Abstract Forward Podcast #1: Data Classification With Jim Danburg.

data_classification_2.jpgIn this episode, renowned governance, risk and compliance critical infrastructure security and resiliency expert Jim Danburg joins us for a candid and thought-provoking conversation on data classification, including a funny story doing a project for a CISO (chief information security officer).  More specifically, we discuss the four types of data classification vs. only three, data over-classification, data mis-classification, governance risk and compliance, data security, role based access control (RBAC), need to know policy, litigation discovery risk, the declining cost of data storage: disk vs. solid state, outsourcing data and PCI risk, mapping dependencies, the relationship between executives and data policy compliance, insider threat, bring your own device (BYOD) containerization: corporate vs. personal data with privacy implications, the secure destruction of data and hardware – and what it takes to improve all this!

Contact Abstract Forward Consulting here.

Disclaimer: This podcast does not represent the views of former or current employers and / or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

6 Pronged Approach to Data Exfiltration Detection

The best way to detect precursors to data exfiltration is to employ a six-prong detection approach applied to all risk areas as practicable. Figure 1. shows the six-pronged detection approach.

Figure 1. Six-Pronged Data Exfiltration Precursor Detection Approach [1] [2].

1) Signature Based.

Characteristics: 1) Uses known pattern matching to signify attack; 2) Former zero days, known exploits, etc.

Advantages: 1) Widely available; 2) Most antivirus is based heavily on this; 3) Fairly fast; 4) Easy to implement; 5) Easy to update.

Disadvantages: 1) Cannot detect attacks for which it has no signature – Zero days; 2) Insider threat.

2) Host Based.

Characteristics: 1) Runs on a single host; 2) Can analyze audit-trails, logs, the integrity of files and directories, etc.

Advantages: 1) More accurate than NIDS; 2) Less volume of traffic so less overhead.

Disadvantages: 1) Deployment is expensive; 2) No plan for if the host gets compromised – Real risk for organizations with more than 10 thousand employees.

3) Human Based [2].

Characteristics: 1) Has the unique experience set deriving intuition; 2) Has five senses.

Advantages: 1) Has the ability to learn multiple tools and connect the dots; 2) Can set team direction and inspire people; 3) Can think creatively; 4) Can think with the voice of the customer or recipient of a phishing e-mail.

Disadvantages: 1) Bias and ego; 2) Cannot calculate large numbers fast.

4) Anomaly Based.

Characteristics: 1) Uses statistical model or machine learning engine to characterize normal usage behaviors; 2) Requires big data and other software tools; 3) Recognizes departures from normal as potential intrusions.

Advantages: 1) Can detect attempts to exploit new and unforeseen vulnerabilities; 2) Can recognize authorized usage that falls outside the normal pattern.

Disadvantages: 1) Generally slower, more resource intensive compared to signature-based tools; 2) Greater complexity, difficult to configure; 3) Higher percentages of false alerts.

5) Network Based.

Characteristics: 1) NIDS (network intrusion detection system) examine raw packets in the network passively and triggers alerts.

Advantages 1) Easy deployment; 2) Unobtrusive; 3) Difficult to evade if done at the low level of network operation.

Disadvantages: 1) Fail Open; 2) Different hosts process packets differently; 3) NIDS needs to create traffic seen at the end host; 4) Need to have the complete network topology and complete host behavior; 5) Highly unlikely.

6) Externally Based.

Characteristics: 1) Studies show there are 258 externally measurable characteristics about network infrastructure (without any inside info).

Advantages: 1) Beaching marking – identifying mismanagement symptoms such as poorly configured DNS or BGN networks; 2) Beaching marking – identifying malicious activity which mostly includes SPAM, phishing, and port scanning; 3) One study found it to be highly reliable in predicting breaches (90% true positives in a closed limited test) [3].

Disadvantages: 1) Its low hanging fruit – easy weaknesses to spot; 2) Good I.T. audits and red teaming is similar.

