In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. It’s effective, and the lures appear targeted at those responsible for handling purchase orders and invoices. Here’s a breakdown of the types of emails we’ve observed phishing employees and inserting trojans into user devices.
In the first of a two-part blog series, The Seven Deadly Sins of User Access Controls, my colleague Jean Gordon Kocienda provided fresh insights into overly-permissive user access controls as a common underlying cause of data breaches. In this blog, I address the solutions to those “Seven Deadly Sins” with a modern twist on the antiquity typically known as the “Seven Wonders.”
Information Security professionals need to address user access control in the context of today’s complex threats, coupled with a fast changing IT landscape. Long gone are the days of only a few with a need to know and key corporate assets being housed behind the enterprise perimeter. We have shifted to an agile, data-centric environment with increasing user populations who may also be third-party suppliers or contractors needing fast access to assets that were previously off limits. And, it’s not just massive volumes of data that need protecting; it’s access to critical work streams and transactions too.
Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit Kit with fileless exploits serving various malicious payloads.
The use of hijacked accounts lead to a larger research project into the use of hijacked registrant accounts. During this research the earliest examples were found from a 2011 campaign with sporadic usage until December 2014. Since December 2014 more than 75% of the subdomain activity has occurred indicating a major shift in approach. This behavior has been covered before which discussed some of the older campaigns as well as the hosting indicators (ASN) of the groups making use of the subdomains.
2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
If you’re an experienced malware reverse engineer, exploit developer, response specialist, intel analyst, or looking to start your career in security, Talos might be the place for you. We have a number of positions open in Columbia, Maryland; Austin, Texas; San Jose, California; and San Francisco, California. If you are open to relocation to one of those areas, have the right skills, and share some of our beliefs below then applying for one of our numerous positions might be for you.
For those not familiar with Talos, it is Cisco’s premier Threat Intelligence organization that supports all of Cisco’s security portfolio. Detecting and preventing threats that target Cisco customers is our job, and given Cisco’s security footprint and breadth of product portfolio we can engage those threats from Cloud to Core.
It does however, take a special type of individual to join Talos, so give the list below a look and see if your beliefs match up with our distinctive culture. Read More »