees

Internal Penetration Testing Checklist

The internal penetration checklist ensures that your efforts in penetration testing deliver results.

Scheduling ( 2-4 months before Penetration Test )

Communicate your testing methodologies, and follow best-practice standards in the industry.

Testing Preparation ( 5 weeks before Penetration Test )

Collect as much information as possible. The amount of information you receive will obviously depend on whether this is a black, grey, or white box test.
Outline what the organization can expect to see on their end as you test: impacts on the website, server issues, etc. If the company has an IDS or IPS, they will need to monitor those alerts to make sure it is the pentest, and not a real-time threat.
Schedule the penetration test, keeping in mind that you will need time for remediation. Also, when scheduling the test, bear in mind how much of an impact on business it may have, and try to schedule accordingly.

Testing ( During Penetration Test )

This is the actual test. During this time, you will run all automated and manual processes, as outlined with the organization beforehand.

Work with the organization’s team members. Communicate regularly, asking questions and being willing to answer any of their questions.
Stay within the scope of the agreed-upon work! If the job scope includes only email servers, then test only email servers – do not go outside of that!

Reporting ( 0-6 weeks after Penetration Test )

After completing the test, you will work up a report, detailing vulnerabilities, any exploitations you were able to introduce, as well as projected impact and suggested remediation. You must then give the organization time to review the report. Be patient!

Do not only address exploitations, but also root causes.
Keep yourself available to answer any questions.
If requested, work with their Technology/Security Teams to help remediate any issues they wish to address.

Retesting ( 0-3 months after Penetration Test )

Depending on the company’s budget and resources, they may request you to come back and do a retest. Bear this in mind when you are scheduling your next pentests!

Retest to satisfy that fixes are working (within 90 days after initial report date)
Repeat remediation until all corrections have been made

Internal Penetration Testing Tools

The internal penetration testing tools that are popularly used include:

For Frameworks, you can use the following testing tools:

Kali Linux
Backtrack5 R3
Security Onion

For Reconnaissance, some of the internal penetration tools you can use include:

Smartwhois
dnsstuff
CentralOps
DIG
nslookup
netcraft
Have I been pwned?

For Discovery, the following are the tools that you can use:

OpManager
Maltego
nmap
Colasoft ping tool
Angry IP scanner
LanSurveyor
NetResident

The following tools can be used for Enumeration:

Netbios enumerator
Superscan
Ps Tools
Enum4Linux
Netscan
nslookup
NsAuditor
Jxplorer
DumpSec
Hyena
WinFingerprint
Snmpcheck

Tools you can use for Scanning include:

GFI Languard
Nexpose
SAINT
Retina

For Password Cracking, you can use the following tools:

John The Ripper
Cain & Abel
Ncrack
Ophcrack
LC5
Rainbow Crack
Hydra

For Sniffing, you can use these tools:

Ettercap
Wireshark
Capsa Network Analyzer

For Exploitation, use the following tools:

Core Impact
Metasploit

Automated Internal Infrastructure Penetration Testing

The Evolve “Automated Internal Infrastructure Penetration Testing” solution helps organizations orchestrate on-demand penetration testing environments. This means you can run an internal penetration test in any location across corporate networks within on-premise data centers and public clouds, including AWS and Azure.

Evolve orchestrates scalable penetration testing environments specifically for the type of penetration test you want to perform. You choose the level of protection and intensity that is right for your business needs with event-driven or daily, weekly and even monthly periodic penetration testing.

If you want to try automating your security in your own time, start our 7-day free trial. Check how easy and fast it is:

Step 1: Register an Evolve Account

Step 2: Navigate to the Evolve Marketplace

Step 3: Import the Automated Internal Penetration Test workflow into your account

Step 4: Click to launch a workflow instance to start running a test

Step 5: Done! Evolve does all the work to secure your business!

START FREE TRIAL

Conclusion

Organizations need to carry out internal penetration tests as often as – or perhaps even more often than – external penetration tests. This will ensure that they clearly understand what information can be exposed to attackers, which will help prevent malicious activity. Data breaches and the exposure of PII is a large and growing threat in today’s global cyber market. Now, more than ever, pentesting is a valuable and necessary tool for protecting assets of all kinds.

Network Segmentation and How it Can Prevent Ransomware

Tue, 18 May 2021 07:16:07 GMT

Ransomware is on the rise. In 2020, ransomware attacks surged by 150% , with the average attack extorting as much as $170,000 (although cybercriminal groups such as Maze, Egregor, and RagnarLocker extorted much higher amounts of $1-2 million). Ransomware has even been dubbed “ the face of cybercrime in 2020 .” Clearly, this is a lucrative crime, but what is considered ransomware?

Ransomware is any number of malicious programs launched by bad actors who then gain unauthorized access to a system. Once they’ve gained access, these criminals then encrypt the victim’s files, denying access until the victim pays a ransom. As you can no doubt imagine, ransomware can be very, very devastating, especially when the attackers target healthcare systems and financial firms, gaining access to medical and PCI data.

To mitigate the risks of ransomware and boost their IT security, many organizations are adopting something known as network segmentation. In this article, we will explore various aspects of network segmentation, including:

What network segmentation is,
What the different types of network segmentation are, and
The benefits of network segmentation.

What is Network Segmentation?

Network segmentation refers to dividing a larger network into smaller sub-networks with limited inter-connectivity between them. By controlling traffic flows between various sub-networks and by restricting attacker lateral movement, network segmentation prevents unauthorized users from accessing the organization’s intellectual property and data. In other words, a large, open network can be easily traversed by a user, but if the network is segmented – and the “doors” between these segments are limited and locked – it becomes much more difficult for an attacker to navigate his or her way through the network.

Types of network segmentation

Network segmentation VLAN

Segmenting by VLAN is already a common practice for most businesses and organizations, because segmenting a network into subnets, in addition to preventing free lateral access, helps speed up network performance. We’re willing to bet that your business already has subnets in place.

Firewall Segmentation

Firewalls are another common method of preventing unauthorized access to various parts of a network. Firewalls work by using a predetermined set of rules to either allow or deny certain traffic into and out of a network. These rules can be signature-based, anomaly-based, or a whole host of other custom parameters.

Least Privilege Segmentation

In IT, we don’t typically think of Least Privilege rules as a form of segmentation, but they are. “Least Privilege” is a common practice that restricts access to certain areas within a network, based on a user’s credentials and job requirements. For example, a custodian in a hospital would have access to patient rooms, but would not have access to medical records. Likewise a CSO for a company may have root privileges within a network, but the accountant would not.

What are the Benefits of Network Segmentation?

We would argue that network segmentation is a critical security measure for any network, because it works on multiple levels to protect data and endpoint devices, as well as reduce and remove attack vectors. Think of it like a neighborhood. In a place where each house is separate, it would be very difficult to break into one house and move to the next house from the bedroom window of the first house. To break into a second house would require the thief to leave the first house and move, in the open, to the next, increasing his or her chances of being caught. Contrary, in a set of row houses, where each house is connected to the next – say, with a common shared attic – moving from one home to the next without being caught or stopped is much easier.

However, as we noted earlier, ransomware is a growing threat within cyber security. So while segmentation is good for the overall security of a network, how does segmentation protect a business, specifically, from ransomware?

Using Network Segmentation to Stop Ransomware

Ransomware is a malicious code that does one of two things:

Identifies and encrypts important files, or
Locks access to the computer/network.

The attacker then holds the files/devices “ransom,” only unlocking the devices after his demands have been met. As we also noticed, the ransom amounts can reach into the billions.

Threats from Ransomware

Without network segmentation, lateral movement within a network is extraordinarily simple. Think about printing from your computer at home: that is a lateral movement between your computer and the printer, and it’s as easy as a click of a button. Network segmentation divides the network, preventing this lateral movement, and therefore preventing access to sensitive data. Instead of one security perimeter around the entire network, you’ve essentially set up multiple security perimeters within the network.

Here are a few examples of networking segmentation:

Secondary Switches

By allowing users to connect securely to the network through secondary switches, you are adding another layer of security, as each switch can be configured with several different options, including firewalls and DHCP Snooping.

RAID Configurations

There are several kinds of RAID configurations. While only a few apply in this situation (e.g., RAID 0), what RAID configurations do is divide the data between two or more servers, each with its own layer of protection. This way, should an attacker gain access to one server, he or she will be unable to move (or at least have great difficulty doing so) between these servers.

Network Segmentation Best Practices

Extranets

One attack vector that is becoming popular is to gain access to a network through a vendor . A common practice when working with vendors is to establish an extranet: an access portal with limited access to the network. By establishing an extranet for vendors, you are once more tightening the attack surfaces between the compromised vendor and your own network.

Least Privilege

As we noted above, practicing the principle of Least Privilege will help prevent lateral movement within a network. For example, if Bob’s account is compromised by an attacker, but Bob has no access to any sensitive data at all, then the attacker has, essentially, wasted his own time.

Perform Regular Network Audits

Audits are one of the best ways to make sure a network is being regularly inspected for threats and risk assessments. They can be time-consuming, but they well-worth the effort.

Automated Security

Lastly, using an IDP/IDS is a vital part of protecting any internal and external network. Make sure your baseline traffic is established and alerts are set, and you will have a vital layer of protection.

Conclusion

One other good practice that we should definitely mention, however, is regularly backing up your data (this is where RAID configurations also come in handy, as some of them include disc parity). In the event of a successful attack, one of the worst things you could do is actually pay the ransom. Why? Because paying the ransom alerts the attacker – and his or her colleagues – that you are an easy target. Once your organization is labelled as such, you can expect to receive more breaches and more ransom demands. Secondly, the attacker may not even give you your data back. He or she can simply destroy it, leaving you both several thousand dollars poorer and without your data. By having data backed up on a separate storage device – preferably one not connected to the main network – you can simply remediate the infected machines and use the back-ups to restore business.

While none of the practices we’ve mentioned is enough on its own, together, these network segmentation practices will help prevent bad actors from moving and spreading across your organization’s network as they search for valuable files. As an organization, you have a responsibility to protect data, whether it is patient, customer, or employee. Following these guidelines will help you do just that.

Secure Code Reviews: What is it, Benefits and Checklist

Mon, 10 May 2021 07:28:57 GMT

No one disputes the importance of testing and validation during the Software Development Lifecycle (SDLC). But it’s also equally (if not more) important to conduct an additional review that focuses solely on security . Often times, applications and software have vulnerabilities and flaws that are unknown to the developers, but are found by hackers, sometimes years after release. Secure code reviews enable development teams to identify and eliminate such potentially risky vulnerabilities before the application is released, minimizing these exploits. They are also mandatory for regulatory compliance in many industries ( e.g. healthcare and payments).

What is Secure Code Review?

Secure code review is the process of checking an application’s source code in order to identify and eliminate vulnerabilities that may have been inadvertently placed there during development. It may be done manually with a real person reviewing the code line by line, or with automated secure code review tools, which scan the code and report flaws.

Both methods have pros and cons. Manual reviews are time-consuming, error-prone and require domain expertise to be truly effective. Automated secure code review tools are faster and less error-prone, but also expensive. In addition, some tools only find certain types of flaws, while others produce “false positives,” which require time-consuming human intervention. This is why we recommend using a combination of the two.

Security code reviews should focus on these areas:

Authentication and authorization
Data validation
Error handling
Session management
Security configuration
Logging
Encryption

Benefits of Secure Code Reviews

The goal of secure code reviews is not to find and address every potential issue or “glitch,” but to harden the code, making it more secure. Reviewers attempt to find specific security-related defects that a malicious actor could exploit to compromise the CIA triad of Confidentiality, Integrity, and Availability .

Another vital aim is to “fail fast”, which means to ensure that bugs are revealed as early as possible, closer to their cause. This makes it easier to fix them before they cause serious security breaches post-release, which may lead to lost revenues, fines, angry customers, or a damaged reputation.

According to Microsoft, code reviews also help ensure the code’s “long-term maintainability” and enable teams to “communicate over a shared view of an evolving artifact.”

Secure Code Review Tools

These secure code review tools are very valuable for security analysts:

Automated static code analysis

These tools support quick identification and remediation of flaws on a single platform without requiring source code, and offer nearly 100% code coverage.

Threat modeling

Structured threat modeling provides context to security efforts, and reveals threats that need closer investigation.

Software composition analysis

These tools identify vulnerabilities in open source code to mitigate risks and improve the remediation process.

Secure Code Review Checklist and Best Practices

To successfully review the code, reviewers should understand the application and its use cases, and be aware of the security controls to look out for. They should also follow some best practices, such as:

Use multiple techniques

Each review method can reveal issues that improve the final results, so it’s best to use a combination of complementary methods and secure code review tools.

Review code every time a meaningful change is introduced

Regularly testing code during development is usually better than waiting until just before release.

Continuously track insecure code patterns

Monitoring and tracking repetitive issues is useful for future reviews, and for updating the review guide.

Focus on the big picture and the intent of the review

It’s best to focus manual reviews on important general areas, while automated secure code review tools should be used to find specific flaws.

The OWASP guide to secure code reviews is a great resource for more secure coding best practices.

Secure Code Review Checklist

A secure code review checklist can help maintain consistency between both reviews and different reviewers. As part of a comprehensive and well-structured audit strategy, it clarifies the security challenges that need addressing.

Here is a good template:

1. Download the code to be tested

2. Check the file/folder structure to confirm that nothing is missing

3. Open the code in an IDE or text editor

4. Search the code for:

Configure files
Application routes
Sensitive keywords

5. Scan the code with static analysis tools

6. Log valid security issues into a reporting tool and cross off invalid issues. To determine validity, look for three pieces of information:

Source
Sink
Data transformations while flowing from source to sink

7. For valid issues, perform search queries on the code to find more issues of the same type

Conclusion

In today’s expanding threat landscape, bad actors are everywhere, waiting to exploit application vulnerabilities. Secure code reviews can help mitigate this risk.

Development teams should harden their code through a combination of secure coding and secure code reviews. Secure code review training can also be invaluable and worth the investment for everyone involved.

The Guide to Secure Code Review by OWASP perfectly encapsulates the importance of secure code reviews:

“The code is your only advantage over hackers. Don’t rely only on external penetration testing…(Code review) is the fastest and most accurate way to find and diagnose many security problems.”

What is Security Automation: A Brief Primer

Mon, 03 May 2021 08:50:07 GMT

As recent cyberattacks against companies and governments have demonstrated, no organization is safe from cybercrime. Moreover, security incidents and data breaches are becoming expensive, costing a staggering $3.86 million on average. It is clear that prevention is, now more than ever, a necessary focus.

To prevent malicious attacks, enterprises need strong cybersecurity programs with constant vigilance, threat detection, and remediation. However, these objectives are difficult to achieve with a strictly human-based approach. This is due to the prevalent problem of alert fatigue, a combination of sheer volume (large amounts of data) and wasted time (mostly in the form of large amounts of false positives). Security automation can help minimize this problem, strengthening an organization’s security posture while also aiding the security team’s day-to-day responsibilities. Here’s how.

What is Security Automation?

Most organizations rely on multiple defensive cybersecurity measures to detect and prevent threats. Although essential to cybersecurity, these systems often create an uninterrupted flood of alerts. To separate the real threats from the “false positives,” security teams must prioritize and investigate these alerts – a burdensome task that causes the aforementioned alert fatigue.

According to recent research, 70% of IT leaders say that security alert volume has more than doubled since 2015. Moreover, 83% believe that their security teams experience alert fatigue. To address the issue, security personnel either increase the alert thresholds (therefore reducing volume), or simply ignore certain alert categories. With either approach, genuine alerts often get lost in the noise, which can be disastrous in today’s expanding threat landscape. While it would seem, therefore, prudent to expand the employee pool, hiring more human resources is not always feasible. Here’s where security automation can be very valuable.

Security automation replaces manual incident response processes, such as scanning, detection, investigation and remediation, allowing SecOps teams to respond more efficiently to threats. A security automation tool minimizes the need for human intervention to identify incoming threats and prioritize alerts. It instantly engages with an incident, quickly responds to alerts, and contains and resolves issues.

What are the Benefits of Security Automation?

Enhanced security capabilities

With security automation, the organization’s Security Operations Center (SOC) can reduce false-positive alerts, reduce MTTR, and increase MTBF. They can also conduct deeper analyses and implement more proactive security measures, strengthening the organization’s capability to withstand threats.

Optimized security budget and higher ROI

Security automation empowers security teams to move away from routine detection and response tasks, and focus on more value-added work (like advanced threat defense).

Fewer errors for stronger threat detection and incident response

Intelligent security automation “learns” from patterns, and standardizes threat detection and incident response. This allows for better protection, minimizes errors, and improves the accuracy of alert investigations.

In addition, security automation tools can also:

Determine legitimate alerts for deeper investigation
Triage and mitigate potential risks by following the organization’s decision-making workflow
Standardize incident response processes to reduce response times
Streamline communications between security and other teams
Increase visibility of security metrics for a stronger cybersecurity posture

The Evolution of Security Automation

Security automation is a direct result of two key developments: the increasing number of cyber attacks, and growing alert fatigue. As we know, security breaches can have severe consequences, so organizations need strong threat detection and remediation capabilities. But manually analyzing each threat is overwhelming, and as we’ve seen, a vast majority of alerts are often ignored. Security automation was a necessary solution to these challenges.

From automated penetration testing to streamlined security queues, security automation has evolved into a more holistic approach where human intervention is not required. Today, the focus is increasingly on Orchestration, Automation and Response.

What is Security Orchestration, Automation and Response?

