Estimated reading time: 8 minutes
The term shoulder surfing might conjure up images of a little surfer on his shirt collar, but the reality is much more mundane. shoulder surfing is a criminal practice in which thieves steal your personal data by spying on you while using a laptop, ATM, public terminal or other electronic device among other people . This social engineering technique is a security risk that can cause disaster, especially if the stolen credentials are corporate.
The practice long predates smartphones and laptops and dates back to when criminals spied on pay phone users as they entered their calling card numbers to make calls . Many years have passed, but the technique has not been lost. Thieves have evolved to observe their victims typing their ATM PINs, paying at self-service petrol pumps, or even making a purchase in a store.
A similar technique for ATM theft involves a card cloning device superimposed on the card insertion hole and a micro camera to spy on the code. The micro camera performs an act of shoulder surfing . Card cloning is essential because without a physical device the pin is useless, but in the case of account credentials on the network, all you need is user and password.
When does Shoulder Surfing take place?
shoulder surfing can happen whenever you share personal information in a public place. This includes not only ATMs, coffee shops and POS devices in general, but virtually any place where you use a laptop, tablet or smartphone to enter personal data.
Long-time shoulder surfers did not usually loom behind their victims to scrutinize information. Instead, they stood at a safe distance and interpreted finger movements as people typed numbers on the keyboard . Similarly, today’s social engineers often escape attention as they quietly observe others in public places such as airport lounges and shopping malls, bars and restaurants, on trains or subways, or wherever there are people, to tell the truth.
Indeed, today’s most sophisticated criminals are watching from further away, hidden from view. They could use binoculars, micro cameras, or the camera of their phone or tablet to scan your screen or keyboard. Not only that, they may eavesdrop as you read credit card numbers on the phone or provide other sensitive information. Criminals could also take pictures, make a video or audio record of the information and then interpret it later.
Whatever the methodology, it is clear that technology has not only helped us to be more connected and be able to afford to pay for a frappuccino with our mobile phone, but it has also exposed us to security risks. When it comes to sensitive data, especially if there is a corporate account involved that could access other people’s sensitive data, you should never let your guard down , consequences could be very serious .
As shoulder surfing commonly happens
Before suggesting some methods to prevent shoulder surfing to be put into practice immediately, let’s take a closer look at how credential theft could happen with this technique.
At the bar or in the cafeteria
You’re in a busy restaurant bar waiting for a friend. To pass the time, you connect to Instagram. Unfortunately, you don’t notice that the person stuck in line next to you is looking at your password, which happens to be the same one you use for your email and bank account.
At the ATM
You’re taking cash at an ATM. You feel safe because the man after you in line is at least 10 feet away and is even looking at his phone. In fact, he is recording your finger movements on his phone and will later decrypt them to get your PIN number.
To the airport
Your flight is delayed, so grab your laptop and kill your time by reading a couple of work emails to keep up to date. Log in to the company website to read your mail and enter your username and password. You are so calm that you don’t see the woman a few places away as she stares at the screen while you enter data.
What are the consequences of shoulder surfing?
Using your credit card information to make fraudulent purchases is just one example of the damage you could suffer if you fall victim to shoulder surfing . The more personal information a criminal captures about you, the more serious the consequences can be for your bank account and financial health.
A serious case of shoulder surfing can expose you to identity theft . A criminal could use your personal information, such as your social security number, to open new bank accounts, apply for loans, rent apartments, or apply for a job under your name. An identity thief could get their hands on your tax refund, use your name to get medical treatment, or even apply for government benefits in your name. They could also commit a crime and provide your personal information when questioned by the police, leaving you with a dirty record or arrest warrant.
Of course, if you suspect this has happened, you’ll need to go to the police immediately, block your checking accounts and notify the bank. If fraudulent actions have already been carried out in your name, you may need to prove that you are not involved.
Things get dangerous if the stolen data is from a corporate account. In fact, with the use of valid credentials, anyone could enter the company’s system and perform all kinds of actions, such as collecting additional data, placing malware, running a ransomware , steal customer data and then sell it online.
How to defend yourself from shoulder surfing
Two levels of protection can be identified, the first is proactive and is aimed at preventing credentials from being exposed to malicious people, the second is active and provides software to detect attempts to use stolen credentials.
Defend yourself proactively
If you really can’t avoid entering sensitive data on your laptop, tablet or smartphone in a public place, you should follow the countermeasures listed below.
Tip 1: Before entering any sensitive data, find a safe place . Make sure you sit with your back to the wall. This is the best way to protect yourself from prying eyes. Avoid public transport, the central armchairs of a waiting room and places where there is a lot of people coming and going.
Tip 2: Use a privacy filter. This hardware device is a simple polarized translucent sheet that is placed over the screen. It will make your screen look black to anyone looking at it from any unnatural angle . This will make it much more difficult for unauthorized people to see your information.
Tip 3: Two-factor authentication requires a user to prove their identity using two different authentication components that are independent of each other. Since this type of authentication only passes when both factors are used correctly in combination, the security measure is particularly effective. For example, this method is often used a lot in online banking. There are many services that allow you to use your mobile phone as a second authentication factor . This is done through special apps.
Tip 4: Another solution is to use a password manager . By doing so, you no longer have to enter each password individually on your computer. The password manager will do this for you after you enter your master password . This prevents unauthorized people from using your keyboard to determine the real password, provided that you properly protect your master password .
Actively defend yourself with a SOC and behavior analysis
Now let’s imagine that the corporate account credentials have been stolen. At this point only a behavior control system can trigger an alarm and therefore block the user before there is any damage.
In fact, using correct credentials, a normal traditional SIEM would not trigger any alarms. For an older generation SIEM, access would be legitimate, because the credentials are correct. The attacker would have free undisturbed access to the system and could continue with his attack plan.
With SOD’s SOCaaS service, however, abnormal access would trigger an alarm. The SOC provided is equipped with a Next Generation SIEM and a system UEBA control behavior . This means that any deviation from the user’s usual behavior would be reported.
In the case of credential theft, as happens with shoulder surfing, the access made by the attacker would therefore trigger an alarm because something is wrong . For example, the login could take place at anomalous times, in another country / IP, from a different operating system, etc.
shoulder surfing is a social engineering technique that focuses on user carelessness while entering sensitive data into a system. In the event that a user’s corporate credentials are stolen, the only really efficient thing is to have a system that analyzes user behavior and reports whenever suspicious actions are detected.
If you want to know in detail how a SOC and UEBA system can help your company defend against social engineering attacks, do not hesitate to contact us, we will be happy to answer any questions.
Estimated reading time: 6 minutes
The cost of cybercrime has now outstripped the ability to keep up. Gartner, a multinational security and analytics company in the field of technology, predicted that world spending on cybersecurity will be 16 times lower than damage caused. To address this challenge, organizations are now turning to machine learning and artificial intelligence for cybersecurity, trying to fill in the gaps.
The vast majority of malware targets known vulnerabilities, but botnets often go unnoticed within the victim organizations for around 12 days. The problem in many cases is the scarcity of resources a arrangement.
The attack surface has expanded in recent years with the adoption of IoT devices and the spread of BYOD (Bring Your Own Device) work environments. This, combined with the increasing sophistication of the attacks and increasing the security skills gap, has overwhelmed many teams.
In response, service providers MSSP are increasingly implementing a machine learning system in their cybersecurity solutions. This is certainly an interesting field and many security chiefs are looking for a permanent solution in the fight against cybercriminals. But the question is whether the machine learning offered by artificial intelligence can add new value to the realm of security.
Threat detection and prevention
Most companies are operating with a standard security kit. Their rooms are filled with devices that claim they can detect and prevent the latest threats through signature-based detection, predefined policies or custom configurations. Sensors in this category include firewall , DLP ( Data Loss Prevention ), IPS ( Intrusion Prevention System ) and WCF ( Web Content Filter ) . An alarming consideration, as these sensors continue to be adopted in large numbers, many of them may not be configured correctly .
Furthermore, many of these devices operate in complete isolation , unable to share or correlate information or respond to threats with any kind of coordinated strategy. Consequently, controlling these devices also requires an extra layer of sensors , along with additional members of the security team. Of course, more sensors and more data require more people and given the current security skills shortage, this strategy is unsustainable in the long run.
Through a complete system such as a SOC , however, this does not happen. The collection, correlation and analysis take place in a coordinated way in a SOAR (Security Orchestration, Automation and Response) designed to be a unique workflow. Part of these tasks is done by artificial intelligence and machine learning mess and in the service of cybersecurity . The aim is to analyze user behavior and identify anomalies, as well as learn from past analyzes.
Machine learning for cybersecurity
Machine Learning (ML) is a subset of AI (Artificial Intelligence). AI and ML can enhance our human capabilities by allowing us to dig through large datasets and locate patterns behavior or signals that would be nearly impossible for humans to find. This force multiplier allows technicians at their disposal to identify unusual behaviors. Then the behavioral analysis with UEBA (User Entity Behavior Analytics) tools for safety will do the rest. Mundane and repetitive tasks can also be automated with machine learning, allowing scarce cybersecurity staff resources to focus on higher-value tasks.
UEBA and security
Machine learning and artificial intelligence are based on so-called “big data”. Their efficiency and accuracy improve with the amount of data passed to them . The important thing, however, is to collect the right data. This is where UEBA security systems come in. . The combination of accurate and essential behavioral data with machine learning is the strength of this cybersecurity system. This combination allows you to accurately monitor users, providing deep visibility into what they do on a regular basis .
Once a behavior routine has been established, when a user takes actions that the system considers abnormal , a notification is generated. The operations team is thus notified of any action outside the routines defined . If the detected activity is legitimate, analysts can simply label the activity as part of the routine . Machine learning integrates that data into subsequent data analysis for corporate cybersecurity . The crucial step is normalizing behavior , which ensures that that precise action will no longer generate notifications.
Obviously, in the early stages of system installation, the notifications will be numerous . As AI reduces these false positives by “learning”, whenever moves away from normal behavior, l and notifications become more urgent for safety.
The benefits of combining UEBA, machine learning and security
The use of machine learning together with user behavior data provides a level of proactivity to cybersecurity that is not possible when relying on traditional sign-based detection and prevention systems . This is because you are able to detect subtle changes in behavior that are difficult to detect with traditional systems. It is simply not possible to configure a system with every single permutation of rules to detect all attacks.
Detecting low-level reconnaissance activities using UEBA and machine learning is far more likely to trigger your spider senses than other methods. This provides a huge advantage, making it much more difficult for attackers to evade control by flying under any rules-based radar.
The added value
The advantages of using a UEBA security solution built on a machine learning platform for cybersecurity are many. Because their ability to manage network activity routines is refined, not only they can detect abnormal changes in behavior, but this information can become part of a proactive process , identifying and preventing certain behaviors before they occur.
But perhaps most importantly, machine learning is entering the scene at a very sensitive time for cybersecurity. The number of analysts needed to sift through the data by hand and identify threats is exceeding the number of professionals available. Removing the man from a task for which he is not particularly suitable , is free to focus on areas where it can add value, such as further developing cybersecurity protocols.
So, does machine learning add value to cybersecurity? We really believe so.
Costs and proposed solutions
In terms of costs in general, with a UEBA system maintenance is reduced and does not require the hiring of new professionals, especially if you consider the use of the service in SaaS solution.
We at SOD offer the machine learning and UEBA system, together with a SIEM Next Gen in an ideal solution for those who do not want to invest in the installation of dedicated hardware . Our SOC as a Service is designed to optimize your investment and maximize the return in terms of quality of security procedures.
To find out more, visit the service page or contact us to find out how this solution can be useful for your business. We will answer all your doubts.
Estimated reading time: 6 minutes
Despite some seasonal declines, ransomware is still a serious security threat, especially for those who underestimate it . It is often thought that to protect yourself from ransomware it is enough to have a backup copy of your data. This point of view does not take into consideration various aspects. One of them is the relationship between ransomware and NAS ( Network Access Storage ), where you often store a backup copy of the server, thinking it is enough.
Ransomware attacks are capable of rendering entire disks unusable by encrypting the file system . Network disks are at risk, which can also be encrypted, reducing the effectiveness of a backup stored on a NAS.
Definition of Ransomware
Ransomware, as we have seen in other articles, is a form of malware that encrypts the victim’s files. The attacker then demands a ransom from the victim to restore access to data against payment .
Users are shown instructions on how to pay a fee to obtain the decryption key. Costs can range from a few hundred euros to thousands, payable to cybercriminals in Bitcoin.
Once the malware gets executed, it’s almost always too late. In fact, often the victim does not notice until the ransom demand is made or when the entire disk has been completely encrypted.
How ransomware works
There are several ways that ransomware can take to access a server. One of the most common delivery systems is phishing . Some attachments arrive at the victim’s computer in an e-mail message, masked from a harmless file.
Once executed, these software masquerading as harmless files can take control of the victim’s computer, especially if they have social engineering tools built in which trick users into allowing administrative access . Tracing back to the server isn’t as complicated as it might seem.
Some other more aggressive forms of ransomware, such as NotPetya , exploit security holes to infect computers without the need to trick users.
There are several things malware could do once it has taken over the victim’s computer, but by far the most common action is to encrypt some or all of the files it has access to. If you want to get into the technical, here’s more information on how encryption takes place.
The most important thing to know is that at the end of the process, files cannot be decrypted without a mathematical key known only to the attacker . The victim is presented with a ransom note and explained that without a payment, the files will remain inaccessible.
Regardless of the requests and how the ransomware is unleashed in the first place, the thing to note is that there is no data that can be saved. So, if your customers’ data is on a server, they can be involved in such an attack.
If the ransomware encrypts file systems and not just individual files, the problems could multiply.
Ransomware, NAS and backups
One of the ways to mitigate the risk is to have a backup available with which to restore the data without having to surrender to payment. The best practices for management backups do not want there to be backups on the same machine, so it is possible that they are kept on network disks, always accessible from servers. But in fact those disks are part of the machine, as they are accessible.
These disks, called NAS (Network Access Storage), are great solutions for managing files on a network, but they can become as useless as the server in the event of a ransomware attack. If the attack encrypts the file systems, it is possible that finding the remote folders on the NAS encrypts those as well, rendering the backup unusable.
The targets of a ransomware
There are several ways attackers choose which organizations they target with ransomware attacks. Sometimes it’s a matter of opportunity – for example, attackers might target universities because they tend to have smaller security teams and a disparate user base that share many files, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For example, government agencies or medical facilities often need immediate access to their files. .
Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise hidden , and these organizations are often particularly sensitive to a data exfiltration threat.
However, it has been noted that some ransomware is capable of spreading itself on the network . In fact, no one is completely safe, especially if the data stored on the servers is sensitive.
Ransomware and NAS: how to manage backups
As we have seen, ransomware is no small threat to the data stored on corporate servers. Now let’s see what precautions you can take to protect your data and servers.
Do not use NAS for backups
Se il ransomware arriva a un NAS, quasi certamente lo cifrerà rendendo il backup inaccessibile. Evitare questo problema è facile: usare il cloud!
The server provider should offer the ability to store machine backups on the cloud . This means that the backups are not always reachable by the server and therefore the software is unable to encrypt them.
This is the standard of our VPS service . In case of compromise, in fact, it is sufficient to restore the virtual machine to an earlier state through one of the backups stored in the cloud .
Alternatively, you can backup on premise , ie locally, physically in the company. Using the Acronis Backup service you can perform a backup on an external disk not connected to the network.
Another solution, hybrid of the previous ones, is to create a backup through Acronis and store it in the cloud and not locally. You maintain the advantage of having a remote backup that is not connected to the server constantly.
Finally, it is correct to mention that there is another solution, the precautionary solution. With the use of our service SOC and thanks to the use of latest generation analysis systems, it is possible to immediately identify a malware or an attack ransowmare and block it before it does damage.
Whether it is adopting best practices for backup and storing them remotely, or adopting a SOC to protect this aspect and many others in the field of IT security , SOD is available to discuss the situation and find a solution tailored to the needs of your company.
Contact us to ask for information, we will be happy to answer any questions.
Estimated reading time: 6 minutes
As the cybersecurity threat landscape becomes increasingly sophisticated, service providers, such as SOD, need to take additional precautions to protect their customers’ networks. An information management system and monitoring SIEM is an excellent choice in this respect.
This system, in fact, helps mitigate cybersecurity threats from two different angles, all from a single interface . The SIEM monitoring system collects information from multiple sources: network data, threat information feeds, compliance regulations, firewalls, etc. Next, uses that data to power features designed to help IT administrators respond to threat events in real time.
Advantages of SIEM monitoring
In contrast to individual security control systems such as asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from various systems – even very and offering unprecedented visibility into events occurring in the system.
SIEM is not a threat detection system in and of itself, but enhances the security tools already in use by providing real-time insights to work from . In particular, SOD uses a Next Gen SIEM in a SOAR ( Security Orchestration, Automation and Response ) which also includes advanced behavioral analysis tools ( UEBA ).
If you put high-quality log files into a SIEM tool, you receive high-quality insights into network security . This information can help improve network security protocols.
Unfortunately, many administrators treat SIEM implementation as a solution to be set up and then forgotten. To experience the full benefits of managing information and security events , you need to implement a set of best practices to optimize your solution, starting with security logging.
The logs of a SIEM
How does security monitoring fit into SIEM implementation best practices ? If you look at the SIEM in its main components, it is a log management system .
All the information that a SIEM tool collects is in the form of logs, or records of events occurring within an organization’s IT infrastructure and network.
Examples of logs collected by SIEM include, but are not limited to: Firewalls, routers, wireless access points, vulnerability reports, partner information, antivirus and antimalware.
However, as SIEM tools have a very broad reach and constantly collect log data from all parts of the system, can be a bit complicated and impractical to implement . SIEM best practices help avoid pain points along the line of operation. This way you use SIEM as effectively as possible right from the start.
