Blog Goal Of Threat Intel
21Apr

Implementing a Threat Intel Program is Critical to Cybersecurity


Organizations today are under constant attack from cybercriminals, so developing an effective threat intel program is imperative as a way to defend your organization. The recently published Consortium Networks’ CISO white paper The Goal of Threat Intelligence offers practical advice on the best way to set up your threat intel defense.

The basic steps cover setting clear goals, so you can target the right data set from the vast amount of data available to avoid “over analysis.” Then, you gather input from both your technical and business teams to establish priorities. This is followed by leveraging the knowledge of all stakeholders to identify common perceived and actual threats that currently exist.

Ideally, it’s important to find the right blend of data analysis and cybersecurity expertise. Combining this technical knowledge with business intelligence leads to a synergistic analysis of data that will yield the best results.

Setting up a successful threat intel program requires establishing a repository to hold the data discovered in the fact-finding stage. Ultimately, you need to document rules for classifying and organizing the gathered intel. Then you define how you will share updates, information, and other actionable communication.

As discussed in the CISO whitepaper, the key to an effective program is being able to deliver easy-to-understand, actionable intelligence to all relevant stakeholders, decision makers, and employees. An actionable threat intelligence program takes time, but it is never finished since it must be flexible enough to adapt to changes that arise. It’s important to keep the lines of communication open with everyone involved – vendors, peers, decision makers – to be able to correct any missteps that occur along the way.


Join Consortium Networks today to download the full white paper and to receive access to other valuable security technology content.


Intelligence Driven Security Programs
14Mar

Cyber Threat Intelligence is an important component of any effective security program. The increase in high-profile breaches in recent years has led to an increasingly complex and stringent compliance regime. Depending on your business vertical, you may already have some familiarity with the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the National Institute of Standards and Technology (NIST) Cyber Security Framework, and NIST SP 800-53. The ultimate objective of all of these standards is to ensure the protection of personal data held by our companies. Although building your security program around a particular compliance regime may ensure compliance with that regime, it may not provide the best security posture for your organization.

To be clear, I am not suggesting that compliance is unimportant or to be ignored. However, I am a proponent of intelligence-led security programs, as intelligence - not compliance - should drive your security program. Our overall objective should be to move from a reactive security posture to one that is predictive.

The first thing to understand is your organizational risk and threat profile. You must position your resources against the threats that matter to YOUR organization. In order to effectively do this, you must first understand what your threat landscape looks like and establish the organizational risk tolerance within your organization.

The First Step to Establishing A Solid Foundation for Intelligence-Driven Security


A good friend once said (he says it all the time actually) “the first rule in cyber security is to know thyself.” To that end, you might consider your answers to the following questions:

  • What sector am I in? Am I considered "critical infrastructure"?
  • What are my business units, and how are they interconnected?
  • What is my geographic footprint (the EU has a very different view of PII than we have in the US)?
  • Who are my partners?
  • Who are my customers?
  • What/where are my assets?
  • What is our threat history?
  • What data do I hold/process (customer data, HR data, business critical data, etc.)?

Once you have a firm understanding of your organizational risk, the next step is to understand your stakeholders and consumers. What are the roles of the consumers of your intelligence; what information is relevant for them? In what format and in what degree of frequency would they like to receive intelligence? What are the use cases for your consumers? Understanding the various use cases should allow you to tailor the intelligence for your customers, thereby increasing the value to your organization.

You must also establish your intelligence requirements.

Some questions to help establish requirements might include, but are not limited to, the following:

  • What intelligence is needed by our customer?
  • What vulnerabilities are being exploited in the wild?
  • Can we detect and defend against those exploits?

You must also establish collection requirements.

  • Liaison with like organizations within your business sector
  • Liaison with other members of the information security community
  • Open source feeds
  • Online forum monitoring where exploitation and vulnerabilities are discussed
  • Blog monitoring

Establishing requirements should allow for effective response to incidents. The intelligence must be categorized and prioritized in a way that allows for detection and response to the most critical information with the requisite speed and resources.

You must also develop sources (subscribed intelligence feeds, indigenous intelligence and/or intelligence provided by one of the many government entities) to maximize the intelligence value. Finally establish the expected actions on the intelligence.

Implementing Practices for Intelligence-Driven Security Programs

Step two is developing best practices (methods) for managing the intelligence life cycle. That life cycle should include building an analytic framework, developing your analysts' tradecraft and expertise, collection and processing, developing relevant production standards, etc. Subsequently, or simultaneously, you must integrate intelligence within your technology stack. This could include feeds into your SIEM, Content Management System, anti-virus, endpoint technology, network traffic analysis tools, etc.

Realizing Capabilities

Assuming a strong foundation and the development of best practices, the benefit is realizing the capabilities. A mature intelligence program should provide a myriad of benefits to the enterprise, including:

  • Proactive threat detection
  • Effective and repeatable threat communications
  • Effective two-way information sharing
  • Threat trending and predictive analytics
  • Analytic/tactical support to security operations
  • Enterprise strategic decision support

I started this conversation with a statement that I believe in intelligence over compliance-driven security programs. Compliance does matter, but the fact is that you can do both at the same time. However, the intelligence-driven security model allows for the best opportunity to achieve a predictive security state.



Get access to more content by becoming a member of Consortium today.


Security Awareness Blog
21, 2017

Security Awareness and Building a Security Culture


User awareness is an important, but often-overlooked, component of your cyber security program. Statistics show that between 70 and 80 percent of all cyber security breaches emanate from some form of user behavior. One of my favorite lines, “the greatest vulnerability sits between the chair and the keyboard,” was true in 2008 and is no less true today.

Creating a Culture of Security Awareness

So how do we reduce the risk of user error and vulnerabilities? Implementing a security awareness program is a necessary activity. However, instilling a culture of security is the most effective method for reducing user risk. According to a recent SANS Institute report, the greatest challenges impacting organizations around security awareness are time and communication. The lack of dedicated resources (time) is a key blocker, as many organizations think of security awareness as an afterthought or a compliance concern. Few have dedicated resources for a security awareness program; instead they allocate those responsibilities as ancillary duties to their information technology team. Communication is another challenge. How, how often, and in what form does your organization deliver its security message? If it is only through online security awareness training, your program is likely failing.

Before you begin transforming your company’s security awareness, you need to define your current awareness maturity level:  

Baseline and Metrics
Before developing your program you must establish a reasonable baseline as to where the organization stands. The best way that I have found to do this is to run a few internal phishing campaigns, then capture and analyze that data. This should include at least two metrics that matter: the total click rate, and, from that same data, the percentage of people who go on to provide credentials. These data points should give you a pretty good picture of the security awareness maturity of your organization.

Set your goals and objectives based on the results of the aforementioned baselining activities. For example, if your internal phish indicates a click rate of 25% and a secondary credential compromise of 50% (of that 25%), then your goal could be to reduce those numbers to less than 10%.

Executive Buy-in
Executive leadership must buy in to the program and take an active role in its implementation. This could be in the form of a monthly security newsletter authored by an executive. Regular security messaging, visible participation in security training, etc. displays a security mindset from the top, and is the best way to influence culture.

It should be stressed that information security is not only the responsibility of the Information Technology and Information Security teams but also of every member of the organization. This can be emphasized through the executive messaging, newsletters, etc. Security awareness is not your annual online security awareness training but a continual program that might include that training coupled with other activities.  

Training
In my opinion, online training is generally not very good. It is hard to hold an employee’s attention during online sessions. How many times have you gone through one of these sessions while you were answering emails, taking phone calls, etc.? I know that I am guilty of this more times than I care to admit. Also, online training tends to become “check the box training,” meaning you have a requirement and the online training satisfies that requirement. All this being said, online training is the most prevalent means of providing security awareness today. In addition to the online training, I would include stand-and-deliver (in-person) training as well. In-person training from an engaging instructor increases the likelihood that your employees will remain engaged, provides the ability to give real-life examples from recent events, allows for questions and answers, etc.

Employee Buy-in
Encouraging participation and employee buy-in is an important aspect. Soliciting employee ideas, encouraging feedback, including recent events (breaches, scams, etc.), utilizing real-life stories, and an engaging presenter all help to ensure employee participation.

Soft skills, the ability to communicate effectively, are critical to increasing the employee buy-in to your program. However, information security often is left to the IT department. In my experience, technologists are generally not the best communicators. Entities should look for effective communicators to deliver training and security specific messaging. This could be someone from HR, legal, or some other team in the organization. In addition to a more effective messenger, it also demonstrates that the security mindset is endemic across the organization, thus enhancing the culture of security. Also, the organization might consider bringing in outside expertise.  

Another way to ensure engagement with your users is to relate the training to their personal computer usage. Virtually everything that we might discuss from a corporate information security perspective translates directly to personal information security. The security culture should extend beyond the workplace and into the everyday life of your employees.  

Reinforce the Message
As stated, building a security posture is a continuous process encompassing all of the aspects discussed above. Training should include both online and in person. The training should be reinforced with messaging from senior leadership about security best practices, praise for employees who operate securely, and maybe even some kind of award system for employees or teams that perform best during awareness testing.  

Test
Finally, continue to measure your program. The internal phishing tactic mentioned earlier should be a regular part of your program. The two metrics (click rate and credential compromise) are good metrics to gauge the effectiveness of your program. Also, through these tests, you may be able to identify your “serial clickers” who can then take advantage of remedial training.  

Creating a strong security culture takes time. Installing a strong security program and security awareness program is key, but it must be more than just compliance with some regulation. The following steps should be helpful:

  • Baseline – Where do we stand today, where do we need/want to be
  • Executive Buy-in – Let your employees know that the C-suite is all in and expects everyone to take ownership of the program
  • Training – Design and deliver an effective training program, online and in-person training with an effective communicator
  • Employee Buy-in – Get your employees to buy into the program, relate information security to their personal security, tell real life stories, incentivize security, etc.
  • Reinforce the Security Message – With monthly newsletters and other leadership communications
  • Test, Test, Test – How do you demonstrate to leadership the return on investment? Internal testing is a good way to measure your organization's security awareness maturity

The Consortium Networks was developed to help you navigate through the maze of products and make the best spending decision for your organization.  Reach out to us at contact@consortium.net for more information.




Blog Network Security Without Visibility
30, 2017

There Is No Network Security Without Visibility


I have been in the security business for a very long time, both in the physical and logical realm. In my previous roles and in my current role with Consortium Networks, I often ask our membership about their top five security concerns. Invariably visibility, or lack thereof, is in those top concerns. 

Let me first clarify what I'm talking about. Visibility to the CEO or board is generally something very different than visibility for the SOC manager. A CEO may want to know how the company’s security posture compares to peer companies. However, in this instance, I'm talking solely about the visibility of assets in your environment. 

You have probably heard the adage “You can’t protect what you can’t see.” The CIS Top 20 security controls lists “Inventory of Authorized and Unauthorized Devices” as the number one control. Although I do not believe this list is prioritized, I think this is one of the most essential controls. So, what are some strategies and tools we can employ to achieve maximum visibility? 

First off, obtaining visibility should be the cornerstone of your overall information security strategy. As the title of this article states, there is no security without visibility. So, understanding the assets in your environment is paramount. You must ensure you have the right tools in your environment, which provide a real-time asset inventory of authorized devices. Furthermore, these tools must provide alerts whenever unauthorized devices pop up on your network. I have been involved in audits in which we identified substantial shadow IT infrastructures with direct (unsecured) connections to production networks.

The Risk of Network Security Without Visibility

I often ask members, “How many endpoints do you have in your environment?” After an investigation, the truth is usually 20 to 30 percent more than what the member thought they had. Situations like these put the entire enterprise at a significant risk. 

So, what do you need to address this challenge:

  • Senior leadership buy-in
  • Enforceable policy
  • A security strategy that includes asset management
  • The right tools
  • The right people

We'll assume that you have the senior leadership buy-in to take the necessary steps required to secure your environment (which would include asset management).  

The first logical step is the creation of enforceable policy detailing what types of assets are allowed/not allowed, asset tracking, how they are cataloged and the process for adding and removing/disposing of assets. 

Strategy - Asset management should be a key component of your overall information security strategy. Without a clear understanding of what devices (endpoints, servers, printers, etc.) are authorized to connect to the network, it is impossible to devise an effective security strategy.  Effective asset management will facilitate hardware and software management, license compliance, regulatory compliance, as well as security.  Therefore, it must be part of the overall security strategy. 

Tools - There are many tools that claim to map, categorize, catalog, track, alert on assets. One of the most significant benefits of membership to the Consortium is the ability to cut through the vendor noise and identify what is working for your peers and what is not. I have my opinion on tools that I think do the best job (and on those that I believe do not), but you can use our portal and review what the users are saying about the tools they use. This should help you make a more informed spending decision. 

People - Finally, you must build the right team. The pool of information security talent is shallow, and we all struggle with it.  Having the right team members, with the correct skills, in the right numbers, is crucial to every security program.  Attracting good talent is one issue, retaining that talent is another. Obviously, we must compensate appropriately. But also, we must provide other incentives to grow and keep our talent. Providing training, certifications, excellent working conditions, meaningful work, etc. will help retain the great talent you worked so hard to obtain. 

Building your security strategy must begin with simply knowing what is on your network. The explosion of IoT devices, BYOD, remote workers, contractors, etc. makes this a daunting but important task. However, cybersecurity best practice and regulatory compliance demand that we have a firm grasp of the assets in our environments.

There are a number of tools that help automate the discovery of assets in an environment. These solutions range in price, complexity, and effectiveness. The Consortium Networks was developed to help you navigate through the maze of products and make the best spending decision for your organization. Reach out to us at contact@consortium.net for more information.




Security Disciplines Convergence
09, 2017

How Relevant is Security Convergence?


“Organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk”
(ASIS Standard)

Historically many organizations have managed security functions as independent functions without recognition of the interdependencies between the physical and the logical security world. 

Convergence of the security disciplines is key to an effective enterprise security risk management program. Failure to integrate the disciplines would most likely increase the level of risk for an organization and could introduce unnecessary vulnerabilities. At a minimum, I am talking about the information and physical security world. But, one could also conclude that bringing in Privacy, Risk, Compliance and Governance also makes sense.

I am not surprised when I talk with a member company (or potential member company) to learn that their security functions are in silos with not much cross-communication or collaboration going on. I have even been engaged with members whose information security and physical security functions operate in silos to the point whereby one side is unaware of the other’s activities. This is an obvious enterprise risk management (ERM) challenge, but there are organizations that continue to function in this manner.

Security Convergence: A Holistic Approach to Security

Converged security/risk management offers a more holistic approach, and there are many benefits. In addition to physical and logical security, risk management and general business benefits can also be realized. To be clear, I am not merely talking about the merger of security organizations (although that is a viable option), but more about developing practices, policy and governance that ensure that all security-related activities function in a coordinated way, with each discipline supporting the others.

The first benefit from convergence is the cost savings that can be realized. The re-alignment of teams may allow for better utilization of personnel resources. This could mean the re-allocation of resources to fill gaps and cross training team members to perform multiple duties in either domain, etc. Leveraging teams in a more efficient manner makes good business sense and builds continuity across all of your security related functions. Finally, convergence will illuminate duplicate roles and allow for the opportunity to better address resource allocation.

Convergence should include convergence of technology as well. Think about the technology tools used in the physical security realm today: IP-based centralized security systems for CCTV, physical access control, alarm monitoring, and the associated systems. Bringing all of that together in a security operations center (SOC) provides a single collection and analysis point (or several, if you run multiple SOCs) for security professionals. This enables the sharing of all relevant security, threat and risk data. Furthermore, having security analysts from both disciplines in the same SOC increases the likelihood and speed of information sharing across the teams. Bringing teams together is to everyone’s benefit.

Finally, security convergence can provide a single “hand to shake” for the organization. Alignment of all security functions under a single security organization led by an executive-level security person (be it CSO or CISO) would shorten the timeline of relevant information provided to senior leadership and decision makers. Furthermore, it should reduce instances of inaccurate or erroneous information making its way to the executive suite. Depending on the structure and culture of the organization, the CSO/CISO could report into the Chief Risk Officer, the Chief Information Officer or even the Chief Executive Officer. Also, security risk is a board-level conversation and should be sponsored by and owned at that level.

Benefits of security convergence include, but are not limited to:

  • Cost saving through the merger of teams and technologies
    • Reduction in tool duplication
    • Reduction in role duplication
    • Allows for the re-alignment of resources to better fit business/security goals
    • Improved information sharing
  • Increased efficiencies through the leveraging of the teams and technologies
  • Single point of contact for the flow of information to senior leadership
  • A single enterprise security vision
    • Elimination of internal “turf wars”
    • Elimination of silos of information
  • Improved alignment of business and security goals

The idea of security convergence is not new. In fact, convergence is happening whether you realize it or not. Use of the same infrastructure for information and physical access control is now common and can result in real savings, improved risk mitigation and increased business and security efficiencies. We should continue down this path and accelerate the effort.




14, 2017

5 Fundamental Steps for Cyber Security


Every business connected to a network is a data-rich target for cybercriminals. “Ransomware,” a term rarely heard until a few years ago, is now a daily threat. IoT hacking, DDoS attacks, and internal threats are all a reality today as well, making the job of IT security teams never complete. And as cyber threats and attack methods evolve, so must the way businesses think about IT security.

Michal Zanga, formerly of the Royal Bank of Scotland, stresses that having a cyber security policy document in place is the first step in protecting a business's data and other digital assets from malicious actors. “You have to start with a policy in place,” says Zanga, “and it has to be comprehensive across the organization.” But the policy is just that: a first step in a series of actions IT teams and businesses must commit to and stay on top of.

The whitepaper CISO Best Practices: The Starting Point for Cyber Security -- available to members of Consortium -- is based on the premise that, at some stage, all networks will face attacks that expose flaws in the system. On top of building a stakeholder approved policy document, the article covers four additional steps IT teams should take in order to be prepared for when the attack happens. These additional steps include:

  • Assume you will be breached and develop a response plan.
  • Use external parties to test the system and obtain valuable, independent assessment data on how to strengthen current and future security posture.
  • Address the internal and external channels, including those that may come from stakeholders and employees.
  • Plan ahead and institute a system for promptly addressing ongoing changes.

Join Consortium today to get access to the full article along with other information that will help keep your data, digital assets, and business brand secure.


07, 2017

Half Day Training Course: Cyber Security - Advanced Threat Hunting - Virginia


Wednesday, October 11 | 8:00am - 2:00pm EST
Venue: Hilton - Crystal City, VA


Security Operations Centers must evolve if they hope to hunt for and deal with sophisticated, file-less threats capable of evading standard security measures. The right combination of technology, intelligence and people is key to the team’s ability to detect, hunt and eliminate threats and immediately execute a cyber crisis response plan.

On October 11, join CrowdStrike and Consortium Networks for an intense adversary threat hunting program; learn the latest advanced adversary techniques and latest tradecraft. You will advance your threat hunting skills and methods and take your organization's ability to detect and hunt to the next level.

Through real world examples and war stories our world renowned 24/7 Overwatch Threat Hunting Team will show you new and existing techniques adversaries use; followed by our Response Team training you on how to hunt for new and existing techniques.

Highlights:

  • You will learn about the latest real-world hacking techniques
  • You will leave knowing how to hunt for these techniques in your environment
  • Bring your own laptop, log into our cloud environment and hunt for threats yourself using your newly acquired skills
  • See a live red team/blue team exercise

Who Should Attend:

If you manage a Security Operations Center; are a Security Analyst; Threat Intel Analyst or Incident Responder this is an immersive and interactive training to hunt, identify and get ahead of your attackers before a mega-breach occurs.

Agenda:

8:00AM - 8:30AM

  • Breakfast is served

8:30AM - 10:30AM

  • Overwatch Threat Hunting - War stories from the trenches; what CrowdStrike sees from 51 billion endpoint events

10:30AM - 12:30PM

  • Training - How to hunt for new and existing adversaries

12:30PM - 2:00PM

  • Track the steps of a real pen-tester through a Red Team/Blue Team Exercise (working lunch)

2:00PM

  • Close


Register now and take your organization's ability to detect and hunt to the next level.




29, 2017

BEC Campaigns Target Organizations Across Sectors Using Credential Phishing


Business email compromise (BEC) scams are widely viewed as being a type of cybercrime that necessitates relatively minimal technical ability. Despite this, analysts industry-wide have observed BEC operators progressing from simple schemes such as 419 and fake lottery scams – in which unwitting victims are simply duped into sending payments to fraudsters after being promised large sums – towards experimenting with malware and creating sophisticated networks in order to quickly and reliably move money from one account to another. 

Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites. 

Using a VirusTotal retro hunt, Flashpoint analysts identified a campaign in which threat actors sent 73 malicious PDFs in credential phishing campaigns between March 28, 2017 and August 8, 2017. These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.

Of the 73 files identified during the retro hunt, analysts were able to identify 70 unique Uniform Resource Identifiers (URIs); many of these overlapped based on domains. Attackers used 29 different domains across these documents.
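As an added example (not Flashpoint's tooling or any code from the original post), the following Python scanner pulls the /URI link targets out of PDF attachments and reports the same unique-URI and per-domain view described above, plus an allow-list check that flags a document whose "view secure document" link points outside your own document-sharing hosts. The sample PDFs and hostnames are constructed inline so it runs offline.

```python
"""Extract link targets from PDF files and summarise where they point.
Added example for this page; not Flashpoint's or Consortium's code.
Sample PDFs below are constructed so the script runs offline."""
import re
from collections import Counter
from urllib.parse import urlparse

# A link annotation's action looks like:  /A << /S /URI /URI (https://host/path) >>
# The target is a literal string (...) with backslash escapes or a hex string
# <...>; both are matched. The first "/URI" (the /S value) is skipped because
# it is not followed by a string token.
_URI_TOKEN = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
_ESCAPE = re.compile(rb"\\([0-7]{1,3}|.)", re.DOTALL)


def _decode_literal(raw: bytes) -> bytes:
    """Resolve the escapes PDF allows inside (...) strings: \\( \\) \\\\ and octal."""
    def repl(m):
        esc = m.group(1)
        if esc[:1].isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return _ESCAPE.sub(repl, raw)


def _decode_hex(raw: bytes) -> bytes:
    digits = b"".join(raw.split()).decode("ascii")
    if len(digits) % 2:  # PDF permits an odd digit count; a trailing 0 is implied
        digits += "0"
    return bytes.fromhex(digits)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target found in the PDF, in document order."""
    targets = []
    for m in _URI_TOKEN.finditer(pdf):
        token = m.group(1)
        body = token[1:-1]
        value = _decode_literal(body) if token.startswith(b"(") else _decode_hex(body)
        targets.append(value.decode("utf-8", errors="replace"))
    return targets


def summarise(pdfs: dict) -> dict:
    """Unique URIs across a set of PDFs and, over those unique URIs, hits per host."""
    unique = set()
    for data in pdfs.values():
        unique.update(extract_uris(data))
    hosts = Counter((urlparse(u).hostname or "").lower() for u in unique)
    return {"files": len(pdfs), "unique_uris": len(unique), "hosts": dict(hosts)}


def flag_external_links(pdfs: dict, allowed_hosts: set) -> list:
    """Names of PDFs with at least one link outside the allowed hosts. A lure
    that invites the reader to 'view a secure document' off-domain is exactly
    what an allow-list of your own document services catches."""
    flagged = []
    for name, data in pdfs.items():
        hosts = {(urlparse(u).hostname or "").lower() for u in extract_uris(data)}
        if hosts - allowed_hosts:
            flagged.append(name)
    return flagged


def build_sample_pdf(uri_tokens: list) -> bytes:
    """Construct a minimal PDF with one Link annotation per token (sample data)."""
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uri_tokens)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>",
    ]
    for tok in uri_tokens:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
                    b" /A << /S /URI /URI " + tok + b" >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _hex_token(s: str) -> bytes:
    return b"<" + s.encode().hex().encode() + b">"


# Constructed samples: two lure documents and one benign internal document.
SAMPLES = {
    "doc_a.pdf": build_sample_pdf([
        b"(https://docs-secure-view.example/login?id=1)",
        _hex_token("https://share-file.example/view"),            # hex-encoded target
        b"(https://docs-secure-view.example/open\\(1\\))",          # escaped parentheses
    ]),
    "doc_b.pdf": build_sample_pdf([
        b"(https://docs-secure-view.example/login?id=2)",
        b"(https://docs-secure-view.example/login?id=1)",          # reused across documents
    ]),
    "doc_c.pdf": build_sample_pdf([b"(https://intranet.example.test/policy.pdf)"]),
}

if __name__ == "__main__":
    print(summarise(SAMPLES))
    print(flag_external_links(SAMPLES, {"intranet.example.test"}))
```

The regex approach does not handle compressed object streams; for real attachments, inflate them first or use a PDF library, then run the same host summary.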



Image 1: A sample of the domains utilized by the actors across campaigns.

A potential victim of this phishing campaign would receive a malicious PDF containing a malicious link. Upon opening the PDF, the potential victim would be presented with a prompt to view a secure online document; when clicked, this prompt would redirect the victim to a phishing website to input their login credentials.



Image 2: Upon opening the malicious PDF, a potential victim sees a prompt to access a secure online document, which directs them to a phishing page.

Once on the phishing page, the potential victim is presented with several options to “download” the file and is asked for login credentials for their organization. Once a victim enters their login credentials, the script redirects the victim to a document or web page owned by the targeted organization.



Image 3: A view of the phishing webpage for harvesting credentials.

If valid credentials were submitted, the actors behind the phishing campaign would harvest them. Once harvested, the threat actors would then use the compromised accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts. This practice helps threat actors committing Business Email Compromise (BEC) gain a better foothold into target organizations, and allows them to potentially breach additional organizations. Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information. 


Who’s Responsible for the BEC Campaigns?

Based on analysis of the phishing emails identified by Flashpoint in VirusTotal, analysts assess with moderate to high confidence that these attacks are likely being carried out by attackers located in Western Africa due to the originating IP addresses of the phishing emails, as well as the actors’ tactics, techniques, and procedures (TTPs), such as the focus on credential phishing, the relatively minimal use of malware, and a lack of operations security (OPSEC) practices on the attackers’ part. 

Based on artifacts left in the PDFs, these documents likely represent a small glimpse into the credential phishing community of West African cybercriminals.



Image 4: A phishing email sent through a cloud email service provider has a Nigerian IP address as the originating IP.

While BEC actors operating out of western Africa are broadly considered among the lowest-skilled cyber threat actors, they have been responsible for more than $5 billion USD in fraud in the last three years. In comparison, ransomware was projected to be a $1 billion USD industry in 2016, and Europol estimated that the now-defunct AlphaBay Market was responsible for almost $1 billion USD in business between its creation in 2014 and its closure in July 2017. 

BEC actors and cybercriminals located in West Africa typically do not make significant efforts to enhance their OPSEC practices or conceal their locations; however, they are still largely successful in stealing billions of dollars from publicly traded and high-profile organizations each year.

Additional information on Business Email Compromise (BEC) is available in the Cisco 2017 Midyear Cybersecurity Report.


Key Takeaways

  • Through source intelligence, Flashpoint identified a recent credential phishing campaign that had a low detection rate due to its simplicity; the campaign relied on malicious PDF files containing embedded links that redirected potential victims to credential-harvesting phishing sites. 
  • Using a VirusTotal retro hunt, Flashpoint analysts identified a campaign in which threat actors sent seventy-three malicious PDFs in credential phishing campaigns between March 28, 2017 and August 8, 2017. These malicious PDFs targeted a range of verticals, including universities, software and technology companies, retailers, engineering organizations, real estate firms, and churches, with the goal of harvesting user credentials.
  • In this campaign, attackers used compromised email accounts to send phishing emails to victims’ contacts; the emails may have been viewed as “trusted” by email services given that they were coming from legitimate email accounts. This practice helps threat actors committing Business Email Compromise (BEC) gain a better foothold into target organizations, and allows them to potentially breach additional organizations. Actors can also use the credentials from compromised accounts to monitor inboxes for additional incoming and outgoing information. 
  • Analysts assess with moderate to high confidence that these attacks are likely being carried out by attackers located in western Africa due to the originating IP addresses of the phishing emails, as well as the actors’ tactics, techniques, and procedures (TTPs), such as the focus on credential phishing, the relatively minimal use of malware, and the lack of operations security (OPSEC) practices on the attackers’ part.

This article was originally published on Flashpoint’s blog and was republished with their permission. 

Flashpoint Sources: 
https://www.ic3.gov/media/2017/170504.aspx
https://documents.trendmicro.com/assets/resources/olympic-vision-business-email-compromise.pdf  
http://abcnews.go.com/amp/Technology/wireStory/justice-dept-announces-takedown-online-drug-marketplace-48745482
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2017


Get access to more content by becoming a member of Consortium today.


Crowd Strike Cyber Security Training Course
22, 2017

Half Day Training Course: Cyber Security - Advanced Threat Hunting


Thursday, September 21 | 8:30am - 2:00pm EST
Venue: The Westin Boston Waterfront, 425 Summer St. | Boston, MA 02210


On September 21, you're invited to join CrowdStrike and Consortium Networks for an intense adversary threat hunting program.

In this exclusive event, you'll learn the latest advanced adversary techniques and tradecraft and advance your threat hunting skills and methods.

Highlights:

  • You will learn about the latest real-world hacking techniques
  • You will leave knowing how to hunt for these techniques in your environment
  • Bring your own laptop, log into our cloud environment and hunt for threats yourself using your newly acquired skills
  • See a live red team/blue team exercise

Agenda:

8:00AM - 8:30AM

  • Breakfast is served

8:30AM - 10:30AM

  • Overwatch Threat Hunting - War stories from the trenches; what CrowdStrike sees from 51 billion endpoint events

10:30AM - 12:30PM

  • Training - How to hunt for new and existing adversaries

12:30PM - 2:00PM

  • Track the steps of a real pen-tester through a Red Team/Blue Team Exercise (working lunch)

2:00PM

  • Close


Register now and take your organization's ability to detect and hunt to the next level.




Blog Header Defendpoint Product Testing Report
02, 2017

Avecto Defendpoint | Standardized Product Testing Report


Avecto Defendpoint is an endpoint security product that seeks to combine privilege management and application control technology into a single agent capable of eliminating administrative rights across an enterprise. With privileges being assigned to applications rather than users, individuals can still access the applications they need to perform their jobs. Defendpoint gives users the same experience as administrators and collects data that can later be configured to develop a comprehensive end-user solution. But finding the right balance between user freedom and security can be challenging. Enterprises have multiple user types to balance, each of which requires a tailored endpoint solution that doesn’t compromise security efficacy.

Consortium Standardized Product Testing

Using standardized control objectives, Consortium performed independent product testing of the Defendpoint application. A series of injects against the testing (victim) system were performed by the Consortium assessment team. These tests included:

  • Baseline system test (no security controls in place)
  • Product baseline (a high flexibility configuration)
  • Product tuned (a low flexibility configuration)

The Results

Avecto Defendpoint is a uniquely valuable solution for post-exploit protection of endpoints. Our full results include:

  • Raw testing data analytics
  • A full list of the injections used to test the product
  • Detailed findings and observations with screenshots from the HTTP shell from the attacker’s point of view

Get full access to the product testing report that includes the procedures and results from The Consortium’s standardized product testing of Avecto Defendpoint.





Ciso Dlp System
01, 2017

Developing, Implementing and Maintaining a Data Loss Prevention (DLP) System


A data loss prevention program (DLP) ensures sensitive and critical data is not sent outside the corporate network in an unauthorized manner. Unfortunately, many organizations rely on a software-only approach to monitor and control the flow of data, resulting in large gaps that leave room for internal and external threats to damage business assets. Though technology plays an important role in any effective DLP program, it's only one component. Corporate governance, team resources, and processes also need to be established in order to maximize security within the DLP framework.

Developing a business-wide DLP program requires IT to create and conduct a detailed risk assessment. The results from the risk assessment inform the CISO and other corporate stakeholders on how to proceed in implementing a DLP program. The next step of the risk assessment stage, classification of breaches, requires CISOs to identify the type of incidents that lead to data loss. This stage also identifies which internal and external groups are most likely to trigger a data loss event. The final step for the CISO is to index which departments need to be involved as part of the DLP response plan.

After risk assessment planning, the real work begins. Implementation and monitoring, resolving challenges as they arise, keeping the DLP program sustainable, and choosing between network-based and endpoint-based enforcement are just some of the challenges CISOs face when keeping corporate data safe.

Join Consortium today to get access to the full Best Practices white paper. Inside, you'll see how one CISO successfully deployed a DLP solution along with the lessons he learned along the way.


Get access to the full article by becoming a member of Consortium today.


Ciso Best Practices Engaging The Board
19, 2017

When board members need to understand information security, risk, and vulnerabilities, they turn to the CIO. However, it’s the CISO who typically has the most up-to-date knowledge of the information-related threats and opportunities facing the organization. With the right preparation, the CISO can engage the board with a streamlined security assessment that balances the need to deliver detailed information with operational outcomes.

In this article, Michael Zanga, former CAO of the Royal Bank of Scotland, uncovers the best practices for engaging the board. These practices include: 

Addressing Budgetary Issues

The CISO needs to convey that the level of security provided is correlated to the IT security budget the board approves. At the same time, the CISO needs to inform the board that total security doesn’t exist no matter the level of the budget approved.

Measuring Security Posture

Operational risk, internal audit, technology risk, and third party assessments are all measurements the CISO needs to succinctly explain to the board.

Developing Presentation Frameworks

“Boards don’t need a monthly update,” says Zanga. Taking this tip, the CISO needs to develop a presentation framework that gives the board exactly what they need to know. Overloading the board with information only leads to confusion.

Explaining to the Board the Role of the CISO

Board members may have different expectations of what is required of the CISO on a day-to-day basis. It’s up to the CISO to explain the role and the actions taken through it to continually improve security posture.

The role of the CISO is too important not to be operationally defined for the Board.



Ciso Best Practices Securing Big Data
28, 2017

Scattered data storage and access patterns have created a scenario where enterprise information is under constant threat from internal and external actors. It’s up to the CISO to design, develop, and implement a solution that secures big data and drives business value across the organization. The CISO must also be able to justify the big data security plan to the Board and obtain critical stakeholder buy-in.

Michael Zanga, former CAO of the Royal Bank of Scotland, understands the big data challenges CISOs face. In this article, he shares his best practices for:

Cleaning Big Data

Data needs to be unified, tidied, and cleaned before any thoughtful analysis can begin. More importantly, practicing good data hygiene gives all stakeholders access to the data in a way that can be understood or easily explained.

Addressing Access, Control, and Validation Concerns

After cleaning data, CISOs need to use the data patterns to identify scenarios and situations that constitute a red flag.

Presenting Big Data to the Board

CISOs should present big data findings to the board in the simplest way possible. Board members need answers and solutions to business problems, not lessons in the language and practices of big data.

Leveraging Big Data to Drive Business Value

The problems that big data exposes can also be turned into business opportunities. The more data that enters the system, the more value CISOs can extract.




Ciso Best Practices Developing Communication Plan Breach
14, 2017

Developing a Communication Plan for a Breach


When a breach occurs, CISOs need to have a clear communication plan in place that describes to stakeholders and managers what occurred and what steps are being taken to solve the crisis. This requires the CISO to develop both internal and external communication plans. Both documents are meant to guide the board, stakeholders, and managers on the steps they should take going forward to ensure business operations proceed without further exposing the organization to additional cyber attacks.

Michael Zanga, former CAO of the Royal Bank of Scotland (RBS), understands the need for communication planning all too well. “Our business continuity plan (BCP) never really considered how to deal with hacking,” says Zanga. “We had to learn about the need for an escalation based communication plan during a breach.”

Join Consortium to learn the best practices for developing a communications plan. Inside, you’ll learn more from Zanga’s experience in developing a communication plan, including:

Scenario Planning

Scenario planning asks the CISO to answer the question, “plan for what?” Without developing a range of likely scenarios, the communication plan can’t be developed.

Scenario Testing

Zanga explains the need and value-add of bringing in a third-party to conduct a risk assessment. Outside vendors can adequately stress the IT security environment, setting off triggers that put the communication plan into action. After the testing is done, the CISO can evaluate how well the communication plan performed.

Reporting

Daily system reports are an important supplement to communication plan building. Everything from port scanning to breach attempts needs to be reported so that CISOs can keep the communication plan up to date. A communication plan lets organizations respond to breaches as a single, unified entity.

