Using Behavioral Analytics to Detect Malicious Campaigns and Targeted Attacks
- Joy George
- 6 years ago
THREAT ADVISORY

Niara Threat Advisories provide timely information regarding new attacks and on how Niara helps companies quickly detect an attack, limit its impact and prevent it from establishing a persistent presence within the organization. For more details on Niara's capabilities, or to schedule a demo to see Niara in action, contact us at info@niara.com or at

What did Niara discover?

Niara discovered that spoofing of sender domains was a primary infection vector in credential phishing and malicious emails, despite the complete absence of any suspicious payloads (e.g., known malicious attachments or URLs) in the emails that would have triggered perimeter defenses or security monitoring rules. Niara categorized the spoofed-sender emails into email-based crime campaigns, which were directed at multiple recipients, and targeted attacks, which focused on specific individuals. This distinction is important because it lets security analysts focus on the attacks that matter. Email-based crime campaigns are typically meant to probe weak spots and set the stage for future exploits, whereas targeted attacks use personalized knowledge about the target to cause more immediate damage.

Through analysis performed by Niara's security research team, Niara also categorized the campaigns and targeted attacks by the TTPs (tools, techniques or procedures) used by the attackers. These details help security analysts determine whether their organization has been a target of these attacks, so that they can take the proper steps for remediation. In this threat advisory, Niara also provides concrete indicators of compromise (IoCs) that can be used in conjunction with the Niara solution to combat email-borne attacks. Without the visibility and attack detection made possible by Niara's security analytics, the attack would have remained undetected until significant, potentially headline-grabbing, damage had been caused.
Attack Findings

Email is still the primary attack vector for cybercriminals. In addition to malicious attachments and URLs, credential phishing is also on the rise. This means that signature- and rule-based detection, the foundation of perimeter defense, is rendered ineffective. Instead, cybercriminals are using advanced attack methods that can only be detected through security analytics such as Niara's, which includes behavioral analytics built using a full spectrum of machine learning techniques.
By analyzing email traffic for signs of maliciousness, emails were clustered into campaigns based on the common TTPs used. This threat advisory presents details about some of the malicious campaigns, their TTPs, and why Niara's behavioral analytics are needed for rapid attack detection.

All but two of the campaigns involved emails sent to multiple recipients. This suggests that cybercriminals were looking to infiltrate corporate networks via broad email-based crime campaigns, where attackers cast a wide net in order to find weak spots. For example, if an employee opens an attachment or clicks on a URL from a malicious email, their system can be exploited and the attacker gains a foothold from which to infiltrate the corporate network. Niara also discovered that attackers maintain intelligence about recipients: when the same campaigns recurred months apart, the attackers did not target the same recipients. The remaining two campaigns were more targeted, with emails sent to the same recipient but with different attachments. This threat advisory provides examples of how broad email-based crime campaigns differ from more targeted attacks.

Attackers used a variety of attachments in the campaigns, with names designed to appear legitimate (e.g., DHL RECEIPT.htm, SCAN_INVOICE_ zip, invoice_ _scan.zip), increasing the likelihood that recipients would open them and compromise their systems. Niara's analytics enable rapid detection of email-based crime campaigns and targeted attacks by using contextual evidence and machine learning techniques. By identifying the target of an attack early on, security teams can maintain a heightened level of alertness to better protect high-value assets. Identifying campaigns also gives visibility into how cybercriminals use TTPs to infect multiple recipients; security analysts receive actionable intelligence that allows the organization to quickly detect any future campaign that reuses the same TTPs.
Microsoft Word document attachments with embedded macros appear to be the most popular tool of choice for weaponized attachments.

Technical Analysis

Niara detected many distinct malicious campaigns throughout its analysis. This threat advisory provides in-depth information on the campaigns that had the potential to cause significant damage.

1. PostMoney campaign
2. Locky Ransomware campaign
3. Witness campaign
4. Service-DHL campaign
5. Verify campaign
PostMoney Campaign

This campaign was unique because there was only a single recipient, i.e., Niara's analytics classified it as a potential targeted attack. The email used in the attack did not have any attachments. Instead, the attacker researched the target in advance and sent a spoofed email to a CFO that appeared to come from the organization's CEO. The email, which requested a reply, appeared legitimate. Niara detected this targeted attack by applying its multi-dimensional analytics modules to email traffic and bubbled it up to the security analysts, who prevented any further progress. Had the attack proceeded as planned, the attacker would have sent another email with details of an account to transfer money into. Cybercriminals have been successful with these types of campaigns, costing organizations more than $2.3 billion in losses over the past three years [1]. For example, attackers used a very similar tactic at Snapchat to gain access to employee payroll information [2]. There have also been instances of human resources and finance employees at many organizations being tricked into revealing employee W2 information because of a spoofed message from the CEO [3].

Figure 1: The PostMoney campaign.

Locky Ransomware Campaign

In this campaign, attackers used malicious emails as a vector to compromise systems by installing malware from the Locky Ransomware family. Locky Ransomware encrypts all the files on a compromised system.

Figure 2: The Locky Ransomware campaign.

Notes
[1] FBI: CEO Fraud Skyrockets 270%, Tara Seals, InfoSecurity, 8 April 2016.
[2] Snapchat Employee Data Leaks Out Following Phishing Attack, Jon Russell, TechCrunch, 29 Feb.
[3] Phishing Victims Muddle Tax Fraud Fight, KrebsOnSecurity, March.
Attackers sent the malicious emails to all recipients on the same day, which is very typical of a malicious campaign. The emails had very similar subject lines (e.g., attn: invoice j ) with some variance in the invoice number, in an attempt to add authenticity. Each recipient was sent two document attachments with the same name (e.g., invoice_m_ ). In addition, all emails were sent using the X-mailer MIME::Lite (F2.77; T1.30; A2.06; B3.08; Q3.08) and appeared to come from the same sender. Unbeknownst to the recipients, the Bartallex macro was embedded in the attachments; when an attachment is opened, Bartallex downloads the Locky Ransomware malware, which drops an executable file called ladybi.exe onto the now compromised system. Once this occurs, all the files on the system are encrypted and the message below appears, informing the user that their files have been encrypted and that they must follow a set of instructions in order to decrypt the information.

Figure 3: Message displayed to a user after the ladybi.exe executable used in the Locky Ransomware campaign has encrypted all files on a compromised system.

The compromised systems were also communicating with a command and control (C&C) server. Example communications between the C&C server and the compromised systems are shown below.

Figure 4: Download of an executable used to communicate between an external C&C server and a compromised system in the Locky Ransomware campaign.
Figure 5: Traffic generated by the downloaded executable used in the Locky Ransomware campaign.

Witness Campaign

In this campaign, attackers attempted to compromise systems by installing malicious code belonging to the Pony malware family. Their goal was to steal credentials and install a backdoor to establish a more persistent presence on the endpoint. The Witness campaign, a name inspired by its accompanying attachment (witness_subpoena.doc), was the largest campaign with respect to the number of malicious emails sent. Lasting over 2 days, it was sent to 335 employees at a single enterprise.

Figure 6: The Witness campaign.
All the emails were sent from the same domain and carried the same attachment, named witness_subpoena.doc. In an attempt to social engineer employees, the attackers used the name of the company in the subject line of the email, followed by the string "witness subpoena". For example, employees at a hypothetical company called Acme would have received emails with "Acme witness subpoena" as the subject line. This personalization led a significant number of employees to open the email and the attachment. A quick search on VirusTotal using the MD5 sum of the witness_subpoena.doc attachment revealed that a number of companies were impacted by this campaign. The image below, obtained from VirusTotal, shows some of the companies that received the malicious emails and gives a glimpse into the extent of the campaign.

Figure 7: Example companies affected by the Witness campaign.

When the attachment witness_subpoena.doc is opened, a Windows executable called idd3.exe is dropped into the %temp% directory on the user's machine. The executable, which has an MD5 sum of d3c6ed4d9231fb71eba89c9579ee3dc4, belongs to the well-documented Pony malware family. A VBA macro embedded within witness_subpoena.doc starts the Windows executable. The image below shows the VBA macro invoking the Shell() function with the path to the dropped executable as the parameter.

Figure 8: The VBA macro used in the Witness campaign.

Once idd3.exe is executed, it attempts to download another executable, called services.exe, from a number of C&C domains. At the time of the investigation, the domains appeared to have been deactivated. However, using other tools, Niara's security researchers determined that services.exe, which had an MD5 sum of 68fd262867c60fb4cf4dd e, was a backdoor belonging to the Papra malware family. The image below shows the results of idd3.exe attempting to download services.exe.
Figure 9: C&C server communications in the Witness campaign.

Service-DHL Campaign

In this campaign, attackers attempted to install a RAT (remote access Trojan) from the well-documented NetWire malware family. This malware has been used in both targeted attacks and crime campaigns. The RAT has many malicious capabilities, such as stealing credentials and taking screenshots. The figure below depicts the campaign. The campaign targeted the organization over a month, with attackers sending two malicious emails to 29 unique recipients within the organization. Some received an email containing an HTML file called DHL RECEIPT.html, while the remainder received an email containing a ZIP file called 1.zip.

Figure 10: The Service-DHL campaign.

The ZIP file contains a malicious document file called DHL details 140.doc with an MD5 sum of bffe075f13e9711b6e8abc7da0fb22c7. When the document is opened, a macro executes and downloads an executable called filess.exe, which communicates over TCP with a C&C server named kelessb.ddns.net. The commands executed by the macro are shown below.
Figure 11: Commands used in the Service-DHL campaign, showing the download of a file that communicates with a C&C server.

Verify Campaign

In this campaign, attackers sent emails to unsuspecting employees informing them of incorrect and missing details in their accounts with Bank of America. The emails, which appeared to have legitimately come from Bank of America, contained an attachment called Verify.html. When victims opened the attachment, they were taken to the page pictured below and asked to provide personal information.

Figure 12: HTML page used in the Verify campaign to collect victims' personal information.
After a victim fills out the information and submits the form, the information is sent to an attacker-controlled IP ( ) hosted in Iran. The image below of the POST request shows the details being sent to the attacker-controlled IP.

Figure 13: POST request showing information sent to attackers in the Verify campaign.

How Did Niara Help?

Machine learning serves as the foundation for Niara's behavioral and discrete analytics, which analyze security information and contextual evidence to paint a complete picture of users and hosts. Behavioral analytics also incorporate analyst-provided feedback to adapt to the uniqueness of a local environment, automatically determining normal behavior baselines and identifying irregular behaviors. Discrete analytics provide the global intelligence, identifying anomalies that are irrefutably the result of malicious intent, regardless of the company. When discrete analytics do not generate a high-confidence security alert, the data is tagged with the analytics results, which are then used as input for other analytics. For example, behavioral analytics determined the historical baseline of the volume of incoming emails for each user and surfaced the anomalies created by the unusual volumes sent by attackers. In another example, a discrete analytics module processed the individual emails to find signs of domain spoofing and tagged each email with the findings of the model so that they could be used by other analytic modules. A large number of behavioral and discrete analytics were applied to these emails, and the results were automatically summarized into user profiles that showed the anomalies and more reliably attributed malicious intent.
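As an added illustration (not Niara's code; the recipients, domains and daily counts are constructed), the per-recipient volume baseline described above can be approximated with a robust statistic: each day's inbound count for a recipient is compared against the median and MAD of that recipient's prior days, and a day that deviates by more than k scaled MADs is surfaced together with the sender domain that dominated it. The threshold k=5 and the minimum history of 7 days are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median


def constructed_events():
    """Constructed inbound-mail log: one (day, recipient, sender_domain) per message.
    Days 1-14 are the CFO's normal traffic; day 15 carries a burst from a
    lookalike domain. The second recipient has flat traffic throughout."""
    events = []
    cfo_daily = [2, 3, 4, 3, 2, 5, 3, 4, 3, 2, 3, 4, 3, 3]
    for day, n in enumerate(cfo_daily, start=1):
        events += [(day, "cfo@acme.example", "partner.example")] * n
    events += [(15, "cfo@acme.example", "acme-example.net")] * 40  # constructed burst
    for day in range(1, 16):
        events += [(day, "ops@acme.example", "vendor.example")] * 10
    return events


def daily_counts(events):
    """Return recipient -> {day: count} and recipient -> {day: Counter(sender_domain)}."""
    counts = defaultdict(Counter)
    senders = defaultdict(lambda: defaultdict(Counter))
    for day, rcpt, domain in events:
        counts[rcpt][day] += 1
        senders[rcpt][day][domain] += 1
    return counts, senders


def robust_score(history, value):
    """Deviation of value from the history's median, in scaled-MAD units.
    The scale is floored at 1.0 so a flat history (MAD of 0) cannot
    turn a one-message change into an alert."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    scale = max(1.4826 * mad, 1.0)
    return med, (value - med) / scale


def volume_anomalies(events, k=5.0, min_history=7):
    """One record per (recipient, day) whose inbound volume exceeds the
    recipient's own historical baseline by more than k scaled MADs.
    Only days preceding the scored day feed its baseline, so the burst
    itself never inflates the baseline it is judged against."""
    counts, senders = daily_counts(events)
    findings = []
    for rcpt, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline, score = robust_score(history, per_day[day])
            if score > k:
                top_domain, _ = senders[rcpt][day].most_common(1)[0]
                findings.append({
                    "recipient": rcpt, "day": day, "count": per_day[day],
                    "baseline": baseline, "score": round(score, 1),
                    "top_sender_domain": top_domain,
                })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in volume_anomalies(constructed_events()):
        print(finding)
```

The dominant sender domain on the anomalous day is carried along so the volume anomaly can be joined with a discrete domain-spoofing tag, as the text describes.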
The features used by Niara's machine learning models to cluster the emails into campaigns are listed below:

1. Levenshtein distance as the initial pivot
2. Uniqueness of X-Mailers used in the emails of the campaigns
3. Volume of emails
4. Similarity in the names of the attachments included in the emails
5. Duration of campaigns
6. Country the email was sent from
7. Similarity in subject lines of emails

What Should You Do?

TTPs (Tools, Techniques or Procedures) for Campaigns

Look for the following TTPs to determine whether attackers are targeting your organization with any of the campaigns or targeted attacks listed in this threat advisory. Each TTP is listed for the Witness, Locky, Services-DHL, PostMoney and Verify campaigns in turn.

Email subject
- Witness: <company_name> witness_subpoena
- Locky: attn: invoice j-<random_number>
- Services-DHL: Your parcels arrived at our postoffice (shipment # 140(4))
- PostMoney: company acquisition
- Verify: Added security to your debit card

Attachment type
- Witness: CDF V2
- Locky: CDF V2
- Services-DHL: zip, HTML
- PostMoney: N/A
- Verify: HTML

Campaign duration
- Witness: 2 days
- Locky: 1 day
- Services-DHL: 1 month
- PostMoney: 1 day
- Verify: 1 day

Attachment name
- Witness: witness_subpoena.doc
- Locky: invoice_<character>-<random_number>.doc
- Services-DHL: 1.zip, DHL RECEIPT.html
- PostMoney: N/A
- Verify: Verify.html

Sender domain(s)
- Witness: dhlawfirm.net
- Locky: uahoo.co.uk, hom .co.uk, lyndachase.com
- Services-DHL: services-dhl.cn, servises-dhl.com
- PostMoney: N/A
- Verify: upsidedownyogagames.com, onlinebank-ingx3xrqdh2t-JXW7SV1ET@kqhbjbankofamerica.com

Sender IP(s)
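An added example, not code from the advisory: the clustering below uses Levenshtein similarity of subject lines as the pivot, then attachment-name similarity or a shared X-mailer to link emails into campaigns, and summarizes each cluster by volume, duration, X-mailer uniqueness and sender countries, i.e. the features listed above. The email records are constructed to resemble the campaigns in this advisory (subjects, attachment names and countries are illustrative), and the 0.7 similarity threshold is an assumption.

```python
from collections import defaultdict

# Constructed email metadata resembling the campaigns described in this
# advisory; none of these values are observed indicators.
EMAILS = [
    {"id": 1, "day": 1, "subject": "attn: invoice j-83726", "attachment": "invoice_m-83726.doc",
     "xmailer": "MIME::Lite (F2.77; T1.30; A2.06; B3.08; Q3.08)", "country": "RU"},
    {"id": 2, "day": 1, "subject": "attn: invoice j-19204", "attachment": "invoice_m-19204.doc",
     "xmailer": "MIME::Lite (F2.77; T1.30; A2.06; B3.08; Q3.08)", "country": "RU"},
    {"id": 3, "day": 3, "subject": "Acme witness subpoena", "attachment": "witness_subpoena.doc",
     "xmailer": "Microsoft Outlook 14.0", "country": "US"},
    {"id": 4, "day": 4, "subject": "Acme Witness Subpoena", "attachment": "witness_subpoena.doc",
     "xmailer": "Microsoft Outlook Express", "country": "NL"},
    {"id": 5, "day": 9, "subject": "Added security to your debit card", "attachment": "Verify.html",
     "xmailer": "Foxmail 4.2 [cn]", "country": "IR"},
    {"id": 6, "day": 12, "subject": "Q3 budget review", "attachment": None,
     "xmailer": "Microsoft Outlook 14.0", "country": "US"},
]


def levenshtein(a, b):
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings (case-insensitive), 0.0 for nothing in common
    or when either side is missing (e.g. no attachment)."""
    if a is None or b is None:
        return 0.0
    a, b = a.lower(), b.lower()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def linked(e1, e2, threshold=0.7):
    """Subject similarity is the pivot; attachment-name similarity or a shared
    X-mailer must corroborate it before two emails are joined."""
    if similarity(e1["subject"], e2["subject"]) < threshold:
        return False
    return (similarity(e1["attachment"], e2["attachment"]) >= threshold
            or e1["xmailer"] == e2["xmailer"])


def summarize(members):
    days = [e["day"] for e in members]
    return {"ids": [e["id"] for e in members], "volume": len(members),
            "duration_days": max(days) - min(days) + 1,
            "unique_xmailers": len({e["xmailer"] for e in members}),
            "countries": sorted({e["country"] for e in members})}


def cluster_campaigns(emails, threshold=0.7):
    """Single-linkage clustering: each connected component of the 'linked'
    graph is one campaign. Singletons are kept so an analyst still sees them."""
    by_id = {e["id"]: e for e in emails}
    adj = defaultdict(set)
    ids = list(by_id)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if linked(by_id[a], by_id[b], threshold):
                adj[a].add(b)
                adj[b].add(a)
    seen, campaigns = set(), []
    for start in ids:
        if start in seen:
            continue
        stack, members = [start], set()
        while stack:
            cur = stack.pop()
            if cur in members:
                continue
            members.add(cur)
            stack.extend(adj[cur] - members)
        seen |= members
        campaigns.append(summarize([by_id[m] for m in sorted(members)]))
    return campaigns


if __name__ == "__main__":
    for campaign in cluster_campaigns(EMAILS):
        print(campaign)
```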
Locky Ransomware Campaign

Provided below are the Snort rules that analysts can use to detect the presence of the Locky Ransomware malware.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Locky Malware Downloading Exe"; content:"GET"; content:"/34gf5y/r34f3345g.exe"; sid:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Locky Malware Downloading Exe"; content:"POST"; content:!"User-Agent"; content:"/main.php"; content:"Cache-Control: no-cache|0d 0a 0d 0a|"; sid:2;)

Attachments Used in Campaigns

The list below shows the names of the attachments used in the campaigns. Note that the names appear legitimate, making it more likely that the attachment gets opened, resulting in compromised systems.

a. -xxxxx pdf
b. 1.zip
c. pdf
d. PMC.docx
e. DHL RECEIPT.htm
f. NoCallerID doc
g. PP html
h. SCAN_INVOICE_ zip
i. SCAN_INVOICE_ zip
j. SCAN_INVOICE_ zip
k. SCAN_invoice_ zip
l. SCAN_invoice_ zip
m. SCAN_invoice_ zip
n. Verify.html
o. copy_invoice_ zip
p. invoice_ _scan.zip
q. invoice_ _scan.zip
r. invoice_ _scan.zip
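An added check, not from the advisory, that applies the same string conditions as the two Snort rules above to raw HTTP request text, which is useful for validating the rules against captured requests offline. It tightens "GET"/"POST" to the request method rather than matching those strings anywhere, keeps the rule's absolute exclusion of the string "User-Agent", and requires "Cache-Control: no-cache" to be the final header before the CRLF CRLF body separator, as the |0d 0a 0d 0a| bytes do. The sample requests and host names are constructed.

```python
LOCKY_EXE_PATH = "/34gf5y/r34f3345g.exe"  # path from the advisory's sid:1 rule
LOCKY_C2_PATH = "/main.php"               # path from the advisory's sid:2 rule


def parse_request(raw):
    """Split raw HTTP request text into method, URL, header block and body.
    Returns None when there is no usable request line."""
    head, sep, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    return {"method": parts[0], "url": parts[1], "headers": header_block,
            "body": body, "terminated": bool(sep)}


def match_locky(raw):
    """Return the list of rule sids (1 and/or 2) whose conditions the request meets."""
    req = parse_request(raw)
    if req is None:
        return []
    hits = []
    # sid:1 -- GET of the dropper path
    if req["method"] == "GET" and LOCKY_EXE_PATH in req["url"]:
        hits.append(1)
    # sid:2 -- POST to /main.php, no "User-Agent" string anywhere in the packet,
    # and "Cache-Control: no-cache" immediately followed by the blank line
    if (req["method"] == "POST" and LOCKY_C2_PATH in req["url"]
            and "User-Agent" not in raw
            and req["terminated"]
            and req["headers"].endswith("Cache-Control: no-cache")):
        hits.append(2)
    return hits


# Constructed requests: one per rule, one browser POST that must not match
# because it carries a User-Agent, and one unrelated GET.
SAMPLES = {
    "dropper_get": "GET /34gf5y/r34f3345g.exe HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    "c2_post": ("POST /main.php HTTP/1.1\r\nHost: c2.example\r\n"
                "Content-Type: application/octet-stream\r\nContent-Length: 4\r\n"
                "Cache-Control: no-cache\r\n\r\nABCD"),
    "browser_post": ("POST /main.php HTTP/1.1\r\nHost: www.example\r\n"
                     "User-Agent: Mozilla/5.0\r\nCache-Control: no-cache\r\n\r\nq=1"),
    "benign_get": "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}


def scan(samples):
    """Map each sample name to the sids it triggers."""
    return {name: match_locky(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sids in scan(SAMPLES).items():
        print(f"{name}: {sids or 'no match'}")
```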
Mailers Used in Campaigns

The list below shows the names of the mailers used in the campaigns.

a. Dtkaabo 8
b. Enxccjy gkjdb 7.0
c. Foxmail 4.2 [cn]
d. Fpmt 5
e. Fqogwti swkjhsi 1.6
f. Isgxjfg dgxggc 0.6
g. Microsoft Office Outlook 11
h. Microsoft Outlook 14.0
i. Microsoft Outlook Express
j. Microsoft Outlook Express
k. Microsoft Outlook Express
l. Microsoft Outlook Express
m. Microsoft Outlook Express
n. Microsoft Windows Live Mail
o. Microsoft Windows Live Mail
p. Microsoft Windows Live Mail
q. Microsoft Windows Mail
r. Pegasus Mail for Windows (4.41)
s. Wuzdvrbej 8
t. MIME::Lite (F2.77; T1.30; A2.06; B3.08; Q3.08)

Niara Searches

Below are the searches that can be used within Niara to determine whether your organization is under attack by any of these campaigns.

PostMoney Campaign
conversation_tags: _domain_spoofing AND src_internal:no and dest_internal:yes and src_ip:

Locky Ransomware Campaign
src_internal:no and dest_internal:yes and _xmailer:mime::lite (F2.77; T1.30; A2.06; B3.08; Q3.08) and conversation_tags: _domain_spoofing
src_internal:yes and dest_internal:no and http_method:get and http_url:/34gf5y/r34f3345g.exe
src_internal:yes and dest_internal:no and http_method:post and not http_user_agent:* and http_url:*/main.php
Witness Campaign
src_internal:no and dest_internal:yes and conversation_tags: _domain_spoofing and _attach_filename:*doc
src_internal:yes and dest_internal:no and http_method:get and http_url:/wp-content/plugins/cached_data/services.exe
src_internal:yes and dest_internal:no and http_method:get and http_url:/services.exe

Services-DHL Campaign
conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND _sender_domain:servises-dhl.com
conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND _sender_domain:services-dhl.cn
conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND src_ip:
conversation_tags: _domain_spoofing AND src_internal:no AND dest_internal:yes AND src_ip:

Verify Campaign
src_internal:yes and dest_internal:no and http_method:post and http_host:
src_internal:yes and dest_internal:no and http_method:post and http_url:/cgi-bin/die and not dest_port:80

About Niara

Niara's security analytics platform automates the detection of attacks that have bypassed an organization's perimeter defenses and dramatically reduces the time and skill needed to investigate and respond to security events. The solution applies machine learning algorithms to data from the network and security infrastructure to detect compromised users, entities and malicious insiders, reduce the time for incident investigation and response, and speed threat hunting efforts by focusing security teams on the threats that matter. For more information, visit

NIARA, NIARA INC., the NIARA logo and PETASECURE are trademarks of Niara Incorporated. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Niara's technology and products are protected by issued and pending U.S. and foreign patents.
More informationArbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA
Arbor Networks Spectrum Wim De Niel Consulting Engineer EMEA wdeniel@arbor.net Arbor Spectrum for Advanced Threats Spectrum Finds Advanced Threats with Network Traffic Unlocks Efficiency to Detect, Investigate,
More informationARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE
ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationPhishing Activity Trends
Phishing Activity Trends Report for the Month of, 27 Summarization of Report Findings The number of phishing reports received rose to 24,853 in, an increase of over 1, from February but still more than
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationSOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD
RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD OVERVIEW Information security has been a major challenge for organizations since the dawn of the
More informationKASPERSKY FRAUD PREVENTION FOR ENDPOINTS
KASPERSKY FRAUD PREVENTION FOR ENDPOINTS www.kaspersky.com KASPERSKY FRAUD PREVENTION 1. Ways of Attacking Online Banking The prime motive behind cybercrime is making money and today s sophisticated criminal
More informationLet s Talk About Threat Intelligence
Let s Talk About Threat Intelligence IBM SECURITY SUPPORT OPEN MIC #20 Slides and additional dial in numbers: http://ibm.biz/openmic20 January 26, 2017 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR
More informationAdvanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection
Advanced Threat Defense Certification Testing Report Symantec Advanced Threat Protection ICSA Labs Advanced Threat Defense December 8, 2015 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg,
More informationAutomated Context and Incident Response
Technical Brief Automated Context and Incident Response www.proofpoint.com Incident response requires situational awareness of the target, his or her environment, and the attacker. However, security alerts
More informationPhishing. Eugene Davis UAH Information Security Club April 11, 2013
Phishing Eugene Davis UAH Information Security Club April 11, 2013 Overview A social engineering attack in which the attacker impersonates a trusted entity Attacker attempts to retrieve privileged information
More informationA YEAR OF PURPLE. By Ryan Shepherd
A YEAR OF PURPLE By Ryan Shepherd WHOAMI DETECTION and RESPONSE Investigator for Countercept Threat Hunter PURPLE Team Consultant Offensive Security Certified Professional (OSCP) Crest Registered Intrusion
More information9 Steps to Protect Against Ransomware
9 Steps to Protect Against Ransomware IT Support Analyst Task Overview Security Manager Security Dashboard Self Service log Secur Devices With Vulnerabilities Critical Important/High Moderate/Medium 40
More informationADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY
ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY OUTLINE Advanced Threat Landscape (genv) Why is endpoint protection essential? Types of attacks and how to prevent them
More informationSobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.
Sobering statistics The frequency and sophistication of cybersecurity attacks are getting worse. 146 >63% $500B $3.8M The median # of days that attackers reside within a victim s network before detection
More informationStreaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV
Streaming Prevention in Cb Defense Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV 2 STREAMING PREVENTION IN Cb DEFENSE OVERVIEW Over the past three years, cyberattackers
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationThe Cognito automated threat detection and response platform
Overview The Cognito automated threat detection and response platform HIGHLIGHTS Finds active cyberattackers inside cloud, data center and enterprise environments Automates security investigations with
More informationMCAFEE INTEGRATED THREAT DEFENSE SOLUTION
IDC Lab Validation Report, Executive Summary MCAFEE INTEGRATED THREAT DEFENSE SOLUTION Essential Capabilities for Analyzing and Protecting Against Advanced Threats By Rob Ayoub, CISSP, IDC Security Products
More informationATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK
PARTNER BRIEF ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK INTRODUCTION Attivo Networks has partnered with Cisco Systems to provide advanced real-time inside-the-network
More informationProtecting Your Enterprise Databases from Ransomware
Protecting Your Enterprise Databases from Ransomware 1 Protecting Your Enterprise Databases from Ransomware Protecting Your Enterprise Databases from Ransomware Ransomware is no longer the new kid on the
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationProtecting from Attack in Office 365
A hacker only needs one person to click on their fraudulent link to access credit card, debit card and Social Security numbers, names, addresses, proprietary information and other sensitive data. Protecting
More informationJoe Stocker, CISSP, MCITP, VTSP Patriot Consulting
Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Microsoft Cloud Evangelist at Patriot Consulting Principal Systems Architect with 17 Years of experience Technical certifications: MCSE, MCITP Office
More informationIPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions
IPS Effectiveness IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions An Intrusion Prevention System (IPS) is a critical layer of defense that helps you protect
More informationAd Hoc to Coordinated
White paper Ad Hoc to Coordinated A Practical Process for Incident Response www.proofpoint.com If you re a security analyst working in incident response, you face a deluge of security alerts every day
More informationZero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection
Zero Trust on the Endpoint Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection March 2015 Executive Summary The Forrester Zero Trust Model (Zero Trust) of information
More informationSOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM
RSA NETWITNESS EVOLVED SIEM OVERVIEW A SIEM is technology originally intended for compliance and log management. Later, as SIEMs became the aggregation points for security alerts, they began to be more
More informationVectra Cognito. Brochure HIGHLIGHTS. Security analyst in software
Brochure Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive answers Persistently tracks threats across all phases of attack Monitors
More informationCognito Detect is the most powerful way to find and stop cyberattackers in real time
Overview Cognito Detect is the most powerful way to find and stop cyberattackers in real time HIGHLIGHTS Always-learning behavioral models use AI to find hidden and unknown attackers, enable quick, decisive
More informationSymantec Ransomware Protection
Symantec Ransomware Protection Protection Against Ransomware Defense in depth across all control points is required to stop ransomware @ Email Symantec Email Security.cloud, Symantec Messaging Gateway
More informationSecurity and Compliance for Office 365
Security and Compliance for Office 365 [Proofpoint has] given us our time back to focus on the really evil stuff. CISO, Global 500 Manufacturer Like millions of businesses around the world, you may be
More informationSymantec Protection Suite Add-On for Hosted Security
Symantec Protection Suite Add-On for Hosted Email Security Overview Malware and spam pose enormous risk to the health and viability of IT networks. Cyber criminal attacks are focused on stealing money
More information2018 Edition. Security and Compliance for Office 365
2018 Edition Security and Compliance for Office 365 [Proofpoint has] given us our time back to focus on the really evil stuff. CISO, Global 500 Manufacturer Like millions of businesses around the world,
More informationPhishing Activity Trends
Phishing Activity Trends Report for the Month of September, 2007 Summarization of September Report Findings The total number of unique phishing reports submitted to APWG in September 2007 was 38,514, an
More informationAre we breached? Deloitte's Cyber Threat Hunting
Are we breached? Deloitte's Cyber Threat Hunting Brochure / report title goes here Section title goes here Have we been breached? Are we exposed? How do we proactively detect an attack and minimize the
More informationPHISHING ATTACK TARGETING UNIVERSITY STUDENTS MAY 2016
PHISHING ATTACK TARGETING UNIVERSITY STUDENTS MAY 2016 Page 1 of 5 PURPOSE OF THE ALERT The information contained within this alert is based on the reports received by Action Fraud and the National Fraud
More informationSandboxing and the SOC
Sandboxing and the SOC Place McAfee Advanced Threat Defense at the center of your investigation workflow As you strive to further enable your security operations center (SOC), you want your analysts and
More informationIBM Security Network Protection Solutions
Systems IBM Security IBM Security Network Protection Solutions Pre-emptive protection to keep you Ahead of the Threat Tanmay Shah Product Lead Network Protection Appliances IBM Security Systems 1 IBM Security
More informationManaged Endpoint Defense
DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationCognitive Threat Analytics Tech update
Cognitive Threat Analytics Tech update Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified Consulting Systems Engineer, Cyber Security, Denmark CTA CTA CTA Cognitive Threat Analytics
More informationCyber Insurance: What is your bank doing to manage risk? presented by
Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an
More informationIncident Response Agility: Leverage the Past and Present into the Future
SESSION ID: SPO1-W03 Incident Response Agility: Leverage the Past and Present into the Future Torry Campbell CTO, Endpoint and Management Technologies Intel Security The Reality we Face Reconnaissance
More informationIntro to Niara. no compromise behavioral analytics. Tomas Muliuolis HPE Aruba Baltics Lead
Intro to Niara no compromise behavioral analytics Tomas Muliuolis HPE Aruba Baltics Lead THE SECURITY GAP SECURITY SPEND DATA BREACHES 146 days median time from compromise to discovery PREVENTION & DETECTION
More informationPRODUCT OVERVIEW. Extend your security intelligence from local network to global cyberspace
PRODUCT OVERVIEW Extend your security intelligence from local network to global cyberspace What is a Threat Intelligence solution? ESET s Threat Intelligence service provides global knowledge on targeted
More informationFast Incident Investigation and Response with CylanceOPTICS
Fast Incident Investigation and Response with CylanceOPTICS Feature Focus Incident Investigation and Response Identifying a potential security issue in any environment is important, however, to protect
More information