Many of the threat scoring systems we come across may not fit what your organization is looking for. Seth Bromberger, manager of information security at PG&E, has a more generic threat scoring system that any organization can use.
The system divides threat sources into broad categories such as insiders, script kiddies, nation-states, terrorist groups and forces of nature, among others.
Each threat is scored on a scale from 0 (no capability) to 5 (most capable threat).
Capability is judged by the attacker's institutional knowledge, technical proficiency, group size and funding, and level of access.
Read more at: http://searchsecurity.techtarget.com/magazineContent/Researcher-Puts-Quantitative-Measurement-on-Information-Security-Threats
Sunday, April 24, 2016
Sunday, April 17, 2016
Choosing the Right Data Sharing Architecture
Most of the time organizations want to share data but have a hard time choosing the right sharing architecture. Here are four steps that help make the decision:
1. Survey the architecture landscape: educate the customer about the possible architectures (centralized, distributed, or hybrid) and the functionality each offers, such as federated query or decision support.
2. Refine the requirements: when requirements are vague, ask the customer to narrow them down. One way is to build use cases and show what result each architecture would produce for each requirement; those results help the customer understand what each architecture would actually give them.
3. Analyze the dependencies: once the requirements and outcomes are settled, map the dependencies between the systems involved. Analyzing the structure and components of each candidate shows the customer how complex it is, and increased complexity means increased cost for that architecture.
4. Recommend an architecture: based on the customer's requirements and budget, list at least three candidate architectures and specify what each one offers.
By following these four steps, an organization can choose the architecture that best suits its enterprise instead of investing in one that costs more and does not deliver the desired results.
Read More: https://gcn.com/articles/2012/07/17/4-steps-architecture-analysis.aspx
Sunday, April 10, 2016
Different types of NIDS
NIDS (Network Intrusion Detection Systems) are software that inspects network traffic for signs of attack; the sensor is typically placed at the gateway between your internal network and the Internet. The detection rules these systems run are a crucial line of defense for telling legitimate traffic from malicious traffic. Here are some of the NIDS on the market:
SNORT: the oldest of the three, with a large user base (the source puts it near 40,000 users). It runs on Windows and many Linux distributions. However, it is single-threaded by default and does not take advantage of multi-core machines without special configuration (for example, running several instances pinned to different cores).
SURICATA: a younger NIDS that consumes the Snort rule language and was initially funded by the US government. It is known for its efficiency, works well with the Emerging Threats ruleset, and is natively multi-threaded, so it performs best on multi-core systems.
SAGAN: an open-source log and event analysis engine that runs on Unix-like operating systems (Linux, OpenBSD, FreeBSD). It is written in C for high performance. Sagan's structure and rule syntax are similar to Snort's, so it can correlate log events with Snort IDS/IPS alerts, write its findings into Snort databases, and work with all Snort consoles. Sagan also offers automatic firewall blocking via Snortsam, GeoIP detection/alerting and more.
Read more: https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
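What the three engines have in common is the Snort rule language, so it is worth seeing what a rule actually does. The following is an added example, not code from Snort, Suricata or Sagan: a small Python matcher that parses the Snort rule header and the most common options (msg, content with |hex| escapes, nocase, sid) and runs a few rules over constructed packets. The HOME_NET/EXTERNAL_NET values, the rules and the packets are all made up for the demonstration; a real engine adds stream reassembly, flow tracking, fast-pattern matching, pcre and much more.

```python
"""Minimal Snort-style rule matcher. Added example; not the engine of Snort,
Suricata or Sagan. Supports header, msg, content (|hex| escapes), nocase, sid.
'<>' is treated like '->' and actions other than alert are not distinguished."""
import ipaddress
import re

# Hypothetical variable table standing in for snort.conf "ipvar" lines.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
HEX_RE = re.compile(r"\|([0-9a-fA-F ]+)\|")


def decode_content(text):
    """Snort content syntax to bytes: 'GET |0d 0a|' becomes GET followed by CRLF."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("bad rule header: " + line)
    rule = m.groupdict()
    rule.update(contents=[], msg="", sid=None)        # contents: [bytes, nocase]
    for key, val in OPT_RE.findall(rule.pop("opts")):
        val = val.strip()
        if val.startswith('"'):
            val = val[1:-1]
        if key == "content":
            rule["contents"].append([decode_content(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True            # modifier binds to the previous content
        elif key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def addr_match(spec, ip):
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                                   # ranges: 80:90, 1024:, :1023
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return False
    for needle, nocase in rule["contents"]:           # every content must be present
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def run_rules(rule_lines, packets):
    """Return (sid, msg) for every rule that fires on every packet, in order."""
    rules = [parse_rule(r) for r in rule_lines]
    return [(r["sid"], r["msg"]) for p in packets for r in rules if rule_matches(r, p)]


# Constructed rules in Snort syntax (sids in the 1000000+ local range).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK directory traversal"; '
    'content:"GET "; content:"../../"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sqlmap user agent"; '
    'content:"User-Agent|3a| sqlmap"; nocase; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"POLICY outbound to tcp/4444"; sid:1000003; rev:1;)',
]
# Constructed packets (decoded 5-tuple plus TCP payload), not real captures.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51234, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51235, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.php?id=1 HTTP/1.1\r\nUser-Agent: SQLMAP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40000, "dst": "203.0.113.9", "dport": 4444, "payload": b""},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 40001, "dst": "192.168.1.20", "dport": 4444, "payload": b""},
]

if __name__ == "__main__":
    for sid, msg in run_rules(RULES, PACKETS):
        print(f"[1:{sid}] {msg}")
```

The fourth packet is internal-to-internal, so the policy rule stays quiet: with EXTERNAL_NET defined as the negation of HOME_NET, the destination check fails, which is exactly the distinction a real deployment relies on when it defines its address variables.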
Sunday, April 3, 2016
YARA oh YARA!
YARA is a robust tool for finding and classifying suspicious files on your systems by pattern, and its regular expressions are Perl-compatible (PCRE-style).
A YARA rule has two sections: strings and condition.
There are three types of strings:
- Hexadecimal strings: the pattern is written as bytes in hex. Hex strings also allow wildcards (? stands for an unknown nibble) and jumps ([n-m]), which skip a variable number of unknown bytes where the surrounding pattern is known but the distance between its parts is not.
- Text strings: ASCII text strings used as match criteria.
- Regular expressions: YARA uses its own regular expression engine, similar to PCRE.
Condition: a Boolean expression over the strings defined in the strings section; the rule matches when it evaluates to true.
YARA can be integrated with:
- PEiD signatures, to check which packer was used to build a malicious executable.
- PE (Portable Executable) files, so rules can look for specific strings, including those in HTTP requests and responses.
- WMI tooling, which lets YARA scan more than one process.
Read more : http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
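To show how the three string types and the condition fit together, here is an added example that is neither YARA's own code nor a sample from the article: a small Python matcher that compiles a YARA-style rule (hex strings with nibble wildcards and jumps, a nocase text string, a regex string) into byte regexes and evaluates the condition over a constructed buffer. It is a teaching toy: no alternatives inside hex strings, no modules, and only the condition operators listed in the code; the rule and the sample bytes are invented for the demonstration.

```python
"""Toy YARA-style matcher. Added example, not YARA itself: compiles hex
strings (nibble wildcards, jumps), text strings (nocase, wide) and regex
strings to Python byte regexes, then evaluates the rule condition."""
import re

STRING_DEF = re.compile(
    r'\$(\w+)\s*=\s*(\{[^}]*\}|"(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/)[ \t]*([\w ]*)')


def hex_to_regex(body):
    """'4D 5A ?? 5? [2-6] 90' -> byte regex. Alternatives ( a | b ) unsupported."""
    parts = []
    for tok in body.split():
        if tok.startswith("["):                       # jump: [n], [n-m], [n-], [-]
            lo, dash, hi = tok.strip("[]").partition("-")
            lo = lo or "0"
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()) if dash
                         else b".{%s}" % lo.encode())
        elif tok == "??":                             # whole byte unknown
            parts.append(b".")
        elif tok[1] == "?":                           # 5? -> 0x50..0x5f
            base = int(tok[0], 16) << 4
            parts.append(b"[\\x%02x-\\x%02x]" % (base, base + 15))
        elif tok[0] == "?":                           # ?5 -> x5 for every high nibble
            low = int(tok[1], 16)
            parts.append(b"[" + b"".join(b"\\x%02x" % ((h << 4) | low) for h in range(16)) + b"]")
        else:
            parts.append(b"".join(b"\\x%02x" % b for b in bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def compile_string(literal, modifiers):
    mods = set(modifiers.split())
    if literal.startswith("{"):
        return hex_to_regex(literal[1:-1])
    flags = re.DOTALL | (re.IGNORECASE if "nocase" in mods else 0)
    if literal.startswith("/"):                       # regex string: /.../
        return re.compile(literal[1:-1].replace("\\/", "/").encode("latin-1"), flags)
    text = literal[1:-1].encode("latin-1").decode("unicode_escape")
    raw = text.encode("utf-16-le") if "wide" in mods else text.encode("latin-1")
    return re.compile(re.escape(raw), flags)


def parse_rule(text):
    name = re.search(r"rule\s+(\w+)", text).group(1)
    strings_src = re.search(r"strings:(.*?)condition:", text, re.S).group(1)
    condition = re.search(r"condition:(.*)\}", text, re.S).group(1).strip()
    strings = {ident: compile_string(lit, mods)
               for ident, lit, mods in STRING_DEF.findall(strings_src)}
    return name, strings, condition


TOKEN_OK = re.compile(r"^(?:True|False|and|or|not|\d+|[<>=!]=?|[()])$")


def evaluate(strings, condition, data):
    """Find every string, then reduce the condition to a Boolean."""
    offsets = {k: [m.start() for m in rx.finditer(data)] for k, rx in strings.items()}
    hits = sum(1 for o in offsets.values() if o)
    expr = condition
    expr = re.sub(r"\$(\w+)\s+at\s+(\d+)", lambda m: str(int(m[2]) in offsets[m[1]]), expr)
    expr = re.sub(r"#(\w+)", lambda m: str(len(offsets[m[1]])), expr)
    expr = re.sub(r"\$(\w+)", lambda m: str(bool(offsets[m[1]])), expr)
    expr = re.sub(r"\ball of them\b", str(hits == len(offsets)), expr)
    expr = re.sub(r"\bany of them\b", str(hits > 0), expr)
    expr = re.sub(r"\b(\d+) of them\b", lambda m: str(hits >= int(m[1])), expr)
    tokens = re.findall(r"\w+|[<>=!]=?|[()]", expr)
    # Only whitelisted tokens reach eval, and nothing else may remain in the text.
    if re.sub(r"\w+|[<>=!]=?|[()]|\s", "", expr) or not all(TOKEN_OK.match(t) for t in tokens):
        raise ValueError("unsupported condition: " + condition)
    return bool(eval(expr, {"__builtins__": {}}, {})), offsets


def scan(rule_text, data):
    name, strings, condition = parse_rule(rule_text)
    matched, offsets = evaluate(strings, condition, data)
    return name, matched, offsets


RULE = r'''
rule SuspiciousDropper
{
    strings:
        $mz   = { 4D 5A }
        $stub = { E8 ?? ?? ?? ?? 5? [2-6] 90 90 }
        $cmd  = "cmd.exe /c" nocase
        $url  = /https?:\/\/[a-z0-9.-]+\/[a-z]{6,8}\.exe/
    condition:
        $mz at 0 and ($stub or $cmd) and #url >= 1
}
'''
# Constructed buffer (not a real executable): MZ header, a call followed by a
# push and an xor, then two nops, then embedded strings.
SAMPLE = (b"MZ" + b"\x90" * 14
          + b"\xe8\x10\x00\x00\x00\x53\x31\xc0\x90\x90"
          + b"CMD.EXE /C start http://files.example.net/update.exe\x00")

if __name__ == "__main__":
    print(scan(RULE, SAMPLE))
```

The jump in $stub is the interesting part: the call and the pop/push are fixed, the instructions between them are not, so [2-6] lets the same rule survive minor recompilation. The token whitelist before eval is what keeps the toy condition evaluator from becoming a code-execution hole when rules come from someone else.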
Sunday, March 27, 2016
What is FAIR?
FAIR (Factor Analysis of Information Risk) is a quantitative risk assessment methodology. As the source describes it, the assessment builds a threat model from past experience, current trends, and the value of current assets, validates it with penetration tests and security exercises on par with today's threats, and delivers a well-reasoned risk analysis.
Here are the stages of the methodology as the source lays them out:
- Intelligence Gathering: from human and non-human (technical) sources
- Business Process Mapping: identify the critical business processes to be used in threat modeling and planning
- Asset Mapping: the value of each asset and the cost to replace it
- Vulnerability and Exposure Analysis: enumerate vulnerabilities from various vantage points and identify the countermeasures
- Threat Modeling: identify each threat and its likelihood of successfully attacking the asset
- Data Flow Protection Analysis: analysis of all communication (data, voice, image, and physical) to find incorrect data flows
- Risk Modeling: based on loss magnitude (liability) and frequency, assign a quantitative value to each risk
- What-If Modeling: analyze the organization's future landscape (such as a merger) to aid decision making
Read More: http://www.optimalrisk.com/Cyber-Security/FAIR-Methodology
Sunday, March 20, 2016
Becoming a Cyber Intelligence Analyst
What is the role of a cyber intelligence analyst? What skills are needed? What should the analyst deliver?
Analysts have to dig through a lot of information and noise to get to intelligence. Once they have it, they need to deliver a report. A common format is Bottom Line Up Front (BLUF), which lets readers see what the report is about in about ten seconds. The report should also contain the important details gathered from the intelligence sources and, lastly, the analyst's own assessment.
Skills needed:
- Technical writing: developed over time
- Analysis: sharpened by understanding human psychology and thinking like an attacker, asking questions such as: How will the attacker attack? What is the process? What is the goal? What are the tools?
Traits of a good analyst:
- Being a technical expert in your field, able to tell good intel from bad
- Knowing your customers and your organization
- Being able to pull information from other resources such as blogs, books, and threat feeds
- Using any available source of information: firewall logs, intrusion detection system logs, digital forensic analysis, reverse engineering of malware, open source Internet searches, honeypots, and more
- Being able to process large amounts of data and think critically
Source: http://www.tripwire.com/state-of-security/security-data-protection/developing-cyber-intelligence-analyst-skills/
Sunday, March 13, 2016
Recorded Future Helping Organizations in the Cyber World
The web is complex and is divided into three layers:
- World Wide Web (surface web): public and easily accessible
- Deep Web: not indexed by search engines; dynamic, private, ephemeral
- Dark Web: custom protocols (Tor and the like); legal issues
Before building a threat intelligence program, a company should first decide which kinds of events matter to it, in order to avoid immediate issues:
- Direct risk (targeted or named; institutional vulnerabilities)
- Indirect risk (vendor, service, or technology dependencies)
- Actors, campaigns, tools, or tactics that targeted your company or sector
- Internal inquiry (leadership, corporate communications, or technical areas)
- Affecting multiple companies in your sector
- Affecting a large company or leader in your sector
- Affecting a direct peer (by market size, holdings, or geography)
- Mass campaigns (widespread, significant volume, or high level of success)
- Has, or is expected to have, significant media attention (inquiries expected)
- New or significant actors, campaigns, tools, or tactics
With those priorities set, the goals of the program are to:
- Turn intelligence objectives into intelligent decisions
- Apply Open Source Intelligence (OSINT) to prioritize threats
- Save time and money by using threat intelligence capabilities
Read more:
https://www.recordedfuture.com/finance-threat-intelligence-goals/
Sunday, March 6, 2016
Strategic, Operational, Tactical Matrix
We all know the three levels of intelligence: strategic, operational and tactical. Let us explore the goal of each level and some of the attributes attached to it:
Strategic: this level is about the big picture, planning and making organizational decisions with the future in mind. Here you want to know what the current threats are, or whether there is a threat present in the location where you are about to open a new office.
Operational: this level is about making decisions based on the intelligence at hand and explaining why a decision was made the way it was. To decide, you prioritize the tasks at hand, gather enough context about each task (so you can answer any questions), and then take the proper action.
Tactical: this level is the most technical of the three and belongs to the security team. Team members keep up with what is new in the security realm and are responsible for finding indicators (IP addresses, hashes, e-mail subjects and so on) and feeding them into the security systems.
The source post summarizes these levels in a matrix (image not reproduced here).
Read more: http://www.isightpartners.com/2015/04/thoughts-from-rsa-improving-it-all-strategic-operational-tactical-with-cyber-threat-intelligence/
Sunday, February 28, 2016
Ethics in Cyber Security
When performing research in cyber security we often find it hard to identify the proper ethical route, and most times we question ourselves. There are reports that can guide us to the proper ethical decision:
Belmont Report:
- Respect for persons: make every effort to respect the person
- Beneficence: get the most benefit with the least harm
- Justice: distribute the benefits and burdens of the research fairly
Menlo Report:
- Includes all three principles from the Belmont Report
- Adds respect for the law and the public interest
There is also an effort called CREDS (Cyber-security Research Ethics Dialog and Strategy) that assesses research projects against such ethical principles. By taking these measures and following these guidelines, researchers in cyber security can perform research in an ethical way that benefits the world without causing harm.
Read More:
https://www.predict.org/Default.aspx?tabid=157
Sunday, February 21, 2016
Information vs Intelligence
IP addresses, executable files, and phishing e-mails are observables. We can combine these observables and work with them to gain information, and then turn that information into intelligence. For example, an IP address can be traced to its host, and an executable can be detonated in a test environment.
Most of the time people say an intelligence feed is an IOC feed. But if we find an indicator linked to malware X and confirm that this malware is present in our systems, that is good information, yet it still cannot answer these questions:
- If an indicator is detected, what role does the identified observable play in the overall threat?
- Does it signify the delivery of a new attack, or the exfiltration of data following a successful compromise?
- How sophisticated are the malware or tools used?
- What is the motivation of the actors behind the malicious activity?
Read more: http://www.isightpartners.com/2015/04/information-vs-intelligence-there-really-is-a-difference/
Sunday, February 14, 2016
China Disrupts Peace Palace
During a hearing at the Peace Palace on July 9, 2015, China compromised the Peace Palace website to serve an Adobe Flash exploit to its visitors, sending a message to the Philippines and the world that the waters around the Philippines belong to China.
The payload used the legitimate Google Chrome Frame Helper executable to load a malicious DLL, dbghelp.dll, placed alongside it (DLL side-loading).
You can read more about the story by visiting:
https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-belong-to-us/
Wednesday, February 3, 2016
BlackEnergy and KillDisk Attacks
As you may have heard from the news, part of Ukraine lost power on December 23, 2015, and the outage was linked to malware called BlackEnergy. BlackEnergy was not developed overnight; it was already being used against Ukrainian government systems in 2014.
The infection method was simple: the attackers sent an e-mail with a sender address that looked like it came from the Ukrainian parliament, carrying an attachment. The attachment was a Microsoft Excel document that asked the user to enable macros, and running the macro infected the machine with the BlackEnergy trojan. A destructive component called KillDisk then corrupted files to make the system unbootable, and it can also wipe the traces the attack left behind.
It is a good thing that this attack, and some of the damage it can cause, was observed and documented. We should use it as an example when building strategy and intelligence to prevent loss of power in any country.
read more: http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/
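The delivery step described above (an Excel attachment that asks the user to run a macro) is the part a mail gateway can check mechanically. The following is an added example, not code from ESET's analysis: a Python triage function that inspects attachment bytes rather than trusting the file extension, flags OOXML documents that carry a VBA project part, and routes legacy OLE2 binaries (.xls/.doc) to deeper inspection with a tool such as oletools' olevba. The sample attachments and their names are constructed in memory and are not real workbooks or real lure files.

```python
"""Attachment triage for macro-bearing Office documents. Added example.
OOXML (.xlsm/.docm) is a zip whose VBA code lives in a vbaProject.bin part;
legacy .xls/.doc is an OLE2 compound file and needs an OLE parser."""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML and any other zip
MACRO_FREE_EXT = (".xlsx", ".docx", ".pptx")       # extensions that should never carry VBA


def classify_attachment(name, data):
    """Return (verdict, detail). Decides on content first, extension second."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-office-inspect", "OLE2 compound file; enumerate VBA with olevba"
    if not data.startswith(ZIP_MAGIC):
        return "other", "not an Office container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "malformed", "zip signature but unreadable archive"
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    is_office = "[Content_Types].xml" in names
    if vba_parts:
        if name.lower().endswith(MACRO_FREE_EXT):
            return "macro-document-mismatch", "VBA inside %s: %s" % (name, ", ".join(vba_parts))
        return "macro-document", "VBA project part: " + ", ".join(vba_parts)
    if is_office:
        return "office-no-macro", "OOXML without a VBA part"
    return "zip", "ordinary zip archive"


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns the names to quarantine."""
    hold = {"legacy-office-inspect", "macro-document", "macro-document-mismatch", "malformed"}
    return [name for name, data in attachments if classify_attachment(name, data)[0] in hold]


def build_ooxml(with_macro):
    """Construct a minimal OOXML-shaped zip for the demo (not a valid workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # VBA storage is itself OLE2
    return buf.getvalue()


# Constructed mailbox: a macro lure, a clean sheet, a legacy binary, a PDF.
MAILBOX = [
    ("parliament_statement.xlsm", build_ooxml(True)),
    ("budget.xlsx", build_ooxml(False)),
    ("report.xls", OLE2_MAGIC + b"\x00" * 504),
    ("agenda.pdf", b"%PDF-1.4\n%constructed\n"),
]

if __name__ == "__main__":
    for name, data in MAILBOX:
        print(name, *classify_attachment(name, data))
    print("quarantine:", triage(MAILBOX))
```

The legacy .xls path is the one that mattered in this campaign: a binary workbook gives no cheap structural hint about macros, so the only safe gateway policy is to hand every OLE2 attachment to a real VBA extractor (or block the format outright) instead of guessing from the name.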
Sunday, January 31, 2016
OpenDNS Smarter Cloud Proxy: Umbrella
There are many types of threats, such as malware, viruses, and phishing. Sometimes these threats are hosted on servers that serve both bad and good domains. One way to avoid them is to route all connections through a proxy server that filters out the threats. However, attacks that use different protocols and strategies can fool the proxy and slip through.
OpenDNS offers a solution, Umbrella, which it calls the first security-focused intelligent proxy. Umbrella uses its security graph to identify connections to threats like those mentioned above and blocks them right away. If Umbrella has doubts about a connection, it flags it and sends it through more rigorous checks, and it does all this without sacrificing performance.
Read more at: https://www.opendns.com/enterprise-security/threat-enforcement/features/intelligent-proxy/
Sunday, January 24, 2016
Agriculture Sector is not safe from Cyber threats
You might think of the agriculture sector as labor-intensive work, but that has changed with recent advances in technology. Nowadays there are satellite-guided tractors and algorithm-driven planting services. Climate Corp, owned by Monsanto, was hacked in 2014 and much of its employees' confidential information was exposed. Beyond that, farmers have to worry about manipulation of data, the same data that tells them soil conditions and the expected crop yield based on past seasons. In 2014, only about one in twenty farmers knew whether the company storing their data had a plan for handling a security breach.
Monsanto has now turned to the government and to cyber security firms for help and knowledge to prevent these types of attacks from happening again.
Website:
http://www.homelandsecuritynewswire.com/dr20150220-u-s-farming-sector-increasingly-vulnerable-to-cyberattacks
Wednesday, January 20, 2016
Computer threats for 2016
- Extortion attacks: the attacker makes demands and, if they are not met, releases the stolen information to the public.
- Manipulation of data: the attacker gains access to a system and starts changing data rather than stealing it.
- Chip-and-PIN innovations: now that the USA is moving to chip cards to secure in-person transactions, fraud is expected to shift to cards used on phones and in online transactions.
- The rise of IoT zombie botnets: many devices can be attached to your IoT network, and if that network is attacked all of those devices come under the attacker's command.
- Backdoor attacks: attackers may break through the firewall and install a back door as a means of re-entering your system.
Here is the link that contains more details about the above attacks: