Thinking about threat hunting by using terms from the MITRE’s ATT&CK Matrix to frame the context and guide what you can and cannot see within your environment.

Vectra now integrates with Amazon Virtual Private Cloud (VPC) Ingress Routing and that our AI platform is currently available in the AWS Marketplace.

By analyzing data in the 2019 Black Hat Edition of the Attacker Behavior Industry Report from Vectra, we determined that RDP abuse is extremely prevalent in the real world. 90% of the organizations where the Cognito platform is deployed exhibited some form of suspicious RDP behaviors from January-June 2019.

For the second year in a row, we conducted the Vectra superhero survey at Black Hat. The survey is a quick six-question poll that helps us understand the current cloud adoption and top-of-mind concerns of attendees.

Modern ransomware has been heavily weaponized, has a sweeping blast radius and is a staple tool in the attacker’s arsenal. In a call to arms, cloud and enterprise organizations everywhere are scrambling to detect and respond early to ransomware attacks.

Tens of thousands of hackers and security researchers congregate in Las Vegas to participate in one of the largest hacker conventions in the world. Many of them are out to hack your device and put you on the infamous Wall of Sheep.

Most sessions on the internet today are encrypted. By any measure, more than half of all internet traffic uses TLS to encrypt client/server communication.

Vectra announced a close-knit development partnership with Amazon, beginning with the integration of its Cognito platform in AWS environments.

There are multiple phases in an active cyberattack and each is a perilous link in a complex kill-chain that gives criminals the opportunity to spy, spread and steal critical information in native and hybrid cloud workloads and user and IoT devices.

As the transformation of healthcare through new medical technology continues to move forward, healthcare organizations must remain mindful about what technologies are in place, how they are utilized, and when unauthorized actions occur.

Today, I am thrilled to share the news that Vectra has completed a $100 million Series E funding round led by TCV, one of the largest growth equity firms backing private and public technology companies.

Vectra customers and security researchers respond to some of the world’s most consequential threats. And they tell us there’s a consistent set of questions they must answer when investigating any given attack scenario. Starting with an alert from Cognito Detect, another security tool, or their intuition, analysts will form a hypothesis as to what is occurring.

The collection and storage of network metadata strikes a balance that is just right for data lakes and SIEMs. Metadata enables security operations teams to craft queries that interrogate the data and lead to deeper investigations.

Attackers intent on stealing personally-identifiable information (PII) and protected health information (PHI) can easily exploit gaps in IT security policies and procedures to disrupt critical healthcare-delivery processes.

When considering how to equip your security teams to identify lateral movement behaviors, we encourage the evaluation of the efficacy of your processes and tools to identify and quickly respond to the top 5 lateral movement behaviors that we commonly observe.

There is a new breed of SIEM-less security architecture that allows companies to leverage intelligent people with general IT experience to become the next-generation of security analysts.

The United States has not been hit by a paralyzing cyberattack on critical infrastructure like the one that sidelined Ukraine in 2015. That attack disabled Ukraine's power grid, leaving more than 700,000 people in the dark.

But the enterprise IT networks inside energy and utilities networks have been infiltrated for years. Based on an analysis by the U.S. Department of Homeland Security (DHS) and FBI, these networks have been compromised since at least March 2016 by nation-state actors who perform reconnaissance activities looking industrial control system (ICS) designs and blueprints to steal.

It’s me again – Cognito. As always, I’ve been hard at work with Vectra to automate cyberattack detection and threat hunting. Recently, we made an alarming discovery: hackers are using hidden tunnels to break into and steal from financial services firms!

Clearly, this is serious business if it involves bad guys targeting massive amounts of money and private information. But what exactly are we dealing with? Let’s dig into what hidden tunnels are and how I find them to uncover the answer.

While ransomware attacks like NotPetya and WannaCry were making headlines (and money) in 2017, cryptocurrency mining was quietly gaining strength as the heir apparent when it comes to opportunistic behaviors for monetary gain.

Traffic sent to and from major internet sites was briefly rerouted to an ISP in Russia by an unknown party. The likely precursor of an attack, researchers describe the Dec. 13 event as suspicious and intentional.

According to BGPMON, which detected the event, starting at 04:43 (UTC) 80 prefixes normally announced by several organizations were detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.

As enterprises migrate to the cloud, strong perimeter defenses are not enough to stop cyber attackers from infiltrating the network. Together, Gigamon and Vectra enable organizations to gain network visibility and automate threat management - providing continuous monitoring of network traffic to pinpoint cyber attacks that evaded perimeter defenses.

Chris Morales, Head of Security Analytics at Vectra joins us to discuss what challenges he sees customers facing when moving to Amazon Web Services (AWS) and how Gigamon and Vectra can help them.

In the fight against cyber-attacks, time is money. According to the Ponemon institute, the average cost of a data breach is $3.62 million. Reducing the time to detect and time contain an incident can significantly mitigate the cost of a breach, and possibly prevent it.

Maturity level and effectiveness are two of the most important measurements of SOC performance. Maturity reflects an enterprise’s development level regarding its approach to managing cybersecurity risk, including risk and threat awareness, repeatability, and adaptiveness. Effectiveness is a measurement of the SOC’s ability to detect and respond to an incident as it happens.

We conducted a survey.

We are seeing another outbreak of ransomware that appears to be a combination of previous other ransomware campaigns. As is always the case, criminal gangs learn from each other.

Petya was successful in 2016 using email attack campaigns and a ransomware-as-a-service business model. Wannacry introduced new worm propagation techniques proving highly successful in hitting thousands of systems in a short time span last month.

What just happened?

A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

Kaspersky labs reported on Friday afternoon that at least 45,000 hosts in 74 countries were infected. Avast put the tally at 57,000 infections in 99 countries. All this, during just 10 hours. Of those infected hosts, Russia, Ukraine and Taiwan were the top targets.

Confusion reigns on the origin of the term "bullseye." Some say it started when English archers showed off their accuracy by shooting arrows through the empty eye socket of a bull skull. Others contend it was a reference to a blemish in the center of a glass window pane.

This blog was originally published on LinkedIn.

Vendors who are trapped in a time warp often tout traffic flow analysis as a great way to detect and analyze behavior anomalies inside networks. I have a problem with that because it’s decades-old technology dressed in a new suit.

It seems like a new variant or victim of ransomware is in the news every day. It’s newsworthy because it works so well and causes widespread destruction.

So when the recent wave of stories hit about PetrWrap, a variation of the widely known Petya ransomware strain, it was easy to miss the significance. The “no-honor-among-thieves” narrative crowded out its true importance.

This blog was originally published onMedium.

Growing up in Kenya, I shared a one-bedroom apartment with my family. In fact, I slept in the laundry/storage room in the constant presence of family laundry and stacks of suitcases. You might say I’ve been sensitive to the invasive presence of others from an early age.

Integration decreases cost and increases effectiveness. For this reason, Vectra is adaptive by design. Everything we do considers how to help our customers be more efficient and faster at fighting attacks. Sometimes it involves determining where to deliver sophisticated threat intelligence beyond the Vectra. Working with Splunk is a great example of this integration.

According to Gartner, “The goal is not to replace traditional SIEM systems, but rather to provide high-assurance, domain specific, risk-prioritized actionable insight into threats, helping enterprises to focus their security operations response processes on the threats and events that represent the most risk to them."

Saudi officials recently warned organizations in the kingdom to be on the alert for the Shamoon 2 malware, which cripples computers by wiping their hard disks. In 2012, Shamoon crippled Saudi Aramco and this new variant was reportedly targeted at the Saudi labor ministry as well as several engineering and manufacturing companies.

During a recent analysis, Vectra Networks came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents.

As long as I can recall, enterprises have always relied on prevention and policy-based controls for security, deploying products such as antivirus software, IDS/IPS and firewalls.

But as we now know, and industry research firms have stated, they aren’t enough to adequately deal with today’s threat environment, which is flooded by a dizzy array of advanced and targeted attacks.

Shamoon is back, although we are not entirely sure it ever left.

On Monday, Saudi Arabia warned organizations in the kingdom to be on alert for the Shamoon virus, which cripples computers by wiping their disks. The labor ministry said it had been attacked and a chemicals firm reported a network disruption. This has been dubbed Shamoon 2 by some news outlets.

Here is a simple explanation of what is likely to be happening.

The adversary is using a combination of social engineering and email phishing to infect one or a number of computers on an organization’s networks. Either downloading a file or clicking a link downloads an exploit kit.

The computers infected with the exploit kit rapidly perform port sweeps across the subnet to which hosts are connected. Using automated replication, it then attempts to move laterally via remote procedure calls (RPCs). To cover an organization’s entire network, the adversary needs to infect machines on many subnets.

Shamoon 2, like Shamoon that struck Saudi Aramco in 2012, moves extremely fast with the sole objective of destroying systems and bringing businesses to their knees.

Healthcare organizations are prime targets of cyber attackers because they are reliant on vulnerable legacy systems, medical IoT devices with weak security and have a life or death need for immediate access to information.

This blog was originally published on The Hill.

If I didn’t deal daily with the mechanics of cybersecurity, I might be captivated by Washington’s focus on whether the Russians penetrated the Democratic National Committee and why they did it. As a citizen, I follow politics and geopolitics, too.

But here’s what bothers me:

The hacking tools identified by the FBI and Department of Homeland Security are freely available on the internet. The Russians can use them. So can the Iranians, the Chinese, the North Koreans and any other nation-state which wants to penetrate the networks that serve our political parties and government. There is nothing special or even uniquely “Russian” about them. And they often work.

I am not surprised that such common tools are employed against us. We should expect it. In the cybersecurity business we know the focus should be on our ineffective defense, rather than on finding the guilty country.

Whoever got inside the DNC networks had seven months to plumb about, pilfer embarrassing material, package it for shipping and make off with it, all without detection. The DNC had no way to detect the penetration while it was happening.

Why not? After all, the technology to spot and interrupt hacking while it is in progress exists. We can literally watch hackers and their tools move around inside our networks, probing our vulnerabilities, locating our most sensitive data and setting up private tunnels to take it out of our systems.

This is a prediction made by Gartner analyst Avivah Litan in her latest blog entry, The Disappearing UEBA Market. Of course it caught our attention here at Vectra. We are not a standalone UEBA company, nor do we want to be. First and foremost, we are an AI company that empowers threat hunters. But we often find ourselves in this discussion with people who believe UEBA alone will solve the world's problems (and possibly make coffee in the morning, too).

When asked a poorly bounded question such as “What is the biggest threat to Internet security?”, the majority of quick-fire answers can likely be represented by the flags of a handful of nation states. Certainly the front-of-mind answer – identifying a cluster of hackers – represents a constant and escalating threat to business continuity and potential compromise.

Yet, if we introspectively examine the nature of our industry, we can easily argue that the biggest risk that Internet security faces is in fact our general inability to respond and counter the attackslaunched by adversaries from around the world.

It is estimated that today there are over 1 million InfoSec positions unfilled – growing to over 1.5 million by 2019 – and more than 200,000 of those vacancies are in the U.S. This global shortage of expertise and experience lies at the very heart of the InfoSec world’s ability to respond to cyber attacks – affecting vendors and consumers alike.

Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.

The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.

In extending the Vectra cybersecurity platform to enterprise data centers and public clouds, we wanted to do more than simply port the existing product into a virtualized environment. So, Vectra security researchers, data scientists, and developers started with a fresh sheet of paper to address the real-world challenges and threats that are unique to the enterprise data centers and clouds.

Visibility and intelligence that spans the enterprise

First, it was important to remember that the data center can be both integrally connected, yet in some ways separated from the physical enterprise. For example, attacks can spread from the campus environment to the data center environment, and security teams absolutely need to know how these events are connected. On the other hand, 80% of data center traffic never leaves the data center, making it invisible to traditional security controls.

While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

It is likely self-evident to many that the security industry’s most overused buzzword of the year is “machine learning.” Yet, despite the ubiquity of the term and its presence in company marketing literature, most people – including those working for many of the vendors using the term – don’t actually know what it means.

“Without knowledge, action is useless, and knowledge without action is futile.”-Abu Bakr

Printers present an interesting case in the world of IoT (Internet of Things), as they are very powerful hardware compared to most IoT devices, yet are not typically thought of as a “real” computer by most administrators. Over the years, many security researchers have studied and reported on printer vulnerabilities. However, the vast majority of this research focused on how to hack the printer itself in order to do things such as change the display on the printer or steal the documents that were printed. In this case, we investigate how to use the special role that printers have within most networks to actually infect end-user devices and extend the footprint of their attack within the network.

Network-based malware detection addresses increasing complexity in the malware ecosystem but doesn’t make attribution a key priority.

Conventional wisdom about malware infection paints a picture that hapless users click on something they shouldn’t, that in turn takes their Web browsers to a drive-by-download website. It then exploits a vulnerability to install a botnet agent that eventually steals all their personal data and uploads it to cybercriminals in another country.

That conventional wisdom isn’t completely wrong, but it needs some serious updating. Today’s malware infections are more typically multi-stage events, wherein a user visits a favorite website with a banner advertisement supplied by a third-party ad network that was supplied by an affiliate ad network.

Ransomware, encryption and machine learning – Three key takeaways from Infosecurity 2016

Last week was a long one. Vectra participated for the first time at Infosecurity Europe in London. Now that my feet have recovered from our very busy booth I thought I shared a few of the recurring themes I noticed at the show.

Ransomware. Definitely the threat de rigueur with vendors coming at the problem from various angles, including DNS management and client based solutions. Vectra was part of the buzz too, offering a network-centric approach with our newly announced ransomware file activity detection.

Insights from inside the kill chain. This week we are proud to announce the release of the third edition of the Vectra Post-Intrusion Report. And while there are plenty of reports from security vendors out there, this one provides something that is unique.

The ongoing Apple versus the FBI debate has me thinking more about the implications of encryption. Whether or not national governments around the globe choose to go down the path of further regulating encryption key lengths, requiring backdoors to encryption algorithms, mandating key escrow for law enforcement purposes, or generally weakening the implementations of encrypted communications and data storage in consumer technologies, the use of encryption will increase – and in parallel – network visibility of threats will decrease.

In light of Apple’s response to the FBI’s request to gain access to San Bernardino shooter Syed Farook’s iPhone, I thought I would share some of my thoughts on this. It appears that there is some confusion in the connection of this request from the FBI with the bigger government debate on providing backdoors and encryption.

Let me attempt to break this down a little in the hopes of clearing some of that confusion:

• Apple has positioned the request from the FBI to be a request to install a “backdoor” in their product. This is not correct. The FBI request is pretty specific and is not asking for a universal key or backdoor to Apple products.

• The FBI request should be interpreted as a lawful request to Apple to help construct a forensics recovery tool for a specific product with a unique serial number.

• The phone in question is an Apple 5C, and the method of access requested by the FBI is actually an exploitation of a security vulnerability in this (older) product. The vulnerability does not exist in the current generation of Apple iPhones.

In the rapidly expanding world of threat intelligence, avalanches of static lists combine with cascades of streaming data to be molded by evermore sophisticated analytics engines the output of which are finally presented in a dazzling array of eye-candy graphs and interactive displays.

For many of those charged with securing their corporate systems and online presence, the pressure continues to grow for them to figure out some way to incorporate this glitzy wealth of intelligence into tangible and actionable knowledge.

It seems that this last holiday season didn’t bring much cheer or goodwill to corporate security teams. With the public disclosure of remotely exploitable vulnerabilities and backdoors in the products of several well-known security vendors, many corporate security teams spent a great deal of time yanking cables, adding new firewall rules, and monitoring their networks with extra vigilance.

It’s not the first time that products from major security vendors have been found wanting.

It feels as though some vendor’s host-based security defenses fail on a monthly basis, while network defense appliances fail less frequently – maybe twice per year. At least that’s what a general perusal of press coverage may lead you to believe. However, the reality is quite different. Most security vendors fix and patch security weaknesses on a monthly basis. Generally, the issues are ones that they themselves have identified (through internal SDL processes or the use of third-party code reviews and assessment) or they are issues identified by customers. And, every so often, critical security flaws will be “dropped” on the vendor by an independent researcher or security company that need to be fixed quickly.

