Videos

Q&A: The drivers behind the stark rise — and security implications — of ‘memory attacks’

By Byron V. Acohido

A distinctive class of hacking is rising to the fore and is being leveraged by threat actors to carry out deep, highly resilient intrusions of well-defended company networks.

Related: Memory hacking becomes a go-to tactic

These attacks are referred to in the security community as “fileless attacks” or “memory attacks.” The latter conveys a more precise picture: memory hacking refers to a broad set of practices, which can include fileless attacks, that constitute this go-deep form of network break-ins.

I had the chance at RSA 2019 to discuss memory hacking with Willy Leichter, vice president of marketing, and Shauntinez Jakab, director of product marketing, at Virsec, a San Jose-based supplier of advanced application security and memory protection technologies.

They walked me through how threat actors are cleverly slipping snippets of malicious code past perimeter defenses and then executing their payloads undetected while applications are live, running in process memory.

For a long time, memory hacking was the exclusive province of nation-state backed operatives. But over the past couple of years, memory attacks have come into regular use by common cybercriminals. Garden-variety threat actors are now leveraging memory hacking tools and techniques to gain footholds, move laterally and achieve persistence deep inside well-defended networks.

For a comprehensive drill down, please view the accompanying YouTube video of my full interview with Leichter and Jakab at RSA 2019’s broadcast alley. Here are excerpts, edited for clarity and length:

LW: Can you frame this new class of hacking?

NEW TECH: Cequence Security launches platform to shield apps, APIs from malicious botnets

By Byron V. Acohido

Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks.

The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation.

Related: The ‘Golden Age’ of cyber espionage is upon us

The nonstop intensity of these attacks is vividly illustrated by the fact that malicious bot communications now account for one-third of total Internet traffic. Cybersecurity vendors, of course, have been responding. Established web application firewall (WAF) suppliers like Imperva, F5 and Akamai are hustling to strengthen their respective platforms. And innovation is percolating among newer entrants, like PerimeterX, Shape Security and Signal Sciences.

This week a new entrant in this field, Cequence Security, formally launched what it describes as a “game-changing” application security platform. I had the chance to sit down with CEO Larry Link to discuss what Cequence is up to, and why it believes it can help enterprises detect and mitigate bot attacks, without unduly disrupting the speed and flexibility they’d like to extract from digital-centric operations. Here are takeaways from our discussion:

The botnet problem

According to Gemalto’s Breach Level Index, 3.3 billion data records were compromised worldwide in the first half of 2018 – a 72 percent rise in the number of lost, stolen or compromised records reported in the first six months of 2017. Vulnerable online apps and services factored in as a primary target of automated botnet attacks. This activity can be seen at any moment of any day by examining the volume of malicious botnet traffic moving across the Internet.

A bot is a computing node carrying a small piece of code that causes it to obey instructions from a command and control server.

MY TAKE: The way forward, despite overwhelming cyber threats

By Byron V. Acohido

NEW YORK CITY – The Cyber Connect 2017 cybersecurity summit just wrapped up at the beautiful Grand Hyatt located adjacent to Grand Central Station here in the Big Apple. I got the chance to be on the other side of the interview, sitting down with John Furrier and David Vellante, co-hosts of The Cube. We did it live; here’s the recorded stream.

VIDEO: Tempered Networks introduces ‘identity-based networking’

By Byron V. Acohido

Tempered Networks got its start by taking a unique approach toward locking down the industrial control systems (ICS) used at the Boeing Co.’s airplane manufacturing plants.

The problem Boeing was trying to solve at the time turns out to be much the same as the puzzle organizations of all types face today: How do you ingrain security into complex hybrid networks without completely throwing out legacy systems?

Striking that balance in the age of cloud computing and the Internet of Everything is crucial to empowering employees to securely and productively leverage modern IT systems. “Security is great, but business has to run,” says Marc Kaplan, vice president of security architecture and services at Seattle-based Tempered Networks.

ICS technologies predate the internet. So those used in manufacturing plants, utility plants and transportation systems remain a huge security challenge. The rising dominance of cloud computing and mobile devices to run modern-day networks has exposed ICS controls, in particular, to threat actors.

Boeing, for instance, found it challenging to assure security of its industrial controls while also maintaining a high pace of jetliner production. “They had to find a way to identify and separate systems from each other,” Kaplan says. The solution came in the form of an innovative protocol—called HIP, host identity protocol—developed by Ericsson and sponsored by Boeing and the U.S. Navy.

