Forescout Cyber Roundup
January 11, 2019
The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
1. DARPA Funds Hardware Cybersecurity that Turns Circuits into Unsolvable Puzzles (January 7, 2019)
2. Three Ways the Navy Wants to Protect its Weapons from Cyberattacks (January 8, 2019)
3. Ransomware, Phishing Attacks Top New HHS List of Cyberthreats in Healthcare (January 2, 2019)
4. Ex-UBS Employee Charged with Data Theft on Trial in Switzerland (January 7, 2019)
5. NSA will Release a Free Tool for Reverse Engineering Malware (January 6, 2019)
1. DARPA Funds Hardware Cybersecurity that Turns Circuits into Unsolvable Puzzles (January 7, 2019)
Summary: A new project at the University of Michigan is exploring a hardware security model as an alternative to the traditional ‘patch and pray’ model focused on patching software vulnerabilities.
Why it matters: As part of the Department of Defense (DoD), the Defense Advanced Research Projects Agency (DARPA) hasn’t been impacted by the shutdown as severely as other agencies, and it’s exciting to see this DARPA-funded project, known as Morpheus, emerge as a promising step forward for U.S. cybersecurity. To date, most defensive actions have been reactive, largely because of software vulnerabilities; unpatched, unmanaged or unidentified devices; and legacy systems. This new approach, however, shifts the focus from software to hardware. Similar to, but distinct from, address space layout randomization (ASLR)—a memory protection technique in which the operating system randomizes where executables are loaded into memory—the idea is to move, delete and replace the data attackers are seeking before they have time to steal it. Think of it as a complex magic square: right as bad actors are about to solve the puzzle, all of the numbers get rearranged or replaced with a new set of numbers altogether.
While this is certainly a step in the right direction, it’s not the silver bullet the article might lead you to believe—even the most exotic magic square of squares was eventually solved. Quantum computing, although not yet mainstream, will undoubtedly break software-based encryption, and will likely also harness the power and speed needed to outpace hardware-based security. It’s only a matter of time before nation-states leverage such advanced technology for ill intent. China has invested heavily in quantum computing and made significant breakthroughs—and many in the U.S. are worried that China may win the quantum computing race. China recently landed a rover on the far side of the moon, a technical first in the space domain and a reminder of China’s ambition to outpace the U.S. and other nations across all domains.
While China continues its advances, the National Institute of Standards and Technology (NIST) cryptography projects remain on pause during shutdown and some Transportation Security Agency (TSA) employees have quit altogether. Nearly half the staff of the new Cybersecurity and Infrastructure Security Agency (CISA) have been furloughed. Not only may federal employees be inclined to seek employment elsewhere, but foreign actors may also be more inclined to launch attacks knowing that there are fewer cyber personnel working to thwart attacks.
2. Three Ways the Navy Wants to Protect its Weapons from Cyberattacks (January 8, 2019)
Summary: Following an October Government Accountability Office (GAO) report and a newly passed law creating the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Navy is now taking action to better secure and defend U.S. weapons systems.
Why it matters: Artificial intelligence (AI), deception tactics and dynamic reconfiguration are the three core research areas the Navy will focus on—industry-wide pillars of strong cybersecurity. The use of AI in the military has been a point of debate. Last year, thousands of AI experts pledged not to aid in the development of AI-operated robots, arguing that even with a human in the loop, it’s just too risky to use AI for lethal force. Until that particular debate is settled, it’s likely that the Navy will turn to AI for other cyber purposes, coupling it with advances in automation and machine learning to reduce the manual, resource-intensive burden currently on the shoulders of an understaffed human cyber workforce. It also remains to be seen how the Navy will employ deception tactics, but given the Navy’s deception operations prowess during the Cold War, there’s no doubt it will act to conceal and defend its networks, systems and data just as it did with its ships and sailors a few decades ago. The third research area, dynamic reconfiguration, is the ability to automatically log into switches, routers, firewalls and other networking gear and run commands that change firewall rules, network topology and access control lists—commands that a network administrator would normally run by hand. NIST Special Publication 800-53 describes dynamic reconfiguration as “changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises.” While the benefits are significant—and it’s hard to put a price tag on the defense of American lives and $1.6 trillion of weapons—there are also challenges.
Technical security policies must be negotiated and enforced across the entire enterprise, solutions must be carefully tuned to avoid consuming excessive resources, and all changes must be monitored and audited for impacts to both availability and security and to ensure transparency. What’s needed is a proven and effective approach to microsegmentation—a way to reconfigure the network to identify, isolate, and secure vulnerable devices. Solutions like Forescout’s CounterACT 8 can help you dynamically reconfigure your network and provide device visibility across your enterprise.
3. Ransomware, Phishing Attacks Top New HHS List of Cyberthreats in Healthcare (January 2, 2019)
Summary: In last week’s roundup, we noted HHS’s release of the new Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. Aimed at helping the industry identify ways to reduce risk from cyberthreats, the guidance points to email phishing attacks, ransomware attacks and attacks against medical devices as the greatest cyberthreats facing the healthcare industry.
Why it matters: With a new phishing attack launched against the healthcare industry almost every week, reported healthcare internet crimes cost victims nearly $1 million in 2017—a fraction of the actual cost when you consider that many breaches go unreported. Data breaches and phishing remain among the top three internet crime types, and despite the volume of attacks and the fact that healthcare data breach costs remain the highest of any industry—and those breaches are often initiated by phishing—healthcare still lags behind other industries in phishing resiliency. Rapid7 recently released the results of a simulated phishing campaign against 45 CEOs: over the course of just two weeks, 75% of the targets had been successfully phished. What’s most interesting in the detailed results is that 63% of users who were phished in one of the first two simulations did not fall for the final and most sophisticated campaign, which implies that those who fall victim once are less likely to be phished a second time. Combating phishing is immensely difficult, largely because human curiosity is inherent and hard to manage. Education, training and frequent simulation are critical to improving any organization’s defensive posture, but with attacks expected to rise in 2019 and beyond, it’s likely that both public and private sector organizations will look to personnel accountability and penalties as a means of prevention. We’ll also likely see increased scrutiny and a more rigorous interview and candidate assessment process: because responsibility for cybersecurity can’t reside only with security teams, even the most qualified and experienced candidates may be required to have a certain level of security savviness.
4. Ex-UBS Employee Charged with Data Theft on Trial in Switzerland (January 7, 2019)
Summary: There have been a number of cyber-related trials, indictments and lawsuits in recent months. In this particular case, where an ex-employee allegedly stole client data and sold it to German tax authorities, many are questioning whether the accused is a whistleblower or a thief.
Why it matters: This isn’t the first data-masking and theft case of this kind—a similar incident dates back to 2007, when another employee, Sina Lapour, copied data by hand to avoid detection. While both stories focus more on the very different tax views held by Switzerland and Germany, this case also highlights the increasing number of arrests and indictments of cybercriminals in recent months. In Germany, a man has recently admitted responsibility for one of the country’s biggest data breaches. Late last year, the FBI indicted two Iranian men behind the devastating SamSam ransomware attacks. And more recently, although not a distinctly cyber-related arrest, Huawei CFO Meng Wanzhou was arrested in Canada on U.S. suspicions that the company was aiding Iran in violation of international sanctions. These are but a few examples from recent months, and they might lead one to believe that the fight against cybercrime is being won, but the reality is that when one bad actor is apprehended, another rises in his or her place. Recent research shows that while the clearance rate (i.e., the proportion of cases in which at least one person was arrested) was 18% for property crimes and 46% for violent crimes, the clearance rate for cybercrimes was less than 1%. Put simply, it’s pretty easy for cybercriminals to hide in the shadows online, and even if they fail to fully cover their tracks, there just isn’t a very high probability of their being arrested and charged. Because attribution—identifying the attacker with certainty—is so difficult, many argue that it’s more important to focus on understanding the tactics and technology behind an attack. After mitigation and recovery, it’s important to reverse engineer the entire attack as far as possible (see #5 below), to understand everything from the point of entry to the software vulnerabilities and infrastructure weaknesses that were exploited. That’s not to say that attribution isn’t important.
When it comes to larger, more comprehensive and strategic attacks from nation-states, accurate attribution can help the U.S. deter and thwart future attacks by means not limited to cyber alone. Following the passage of the 2017 Countering America’s Adversaries through Sanctions Act, the U.S. has imposed a number of sanctions on foreign adversaries in response to cyberattacks and espionage—from the 2018 sanctions on two Russian companies to the recently reimposed 2015 sanctions against Iran. From a global socio-economic perspective, attribution is very important, as it enables the U.S. and other nations to take action to curb cyberattacks without breaking the threshold of physical war.
5. NSA will Release a Free Tool for Reverse Engineering Malware (January 6, 2019)
Summary: Often accused of keeping helpful security information isolated within the walls of the agency, the National Security Agency (NSA) has developed a reverse engineering tool, GHIDRA, which it plans to release at RSA 2019 for free public use.
Why it matters: There are a number of tools and courses for reverse engineering malware, but the Interactive Disassembler (IDA) is among the most popular and effective tools on the market for cyber forensics. The tool is incredibly powerful—especially if you’re lucky enough to be trained by Chris Eagle, author of The IDA Pro Book—as it handles some of the challenges and frustrations of mapping out compiled binary code across multiple languages, while also reverse engineering scripts. However, IDA costs upwards of $1,000, which makes this free NSA tool that much more enticing—and more likely to take root in organizations in both the public and private sectors. Although it will be available to the public, the NSA has not yet released a public statement or details indicating whether the tool will be open source. We expect, however, that the agency will make it open source so that it can obtain valuable feedback from cyber experts outside the agency. Putting the tool in the wild would also expose its technical details to malicious actors, so there is some risk, but if the tool gains widespread use among U.S. cyber defenders, there’s a greater probability of understanding large volumes of malware. That kind of threat intelligence sharing—a common point of debate between government and the private sector—would, in turn, allow cyber personnel across industries to take preventive defensive actions to stop the further spread of current forms of malware, and also enable them to take strategic defensive actions to combat future strains.