The Internet is chock full of really helpful people and autonomous systems that silently probe, test, and evaluate your corporate defenses every second of every minute of every hour of every day. If those helpful souls and systems aren’t probing your network, then they’re diligently recording and cataloguing everything they’ve found so others can quickly enumerate your online business or list systems like yours that are similarly vulnerable to some kind of attack or other.

Cybersecurity is a rapidly evolving landscape and this new year will be no different. Attackers will come up with new ways to infiltrate corporate networks and businesses, security vendors will be tasked with staying ahead of them, and governments will talk a lot, yet do very little. Here are some of the ways we see the industry changing shape over the course of 2016:

Today, Vectra researchers were again credited with discovering critical vulnerabilities that impact the security of Adobe Reader, VBScript, and Internet Explorer.

I attended the Gartner Security and Risk Management Summit in London on Sept. 14 and 15 and would like to share some key takeaways from presentations by analysts Earl Perkins, Jeremy D’Hoinne and Neil MacDonald. The following are messages that resonated with me:

Big data is around us. However, it is common to hear from a lot of data scientists and researchers doing analytics that they need more data. How is that possible, and where does this eagerness to get more data come from?

Very often, data scientists need lots of data to train sophisticated machine-learning models. The same applies when using machine-learning algorithms for cybersecurity. Lots of data is needed in order to build classifiers that identify, among many different targets, malicious behavior and malware infections. In this context, the eagerness to get vast amounts of data comes from the need to have enough positive samples — such as data from real threats and malware infections — that can be used to train machine-learning classifiers.

Is the need for large amounts of data really justified? It depends on the problem that machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should always be associated with the choice of features that are used.

Introduction

Recently, it came to our attention that HP DVLabs has uncovered at least tenvulnerabilitiesin the Belkin N300 Dual-Band Wi-Fi Range Extender (F9K1111). In response to this, Belkin released firmware version 1.04.10. As this is the first update issued for the F9K1111 and there were not any public triggers for the vulnerabilities, we thought it would be interesting to take a deeper look.

Unpacking the Update

To begin our analysis, we downloaded the firmware update from the vendor [1]. We used a firmware tool called binwalk [2]to unpack the update:

Summary

On July 6th, information spread that the Italian company known as the Hacking Team were themselves the victims of a cyber attack. In the aftermath of this leak, Vectra researchers have analyzed the leaked data, and identified a previously unknown vulnerability in Internet Explorer 11 that impacts a fully patched IE 11 on both Windows 7 and Windows 8.1.

The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability.

While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.

Today, Vectra Networks published its second edition Post-Intrusion Report that offers a first-hand look at modern threats that get past perimeter security and spread inside the network.

In the latest report, we analyzed behaviors and techniques across the entire lifecycle of real-world cyber attacks. We also looked back and saw alarming changes in the threat landscape and observed emerging trends in attack techniques.

Recently, Kasperky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.

The original Duqu threat actor was a family of malware that most researchers believe was created by a nation-state and it’s related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.

Let’s take a look at some of these trends and what they may mean for information security.

The study shows that 62% of respondents saw more insider threats over the past year, but only 34% expect to get more budget to address the problem. Underscoring this problem, 68% feel vulnerable and less than half feel they have appropriate control over insider threats.

In big-data discussions, the value of data sometimes refers to the predictive capability of a given data model and other times to the discovery of hidden insights that appear when rigorous analytical methods are applied to the data itself. From a cybersecurity point of view, I believe the value of data refers first to the "nature" of the data itself. Positive data, i.e. malicious network traffic data from malware and cyberattacks, have much more value than some other data science problems. To better understand this, let's start to discuss how a wealth of network traffic data can be used to build network security models through the use of machine learning techniques.

The main reason behind the rising popularity of data science is the incredible amount of digital data that gets stored and processed daily. Usually, this abundant data is referred to as "big data" and it's no surprise that data science and big data are often paired in the same discussion and used almost synonymously. While the two are related, the existence of big data prompted the need for a more scientific approach– data science– to the consumption and analysis of this incredible wealth of data.

Until recently, using the terms “data science” and ”cybersecurity” in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been based on signatures – relying on matches to patterns identified with previously identified malware to capture attacks in real time. In this context, the use of advanced analytical techniques, big data and all the traditional components that have become representative of “data science” have not been at the center of cybersecurity solutions focused on identification and prevention of cyber attacks.

This is not surprising. In a signature-based solution, any given malware or new flavor of it needs to be identified, sometimes reverse-engineered and have a matching signature deployed in an update of the product in order to be “detectable.” For this reason, signature-based solutions are not able to prevent zero-day attacks and provide very limited benefit compared to the predictive power offered by data science.

The recent Superfish debacle is yet another reminder that as security professionals we live in an inherently post-prevention world. Increasingly everyone must assume that despite all our best efforts, users on our networks are may already compromised. While the focus is often on the many ways that a user can be infected with malware, Superfish is a reminder that a device can be compromised before it ever comes out of the box.

As a quick recap, Superfish is software that acts as an SSL man-in-the-middle in order to control the ads a user sees while browsing the Web – it’s “adware” which pretends to provide a service you would want. To break SSL encryption without triggering a browser warning, Superfish installs a signed root certificate on the machine. More specifically, the software installs the exact same root cert on a series of laptops, and researchers (and attackers) are able to quickly extract the cert. Rob Graham at Errata Security provides a nice write-up on how he was able to do this.

Earlier today news broke that financial services firm Morgan Stanley had experienced an insider breach, which resulted in customer data being posted online. The breach was initially detected when data related to a portion of the firm’s wealth management clients was observed on Pastebin. Pastebin is a popular site for sharing text-based data, and while it is widely used for sharing code between developers, it has also long been a thriving marketplace for advertising and selling stolen data for everything from compromised user accounts, cracked passwords, credit card numbers, and in this case account data.

In the previous post, we examined the motivations and constraints that make an insider ‘malicious,’ and we saw that external and mental pressure, an opportunity to steal confidential information and rationalization of the potential theft are the factors that contribute for an insider to turn against his employer.

While these three factors are necessary triggers for becoming malicious, there is much more going on in an insider’s mind before, during and after an attack. What are the mental stages that a ‘turning’ insider goes through? And what are potential indicators for each stage?

In previous posts, we have discussed various types of insider threats that affect US government, companies and organizations in charge of critical infrastructure. We have discussed various insider attack patterns, but what are the motivations and constraints that make an insiderturn againsthis employer?

We have seen that so called ‘whistle blowers’ may act upon their own convictions and turn against their employer, but their numbers are very limited. As the majority of cases involves the theft of information and assets in an organization for own personal gain, what are the motivations and constraints in this case?

Today, we announced the new Community Threat Analysis for the Vectra X-series that puts your organizations key assets at the center of real-time investigations of Insider and targeted attacks.

2014 has been the year of the breach, and as a result companies are increasing their investment in cyber security. However, the majority of cyber security products focus exclusively on malware and external attacks, and are effectively blind to insider threats. At Vectra we believe that security should protect your most important assets regardless of whether the threat is from an external attacker or a malicious insider. You don’t get to choose your attacker, so why should your security solutions protect only against one type? Let’s take a closer look at why stopping the insider threat is crucial, and what Vectra can do to help.

While the reported $40 billion of insider threat losses for the US economy seem scary, many companies consider insider threats to be more like a ‘black swan’ event– highly visible, but extremely rare, abstract, and too hard-to-predict in order for it to constitute arealthreat. But it is the gray areas companies should be wary of.

In previous posts of this series, we described how companies are affected by malicious insider incidents, and what impact and cost these incidents might cause.Most think of highly publicized whistleblower cases such as Edward Snowden and Bradley Manning. Overall, these seem like natural disasters (e.g., earth quakes), you can take some precautions, but then you just hope it will not happen to you … and if it does, it will be disastrous (and you just have to accept it).

