1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

7/29/2018

0 Comments

Fileless Cyberattacks: They're Getting More Widespread and They're Working

 
Fileless Cyberattack

Fileless Cyberattacks: They're Getting More Widespread and They're Working

Reports from Ponemon Institute and McAfee Labs have shown that fileless cyberattacks are getting more widespread and they're working.

What Are Fileless Cyberattacks?

Fileless cyberattacks, also known as zero-footprint attacks, refer to cyberattacks that are meant to evade detection by avoiding to install at one stage or another malicious software (malware) on the victims’ computers.

McAfee Labsreported that there’s a significant shift by some cyberattackers toward exploiting trusted Microsoft’s proprietary programs, rather than installing external malware, to attack computers or office computer networks.

In the Ponemon Institute’s study “The 2017 State of Endpoint Security Risk”, researchers found that 77% of successful cyberattacks in 2017 used fileless techniques. The study found that fileless attacks are almost 10 times more likely to succeed than file-based attacks.

The terms “fileless” and “zero-footprint” are misnomers. Fileless cyberattacks don’t mean that they’re exclusively fileless at every stage. For instance, the attack may start with the opening of a malicious file to a spam email and once the infection starts though, the attackers may shift to fileless techniques.

Attackers can also gain access to victims' computers by compromising the victims' computers filelessly at the beginning of the attacks, for instance, by exploiting a security vulnerability that's unpatched and then once access is achieved, external malware is then installed.

Fileless cyberattacks aren’t also necessarily “zero-footprint” because fileless cyberattacks do leave traces on the victims’ computers if one knows where to look.

There’s, however, justification to the name “fileless cyberattacks” as these attacks don’t exhibit the usual symptoms normally associated with malware infection on the computer disk. As they’re asymptomatic, they’re hard to detect and as such, traditional anti-virus solutions can’t detect them.

Instead of installing the malware into the computer disk, what a fileless attack does is embed the malware in scripts or install the malware into the computer memory and never gets copied to the disk, thereby bypassing endpoint security measures such as anti-virus, which typically rely on file input/output to detect threats.

Examples of Fileless Cyberattacks

Below are examples by which attackers infect victims’ computers filelessly:

1. Fileless Cyberattacks via Microsoft’s Windows PowerShell

One of the ways by which attackers infect victims’ computers filelessly is via Microsoft’s Windows PowerShell.

Microsoft’s Windows PowerShell is Microsoft’s task automation and configuration management framework. Available on Windows 7 onward, Microsoft PowerShell allows full access to Microsoft COM (Component Object Model) and Microsoft Windows Management Instrumentation (WMI). Attackers can access Windows features using Microsoft PowerShell.

One preventive measure in protecting Microsoft PowerShell from fileless cyberattacks is by setting it to "Restricted". According to McAfee Labs, attackers can easily get around this restriction by performing “remote execution of a script by directly executing it in memory to bypass endpoint security.”

System administrators bypass the Microsoft’s Windows PowerShell restriction, in the same manner, to execute commands on office computer networks from a remote location via the internet.

2. Fileless Cyberattacks via Microsoft’s Remote Desktop Protocol (RDP)

Another way by which attackers infect victims’ computers filelessly is via Microsoft’s Remote Desktop Protocol.

Microsoft’s Remote Desktop Protocol, just like Microsoft’s Windows PowerShell, is a proprietary software developed by Microsoft. And just like PowerShell which is primarily used by system administrators, Remote Desktop Protocol is also used by systems administrators to access other computers or office computer networks from a remote location via the internet.

Attackers gain access to victims' computers via Microsoft’s Remote Desktop Protocol by simply guessing their way past weak passwords or by using popular password cracking tools. McAfee Labsreported that thousands of these Remote Desktop Protocol login details (specifically for Windows XP through Windows 10 and Windows 2008 and 2012 Server) are sold online between $3 to $19.

Once attackers gain access to your organization’s computer network via Remote Desktop Protocol, they can do anything with it such as install any malware of their choice.

In both fileless cyberattacks via Microsoft Windows PowerShell and Microsoft Remote Desktop Protocol, once attackers gain access into victims’ computers, they’re viewed as system administrators, masking the identity of the attackers, allowing them to hide in plain sight.

3. PowerGhost

PowerGhost is a cryptocurrency mining malware – a malicious software that hijacks the processing power of victims’ computers. Kaspersky Lab first identified this malware.

This malware spreads across large corporate networks infecting both workstations and servers by using a number of fileless techniques, including Mimikatz, a hacking tool designed to siphon a Windows user's password out of the computer's memory.

