Is Your Threat Intelligence Certified Organic?

Certified _Organic_Threat_Intelligence

7 questions to ask before choosing a web-based threat intelligence feed.

It should come as no surprise that CISOs are under ever-increasing pressure, with many facing the prospect of losing their jobs if they cannot improve the strength of the enterprise security posture before breaches occur. And, occur they will. Consider these figures—recent studies report that web-based attacks are one of the most common types of digital attacks experienced by the average enterprise, costing $96,000 and requiring 27 days to resolve a single incident. Furthermore, there is a definite positive correlation between both the size of the organization and the cost of the cyber attack and additional correlation between the number of days taken to resolve an attack and the cost of the attack—the larger the organization or days required to remediate, the higher the cost.

Enter, Threat Intelligence

CISOs increasingly embrace threat intelligence as a means to enhance their digital security posture. In the past three years, organizations have significantly raised their spending on threat intelligence, allocating almost 10% of their IT security budget to it, and this number is expected to grow rapidly through 2018. And, this budget allocation appears to be well spent as organizations report enhanced detection of cyber attacks—catching an average 35 cyber attacks previously eluding traditional defenses.

Not all threat intel feeds are created equal

Sure, threat intelligence feeds are increasingly accepted and adopted as an essential element in the enterprise security strategy. In fact, 80 percent of breached companies wish they had invested in threat intelligence. But even as the use of third-party threat intelligence feeds increase, IT/security teams are realizing that not all threat intelligence feeds are created equal.

To begin with, there are several types of threat intelligence feeds based on web-based threats or email threats, and feeds that scan the dark web, among others. While not discounting the value of the various types of feeds, CISOs need to understand why web-based threat intelligence is the first among equals. Web-based malware target the enterprise network and the endpoints through day-to-day internet use by employees–internet critical to their day-to-day office functions. A truly valuable threat intelligence feed will help CISOs achieve their end goal of keeping their organization safe and blocking confirmed bad actors.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Checklist for Choosing the Right Threat Intelligence

Ask these seven questions to determine if the web-based threat intelligence feed(s) you choose are “certified organic” enough to provide tangible goodness and value to the health of your enterprise security posture:

1.    Is the data original source?

Our previous post, Your Threat Intelligence Isn’t Working, discussed the pitfalls of using compiled third-party sources in a threat intel feed—more data isn’t necessarily good data! The time-consuming process of managing duplicates and false positives cripples the performance of most information security teams to the point that many alerts are ignored. Protect cherished resources—budget and time—by choosing an original source threat intelligence feed.

2.    How is the data collected?

While original source threat intelligence minimizes false positives and duplicates, how the data is collected maximizes the tangible value of the feed. Web-based malware is typically delivered through mainstream, heavily-trafficked websites, either via ads or third-party code such as data management platforms, content management systems, customer identification engines, video players and more. Hence, the threat intelligence feed needs to source the data by replicating typical website visitors. This means continuously (24*7*365) scanning the digital ecosystem across multiple geography, browser, devices, operating system and consumer behavior, using REAL user profiles. Unless the engine that gathers the threat intelligence behaves like real internet users (who are the targets of web-based malware), the quality of the “internet threat” data is questionable at best.

3.     Is the threat intelligence dynamic?

Threat intelligence should be a living (frequently updated), constantly active data source. The data in the threat intelligence feed needs to adapt to reflect the rapidly transforming malware landscape. The engine behind the feed should both track and detect malware in real-time, while also accounting for the changing patterns of attack. Even the algorithms driving the machine learning needs to be dynamic and continuously reviewed.

4.     Does it prevent AND detect threats?

As the adage goes, an ounce of prevention is worth a pound of cure, and this holds true in the cyber security space. However, reliance on prevention isn’t practical or realistic. Prevention boils down to deployed policies, products, and processes which help curtail the odds of an attack based on known and confirmed threats. What about unknown or yet to be confirmed threats?

Threat hunting is becoming a crucial element in the security posture. It refers to the detection capabilities stemming from a combination of machine generated intel and human analysis to actively mine for suspicious threat vectors. Does your threat intelligence account for both indicators of compromise (IOC) and patterns of attack (POA)? The goal of threat hunting is to reduce the dwell time of threats and the intensity of potential damage. The threat intelligence feed should allow you to act on threats patterns before they become overt.