Security Orchestration, Automation and Response (SOAR) combines automated data gathering, case management, analytics, and security automation, so organizations can easily implement more sophisticated defense-in-depth capabilities to protect themselves. While security automation is about replacing manual incident response tasks with automation, security orchestration is about integrating disparate security tools and platforms to enable automated, machine-speed decision-making. It centralizes security operations data from different sources into a single interface, so security teams can quickly understand the threat landscape and respond appropriately.

What that means is the threat is placed within the overall context of the network and organization. It is difficult to make an informed decision without information, and Orchestration helps provide that information.

How to Get Started with Security Automation

To get the most value out of security automation, it’s important to first establish security needs and objectives, define relevant use cases, study other security automation examples, and research providers.

Establish security objectives

In addition to improving their threat detection and remediation capability, organizations may also have other specific security goals: reduce alert fatigue, minimize inefficiencies, make operations leaner, etc. It’s important to identify these goals before implementing a security automation system.

Define use cases and examples

The enterprise lists the ways they will use security automation. It helps to review other security automation examples for inspiration and information.

Research providers

While researching providers, it’s useful to ask these questions:

Is their platform “no-code” for easy deployment and use?
Is it customizable and scalable?
Does it provide third-party integrations and plugins?
Can they provide security automation examples from previous deployments?
Is staff training required?
Is technical support available?

The best security automation systems offer:

Standardized incident response workflows
Pre-built and customizable playbooks based on internal rules
Integration with other security systems, like SIEMs, firewalls, and endpoint solutions

Evolve: The World’s First Dedicated Security Automation Cloud

Evolve extends, integrates and streamlines security automation, orchestration and response capabilities across the organization’s internal networks, data center environments, and cloud environments. Scalable, cost-effective, and available on-demand, Evolve optimizes security resources, and enhances security capabilities across the infrastructure.

Getting started with Evolve is easy and fast it is:

Step 1: Register an Evolve Account

Step 2: Navigate to the Evolve Marketplace

Step 3: Import the Automated External Penetration Test workflow into your account

Step 4: Click to launch a workflow instance to start running a test

Step 5: Done! Evolve does all the work to secure your business!

Conclusion

In an increasingly worrying cybersecurity landscape, security automation provides a powerful way for organizations to strengthen their threat detection, analysis and remediation capabilities. And when combined with security automation, orchestration and response, the enterprise can strengthen their cybersecurity posture, and stay several steps ahead of bad actors who want to harm them.

What is Cybersecurity Staff Augmentation?

Thu, 22 Apr 2021 09:01:42 GMT

Even though a business or a company may have its cybersecurity assessed through penetration tests, more personalized and extensive assistance is often needed. You’ll find that most companies lack adequate resources (in terms of technology and manpower) to manage their security programs.

Cybersecurity staff augmentation involves partnering with third-party security experts and advisors on an as-needed basis. This allows for the customization of a team that meets business needs. It offers flexible and scalable solutions that establish the best tools, practices, and assessment frameworks to put your company on the right track. By augmenting your security team, you can have highly-specialized experts who will:

Help your team complete projects promptly
Address specific security weaknesses
Do the jobs your team has neither the time nor resources to do

How does Cybersecurity Staff Reinforcement work?

Cybersecurity staff augmentation essentially works by supplementing IT departments with security advisors who can be called upon to come in and assess a situation that goes beyond the basics of what the company’s cybersecurity team can handle. Cybersecurity staff augmentation works by partnering with the IT departments to test and remediate a number of things, such as: network firewalls, specific cybersecurity risks, security tools, and even updating company policies.

Cybersecurity Staff Augmentation through Security Automation

Just as with many IT-related tasks, cybersecurity staff augmentation can also be automated , with security automation software, to detect any cyber threats using an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS). This will allow you to allocate manpower resources into other areas, and give you the peace of mind you need to know your system has an added layer of threat intelligence .

Benefits of Cybersecurity Staff Augmentation

There are several benefits to Cybersecurity staff augmentation. First, this process removes pressure from your security team by delegating specialized and time-consuming tasks. When your team is already stretched thin and inundated by projects, bringing in a temp specialist/group helps relieve that pressure.

Secondly, augmentation offers scalability. One of the benefits of working with a VCN is that resources can be allocated or shut down as needed, reducing costs in the long-run, but allowing for extra space/operational abilities when necessary. Staff augmentation works the same way. Your company can’t afford to keep certain positions on year-round, but bringing that specialist in when needed – and releasing them when the job is done – will allow you to complete the necessary work without spending more money than necessary.

Roles Make Up an Augmented Security Staff?

Cybersecurity staff augmentation includes the following roles:

Virtual CISO

A CISO (chief information security officer) is the engineer of a cybersecurity program. Any moving part related to compliance certifications, risk assessments, cybersecurity tool selections and penetration testing is overseen by CISO. Unlike before, CISOs have now switched to part-time and virtual roles for small enterprises, usually because they are more objective, as well as cheaper.

Analysts

Cybersecurity work requires data gathering, organization, and interpretation. All of this is handled by analysts, and while it is a good idea to have analysts on your team, augmenting analysts during high-traffic or security issues is an excellent alternative to overworking your team.

Auditors

An auditor’s job is to examine your company’s security framework, specifically checking for compliance standards, such as GDPR or CCPA. They look for critical holes in the data management process, also checking for policy infractions internal to the company. Because many businesses do not need auditors 24/7, augmenting with auditors may be a good option.

Technical Writers

Cybersecurity staff augmentation also requires a team that can establish a successful security program. Analysts send information to this team, who translates it into network diagrams, instruction manuals, reports, and disclosures. In other words, a quality technical writer helps ensure that company policies are effectively communicated.

White Hat Hackers

The best way to know how secure your network is is through penetration testing. Pentesting detects cybersecurity vulnerabilities, remediating them when possible. Pen testing requires impeccable data gathering analysts, grounds, authentic hack attempts, non-disclosure agreements, and formal reporting. Because your company is unlikely to need constant pentesting , augmenting your staff with pentesters once or twice a year is a good idea.

Who Needs Cybersecurity Staff Augmentation?

While the need for cybersecurity data varies differently from one organization to another, almost all organizations collect, store, and share consumer data. From big-box retail to the local coffee shop, every organization needs cybersecurity to some degree. Because a full team is often unnecessary, however, staff augmentation can be beneficial to everyone.

Cybersecurity Staff Augmentation for Enterprises

Large businesses have full-time cybersecurity teams and CISOs. The CISOs are, however, not objective. Therefore, they can employ temporary experts who access the organization’s network from an outsider’s perspective, run penetration testing, and perform audits.

Cybersecurity Staff Augmentation for Small/Mid-sized Businesses (SMBs)

Small businesses quite often don’t feel the need for augmentation, because they don’t believe they are in danger of a security breach. However, recent trends reveal that SMBs are the primary targets for the fraudsters and cybercriminals. Because they operate on modest budgets, they cannot afford a full-time cybersecurity team – perhaps only a couple of IT employees.

But with the virtual CISOs, small businesses can protect themselves from losing data, while at the same time staying within budgets that are reasonable.

Conclusion

You can raise your cybersecurity to an acceptable level through cybersecurity staff augmentation. It helps ensure that organizations are safe from security breaches and that they are compliant with current regulations and laws. And it does all of this with a flexibility and affordability that is difficult to achieve through a lage, full-time security team. So who needs to consider cybersecurity staff augmentation? Everyone.

Automated Penetration Testing Beginner’s Guide

Wed, 14 Apr 2021 07:37:20 GMT

Advancements in technology are a double-edged sword. As technology advances and discoveries are made, so do weaknesses in an organization’s web applications, networks, and software applications. And, of course, new vulnerabilities mean new attack vectors for bad actors. It is, therefore, up to an organization’s security team to find, fix, and/or monitor these vulnerabilities before the attackers do.

The vulnerabilities themselves happen for a number of reasons: poorly designed architecture, certain misconfigurations, insecure code, etc. They are often introduced accidentally during the implementation phase of software development. The most common vulnerabilities include software bugs, configuration errors, and design errors, to name a few. To uncover these vulnerabilities, organizations should frequently carry out penetration testing by testing and identifying all the present security risks. Penetration Testing is carried out through two techniques, automated penetration testing and manual penetration testing. This post will explore automated testing.

What is automated penetration testing?

Automated penetration testing involves using automated tools to scan the vulnerabilities within an organization’s network. Manual tests are expensive, and they often take more time than an organization might have. Automated testing, by comparison, is cheaper and faster (sometimes taking only a few hours, rather than a few weeks). Automated penetration tests have 5 phases: Automated Reconnaissance
Automated Fingerprinting and Scanning, Automated Attack and Exploitation, Automated Post-Exploitation and Lateral Movement and Automated Reporting – of course, designed to function the same way as the traditional red team penetration testing – which continuously launches simulated attacks against a company’s defenses and identifies whatever vulnerabilities it might find. Once the security gaps are discovered, the Automated Penetration Testing platform then provides remediation guidance.

Manual Penetration Testing vs. Automated Penetration Testing

What are the types of Automated Penetration Testing?

Automated Reconnaissance Penetration Testing

Automated Reconnaissance Penetration Testing is a passive test that detects security vulnerabilities and critical issues that exist on the very front-end of an organization (such as an employee’s breached email account). Just like its manual counterpart, the Reconnaissance phase of pentesting is simply meant to gather information in the hopes of finding a loophole or easily exploitable entry point.

Automated External Penetration Testing

Automated External Infrastructure Penetration Testing detects and verifies security weaknesses and critical risks for the publicly-accessible infrastructure. With a powerful combination of active attacks and automated reconnaissance, security teams can find and remediate public-facing risks.

Automated Internal Penetration Testing

Automated Internal Infrastructure Penetration Testing allows you to run internal pentests across corporate networks – on-demand – from any location within public clouds and on-premise data centers, including Azure and AWS. It helps to minimize the time it takes to detect and verify security weaknesses and internal risks.

Automated DevOps Application Penetration Testing

Automated DevOps Application Security Testing helps integrate security testing into an organization’s DevOps pipeline. For every code deployment, automated DevOps application testing helps developers discover application-layer vulnerabilities early in the process, saving time, frustration, and – potentially – problems later down the road.

What is the penetration testing process?

There are four penetration testing methods, which can be categorized as follows:

Data collection

There are many data collection tools available for free, not the least of which is Google. Whether the tester is using Google to enumerate employees, or using Nmap to map the network, the tools available can give you a wealth of information including t he hardware used, software versions, DB versions and the third-party plugin used in a system.

Vulnerability assessment

Based on the data collected, you can then begin to search for security vulnerabilities. For example, earlier versions of WordPress (before 5.2.3) did not properly filter comments, allowing for SQL injections and XSS. Once existing vulnerabilities are discovered, the pentesters can then launch attacks through the identified entry points.

Exploitation

Here is where the actual attacks occur. In the above example, the pentester may execute a SQL injection, or open a backdoor into the database.

Report preparation and result in analysis

After all the tests have been completed, the pentester prepares a detailed report to make corrective actions. The report lists all the vulnerabilities that were identified together with recommendations for remediation.

Best Automated Penetration Testing Tool

There are many automated Penetration Testing tools out there, but in our opinion, the best tool is Evolve. Evolve’s penetration testing environments are scalable, and can be tailored to the specific type of penetration test you want to perform, allowing the user to choose the level of intensity and protection that is right for his or her business needs.

Automated Penetration Testing by Evolve

Evolve secures both internal and external applications and systems in an organization, and allows you to execute on-demand automated pen-testing across an organization’s systems. Evolve even offers monitoring of an organization’s domain names and email addresses. To date, there have been over 700 billion compromised accounts, whether email, health sites, or e-commerce sites. Evolve will protect and monitor your corporate accounts from sites whose credentials may have been breached, helping to keep your business from being added to that statistic.

Conclusion

Automated Penetration Testing, when used in conjunction with regularly scheduled manual tests and standard detection tools, can provide a much more efficient and effective security position. It’s high time to consider reaping the benefits of automated breach simulation by moving beyond the limitations of point-in-time testing.

Threat Intelligence: Types, Benefits and It’s Lifecycle

Sun, 11 Apr 2021 21:29:00 GMT

Cybersecurity challenges, such as security breaches, data thefts, and malware attacks, are becoming increasingly more frequent all over the world. More and more organizations are realizing that reactively addressing these issues is not an effective security strategy. Instead, they are taking more proactive steps by investing in threat detection technologies and building robust Security Operations Centers (SOC). They are also instituting threat intelligence programs to identify and prevent cyberattacks before they happen, in greater efforts to minimize damage.

There are three critical questions that we must ask:

What is cybersecurity threat intelligence?
What are the main types of threat intelligence?
What is the threat intelligence lifecycle?

This guide will address these.

Before we dive into the details, though, there are a few key things to keep in mind. One, the development of threat intelligence is not a linear, end-to-end process, but a circular and continuous process known as the Intelligence Cycle. Further, although the idea of threat intelligence can provide a sense of comfort and safety, intelligence alone is not enough. Organizations also need to implement the right defense technologies and threat intelligence tools to protect their operations, data, customers and workforce.

What is Threat Intelligence

According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Threat intelligence is contextual information that enables organizations to take proactive actions that can prevent, or at least mitigate, cyber attacks.

Threat intelligence is about data: about potential attackers, their intents, motivations and capabilities, and about possible Indicators of Compromise (IoC). This information can help organizations make faster, more informed security decisions, and thus be better prepared for cyber threats.

Why is Threat Intelligence Important and Who Does It Benefit?

With threat intelligence, organizations can leverage key data about threat actors and threat vectors to understand them better, tailor their defense strategies, and prevent attacks . . . before they happen. They can also respond faster to security incidents that do happen. This is one reason why the threat intelligence market is expected to grow at 17.4% CAGR from 2017 to 2025 (Grand View Research), potentially earning revenues of a whopping $12.6 billion in 2025.

In addition to threats from devious cybercriminals, organizations also face other challenges that weaken their security postures, such as a shortage of skilled cybersecurity professionals and the availability of too much data. This is a dangerous combination because it creates a larger gap between what needs to be addressed and what can be addressed, often leading to situations where serious threats go unnoticed, and they waste time chasing after issues that should have been ignored. For instance, most SOC teams can only investigate 56% of alerts, while only 34% of them are deemed legitimate, and it’s estimated that security analysts spend around 25% of their time investigating and chasing false positives (Ponemon Institute). These factors all waste time and resources, and reduce the overall impact of cybersecurity programs.

A cyber threat intelligence solution can effectively address these issues and strengthen organizations’ security postures by:

Revealing the vital “triad” of actors, intent and capability, as well as their tactics, motivations, techniques, and procedures (TTPs)
Helping them understand the relevant actions that can be taken to neutralize them
Revealing previously unknown threats, promoting proactive decision-making
Integrating disparate bits of data to provide timely warnings and actionable information

Threat intelligence is timely, contextual and actionable, which are valuable benefits for both the decision-makers – who must often make vital decisions quickly – and for protecting the organization from threats.

Threat intelligence benefits everyone in security:

Security Analysts: It boosts the organization’s cyber defense capabilities.
Intelligence Analyst: It helps uncover threat actors, and helps make more accurate predictions to prevent the misuse or theft of information assets.
Computer Security Incident Response Team (CSIRT): It speeds up incident investigations, analyses and remediations
SOC: It provides a “single pane of glass” solution to strengthen internal alerts and enable better incident prioritization
Vulnerability Management: It leverages key insights and context to prioritize vulnerabilities

On a broader level, threat intelligence is also crucial for executive leadership, empowering them to understand the enterprise’s cyber risks, and helping them to make data-driven decisions to mitigate the impact of those risks.

In short, threat intelligence benefits everyone!

The Threat Intelligence Lifecycle

As mentioned earlier, the process of gathering, analyzing, prioritizing and utilizing threat intel is not a linear (or one-time) process, but part of an ongoing lifecycle. Thus, an effective intelligence program, particularly one that uses Machine Learning (ML), is iterative – learning, adapting and refining over time to strengthen the organization’s security paradigm. It enables security teams to optimize their resources and maximize the value of the information they receive. The threat intelligence lifecycle includes the following six phases:

Requirements Gathering and Planning

This first stage is critical, because it is where the security teams set the program’s objectives, align these objectives with the organization’s core values, and forecast the potential impact of future decisions based on this intelligence. They try to uncover more information about possible threat actors, the size of the attack surface, and consider how they can shore up their defenses.

Data Collection

Based on the requirements and objectives identified in the first stage, the team collects relevant threat data. This may include IoCs (like malicious IP addresses, URLs and domain names, email addresses, registry keys, and file hashes) or vulnerable information (like PII data), or raw/shared code.

They may look in various places and at multiple sources to gather this data, including:

Network event logs
Traffic logs
Records of past incident responses
Technical sources
Open web
Dark web
Social media
Paste sites (e.g. Pastebin)
Industry thought leaders
Subject matter experts

Data Processing

Simply gathering data is not enough. It also needs to be sorted, organized and filtered to support further analysis. At this stage, metadata tags are added, while redundant, irrelevant and unreliable information is removed. Teams may also organize data into spreadsheets, decrypt encrypted files, and translate information from foreign sources.

Manually doing all these tasks for millions or even thousands of data points is time-consuming and error-prone, which is why automation is useful. Security Information And Event Management (SIEM) solutions provide correlation rules to simplify data structuring. However, they are limited in the number of data types they can take, so a robust threat intelligence tool is required. ML- and NLP-based threat intelligence platforms can structure data into entities, structure text from sources in different languages, classify events and alerts, and generate accurate predictive models. All these advantages augment the organization’s threat intelligence program. Software and programs such as OSSIM, Splunk and Kibana are useful for this.

