The Office 365 Avenue of Approach

The Office 365 Avenue of Approach

Threat actors, advanced persistent threats, and simple cybercriminals are always looking for the latest way to get in or take advantage of potential victims. An avenue of approach is defined as a route of an attacking force leading to its objective. The latest and easiest avenue of approach is Office 365. Since this capability is relatively new and IT organizations have not put as much thought and expertise around defending this critical communications capability in the same ways they did with their on-premise Exchange infrastructure, the threat has been able to take advantage of this lack of attention.

Office 365 is complex and has many caveats without a lot of security guidance or documentation available. The initial vector remains to be primarily phishing. Although two-factor authentication has helped reduce phishing, there are many cases in the past several years where attackers phished the 2-factor code as easily as the normal credentials. There are even several open-source two-factor bypass frameworks that are being leveraged daily to compromise users. With all the available ways to continue to steal user credentials, the attackers continue to go after the O365 as a way to manipulate or execute social engineering to steal money.

In one scenario, an attacker gained access to an account on O365 and enabled send on behalf privileges, created administrator accounts, created inbox rules for certain individuals – all in attempts to hide malicious communication activity and spoofed emails. The attacker sent an email from a self-created email string with the response and forwards of legitimate company executives with instructions to wire funds.

In another scenario, attackers sent requests for payment with a PDF invoice that contained new, attacker-controlled, account information. All of these actions leveraged unauthorized access to the email environment. The activity went undetected for many weeks. The new norm for defenders must be to monitor and review activity, configuration changes, inbox rules, and account delegations. Hunting in real-time and watching not just for security events, but also suspicious or abnormal IT activity is a must for reducing the dwell time. Fraud and security teams must develop processes and playbooks for working together to combat this attacker technique.

So how do we impede or block the O365 avenue of approach? The playbooks must include what alerting is available by security teams and what use cases or non-security related activity a security and or fraud team may need to identify malicious activity. Ensuring there is a monitoring and hunting capability while doing configuration verification is simply a must. This includes a thorough review of current licensing and logging so that when an incident happens, administrators are not blind to attacker activity because logging was insufficient. An important report to review is the malware detections report. The ability to detect a security control failure and limit the impact of account compromises is paramount. Just like other systems, using multi-factor authentication for O365 helps protect the data and devices accessible by each individual, but is not the silver bullet. Limiting the number of global administrators and monitoring the activity of those administrator accounts identifies when the most valuable accounts are being used. Another good practice is turning on, consuming and eventing on mailbox auditing for all users allows for the visibility of unauthorized access of exchange online activity. Email is, of course, a normal phishing avenue of approach, so, understanding how your users within your O365 environment are being targeted by malware to then determine further mitigations or more aggressive malware defense actions is key.

Some other security actions are reviewing mailbox access by non-owners which identifies possible malicious activity and turning on Spam notifications. This allows you to see which accounts are blocked for sending spam, which is also an indication of an attacker using that account. Whatever actions you take, make sure there is a continuous periodic review. Never use a set it and forget it approach. Additionally, Microsoft has been rolling out more advanced security options for O365 within its Automated Investigations and Response (AIR) framework to include some Security playbooks for automation of opening investigations. The initial set of playbooks include User-reported Phish Message, URL Click verdict change, Malware ZAP, Phish ZAP, and email investigations.

O365 is complex and moving from on-premise exchange to O365 does not reduce your need for security activities and actions required to defend your environment. Attackers will continue to use this Avenue of Approach until we as security professionals force them to move to a different avenue in order to gain ground.  Making this lucrative objective a hardened target should be on everyone’s to-do list.


Requirements to Action: Cyber Threat Intelligence

Requirements to Action: Cyber Threat Intelligence

“Military intelligence” is no oxymoron. I’m not a career intelligence professional, but I have worked with some of the best intel organizations and operations in the world, including cyber operations and U.S. military intelligence. So, when I need to assess cyber intelligence, I revert to the framework used in a military environment.