5.     How is the data verified?

Just as the automation or machine learning behind the threat intelligence feed should simulate a real user for data collection, human intervention is important for data verification. Without the element of human analysis, data accuracy should be questioned. Otherwise, you run the risk of experiencing increased false positives.

6.     Is the information actionable?

Malware is malware, and by its definition it is “bad”. You do not need an extensive payload analysis of threat data. You do, however, need information about the offending hosts and domains, so that compromised content can be blocked, either manually or via Threat Intelligence Platform (TIP). The granularity of the data can also save CISOs from the politics of whitelisting and blacklisting websites. As a bonus, real-time intelligence will enable you to unblock content when it is no longer compromised.

7.     Does it offer network-level protection?

While CISOs still debate over an optimal endpoint security solution, web-based threats attack at the enterprise network. Frankly, stopping malware at the endpoint is too late! The threat intelligence you choose must offer network-level protection and deter web-based threats from propagating to endpoints in the first place.

Your Threat Intelligence Isn’t Working

False positives undermine your security investments. 

Your Threat Intelligence Isn't Working

The rapid adoption of threat intelligence data by enterprises signals an increased emphasis on preventing targeted malware attacks. While few question the strategy fueling this boom, it is the quality of this intelligence that is debatable. Recent news of organizations suffering brand damage due to false positives in their “compiled” threat feed, puts the quality of numerous threat intelligence feeds under scrutiny.

In simple terms, a compiled threat intelligence feed aggregates data from various open sources and may also include observed data from the security vendor. The pitfalls of these multiple dependencies are many, the most debilitating of which is the quality of this so-called “intelligence.” In most cases, a compiled threat intelligence feed is a minefield of false positives, false negatives and unverified data.

To make your digital threat intelligence work for you, consider these factors:

Go for original source

Compiled isn’t conclusive

Many vendors use the euphemisms like “comprehensive” or “crowdsourced” threat intelligence to characterize the value of their data. These euphemisms typically describe data compiled from multiple sources. Very few (most likely none) reveal the fact that this aggregated data hasn’t been thoroughly vetted for accuracy – a process that requires significant manpower hours for the volume of data within the feed. In fact, the time needed to properly assess the data would delay an enterprise’s receipt of and action on the intelligence. Needless to say, this time lag is all it takes for serious damage to be done by cyber criminals.

Avoid Costly Cleanups
False positives can be damning

The inherent inaccuracies in a compiled threat intelligence feed can lead to false positives and duplicate threat alerts. It is a well-established fact that malware alerts generate around 81% false positives and average 395 hours a week of wasted resources chasing false negatives and/or false positives.

A critical by-product of false positives is alert fatigue, which induces enterprise security professionals to not react in a timely manner – fatal behavior when an actual breach or violation does occur. In this “boy who cried wolf” scenario, the enterprise is vulnerable from two perspectives. Failure to react to a “positive” alert could expose the entity to malware. On the flip side, reaction to a “false positive” expends countless resources. Whatever the situation, the consequences could damage careers, cripple the security posture, and tarnish the enterprise’s image. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur.

Focus on patterns, not just appearances
Both IOCs and POAs are important

Another aspect to deciphering the value of  threat intelligence is what actually goes on behind the scenes. Most threat intelligence feeds factor in indicators of compromise (IOCs) to describe a malware alert is valid  or is marked with “high confidence” in its accuracy. However, what is harder to determine is the actual behavioral pattern of a threat or the method of malware delivery, which is what patterns of attack (POAs) depict. By understanding the POAs, high-quality threat intelligence can also detect new threat vectors, hence allowing enterprises to block suspicious malware before it becomes overt.

The key determining characteristic between IOCs and POAs is that IOCs contain  superfluous, easy-to-alter data points that are not individual or specific to the bad actor, whereas POA data points are difficult to mask. To put it in simpler terms, think of a bank robbery. Information describing the appearance of the robber, such as a shirt or hair color, could be easily changed for the robber to evade detection and be free to commit additional heists. However, more specific, innate information regarding the robber’s gait or voice, would make the individual easier to detect and block their ability to commit the same crime again. These inherent factors or POAs are difficult and expensive to alter. Therefore, threat intelligence data should factor in both IOCs and POAs in order to provide a more conclusive picture of a threat and minimize false positives.

Security Buyer Beware

Yes, factors such as real-time data, number of data points on threat vectors, easy access, and seamless integration with TIP/SIEM are important in determining the overall quality of a threat data feed. However, inaccurate data and false positives are fundamental flaws in many market solutions for threat intelligence. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur. Choose wisely.

The Blind Spot in Enterprise Security

Website security is overlooked in most IT governance frameworks. 

website security blindspot

Managing a website isn’t as easy as you think. Sure, you test your code and periodically scan web applications but this only addresses your first-party owned code. What about third-party code?

Considering more than 78% of the code executing on enterprise websites is from third-parties, IT/ website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune.

Masked vulnerability: What you don’t know can hurt you

The fact that the majority of the code executing on an enterprise website is not seen, let alone managed, does not absolve the enterprise from blame should something go wrong—and it does.

Much publicized stories about website compromises and digital defacement point to the embarrassing reality that websites are not easy to secure. But that’s not all.

Digital property owners—websites and mobile apps—are beholden to a series of regulations covering consumer privacy, deceptive advertising, and data protection. The U.S. Federal Trade Commission U.S. has dramatically stepped up enforcement of deceptive advertising and promotional practices in the digital environment over the past few years and recently signaled interest in litigating enterprises found to be violating the Children’s Online Privacy Protection Act (COPPA).

Data privacy regulations don’t only apply to minors accessing the website. The recent overturning of EU-US Safe Harbor and resulting EU-US Privacy Shield framework calls attention to the need to understand what data is collected, shared and stored via enterprise digital operations.

Don’t forget that these third parties directly affect website performance. Problematic code or behavior—too many page requests, large page download size, general latency, etc.—render a poor experience for the visitor. Potential customers will walk if your website pages take more than two seconds to load, and third parties are usually the culprits.

The problem is that the prevalence of third-party code masks what’s really happening on a public-facing website. This blindness exposes the enterprise to unnecessary risk of regulatory violations, brand damage and loss of revenue.

Seeing through the camouflage

This is a serious issue that many enterprises come to realize a little too late. Third-party vendors provide the interactive and engaging functionality people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, they are also the source of numerous back-end services used to optimize the viewing experience—content delivery network, marketing management platforms, and data analytics.

Clearly, third parties are critical to the digital experience. However, no single individual or department in an organization is responsible for everything that occurs on the site—marketing provides the content and design, IT/web operations makes sure it works, sales/ecommerce drives the traffic, etc. This lack of holistic oversight makes it impossible to hold anyone or any group accountable for when things go wrong that can jeopardize the enterprise.

Case in point: can you clearly answer the following:

  • How many third-party vendors executing on your website?
  • How did they get on the site, i.e., were they called by another vendor?
  • Can you identify all activity performed by each vendor?
  • What department authorized and takes ownership of these vendors and their activity?
  • How do you ensure vendor activity complies with your organization’s policies as well as the growing body of government regulations?
  • What is the impact of individual vendor activity on website performance?
  • What recourse do you have for vendors that fail to meet contractually-agreed service level agreements (SLA)?

Questions like these highlight the fact that successfully managing an enterprise website requires a strong command of the collective and individual technologies, processes and vendors used to render the online presence, while simultaneously keeping the IT infrastructure secure and in compliance with company-generated and government-mandated policies regarding data privacy.

Adopting a Website Governance strategy will help you satisfy these requirements.

Take back control

What happens on your website is your responsibility. Don’t you think you should take control and know what’s going on? It’s time you took a proactive approach to security. The Media Trust can shine a light on your entire website operation and alert you to security incidents, privacy violations and performance issues.

 

Did malvertising kill the video star?

Video Malware Vector

Large-scale video malware attack propagates across thousands of sites

Malware purveyors continue to evolve their craft, creatively using video to launch a large-scale malvertising attack late last week. Video has been an uncommon vector for malware, though its use is on the rise. What’s different is the massive reach of this particular attack and the ability to infect all browsers and devices. Much like The Buggles decried about video changing the consumption of music, this intelligent malware attack used video to orchestrate mayhem affecting 3,000 websites—many on the Alexa 100. Is this the future?

Charting the infection

The Media Trust team detected a surge in the appearance of the ad-based attack late Thursday night and immediately alerted our client base to the anomalous behavior of the malware-serving domain (brtmedia.net). As it unfurled, the team tracked the creative approach to obfuscation. (See image)

First, the domain leveraged the advertising ecosystem to drop a video player-imitating swf file on thousands of websites. The file identified the website domain—to purposefully avoid detection by many large industry players—and then injected malicious javascript into the website’s page. Imitating a bidding script, the “bidder.brtmedia” javascript determined the video tag placement size (i.e., 300×250) and called a legitimate VAST file. As the video played, the browser was injected with a 1×1 tracking iframe which triggered a “fake update” or “Tripbox” popup which deceptively notified the user to update an installed program. (In the example below, the user is instructed to update their Apple Safari browser). Unsuspecting users who clicked on the fake update unwittingly downloaded unwanted malware to their device.

The compromise continued unabated for hours, with The Media Trust alerting clients to attempts to infect their websites. This issue was resolved when brtmedia finally ceased delivery, but only after tainting the digital experience for thousands of consumers.

video-borne malware infection

Process flow for video-borne malware infection

The devil in the artistic details

The use of video as a malware vector is increasing. As demonstrated above, video and other rich media provide avenues for compromising the digital ecosystem, impacting both ads and websites.

The clever design and inclusion of multiple obfuscation attempts allowed this attack to propagate across some of the largest, most heavily-trafficked sites. As The Media Trust clients realized, the best defense against this kind of attack is through continuous monitoring of all ad tags and websites, including mobile and video advertising.

The Skinny on L.E.A.N. Ads

IAB LEAN

Breaking down newly-announced advertising industry principles.

In October 2015, the Interactive Advertising Bureau (IAB) announced L.E.A.N. Ads (LEAN), an initiative to overhaul and update standard advertising principles. In response to the steady rise in ad blocking capabilities, Flash furor, surge in HTML5 creative and a corresponding battery drain on mobile devices, the IAB proposed these principles to guide the development of the next phase of advertising technical standards. These principles aim to address consumer concerns regarding the affect advertisements have on site performance, security and data privacy.

What exactly is LEAN? That’s what The Media Trust clients want to know.

Defining LEAN

In a nutshell, LEAN aims to tighten the guidelines associated with the delivery of advertising content across desktop, mobile and tablet devices. As clients have discovered, The Media Trust’s Media Scanner service already supports the proposed LEAN elements, and more.

L – Light: Limit the ad file size.

This is easier said than done. The actual size of an ad’s creative design can be weighty, and the larger it is the longer it takes to load on a browser. For example, a 10MB design file loading on a 10k page destroys the user experience, especially if viewed on a mobile device.

But, the creative file size is not the only contributor to an ad’s disruption to the user experience. Once the initial creative is inserted into an ad tag, it moves through the advertising ecosystem accumulating additional components not critical to the actual rendering of the ad. For the most part, well-intentioned parties append tags to evaluate and optimize the ad’s overall performance and provide a more positive customer experience so that, in the future, the user is served a relevant ad when and how he wants to see it.

With the more widely adopted use of HTML5, site performance will become a bigger challenge as additional scripts—i.e., more verbose HTML, CSS, JavaScript—run, resulting in a more resource-intensive process. Combined, an ad’s design and its technical tag components significantly affect a page’s ability to load efficiently and meet the user’s expectations.

Managing the total ad file size is critical to the user experience—if it takes too long to load then the entire experience is at risk, negatively impacting both the advertiser and publisher. Hundreds of publishers and advertisers already use features in Media Scanner to set policies to alert on ads that exceed client-determined policies spanning total creative file size, total download size, number of calls/connections and CPU utilization, among others.

E – Encrypted: Ensure ad complies with HTTPS standards.

Site security initiatives took the world by storm earlier this summer when Google ad networks moved to HTTPS and the White House directed federal sites to be HTTPS compliant. As outlined in a previous post, to have a truly encrypted site EACH and EVERY connection made must communicate through HTTPS, including all third-party code, not just advertising. This means other site vendors—content delivery networks, data management platforms, hosting services, analytic tools, product reviews, video platforms, etc.—need to ensure all of their connections are made via HTTPS. Just one break in any call chain will cause the entire site to be unencrypted.