In addition, I often hear arguments from small and medium sized companies that they do not feel exposed to the insider threat because:

In the second post of this series, we looked at basic definitions of insider threat incidents and their impact on organizations. Now, let’s have a closer look at how malicious insider threat actions affect companies in the United States, and how companies can respond to these threats.

From the most recent consolidated data available on this subject, over 50% of organizations report having encountered an insider cyberattack in 2012, with insider threat cases making up roughly 23% of all cybercrime incidents.This percentage has stayed consistent over the prior couple of years, but the total number of attacks has increased significantly.

The result is $2.9 trillion in employee fraud losses globally per year, with $40 billion in losses due to employee theft and fraud in the US in 2012 alone.The damage and negative impact caused by insider threat incidents is reported to be higher than that of outsider or other cybercrime incidents.

Interestingly, in contrast to outsider attacks on networks, insider cyberattacks are under-reported. Only a few cases make it into public media or are even known to insider threat experts. Reasons for such under-reporting are insufficient damage or evidence to warrant prosecution, and concerns about negative publicity.The risk of revealing confidential data and business processes during investigations may be another reason why many companies don’t report and prosecute insider threat incidents.

In the previous post of this blog series, we discussed highly publicized whistleblower cases such as Chelsea Manning and Edward Snowden. While government agencies are ramping up their protections of data and infrastructure against these cases, what danger do malicious or negligent insiders constitute for organizations, including corporations and small businesses, and what kind of insider threats exist? Is your organization safe?

Let’s first look at a more formal definition of the malicious insider. According to the computer emergency response team (CERT) at CMU, a malicious insider is a current or former employee or contractor who deliberately exploited or exceeded his or her authorized level of network, system or data access in a way that affected the security of the organization’s data, systems, or daily business operations.

Insiders leaking information about secretive government practices and decision-making have had their impact on public opinion and United States policies in recent years, but are these leaks for the benefit of society, or do they push a hidden agenda? The most prominent example is Edward Snowden who leaked significant amounts of classified information from the National Security Agency (NSA) about its practices. On September 23, Edward Snowden received the Swedish human rights award, also referred to as the alternative Nobel prize, for his revelations in 2013. Snowden, who “blew the whistle,” got rewarded “for his courage and skill in revealing the unprecedented extent of state surveillance violating basic democratic processes and constitutional rights.”

On June 6th, Forbes reporter Kashmir Hill wrote about an NSF researcher who misused NSF-funded supercomputing resources to mine Bitcoin valued between $8,000 and $10,000. The article points to a student at London Imperial College and a researcher at Harvard University who are also alleged to have used their University’s computers to mine a similar virtual currency called Dogecoin.

As a CISO, your first reaction might be that inappropriate uses of your organization’s resources should be stopped, but this is probably not your highest priority. Someone using your computer(s) and network to mine virtual currency is a bit like someone charging his or her electric car from a power outlet on your home. Yes, they are using your electricity without permission or reimbursing you. However, they aren’t stealing something of high value and threatening your life or livelihood. Still, this is something we probably want to know about and stop if we can.

In infosec, the concept of “zero trust” has grown significantly in the last couple of years and has become a hot topic. A zero-trust architecture fundamentally distrusts all entities in a network and does not allow any access to resources until an entity has been authenticated and authorized to use that specific resource, i.e. trusted.

Since the early days of Vectra, we’ve been focused primarily on host devices. After all, hosts are the entities that generate the network traffic the Cognito platform analyses in looking for attacker behaviors.

In a previous blog, we spoke about the importance of security enrichments in your network metadata. These serve as the foundation for threat hunters and analysts to test and query against hypotheses during an investigative process.

Imagine having a security tool that thinks the way you teach it to think, that takes action when and how you have trained it to act. No more adapting your work habits to generic rules written by a third party and wondering how to fill in security gaps that the rules did not tell you about.

Recently, Vectra published the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which covers the period from January through June 2018. While there are plenty of threat-research reports out there, this one offers unique insights about real-world cyberattacker behaviors found in cloud, data center and enterprise networks.

In my last blog, I spoke about a financial customer performing pen testing and how I helped the blue team detect the red team as it carried-out an attack. I’m back again today with another story from the trenches.

This time, I’ve been working with a customer in the manufacturing sector who recently deployed me. As before, this customer prefers to remain anonymous to keep cybercriminals in the dark about their newly developed security capabilities. To stay on top of their game, they routinely run red team exercises.

This blog was originally published on LinkedIn.

The security industry is rampant with vendors peddling anomaly detection as the cure all for cyber attacks. This is grossly misleading.

The problem is that anomaly detection over-generalizes: All normal behavior is good; all anomalous behavior is bad – without considering gradations and context. With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.

Earlier this week I was at TEISS hosting a round table session titled “Artificial Intelligence – Fancy maths or a pragmatic answer to cyber security gaps and challenges?”

We explored human, threat, and technical dimensions to the current drivers and role of AI in cybersecurity. Here's a summary of our group's discussion.

Sen. John McCain, chairman of the Senate Armed Services Committee, held a hearing today with top intelligence officials on Russian cyber-attacks, after many remarks by President-elect Donald Trump called into question conclusions by U.S. intelligence community that Kremlin-backed hackers meddled in the 2016 election.

Mind the gap

87% of U.K. senior IT and business professionals believe there is a shortage of skilled cybersecurity staff, the same percentage of UK security leaders also want to hire CISSP credentialed staff into their teams. Nothing of real surprise in that there’s a gap; let’s fill it with demonstrable high calibre professionals, right? Well, not quite. That skills gap also includes a “CISSP” gap. With 10,000+ UK security positions out there but just over 5,000 UK CISSPs, the math simply doesn’t add up. We should also consider that credentials like CISSP demonstrate excellent existing domain knowledge but does not help hiring managers understand soft skills, attitudes and other characteristics that combine to form the overall “talent and capabilities” of a candidate.

A pragmatic approach is therefore to hire on traits such as adaptability, collaboration and innovation alongside evidence of requisite technical capabilities. After all, in a rapidly changing digital landscape you’re hiring for tomorrow’s battle not yesterday’s, so agility is essential. Today’s security teams need to be ready to handle the new risks, challenges and the increased pace of change that Internet of Things (IoT) [Read more on IoT security], cloud, mobility and social media all bring to the security challenge. The talent pool is limited, as are organisations' overall cyber security resources. It’s time to develop and support from within and broaden recruitment methodologies for those hard-to-fill open positions.

IDS has been around for decades and has long been a cornerstone of network security. But over the years, IDS was gradually absorbed by IPS, and IDS simply became thought of as a deployment option of IPS.

However, this subservient role of IDS in relation to IPS introduces a subtle but important compromise – detection takes a backseat to prevention. Because IPS is deployed in-line with network traffic, performance concerns are paramount. Prevention cannot slow the speed or flow of business, and that meant detections must be near-instantaneous.

The need to block threats within milliseconds locks IDS/IPS into using signatures for detections. While signatures can detect a wide variety of threats, they rely on the fast-pattern-matching of known threats.

Today’s cyber attackers are patient, as they infiltrate and steadily persist within an organization’s network over time. These long-term attacks require ongoing communication to orchestrate the various phases of attack.

By understanding how attackers conceal their communications, we can rob attackers of the persistence and coordination that makes modern attacks so successful.

For years, security professionals have become increasingly aware of the limitations of signatures. And yet for all this awareness, the industry is still focused on making signatures faster instead of addressing the fundamental problem.

Threat feeds deliver signatures faster and faster and malware sandboxes generate new signatures for newly discovered malware. Nonetheless, attackers continue to evade them and are wining at an ever-increasing rate.

As cyber attacks increase in frequency and complexity, organizations continue to invest in prevention-centric technologies to secure their network perimeter. However, prevention-centric technologies are less than perfect. They protect networks from known threats using a combination of security rules, signatures and reputation lists.

A critical component of today’s network perimeter security is the file-based sandbox.They were created to analyze suspicious files on isolated hosts – many with different operating systems – in a contained environment.

Updated June 3, 2015 11:00 AM(see details)

Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.

Keeping data from getting out into the wild or being damaged by cyber attackers is what keeps CISOs, the executive team and boards of directors up at night. To protect organizations, cybersecurity needs to be automated and real-time, it needs to learn contextually like we do and it needs to monitor for threats at every corner of the network in a way that organizations can afford without sacrificing coverage.

