I am pleased to announce that AttackIQ has been selected as one of the ten founding members of the MITRE Engenuity Center for Threat Informed Defense (CTID).
This is a new series of blogs where I’m going to be writing about “Predicting Attack Behavior”, discussing the anatomy of specific attack categories like ransomware and discussing past and current behavior of such attack categories for the purpose of predicting future behavior and building defensive strategies.
Some of you might be familiar with “The Pyramid of Pain”, first introduced in 2013 by security professional David J Bianco when he was focused on incident response and threat hunting for the purpose of improving the applicability of attack indicators.
As the cybersecurity industry and the talent pool within it are in such high demand, AttackIQ has had a number of customers who have moved from one company to the next and, as they have moved, have brought AttackIQ as a platform to their new teams as a fundamental decision system to accelerate and improve the security program. In this blog, I talk to one of our customers to review their use case of AttackIQ.
The recent audit report detailing numerous breaches of NASA’s Jet Propulsion Laboratory in the last 10 years was released this month. It’s interesting for a few reasons that I’ll go over in this blog, but it is also a reminder of the importance of basic cyber security hygiene. What we learned about NASA’s JPL network from the audit report exposed many security practices that, in all honesty, many organizations also lack. From AttackIQ’s observations, many security organizations focus on adding more mature security technologies and capabilities before they have ensured basic security hygiene is in place, and as a result attackers don’t need to use sophisticated methods to breach the network and move laterally. Because basic defensive capabilities are missing, basic attack techniques are successful.
I am sure that every one of you has heard of IoCs, or Indicators of Compromise. They are the forensics that security investigators look for so they can identify the characteristics of the malicious activity that has already occurred. Some examples of IoCs are:
For the second year in a row, AttackIQ’s observations and analytics have provided the Verizon DBIR team a redacted dataset from our cloud analytics to help find common patterns and observations from emulated attack behavior. Last year, we contributed to a section of the Verizon 2018 Data Breach Investigations Report called “Beaten paths,” where we provided redacted data on what phase in the attack chain most security controls stop the attacker. This year our contributions were again related to attacker paths, but this year the section is called “Unbroken chains,” related to observations of attack paths and event chaining. This is a relatively new section in the DBIR report, and new support has been added to the Verizon VERIS schema that now helps describe this behavior.
Last week, I came across an interesting paper from the Workshop on the Economics of Information Security (WEIS), held in Boston on June 3 and 4, 2019. It examined the cost of the different strategies that organizations use to patch software vulnerabilities across their enterprise.
CIOs, CISOs, SecOps, and IT teams of many organizations are often asked about their specific defensive capabilities. “How well would we handle Locky Ransomware or EternalBlue?”
Most are unable to reliably and objectively provide data-driven answers. Evaluating your own security maturity can help you understand your current capabilities and drive towards a more mature security program, providing your organization with further capabilities.
In this blog post, I’ll review a simplified set of maturity levels that can help you evaluate your security program and discuss how AttackIQ can enable your organization to grow more mature at each level.
I am routinely asked what the key areas of success are for an Enterprise to evaluate a security validation platform that can objectively validate their security controls, produce the proper evidence and enable strategic business decisions. To answer that important question, I’ve put in place 5 keys to success in evaluating a security validation platform that will drive a data-driven security strategy. Additionally, I will be expanding on these 5 areas in future blogs.
Unless you have been living under a rock somewhere, you will have heard about Docker containers. Just as the advent of the shipping container in 1956 revolutionized freight transport, Docker containers have changed the way modern software is packaged and deployed. Unlike a virtual machine, which abstracts out the entire software stack including the operating system, containerized applications and their related components run on top of a single operating system. Since they don't need to replicate the operating system for each application, containers are lightweight but still retain all the benefits of process isolation and more. Each containerized application has a private namespace with private network interfaces and IP addresses, and it can mount its own file systems. The picture below is a simplified view of how a dockerized container sits on top of a host operating system.
I woke up on Saturday morning with a Wired article on my doorstep titled “A Mysterious Hacker Group is on a Supply Chain Hijacking Spree”. Well, it wasn't literally on my doorstep, but rather it popped up on my phone in the form of an email from Carl Wright, our CSO. A few minutes later, I saw comments from Brett Galloway, our CEO.
Last week I covered the licensing implications of open-source software (OSS). There is another critical aspect of open source that we need to be vigilant of, and that is vulnerability management. Unlike commercial software, where critical fixes are made available and pushed to the enterprise, the users of open-source software are responsible for keeping track of vulnerabilities and updating relevant components as soon as new fixes are released.
Earlier this week, as I was scanning the Wall Street Journal, this headline caught my eye: “Norsk Hydro Repairs Systems and Investigates After Ransomware Attack.” Norsk Hydro is one of the world’s largest aluminum makers, headquartered in Oslo with more than 35,000 employees in 40 different countries. On March 19, they were hit by a ransomware attack that disrupted most of their production and forced them to switch to manual operations.
Like many of you, I was excited to see the MITRE Evaluations posted. I quickly navigated to attackevals.mitre.org and started to click on the cards to check out how the different security vendors fared. I expected to see different areas of the MITRE ATT&CK matrix light up based on the detection by a given security vendor. To my surprise, the matrix looked the same for all of the vendor cards. On further reflection, I realized that this is to be expected, as the ATT&CK matrix displayed the tactics, techniques, and procedures (TTPs) exercised by the APT3 group, and, obviously, the same emulation was run on all the different vendor products.
I may be showing my age as I recall the days when malware was primarily spread by depositing infected files on a computer system. This spawned the antivirus software industry, whose basic technique was to scan your disks and sniff around your system for files containing signatures identifying them as malicious entities. Analogous to our living world, antivirus software became the predators hunting down malware like prey before they could cause lasting damage to our systems, our networks, our companies, and even our countries.
RSA 2019 was an incredible conference for AttackIQ. We had many reasons to be excited, as this year we celebrate the 5th anniversary of AttackIQ, and yet it was the first time we had a booth on the show floor! We commemorated these milestones with an incredible booth display to demo our platform, numerous technical partnerships to announce, and our new CEO, Brett Galloway, leading the way! I couldn't have been more proud of AttackIQ as one of its co-founders.
I have been attending RSA for more than 15 years. It's an intense, long week but a rare opportunity to meet with many strategic security leaders and professionals all in one concentrated location. It can be very productive if planned right. Here are a few tips that have helped make my time worthwhile at RSA over the years.