However, encryption is just one element of providing a secure consumer experience. Publishers and ad tech partners need to continuously be on the lookout for compromised ads exposing site visitors to malware. The only way these will be found is through continuously scanning sites and ads for malware, vulnerable ads and all encryption call failures.

A – Ad Choice Supported: Comply with industry data collection standards.

Launched in 2011, AdChoices is an industry self-regulation program outlining how advertisers and publishers collect consumer data used for re-targeting and giving consumers control over the process by allowing them to opt out of data collection activity. While created with good intentions, the program is not well understood by most consumers with the net effect that many who are against data collection do not actually opt out.

Determining an ad’s compliance with AdChoices is relatively straightforward. The tricky part is ensuring compliance with the myriad of state and federal regulations covering healthcare and children. In these instances, compliance isn’t a consumer choice, it is the law.

Data privacy is a serious concern among the general public who want to know the “who,” “what” and “how” of data collection—who is collecting, what is collected and how is it going to be used. Publishers want to know the answers to these basic questions and use Media Scanner to identify, analyze and report on all vendors executing on their digital properties with particular attention paid to the players involved in serving an ad. What publishers frequently discover is that their vendors—and external parties called to help the vendor render a service—perform actions that are not germane to the contracted relationship, such as dropping customer-tracking cookies. Besides giving up valuable customer data, publishers know that these unauthorized actions are contrary to many privacy policies posted on their sites and use Media Scanner to track this violating behavior.

N – Non-invasive: Don’t irritate the site visitor

This vague statement can be broken down into two categories that affect the consumer experience: technical performance and visual quality of an ad. Technical aspects of an ad, such as download size and CPU utilization, are represented in the “L” of LEAN described earlier. Visual ad quality refers to how an ad looks and behaves to the user. There’s nothing quite as startling as visiting a page to be greeted with ads automatically blaring audio or playing a video. And almost everyone is annoyed at ads that shake, blink, expand and push content around, or take over the page.

Reputable publishers have policies regarding the presence of these irritating ads on their sites. They use Media Scanner to enforce the policies by alerting on any ad in violation. In addition, publisher clients set policies regarding appropriate content of ads for their audience. While many clients ban adult, alcohol and gambling, some categorize ads by company, industry and brand to ensure the ads don’t conflict with the content. For example, an airline would not want their ads appearing on pages featuring a plane crash; nor would an automotive company appreciate their ads appearing on pages chronicling a safety recall for their vehicle brand.

Why Now?

The mounting backlash from consumers regarding slow site performance, malware exposure and data collection activities generated from digital advertisements must be addressed. Publishers that truly understand the value of a positive customer experience already closely protect it and avoid serving resource-draining, unsecure and intrusive ads. They use The Media Trust to preview ads (and third-party code) before being served and to continuously monitor and detect any policy-breaking activity.

In the end, the best way to protect the consumer experience is for advertisers and publishers to work together, adopt LEAN and enforce compliance with the proposed technical standards.

Content Management Systems: Friend or Foe?

The downside of open source affordability and flexibility

CMS Friend or Foe

More than 7,000 ecommerce sites were shut down this past weekend due to malware infiltrating the open source or community version of Magento, a popular content management system. Unfortunately, this type of revenue-impacting event has become all too common with similar attacks affecting WordPress, Joomla and Drupal within the past 12 months. As thousands of online merchants have just learned, taking advantage of the affordability and flexibility offered by an open-source website vendor requires investment in continuous site security.

Start-up savior

Millions of small and medium-sized merchants rely on open source content management systems (CMS) to support their initial foray into online commerce. These platforms provide a “plug-n-play” infrastructure that pulls together basic design schema, content delivery features and shopping cart capabilities—critical cost-saving tools for a start-up operation. Platform providers make these tools available in the hopes that as the retailer grows it will seek more features and eventually upgrade to a more robust, enterprise version. But, these supposedly “free” tools come with a price.

When free isn’t free

Open source is a great resource; however, it is not supported by the vendor. Open source platforms rely on a passionate community of users to build plug-ins and extensions which extend the capability of the free tool. A major shortfall is that open source lacks the protection users expect—there’s no accountability for the developer community should something go horribly wrong. In fact, the very nature of open source suggests that the “source” is “open” to all who wish to contribute.