The essential basics of any intelligence operation, whatever the sector, cover requirements definition, collection, processing and exploitation, analysis and production and dissemination. So, what particular insights do you examine within this framework used by the best cyber intelligence organizations?

A critical part of any intelligence operation is determining the need. Just saying ‘I need cyber intelligence’ or ‘I am going to create cyber intelligence’ will get you nowhere. A consumer or producer of intelligence needs to understand what is required in order to not only build a collection platform which meets the needs but executes the required collection.  If you’re a cyber intelligence organization, the value of your production not only depends on your analysis but is just as dependent, if not more, on your collection.

Another aspect of your needs may be strategic and not just tactical. Strategic intelligence can help when building a network or security architectures or detection capabilities and hunting operations.   There are knowledge bases for threat techniques, such as the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CKTM), which can be used to evaluate your defenses or detection capabilities. Some of the best organizations use and build their security operations and detection frameworks from these threat techniques. These organizations use strategic intelligence to protect against threats to things in their vertical, infrastructure or their architecture.

Another part of strategic intelligence is actor and intent. Although intent may be evident in some situations, APTs have a very different intent from a simple ransomware attack. Intent and attribution can be a specific requirement for government and law enforcement to meet their needs, but intent also can be useful in other sectors like critical infrastructure. Understanding the long-term goal or intent of intellectual property theft, denial of service or physical destruction within your sector can go a long way toward understanding your risks, your specific strategic intelligence requirements and the real-time tactical intelligence you require to mitigate those risks.

The size and/or scope of your collection platform capability will determine the size of your output. Single intelligence sources or implementing single-function processes like scraping the web for malicious content or links are valuable but deliver limited intelligence with specific applications. If you only collect, process and analyze malware, it stands to reason that you will only produce malware intelligence. Collection capabilities really come from the ability to acquire unique data. Companies execute collection with various techniques, media and locations. Incident response collects data. Security products collect data. Web and darknet scraping collect data. Intrusion and Network analysis collects data. Hunting collects data. The best intelligence organizations are multi-faceted, so they can fuse together all the intelligence collected from different platforms.

Size and scope of collection are analogous to your own internal network collection and processing. Think about your network Security Information and Event Management System (SIEM). Your SIEM scales in value with more data sources (collection platform) and better correlation (processing) within the platform. If you have one data source, firewalls, for instance, you get collection and correlation from only firewalls. But if you have servers, endpoint detection capabilities, email gateway logs as well as firewalls providing data that you can correlate the information you receive from these multiple sources. When it comes to intelligence collection, companies who have a large platform or multiple platforms provide different intelligence than a provider who scrapes the dark web for specific attributes. Both can be valuable but again this goes back to your need and requirements.   The main point to remember: not all intelligence providers are created equal and one big differentiator is the quality of their collection platforms.

The ability to process raw data plays a significant role in an intelligence provider’s ability to produce real-time intelligence. The best intelligence organizations have developed two important capabilities: vast collection and big data analytics. Using, storing and executing complex analytics on large amounts of data is challenging. The future is now when it comes to using artificial intelligence such as machine learning to support operations. The key to success is figuring out which providers are just using “AI” as a buzzword.  Data, without good analytics, only yields piles of data with no actionable outcome. The larger and more diverse the data types and structures, the better your data storage and your ability to perform analytics must be.  If you understand your provider’s ability to conduct analytics on their collection, you are another step closer to ROI on intelligence.

The goal of intelligence analysis is to figure out what will happen next. Great providers understand they must assess what is happening now and why it’s happening. Intelligence activities include trying to determine the attacker tactics, techniques and procedures. Some attackers use botnets, malware, ransomware. Others use phishing, metasploit or file-less attacks. All these techniques and the tactics of code writing, timing, sequence, targeting, and infrastructure used, need to be collected to find and attribute the most sophisticated threats.

