HTML5: A Safe Haven for Malware?

Authored by Patrick Ciavolella, Head, Malware Desk and Analytics, The Media Trust

Mobile Redirects Targeting iOS Devices.

In the digital marketing and media world, the user experience is king. HTML5 has played a key role in enabling developers to deliver a richer yet smoother user experience and, as everyone presumed, without the security risks frequently associated with plugins like Flash. In fact, over the past five years, developers, along with publishers and browser providers, have staged a mass exodus from Flash technology into HTML5, which seemed to promise greater security and more advanced web app features. In 2015, when the Interactive Advertising Bureau updated its digital advertising guide with best practices for using HTML5, they cited security as the chief reason behind publishers’ adoption of HTML5.

Over the past two months, The Media Trust malware team has discovered numerous malware incidents which call into question HTML5’s mantle of security.  The malware, which has produced at least 21 separate incidents affecting dozens of globally recognized digital media publishers and at least 15 ad networks, uses JavaScript commands in order to hide within HTML5 creative and avoid detection. The scale of the infection marks a turning point for HTML5’s presumed security and demonstrates the advances malware developers have made in exploiting the open standards’ basic functionality to launch their attack.

HTML5’s Cloak and Dagger

HTML5 renders multimedia content—images, videos, audio—and runs on any computer and mobile device.  The very same attributes that enable it to render popular formats without external plugins also can be used to break apart malware into chunks, making it hard to detect, and reassemble those pieces when certain conditions are met. The malware incidents recently identified by The Media Trust carried out their attacks by infecting HTML5 ads.

The screenshot below illustrates the malware’s behavior through the call chain. When a user views the media publication’s webpage, the JavaScript checks the device for key criteria, namely (1) whether the device is iOS and (2) whether the user is connected via their carrier. When the device meets these criteria, the JavaScript inserts the malicious code into the website (see line 20). The malware is reassembled and issues a separate call which automatically redirects to a new domain that serves a pop-up soliciting input of personal information. Meanwhile, the JavaScript puts together the ad’s various components (see lines 48 through 56).

Figure 1: Call Chain of 2018 HTML Malware Phishing Via an Ad

HTML5 malware are by no means new. In 2015, just as the retreat from Flash began in earnest, researchers discovered several techniques to convert HTML5 into a safe haven for malware. Their techniques used APIs, which in turn employed the same obfuscation-deobfuscation JavaScript commands in delivering drive-by malware. In 2016, tech support scammers used an HTML5 bug to freeze computers and obtain unsuspecting users’ phone numbers. One year later, The Media Trust identified a small number of HTML5 malware delivered pell-mell through a few online publishers. This year’s incidents are different because they require no interaction with the victim and are targeting devices known to make detecting malware even more challenging.

It is important to note that throughout the years, no version of the HTML5 malware has been stopped by antivirus solutions.

HTML5 Malware in the GDPR Era

In this instance, the HTML5 malware was designed to entice victims to enter their information in response to a pop-up ad and is quickly coursing through the digital marketing and media world, waiting for individuals with the right devices to trigger the collection of personally identifiable information. Thwarting this malware will be more urgent than ever as the European General Data Protection Regulation (GDPR) is applied to organizations around the world—regardless of where they are located–that collect personal information on EU citizens. The GDPR, which is poised to penalize infringing organizations as much as four percent of their annual revenues, is merely a precursor to what appears to be a growing trend around the world towards greater online privacy.  Public weariness with hacking and with platform providers sharing user data with their partners has spiked distrust even in brands whose reliability and transparency were previously believed to be unassailable.

What steps should organizations take? First, they should continuously scan in real-time their digital assets for vendors and code. Second, organizations should share and clearly written policies and enforce privacy clauses with their vendors as part of creating a compliance culture within their digital ecosystem. GDPR can impose penalties on an organization and their data processing partner even if the partner is entirely at fault.  Third, they need to lay out an expeditious process that details how they will respond to a breach or to any unauthorized vendor activity. That process should include the immediate termination of any vendor that continues to break policy or clauses after being put on notice. Finally, companies should have quick access to information in case they are required to respond to a regulatory review.

What are the Experts saying about PyRoMine?

Article appeared in Brilliance Security Magazine, April 25, 2018.