Bad actors easily infiltrate these communities and cause considerable harm. From compromising an existing extension to creating a flawed one, bad actors can quickly penetrate thousands of ecommerce operations and execute a host of crimes—mine for credit card data, trigger malware downloads onto shopper browsers, deface the site with inflammatory language or completely disable site operations, to name a few. Whatever the action, the merchant suffers serious damaging consequences from which it may not ever recover.

To protect an ecommerce operation, online merchants need to invest in security measures to ensure the open source environment is safe from compromise. This means a thorough review of all code and vendors used to render the site on consumer browsers—both front-end services, like image library and product recommendation, and back-end services, like CMS and content delivery networks. In effect, open source is not really free, as the money saved from licensing needs to be poured back into IT to secure the site.

Preparing for the worst

Considering that an open source platform can bring an ecommerce site to its knees, online merchants must keep abreast of industry news and take immediate action to locate and fix compromised code. In addition, merchants should also adopt basic security best practices such as:

  1. Regular participation in the open source community to know when issues are detected and how to resolve
  2. Careful screening of plug-ins and extensions before using in your environment
  3. Limited use of un-vetted extensions
  4. Continuously monitoring of the third-party vendors executing on the site

The best way to secure revenue continuity is to constantly monitor the site for anomalies and unexpected vendor behavior. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.

For those not planning to upgrade to a licensed, vendor-supported platform, an effective security program will be your best friend. The Media Trust can make the introduction.

 

Ad Ops can rest a bit easier with malware resolution strategies

Sharing of malware incident information proving a success

Ad Ops can rest easy

The continuous threat of malware in the advertising ecosystem keeps many advertising operations professionals awake at night. The speed at which ads are bought and served and the number of players involved comes at a steep price—vulnerability to malware. For years, The Media Trust has tackled this vulnerability head on by detecting malware in our clients’ digital ecosystems and providing the critical details that allow the malware to be located and shut down. Impacted clients then communicated these details with the specific partner serving the infected ad. This daisy-chain process involves a series of communications with upstream partners, a process that can take up to 72 hours while the malicious ad continues to circulate.

To minimize the daisy-chain effect, The Media Trust introduced Media Scanner’s Resolution Services, an information sharing service that provides for simultaneous communication of malware alert details among partners. Announced in April, Media Scanner’s Resolution Services has proven to be a resounding success with 20 digital publishers and more than 20 ad tech partners enrolled in just under six months.

Reaping what you sow

Media Scanner’s Resolution Services is a SaaS-based service that provides real-time information sharing with upstream and downstream business partners about malicious ads detected in a client’s advertising operation. As part of the Media Scanner product family, this solution is available as a complimentary add-on to existing clients with significant ad tag volume.

Designed for publishers, ad networks, ad exchanges, demand platforms and paid-content engines, the service’s continuous, real-time information sharing compresses cycle times for malware detection, notification and remediation from several days to mere seconds, drastically reducing infected tags’ ability to harm site visitors and the site’s brand reputation. By compressing this cycle time, companies can speed incident remediation, protect revenue by ensuring ad tags stay active and strengthen business relationships.

Real-time, actionable malvertising intelligence delivers a host of benefits to the entire digital ecosystem.

  • Revenue continuity: By sharing malware incident data with the upstream party serving the malware, bad ads are removed more quickly thereby allowing ad tags to remain active and generating revenue.
  • Improved incident response: By allowing Media Scanner to send an alert to clients and their mutually-impacted business partners, everyone realizes a shorter cycle time to resolve the issue across the entire advertising value chain.
  • Streamlined incident handling: Once an anomalous ad tag is detected and confirmed, The Media Trust automatically notifies all impacted partners throughout the advertising ecosystem, which ensures the ad can be removed and then permanently blocked.
  • Enhanced security posture: 24/7 access to information on malicious ad tags improves not only the health of a publisher’s advertising operation, but also strengthens their organization’s security posture, bridging the gap across ad ops, sales, marketing, site operations and security teams.
  • Strengthened relationships among partners: Real-time communication and cooperation generates a positive network externality that improves the overall health of the entire online and mobile advertising ecosystems and severely limits malware’s success rate.

In the past few months, this solution simultaneously communicated hundreds of malware incidents to impacted publishers and their authorized ad tech partners, greatly accelerating the termination of malware, removing hours—sometimes days—from the cycle. This increased speed of malware incident resolution exponentially improves the level of protection across the greater online and mobile advertising ecosystem. But more can be done.

An eye to the future

Ad tech providers want to get into the game and initiate this program with their buying partners, attesting to the true value of Media Scanner’s Resolution Services. The Media Trust is now working with ad tech clients to share incidents with authorized agency media buyers and trading desks—a critical step to tackling malware as it enters the advertising environment. Malvertising will never be eradicated, but, limiting its ability to rapidly propagate throughout the digital ecosystem helps everyone rest a bit easier.

Ecommerce–What’s happening on your site?

Wayward third-party vendors impact site performance, collect first-party data and expose site visitors to malware

Online shopping is now a primary revenue source for many retailers, and its growth trajectory is forecast to continue its double-digit growth rate. With their high-volume traffic and access to consumers’ credit cards, these sites also serve as revenue sources for hackers and fraudsters, who find retailers’ reliance on third-party vendors especially appealing. They gain access to sites by compromising legitimate third-party vendors.

Pinpointing the third-party vendors

Everyday ecommerce sites are rife with third-party vendors, many of them not clearly visible to site owners. These services provide the interactive and engaging experience consumers have come to expect and also enable the site to be monetized. Unbeknownst to many retailers, the third-party vendors they use to render these critical services—product reviews, content recommendation engines, payment systems, automated marketing services, analytics, content delivery networks, social media tools and more—can unintentionally function as a conduit for a host of unsavory activities including malware drops, first-party data collection, and latency-causing actions.

The challenge is to quickly identify the point of compromise, yet most ecommerce site operators don’t have a clear grasp of the vendors actively executing on their digital properties. The following infographic of a typical ecommerce site provides clues to where vendors can be found.

Ecommerce–What's happening on your site?

[Get your pdf copy at www.TheMedia.Trust]

Check yourself before you wreck yourself

How do you control these vendors and what they do on your site? The ability to effectively manage an ecommerce site requires intricate command of the technology, processes and vendors needed to render pages that not only meet revenue goals, but do so without compromising the user experience. This means the site must be free of malware, performance-sapping vendors and privacy-violating data collection activity.  To protect against third-party code’s inherent risks, ecommerce teams must work with their IT, information security, and legal teams to constantly monitor—in real time—the code executing on their sites. Otherwise, a host of activities can be underway without your knowledge which can negatively impact the user experience, your brand and your revenue stream.

Malvertising: The story behind the story

Security firms make mountains out of molehills

Malware alert! Malware alert! It seems every time you turn around there’s a news story or report exposing the presence of malware in the online and mobile advertising ecosystem. The vector, exploit kit or function may change, but the story is the same—some industry expert uncovers new ad-based malware or malvertising and the media sounds the alarm. Preying on cyber-related anxieties, these stories typically present an exaggerated synopsis of the situation and focus on a single instance, spotlight one industry provider, and don’t offer actionable information for the reader. As a result, these provocative articles often make mountains out of molehills and end up missing the real story: Why does the industry expert believe this particular malware incident is news?

 

Malware Alert

Keeping it real

Malware serves as an umbrella term for any intrusive software program with malicious or hostile intent, and covers a variety of forms including viruses, Trojans, and worms. Diagnosing malware provides critical insight into identifying current system vulnerabilities and mitigating future compromises and the classic approach used by traditional security researchers requires the collection of malware samples and days of analysis by experts.

Ad-related malware behaves differently from other forms of malware and requires a distinct approach. Anyone that truly understands the advertising ecosystem recognizes that ad-based malware delivers through a publisher website for a very brief time period, typically for an hour or less, before it terminates and moves on in a mutated form to infect hundreds of other sites. In addition, the infected ad must first render on a browser before it deploys—automatically or through site visitor action—and there’s no guarantee that it will impact every browser or deploy every time rendered.

For these reasons, it’s misleading to report on one malvertising incident captured on one site. In addition, it’s irresponsible to call out a publisher for something that cannot be replicated, and these reports cause unnecessary panic among advertisers, ad networks, exchanges and publishers who spend countless resources addressing a malware event that no longer exists.