Stability and security

“Essentially, it’s an overlay, so an environment can keep running the systems it ran before,” he says. It’s an identity-based network, an architecture that “rides above” an established system, without changing fundamental system attributes.

Related article: Critical infrastructure attacks remain clear and present danger

It was an important breakthrough, since most industries are reluctant to make wholesale changes to legacy systems that are working. In today’s banking sector, for example, “these systems run very old code, and for good reason,” Kaplan says. “They’re very stable; the upgrading is a high risk.”

Marc Kaplan, Tempered Networks vice … more

VIDEO: Why the NIST framework is so fundamental to network security

By Byron V. Acohido

Put aside the cyber threats, which continue to worsen. All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do in order to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

I recently sat down with Edric Wyatt, security analyst at CyberScout to discuss the first step any organization—of any size and in any sector—can take to become more security mature: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration, likewise, refers to the NIST framework in guidance for medical device manufacturers.

NIST is proactive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective, proactive steps … more

VIDEO: Why the rising use of biometric authentication is driving states to regulate privacy

By Byron V. Acohido

Using biometrics to verify one’s identity is no longer something you’d expect to see only in a Hollywood depiction of a dystopian future. Biometric identification has been in practical use for a while now, and the technology is getting more sophisticated every day.

As you might expect, privacy concerns have arisen along the way. And now the legal ramifications are getting more complicated.

Washington state last month passed House Bill 1493: pioneering legislation forbidding businesses from obtaining or selling biometric information without the consent of the individual. Gov. Jay Inslee is expected any day to sign the new law, which is directed at concerns about the use of biometric identifiers to commit identity fraud.

I recently sat down with Robert Capps, vice president of business development at NuData, to discuss these developments. Based in Vancouver, British Columbia, NuData supplies systems that help ecommerce companies and banks detect and prevent online identity fraud. It does this by studying nuances of how an individual interacts with his or her computing device, such as how the person types on, touches and even holds the device. Here are a few takeaways from our conversation:

Biometric identifiers defined. These are unique physical or behavioral characteristics of individuals, including fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves. Heartbeats can even be used to authenticate users for access not just to secure locations but also in a wide variety of digital services.

Usage becoming commonplace. It’s no longer that unusual for online services to request data referring to your physical traits in lieu of just a username and password. And government agencies are increasingly using biometric identifying technologies to keep places, like airports, secure.

“They’ll use facial recognition, gait analysis—how you walk,” Capps says. “These data points are also used in places like casinos looking for cheats and criminals walking into those facilities. … more

VIDEO: How CIA cyberweapons are increasingly being used to hack banks, credit unions

By Byron V. Acohido

When WikiLeaks released details about the CIA’s arsenal of hacking tools last month, it was like Christmas arrived early for hackers who specialize in cracking into the business networks of financial services companies.

Mandiant, the forensics division of malware detection vendor FireEye, affirmed as much in its M-Trends 2017 report, issued shortly thereafter. The Mandiant report disclosed how cyber criminals have quickly embraced CIA-type tools to juice up their banking system attacks.

I spoke to Bob Thibodeaux, chief information security officer, at Seattle-based DefenseStorm, about this. DefenseStorm provides a security service for community banks and credit unions that monitors network traffic—specifically event log data—for malicious activities.

“What we are seeing with the leak of the CIA’s attack tools are that cyber criminal elements are actually taking advantage of the knowledge of those tools for their attacks,” Thibodeaux told me. “We are seeing them actually using the kinds of tactics that the government actors are using to exploit financial firms, specifically.”

These cutting-edge attacks are showing up in banking systems in southeast Asia, according to Mandiant. But it may be only a matter of time before use of similar tactics, leveraging the CIA leak, spread to banks in other regions. “The attackers are using tools that Windows system administrators would use to actually stay on the network, monitor traffic, figure out how the banking process works, and then steal tens to hundreds to millions of dollars,” Thibodeaux says.

Community banks and credit unions in the United States are likely to be targeted because they are less well-defended than the big multinational banks.

It is all too typical for a small bank or credit union to rely on basic network defense systems, even though malicious probes and communications with criminal command-and-control servers are nonstop.

Unfortunately, it’s not going to get any easier for smaller banks and credit unions to play catch-up, much less neutralize cyber attacks over … more