RSA Rises to the Challenge of APTs

Recent news around APT attacks has underscored the critical importance of improving our techniques for rapidly detecting, analyzing and responding to APTs. To foster research in this area, Los Alamos National Lab (LANL) recently released an anonymized dataset of DNS activity collected from their internal servers over a two-month window (February and March 2013), overlaid with traffic from 20 simulated APT attacks during the month of March. LANL also issued a public challenge to the cybersecurity community to “develop techniques for detecting malicious external domains given the DNS logs for a site and to identify potentially infected hosts in the process.”

The Danger of Denial

I was very surprised recently, in a conversation I had with someone I used to work with, to hear him remark that he didn’t think there is any such thing as stealthy, targeted attacks. His comment was something like “those warnings about APTs, targeted attacks, whatever you want to call them, is just a distraction…
The Need for Cyber Risk Intelligence Intensifies

Cyber risk has traditionally been a top concern for IT leaders. But recently, this challenge has been elevated to a top economic and national security concern. In a recent news report, Andrew Haldane, the Bank of England’s Executive Director for Financial Stability, cites cyber attacks as the number one risk facing UK banks – overtaking the Eurozone crisis. In a statement to the US House Intelligence Committee earlier this year, James R. Clapper, Director of US National Intelligence, testified that cyber threats have supplanted terrorism as the top security issue for the U.S.

Introducing The SBIC Blog — Strategic Guidance from Global Security Executives

Imagine if you had regular access to a group of top-notch advisors – security leaders from some of the world’s largest brand-name companies – to help you build your security strategies. Companies like Coca-Cola, FedEx, Intel, Johnson & Johnson, JPMorgan Chase, SAP and Walmart. For the last five years, the Security for Business Innovation Council (SBIC) has been publishing reports which deliver actionable recommendations from some of the world’s most accomplished security leaders. Given the immense challenges in information security today, we know that practitioners are hungry for more guidance based on real-world experiences and lessons learned. This new SBIC blog provides increased access to Council members’ valuable insights.

Mandiant Malware? Not Exactly.

In this particular case, we see a common cybercrime attack methodology, mass spam, a social engineering hook and a downloader Trojan, crossing over into APT space, likely due to all of the recent press coverage of Mandiant and other APT-related investigations. This is further evidence of the constant evolution of online attacks based on current events.

Five Common Corporate Pitfalls in Cyber Security Management

A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.

The Top 10 Gaps in Breach Readiness

After having conducted a number of such Breach Readiness Assessments over the past year or so with customers in a variety of industry sectors – including aerospace, financial, telecommunications device manufacturers, and health care technology – we’ve compiled a list of the Top 10 gaps that we’ve observed during these engagements. The following list is roughly ordered by frequency of occurrence (gaps at the top were seen at more customers than those further down the list), but all were observed at numerous customers.

An Intelligence-Driven SOC – Come See It

I just returned from a weeklong trip to Europe, where I contributed my voice to the wildly successful series of RSA Security Summits. With near unanimity in London and Zurich, the audience accepted our premise that as a result of the changing IT landscape – including cloud, mobile, big data, extended workforce, supply chains – and the realities of today’s sophisticated attackers, the approach to security in organizations needs to dramatically change. Furthermore, there was general agreement that today’s preventive security systems, which are largely perimeter and signature-based, no longer provide sufficient defenses, and that to compensate organizations must improve their detection and response focused security controls. This quickly led to the practical and real challenge of how organizations can best make those improvements. How, in an environment of fixed security budgets, can organizations invest to create or significantly enhance their monitoring and response capabilities?

The “Switch Target” Part II – The Three “R’s” of Cyber Defense?

In Part I of my post on Switch Targeting, I discussed the fundamentals of how adversaries use seemingly trusted hop points as vectors in and out of primary targets, similar to how bank robbers target, stage and execute their robberies. Now I want to introduce the concept of the three “R’s”, or R3, based on my experience in the field helping organizations position themselves to detect where these switch targets may be relative to their own attack infrastructure as part of designing a Next Generation Security Operations Center (SOC). R3 is comprised of three focal areas for the Chief Information Security Officer (CISO) to consider – Readiness, Response and Resiliency.

Beyond the Zero Day: Reverse Engineering Malicious Class Files

In part 1 of this blog, “Beyond the Zero Day”, we focused on detecting malicious JVM (Java Virtual Machine) activity and identifying the ‘blob’ that was downloaded. No subsequent network activity was detected after the download, but that doesn’t rule out successful malware delivery and deployment. We can certainly seize and forensically examine the host, but that might require a massive time investment for an organization, and we don’t even know what we’re looking for yet. The first place to start is by examining the Class file that kicked off the HTTP GET for our ‘blob’.