Read article

Recently, a new python-based cryptocurrency mining malware that uses the ETERNALROMANCE exploit was uncovered and dubbed “PyRoMine.” This malware is particularly malicious and those Windows machines that have not installed the patch from Microsoft remain vulnerable to this attack and similar attacks.

Alex Calic, Chief Strategy and Revenue Officer of The Media Trust explains, “Cryptomining is a profitable business, and its perpetrators are accelerating in numbers and innovation thanks to a growing number of weaponized exploits in their arsenals. What makes this incident unique and alarming are (1) the exploit’s ability to spread fast around the world, (2) the malware’s ability to disable a machine’s security features for future attacks, and (3) the malware authors’ intent to test a campaign before a multi-phased, full-scale launch. Such a campaign will pave the way for harvesting CPU power and personal data from millions of Windows users. Now is the time for enterprise IT to fortify their defenses by identifying who is executing on their sites and flagging suspect executables that indicate unauthorized activity may be afoot. Otherwise, enterprises may find themselves running afoul of GDPR, a European privacy protection regulation that goes into force on May 25th and is poised to fine infringing parties up to four percent of their annual global revenue.”

Continue Reading

Cryptomining: the new lottery for cybercriminals

This article by Chris Olson, CEO at The Media Trust, was originally published on CSO, March 14, 2018

Read

Cryptomining has surpassed even ransomware as the revenue generator of choice according to a Cisco Talos report, which claims crypto-mining botnets can earn hackers up to $500 dollars a day and a dedicated effort could equate to more than $100,000 dollars a year. Representing the perfect balance of stealth and wealth for cybercriminals and some unscrupulous, but legitimate online businesses, cryptomining is quickly becoming a major concern for enterprise IT who frequently don’t know their digital assets have been compromised.

With stringent privacy laws coming online in 2018, it is imperative that organizations know all partners that execute code on the website. This information is critical for not only identifying the rogue source but also communicating expectations and enforcing compliance—key mitigating factors when it comes to regulatory penalties.

Continue Reading

Parked Domains, pantry moths, and you

Authored by Patrick Ciavolella, Head, Malware Desk and Analytics, The Media Trust

Enterprise digital ecosystems are ripe for compromise via long-forgotten domains.

In a span of just 30 days, Equifax morphed from a reputable credit bureau to the latest victim of cybercrime. Sadly, Equifax is just one in a slew of recent website compromises. In fact, the past 12 months bore witness to the malicious use of consumer-facing websites belonging to embassies, national banks, popular brands, premium digital publications, and government organizations. Comparing these incidents with The Media Trust’s historic malware attack data reveals an uncanny commonality – parked domains.

Parked domains are pests

Yes, parked domains are a security problem. Let’s take the real-world example of pantry moths as an analogy. Imagine hoarding supplies in your kitchen pantry due to forecasts like historical storms, end of the world, etc. Alas, the event turns out to be not so epic and life moves on unaffected. Except now, you have a cartload of forgotten excess supplies sitting in your pantry, attracting pantry moths, their larvae (gross), and other pests. Translate this to the digital world: companies buy domains for various purposes such as marketing campaigns, testing advertising code, domain squatting prevention, or holding for future use. Unfortunately, life happens; companies do not renew domain ownership, forget to manage them, campaigns end, or the company may go out of business. This leaves these domains ripe for compromise, as it’s the perfect opportunity for a bad actor to either buy a legitimate-looking link or stealthily infect it to load malicious code.

“We detect parked domains in more than 10% of web-based incidents and have recorded a steady increase in parked domains in the consumer internet,” stated Patrick Ciavolella, Head Malware Desk and Analytics, The Media Trust. “Saying parked domains are a cause for concern, is an understatement. Malicious parked domains in a large corporation’s digital ecosystem can not only damage an enterprise’s reputation but can inflict widespread harm on consumers.”

By putting Equifax’s second website compromise under the scanner, we can better understand how parked domains are exploited by bad actors. 

Equifax Case File

The user experience: When users visited certain credit reporting service page(s) on Equifax’s website, they were automatically redirected to a malicious domain or page. This landing page falsely alerted users to an outdated program (Adobe Flash) and prompted a download of an update, which when clicked, would eventually deliver a malicious exploit kit to user devices. Sounds like a typical and simple website-level malware attack, but what happened behind the screens points to an interesting revelation about parked domains.