The best nation-state actors develop techniques to look like other nation states. Finding advanced persistent threats (APT) take an enormous amount of data combed through by the best analytics fast enough to find the needle in a field on haystacks.  Understanding your provider’s analysis capabilities is very different from knowing their collection methods, analytics and production capabilities. Good analysis comes from years of experience working to get in the mind of the threat actors, to understand their motivation and the goals of those threats. When assessing analysis, look for experience and historic achievements as well as a good methodology for using what they collect to reach conclusions on your requirements.

In some ways, understanding how you will consume threat intelligence or how it will be provided determines your requirements. Understanding how intel is disseminated is key: Are there automated feeds? Do I get an email? Do I read it on a portal? Are indicators of compromise provided? Is it a list of exploits being used against the newest vulnerabilities? How is it structured to be used by my security tools like direct SIEM ingestion?

In its simplest form, the intelligence needs to be actionable by security staff or security tools. In other words, have an actual effect on your defenses. Knowing the Chinese hacked the Office of Personnel Management (OPM), the Russians hacked the DNC, or the latest botnet is spreading across America may be good to know, but how does that help your security staff change your security posture?

What of that is actionable? Does your security team or provider get actionable intelligence and how do they make it useful? Do they have a way to translate data, information and intelligence into a useful defense scheme or execute real-time targeted hunting in your unique environment based on your atmospherics, architectures, vulnerabilities and priorities? How many times have you seen the intel provider send you an email with links to other web articles? Having an intelligence feed because its required by regulation, maybe checking the box, but you must figure out how to use that feed to the max extent possible. How does crawling the web help my situation? Situational awareness about threats is one thing, but actionable intelligence is what reduces risk, finds threats and stops breaches.

Even the best intelligence-producing organizations are producing for a specific need. Know what your needs are, so you can make sure you choose one that gives you actionable intelligence for your particular needs – tactical or strategic. The current landscape for cyber intelligence is vast and confusing. Providers will give you the intelligence they gain based on their own collection, processing, analysis and production capabilities.

Article originally appeared in SC Magazine. Read it here.

Next Generation Hunting

Next Generation Hunting

The newest buzz word around cybersecurity and managed services is managed hunt operations; the main nuance which might be lost is simple enough, hunting is not new! From platforms to people, everyone is touting the need to find the threats in your network, but security professionals have been looking for and finding threats in networks for 20 years. This “new” concept or theory of hunting has been executed by the best network defenders with the help of sensors, logs, AV, tools, and various scanners for a very long time.

The real trick is going from hunting to search and destroy. While finding historical evidence that attackers have been stealing your Intellectual property for the last four months and remediating may seem to be a success for most threat hunting capabilities. The truth is, discovering threat actors executing commands and watching the techniques is the goal for any modern hunt team. Crushing your advisory in real time as they move laterally, looking to steal intellectual property (IP), Personally Identifiable Information (PII) or Payment Card Industry (PCI) is the dream scenario for any member of your enterprise hunt team.

How many times has your security analyst said, “I can see at this time, this process ran which is an indication of possible blah, blah, blah.”  The goal needs to be, “I see the attacker dumping hashes from memory using Mimicatz… I see the active RDP session and the attackers attempt to move laterally from Host 10.X.X.X. I see PowerShell activity on X host not associated with our internal SCCM.”

Active real-time hunting reduces the “find” time from the most recent estimate of about 99 days down to near real time. This real-time hunting takes talent, training, and humans actively executing structured activities to find threat activity. In military terms, some would say it’s a movement to contact. Movement to contact defined by FM 3-0 Operations is a type of offensive operation designed to develop the situation and establish or regain contact. A cyber movement to contact requires not only some of the best behavior-based detection capabilities and best internal collection capabilities but real-time interactive operations within the networks, systems, and hosts.

Other types of hunts we can take from military tactics, techniques and procedures are:

Area Defense: A defensive task that concentrates on denying enemy forces access to designated terrain for a specific time rather than destroying the enemy outright. This type of hunting operation allows us to conserve or use resources to focus on the “crown jewels.” These tactics may include blocking, canalization into the engagement area of the defenders choosing. Some newer deception technologies allow for a more advanced defense as opposed to the honeypot scenario.

Attack: An offensive task that destroys or defeats enemy forces, seizes and secures terrain, or both. Hunting operations within one own’s network which can be categorized as an attack must focus on the threat tools or capabilities, ensure the threat does not own, hold or control infrastructure which is too valuable to be simply wiped and baselined.

Pursuit: An offensive task designed to catch or cut off a hostile force attempting to escape, with the aim of destroying it. Or in other words, making sure the threat knows they were caught and has no way back into the network.  Shut the preverbal “backdoor.”

All that being said, hunting needs planning, real-time humans executing operations. Using a military framework may help organize the plan, but either way, get eyes on the threat actions in real time.

As opposed to attacking someone in their network, hunters can find and render any threat attempt useless through understanding tactics and techniques an attacker would use. Once in contact, the hunters must clearly understand what actions to take. If your analysts see real-time activity, have you developed a real-time response to each of the interactive scenarios? Understanding the requirements of not just finding and blocking bad stuff but knowing what tools and actions to take if your hunter sees the active RDP session, finds PowerShell running, sees certain processes running or sees the recon scanning activity is critical.

Thoroughly thought out plans, hunts, hunter actions, responses and activities upon finding the threat is sometimes referred to as hunting maturity level. What level is your organization? Start by developing a plan for real interactive hunting, build hunting goals, train hunters, understand the needed tools so we create a contested environment.

Why Fusion is Necessary

Why Fusion is Necessary

A cursory glance at any MSSP listing shows that the focus of most mainstream network and security operations centers (SOCs) is generally health monitoring, configuration, accounting, performance, security (FCAPS), mean time to repair (MTTR), and the security events as they arise.

It’s not a focus that is enjoying enormous success. According to Gartner, breach activity in 2017 was up by 43.8% year-over-year and the scale and severity of attacks as well as reporting requirements are increasing.

Speed of response is at the heart of the issue. Some of the recent largest-scale breaches, such as OPM, Equifax, Target, etc., may have had a slow decision cycle.  And this is where the idea of ‘fusion’ provides an interesting answer. Fusion seeks to make better decisions based on the best available information possible and gain the advantage of having a faster decision cycle than your enemy or threat.

Clearly, the decision maker who has the fastest process to gather the best, most up-to-date information possible is going to have the advantage. This is not a new concept. As retired general Stan McChrystal said “The answer is for leaders to have a process in place that helps them gather relevant information, adequately consider dissenting views from a mix of trusted sources, make a decision, communicate the decision, and act on it. Such a system does not eliminate risk entirely, as real decisions always involve uncertainty and risks, but it does help to ensure that the decision made is well-informed, timely, and the best course of action in an evolving and complex environment.”

The military has evolved in some part due to Gen. McChrystal’s vision for fusion. Put simply, fusing who has the information with who needs the information is critical for timely decision making and action.

In cyber, this is even faster and more important than in any other domain. Before the Internet, the telephone, the telegraph, radio, and carrier pigeon, information traveled at the speed of humans. Think Paul Revere or Pheidippides. Now information travels at the speed of light, so decision cycles are faster. The need for fusion is even more important because of technology, not less important because we have technology. Traditional fusion is intelligence with operations. The critical piece to figure out in any “fusioning” is what needs to be fused. In some organizations fusing Cyber Intelligence and threat activity has led to an evolution on cyber defense, but this still falls short for two reasons.

First, using contextual information not only from IT operations but from business operations adds huge value to the speed of understanding cyber events. The old false positive problem is significantly reduced by knowing up front or in real time the cause of an event in context to operations. Think PowerShell – PowerShell may be legit if done by an Admin yet may be bad if being done by an external RDP connection.

Knowing if SCCM is being used at the same time PowerShell launches is a huge win for fusing IT operations information with security event information. With understanding IT and Business context, event fatigue then becomes minimal and the one event which is almost the same but is missing the business contextual information does not get missed because your only analyst is drowning in useless events.

Second, get rid of the notion that intelligence feeds will solve all problems in real time. “If I could only automate those feeds I’d catch the crook in the act!” If you don’t know and understand your threat through intelligence way before they break the window, you won’t see them or catch them until it’s too late. CrowdStrike estimates the average attacker takes 1 hour and 58 minutes to move laterally in your network. This means you need to have a decision cycle faster than two hours to stop that initial compromise from becoming much worse. Cyber intelligence is knowing the threat, building detection for those threats, and then spending your time hunting for those threats not relying on some automated detection with real-time cyber intelligence.

For cyber decision making, attackers fuse the latest vulnerabilities with techniques and capabilities to exploit those vulnerabilities. For the defender, the fusion comes from having the intelligence information, the network contextual information and the activities that are occurring in real time on the infrastructure. Only then can the defender reduce the decision cycle to an actionable timeframe, block the attacker decisively, contain the damage to critical assets – and hopefully – avoid becoming the next big cyber attack headline.

Think Like the Enemy: Leveraging OPSEC to Stop Social Engineering Exploits

Think Like the Enemy: Leveraging OPSEC to Stop Social Engineering Exploits

Globally, organizations spend billions of dollars trying to prevent their networks from hackers, terrorists and even nation states. They’ve built fortresses of technologies designed to keep the bad actors out. And yet, there’s not a CISO in this world who isn’t worried that their network was compromised last night. (By the way, I’m sure there was a network that was totally compromised last night, so one of the aforementioned CISOs is having a bad day.)

Why is that? Well, it comes down to you. Yes, you, and your colleagues, your team, and heck, even your boss. Cyber attackers know that these fortresses exist, and so, they look for an easier way to get in – a weak link. Most often that weak link is people.

Cyber attackers recon publicly accessible personal information on Facebook, LinkedIn or any publicly accessible social media or database on a daily basis. They know about you. Public information and social media accounts are the easiest way for attackers to gain access to your passwords and security questions. Where did you go to High School, what’s the Mascot? What’s your Mother’s Maiden name? What’s your daughter’s birthday? (Nice picture of her eating birthday cake by the way!) It’s all there; waiting on a silver platter for an attacker to leverage for their own gains.

As an Army officer, one of the simple principles we learn very early on is Operations Security. In practice, OPSEC is about protecting information that could be pieced together for enemy exploitation and then reducing exposure of that information. This information may not mean much when disconnected from the current situation or larger operation, but when pieced together by enemies, it makes for a bad day. When an enemy can gather information from all sorts of places and piece together when that supply convoy or next operational will occur, it makes all other efforts useless.

Strip away the military jargon and this is the same way cyber attackers are compromising passwords every day. Seemingly disconnected information is pieced together until there is enough of a picture to act on.

Maintaining OPSEC in the business world is a hard problem to solve. Even in the security business, companies want to highlight the great talent they have fighting cybercrime. This talent now has a huge target on its back.

The key is this: targets must understand they are targets. From the basic system administrator to the CFO, attackers will continually engineer ways to get critical information from people they consider high value. Training targets  in the organization, from the top down, to identify and stop a social engineering attacks is the best defense.

CISOs need to think like the enemy:

  • Perform your own recon to find out what attackers “see” and how they target high value people.
  • Build information assurance policies, cyber defenses and countermeasures that prevent exploitation of that information.
  • Drive this from the top down. Everyone in the organization is partly  responsible for its security. Know the weak links and hunt for activity aimed at them.

The team at Kudelski Security is here to help you get started or compliment an already mature program. Get in touch with us for a discussion more tailored to your specific needs.