Periodically, articles are published highlighting the difficultyauthorities have investigating illegal activity on the Internet when the perpetrators make use of the anonymity that Tor provides.

Last week saw another such article appear in The Wall Street Journal, highlighting an operation that took down more than four hundred Web sites accessible only via Tor, which are essentially Tor “services”, arrested 17 people and confiscated plenty of Bitcoins associated with running these web sites. These web sites are referred to as “darknet marketplaces” and basically connect purveyors of illegal goods (e.g., drugs, guns) and services (e.g., contract killings) with people seeking these things. An August article in Wired spent more time detailing how the FBI goes about fighting the demand side of the problem – by infecting machines belonging to potential seekers of such goods and services via drive-by-downloads.

Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in loss of customer’s personal data and millions of dollars in revenue. We ask ourselves “who will be next?” – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.

The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organizations network once they evade perimeter defenses.

PAA enables SOC teams to monitor and defend against these types of attacks. In addition to our extensive models that detect command-and-control channels, this make the Cognito platform a powerful tool to combat evolving malware attacks against enterprises.

The Cognito threat detection and response platform from Vectra now seamlessly integrates AI-based threat hunting and incident response of Chronicle Backstory, a global security telemetry platform, for increased context during investigations and hunts and greater operational intelligence.

That’s why we are happy to announce the integration of Vectra Cognito automated threat detection and response platform with the Swimlane security orchestration, automation and response (SOAR) platform.

The integration of the Cognito network detection and response platform with the Forescout device visibility and control platform provides inside-the-network threat detection and response, a critical layer of defense in today’s security infrastructure.

The integration between the Cognito automated network detection and response platform and Check Point Next Generation Firewalls empowers security staff to quickly expose hidden attacker behaviors, pinpoint specific hosts involved in a cyberattack and contain threats before data is lost.

Acquiring a company is a massive undertaking and requires significant amount of planning and ideally flawless execution. Time is of the essence. The quicker an integration materializes, the faster the time to value.

The combination of network detection and response (NDR), endpoint detection and response (EDR) and log-based detection (SIEM) allows security professionals to have coverage across threat vectors from cloud workloads to the enterprise.

The rationale behind choosing a managed security services provider (MSSP) can be numerous, but one of the primary reasons is to overcome the cybersecurity skills shortage. Finding the right talent in cybersecurity and retaining skilled professionals once they’ve been trained is very difficult.

The time of separated networks – when you could safely keep tools for manufacturing, transportation, utilities, energy and critical infrastructure apart from your IT environment – is long gone.

Earlier this month, the Gartner Market Guide for Intrusion Detection and Prevention Systems (ID: G00385800)*, written by Gartner researchers Craig Lawson and John Watts, was published. The guide describes the market definition and direction of requirements that buyers should look for in their IDPS solution as well as the top use-cases that drive IDPS today.

As a security leader, you need the most effective way forward to protect your most valuable assets, make security an integral part of your business and supporting your digitalization journey full on, and inspire the trust of the employees, customers and partners who work with you.

Preventing a compromise is increasingly difficult but detecting the behaviors that occur – from command and control to data exfiltration – are not.

The SOC visibility triad consists of network detection and response (NDR), endpoint detection and response (EDR) and log-based detection (SIEM).

In a previous blog, we wrote about the benefits that come with Zeek-formatted metadata. This blog builds on that thread by discussing why our customers come to us as an enterprise solution to support their Zeek deployments.

Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR.

Microsoft unveiled the Azure Virtual Network TAP, and Vectra announced its first-mover advantage as a development partner and the demonstration of its Cognito platform operating in Azure hybrid cloud environments.

2018 Black Hat survey: It’s about time and talent

We love Black Hat. It’s the best place to learn what information security practitioners really care about and what is the truth of our industry. Because we want to always be relevant to customers, we figured Black Hat is an ideal event to ask what matters.

Vectra® was recently positioned as the sole Visionary in the Gartner 2018 Magic Quadrant for Intrusion Detection and Prevention Systems (IDPS). I’m pretty ecstatic about that.

Over the years, intrusion detection systems (IDS) have converged with intrusion prevention systems (IPS) and the two are now known collectively as IDPS. This convergence occurred as the security industry focused more on preventing external threat actors.

Over lunch last week, a customer who recently deploy our Cognito™ platform told me that his SIEM sales person said “We can do what Vectra does with our analytics package. I simply looked at him and said, “No body, no murder – no they can’t.”

He was puzzled, so I explained.

Many security teams are overwhelmed with the scale and ferociousness of digital threats. Threats are sneakier and more damaging, and security operations centers (SOCs) are being worn down investigating and stomping out incidents.

The U.S. Computer Emergency Readiness Team (US-Cert) issued a warning last week stating HTTPS interception weakens TLS security. As the use of encryption for privacy has increased, the security industry has responded by intercepting and decrypting SSL sessions to perform deep-packet inspection (DPI).

This blog was orignially published on ISACA Now.

In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear. Kevin Maney of Newsweek vividly summarized the pending transformation of employment and the concerns it raises in his recent article "How artificial intelligence and robots will radically transform the economy."

In the Information Security (InfoSec) community, AI is commonly seen as a savior – an application of technology that will allow businesses to more rapidly identify and mitigate threats, without having to add more humans. That human factor is commonly seen as a business inhibitor as the necessary skills and experience are both costly and difficult to obtain.

As a consequence, over the last few years, many vendors have re-engineered and re-branded their products as employing AI – both as a hat-tip to their customer’s growing frustrations that combating every new threat requires additional personnel to look after the tools and products being sold to them, and as a differentiator amongst “legacy” approaches to dealing with the threats that persist despite two decades of detection innovation.

The rebranding, remarketing, and inclusion of various data science buzzwords – machine intelligence, machine learning, big data, data lakes, unsupervised learning – into product sales pitches and collateral have made it appear that security automation is the same as AI security.

Reports of successful hacks against Internet of Things (IoT) devices have been on the rise. Most of these efforts have involved demonstrating how to gain access to such a device or to break through its security barrier. Most of these attacks are considered relatively inconsequential because the devices themselves contain no real data of value (such as credit card numbers or PII). The devices in question generally don't provide much value to a botnet owner as they tend to have access to lots bandwidth, but have very little in terms of CPU and RAM.

In February 2014, journalist Martin Wolf wrote a piece for the London Financial Times[1] titled Enslave the robots and free the poor. He began the piece with the following quote:

“In 1955,Walter Reuther, head of the US car workers’ union, told of a visit to a new automatically operated Ford plant. Pointing to all the robots, his host asked: How are you going to collect union dues from those guys? Mr. Reuther replied: And how are you going to get them to buy Fords?”

The frenetic pace at which artificial intelligence (AI) has advanced in the past few years has begun to have transformative effects across a wide variety of fields. Coupled with an increasingly (inter)-connected world in which cyberattacks occur with alarming frequency and scale, it is no wonder that the field of cybersecurity has now turned its eye to AI and machine learning (ML) in order to detect and defend against adversaries.

The use of AI in cybersecurity not only expands the scope of what a single security expert is able to monitor, but importantly, it also enables the discovery of attacks that would have otherwise been undetectable by a human. Just as it was nearly inevitable that AI would be used for defensive purposes, it is undeniable that AI systems will soon be put to use for attack purposes.

In the last blog post, we alluded to the No-Free-Lunch (NFL) theorems for search and optimization. While NFL theorems are criminally misunderstood and misrepresented in the service of crude generalizations intended to make a point, I intend to deploy a crude NFL generalization to make just such a point.

You see, NFL theorems (roughly) state that given a universe of problem sets where an algorithm’s goal is to learn a function that maps a set of input data X to a set of target labels Y, for any subset of problems where algorithm A outperforms algorithm B, there will be a subset of problems where B outperforms A. In fact, averaging their results over the space of all possible problems, the performance of algorithms A and B will be the same.

With some hand waving, we can construct an NFL theorem for the cybersecurity domain: Over the set of all possible attack vectors that could be employed by a hacker, no single detection algorithm can outperform all others across the full spectrum of attacks.

Despite the recent explosion in machine learning and artificial intelligence (AI) research, there is no singular method or algorithm that works best in all cases.

In fact, this notion has been formalized and shown mathematically in a result known as the No Free Lunch theorem (Wolpert and Macready 1997).

Deep learning refers to a family of machine learning algorithms that can be used for supervised, unsupervised and reinforcement learning.

These algorithms are becoming popular after many years in the wilderness. The name comes from the realization that the addition of increasing numbers of layers typically in a neural network enables a model to learn increasingly complex representations of the data.

There are numerous techniques for creating algorithms that are capable of learning and adapting over time. Broadly speaking, we can organize these algorithms into one of three categories – supervised, unsupervised, and reinforcement learning.

Supervised learning refers to situations in which each instance of input data is accompanied by a desired or target value for that input. When the target values are a set of finite discrete categories, the learning task is often known as a classification problem. When the targets are one or more continuous variables, the task is called regression.

“The original question ‘Can machines think?’ I believe to be too meaningless to deserve discussion. Nevertheless, I believe that at the end of the century, the use of words and general educated opinion will have altered so much that one will be able to speak of machines thinking without expecting to be contradicted.” – Alan Turing

Can machines think?

The question itself is deceptively simple in so far as the human ability to introspect has made each of us intimately aware of what it means to think.

"We man compare a man in the process of computing a real number to a machine which is only capable of a finite number of conditions..." - Alan Turing

It is difficult to tell the history of AI without first describing the formalization of computation and what it means for something to compute. The primary impetus towards formalization came down to a question posed by the mathematician David Hilbert in 1928.

Random forest, an ensemble method

The random forest (RF) model, first proposed by Tin Kam Ho in 1995, is a subclass of ensemble learning methods that is applied to classification and regression. An ensemble method constructs a set of classifiers – a group of decision trees, in the case of RF – and determines the label for each data instance by taking the weighted average of each classifier’s output.

The learning algorithm utilizes the divide-and-conquer approach and reduces the inherent variance of a single instance of the model through bootstrapping. Therefore, “ensembling” a group of weaker classifiers boosts the performance and the resulting aggregated classifier is a stronger model.

The European Union (EU) General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018. However, many IT, security and compliance leaders in the EU and globally still have a long way to go before they can truly describe themselves as "GDPR-ready." Artificial intelligence (AI) can make valuable contributions toward GDPR preparations and operational compliance.

Cisco recently announced the term “intent-based networking” in a press release that pushes the idea that networks need to be more intuitive. One element of that intuition is for networks to be more secure without requiring a lot of heavy lifting by local network security professionals. And a featured part of that strategy is Cisco ETA:

"Cisco's Encrypted Traffic Analytics solves a network security challenge previously thought to be unsolvable," said David Goeckeler, senior vice president and general manager of networking and security. "ETA uses Cisco's Talos cyber intelligence to detect known attack signatures even in encrypted traffic, helping to ensure security while maintaining privacy."

Risky business

There is some startling data in the 2017 Verizon Data Breach Investigation Report. What stood out to me as most concerning is that more breaches occurred in healthcare this year than last year. After reviewing the report, I see three key trends.

1. The real threat is already inside healthcare networks in the form of privileged access misuse
2. When healthcare organizations are hit from the outside, it is usually ransomware extorting them for money
3. The growth in healthcare IoT is overwhelming and dangerous

Whether the task is driving a nail, fastening a screw, or detecting a hidden HTTP tunnel, it pays to have the right tool for the job. The wrong tool can increase the time to accomplish a task, waste valuable resources, or worse. Leveraging the power of machine learning is no different.

Vectra has adopted the philosophy of implementing the most optimal machine learning tool for each attacker behavior detection algorithm. Each method has its own strengths.

Sometimes science fiction becomes less fantastic over time than the actual reality. Take the film Ghost in the Shell, for example, which hits the big screen this week. It’s an adaptation of the fictional 28-year-old cult classic Japanese manga about human and machine augmentation.

We live in the age where big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

The results of the Brexit referendum caught many by surprise because pollsters suggested that a “stay” vote would prevail. And we all know how that turned out.

History repeated itself on Nov. 8 when U.S. president-elect Donald Trump won his bid for the White House. Most polls and pundits predicted there would be a Democratic victory, and few questioned their validity.

The Wall Street Journal article, Election Day Forecasts Deal Blow to Data Science, made three very important points about big data and data science:

• Dark data, data that is unknown, can result in misleading predictions.
• Asking simplistic questions yields a limited data set that produces ineffective conclusions.
• “Without comprehensive data, you tend to get non-comprehensive predictions.”

Incidents of fraud, theft and abuse enacted by rogue insiders present organisations with the ultimate in targeted threats. These are executed against themfrom highly motivated actors, operating with a high degree of internal organisational knowledge and comparative ease of access. Such threats have the ability to create sizable risks in relation to digital assets and are also the most challenging to manage.

Security leaders have to understand their organisation’s context and operations in order to strike a balance between protection, control and creating value.

Users tied up in complex and over-controlling systems are unable to perform. Too light a touch sees key assets and resources too easy to misuse, alter or steal. Blending layers of organisational, physical and technical policy and management can provide a meaningful way of reducing internal cyber attacks, but no solution can be perfect. Organisations must also enable themselves to identify and recognise illegitimate internal actions and make timely interventions.

Time is a big expense when it comes to detecting cyber threats and malware. The proliferation of new malware variants makes it impossible to detect and prevent zero-day threats inreal-time. Sandboxing takes at least 30 minutes to analyze a file and deliver a signature – and by then, threats will have spread to many more endpoints.

Security breaches did not stop making headlines in recent months, and while hackers still go after credit card data, the trends goes towards richer data records and exploiting various key assets inside an organization. As a consequence, organizations need to develop new schemes to identify and track key information assets.

The biggest recent breach in the financial industry occurred at JP Morgan Chase, with an estimated 76 million customer records and another 8 million records belonging to businesses stolen from several internal servers. At Morgan Stanley, an employee of the company’s wealth management group was fired after information from up to 10% of Morgan Stanley’s wealthiest clientele was leaked. Even more sensitive was the largest health-care breach thus far: at Anthem, over 80 million records containing personally identifiable information(PII) including social security numbers were exposed. Less well-known, but potentially more costly in terms of damage and litigation is thealleged theft of trade secrets by the former CEO of Chesapeake’s Energy (NYSE: CHK).

Recent research from Kaspersky has revealed a massive criminal campaign that was able to infiltrate more than 100 different banks and steal upwards of $1 billion from the affected institutions. Kaspersky dubbed this operation the Carbanak APT due to a connection between the malware used in the attacks and the now infamous Carberp banking botnet.

In the previous posts, we have examined the insider threat from various angles and we have seen that insider threat prevention involves the information security, legal and human resources (HR) departments of an organization. In this post, we want to examine what information security departments can actually do to detect ongoing insider threats, and even prevent them before they happen.

The literal needle in the haystack

Overall, insider threats represent only a small proportion of employee behavior. And while only the ‘black swan’ incidents become public knowledge, minor incidents such as theft of IP or customer contact lists will add up to major costs for organizations.

In addition, insiders are by default authorized to be inside the network and are both granted access to and make use of key resources of an organization. Given the large pile of access patterns visible in an organization’s network, how is one to know which ones are negligent, harmful or malicious behavior?

Over the past decade, cyber operations have become intertwined with geopolitical conflict. In recent asymmetric campaigns, state-sponsored threat groups have mapped critical infrastructure, disrupted systems, held information hostage, and stolen state secrets as a form of warfare.

If you’re joining me for the first time, I want to introduce myself. I am Cognito, the AI cybersecurity platform from Vectra. My passion is hunting-down cyberattackers – whether they’re hiding in data centers and cloud workloads or user and IoT devices.

Cybersecurity analysts are overwhelmed with security events that need to be triaged, analyzed, correlated and prioritized. If you’re an analyst, you probably have some incredible skills but are being held back by tedious, manual work.