[1] Dash, Debabrata. “Introduction to Network Security”. PowerPoint presentation. 2017.
[2] Photo of public figure Bruce Schneier by Per Ervland. https://www.schneier.com/ 2018.
[3] Liu, Yang; Sarabi, Armin; Zhang, Jing; Naghizadeh, Parinaz; Karir, Manish; Bailey, Michael; and Liu, Mingyan. “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents” 2015. Pg. 1.

Decryption Options For 3 Ransomware Types

ransomware-main.pngRansomware is on the rise and is going after more victims with little to no defenses, small to medium-small sized businesses and even quiet non-profits. Here are a few tools with a valid track record of stopping and removing 3 common types of ransomware.
1) LockCrypt is a ransomware discovered in June 2017 but is still active in various mutations. It spreads by brute forcing Remote Desktop Protocol credentials – a key port (3389) that should be obviously locked. A prominent example of this exploit occurred in December 2017 when an employee opened an email which was maliciously sent from another co-worker’s account. This was merely an attempt to trick the person to click on the malicious attachment which was appended to the letter. Once it was opened, the ransomware download began after which 48 out of 500 servers of North Carolina County were compromised with LockCrypt (Ugnius Kiguolis, Spyware.com, 12/11/17).

As per Bitdefender, this ransomware family has several sub-variants with the following specific extensions, the first (.1btc) is decryptable with this free Bitdefender tool and the others may be decryptable with the free Trend Micro Malwarebytes Ransomware File Decryptor tool (check for updates).

  1. .1btc (decryptable and included in this version of the tool)
  2. .lock (decryptable, not included in our tool)
  3. .2018 (decryptable, not included in our tool)
  4. .bi_d (not decryptable)
  5. .mich (decryptable, not included in our tool)

2) The five-year-old ransomware Trojan-Ransom.Win32.Rakhni has received a facelift recently which now allows it to decide whether or not to install its traditional ransomware or to drop a cryptominer.

The malware is delivered through spam campaigns where the email comes with a PDF attached which the receiver is prompted to save and then enable editing. When the victim attempts to open the document he or she is presented with an executable that portrays itself as an Adobe Reader plugin and it asks the person to allow it to make changes to their computer (Doug Olenick, SC Magazine, 07/06/18).

According the Kaspersky labs, the current injection chain on this newer exploit is largely the same as before. However, the malware moves along a rather complex path before it decides which form it will take. During the process it will check to make sure the device is not a virtual machine, it will check for and disarm an AV software and also Widows Defender and finally erase most of the footprints made during the malware installation.

The executable, which is written in Delphi and has its strings encrypted, then presents a message box that states the PDF could not be opened, basically to keep the victim from thinking anything negative is about to happen (Doug Olenick, SC Magazine, 07/06/18).

It first checks that the device has one of the substrings:

  1. \TEMP
  2. \TMP
  3. \STARTUP
  4. \CONTENT.IE
  5. Registry check

It then checks to see if the registry contains checks that in the registry there is no value HKCU\Software\Adobe\DAVersion and if it finds this is so it creates HKCU\Software\Adobe\DAVersion = True (Doug Olenick, SC Magazine, 07/06/18). As of Feb 2018 Kaspersky Labs has a free decryption tool (since updated) to get rid of most variations of this infection.

3) Thousands of LabCorp’s servers were impacted by the SamSam ransomware attack on 07/13/18, a CSO online report confirmed (Steve Ragan, 07/19/18). Early information indicates that the company contained the spread of the infection and neutralized the attack within 50 minutes – great. However, before the attack was fully contained, 7,000 systems and 1,900 servers were negatively impacted; 350 were production servers (Steve Ragan, CSO Online, 07/19/18. This is a growing trend in the healthcare sector that reached 15% in 2016 (Fig1. Greg Slabodkin, Health Data Management, 04/11/18).

Fig. 1.
Ransomeware Health.pngAs per Jessica Davis of HealthcareITnews, “SamSam is the virus that shut down the Allscripts platform for about a week in January 2017 and is known to use brute force RDP (remote desktop protocol) attacks to breach a system and spread. The variant is also responsible for taking down Hancock Health, Adams Memorial and the government systems of Atlanta — among a host of others” (HealthcareITNews.com, 07/20/18).

The ransom note it displays is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment (Christopher Boyd, Malwarebytes Labs, 05/01/18).

Fig 2.
samsam-ransomware-infected-file-sensorstechforum-com-sorry-for-files-html-virus
The virus has been updated a couple of times. Currently, it appends one of the following file extensions (Julie Splinters, spyware.com, 06/23/18):

  1. .weapologize;
  2. .AreYouLoveMyRansFile;
  3. .breeding123;
  4. .country82000;
  5. .disposed2017;
  6. .fucku;
  7. .happenencedfiles;
  8. .helpmeencedfiles;
  9. .howcanihelpusir;
  10. .iaufkakfhsaraf;
  11. .mention9823;
  12. .myransext2017;
  13. .noproblemwedecfiles;
  14. .notfoundrans;
  15. .prosperous666;
  16. .powerfulldecryp;
  17. .supported2017;
  18. .suppose666;
  19. .VforVendetta
  20. .Whereisyourfiles;
  21. .wowreadfordecryp;
  22. .wowwhereismyfiles;
  23. .loveransisgood.

Different variants of the virus might drop different versions of ransom notes. However, at the moment victims might receive one of these ransom notes in:

  1. 0009-SORRY-FOR-FILES.html,
  2. IF_WANT_FILES_BACK_PLS_READ.html,
  3. 000-PLEASE-READ-WE-HELP.html,
  4. 000-No-PROBLEM-WE-DEC-FILES.html,
  5. READ-FOR-DECCCC-FILESSS.html,
  6. HELP_DECRYPT_YOUR_FILES.HTML,
  7. 001-HELP_FOR_DECRYPT_FILE.html,
  8. 006-READ-FOR-HELLPP.html,
  9. PLEASE_READ_FOR_DECRYPT_FILES_[Number].html,
  10. PLEASE-README -AFFECTED-FILES.html.

SamSam is the newest and most powerful of the three types of ransomeware mentioned above. There is no known decryption tool or fix for data that you don’t already have your data backed up. Yet it is known to uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and similar tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through the network and do damage (Dark Reading, 06/20/18, Ajit Sancheti). Stay tuned here for updates regarding a stable decryption tool for SamSam.

Chinese Hackers Stole About 614GB of Data from Unnamed U.S. Navy Contractor

A series of cyber attacks backed by Chinese government hackers earlier this year infiltrated the computers of a U.S. Navy contractor, allowing a large amount of highly-sensitive data on undersea warfare to reportedly be stolen. Likely by A People’s Liberation Army unit, known as Unit 61398, which is filled with skilled Chinese hackers who pilfered corporate trade secrets to benefit Chinese state-owned industry. The breaches, which took place in January and February 2018, including secret plans to develop a supersonic anti-ship missile for use on US submarines by 2020, according to American officials.

Fig. 1. U.S. Navy Submarine.
Navy Image

This data was of a highly sensitive nature despite it being housed on the contractor’s unclassified network – putting it here was mistake and exacerbated vulnerabilities. A contractor who works for the Naval Undersea Warfare Center in Newport, R.I. — a research and development center for submarines and underwater weaponry — was the target of the hackers, the Post reported. While the unnamed officials did not identify the contractor, they told the newspaper that a total of 614 gigabytes of material was taken. Included in that data was information about a secret project known as Sea Dragon, in addition to signals and sensor data and the Navy submarine development unit’s electronic warfare library. The Washington Post said it agreed to withhold some details of what was stolen at the request of the U.S. Navy over fears it could compromise national security.

A Navy spokesperson told Fox News in a statement the service branch will not comment on specific incidents, but cyber threats are “serious matters” officials are working to “continuously” bolster awareness of. There are measures in place that require companies to notify the government when a cyber incident has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Cmdr. Bill Speaks said. “It would be inappropriate to discuss further details at this time.”

Fig 2. China’s first domestically manufactured aircraft carrier returns to port in Dalian after sea trials on 05/18/2018.

chinese-aircraft-carrier
Military experts fear that China has developed capabilities that could complicate the Navy’s ability to defend US allies in Asia in the event of a conflict with China. The Chinese are investing in a range of platforms, including quieter submarines armed with increasingly sophisticated weapons and new sensors, Admiral Philip Davidson said during his April nomination hearing to lead US Indo-Pacific Command. And what they cannot develop on their own, they steal – often through cyberspace, he said. “One of the main concerns that we have,” he told the Senate Armed Services Committee, “is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”

Chinese government hackers have previously targeted information on the U.S. military, including designs for the F-35 joint strike fighter which they copied. Last year, South Korean firms involved in the deployment of the U.S. Army’s Terminal High-Altitude Area Defense, or THAAD, missile defense system, the Wall Street Journal reported at the time. No matter how fast the government moves to shore up its cyber defenses, and those of the defense industrial base, the cyber attackers move faster.

Compiled from Jennifer Griffin at Fox News, The Post, The Wall Street Journal, Independent News, and Huff Post. Edited and curated by Jeremy Swenson of Abstract Forward Consulting.

Review of the 2018 Verizon Data Breach Report

The 11th edition of the DBIR (Data Breach Investigation Report) was released this month. It analyzed more than 53,000 cybersecurity incidents and over 2,200 data breaches across the globe. Here is a summary of its key findings:
Ransomware continues to be a top cybersecurity threat, according to the report. Ransomware is found in almost 39 % of malware attacks – double the amount in last year’s analysis. “Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.” This comes as no surprise to many city and state officials that have battled with ransomware takeovers recently. Systems in the city of Atlanta were offline for several days last month following a ransomware attack. Government offices and municipal systems have also been targeted in Baltimore, North Carolina, San Francisco, and others yet to come forward – the government does not like to admit their errors.

The report also shows that attacks on public sector organizations continue to focus on espionage. 43 % of public sector attacks were motivated by espionage. Of those attacks, 61 % were carried out by state-affiliated actors. Privilege misuse and error by insiders account for a third of breaches. Small businesses represent 58 percent of data breach victims. Over 50% of the attacks on public sector organizations were accomplished using backdoors in software, which arguably makes the case for why putting backdoors in software is a bad idea even if a government plans to use it for its own purposes – the government is far behind the private sector in incubating innovation here. Using phishing techniques to get data from individuals remains the most popular method as individuals continue to be the weakest link when it comes to security.

Fig 1. Data Breach Causes, Verzion 2018
Using stolen credentials topped the list of causes for data breaches (See Fig 1. for the other top causes). A common saying is “it’s easier to ask the employee for their password than try to guess it”, so social engineering continues to be a very useful tactic for hackers. For most employees, the only security protection system is their password. If a cyber-criminal obtains it, they can easily bypass most of the company’s security controls.

Attribution is probably one of the most difficult tasks in cyber-crime which already has more challenges than most people realize, with misdirection and lack of digital footprints to help lead to the cyber-criminal. This is likely due to several virtual machines and botnets used to facilitate the attack across several nations – all of which are likely unfriendly to the United States. Specifically, 73% of cyber-attackwere caused by outsiders. Organized crime rings are very likely using hackers as a service because 50% of cyber-attacks were attributed to organized crime. 12% was attributed to nation-states – APT (advanced persistent threats) who have unlimited funds.

Specific to Healthcare: The healthcare industry is rife with error and misuse. In fact, it is the only industry that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry—it accounts for 85 % of all malware in healthcare.

In total, there were 750 incidents and 536 with confirmed data disclosed. The top three patterns include: miscellaneous errors, crimeware, privilege misuse – 63 % of all incidents within healthcare. Breach threat actors breakdown: 56 % internal, 43 % external, 4 % partner, 2 % multiple parties. Breach actor motives are: 75 % financial, 13 % fun, 5 % convenience, Data compromised: 79 % medical, 37 % personal, 4 % payment.

The full report is available here.

Abstract Forward Consulting can help you review the issues in this report to build stronger security and process controls. Contact us here to learn more.

Jeremy Swenson, MBA, MSST

AbstractFwdHzTag300

New Consulting Site: www.Abstractforward.com Is Up

My new website, updated and stylistic, is up at: https://www.abstractforward.com/
AbstractForward New WebsiteThe site will serve as my corporate site going forward while the old site: https://www.jeremy-swenson.com/ will serve as a more personal blog.

If we can be of service to you in any way please contact us here.

Respectfully,

Jeremy Swenson, MBA, MSST
CEO & Principal Consultant: Abstract Forward Consulting, LLC
Speaker / Writer / Futurist

Abstract Forward Consulting Now Open For Business!

AbstractFwdHzTag300

In 2016 Mr. Swenson decided to go back to graduate school to pursue a second masters degree in Security Technologies at the University of MN’s renowned Technological Leadership Institute to position himself to launch a technology leadership consulting firm. This degree was completed in 2017 and positions Swenson as a creative and security savvy Sr. consultant to CIOs, CTOs, CEOs, and other business line leaders. His capstone was on “pre-cursor detection of data exfiltration” and included input from many of the regions CIOs, CISOs, CEOs, and state government leaders. His capstone advisor was technology and security pioneer Brian Isle of Adventium Labs.

Over 14 years, Mr. Swenson had the honor and privilege of consulting at 10 organizations in 7 industries on progressively complex and difficult problems in I.T. including: security, proj. mgmt., business analysis, data archival and governance, audit, web application launch and decommission, strategy, information security, data loss prevention, communication, and even board of directors governance. From governments, banks, insurance companies, minority-owned small businesses, marketing companies, technology companies, and healthcare companies, he has a wealth of abstract experience backed up by the knowledge from his 4 degrees and validated by his 40,000 followers (from LinkedIn, Twitter, and his blog). Impressively, the results are double-digit risk reductions, huge vetted process improvements, and $25+ million on average or more in savings per project!

As the desire for his contract consulting work has increased, he has continued to write and speak on how to achieve such great results. Often, he has been called upon to explain his process and style to organizations and people. While most accept it and get on board fast, some aren’t ready, mostly because they are stuck in the past and are afraid to admit their own errors due to confirmation bias. Two great technology leaders, Steve Jobs (Apple) and Carly Fiorina (HP) often described how doing things differently would have its detractors. Yet that is exactly why there is a need for Abstract Forward Consulting.

With the wind at our backs, we will press on because the world requires better results and we have higher standards (if you want to know more reach out below). With a heart to serve many organizations and people, we have synergized a hybrid blend of this process and experience to form a new consulting firm, one that puts abstract thinking first to reduce risk, improve security, and enhance business technology.

Proudly announcing: Abstract Forward Consulting, LLC.

Company Mission Statement: We use abstract thinking on security, risk, and technology problems to move business forward!

Company Vision: To be the premier provider of technology and security consulting services while making the world a better and safer place.

Main service offerings for I.T. and business leaders:

1) Management Consulting

2) Cyber Security Consulting

3) Risk Management Consulting

4) Data Governance Consulting

5) Enterprise Collaboration Tools Consulting

6) Process Improvement Consulting

If you want to have a free exploratory conversation on how we can help your organization please contact us here or inbox me. As our business grows, we will announce more people and tactics to build a tidal wave to make your organization the best it can be!

Thanks to the community for your support!

Founder and CEO: Abstract Forward Consulting, LLC.

Jeremy Swenson, MBA MSST (Master of Science In Security Technologies)