PowerGhost propagates itself across the local network by launching a copy of itself via Microsoft’s Windows PowerShell and via the now-notorious EternalBlue exploit – a spy tool believed to be developed by the US National Security Agency (NSA) and leaked by the hacking group Shadow Brokers in April 2017. On March 14, 2017, a month before Shadow Brokers leaked the EternalBlue code, Microsoftreleased a security update or patch fixing the security vulnerability exploited by EternalBlue.

Prevention against Fileless Cyberattacks

As shown in the above-mentioned examples, attackers use a number of techniques for fileless attacks. Here are some of the preventive measures against fileless attacks:

  • Keep all your software up-to-date.

By keeping your software up-to-date, your organization’s computer network won’t be vulnerable against EternalBlue exploit.

  • Use complex passwords and two-factor authentication to prevent attackers’ entry.
  • Eliminate unlimited login attempts by timing out IPs or blocking or locking out users that have too many failed login attempts.
  • To prevent attackers’ entry via Microsoft’s Windows PowerShell, consider using Constrained Language Modeto limit PowerShell to basic functionality. This makes many fileless attacks via Microsoft’s Windows PowerShell unusable.

When you are looking to boost staff awareness and better protect your applications and infrastructure, get in touchand we will be happy to help.

0 Comments

7/15/2018

0 Comments

How to Prevent Departing Employees from Departing with Your Organization’s Data

 
employees departing with corporate data

How to Prevent Departing Employees from Departing with Your Organization’s Data

  • 85% said they took data they’ve created themselves and feel that is the right thing to do.
​The practice of departing employees departing with their employers’ data has recently been highlighted in the latest case that sprung from one of the biggest tech companies Apple.
 
A special agent at the Federal Bureau of Investigation (FBI) recently filed a criminal complaint before the US District Court for the Northern District of California against a former Apple employee, alleging that the former Apple employee who worked as a hardware engineer on the company’s autonomous vehicle development team stole trade secrets from the company. 
 
According to the FBI special agent, because of the former employee's role on Apple’s autonomous vehicle development project, he was granted broad access to secure and confidential internal databases containing trade secrets and intellectual property for the project.
 
After returning from a paternity leave, the said employee, according to the FBI special agent, resigned saying that he plans to move back to his home country and he also plans to work with another company also working in the field of autonomous vehicle technology.
 
The said employee turned over all Apple-owned devices and Apple's security then disabled his remote network access, badge privileges, network access and other employee accesses.
 
The criminal complaint revealed that data from Apple’s security team showed that days prior to his resignation, the former Apple employee’s network activity increased exponentially compared to the prior two years of his employment. On the evening two days prior to his resignation, the employee was shown via CCTV footage entering the autonomous vehicle software and hardware labs and leaving the building less than an hour later carrying a large box.
  
The criminal complaint also disclosed that in an interview with Apple security attorney and Apple employee relations representative, the accused former employee of Apple admitted downloading data to a non-Apple device, one that's owned by his wife, because he has "interest in platforms and wanted to study the data on his own." The accused also admitted to FBI agents of taking files from Apple’s autonomous vehicle development project and transferring the files to a non-Apple digital device, owned by his wife.
 
Files recovered from the non-Apple device included a 25-page document containing schematics for one of the circuit boards that form Apple's proprietary infrastructure technology for its autonomous vehicle development project. 
 
FBI agents arrested the said Apple's former employee at the San Jose International Airport as he was about to leave the country. 

Prevalence of Departing Employees Stealing or Leaking Corporate Data ​

The case filed against a former Apple employee is just one of the many cases of departing employees departing with their employers’ data.

In 2014, a Federal Court of Australia found sufficient evidence that a former employee of Leica Geosystems Pty Ltd copied 190,000 files from the company’s computers the day before he resigned. The files copied by the former employee included numerous source codes representing the core of the company’s intellectual property. The Federal Court of Australia ordered the said employee to pay AUD$50,000 to his former employer as fine for his misconduct.

In 2015, an employee of BlueScope, after learning she was to be terminated, downloaded 40 gigabytes of company documents. The company filed legal actions in the Federal Court of Australia and Singapore to stop the information falling into the hands of its competitors. BlueScope and the former employee reached a confidential settlement. The Federal Court of Australia, meanwhile, permanently restrained the BlueScope’s former employee from using the data that’s in her possession.