Behind the screens: After entering the credit report discounts assistance page, there were at least five rapid auto-redirects (no user interaction required) that delivered users to the malicious domain (Centerbluray.info), which hosted the Fake Flash Update alert. This fake online asset appeared legitimate and even used Adobe’s logo to trick users. Once the user clicked on this fake prompt, malicious toolbars or exploit kits were delivered to the devices.

Culprit: Centerbluray.info was the domain hosting malicious code, but the multiple redirect links that navigated to this malicious page were all parked domains. “Our Malware Desk blacklisted Centerbluray.info well before the Equifax incident and detected it in at least six different web-based malware incidents. In every case, parked domains were used to navigate to the final malicious domain,” added Patrick.

Parked Domains FAQs:

1. Wait, so a parked domain via a third-party vendor running code on my website can affect my website?
   Yes. Today’s websites and mobile apps are inundated with unmonitored third-party vendors that contribute code (content management systems, video hosting, data management platforms, marketing analytics, social media widgets, and more) to the rendering of digital content. Often, these third-parties will bring fourth and fifth party code into the mix, increasing the probability of a parked domain’s presence in your enterprise digital ecosystem.
2. Can my own parked domain be compromised?
   Yes. The Karmic forces of the internet are strong. Without caution and care, your own parked domains are vulnerable to compromise. Let’s not forget that parked domains are still affiliated with your digital assets. Now would be a good time to ask your teams—marketing, sales, product, operations—about all the domains your company has ever purchased.
3. Can my current website security solution detect these parked domains?
   Sigh, if only! For the most part, website appsec only monitors owned and operated code, which is an increasingly small part of today’s website and mobile app code. Also, most website security solutions do not comprehensively monitor outside the firewall, which is exactly where your users are! Without real-time monitoring of executing code, you would not know if your website has been compromised unless users complain or, even worse, you read about it in the paper.
4. So what can I do?
   Based on the incidents detected in the broader digital ecosystem and managed by The Media Trust, here’s what Patrick recommends:
   “When it comes to your own domains, renew them or cancel the ones that are not in use; please cancel through the appropriate channels. Once canceled, the domain code needs to be completely removed from your website and mobile app codebase. Where it makes sense, sign up for an auto-renewing domain. Remember, when it comes to third-party parked domains, the only way to detect and manage them is through continuous, real-time monitoring of code rendering on user devices.
5. Ok, since you brought up pantry moths – how does one get rid of those annoying pests?
   Ah! Clean out your pantry. Get rid of the old dry supplies as they are probably infested by moths and larvae (gross). When you eventually do buy fresh supplies, freeze it first before transferring to storage containers and use the supplies as quickly as you can.

 

5 Reasons to Focus on Malware Delivery Mechanisms

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Originally published by Security Magazine. 

Defending against today’s pervasive web-based malware is not as straightforward and simple as it used to be. According to Symantec’s Monthly Threat report, the number of web attacks almost doubled in April of this year alone, up from 584,000 per day to 1,038,000 per day. Bad actors – seasoned cyber criminals, hacktivists, insiders, script kiddies and more – target premium, frequently whitelisted websites with varied motives such as financial, espionage and sabotage, to name a few. These web-based attacks are more targeted, complex and hard to detect, and when an employee visits an infected website, the damage to an enterprise network can be debilitating. Traditional security defenses like blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls fail to offer comprehensive protection. An alternative security approach is necessary, especially when working with malware data.

Managing malware data needs a paradigm shift

Currently, Information Security Professionals (InfoSec) and IT teams are trained to focus on the context of the web-based malware: What the payload might be; Is it replicating or morphing; Where’s the payload analysis; Who is targeting the website and why; along with a host of other variables. These are definitely valid questions, but should only be asked after action is taken to block it – not in order to take action.

Using existing analysis tactics to assess the ever-increasing volume of malware information is a Sisyphean task in the digital environment. The time it takes to agree that something is malicious is in direct proportion to your network’s exposure to web-based malware.

It’s time for InfoSec and IT teams to take a new, proactive approach to shielding customers and Internet real estate from web-based malware. It starts with adopting this simpler definition of malware: “Any code, program or application that behaves abnormally or that has an unwarranted presence on a device, network or digital asset.”

In essence, any code or behavior not germane to the intended execution of a web-based asset is considered malware. While this definition covers the obvious overt offenders it also includes seemingly non-malicious items including toolbars, redirects, bot drops, etc. Adopting a simple, yet broad definition enables you to focus on shielding your enterprise network from a wide range of active and potential malware attacks.

Understanding the digital environment is critical to breaking the analysis paralysis cycle and replacing it with a “block and tackle” approach. To do so, IT professionals need to focus on what matters: identifying the delivery mechanism in order to stop malware from penetrating the enterprise network. Here are five reasons why you should focus on the delivery mechanism:

Reason 1: Temporal malware is still dangerous

Web-based malware or malware delivered via the consumer internet (websites a typical person visits in the course of their daily activities, such as news, weather, travel, social and ecommerce sites) is fleeting and temporal. Research from The Media Trust reveals that in many scenarios web-based malware is active for as short as a few hours, giving little time for a deep dive analysis before blocking offending domains. If you spend time on analysis, you are a target for compromise because if the malware doesn’t infect your organization at the outset, it will most likely morph into another malicious domain or code to retarget the website with something more debilitating such as ransomware or keystroke logging.

Reason 2: Non-overt malware will turn on you eventually

Malware does not necessarily need to be complex or overtly malicious right from the start or upon initial detection. Annoying or seemingly innocuous behavior such as out-of-browser redirects, excessive cookie use, non-human clicks/actions or toolbar drops qualify as malware. While these behaviors may initially appear benign, they will frequently reveal their true intention upon a closer look at both Indicators of Threat (IOC) and Patterns of Attack (POA).

It happens quite often and reports suggest that every year researchers track 500+ malware evasion tactics used to bypass detection. For instance, a recent attack on several small and medium-tier ecommerce websites demonstrates malicious domains executing over varying time intervals and, in at least one instance, move from website to website across various geographies in order to avoid detection. In other instances, malware is specifically coded to look benign and only execute when certain conditions are met, e.g., geography, device, user profile or combinations of conditions. Taking weeks or months, this delayed execution is an effective technique to evade detection by most scanners. An auto-refresh ad on the browser or an alert to update software could be a red flag.

Reason 3: What’s in a name? 

While names are understandably necessary to tag malware, there is a tendency to initially fixate on labels rather than block the malware itself. For professionals in the frontlines of trying to stop web-based malware from infecting the enterprise network, focusing on the name can increase the dwell time and do more harm than good. Instead compromised domains will give teams better insight and allow them to block the malware from penetrating networks.

Reason 4: Past malware doesn’t predict future attacks

Just because malware is validated with a name or belongs to a recognized family; it does not always mean that information to defend against future attacks is necessarily reliable. The polymorphic nature of web-based malware allows it to propagate via different domains in various shapes and forms – embed malicious code on a web page through a particular CMS platform, execute an out-of-browser redirect, or present a fake system update alert. Not only is the delivery channel constantly changing, but also the actual intent and payload may change as well. Relying on past research is not a foolproof defense when it comes to ever-changing malware propagating in the digital ecosystem, which is a complex, mostly opaque environment.

Reason 5: Death by analysis

Extensive analysis of web-based malware before blocking it could have severe repercussions – either by way of a corrupted endpoint or a larger network breach. Once web-based malware reach endpoints, it is already past the security perimeter which means remediation efforts are necessary. According to reports, the average cost for an enterprise to clean up a web-based attack is estimated to be $96,000 and more.  Think of how many resources – people, time, money – could be saved if malware was immediately blocked upon detection.

By focusing on the delivery mechanism, security professionals can take a proactive stance to harden website defenses against web-based malware and also significantly reduce the time to action when it comes to securing endpoints and the enterprise networks. Real-time response is required or it provides the perfect window of opportunity for an attack to be successful.

Getting serious about malvertising with TAG

Authored by Alex Calic, Chief Revenue Officer, The Media Trust

3 steps to anti-malware certification

Malware is a serious problem in the digital advertising ecosystem. Not only is it a contributing factor to ad blocking adoption, but also a significant driver of ad fraud. The World Federation of Advertisers estimates that the total cost of ad fraud could exceed $50B by 2025. Clearly, something must be done.

Various groups have attempted to address this malware problem with little success, but one group is taking decisive action. The Trustworthy and Accountability Group (TAG)—supported by the IAB—recently launched a malware certification program. As an inaugural certification recipient, The Media Trust is fully behind this initiative—just ask for program details.

The certification program is open to any entity that touches creative as it moves through the digital advertising ecosystem, from buyer to intermediary to seller. Even malware scanners like The Media Trust have the option to participate and commit to industry efforts for creating a healthier advertising supply chain.

Benefits: Reap what you sow

TAG’s “Certified Against Malware” seal is awarded to enterprises that can demonstrate adherence to rigorous anti-malware standards, especially those delineated in TAG’s Best Practices for Scanning Creative for Malware.

The program yields a host of benefits for publishers and their upstream partners. Specifically, participating companies can:

• Improve their enterprise security posture: Adoption of continuous, 24/7, client-side scanning of digital advertising campaigns detects malware before it propagates to consumer devices.
• Speed incident response: By allowing The Media Trust to send simultaneous alerts to you and your business partners, you reduce the time needed to resolve the issue across your entire advertising value chain.
• Satisfy upstream partner requirements: Demonstrate compliance with advertiser and/or buyer directed policies for security.
• Protect your brand value: Receive a “Certified Against Malware” seal from TAG to signal your enterprise’s efforts to identify and remediate malware in the digital ecosystem, a key element in many value propositions
• Prove digital asset governance: Discovery and validation of all parties executing in your digital ecosystem supports enterprise-wide governance and risk frameworks.

Requirements: Steps to anti-malware certification

Anti-malware certification program participants promise to adhere to malware scanning best practices, make best efforts to identify and terminate malicious activity, and submit to a TAG-directed audit.

You, too, can join industry efforts by following these steps:

1. Complete TAG registration: If not already a TAG-registered company, fill out the registration form, signal interest in malware certification (fees may apply), and designate both a TAG Compliance Officer and a primary malware point of contact. Indicate anticipated anti-malware certification path:

• Self certify: Enterprise submits forms and documentation directly to TAG
• Independent validation: Accredited audit firm or digital media auditor submits forms and documentation to TAG on the enterprise’s behalf

2. Evaluate digital advertising ecosystem: To determine a reasonable scanning cadence, companies need to understand existing inventory flowing through the environment and the involvement of all upstream partners. Review existing inventory and assess typical volume by in-house, direct and programmatic; and, also consider the volume percentage by display, mobile, video, header bidding, etc.

Upstream partners should be identified and points of contact for security violations documented. Appraise each partner according to their history of addressing malware incidents, industry reputation and general relationship experience. Especially if a direct contract is not involved, discuss respective malware scanning responsibilities.

3. Scan inventory: Implement malware scanning according to TAG’s Best Practices for Scanning Malware and document the entire processes. As a Certified Against Malware scanner, The Media Trust provides documentation on the scanning protocol for your environment including resolution procedure for malware incidents (Red Flag event).

NOTE: Watch this quick overview of TAG’s recommended scanning cadence.

Terminate malware: What are you waiting for?

The future of the digital ecosystem rests on everyone’s shoulder—advertiser, agency, ad tech and publisher. Let’s make it a better place. Verify your inventory is malware-free. The Media Trust can show you how—Just ask.

Malware is Malware… except when it isn’t

So block anomalous activity first and ask questions later (please).

As IT professionals (and logical human beings) we have been taught to analyze a situation first and then act based on knowledge gained from the analysis. Acting without an understanding of the full picture is considered impulsive and oftentimes, even foolish.

This is not always the best strategy in today’s fast-paced environment of ever-evolving and growing security threats. When working with malware, security professionals need to unlearn the “think twice” philosophy – they need to act first on qualified intelligence and then, if needed, analyze the data in more detail. This is especially true in the temporal world of the internet where web-based malware needs to be treated like harmful parasites that must be terminated immediately upon detection to stop propagation. Frequently, web-based threats initially present as benign code or operations; however, they easily morph into overt threats without your knowledge.

Going against the grain is a good thing

Today, Google reports more than 495,000 monthly searches for the term malware, producing around 76.4 million results. This should come as no surprise considering that there are nearly 1 million new malware threats detected every day.  

This high level of interest in the topic of malware combined with the aggressive growth of the security software market (valued at $75 billion in 2015) indicate that enterprises struggle to analyze and come to terms with the increasingly complex digital threat landscape. As studies consistently report on this lack of understanding about cybercrime and threats, it is high time that enterprises do something about it.

(Re)Defining Malware

First, let’s get back to basics and clarify the definition of malware:

“Any code, program or application that displays abnormal behavior or that has an unwarranted presence on a device, network or digital asset.”

This means any code or behavior not germane to the intended execution of a web-based asset is considered malware. Malware does not need to be complex, overt or malicious right from the time it is detected.

This definition means annoying or seemingly innocuous behavior, such as out-of-browser redirect, excessive cookie use, non-human clicks/actions or toolbar drops qualify. Most of these behaviors may seem benign now, but a close look at both Indicators of Threat (IOC) and Patterns of Attack (POA) typically suggest another story altogether.    

Don’t question the malware, question yourself  

IT professionals who’ve spent thousands of dollars and hours of learning to develop a knowledge base find it difficult to simply act without questioning and possibly over-analyzing ready to utilize data sources.

Working with qualified intelligence sources will make it much easier to change the “endless analysis” paradigm. If you must ask questions, question yourself and not the malware (at least not before blocking it first).

IT professionals need to reflect on the rapidly evolving web-based threat landscape. On a frequent basis, ask yourself:  

1. Where are the vulnerabilities in my enterprise network?
2. Are the tools used to secure my organization effective enough to handle increasingly sophisticated web-based attacks?
3. What kind of threat intel resources are available? What is our experience with each source?
4. What does my incident response look like? Is it swift and cost-effective?
5. Where and how can I increase my operational efficiencies around my threat intelligence strategy?

Block first, ask questions later

The idea is simple, shield yourself against web-based breaches by being more proactive about the enterprise security posture. If and when breaches do occur, you should have at least limited the level of damage caused by loss of data, reputation and business continuity.

Before you spend all your time, money and effort on a full payload analysis of every malware alert, oftentimes, trying to verify the impossible, remember to block it first. What’s the worst that can happen? You block something that an employee needs? Trust me, they’ll let you know.

 

Ransomware and the small/medium-sized enterprise

When the “cost of doing business” is no longer an option.

“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.

The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.

It’s not just you, Mr. SME

Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.

Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SME don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.

Clearly, it’s a big problem that needs a big solution, right?

Backups, backups, backups

From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.

“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.

Beyond backups – seal the entryway

Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.

“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”

First, anti-virus (AV) and blacklisting isn’t enough as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.

Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.

“Well, dammit, what should we do?”, you ask.

All is not lost – A new year has dawned

Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick-off the process, I recommend the following initial steps:

1. Identify all data sources (employee, vendors, customer). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
2. Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
3. Estimate costs to collect and store data.
4. Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
5. Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
6. Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.

Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.

Ransomware isn’t as hard to tackle as many SME information security teams think.

---

 

You know nothing, CISO

Shadow IT can stab you in the back

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

• RSS Feed
• News Feed
• Third Party Partner Widgets
• Third Party Content MS Integrations
• Third Party Digital Asset MS Integrations
• Third Party ECommerce Platforms
• Image Submission Sites
• Ad Tags
• Video Hosting Platform
• Crowd Sharing Functionality
• File Sharing Functionality
• Customer Authentication Platforms
• Third-Party Software Development (SD) Kits
• Social Media Connectors
• Marketing Software
• Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

Is Your Threat Intelligence Certified Organic?

7 questions to ask before choosing a web-based threat intelligence feed.

It should come as no surprise that CISOs are under ever-increasing pressure, with many facing the prospect of losing their jobs if they cannot improve the strength of the enterprise security posture before breaches occur. And, occur they will. Consider these figures—recent studies report that web-based attacks are one of the most common types of digital attacks experienced by the average enterprise, costing $96,000 and requiring 27 days to resolve a single incident. Furthermore, there is a definite positive correlation between both the size of the organization and the cost of the cyber attack and additional correlation between the number of days taken to resolve an attack and the cost of the attack—the larger the organization or days required to remediate, the higher the cost.

Enter, Threat Intelligence

CISOs increasingly embrace threat intelligence as a means to enhance their digital security posture. In the past three years, organizations have significantly raised their spending on threat intelligence, allocating almost 10% of their IT security budget to it, and this number is expected to grow rapidly through 2018. And, this budget allocation appears to be well spent as organizations report enhanced detection of cyber attacks—catching an average 35 cyber attacks previously eluding traditional defenses.

