I have been writing about email security for nearly 25 years (or more, depending on how you count things). Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that the state of secure Internet email standards and products is best described as a sucking chest wound.” We had the publisher print a blank page in the book to signify how bad email security was. Well, perhaps we are still the walking wounded, although at least today we have better tools.
Most recently, I wrote a piece for SilconANGLE entitled, Fixing email security: It’s still a rocky road ahead. It begins:
The foundational protocols for making email more secure and less of a threat have been in place for almost a decade, yet they remain mostly unused, poorly implemented and largely ineffective. A recent report from Sendlayer shows just how much of a problem that is.
Thomas Roccia has written an interesting book called Visual Threat Intelligence that is both unusual and informative for security researchers of all experience levels. He is a Senior Security Researcher at Microsoft’s Threat Intelligence group, and the founder and curator of Unprotect.it, a database of malware evasion techniques.
Think of it as both a reference guide as well as a collection of carefully curated tools that can help infosec researchers get smarter about understanding potential threats (such as YARA, Sigma, and log analyzers) and the ways in which criminals use them to penetrate your networks.
For threat intel beginners, he describes the processes involved in breach investigation, how you gather information and vet it, and weigh various competing hypotheses to come up with what actually happened across your computing infrastructure. He then builds on these basics with lots of useful and practical methods, tools, and techniques.
One chapter goes into detail about the more notorious hacks of the past, including Stuxnet, the 2014 Sony hack, and WannaCry. There are timelines of what happened when, graphical representations of how the attack happened (such as the overview of the Shamoon atttack shown here), mapping the attack to the diamond model (focusing on adversaries, infrastructure, capabilities, and victims) and a summary of the MITRE ATT&CK tactics. That is a lot of specific information that is presented in a easily readable manner. I have been writing about cybersecurity for many years and haven’t seen such a cogent collection in one place of these more infamous attacks.
Roccia also does a deeper dive into his own investigation of NotPetya for two weeks during the summer of 2017. “It was the first time in my career that I fully realized the wide-ranging impact of a cyberattack — not only on data but also on people,” he wrote.
The book’s appendix contains a long annotated list of various open source tools useful for threat intel analysts. I highly recommend the book if you are interested in learning more about the subject and are looking for a very practical guide that you can use in your own investigations.
One of the most powerful pieces of malware began with the efforts of three American teens who were motivated by playing “Minecraft” in 2014. Called Mirai, it would go on to crash Germany’s largest internet provider, knock Dyn’s Domain Name System servers offline and disrupt all of Liberia’s internet connections.
In my post for SiliconANGLE today, I discuss how Mirai exposed the soft underbelly of IoT security, which often has hard-coded default passwords that make them easy to compromise and subsequently control in a DDoS attack. It is a hard problem to enumerate all of these devices, update them and change their default passwords where that’s even possible.
The class of malware called infostealers continues to evolve into a more lethal threat. These threats are software that can steal sensitive data from a victim’s computer, typically login details, browser cookies, saved credit cards and other financial information. Unfortunately, criminals continue to enhance this malware genre, and two new reports released this week document their latest efforts. I describe what is new and how to recognize this attack method in my latest post for SiliconANGLE.
When evaluating managed security service providers (MSSPs), companies should make sure that web application security is part of the offering – and that a quality DAST solution is on hand to provide regular and scalable security testing. SMBs should evaluate potential providers based on whether they offer modern solutions and services for dynamic application security testing (DAST), as I wrote for the Invicti blog this month.
Whether companies are repatriating their cloud workloads back on-premises or to colocated servers, they still need to protect them, and the market for that protection is suddenly undergoing some major changes. Until the past year or so, cloud-native application protection platforms, or CNAPPs for short, were all the rage. Last year, I reviewed several of them for CSOonline here. But securing cloud assets will require a multi-pronged approach and careful analysis of the organization’s cloud infrastructure and data collections. Yes, different tools and tactics will be required. But the lessons learned from on-premises security resources will point the way toward what to do in the cloud. More of my analysis can be found in this piece for SiliconANGLE.
We seem to be in a trust deficit these days. Breaches – especially amongst security tech companies – continue apace. Ransomware attacks now have spread to data hostage events. The dark web is getting larger and darker, with enormous tranches of new private data readily for sale and criminal abuse. We have social media to thank for fueling the fires of outrage, and now we can self-select the worldview of our social graph based on our own opinions.
In this story for SiliconANGLE, I discuss the decline of digital trust and tie it to a new ISACA survey and a new effort by the Linux Foundation to try to document and improve things.
The Securities and Exchange Commission proposed some new guidelines last year to promote better cybersecurity governance among public companies, and one of them tries to track the cybersecurity expertise of the boards of directors of these companies. Judging from a new study conducted by MIT Sloan cybersecurity researchers and recently published in the Harvard Business Review, it might work — though it also might backfire. In this analysis for SiliconANGLE, I discuss the pros and cons of these regs.
The shopping cart malware known as Magecart is still one of the most popular tools in the attacker’s toolkit — and despite efforts to mitigate and eradicate its presence, it’s the unwanted gift that just keeps on giving.
In this post for SiliconANGLE, I describe the latest rounds of attacks and ways that you can try to stop them.
Earlier this year, the Biden White House released its National Cybersecurity Strategy policy paper. Although it has some very positive goals, such as encouraging longer-term investments in cybersecurity, it falls short in several key areas. And compared with what is happening in Europe, once again the U.S. is falling behind and failing to get the job done.
The paper does a great job outlining the state of cybersecurity and its many challenges. What it doesn’t do is set out specific tasks or how to fund them. I analyze the situation for SiliconANGLE here.