1. Start calmly
The most common mistake made in implementing SIEM monitoring is trying to do too much too soon . Before you even start looking for a SIEM solution, in fact, it is best to define the scope of your SIEM implementation and think about what you want SIEM to do for your network and infrastructure.
We start by isolating the objectives , taking stock of existing security protocols and brainstorming how these protocols fit into the future SIEM implementation. You can also segment anything you want to monitor into groups and define how you want to monitor them. This helps ensure that you have a clear plan for logging.
Once an initial planning has taken place, the SIEM system does not yet have to be implemented across the entire IT infrastructure. It is better to proceed piecemeal.
You should then test the SIEM monitoring solution on a small section of the system to see how it works. Only then are key security vulnerabilities identified that should be addressed immediately and proceed with implementation in subsequent segments.
Setting up SIEM monitoring step by step, rather than running everything right away, will help ensure that logging works in harmony with the rest of the IT section .
2. Think about the requirements
SIEM monitoring can help the company demonstrate compliance with security regulations and audits, but only by knowing what these standards are in advance . Before committing to a SIEM system, you create a list of HIPAA, GDPR, HITECH and any other IT regulations that you need to comply with. The list is then used to compare the required regulations with the solutions that are put into practice.
Not only does this narrow down the list of standards, it will force you to consider how much log data you actually need. Keeping the correct amount to be compliant, also aligns with best practices of SIEM logging and monitoring .
Obviously, the solutions and protocols to follow are not the same for everyone and need to be adapted according to the position of the individual company. For this particular aspect, SOD can help your company both in gathering the information necessary to identify which standards to follow, and in the standards verification once implemented.
3. Fix the correlations
SIEM correlation streamlines its implementation, allowing you to configure the system according to the specific needs of their customers. SIEM works by collecting data from multiple sources and then filtering, analyzing and correlating it to determine if it deserves to be reported as a security alert.
For this it is essential to correlate the rules and set alarm thresholds based on the type of data and their origin . It is important to remember, in fact, that SIEM is designed to find connections between events that would not otherwise be related to each other.
Setting up a SIEM monitoring system is a delicate but fundamental operation to improve the security system for a particular company.
4. Collect data efficiently
Through a SIEM monitoring system it is possible to collect such an amount of data that it could become complicated to manage. It becomes important to choose in a balanced way which data to use in order to optimize the right amount without losing the advantage of having the entire system under control .
Among the data that it is better not to leave out are: Successful permissions and failed attempts, changes to user privileges, application errors and performance problems, opt-in and in general all the actions made by users with administrative privileges.
The following are excluded: information whose collection is illegal, banking information or credit card data, encryption keys, passwords and personal data .
5. Have a plan in case of a detected threat
Choosing the right SIEM solution and employing logging best practices is only part of the job. You need to have an action plan in case of cyber threat .
For the company that relies on a MSSP as SOD, this means making sure that monitoring is only the first part of the service provided. Ideally, SIEM monitoring is the first piece of a well-designed SOAR that puts in place professional operators, alert notifications and a recovery plan in accordance with the type of data put at risk .
In this respect, the SOC as a Service we offer covers most of the eventualities.
Monitoring is a fundamental part of the corporate security system and a SIEM is one of the ways to put it into practice. However, we must not stop at the collection of information, we must know how to treat, enrich and analyze it.
SOD offers comprehensive services that implement SIEM monitoring systems. The implementation obviously implies a “calibration” of the systems and of the correlations between the data in order to always offer the most suitable solution.
If you would like more information about our products, do not hesitate to contact us, we will be happy to answer your questions.
Estimated reading time: 5 minutes
Cyber Threat Hunting is a proactive security search across networks, endpoints and datasets to hunt down malicious, suspicious or risky activities that have escaped detection by existing tools.
There is a distinction between malware detection and cyber threat hunting . Threat detection is a passive approach to monitoring data and systems to identify potential security problems. However, it is a necessity and can help a threat hunter . Instead, proactive threat hunting tactics have evolved to use new threat intelligence on previously collected data to identify and classify potential risks before the attack .
Security personnel cannot afford to believe that their security system is impenetrable. Must always remain vigilant for the next threat or vulnerability . Rather than sitting around and waiting for threats to strike, cyber threat hunting develops hypotheses based on knowing the behaviors of threat actors and validating those hypotheses through active research in the environment .
With threat hunting, an expert doesn’t start with an alarm or indicators of compromise (IOC), but with deeper reasoning. In many cases the threat hunter’s efforts create and concretize the alarm or the IOC.
This aggressively assumes that a breach has occurred or will occur at the company. Security officers hunt down threats in their environment rather than rely on automatisms.
Threat hunting practice
For companies that are ready to take a more proactive approach to cybersecurity , which tries to stop attacks before they get too deep, adding threat hunting protocols to their security program is the next logical step.
After consolidating endpoint security and incident response strategies to mitigate the now unavoidable known malware attacks, companies can begin to take the offensive . This means digging deep and finding what hasn’t been detected yet. This is precisely the purpose of cyber threat hunting.
As mentioned earlier, threat hunting is an aggressive tactic that starts from the premise of the “assumption of violation”. Attackers are already inside an organization’s network and are secretly monitoring and moving into it.
This may sound far-fetched, but in reality, attackers can be inside a network for days, weeks, and even months . In the meantime, they prepare and execute attacks as advanced persistent threats, with no automatic defense detecting their presence . Cyber threat hunting stops these attacks by looking for covert indicators of compromise (IOCs) so they can be mitigated before the attacks reach their goals.
The key elements of a threat hunting
The goal of the threat hunt is to monitor daily activities and traffic across the network and investigate possible anomalies to find any undiscovered malicious activity that could lead to a complete breach . To achieve this level of proactive detection, threat hunting incorporates four equally important components.
To be successful in hunt for threats, companies must commit to a proactive, full-time approach that is continuous and evolving. Instead, a responsive, ad hoc implementation, “ when we have time “, will be self-defeating and will only lead to minimal results.
Most companies already have comprehensive endpoint security solutions with automatic detection. Threat hunting works in addition to these and adds advanced technologies . The aim is to find anomalies, unusual patterns, and other traces of attackers that shouldn’t be in systems and files.
The new cloud-native endpoint protection (EPP) platforms that leverage big data analytics can capture and analyze large volumes of non-data filtered on endpoints, while behavioral analytics and artificial intelligence can provide broad, high-speed visibility into malicious behaviors that seem normal at first.
3. Highly qualified and dedicated staff
The threat hunters are a race of their own. These experts know how to use the security technology deployed by companies. In addition, also combine the aspiration to go on the offensive with intuitive problem-solving skills to uncover and mitigate hidden threats.
4. Threat intelligence
Having access to evidence-based global intelligence from experts from around the world (e.g. Miter Att & amp; ck ) further improves and accelerates hunting for existing threats. Hunters are aided by information such as attack classifications for identifying malware and threat groups , as well as advanced threat indicators.
The abilities of a threat hunter
The Threat Hunting Report from Crowd Research Partners confirms the importance of certain capabilities for threat hunting. When asked to rank the most important skill, the survey found that:
69% chose threat intelligence
57% chose behavior analysis
56% chose automatic detection
54% chose machine learning and automated analysis
The profile of a threat hunter
Threat hunters look for attackers who manage to break through vulnerabilities that a company might not even know exist . These attackers spend a considerable amount of time planning and performing the reconnaissance, acting only when they know they can successfully penetrate the network without warning. They also inject and build malware that has not yet been recognized or use techniques that do not rely on malware at all, to provide a persistent base from which to attack.
What does it take to outsmart even the smartest attackers?
A cyber threat hunter is relentless and can find even the smallest trace of what attackers have left behind. In general, threat hunters use their skills to undo the small changes that occur when attackers make their moves within a system or file.
The best threat hunters rely on their instincts to sniff out the stealth moves of the most dangerous attacker.
Are you a threat hunter? Contact us!
SOD is looking for a SOC / ICT analyst to add to the team. If you think you’re the right person, visit this page to view the detailed job posting.
Estimated reading time: 6 minutes
Cyber Security is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. It is also known as Information Technology Security and Electronic Information Security . The term applies in a wide variety of contexts, from business to mobile computing and can be divided into a few common categories.
We can divide cyber security into several areas of interest which I list briefly below. In almost every situation listed, SOD has a dedicated service.
Cyber Security areas of interest
network security is the practice of protecting a computer network from intruders, whether it is targeted attacks or generic malware .
application security focuses on keeping software and devices free from threats. A hacked application may be providing access to data that it was designed to protect. Robust security begins in the design phase , well before a program or device is deployed. This is why analyzing the code of an app is essential before it is released.
operational security includes processes and decisions in the management and protection of resources and data. The permissions that users have when accessing a network and the procedures that determine how and where data can be stored or shared all fall within this scope.
Disaster recovery and business continuity define how an organization is able to respond to a cyber security incident or any other event that causes data loss . Disaster recovery policies dictate how the organization restores its operations and information to return to the same operational capacity as before the event. business continuity is the plan the organization resorts to as it tries to operate without certain resources.
The human part of cyber security
End User Education addresses the most unpredictable factor in cybersecurity: people . Anyone can accidentally introduce a virus into an otherwise secure system by not following security best practices. For example, teaching users to delete suspicious email attachments and not insert unidentified USB drives is vital to the security of any organization .
In this area, particular importance should be given to scams, phishing and in general social engineering, which relies on the element usually more weak computer system: the operator.
The scope of cyber threats
The global cyber threat continues to evolve at a rapid pace, with a increasing number of data breaches every year . A report from RiskBased Security revealed that 7.9 billion documents were exposed to data breaches in the first nine months of 2019. This figure is more than double (112%) of the number of documents exposed in the same period the previous year.
I medical services , retailers and government agencies have experienced the most breaches , with malicious criminals responsible for most accidents. Some of these industries are more attractive to cybercriminals because they collect financial and medical data, but all companies using networks can be targeted for their customers’ data, corporate espionage, or to attack customers .
What governments do
With the scale of the cyber threat set to continue to grow, the International Data Corporation predicts global spending on cyber security solutions will reach a record $ 133.7 billion by 2022 . Governments around the world have responded to the growing cyber threat with guidance to help organizations implement effective cybersecurity practices.
In the United States, the National Institute of Standards and Technology (NIST) has created a cyber security framework , to combat the proliferation of malware code and aid early detection. The framework recommends continuous, real-time monitoring of all electronic assets .
The importance of system monitoring is resumed in the “ 10 steps to cybersecurity “, a guide provided by the UK government’s National Cyber Security Center . In Australia, the Australian Cyber Security Center (ACSC) regularly publishes guidance on how organizations can counter the latest cybersecurity threats.
In Italy we have the national framework for cyber security which provides tutorials, guides and European standards on cyber security .
MSSP and cyber security services
A Managed Security Service Provider (MSSP) provides monitoring and management in outsourcing for security devices and systems. In practice it takes care of all cyber security measures for the company requesting the services.
SOD is an MSSP and the services offered include protection and monitoring of various sectors of the corporate IT department.
Our verification services include vulnerability and penetration testing , as well as the analysis of safety procedures . With the SOC as a Service service we provide the potential of a Security Operation Center , relieving the company of installation and management costs. The SOC adopts latest generation technologies such as SIEM Next Gen and UEBA , which introduce analysis by an AI for motoring logs and users .
SOD uses security operations centers to provide 24/7 services designed to reduce the number of operational personnel that a company must manage, while still guaranteeing levels of cyber security excellent.
But defense fronts don’t stop at software and machines, must also include the most unpredictable element: the end user . That’s why our offer for companies also includes people-oriented services, as we will see shortly.
End user protection
End user protection is a crucial aspect of cyber security . After all, it is often the end user who accidentally loads a malware or other form of malware on their device .
As suggested earlier, the security protocols set up by SOD analyze software in real time. Through behavioral analysis systems we can monitor both the behavior of a software and the user . In the case of an attack based on lateral movement , for example, abnormal accesses and requests by a user can be indicators of an attack in progress.
But we don’t stop there, we can test the company against techniques of social engineering , phishing and physical tampering. Thanks to the ethical hacking services and consequent report, we are able to identify the company’s weak points and suggest effective strategies to mitigate the risks. In the case of phishing, we also organize ad hoc training based on the weaknesses highlighted in the report.
Through the physical security service, in addition to the IT vulnerability testing services, we put ourselves in the play the bad guys and try to carry out physical attacks . For example, we try to enter corporate buildings that should be protected, we try to reach network infrastructures and install potentially harmful hardware, etc.
Thanks to a team of ethical hackers and trained and trained operators, we test every aspect of cyber security before a risk becomes a problem .
If you want more information about our services or have any questions, don’t hesitate to contact us.
Estimated reading time: 9 minutes
Spam seems to reach every single email account we use , no matter how careful we are or what the address provider is. How do spammers get all of our email addresses? Can we do something to hide our email address from common spammer techniques?
Unfortunately, there’s not much you can do to stop spammers from bombarding you with emails. There are some tips that will help protect you, but spammers will probably find your email address anyway .
The problem is not so much the unwanted advertisement message, but rather what it means that you received a message. How did you react? Did you delete it? Did you click on any links? Have you flagged it as spam? Any action could bring useful information to attackers without you noticing.
Let’s face it more clearly and start with a question: where do spammers find our e-mails?
Spammer techniques for retrieving e-mail addresses
Nobody gives their email to a website and expects it to end up in the hands of a scammer. Yet it’s not uncommon for someone to find their inbox full of unsolicited spam emails.
The simplest of the techniques spammers use to collect large lists of active email addresses is through stolen account databases. These password thefts happen with frightening regularity. Companies like Adobe, LinkedIn, eHarmony, Gawker, Last.fm, Yahoo !, Snapchat and Sony have all been compromised in recent years .
Leaked databases are normally considered a security threat because they often display account names and passwords. However, generally show email addresses as well. Spammers can download these leaked databases and add the millions of email addresses to their lists . Spammers know that most of these email addresses should be active , so these databases are excellent for them.
This is probably how most spammers are finding email addresses to send spam. There really isn’t much you can do to protect yourself from a spammer who gets your address this way.
A site like Have I been pwned? can tell you if the information of your account may have been spread .
You can protect yourself from password theft by using different ones, unfortunately, you must always use the same email address everywhere , it would be unthinkable to have an address for each service used.
Link in mail messages
If you receive spam emails, you should avoid clicking on the links in the email . If you find an “Unsubscribe” link in an email from a legitimate company, it’s probably safe to click it. A real company doesn’t want to spam and potentially run into anti-spam laws, so they will simply remove you from their list.
However, if you see an “Unsubscribe” link (or, even worse, a “Buy Now!” link) in an email that looks very unprofessional and scam, the spammer will not necessarily remove you from his lists .
This is where things get more complex. They will notice your click and their systems will identify your email address as active . They know you’re there, and you may see larger amounts of spam after clicking the link.
The same goes for uploading images in spam emails. Do not click the “Upload images” button, or spammers will know that you have opened the email . Even if you don’t see an image in the message, there may be a small tracking pixel that allows the spammer to identify you if you upload the asset.
This is why most email clients don’t automatically upload images.
E-mail scraping, search for unencrypted e-mails on the net
Another spammer technique to retrieve addresses from the network is to scrape them ( scraping ) from the unencrypted data on the network. There are software out there that read files on the net and find those that contain e-mails and save them. A bit like Google’s crawlers do when they crawl a site, but with malicious intent.
You may have seen a comment where someone leaves their address to be contacted. The bot that scans the network will save similar addresses.
The spammer adds this address to his spam lists et voilà , spam is served . This is why eBay provides a temporary email address where you can be reached rather than including your real email address. This technique is probably less common now that spammers have huge leaked account databases to work with.
Spammers can also try to acquire valid email addresses by browsing other places that are publicly available, such as whois records for a domain . These records show an email address associated with the person or organization that registered the domain name.
Purchase of email addresses
Another spammer technique, definitely for lazy hackers, is to buy addresses from databases that provide them.
Unscrupulous people sell email lists to spammers for a low price. These addresses were often distributed on CD in the past , and may still be, but the leaked account databases have probably eliminated some interest in this market.
Spammers can also simply exchange their mailing lists with each other, making sure other bad guys get their hands on your address once it happens the first time.
Please be aware that this technique is not entirely illegal. When we subscribe to a service, we often have the possibility to provide our e-mail address to third parties for advertising purposes. Some users accept without reflection and without verifying whether it is an obligation to subscribe to the service or not. .
I personally happened to be contacted by a person who, with no intent to spam, but to make up the number, had bought my address from a contact resale agency, divided by areas of interest. If he had been a spammer, he could have used a similar service.
How to protect your address
Spammers can also obtain email addresses in other ways but the methods listed above are some of the most common.
There isn’t much you can do to prevent your email address from being leaked and receiving spam.
- – you can avoid putting your e-mail address on the web in plain text form
- – never click on a link
- – don’t upload a image in a suspicious email.
However, your address will almost certainly end up in the hands of a spammer at some point.
Actually, you don’t have to worry so much about whether the address is in circulation, but about how the address is used, especially if it is active.
Spammer techniques of using addresses
Once a scammer obtains your email address, it is very likely that they will use it to take advantage in any way possible . The better he is, the greater the risks.
Many will send you spam emails, with the hope of collecting private information such as credit card numbers . They will try to trick you into believing that you have won something, or that they have a profitable item for sale. Hackers may also use your email to steal your identity and send messages to your contacts . Remember the techniques of Zombie Phishing ?
Other scammers will use your personal information to try to access your other accounts . Most people reuse the same passwords for different accounts, which means that hackers who have access to one account can easily infiltrate the others.
This is why using the same passwords around the web is highly discouraged and not secure at all.
One of the reasons why you should never actively interact with spam messages is that interactions send hackers an important piece of information: the address is active, someone uses it on their device.
An active address, once discovered, is a perfect target for more specific attacks than phishing , and since all addresses are at risk, even corporate ones, from phishing you can easily get to a double extortion ransomware .
In the latter case, the threat of a DDoS attack may already come from mentioned zombie phishing technique, and it could all have started with some spam message.
The computers that will basically send requests to the server to perform the DDoS attack could themselves be part of a botnet created as a result of techniques used by spammers .
Phenomenology of an attack
As a first spammer technique, company addresses are retrieved . This can be done through scraping or database buying on the dark web. Next, to check which addresses are active , a couple of spam campaigns are sent. Nothing harmful, fake newsletters with an obvious Unsubscribe message, or a tracking pixel.
Note: A tracking pixel is usually a very small transparent image that is uploaded from a remote server. Just check how many times it has been downloaded and by whom to understand which addresses are active and which are not .
As a result, the contact database will have shrunk to a list of active addresses , in which users have been inattentive enough to click on a link from a suspicious email.
Finally, to these selected addresses, is sent a real phishing message containing malware or a request to intervene on a seemingly legitimate web page . For example, the request to reset your credentials via the attached link.
The unsuspecting user, thinking he is doing a safe thing, follows the link, enters the credentials and gives them to the spammer . At this point the attacker has gained access to an account. From that moment on, the risks are much more and much more damaging.
How to defend against spammer techniques
Let’s take a few steps back. The whole chain of events that led the hacker to gain access to an important account went through spam and phishing messages.
In some of the passages, the attack could have been avoided . The ability to recognize a suspicious message and then ignore it is the first weapon available to a user. SOD can help your business with this .
Through a ethical phishing service, we first test the resilience of users . Once any weak points have been identified, a training course ad hoc is constructed to provide adequate proactive defense tools to all employees.
SOC as a Service
Not always being aware users is enough , and a careless mistake could cost a company a lot of sensitive data. For this reason, we can also implement a service SOCaaS for the mitigation of risk and damage following an attack.
In this scenario, a system consisting of next generation SIEM and protocols UEBA implemented by an artificial intelligence, they monitor the network in search of any anomaly . Any suspicious behavior is identified and analyzed by technicians to see if it can actually become a threat or not.
If you would like more information on how SOD can help you raise your company’s cybersecurity level, don’t hesitate to contact us.
Estimated reading time: 6 minutes
Out of nowhere, someone replies to an email conversation dated months ago. This is a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity. This email seems very relevant, but beware, it could be zombie phishing .
Indeed, something is wrong, the topic discussed has been over for months and now there is a strange error message in the body of the email. This is a sneaky tactic: revive a long dead email conversation.
Not the usual phishing
The Cofense ™ Phishing Defense Center ™ (PDC) spotted a large Zombie Phishing campaign in 2018. The scam , like almost any phishing attack, is carried out through compromised email accounts.
Scammers take over an email account and respond to long-closed conversations with a phishing link or malicious attachment (e.g. malware or a keylogger ) . Since the email subject is usually relevant to the victim, a curiosity-driven click is very likely to occur . In fact, let’s not forget that the original conversation was already present in the messages received, it is easy to think that it is a follow up or similar.
These Zombie Phishing attacks appear to use automatically generated infection URLs to evade detection. No two links are alike, and they are hidden behind “error” messages without too many frills in the body of the message. This scenario provides a pattern of apparent legitimacy for the users who are victims.
The zombies in computer science
In the computer industry, a zombie is a compromised computer connected to the network. The compromised state could be due to a hacker, virus, malware, or trojan horse .
The infected machine performs malicious tasks under a remote direction. Zombie computer botnets are often used to spread email spam and launch denial-of-service (DoS) attacks.
Types of attack
Here are some observed patterns of Zombie Phishing carrying malicious links . A distinguishing factor was the use of two distinct graphic templates containing button or link error messages.
The message reads something like “Incomplete message” or “Inability to show the whole message”. The link or button invites you to click to see the original message. Obviously the click only involves the installation of a malware or other similar events . Note that no two identical links have been identified, a sign that probably a bot was generating the addresses.
Another common factor is the use of domains with the
.icu TLD. This is probably a factor that varies considerably over time. Here are some of the domains found in the first analysis of 2018:
These zombie phish attacks have been observed to use official organizational logos to add legitimacy to the fake login pages. A common practice in phishing techniques that we have already seen in other articles.
Landing pages are designed to look like a legitimate online portal, including a company logo and even a favicon. In these cases the ultimate goal is the theft of the victim’s credentials .
Furthermore, any victim who visits the malicious website is “tagged” using the host’s IP address as an identifier and, after entering the credentials, is directed to the same spam website seen by other victims. This is often done via obfuscated links using URL shorteners (such as
If the same host tries to visit the phishing link again, the fake login page is skipped and you are forwarded directly to the spam page. This markup and URL shortener obfuscation helps attackers keep a low profile and continue their campaign unabated.
The conversation hijacking tactic is by no means new and is now living a new life with zombie phishing . Scammers have hijacked compromised email accounts to distribute malware and phishing emails as replies to conversations that have been concluded for years now.
This technique is still popular because it makes victims much more likely to click on links and download or open files. The threshold of attention against classic phishing attacks is lowered when messages are brought into conversations already in their inbox .
A couple of years old example of this was the botnet Geodo . Basically it is insertion into existing email threads ( conversation hijacking ) to deliver malicious documents. These, in turn, download a sample of Geodo or other malware such as Ursnif , which according to Key4Biz was the most widespread in Italy in June 2020.
However, the effectiveness of this tactic can greatly depend on the content of the conversations . A reply to an automated advertising email is less likely to cause an infection than a reply to a help-desk support thread.
There have been several Geodo zombie phishing campaigns consisting of replies to automated advertising emails. This is an indication that, in some cases, campaigns consist of indiscriminate replies to all emails in a mailbox. Since the volume of these conversation hijacking is still relatively low, the small reach of these emails is probably limited by the number of ongoing conversations .
Certain account types are therefore more likely to attract the direct attention of threat actors and induce them to invest additional effort and time in developing unique phishing campaigns for those accounts.
