Last week we listened in to a Gartner webinar on the Top Security Trends and Takeaways for 2013 that was led by Earl Perkins, research VP. Perkins took a comprehensive look at the shifting challenges and opportunities within the cybersecurity field.
While the presentation covered an array of trends, from BYOD to cloud security, Perkins’ overview of security intelligence piqued our interest most. Although he spent only a few minutes on the topic, he adeptly outlined the benefits of security intelligence with regard to protecting both your informational and operational security. Specifically, Perkins noted the industry’s emerging capability to evaluate reduced sets of intelligence and integrate that intelligence with day-to-day business data. Collecting and using that data lets businesses allocate their limited IT and monetary resources more efficiently while supporting their cybersecurity infrastructure at the same time.
At the end of the webinar, Perkins fielded a question regarding the effectiveness of honeypots and honeynets. He said that while honeypots have been traditionally seen as “fairly incapable,” they are evolving in effectiveness and will likely play a valuable role in the future data monitoring arena. Perkins expects honeypots to be a supporting piece in the overall trend of active defense, in which businesses build a situational awareness of their cybersecurity threats.
We always enjoy hearing from Gartner on cybersecurity and are especially looking forward to their research on honeypots and active defense. Thank you to Earl Perkins for leading a great webinar and pointing out some important trends!
Today we announced Scout 4, with a new kernel-level Stealth Agent and an enhanced analysis engine. These new features enable active defense solutions against in-progress attacks while significantly reducing dwell time - the time available for attackers to operate on the network and cause damage.
The new agent-based sensor architecture gives CT Scout 4 rapid and flexible deployment options that let customers implement active defenses and reduce attack dwell time. Deployed on both physical and virtual devices, the Stealth Agent provides great flexibility in deploying next-generation honeynets that not only help detect unknown threats, but also provide the intelligence on attacker means and motives needed to implement effective active defense countermeasures. The Stealth Agent can also be deployed directly on production systems as part of an active defense strategy, to accelerate countermeasures.
To learn more, see the full press release here.
What We’re Reading this Week
There are numerous options out there for enterprises looking to boost their cyber defenses; from downloadable freeware to seemingly impenetrable premium solutions, the array of options can seem endless. Though these tools are useful and important, none of them will keep today’s motivated cyber attackers from getting through. By now, many organizations have accepted this sobering truth and have shifted their focus from keeping attackers OUT to finding out what they are doing once they get IN. What motivates them? And how are they going to try to get what they’re after? We’ll examine this, and other topics that caught our attention this week, in today’s news bulletin.
5 Hot Security Defenses That Don't Deliver
In this InfoWorld article, Roger Grimes writes, “We’d all love a magic bullet to stop hackers.” Truer words have never been spoken, and Grimes has been a security consultant for more than 25 years, so we can all believe him when he says one doesn’t exist yet. Despite this, week after week companies hype solutions that claim to be a cure-all for the cybersecurity issues plaguing businesses. One by one, Grimes tackles five of these well-known security defenses that he says just don’t cut it: two-factor authentication, biometrics, heuristics, “super-secure” programs and data analytics. Grimes writes that each of these has value, but none comprehensively covers all the angles necessary to protect an organization’s most valuable assets. It’s time for a different approach, one that focuses on gathering the intelligence needed to detect, assess and respond to attacks as they’re happening.
Forging A Public – Private Partnership for Cybersecurity
In this Washington Technology article, Elizabeth Hight cites McAfee’s 2013 Threat Predictions Report, which states that “cyber threats have more than kept pace and...this year will [bring] an even more sophisticated assault on businesses, private citizens, and government organizations.” Organizations no longer need only to be prepared for an attack; they need strategies in place to handle attacker behaviors that could cripple systems and corrupt data once the attacker is inside the network. She opines that the public and private sectors are in a unique position to share information and combat this problem.
Recent Breaches More Likely To Result In Fraud
For our final article in this week’s news bulletin, we would like to highlight a piece by Robert Lemos in Dark Reading. Contrary to what many people would like to hope, not everything can immediately return to ‘normal’ once a breach is discovered. For some, particularly those whose information was compromised, the problems are just beginning. According to research by Javelin’s Security, Risk & Fraud Group, a person whose data was stolen in the past year had a 1-in-4 chance of becoming a fraud victim, up from a 1-in-10 chance in 2010. More importantly, the piece calls attention to a very sobering fact. “The bad guys are getting better at using the information obtained from breaches to commit fraud,” said Alphonse R. Pascual, senior analyst in Javelin’s Security, Risk & Fraud Group. “They are getting better at mining the data, and they are getting better at selling it.” As major companies holding immense amounts of data, such as LinkedIn, eHarmony and Twitter, continue to experience breaches, the need for an active cybersecurity defense has never been greater.
The Pitfalls Behind and Ahead: Part 2
I recently published a blog post looking at the armoring of malicious binaries at a high level. Armoring malware is an effective and widely available means of evading detection and obscuring the true intent of a threat. The sample referenced below is an armored Zeus bot binary, which demonstrates how the art of armoring malware helps an intruder defeat the detection capabilities of numerous host-based security tools.
Figure: the Zeus sample before armoring and after armoring.
Armoring tools are readily available to e-criminals across the Internet. With some simple research over a couple of hours, I found 16 web forums and more than 50 armoring services and tools for sale. To give you a sense for the maturity of the market, all of these tools came with customer ratings, akin to what you might see on consumer websites such as Amazon or eBay, regarding the integrity of the provider/seller.
These tools and services also come with service level agreements and terms of service (for example, if you upload a binary protected with a purchased armorer to VirusTotal, you are banned from further use of the tool and from the updates offered by the seller). In upcoming posts, I will dive further into this topic, looking at the depths and layers behind the detection gap, the two edges of the sword for both offense and defense, and how they continue to define the arms race between e-crime capabilities and security solutions.
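Armored samples give host-based tools little to match on, but they do leave one cheap signal behind: the packed or encrypted payload has to live somewhere in the file, and that region looks like random bytes. The following is an added example (not code from this post and not part of any CounterTack product) of a per-section Shannon entropy check over a PE image. The threshold, the section names and the in-memory fixture PE are all assumptions constructed for the example; real armorers vary in how they lay out the stub and payload, so treat a high-entropy section as a triage flag, not a verdict.

```python
import hashlib
import math
import struct

# Added example, not code from the original post or from CounterTack.
# Packed/crypted sections are close to incompressible, so their Shannon
# entropy approaches 8 bits per byte; plain code and data sit well below.

HIGH_ENTROPY = 7.0  # assumed threshold; tune against your own sample corpus


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40                  # 40 bytes per section header
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def suspicious_sections(image: bytes, threshold: float = HIGH_ENTROPY):
    """Return [(name, entropy)] for sections whose entropy exceeds threshold."""
    flagged = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        if h > threshold:
            flagged.append((name, round(h, 2)))
    return flagged


# --- constructed fixture below: a minimal, non-runnable PE built in memory ---

def pseudo_random(n: int, seed: bytes = b"armor") -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_test_image(sections) -> bytes:
    """Assemble DOS stub + PE/COFF headers + section table + raw data."""
    e_lfanew, opt_size = 0x40, 0xE0           # PE32 optional header size
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)          # magic 0x10B = PE32
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, data in sections:
        table += name.encode().ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        table += b"\0" * 16                               # relocs, lines, characteristics
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + opt + bytes(table) + bytes(body)


# Constructed sample: a low-entropy code-like section and an "armored" one.
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 2000 + bytes(range(64)) * 8),
    (".armor", pseudo_random(4096)),
]

if __name__ == "__main__":
    img = build_test_image(SAMPLE_SECTIONS)
    for name, data in pe_sections(img):
        print(f"{name:8s} {len(data):6d} bytes  entropy={shannon_entropy(data):.2f}")
    print("flagged:", suspicious_sections(img))
```

Entropy alone also fires on legitimately compressed resources, embedded certificates and installer payloads, so in practice it is combined with the other artifacts armoring leaves: a tiny import table, a non-standard entry-point section, and section names the compiler never emits.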
Invasive network, workstation and server attacks aren’t unique to this side of the pond. And, despite advancements in security technology there is still a significant detection gap, with cyber attackers outpacing cyber defenses.
To help meet the growing need in the UK and European market for new approaches and solutions that close that detection gap, CounterTack announced its first international partnership, with Preventia, a leading IT security specialist, boutique integrator and professional services provider in London.
This partnership marks CounterTack’s first major move into the international cyber security marketplace. In addition to deploying CounterTack’s CT Scout to monitor and protect its own network and systems, Preventia will offer CounterTack’s full suite of products in the UK and to its existing customer base. Preventia’s customers include some of the UK’s largest and most prestigious companies, including leading banks, gaming companies and retailers.
Preventia will be exhibiting at Infosecurity Europe April 23 – 25, 2013 at Earls Court Exhibition Centre in London. Stop by Stand E22 to learn more about CounterTack’s full suite of products available through Preventia.
What We’re Reading this Week
According to the Verizon Data Breach Investigations Report, there was a significant increase in the number of cyber attacks in 2012. Despite massive investments in cybersecurity, this increase is further proof of the expanding detection gap and underscores the great need for fundamental and far-reaching change. These startling numbers illustrate increasing danger, not only to enterprise organizations, but also to industrial giants, governments and countries alike. Fortunately, we have seen a marked shift in the response from Washington and government entities around the world. Cyber security is on the tip of everyone’s tongue, from President Obama listing it as a top priority in relations with China to the President of Estonia penning a cybersecurity op-ed in the New York Times. With that, we bring you CounterTack’s first weekly news bulletin. In these bulletins, we’ll look back at the week to highlight and analyze key headlines, trends and developments across the information security industry that caught our attention:
Cybersecurity Lobbying Doubled in 2012
Major, highly publicized attacks in 2012, from NBC to LinkedIn, spurred many lawmakers (Republicans and Democrats alike) into action as they sought new ways to protect companies from increasingly sophisticated attackers. So it’s not surprising that lobbying activity on cyber security nearly doubled in 2012. Julianne Pepitone of CNN Money reports that “a total of 1,968 lobbying reports mentioned the word ‘cybersecurity’ (or variations of the term) several times in 2012.” That’s up from just 990 reports in 2011. She also notes that part of the reason lobbying spiked last year is that cyber security has proven to be a bipartisan issue, capturing the attention of a wide variety of lawmakers. And rightly so: the stakes have never been higher. Take, for example, the Cyber Intelligence Sharing and Protection Act (CISPA), passed by the House of Representatives this week. Approximately 270 enterprise organizations have filed lobbying documents on CISPA since its introduction last year.
Obama Budget Signals Cybersecurity as a Top Priority
Air Force General Robert Kehler was recently quoted as saying, “Lock your doors. Someone from halfway around the world is trying to get into your network looking to steal what you are developing.”
The government estimates that American businesses have lost more than $400 billion to cyber attackers, and U.S. intelligence officials recently indicated that cyber attacks have supplanted terrorism as the number one security threat facing the United States today.
This week, President Obama proposed a nearly 21 percent increase in 2014 spending to protect U.S. organizations and networks from cyber attacks, to $4.7 billion. According to Reuters’ Andy Sullivan, this is a sign that “the government aims to put more resources into the emerging global cyber arms race.”
Cybersecurity: A View from the Front
The final article of our bulletin this week is by Toomas Hendrik Ilves, the current President of Estonia. Back in 2007, Estonia was arguably the first publicly known target of a politically motivated cyber attack, and it has been ahead of the game ever since. In this op-ed for the New York Times, Ilves offers his unique perspective as a leader in both politics and the unified global effort against cyber attacks. We encourage everyone to take a few minutes to read this fascinating piece, but here’s one section that particularly stood out:
“Cybersecurity needs to be taken seriously by everyone. We continue to think of cyberthreats in military or classical warfare terms, when in fact cyber can simply render the military paradigm irrelevant. The whole information and communication technologies (ICT) infrastructure must be regarded as an ‘ecosystem’ in which everything is interconnected. It functions as a whole; it must be defended as a whole.”
Roger Grimes recently published an article in InfoWorld, “No Honeypot? Don't Bother Calling Yourself a Security Pro,” that argues honeypots should be a pivotal part of any company’s security strategy. He notes that honeypots “can easily capture zero-day exploits, freshly minted malware, and roaming APT hackers,” which are some of the key drivers behind the Detection Gap problem. Despite this, Grimes notes that many businesses have yet to use them at all.
So, what’s the holdup? I think many organizations have shied away from honeypots because of perceived difficulties in setting them up and operating them. Traditionally, honeypots also have required highly skilled security professionals to monitor them, scaring off some potential adopters. Also, some organizations mistakenly believe that multilayered firewall, intrusion prevention, antivirus and other defenses provide adequate protection.
Five years ago, I regularly taught a 5-day course on using honeypot technology for advanced intrusion detection, analysis and response. Back then, only government could afford to employ such tactics, and those users found honeypots invaluable for detecting zero-day and other “undetectable” threats. Of course, in those days, government was believed to be the only target of advanced persistent threats (APTs). Unfortunately, that is no longer the case.
Today’s situation is much different. Advanced threats are pervasive, driven in part by a thriving dark-side economy. It seems like every week we read another report of a successful attack on a large – or even small – commercial enterprise.
The good news is that next-generation honeynet solutions are much more accessible to organizations that are facing the challenges of the Detection Gap. A product like CT Scout, which offers an enterprise-ready platform for next-generation honeynet deployments, is being used by leading enterprises worldwide, to gain critical intelligence on advanced threats and harden their defenses.
Roger Grimes and I are in agreement – if you are not yet running a honeypot, it’s time to.
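The “perceived difficulty” above is worth putting in perspective: the simplest useful honeypot is a listener on a port nothing legitimate uses, so every connection it sees is by definition worth a look. The following is an added example of such a low-interaction listener, written for this page; it is not code from the post, from Grimes’ article, or from CT Scout. The decoy ports, the fake SSH banner and the test peer address are assumptions chosen for the example. It records who connected, when, and the first bytes they sent, and labels the obvious cases.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Added example, not code from the original post or from CounterTack's products.
# Low-interaction honeypot: listen on decoy ports, accept anything, record the
# peer and its first bytes. Nothing legitimate should ever touch these ports,
# so there is no "false positive" problem to tune away.

LISTEN_PORTS = (2222, 3389, 8080)   # assumed decoy ports; use ones unused on your host
READ_TIMEOUT = 3.0                  # seconds to wait for the client's first bytes
MAX_CAPTURE = 1024                  # bytes of payload kept per connection


def banner_for(port: int) -> bytes:
    """Fake greeting so scanners that wait for a server banner keep talking."""
    return {2222: b"SSH-2.0-OpenSSH_7.4\r\n"}.get(port, b"")   # assumed decoy banner


def classify(payload: bytes) -> str:
    """Crude label for the first bytes; anything unrecognised is still recorded."""
    head = payload[:16]
    if head.startswith(b"SSH-"):
        return "ssh-client"
    if head.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    if head.startswith(b"\x03\x00"):        # TPKT header: RDP / X.224 negotiation
        return "rdp-negotiation"
    return "unknown" if payload else "connect-only"


def handle_connection(conn: socket.socket, peer: tuple, port: int) -> dict:
    """Talk to one client, close the socket, and return the event record."""
    try:
        conn.settimeout(READ_TIMEOUT)
        banner = banner_for(port)
        if banner:
            conn.sendall(banner)
        payload = conn.recv(MAX_CAPTURE)
    except OSError:                         # timeout (a subclass) or peer dropped us
        payload = b""
    finally:
        conn.close()
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_port": port,
        "kind": classify(payload),
        "payload_hex": payload.hex(),
    }


def _worker(conn, peer, port, sink):
    sink(handle_connection(conn, peer, port))


def serve(port: int, sink) -> None:
    """Accept forever on one decoy port, handing each record to sink(record)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=_worker, args=(conn, peer, port, sink),
                         daemon=True).start()


if __name__ == "__main__":
    emit = lambda record: print(json.dumps(record), flush=True)   # one JSON line per event
    for p in LISTEN_PORTS:
        threading.Thread(target=serve, args=(p, emit), daemon=True).start()
    threading.Event().wait()   # run until killed; ship stdout to your SIEM
```

This captures probes and first payloads, which is enough to learn who is scanning you and what they try first; it does not capture what an intruder does after a successful exploit, which is the job of the high-interaction honeynets discussed above.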
On the heels of the RSA Conference last week, our entire CounterTack team is still buzzing with excitement about the show. The week was a whirlwind of dynamic presentations and panels, thought provoking discussions and demos, first-looks at the latest innovations across the security industry, and most importantly for us, a time to connect and engage with our customers, partners and peers.
From the passers-by at our booth who ended up staying and diving deep into our real-time demos, to the conversations about CounterTack overheard in restaurants and clear across the show floor, to the lines wrapping around the booth during our book signing events with acclaimed security authors Sean Bodmer and Stuart McClure, the excitement and enthusiastic response around our next-generation cyber defense solutions was palpable this year.
From numerous discussions held throughout the week, it’s clear the Detection Gap problem persists – and continues to widen for many organizations. But you don’t need to go it alone. CounterTack is committed to helping you address your biggest cyber defense challenges with our game-changing solutions based on our newly patented Deep System Inspection technology:
- CT Scout: deep system cyber intelligence for next-generation honeynets and advanced malware analysis
- CT Sentinel: deep system cyber defense for production systems
If we had the pleasure of speaking with you during RSA and you requested additional information or some follow up, our team is beginning to reach out as we speak. If not, we invite you to stay current on the latest developments in next-generation cyber defense, including insights from our Cyber Counterintelligence Lab, right here on our blog.
Welcome to Day 1 of RSA Conference 2013!
During your time at the show, make sure to stop by the CounterTack booth (#2533) and see demonstrations of newly announced Deep System Inspection solutions:
- Next-generation honeynets
- Advanced attack analysis
- Production system monitoring
Additionally, you'll learn about new cyber counterintelligence research that led to the successful detection of "Red October."
Don't miss today's book signing event at 1:00 p.m. featuring Sean Bodmer, author of Reverse Deception: Organized Cyber Threat Counter-Exploitation.
And after you check out our demo, you’ll be automatically entered to win a Vespa scooter – come see it at the booth!
We're pleased to announce that CounterTack has joined forces with Cymbel Corporation, a provider of next-generation defense-in-depth for information security, to provide next-generation enterprise cyber defense solutions to the market.
Today’s highly motivated and persistent cyber attackers specifically target enterprise organizations’ trade secrets, source code, sales proposals and other valuable corporate information. Despite massive investments and continuing advancements in security technologies, the detection gap persists, with cyber attacker innovations outpacing cyber defenses.
With this partnership, Cymbel is leveraging CounterTack’s patented Deep System Inspection products to enhance its Zero Trust approach, which protects critical enterprise assets while cost-effectively meeting compliance requirements. CounterTack’s Deep System Inspection products monitor file, network and process activity deep within the operating system layer. The company’s patented monitoring and intelligence-gathering technology provides a new dimension of visibility into the multitude of previously undetectable attacks, including the problematic custom targeted attacks.
Read more about this new partnership here.