Attacks never really go away

Many enterprise organizations are currently evaluating the Vectra Cognito platform, and over the past weeks, several customers detected WannaCry attacker behaviors. Just because the headlines stopped, doesn’t mean that the attack did.

WannaCry was first reported by the media in May of this year and we had customers who detected and responded to outbreaks within minutes. A couple of days after the initial impact, it was reported that stopping the WannaCry command and control server limited the effectiveness of WannaCry in the wild. While that may have been be true, organizations are still detecting instances of WannaCry within their enterprise networks. While this is a smaller scale than the attack in May, it is important that enterprises continue to monitor their networks for what is proven to be a fast propagating ransomware attack with the potential to cause damage very quickly.

Vectra AI last week published the 2017 Post-Intrusion Report, which covers the period from January through March. While there are plenty of threat research reports out there, this one offers unique insights about real-world cyber attacks against actual enterprise networks.

Most industry security reports focus on statistics of known threats (exploits and malware families) or give a post-mortem look back at breaches that were successful. The first one looks at threats that network perimeter defenses were able to block and the second lists attacks that were missed entirely.

Vectra Threat Labs analyzed the WannaCry ransomware to understand its inner workings. They learned that while the way it infects computers is new, the behaviors it performs are business as usual.

WannaCry and its variants behave similarly to other forms of ransomware that Vectra has detected and enabled customers to stop before experiencing widespread damage. This is a direct benefit of focusing on detecting ransomware behaviors rather than specific exploits or malware. Many of WannaCry’s behaviors are reconnaissance and lateral movement on the internal network, within the enterprise perimeter.

This blog was originally published on LinkedIn.

To know SIEM is to love it.And hate it.

Security information and event management (SIEM) is a ubiquitous cybersecurity tool. It’s used by probably every security analyst who works in a security operations center (SOC).

On the cybersecurity website ThirdCertainty.com, Byron Acohido makes some very important points about the use of encryption by hackers to avoid detection tools and the need to detect these attacks. This is a water cooler discussion at Vectra headquarters. Encrypted traffic is an easy hiding place for attackers and difficult for organizations to deal with.

However, trying to monitor this traffic by decrypting first, performing deep-packet inspection, and then encrypting again at line-rate speeds is problematic, even with dedicated SSL decryption, especially in the long term. There are several factors at play here.

With an increasing global desire for privacy, more traffic is encrypted by default. It is becoming a standard for cloud applications. The Sandvine Internet Phenomena Report states that encryption doubled last year in North America.

This is actually great news, especially for consumer privacy. Enterprises have a strategy to encrypt everything. With this encryption however, attempts to perform SSL decryption mean there will be large volumes of encrypted data to process.

Security researchers with Vectra Threat Labs recently uncovered a critical vulnerability affecting all versions of Microsoft Windows reaching all the way back to Windows 95. The vulnerability allows an attacker to execute code at system level either over a local network or the Internet. As a result, attackers could use this vulnerability both to infect an end-user from the Internet, and then spread through the internal network.

Vectra and Microsoft collaborated during the investigation of this issue, and Microsoft has delivered a fix as part of Security Bulletin MS16-087, which is available here.

The vulnerabilities, CVE-2016-3238 (MS16-087), and CVE-2016-3239, stem from the way users connect to printers in the office and over the Internet. This vulnerability could enable a relatively unsophisticated attacker to incorporate IoT devices as part of an attack and quickly infiltrate and spread through a network without detection. While this blog provides an overview of the vulnerability, you can read the in-depth technical analysis here. In addition, a video summary of the vulnerability is available here.

The vulnerability in question centers around the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print.

They obliged and in doing so bought into a view of Caesar as superior to them. Caesar exploited this to good effect: he acted as the leader of the pirates, he practiced combat exercises with them and even read them poetry.

Eventually, Caesar’s associates returned with the silver and he was let go. He vowed to return to collect his money and kill the pirates and he went to great lengths to make good on his promise.

Caesar kept his cool, survived the hostage situation, and recovered his belongings because he had a plan and a strategy.

A quick no-frills solution to ransomware inside the enterprise

Ransomware is clearly the scourge of 2016. Every week there is a new and notable enterprise-level outbreak of this insidious class of malware – crippling and extorting an ever widening array of organizations.

For a threat that is overwhelmingly not targeted, it seems to be hitting large and small businesses with great success.

The malware infection can come through the front door of a failed “defense-in-depth” strategy or the side door of a mobile device latched to the corporate network on a Monday morning.

The Internet of Things (IoT) is beginning to have a huge impact on our daily lives, and it will grow by orders of magnitude. However, the multitude of IoT devices with zero, limited or outdated security could produce disastrous results. It will be a formidable task to secure every small IoT device or toy. Security solutions that watch device behavior and identify anomalies might be our only hope.

The IoT is on the rise...

The genesis of IoT goes back to the early ’90s when PARC chief scientist Mark Weiser came up with the vision of Ubiquitous Computing and Calm Technology. In this vision, computing becomes “your quiet, invisible servant” and disappears from conscious actions and the environment of the user.

The Dyre family of banking malware is back in the news after researchers recently observed that the malware incorporated tricks to avoid detection in malware sandboxes. Previously, Dyre was most notable for targeting high-value bank accounts, including business accounts, and incorporating sophisticated social engineering components to overcome the 2-factor authentication used by most banks.

In this latest twist, the Dyre malware aims to identify when it is being run in a malware sandbox by counting the cores of the machine on which it is running. The trick, in this case, is that many malware sandboxes will run as a virtual machine with only a single processor and single core in order to conserve resources. Malware sandboxes have to analyze a very large number of files, so each virtual machine often gets provisioned with a bare minimum of resources in order to run as many VMs as possible.

Each of the publicized breaches over the past 15 months have been followed by the same question: “How did these attackers go undetected for several weeks or months?” The 80 million Americans covered by Anthem, whose personally identifiable information (PII) was stolen, are now asking this very question.

Let me liken this attack to a recent experience in my own life. After finding a small pile of what looked like sawdust on our hardwood floor of our guest room, it was like the “oh-crap” moment a CXO experiences when a 3-letter agency informs them that their organization’s crown jewels have been discovered in Kazakhstan. “Oh crap, we have termites.” Just likeSony Entertainment called in the FBI or Anthem called in a forensics agency, we called the termite guy.

Yesterday Anthem became the latest company to suffer a massive, high-profile data breach that almost certainly will become the largest data breach to date in the healthcare industry. Attackers were able to infiltrate the network and steal personal information for over 80 million customers. The stolen data included a variety of Personally Identifiable Information(PII) including Social Security numbers, contact details as well as employment and income information.

This is a particularly dangerous combination of data that is worth significantly more on the black market than stolen credit card numbers. Unlike a credit card, which can be easily cancelled and replaced, a full identity can be used for long-term fraud such as taking out loans in the victim’s name. Employment information is particularly sought after when selling an identity. The one silver lining is that it does not appear that medical records and other Personal Health Information (PHI) were exposed in the breach.

Researchers at Symantec have recently disclosed the presence of a highly sophisticatedmalware platform known as ‘Regin’. This new strain of malware instantly joins Stuxnet, Flame, and Duqu on the list of some of the most advanced malware ever seen. And like the other members of this elite state-sponsored fraternity, Regin malware appears to be purpose-built for espionage with the ability to quietly infect, spread, and persist within a targetnetwork for long periods of time.

The recent discovery of Shellshock, the bash shell bug, has something in common with the discovery of Heartbleed earlier this year. Both vulnerabilities existed for many years before they were discovered – over two years for Heartbleed and over 22 years for Shellshock. Both affect a very large number of computer and communications systems. Both have induced a gut-wrenching panic.

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before you patch the affected systems. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle. That doesn’t mean there is nothing you can do to catch them.

Today, Vectra AI participated in Juniper Networks announcement on the expansion of Spotlight Secure threat intelligence platform. Part of the technology expansion includes an open API that enables the Vectra X-series to communicate detection of in-progress cyber attacks to Juniper’s Spotlight Secure platform.

The integration enabled by this open API delivers three important benefits:

• The ability to block the attack;
• A single pane of glass; and
• The flexibility and choice to deploy best-of-breed solutions

Reading Steve Ragan's write-up on the recent Community Health Systems breach in CSO online took me back to my blog post on Heartbleed on the Inside from May 1, 2014 that included this cautionary note.

