Yesterday, we at The State of Security recapped some notable presentations from the first day of Infosecurity Europe 2016. We now present our Day Two coverage of this year’s Infosecurity Europe conference.
Advanced Incident Investigation: Lessons Learned From APT Victims
Speaker: Lee Lawson, member of the Counter Threat Unit Special Operations, Dell SecureWorks
Throughout history, we have always had defenders and attackers. Lawson began his talk by noting there is nothing new now. We are simply allowing conflict to occur more and more online with low-risk/high-reward strategies.
If we have any chance of protecting ourselves, we need to change our focus and look at how attacks are evolving. Lawson made it clear that there’s only so much we can gain from the past. After all, hackers are constantly evolving, and if one network entry point doesn’t work, they will look for and find another one.
Once attackers gain an initial foothold, they can use three different types of attacks to achieve their ends:
- Defensive evasion
By using data, hackers can find out how they are being discovered and then work on ways to bypass those detection strategies. Hackers want to get inside your network, but many of them are willing to work very hard to know what is “normal” in order to stay hidden and evade detection once they get there.
- Living off the land
Lawson used this term to talk about how hackers can use tools that are already on a system to achieve their goals. He spoke about abusing things like PowerShell and WMI, and he gave multiple examples of how this can actually be done.
- Hiding in virtual shadows
This concept refers to how hackers can infect a system with malware and then rename their software to imitate another legitimate file in order to evade detection. In the example Lawson provided us, what gave the hack away was the fact that the file was found in a different location.
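The location mismatch Lawson described is something a defender can check for mechanically. The following is an added example, not code from the talk or from Dell SecureWorks: it compares the directory each running image was loaded from against an assumed baseline of where well-known Windows binaries normally live, and flags any that run from elsewhere. The baseline table and the process list are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed baseline (constructed for this example): executable name -> set of
# directories it is expected to run from. A real baseline would be built from
# a known-good image of the estate, not hand-typed.
EXPECTED_DIRS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
    "powershell.exe": {
        r"C:\Windows\System32\WindowsPowerShell\v1.0",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0",
    },
}

# Constructed sample process inventory: (pid, full image path).
SAMPLE_PROCESSES = [
    (512, r"C:\Windows\System32\svchost.exe"),
    (1044, r"c:\windows\syswow64\SVCHOST.EXE"),      # odd casing, still legitimate
    (2210, r"C:\Users\Public\Music\svchost.exe"),   # legitimate name, wrong place
    (3302, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (4120, r"C:\ProgramData\lsass.exe"),            # legitimate name, wrong place
    (5001, r"C:\Program Files\Vendor\updater.exe"), # not in baseline, ignored
]

def _norm_dir(path: str) -> str:
    """Parent directory of an image path, lower-cased with Windows separators
    so that casing and slash direction do not hide a match."""
    return str(PureWindowsPath(path).parent).lower()

def find_masquerading(processes):
    """Return (pid, image_path) for every process whose file name matches a
    baselined system binary but whose directory is not in the baseline."""
    hits = []
    for pid, image_path in processes:
        name = PureWindowsPath(image_path).name.lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is None:
            continue  # name not baselined: nothing to compare against
        allowed = {str(PureWindowsPath(d)).lower() for d in expected}
        if _norm_dir(image_path) not in allowed:
            hits.append((pid, image_path))
    return hits

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE_PROCESSES):
        print(f"suspicious: pid {pid} runs {path} from an unexpected directory")
```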
To summarize, just as adversaries are evolving, so must we. We can’t stand still. Otherwise we will be compromised again. Our people, processes, and technology must change to reflect the reality of that threat.
Fostering an Enterprise-Wide Security Culture
Speaker: John Skipper, Director, PA Consulting
As we conduct more of our lives online, building trust around cyber security is critical for success both in the personal and business realms. However, as Skipper observed during his talk, building trust is difficult and takes many years. Not only that, but trust can be lost in an instant.
Businesses need to understand the value of building a secure culture in the workplace if they are to remain successful moving into the digital age. They need to protect their customers, Skipper reminded us, or they will risk losing them to their competitors.
It’s often said that humans are the weakest link, but if managed correctly, they can actually become a company’s strongest asset. Skipper gave the example of going away on vacation: there is no point in locking all the doors if you don’t tell your kids to close the windows. We constantly need to educate our employees, contractors, and others who have access to our networks to help keep the intruders out.
Skipper then went on to talk about four principles that are key to building a security culture:
- Start at the top
Educate the decision-makers and get them to lead by example. Their support of security awareness education means little if they won’t take any action. Use those leaders to encourage the rest of the team to contribute.
- Identify and reward good behavior
This is a really difficult thing to do, noted Skipper. The only way you might know someone is doing their job correctly is if you haven’t heard of anything going wrong on their end. But how do you distinguish between hard work, a lack of information, and sheer apathy?
- Understand the employee
All employees operate at different levels. Companies need to work out who is where and then provide them with the right level of education in order to keep them engaged. For instance, if you provide low-level staff with too much information, they’ll probably just lose interest.
- Make culture change imperative
Companies need to educate senior-level folks on why cultural change is so important. They can try to use business talk and appeal to ideas like “productivity” and “revenue” to back up their points. Doing so will increase their odds of succeeding.
Skipper also went on to talk about the key components needed to build a successful security culture. One strategy that stood out for me was finding folks who understand the importance of security in each department and using them as security advocates. They, in turn, can encourage others to integrate security into their daily lives and routines. By sharing the responsibility of encouraging others to embrace security, those advocates can help a company implement a long-term security strategy.
Finally, Skipper used a couple of case studies that revolved around implementing change to help us see how the theory works in practice.
Security Culture isn’t a new concept. It’s been around for a long time, but as we conduct more and more of our personal and work lives online, it’s imperative that we adopt a security culture to help address each of our organizations’ unique threat landscapes.
Nowhere to Hide: Catching Cross-Platform, Targeted Ransomware
Speaker: Nick Kelly, Director of Product Marketing, WatchGuard Technologies
Ransomware is one of the biggest threats we are seeing in 2016, so this presentation turned out to be extremely relevant.
Kelly started off by discussing the various types of ransomware and their different approaches before moving on to a history of where ransomware started and how we got to where we are today.
Back in 1989, the AIDS Trojan was created. The virus was put onto a floppy disk and mailed out to users. Those who viewed the floppy disk were asked to send money to an off-shore account that claimed to be linked to AIDS research.
It wasn’t until 1996 that we saw something emerge again. This time it was a scientific paper by researchers warning about the potential dangers of ransomware and how we might see it evolve.
Fast forward to 2013, when we saw some real growth. Kelly spoke about the infamous Cryptolocker ransomware and then went into detail about variants including Reveton and Cryptolocker’s evolution into CryptoWall.
After talking about mobile variants on both iOS and Android devices, Nick concluded his talk by touching on Locky ransomware. Due to the evolution of cryptocurrencies, Tor, and other sophisticated technologies, ransomware can now evade detection and spread around the Internet quickly.
However, not all is lost. There are ways organizations can prevent themselves from falling victim to a ransomware infection. Those include the following:
- Prepare – Conducting ongoing security awareness training, implementing effective patch management strategies, and running regular data back-ups are great ways to start.
- Prevention – Better known as defense-in-depth. By using a range of AV software, APT blockers, and other tools, organizations can reduce their risk of falling victim to an attack.
- Response – Being a victim isn’t always the end of the line. In some cases we see decryption keys released by security researchers, and if you’ve backed up correctly, you may find another solution. But Nick did stress: never pay the ransom. By doing so, you are not only making yourself a target for other attacks but also funding cyber criminals.
There’s just one day left of Infosecurity Europe 2016! Make sure you check back tomorrow to read our coverage of some more exciting presentations and goings-on at this year’s Infosecurity Europe conference.
Are you attending Infosecurity Europe this year? If you are, please visit us at Booth #D20 to learn about all the exciting things Tripwire has planned for this year’s conference. And don’t forget to enter our security defender competition while you’re there!
Stay tuned for more coverage of Infosecurity Europe 2016!