Diagnosing the motivation

Publishing incident-specific ad-based malware reports provides very little useful information and does very little to eliminate malvertising from the advertising ecosystem. Yet, this reporting persists for two primary reasons—extortion or publicity.

Known as “White Hat Ransomware”, disreputable security analysts mine websites for malvertising incidents and present the findings to the site/publisher hosting the bad ad. They offer to sell the vector information so the publisher can shut down the infection, with the understanding that the malware incident could be publicly released should the publisher choose to not pay. Usually perpetrated by obscure individuals or groups, this type of extortion proves very lucrative as many publishers purchase the information in order to avoid the time-consuming fallout of negative publicity.

The more reputable network, endpoint and intelligence security firms try to extend their traditional malware analysis skill set to malvertising and digital content. However, it doesn’t work. Effective analyses requires continuous, real-time monitoring of the advertising environment from the browser or consumer point of view which requires scanning active ad placements using simulated users set up with the exact geographic and behavioral profiles that the ad is targeting—something that can’t be accurately replicated after the fact. In addition, the ever-shifting nature of malvertising means that capturing a screen shot of an incident found on a single site is misguided—if it exists on one site, it exists on hundreds or thousands of other publisher sites and ad networks—and the post-incident analysis offers no valuable benefit to the consumers already exposed. By publishing malvertising-related reports about something that happened days, weeks or months ago, these firms unleash chaos in the ad tech industry as the publisher and its partners attempt to locate a vector that no longer exists.

Protecting the advertising ecosystem

Malware in the ad tech industry is not news. Admittedly, the ad tech industry plays a central role in the propagation of malware in the online and mobile advertising ecosystem, however, this fact is not ignored by responsible industry players who fiercely combat it every day. From establishing working groups to creating “good ad” certifications to performing extensive due diligence on buyer clients, the industry works hard to tackle the presence of malware. In fact, many of largest, most-visited websites actively scan their advertisements to identify and remove anomalous vectors before they morph and become overt malware drops. Unfortunately, a few ad-based malware vectors get through, but that number is minuscule in comparison to the billions of ads successfully rendered every day.

In effect, malvertising isn’t a new trend. In fact, it emerged shortly after the birth of banner ads 20+ years ago. What’s new is that traditional security companies are finally realizing that digital properties—websites and mobile apps—can be compromised. If you want to know how malvertising really works, ask The Media Trust. We’ve been detecting malware in the online and mobile environment for close to a decade, not the past few months.

Encryption – Your website isn’t as secure as you think

HTTPS code does not mean a site is encrypted

Encryption is complicated

Today is D-Day for ecommerce and IT professionals, basically anyone with a revenue-generating digital property. June 30 marks the day that Google’s ad networks move to HTTPS and follows previous statements indicating HTTPS compliance as a critical factor in search engine rankings.

From Google’s announcement to the White House directive mandating HTTPS-compliant federal websites by December 2016, encryption has become the topic du jour. And, rumors abound that browsers are getting into the encryption game by flashing alerts when a site loses encryption. Why all the fanfare?

Encryption adds elements of authenticity to website content, privacy for visitor search and browsing history, and security for commercial transactions. HTTPS guarantees the integrity of the connection between two systems—webserver and browser—by eliminating the inconsistent decision-making between the server and browser regarding which content is sensitive. It does not ensure a hacker-proof website and does not guarantee data security.

Over the past year, businesses worked to convert their website code to HTTPS. With Google’s recent announcement, ad-supported sites can sit back and relax knowing their sites are secure, right? Wrong.

To have a truly encrypted site you must ensure ALL connections to your website communicate through HTTPS, including all third-party code executing on your site, not just advertising. This means sites using providers such as content delivery networks, data management platforms, hosting services, analytic tools, product reviews, and video platforms, need to ensure connections—and any connections to fourth or fifth parties—are made via HTTPS. Just one break in any call chain will unencrypt your site. Considering 57% of ecommerce customers would stop a purchase session when alerted to an insecure page, the ongoing push to encrypted sites should not be ignored.

What’s a website operator to do? By its very nature, third-party code resides outside your infrastructure and is not detected during traditional web code scanning, vulnerability assessment, or penetration testing. To ensure your site—and all the vendors serving it—maintains encryption you must scan it from the user’s point of view to see how the third parties behave. Only then can you detect if encryption has been lost along the call chain.