Data Analysis

Once data is processed, it needs to be analyzed. The primary goals here are to understand the data, check to see if it satisfies the requirements and objectives identified in the first phase, and search for potential security issues.

The security team converts the data into a format the audience (e.g. senior executives) can understand. This may be a simple threat list, a concise presentation deck, or a comprehensive report. The team also identifies the key action items and provides relevant recommendations to prevent or mitigate threats.

Dissemination

The results of the analysis are presented to the relevant stakeholders. To maintain continuity between one threat intelligence cycle and the next, every piece of intelligence must be tracked. A ticketing system that can be accessed by multiple people is very useful in this regard.

Feedback and Adjustments

Once the report is presented, stakeholder feedback is solicited to determine whether adjustments are required to objectives, requirements, report schedules, threat intelligence operations and procedures, and/or priorities.

The Three Key Types of Threat Intelligence

By itself, “threat intelligence” is a fairly vague term. That’s why it’s useful to break it down into its three main types. Each type serves a different purpose and is aimed at a specific audience (though with some possible overlaps).

Strategic Threat Intelligence

Key stakeholders/audience: Senior/C-Suite managers (CISO, CTO, etc.), Company Boards.

What it does: It provides a bird’s eye view of the organization’s threat landscape, including risks, trends and threat actor motives. Since the audience consists of senior executives and other key decision-makers, this intelligence is less technical. It usually requires massive amounts of research, so a solution that automates data collection and processing can be very helpful.

Operational (Technical) Threat Intelligence

Key stakeholders/audience: Threat hunters, CSIRT, SOC analysts, vulnerability management teams.

What it does: Operational threat intelligence focuses on understanding important operational aspects, including cyber attacks and threat actor capabilities, infrastructure and TTPs. It often includes technical information from threat intelligence feeds that enables security teams to optimize cybersecurity operations through more targeted and prioritized actions.

Machine Learning-based solutions that automate data collections can simplify operations and increase the efficacy of the threat intelligence program.

Tactical Threat Intelligence

Key stakeholders/audience: SOC analysts, system architects, SIEMs, firewalls, endpoints.

What it does: Tactical threat intelligence includes contextual information about TTPs and targeted vulnerabilities. It enables security teams to better understand threat vectors, and how the organization can prevent or mitigate potential attacks. Teams can also leverage this information to strengthen existing security controls and accelerate incident response.

Threat Intelligence Use Cases

Instead of focusing on only basic threat intelligence use cases (e.g., incident response and the integration of threat intelligence feeds with existing firewalls and SIEMs), organizations must ideally leverage it for other use cases as well. These include:

Risk analysis

Since threat intelligence is contextual, it strengthens risk models so the organization can better define risk measurements, and understand their assumptions, variables, and outcomes. It also helps develop a better handle on threat actors, frequency of attacks, and exploitable vulnerabilities.

Security operations and triage

Due to large alert volumes, manually triaging alerts is a time-consuming and complex process, often leading to “alert fatigue”. Threat intel makes it easier for security teams to filter alarms, triage alerts, and analyze incidents.

Vulnerability management

By effectively leveraging threat intelligence tools, security teams can identify the vulnerabilities that pose the biggest risks to the organization. They can thus identify more real threats before they can cause significant damage.

Fraud prevention

It can help prevent data compromise (e.g. leaked credentials) and payment fraud. It also raises alerts on phishing and typosquatting domains that cybercriminals often use to illegally impersonate brands and defraud users.

Strengthen security posture

Threat Intel is more than short-term information. It also enables organizations to better understand the long-term threat landscape, assess business risks, identify mitigation strategies, and make better investment decisions to strengthen their security.

Evolve: An Automated, Relevant, Contextual Threat Intelligence Tool

Evolve’s automated threat intelligence platform enables organizations to implement proactive protection, take data-driven decisions, and get maximum value from their intelligence investment.

From spam and phishing intelligence, to intelligence about TOR, open proxy, ransomware, and more, Evolve is a cutting-edge threat intelligence tool for transparent and comprehensive investigations. Evolve seamlessly collects “global” threat sources and integrates threat intelligence feeds into its workflows and internal security solutions. This empowers organizations to stay on top of the latest attacks to proactively prevent them from damaging their systems, devices or data.

For more information about this powerful threat intelligence platform, click here .

A Final Word

In our globally expanding threat landscape, cyber threats can have serious repercussions. But with timely, targeted and contextual threat intelligence, enterprises can shore up their defenses, as well as mitigate the risks that could damage their reputation and financial health, keeping them a few steps ahead of clever cybercriminals. The time for reactive security is long gone. Proactive threat intelligence is here to stay.

Penetration Testing: Everything You Need To Know

Sat, 06 Mar 2021 20:55:59 GMT

Today, government agencies, businesses and many other organisations are implementing more sophisticated cybersecurity measures to guard against the ever-changing nature of cyber attacks. One tactic these organisations are using is penetration testing. Penetration testing is gaining so much traction that it is estimated that by 2025, it will be a $4.5 billion industry .

In this post, we will explore everything you need to know about penetration testing (pentesting). Let’s dig in:

What Is Penetration Testing?

Penetration testing is the practice of evaluating an IT infrastructure to find security vulnerabilities that an attacker can exploit. The IT infrastructure being evaluated could be a software application or network. The vulnerabilities could include configuration errors, software bugs, design flaws and risky end-user behavior, to mention a few.

Although penetration testing can be done manually, automated software is sometimes used to systematically compromise wireless network, servers, network devices, web applications, mobile devices, endpoints and other potential exposure points.

The primary objective of penetration testing is to identify security weaknesses in IT infrastructure. Penetration testing can also be used to test an organisation’s security policy, its ability to identify and respond to security incidents and its employees’ security awareness.

Penetration testing is also known as pentesting or ethical hacking. It is also sometimes referred to as a white hat attack.

Financial service organisations and tech companies commonly conduct pentesting, but all organisations can significantly benefit from this type of evaluation.

Why Is Penetration Testing Important?

It reveals vulnerabilities

Penetration testing evaluates the existing vulnerabilities in your network infrastructure or application system configurations. Your employees’ habits and daily actions that could lead to malicious infiltration and data breaches are also under scrutiny during a pentest.

Once the testing is over, you receive a report informing you of all the weaknesses found and the software and hardware improvements you should consider. You also get recommendations on policies that would boost the overall security.

It reveals real risks

Pentesters try to exploit the identified weaknesses. This gives you a chance to see what a black hat hacker could do in the real world. This helps you to prioritise real-world risks so you can focus on the weaknesses that really matter rather than theoretical ones.

It tests the capability of your cyber defense

Your organisation should be quick to detect and respond to attacks. You should detect intrusions in time, launch investigations promptly, discover the intruders and block them. This should be the case, whether it is a malicious actor or an expert testing your protection strategy’s effectiveness.

The feedback you receive from the pentest will let you know how you can improve your defense.

Ensures business continuity

For your business operations to be running all the time, you need access to resources, 24/7 communications and network availability. Disruptions to these necessities will have a negative impact on your business.

A pentest is similar to a business continuity audit, in that it identifies potential threats that would lead to unexpected downtimes or a loss of accessibility. Addressing these threats will ensure your business continues to run without interruptions.

Helps illegal compliance and certifications

Your organisation might be operating in an industry with legal requirements that dictate a certain level of penetration testing. For example, the ISO 27001 standard and the PCI regulations require all system owners and managers to conduct regular security reviews and pentests with skilled testers.

Helps you maintain trust

Data breaches and cyber attacks affect the loyalty and confidence of your customers negatively. However, if your organisation is known to conduct strict and systematic reviews and penetration tests, this will assure your shareholders.

What Is The Difference Between Vulnerability Scans And pentests?

Vulnerability scans scrutinize an environment and create a report of all the weaknesses uncovered. Vulnerability scanners can expose thousands of vulnerabilities but do not help in prioritising the most severe ones. Also, their results do not account for the unique circumstances of each IT environment. This is where penetration testing comes in.

While vulnerability scans give you a picture of the security weaknesses present, a penetration test adds additional context by finding out if it’s possible to leverage the vulnerabilities to gain access to your environment. Penetration testing also helps in prioritising recommendation plans based on the threat that poses the highest risk .

Access the full comparison report here .

Penetration Testing Tutorial

Before we look at the steps or stages of penetration testing, let’s determine who conducts pentesting.

Who Performs Penetration Tests?

For a complex pentest that requires going deep into different applications and systems, you need an expert pentester or a group of them. To sufficiently test a realistic attack scenario, you will need a red team that employs complex strategies and solutions similar to what real threat actors would use.

For less demanding tests, you can create a robust pentesting program by using readily-available resources. Even if you don’t have extensive pentesting knowledge, you can use automated testing tools to run simple tests that are easy to run but vital to perform regularly. Such tests include validating vulnerability scans, privilege escalation, network information gathering and phishing simulations.