Not all threat intel feeds are created equal

Sure, threat intelligence feeds are increasingly accepted and adopted as an essential element in the enterprise security strategy. In fact, 80 percent of breached companies wish they had invested in threat intelligence. But even as the use of third-party threat intelligence feeds increase, IT/security teams are realizing that not all threat intelligence feeds are created equal.

To begin with, there are several types of threat intelligence feeds based on web-based threats or email threats, and feeds that scan the dark web, among others. While not discounting the value of the various types of feeds, CISOs need to understand why web-based threat intelligence is the first among equals. Web-based malware target the enterprise network and the endpoints through day-to-day internet use by employees–internet critical to their day-to-day office functions. A truly valuable threat intelligence feed will help CISOs achieve their end goal of keeping their organization safe and blocking confirmed bad actors.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Checklist for Choosing the Right Threat Intelligence

Ask these seven questions to determine if the web-based threat intelligence feed(s) you choose are “certified organic” enough to provide tangible goodness and value to the health of your enterprise security posture:

1.    Is the data original source?

Our previous post, Your Threat Intelligence Isn’t Working, discussed the pitfalls of using compiled third-party sources in a threat intel feed—more data isn’t necessarily good data! The time-consuming process of managing duplicates and false positives cripples the performance of most information security teams to the point that many alerts are ignored. Protect cherished resources—budget and time—by choosing an original source threat intelligence feed.

2.    How is the data collected?

While original source threat intelligence minimizes false positives and duplicates, how the data is collected maximizes the tangible value of the feed. Web-based malware is typically delivered through mainstream, heavily-trafficked websites, either via ads or third-party code such as data management platforms, content management systems, customer identification engines, video players and more. Hence, the threat intelligence feed needs to source the data by replicating typical website visitors. This means continuously (24*7*365) scanning the digital ecosystem across multiple geography, browser, devices, operating system and consumer behavior, using REAL user profiles. Unless the engine that gathers the threat intelligence behaves like real internet users (who are the targets of web-based malware), the quality of the “internet threat” data is questionable at best.

3.     Is the threat intelligence dynamic?

Threat intelligence should be a living (frequently updated), constantly active data source. The data in the threat intelligence feed needs to adapt to reflect the rapidly transforming malware landscape. The engine behind the feed should both track and detect malware in real-time, while also accounting for the changing patterns of attack. Even the algorithms driving the machine learning needs to be dynamic and continuously reviewed.

4.     Does it prevent AND detect threats?

As the adage goes, an ounce of prevention is worth a pound of cure, and this holds true in the cyber security space. However, reliance on prevention isn’t practical or realistic. Prevention boils down to deployed policies, products, and processes which help curtail the odds of an attack based on known and confirmed threats. What about unknown or yet to be confirmed threats?

Threat hunting is becoming a crucial element in the security posture. It refers to the detection capabilities stemming from a combination of machine generated intel and human analysis to actively mine for suspicious threat vectors. Does your threat intelligence account for both indicators of compromise (IOC) and patterns of attack (POA)? The goal of threat hunting is to reduce the dwell time of threats and the intensity of potential damage. The threat intelligence feed should allow you to act on threats patterns before they become overt.

5.     How is the data verified?

Just as the automation or machine learning behind the threat intelligence feed should simulate a real user for data collection, human intervention is important for data verification. Without the element of human analysis, data accuracy should be questioned. Otherwise, you run the risk of experiencing increased false positives.

6.     Is the information actionable?

Malware is malware, and by its definition it is “bad”. You do not need an extensive payload analysis of threat data. You do, however, need information about the offending hosts and domains, so that compromised content can be blocked, either manually or via Threat Intelligence Platform (TIP). The granularity of the data can also save CISOs from the politics of whitelisting and blacklisting websites. As a bonus, real-time intelligence will enable you to unblock content when it is no longer compromised.

7.     Does it offer network-level protection?

While CISOs still debate over an optimal endpoint security solution, web-based threats attack at the enterprise network. Frankly, stopping malware at the endpoint is too late! The threat intelligence you choose must offer network-level protection and deter web-based threats from propagating to endpoints in the first place.