"It's only a matter of time – actually, it's probably already happening – before we see targeted attacks that utilize Heartbleed as one of the weapons in the attackers' arsenal to acquire key account credentials and use those credentials to get to the crown jewels."

As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.

One example of this comes up when we’ve detected what we call “external remote access” behavior in the network. This detection algorithm basically detects remote control of a host inside an organization’s network by an entity outside (in this context, “outside” means not connected via VPN) the network on a connection that has been initiated by the internal host.

Salespeople. They're charismatic, they're informative, and if they're good, they'll convince you that what they have is exactly what you need. I remember being tasked with finding a new corporate travel solution by a former manager. When information I found online looked promising, or was too vague, I'd request a sales demo. During the meeting, I would experience total clarity. What a perfect solution. This is exactly what we need. I'm not an easy sell, am I? The assurance salespeople provide is comforting, but the thing is, not all solutions are an ideal fit, and a salesperson isn't in the business of helping you find an ideal fit.

Meaningful information security metrics seem to come in as many shapes and sizes as there are CISAs, CISMs, and CISSPs brave enough to weigh in on the subject. There are plenty of risk and security frameworks available to help guide a security team to a reasonable answer to nearly any question posed regarding the appropriate allocation of resources required to reduce a given business risk to a specific level.

If you are an SE like me, then you have probably experienced a 'priority one' incident response with your customer. Things are on fire and you call in all the reinforcements you can. If you are an IT or security guy, then you have probably placed the call for help. Either way, you will understand.

A lot has been said about the global impact of Heartbleed. First, we had all the descriptions of Heartbleed – my favorite one was on xkcd. Then we saw warnings that we would need to change our password on public websites. That was followed by a warning that, since the private keys of certificates could be retrieved by exploiting Heartbleed, we should change our passwords now, wait for Web sites to change their certificates and then change our passwords again.

What has received far less attention is the fact that many of our common enterprise products (e.g., routers, firewalls, web proxies) inside our infrastructure are also susceptible to Heartbleed. Bulletins from Cisco, Juniper Networks and Blue Coat indicate widespread use of OpenSSL, the software in which the Heartbleed bug exists, in these products. Even industrial control systems from companies like Siemens have this vulnerability, which Arik Hesseldahl wrote about recently on Re/code.net. And, unlike public-facing web sites, many of which have already undergone updates to fix the bug, the availability and deployment of patches for all your infrastructure systems hits you in unexpected ways, including the need to upgrade to the newer versions of software than you are probably running, necessitating testing cycles before you can deploy it.

A customer recently shared her perspective in the growing security white noise – a term she uses to describe the increasingly high volume of alerts coming out of the defense in depth security. To punctuate her point, she pulled up a recent Wall Street Journal blog with an example from Gartner analyst Avivah Litan of a client who receives over 135,000 security alerts a day. As Avivah aptly stated, "It becomes like the car alarms going off in a parking lot – no one takes them seriously because generally there are too many false car alarms."

Looking back at the Bloomberg BusinessWeek coverage of the Target breach, the article focused on multiple security alerts of the malware used to initiate the attack. While these alerts were marked as high priority, it is easy to imagine that an enterprise the size of Target may have been receiving hundreds or thousands of security alerts of varying priority that created white noise.

In talking to customers, I am frequently reminded of the fact that people's understanding of how malware is built and delivered hasn't kept up with the changing landscape over the past few years. While most people expect actual targeted attacks to evolve through multiple stages, much of the run-of-the-mill botnet malware no longer infects a system in a single stage either.

The first quarter of every year in the security business brings every imaginable retrospective of all the bad things that happened the prior year. This year is no different. As I read this year's crop of reports (this required several cups of coffee), I was struck by the fact that much of the focus continues to be on malware families, which I call "the race to win the naming game," and the number of zero-day threats found.

Target, Neiman Marcus, Michael’s. There’s no doubt that the retail sector is under attack, but prominent retailers are not alone. Criminals are targeting banks, healthcare providers, government agencies and even high schools—anyone with high-value data or a reputation to protect. Whether your business is big or small, chances are that hackers have already penetrated your network.

But what do you do?

A new Gartner report, “Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” advises: “All organizations should now assume that they are in a state of continuous compromise.” The challenges outlined are the insufficiency of blocking and prevention capabilities to protect against motivated, advanced hackers.

According to NIST, “No enterprise can completely eliminate cybersecurity risk. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, ZTA can reduce overall risk exposure and protect against common threats.”

The United States has not been the victim of a paralyzing cyber-attack on critical infrastructure like the one that occurred in the Ukraine in 2015. That attack disabled the Ukrainian power grid, leaving more than 700,000 people helpless.

But the United States has had its share of smaller attacks against critical infrastructure. Most of these attacks targeted industrial control systems (ICS) and the engineering personnel who have privileged access.

Hey everyone. For my first blog, I want to share a story about my role on the blue team during a recent red team exercise.

But first, I want to introduce myself to those of you who might not know me. I am Cognito, the artificial intelligence in the Vectra cybersecurity platform. My passion in life is hunting-down cyber attackers – whether they’re hiding in data centers and cloud workloads or user and IoT devices.

Earlier this month Vectra announced plans to leverage the capabilities of VMware NSX to accelerate the detection and mitigation of hidden cyber attackers in virtualized data centers.

Vectra currently applies artificial intelligence to automatically detect attacker behaviors inside virtualized data centers. Vectra also integrates with endpoint and network response tools to automate the workflow.

Cybersecurity is a rapidly evolving landscape and 2017 will be no different. Attackers will leverage artificial intelligence and find new ways to infiltrate corporate networks and businesses using adaptive attacks. Encrypted traffic will increasingly blind legacy security technologies, while ransomware gets smarter, and more targeted. Also watch for geo-political changesthat act as a catalyst forincreased cyber attacks involving nation states.

In previous research from the Vectra Threat Labs, we learned that seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things(IoT). IoT is the unattended attack surface, and more IoT devices means bigger clone armies.

The recentpublic release of source code for malware named "Mirai" has proven exactly that. Mirai continuously scans the Internet for IoT devices using factory default usernames and passwords, primarily CCTV and DVRs.

Sitting at the edge of the network and rarely configured or monitored for active compromise, the firewall today is a vulnerable target for persistent and targeted attacks

Researchers from Vectra Threat Labs recently performed an in-depth analysis of vulnerabilities found in a common Belkin wireless repeater. Today in an article on Dark Reading, Vectra CTO Oliver Tavakoli digs into why seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things (IoT). Read the full article here.

Of particular importance to security teams, IoT is not only bringing far more devices into the network, but they are also devices that very rarely get patches and updates. This means that vulnerabilities can be left unaddressed for months or even years. Likewise, these devices are unlikely to be protected by signatures and will almost assuredly be unable to run client-based security.

A scary 70 percent of critical infrastructure organization suffered security breaches in the last year, including water, oil and gas, and electric utilities. An almost equally high number of 64 percent anticipate one or more serious attacks in the coming year.

In the previous posts of this series, we highlighted insider threat risks for US companies and how they respond to them. While the insider threat in government agencies and big companies is a known problem with somewhat implemented mitigation strategies, less is known about the insider threat to critical US infrastructure, such as water purification or nuclear power plants. To illustrate the nature of the threats, let me provide two examples from a Department of Homeland Security report –the Insider Threat to Utilities report.

A few things ring true of today's working world. First is that no one in the year 2014 should have to work in a cubicle. Defenders will say "it's been this way for years," or "you'd be surprised by how common it is." That doesn't make working in a small felted cubby any less ridiculous. In the brief time I occupied one it was best used for sleeping on the job, and I've discovered that's a terrifying idea when sitting in a room full of your peers.

While meeting with a customer last week, we looked through the detections report to see if some of the new algorithms we released had produced detections. I noticed the lines for all categories of detections dropped precipitously and then increased nearly as rapidly two days later. Nearly as fast as I pointed my finger at the screen, he said, "Yeah, that's the weekend."