A survey conducted by Biscom showed the prevalence of departing employees departing with their employers’ data. The Biscom survey showed the following alarming findings:
  • 1 in 4 respondents said they took data when forced out of their job or when voluntarily leaving a company.
  • 15% of respondents said they’re more likely to take company data if they’re fired or laid off.
  • 85% said they took data they’ve created themselves and feel that is the right thing to do.
  • 25% reported taking data that they didn’t create when leaving a company.
Employee stealing corporate data

Data Leak Prevention

data theft and data leak prevention

1. Limit Employee Access to Data

Only give employees access to data needed to get their jobs done. For instance, engineers don’t need access to CRM systems.

2. Encrypt Critical Corporate Data

Ensure that critical corporate data, whether data is in-transit, at-rest and in-use, must be encrypted. Encryption ensures that even when there’s data breach, the data will remain useless.

3. Establish Regular IT Audits

While automated, preventative controls are the best defense, no technology is perfect. Establishing regular IT audits performed by an independent third-party will help you detect any outliers and detect data leaks and internal fraud early on. Such audits generally include

4. Require Appropriate Authentication for Critical Content

Accessing critical content must require not just a username and password but also multi-factor authentication. When critical content is being accessed, it also helps that approval must be secured first or an alert must be given to a compliance officer.

5. Regularly Monitor Network Activities

Unusual volume of downloaded data and non-office hours data access are examples of network activities that should be monitored. Said network activities are red flags for unauthorized activities and should be checked.

6. Keep Critical Data Offline

Don't store information vital to your organization, especially trade secrets, on any device that connects to the internet.

7. In-Person Data Security and Privacy Training

One of the means, though not a cure-all approach, of preventing departing employees from stealing corporate data is by providing an in-person data security training the moment the employee is hired.

One training session isn't enough. It's best to regularly remind employees about safeguarding company’s data by implementing a regular, formal cybersecurity awareness training. In addition to the in-person data security and privacy training, a confidentially or non-disclosure provision has to be included in the employment contracts.

8. Don’t Give Employees Administrator Privileges

Don’t give employees administrator rights for the company-supplied computers or devices. Giving them administrator privileges allows them to install malicious software (malware) that could lead to unauthorized access to information vital to your organization.

​When you need help with either establishing regular IT Audits or performing data leakage assessments, help is a phone call away. Contact us today and protect your business.
0 Comments

7/12/2018

0 Comments

DDoS Attacks: Protecting Your Business from Critical Disruption

 
GitHub DDoS attack

DDoS Attacks: Protecting Your Business from Critical Disruption

In March 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack ever recorded.

How big? 1.35 terabits of traffic was hitting GitHubeach second.

Still, GitHub was not without its defenses.

Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. They routed all incoming and outgoing traffic and scrubbed data, blocking all malicious packets responsible.

Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was able to get back on track after just five minutes of downtime.

If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.

A DDoS attack is a fairly cold-blooded attempt to disrupt a server, service or network’s standard operation by bombarding it with excessive traffic.

They incorporate a number of compromised computer systems to mount the attack, essentially overwhelming the target system and affecting genuine traffic.

GitHub had been targeted before, with an attack lasting for six days in 2015.

A company or organization’s website can be severely affected by a DDoS attack, potentially costing them lots of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 millionin 2017.

Research highlights just how common DDoS disruptions are for many companies. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack. DDoS disruption was estimated to cost target businesses as much as $100,000 per hour.

These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.

Effective cybersecurity and preparation have never been more vital. Every cent available must be channeled into reinforcing your business against potential threats.

Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:

Get to know the symptoms

Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.

There is no real warning for a DDoS attack, though. While some hackers may issue threats, there will generally be nothing other than the assault itself.

As you might not browse your own website much on a day to day basis, it may not be until customers begin complaining about its performance than the warning bells start to sound.

However, certain other clues will tip you off:

  • Your server delivers a 503 because of service outages
  • Your employees / colleagues may notice slowness or connectivity issues if you depend on the same system for your internal software
  • Excessive requests from one IP
  • Unusually large amounts of traffic without reason and at odd times

The earlier you’re able to spot the warning signs, the sooner you can start to act.

Have a plan

Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.

Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.

Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.

Know how to prioritize

You will only have limited access to your system during a DDoS attack. Make sure you focus on keeping the most high-value services and applications running to preserve as much ‘normal’ function as possible.

Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.

Pay attention to your network security

Conducting security audits on your network on a regular basis is an effective way to keep your system protected.

Take a close look at the strength of passwords (particularly for the most vulnerable areas), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up to date versions? Have any known security risks come to light with an application you’re using?

A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.

Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.

Turn to the professionals

Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.

Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.

Hiring a professional cybersecurity firmto defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.

Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact ustoday to protect your organization.

0 Comments

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit