The U.S. Computer Emergency Readiness Team (US-Cert) issued a warning last week stating HTTPS interception weakens TLS security. As the use of encryption for privacy has increased, the security industry has responded by intercepting and decrypting SSL sessions to perform deep-packet inspection (DPI).
Integration decreases cost and increases effectiveness. For this reason, Vectra is adaptive by design. Everything we do considers how to help our customers be more efficient and faster at fighting attacks. Sometimes it involves determining where to deliver sophisticated threat intelligence beyond the Vectra. Working with Splunk is a great example of this integration.
According to Gartner, “The goal is not to replace traditional SIEM systems, but rather to provide high-assurance, domain specific, risk-prioritized actionable insight into threats, helping enterprises to focus their security operations response processes on the threats and events that represent the most risk to them."
Shamoon is back, although we are not entirely sure it ever left.
On Monday, Saudi Arabia warned organizations in the kingdom to be on alert for the Shamoon virus, which cripples computers by wiping their disks. The labor ministry said it had been attacked and a chemicals firm reported a network disruption. This has been dubbed Shamoon 2 by some news outlets.
Here is a simple explanation of what is likely to be happening.
The adversary is using a combination of social engineering and email phishing to infect one or a number of computers on an organization’s networks. Either downloading a file or clicking a link downloads an exploit kit.
The computers infected with the exploit kit rapidly perform port sweeps across the subnet to which hosts are connected. Using automated replication, it then attempts to move laterally via remote procedure calls (RPCs). To cover an organization’s entire network, the adversary needs to infect machines on many subnets.
Shamoon 2, like Shamoon that struck Saudi Aramco in 2012, moves extremely fast with the sole objective of destroying systems and bringing businesses to their knees.
Healthcare organizations are prime targets of cyber attackers because they are reliant on vulnerable legacy systems, medical IoT devices with weak security and have a life or death need for immediate access to information.
This is a prediction made by Gartner analyst Avivah Litan in her latest blog entry, The Disappearing UEBA Market. Of course it caught our attention here at Vectra. We are not UEBA, nor do we want to be. But we often find ourselves in this discussion with people who believe UEBA will solve the world's problems (and possibly make coffee in the morning, too).
On the cybersecurity website ThirdCertainty.com, Byron Acohido makes some very important points about the use of encryption by hackers to avoid detection tools and the need to detect these attacks. This is a water cooler discussion at Vectra headquarters. Encrypted traffic is an easy hiding place for attackers and difficult for organizations to deal with.
However, trying to monitor this traffic by decrypting first, performing deep-packet inspection, and then encrypting again at line-rate speeds is problematic, even with dedicated SSL decryption, especially in the long term. There are several factors at play here.
With an increasing global desire for privacy, more traffic is encrypted by default. It is becoming a standard for cloud applications. The Sandvine Internet Phenomena Report states that encryption doubled last year in North America.
This is actually great news, especially for consumer privacy. Enterprises have a strategy to encrypt everything. With this encryption however, attempts to perform SSL decryption mean there will be large volumes of encrypted data to process.
In previous research from the Vectra Threat Labs, we learned that seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things (IoT). IoT is the unattended attack surface, and more IoT devices means bigger clone armies.
The recent public release of source code for malware named "Mirai" has proven exactly that. Mirai continuously scans the Internet for IoT devices using factory default usernames and passwords, primarily CCTV and DVRs.