What Are The Stages Of pentesting?

Penetration testing can help you proactively identify the most exploitable security vulnerability before a malicious actor does. However, the process involves much more than infiltration. Penetration testing is a thorough, well thought out process made up of the following phases:

Planning and preparation
For the pentest to go well, you and your testers need to be on the same page on the test’s goals. Your testers need to know some of the tests they should run, who are aware that the tests are being run and how much information you will provide them with.
Discovery
This phase is where testers perform reconnaissance on their target, gathering data such as names, job titles, email addresses and IP addresses.
Penetration attempt and exploitation
Now that the pentesters have enough data on their target, they attempt to infiltrate the environment and exploit the weaknesses they discover.
Analysis and reporting
pentesters create a report that details the entire pentesting procedure, the tools used, the weaknesses found and recommendations to remedy them.
Cleanup and remediation
pentesters have to go back and remove any artifacts used to penetrate the system since real hackers could use them in the future. Your organisations should then implement the recommended changes to fix the vulnerabilities in your system.
Retest
The best way to be sure that the recommendations you implemented were effective is to test again. Quite often, as methods used to attack IT environments are always evolving, this may uncover new weaknesses.

How Often Should You pentest?

There is no one-size-fits-all when it comes to pentesting. The following factors affect how often an organisation should pentest:

The size of the company – If you run an organisation with a large online presence, you have more attack vectors and are therefore more attractive to hackers, so you should test often.
Budget – Large businesses can afford an annual pentest while a smaller one can only conduct a pentest once every two years.
Regulations – organisations in some industries are required to perform specific security checks, including penetration testing.

That being said, you should aim at conducting a pentest once a year to ensure more consistent IT and network security management. In addition to your yearly analysis and assessment, you must also conduct a pentest when you:

Add new network applications or infrastructure
Establish offices in a new location
Modify your end-user policies
Make substantial upgrades to your infrastructure and applications

What Should You Do After A pentest?

After a pentest, take time to disseminate, discuss and fully understand the findings. You should also relay the results of the test and actionable insights to the decision-makers within your organisation. Ensure that you emphasise the risks these vulnerabilities pose and how remediation will impact your business.

Types of Penetration Testing

When conducting a pentest, it can be tempting to ask the pentesters to do a general test where they “test everything” however, with this approach, pentesters will end up only scratching the surface of several vulnerabilities. Therefore, they would miss out on the valuable intelligence they would gather if they took a more in-depth approach by concentrating on a few areas. To ensure pentests are effective, there are several types of pentests that focus on specific areas of an IT infrastructure. They include:

Network Testing Penetration Testing

This is the most common type of pentest. Network service penetration testing aims to discover gaps and weaknesses in your organisation’s network infrastructure.

When conducting this type of pentest, an ethical hacker will run tests locally at the site and remotely from the outside. The tester will focus on targeting the following network areas:

IPS deception
Firewall configuration testing
DNS level attacks
Stateful analysis testing

Network service penetration testing helps you protect your organisation from the following network-based attacks.

DNS level attacks
IPS/IDs evasion attacks
SSIT attacks
Router attacks
Unnecessary open ports attacks
Man in the middle attacks
Proxy server attacks
Database attacks

Web Application Penetration Testing

Web application penetration testing is a more detailed pentest used to discover weaknesses in web-based applications. The scope of this pentest includes browsers and web-based applications and components such as Applets, ActiveX, Scriptlets, plugins and Silverlight.

Because of the increase in threats and complex nature of web applications, penetration testing generally requires more time to plan and execute, as techniques are continually evolving.

One of the main reasons you should conduct this type of pentesting is to expose security vulnerabilities within your web-based applications and their components, including back-end networks, databases and underlying code.

This type of pentest also helps in prioritising determined vulnerabilities and provides solutions that might help mitigate them.

Client-Side Penetration Testing

This type of penetration testing is used to expose security vulnerabilities in client-side applications. Apps like program applications – such as web browsers, Putty, Macromedia flash, email clients, Microsoft Office Suite and Adobe Photoshop.

Client-side penetration testing is valuable in identifying attacks such as:

Cross-site scripting attacks
Cross-origin resource sharing
HTML injection
Malware infection
Clickjacking attacks
Form hijacking
Open redirection

Wireless Penetration Testing

Wireless penetration testing aims to find out and evaluate connections between all the devices connected to your organisation’s Wi-Fi. All IoT devices, laptops, smartphones and tablets are examined.

Pentesters usually conduct wireless penetration testing on-site because they need to be in the range of the wireless signal to access it. However, where necessary, they can also deploy a device to carry this out remotely.

Because wireless networks allow data to flow in and out of your organisation, you should conduct wireless penetration testing to prevent data leakages and unauthorised access. Before you conduct wireless pentesting, please consider the following.

Have you identified all access points and noted the ones with inferior encryption methods?
Do you have monitoring systems to identify unauthorised users?
Is all the data flowing in and out of your network encrypted?
What measures are you currently taking to protect your wireless network?
Is it possible that your IT team may have duplicated or misconfigured a wireless network?
Are all your wireless access points using WAP protocol?

Social Engineering Penetration Testing

In a social engineering penetration test, a pentester attempts to persuade users to give their sensitive information, such as their passwords and usernames. Some of the common attacks pentesters use include:

Phishing attacks
Smishing (using SMS)
Imposters
Vishing (using Voice)
Pre-testing
Tailgating
Namedropping
Dumpster diving
Gifts
Eavesdropping

Social engineering penetration testing is a vital part of pentesting. This is because social engineering scams are very lucrative and internal users are the biggest threats to your network’s security. In fact, recent statistics show that 98% of cyber attacks rely on social engineering.

Physical Penetration Testing

In physical penetration testing, a pentester simulates a real-world threat by attempting to compromise physical barriers to access a business’s infrastructure, employees or systems.

Physical penetration testing is essential because most businesses treat physical barriers as an afterthought, but a malicious actor could cause severe damage if they can access your server room.

Physical penetration testing is useful to expose vulnerabilities in controls such as cameras, locks, sensors and barriers.

Penetration Testing Software

Different penetration testing targets require different software, such as those used for port scanning, Wi-Fi break-ins, application scanning and direct penetration of the network. The types of pentesting tools fall into five broad categories:

Reconnaissance tools that help testers discover network hosts and open port
Vulnerability scanners that help discover issues in the network services APIs and web applications
Proxy tools
Exploitation tools that help in accessing assets
Post-exploitation tools for integrating with systems and maintaining access.

Penetration tools and software should have the following characteristics:

They should be easy to configure, deploy and use
Should automate the verification of vulnerabilities
Generate detailed vulnerability logs and reports
Categorize vulnerabilities based on their severity
They should reevaluate previous exploits

Most of the popular penetration tools are open source or free to use. Open source tools give pentesters the freedom to modify and adapt the code for their specific needs. Some of the most commonly used penetration testing software includes:

Nmap- Nmap, short for Network Mapper, is a pen tool that scans networks and systems for weaknesses linked to open ports. This tool is directed to the IP address of the system to be scanned and it tests the system for open ports. Nmap can also be used to monitor host or service uptime and map networks attack surfaces.
Wireshark – This is a valuable tool for analyzing network traffic and packets. It allows organisations to see the minute details of what is taking place on their networks in real-time.
John the ripper- This tool contains several password crackers in one package. It automatically identifies different types of password hashes and decides on a customizable cracker. John the reaper is commonly used to launch attacks to discover password weaknesses in databases and systems.

Penetration testers use the same tools that black hat hackers use. This is because these tools are already readily available, well documented and it gives pentesters a better understanding of how these tools can be used against their organisations.

Automated Penetration Testing

Although penetration testing is mostly a manual process, tools can be used to automate the process. Automated penetration testing delivers results much faster than manual testing and does not require highly qualifies professionals to do the job. Automated pentesting tools automatically track results and sometimes export their findings to a centralised reporting system.

Although they are much faster, automated testing can give false positives and lack the depth that manual testing has. Also, automated testing solutions follow a scripted routine – unlike human pentesters who think and act like cybercriminals while analysing data and simulating attacks.

Conclusion

Although penetration testing is costly and labor intensive, it is vital there are security processes in place that will enable your organisation to discover weaknesses before malicious actors do. The knowledge you gain from a pentest can help you mitigate security risks to prevent future data breaches and losses associated with them. Feel free to contact us to today if you have any question or need help with penetration testing.

Web application penetration testing: tools, methodology and best practices

Sat, 06 Mar 2021 13:33:33 GMT

It could be devastating to see your website being hacked after investing enormous resources to set it up. Such a feeling could be worrisome and the experience might be frustrating. Web penetration could be faced by owned web applications or organizations. So, all you have to do is to relax and read through as you will be taken through web application penetration testing tools, methodologies, and all you need to know to avoid a further breach of your web application or to prevent it if you haven’t had the experience.

A reminder that a web application means software or program which is accessible using any web browser while a website means a collection of interlinked web pages that are globally accessible and have a common domain name.

WHAT IS WEB APPLICATION PENETRATION TESTING?

Web application penetration testing is a technique used to examine how vulnerable a web application is. If you want to make sure that your web application is free of vulnerabilities then web application penetration testing is what you should do.

Web application penetration testing ensures that your web applications aren’t susceptible to attack. The goal is to identify security patch over the whole web application (root code, database, back-end network) and also help to list the identified risks and vulnerabilities, and viable ways to eliminate them.

WEB APPLICATION PENETRATION TESTING METHODOLOGY

Since there are different web applications and each demands unique testing style, therefore testing is carried out from a list of widely accepted methodologies. Typically, a web application penetration testing methodology involves:

Information gathering – information concerning the web architecture, information leakage, web service integration, and other associated information to give the tester a guide
Installation of tools for experimentation. Examples of such tools include: N-Stalker, Sand Cat;
Understanding firewalls and other security protocols.
Platform testing and configuration
Error handling and data validation testing
Encryption related protection testing
Client-side and business logic testing.
Tests report generation and remedies suggestion
Vulnerabilities retest and cleanup

To be certain about the validity of testing methodologies, such method could be compared with some other testing methodology benchmark such as; Penetration Testing Framework (PTF), Open Web Application Security Project (OWASP), or Information Systems Security Assessment Framework (ISSAF).

With all the processes put to use and they do not perform below the testing methodology benchmark such as examples given above, you can be confident of the safety of your web application. Web application penetration testing methodology can be mitigated by security professionals by detecting any concerns and highlighting any weaknesses inside your sites.

HOW LONG DOES IT TAKE TO PERFORM A WEB APPLICATION SECURITY TEST?

The duration of performing a web application penetration security test is usually between 3 to 10 days. The duration depends on the testing type, the number of systems and obstacles encountered. Testing could be manual or automated. The time taken to complete manual testing is usually longer than an automated one.

WEB APPLICATION PENETRATION TESTING TOOLS

As stated earlier, there are many web application penetration testing tools, but the validity of a testing tool depends on the type of task it is meant for. Listed below are some open source web application penetration testing tools:

Zed Attack Proxy (ZAP)
Wfuzz
Wapiti
W3af
SQLMap

And Evolve, our Security Automation Platform, that reduces your security costs and augments your Security Team by automating your Penetration Testing, Third-Party Vendor Monitoring, Incident Response, Compromised Account Monitoring, On-Demand SIEM with EDR, DNS Sinkhole and Cyber Threat Intelligence. Click here to request a demo.

WEB APPLICATION PENETRATION TESTING BEST PRACTICES

Some best practices that could be indulged in web penetration testing are:

Adoption of a cybersecurity framework
Making security everyone’s business (especially for corporate/big business web app)
Know your web assets
Incorporate security into web development practices
Fix vulnerabilities as soon as it is detected
Automate and integrate
Test your defenses

All above- listed web application penetration test practices are suggested for all sizes of business from startups and small scale enterprises to multinational companies.

WEB APPLICATION PENETRATION TESTING CHECKLIST

Man-in-the-middle tests, as well as cloud storage tests, are factors to be considered in penetration testing.

Typically, the things to be done in pen testing include;

Conduct search engine exploration for leakage of information
Retrieve and evaluate files on robot.txt
Review content of web page
Assess the software edition, database information, the technical error part, coding errors when requesting invalid pages.
Examine the configuration of network infrastructure
Analyze the sources code from the front end of the application accessing pages
Test retention of sensitive information by file extensions
Check CAPTCHA for presenting or not presenting authentication vulnerabilities.
Cloud storage test
Testing the manipulation of roles and privileges to access resources
Check cryptography and error handling
Test by checking Encryption for Exposed Session variables
Data validation testing
Conduct a Directory Traversal Attack to access and execute Restricted Directories commands from outside the root directories of the Web server
Use vulnerability scanning software such as HP web inspect, Evolve conduct vulnerability scanning to identify the network vulnerability and decide whether it is possible to exploit the device.
Conducting a MITM (Man-in-the-middle) attack by blocking communications between end-users and web servers to access confidential information.

The web application penetration testing checklist isn’t restricted to the above but the listed have been streamlined to give a reliable outcome in pen-testing.

WEB APPLICATION PENETRATION TESTING COST

Web application penetration testing cost varies with varieties like; objective, scope, approach, skills and service. Typically, a web application penetration testing costs between three thousand dollars to a whopping amount of a hundred thousand dollars. For small scale businesses, don’t fret! Get a professional that would give you the best of service and you could talk out the price with the person. It is better to spend little on running a security test before your web app is breached than to spend a lot after it has been penetrated. It is never a wrong deal to spend reasonable costs on your web application penetration testing.

A Comprehensive Guide to Incident Response: What it is, Process and Examples

Fri, 05 Mar 2021 15:18:38 GMT

In 2020, the COVID-19 pandemic and organizations’ rapid transition to remote operations have created numerous opportunities for threat actors to launch sophisticated cyber attacks, with serious repercussions. Research suggests that since the start of the pandemic, remote workers have caused security breaches in 20% of organizations , while ransomware attacks accounted for over one-third of cyber incident response cases in 2020. Yet another report called 2020 the “worst year on record,” with almost 3000 publicly-reported data breaches , leading to the exposure of a staggering 44+ billion records.

Clearly, cybersecurity incidents are inevitable. However, how organizations respond to an incident can have a tremendous bearing on its ultimate impact. To mitigate an incident’s effect on their data, and ultimately on their revenues and reputations, organizations must take appropriate steps to minimize their vulnerability. Here’s where Incident Response (IR) can play a game-changing role in preparing and protecting organizations from future threats. We must ask four questions when considering Incident Response Plans:

What is incident response and why is it important?
What are the four phases of incident response?
What are the five steps of incident response?

In this detailed guide, we will cover all of these key aspects. We will also explore incident response plans for small businesses, and give examples of incident response plan flow charts.

Let’s start with the most basic question: What is Incident Response?

What is Incident Response?

“Incident Response” (IR) involves more than just responding to a security incident. IR is a systematic, proactive, reactive and preventative approach that enables organizations to prepare for, detect, mitigate, and recover from cybersecurity incidents. It involves both planning and execution, and allows firms to respond effectively to an incident in an orderly and effective manner so that they can minimize its impact and protect their assets, financial health and reputation.

An IR program helps strengthen the organization’s ongoing risk assessment and incident response process. It also supports knowledge-sharing and documentation, and helps with litigation so legal teams can understand the applicable reporting and notification requirements under data breach laws.

Why is Incident Response Important?

A failure to implement an IR Plan (IRP) can have disastrous consequences. It weakens the organization’s security posture and makes them more vulnerable to the business, financial and legal consequences of attacks. Their insurance claims may be rejected, which will affect their bottomline, business continuity and longevity.

Unfortunately, most organizations lack a formal IRP. In fact, IBM found that although organizations using an IRP experienced less business disruption and greater cyber resilience, 51% of them have only an informal or ad hoc plan. The good news is that organizations with an IRP spend about $1.2 million less on data breaches than companies without such preparations.

Many cybersecurity risks are often not detected until it’s too late ( 280 days on average), which creates numerous operational challenges for organizations. Due to its emphasis on anticipation, adaptation, agility and speed, a formal IRP with clear measures can help eliminate these challenges quickly, and/or minimize their impact.

What Are The Four Phases Of Incident Response?

The National Institute of Standards and Technology (NIST) has created an “ Incident Response Life Cycle ” that effectively answers the question: What are the four phases of incident response?

I. Preparation

It is impossible to effectively respond to incidents – much less prevent them – at a moment’s notice. That’s why preparation is critical when establishing IR capability and ensuring the security of the organization’s systems, networks and applications.

Preparation must include all the below activities:

Set up an IR team, define responsibilities and clarify their decision-making powers
Set up multiple communication and coordination mechanisms, including devices, software and incident analysis resources
Create a jump kit containing materials that may be needed during an investigation in order to facilitate faster responses
Conduct periodic risk assessments of systems and applications
Harden hosts using standard configurations, following the principle of “least privilege”
Configure the network perimeter to deny all unauthorized activities
Deploy anti-malware software at the host, application server and application client levels

Conduct awareness training so users are clear on the appropriate use of networks, systems and applications .

II. Detection and Analysis

The second phase helps determine whether a security incident occurred, and analyze its severity and type. The NIST outlines the following steps:

Identify the most common attack vectors so as to define specific handling procedures
Pinpoint signs of an incident, both current (indicators) and future/possible (precursors) to determine the type, extent and magnitude of the problem, as well as weed out false positives.
Analyze and validate incidents to determine their scope, points of origin and attack vectors
Document and timestamp all incidents including system events, conversations and observed changes in files
Prioritize incidents based on relevant incident-specific factors like:
Functional impact
Information impact
Size
Type of resources affected
Notify appropriate individuals so they can execute their specific roles and functions

This phase can be challenging for numerous reasons. One, incidents may be detected by many means, making the detection process extremely complex. Next, some incidents are nearly-impossible to detect. Third, the high volume of indicators of potential compromise (IOCs) make it difficult to separate genuine issues from “noise.” Finally, incident analysis is a people-dependent activity, even with automation, so a lack of human expertise can weaken the organization’s detection/analysis capabilities.

III. Containment, Eradication and Recovery

The goal here is to mitigate or minimize the effects of a security incident before it can overwhelm resources or cause too much damage. But it’s necessary to predetermine strategies and procedures. It’s also important to define containment strategies based on acceptable risks and criteria, such as:

Potential for resource damage
Value and business impact of affected assets
Need to preserve evidence/order of volatility
Continuity of service
Resources and time required to implement the strategy

Other important steps include:

Evidence gathering, handling and documentation: For incident resolution and (possible) legal proceedings
Identifying the attacking host(s): By validating the attacking host’s IP address, using incident databases, and monitoring possible attacker communication channels
Eradication and recovery: By identifying all affected hosts and exploited vulnerabilities, and eliminating components of the incident (e.g. malware)
Restore systems to normal operations: By remediating vulnerabilities to prevent similar incidents in future

IV. Post-incident Activity

While cybersecurity incidents cost organizations, on average, $3.86 million , they also provide opportunities for learning and improvement. This is why NIST suggests that every IR program should include a “lessons learned” element based on meetings and follow-up reports that produce a set of actionable data, like:

Incident count
Time spent per incident
Objective assessment via logs, forms, reports, etc.
Subjective assessment of performance and outcomes

These metrics can help improve security measures and the incident handling process, and also help with risk assessment and the implementation of additional controls.

What Are The Five Steps Of Incident Response?

What are the five steps of incident response in order in this model?

Preparation: Develop IR policies and guidelines, conduct cyber hunting exercises, assess threat detection capability, and incorporate threat intelligence feeds
Detection and Reporting: Monitor security events, create tickets, and report incidents
Triage and Analysis: Collect data from tools and systems for further analysis
Containment and Neutralization: Restore systems and resume normal operations
Post-incident Activity: Document all information to prevent similar future occurrences

What is An Enterprise Incident Response Plan, and What are Its Key Steps?

Incident response plan elements

An incident response plan usually includes these elements:

The organization’s approach to IR
How IR supports the firm’s vision, mission and goals
IR phases and activities
Personnel roles and responsibilities, a clearly articulated chain of command, and senior management approval
Resource and activity prioritization strategy depending on the attack vector, data exfiltrated, and the criticality of the infrastructure components that may be affected
Key metrics to capture the capability, effectiveness and performance of the IR program
Communications flows between the IR team and stakeholders (internal and external)
How lessons learned will be reinforced across the enterprise

An effective incident response framework also includes a tailored IR policy that clearly defines elements, such as:

Purpose, objectives and scope
Statement of management commitment
Definition of security incidents
Definitions of roles, responsibilities, and levels of authority
Reporting, communications and information-sharing requirements
Handoff and escalation points in the IR process
Incident prioritization
Performance measures

Standard Operating Procedures (SOPs) should also be defined based on the IR policy and plan. They must specify the processes, techniques, checklists, etc. to be used, and should be tested to validate their usefulness. Training on SOPs can ensure that security incidents are handled efficiently and with minimal impact to the flow of business.

Incident response plan steps

This 7-step process is very effective for creating an effective IR plan:

Prepare for potential incidents with triage exercises and playbooks
Identify the size and scope of an incident by starting with the initial compromised device
Isolate compromised devices to stop the spread of the attack
Eradicate threats by patching devices, disarming malware, disabling compromised accounts, etc.
Recover and restore normal services to the business
Document lessons learned to prevent future incidents
Train staff on incident response

Incident Response Plans for Small Businesses

An incident response plan is critical for small businesses, particularly in a post-COVID world because it can help them react quickly and correctly to security incidents while minimizing cost and potential damage.

Here are the steps to create an incident response plan for small businesses:

Identify possible security incidents that could impact the business
Decide how to react to each incident
Identify the personnel who will be responsible for handling incidents
Implement internal and external communications channels
Consolidate this information to create a comprehensive plan
Practice incident response
Adjust the plan as needed

Incident Response Plan Flowchart

A fllowchart can be a great way to visualize the creation steps outlined in the previous two sections. Below is a good example of one:

Incident Response Team

The IR team’s main goal is to ensure that the proper response is initiated with any security incident. It should include specialized sub-teams, each with a job to do. These include:

Security Operations Center (SOC): The first line of defense to triage security alerts
Incident Manager: To determine incident response and a plan of action with various stakeholders
Computer Incident response Team: To provide expert technical inputs
Threat Intelligence Team: To constantly assess the cyber threat landscape and strengthen the organization’s security profile

Incident Response Plan Examples and Templates

Instead of building your IRP from scratch, you can save time and effort by starting from a template. One such example is provided by the California Department of Technology here . It discusses the steps to be taken to implement an incident response plan, and to prevent the intrusion from happening again. Another template from the Criminal Justice Information Center provides guidelines on how an incident response plan can be written in order to respond to security incidents.

Automated Incident Response

As soon as suspicious activity is identified, our Evolve Security Automation platform triggers Automated Incident Response procedures to ensure the incident is contained as quickly as possible to minimize any negative impacts to your organization.

Conclusion

Incident response begins as soon as a threat is detected in a company’s environment. With a detailed incident response plan, the organization can properly prepare for and plan to prioritize actions and minimize potential damage in the event of an incident. The threat landscape is widening and will continue to do so over the next few years. In this scenario, incident response is as critical for large enterprises as it is for small businesses, not only to regain control over systems and data, but to ensure business continuity in an unstable world.

THREAT INTELLIGENCE

Securing Remote Workers

Secure Hardware

Secure Software

Secure Connectivity

How Can Threat Intelligence Help?

Security Within Agile Methodologies

Waterfall vs Agile

The Waterfall Model

The Agile Method

Why Security Must Not be an Afterthought

How Can Threat Intelligence Help?

Embracing Cloud Without Compromising Security

Four Benefits of Embracing a Cloud Computing

Hybrid Solutions – Aligning On-Premises and Cloud Environments ﻿

How can Threat Intelligence help your organisation embrace cloud securely?

The Smart Choice: Outsourcing Your Cybersecurity Requirements

Fighting an Uphill Battle: The Challenge of Cybersecurity Staffing

5 Key Benefits of Outsourcing Some (If Not All) Of Your Cybersecurity Requirements:

5. Expedite Your Cyber Maturity

How can Threat Intelligence help?

How to identify your Log4j exposure

EvolvePT VS Log4j

Log4j External Exposure Penetration Test (Unauthenticated)

Log4j Authenticated External Application Penetration Test

Log4j Internal Infrastructure Penetration Test (Unauthenticated)

Log4j Authenticated Wireless Penetration Test

Log4j Authenticated Internal Exposure Assessment

EvolveMDR VS Log4j

Log4j Security Breach Investigation

Vulnerability Scanning vs Penetration Testing: What Is the Best Approach for Your Organisation?

Why You Need to Test Your Systems Regularly

What is Vulnerability Scanning?

What is Penetration Testing?

Scope

Reconnaissance and Planning

Interrogation

Reporting

Evolve Automated Penetration Testing: The Best of Both World

Security Architecture: What it is, Benefits and Frameworks

Elements of Security ArchitecturE

Security Architecture Frameworks Examples

TOGAF Framework

SABSA Framework

OSA Framework

Benefits of Security Architecture

Strong security architecture leads to fewer security breaches

Proactive security measures save money

Mitigate disciplinary measures in the event of a breach

Conclusion

What is a Managed SOC? And why use one?

Managed SOC Meaning Unpacked

Why Use a Managed SOC?

Benefits of SOC As a Service

Technology Deployment and Management

On-demand Access to Experts

Security Event Prevention and Management

Security Incident Prevention and Remediation

Proactive Threat Protection

Managed Detection and Response (MDR)

Threat Intelligence Management

Managed SOC Pricing

Conclusion

Retail Cybersecurity: Threats, Statistics and Best Practices

Retail Cybersecurity Statistics

Why Retail Cybersecurity Threats Happen

Types of Retail Cybersecurity Threats

Phishing Scams

Ransomware

Data Breaches

Attacks on IoT Devices, Payment Systems and Machine Learning Systems

Advanced Persistent Threats (APT)

Supply Chain Attacks

Retail Cybersecurity Best Practices

Encrypt all Sensitive Data

Segment the Retail Network

Perform Regular Data Backups

Deploy POS Malware

Implement Multi-factor Authentication (MFA)

Implement Zero-Trust Access (ZTA)

Hybrid Solutions – Aligning On-Premises and Cloud Environments

Evolve Automated External Penetration Testing