Defense from zombie-phishing
Here are some quick tips to avoid losing your credentials in a Zombie Phishing attack:
- Beware of email subjects that may seem relevant but come from old conversations
- Beware of any error message in the body of the message
- Don’t trust attached documents just because they’re replying to a conversation
- Hover your mouse over buttons or links in suspicious messages to check for suspicious domains
It has been observed that these campaigns have gotten smarter . To combat this and other forms of phishing, employee training is key.
A properly trained workforce is what it takes to defend your organization against Zombie Phishing attacks.
SOD offers a full service in this regard . We begin by attacking the company in a controlled manner, testing any weaknesses in employee safety or behavior. Subsequently, specific training is designed to remedy the gaps and fully train the staff.
To keep defenses high, our SOCaaS includes the analysis of user behavior, logs of connected machines and the network in a to immediately identify phishing attempts.
Estimated reading time: 10 minutes
Social engineering is the term used for a wide range of malicious activities performed through human interactions. It uses psychological manipulation to trick users into making security mistakes or provide sensitive information. Then, with that information, the hacker is able to successfully carry out targeted attacks, such as data theft, a ransomware or a ‘ interruption of services.
Social engineering attacks usually occur in stages . The perpetrator first investigates the intended victim to gather the necessary background information , such as potential entry points and weak security protocols, required to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide incentives for subsequent actions that violate security practices, such as disclosing sensitive information or granting access to critical resources.
What makes social engineering particularly dangerous is that it relies on human error rather than vulnerabilities in software and operating systems . Mistakes made by legitimate users are much less predictable, making them more difficult to identify and thwart than a malware-based intrusion.
Note that the target of a social engineer is not necessarily a network or software . Being able to enter a building evading security, and then installing a device or stealing documents, are actions that still fall under this type of attack.
The techniques of social engineering
Social engineering attacks come in many different forms and can be carried out wherever human interaction is involved . The following are five most common methods of digital social engineering attacks.
Baiting (from “bait”)
As the name suggests, baiting attacks use a false promise (a decoy , indeed) to whet the victim’s greed or curiosity. They lure users into a trap that steals their personal information or installs malware on their systems.
The most infamous form of baiting uses physical media to disperse malware . For example, attackers leave the bait (typically infected keys) in conspicuous areas where potential victims are certain to see them (e.g. bathrooms, elevators, the parking lot of a targeted company). The decoy has a legitimate look, like a label indicating the content, like the company’s payroll. The clue that reveals what it should contain may change, of course, but has the potential to be potentially very interesting .
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic installation of malware on the system.
Lure scams don’t necessarily have to be done in the physical world. Forms of online baiting consist of enticing advertisements leading to malicious sites or encouraging users to download a malware-infected application. Here it leads to the phishing techniques, which we will see shortly.
Defense notes : to defend against these social engineering attacks, as well as paying close attention to what is connected to your computer, it does not hurt to have an efficient antivirus and anti-malware system. For the company, a new generation SIEM system and UEBA help in detect suspicious user behavior and greatly reduce the risk of malware infection.
Scareware (from “to scare”)
Scareware consists of bombarding victims with false alarms and fake threats . Users are tricked into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than the perpetrator) or is malware itself. Scareware is also called deception software ( deception software ), rogue scanner software and fraudware .
A common example of scareware is the legitimate-looking popup banner that appears in your browser as you browse the web , displaying text such as “ Your computer may be infected with spyware programs harmful “. In other cases, the popup offers to install the tool (often infected with malware) for you, or directs you to a malicious site where your computer is infected.
Scareware is also distributed via spam email which distributes bogus warnings, or offers users to buy useless / harmful services. Social engineering is often very imaginative and manages to find ever new ways to deceive. Always be alert.
Defense notes : In case you suspect that the received message is really legitimate, it is best to seek a solution actively , i.e. without using the links suggested by the message same. For example, we received a message from a service announcing that our account has been compromised. If in doubt, you can contact the support of the service directly from their site to ask for clarification. Avoid using the links suggested by the suspicious message at all costs .
Pretexting (from “to pretend”)
In this social engineering attack, an attacker gains information through a series of cleverly constructed lies . The scam is often initiated by an perpetrator who pretends to need sensitive information from a victim in order to perform a critical task.
The attacker usually begins by establishing trust with his victim by impersonating colleagues, police, bank and tax officials, or others who have a right to know authority . The hacker asks questions that are apparently necessary to confirm the victim’s identity, through which he collects important personal data.
Many types of information are collected using this technique, such as identity card numbers, personal addresses and telephone numbers, telephone records, staff vacation dates, bank records, and even security information relating to a physical facility.
Any information, however harmless it may seem, could later be used for a second attack. Even the name of a security guard hired by the company could already be enough to build trust and ask for a tear to the rule when asking for the access code to automatic doors.
Phishing (from “to fish”)
As one of the most popular types of social engineering attacks, phishing scams are email and text message campaigns that aim to create a sense of urgency , curiosity or fear in the victims . Then it prompts them to reveal sensitive information, click links to malicious websites, or open attachments that contain malware.
An example is an email sent to users of an online service notifying them of a policy violation that requires immediate action on their part, such as a mandatory password change. Includes a link to a website, nearly identical in appearance to its legitimate version, which prompts the user to enter their current credentials and new password . After submitting the form, the information is sent to the attacker.
Since identical, or nearly identical, messages are sent to all users in phishing campaigns, detecting and blocking them is much easier for mail servers that have access to threat-sharing platforms.
Defense note : While it is true that in some cases we have become accustomed to not giving weight to these kinds of messages, it is also true that social engineers have become increasingly clever. There is no need to let your guard down. Instead, it is very useful to always be wary of messages that require credentials.
These attacks leverage the fact that it’s easy to fool some users, whether out of distraction or naivety. The best defense is employee training through a ethical phishing service and subsequent targeted training.
Spear phishing (from “spear, and “to fish”)
This is a more targeted version of phishing in which an attacker chooses specific individuals or businesses . They then tailor their messages based on their victims’ characteristics, job positions, and contacts to make their attack less obvious. Spear phishing requires a lot more effort from the author and can take weeks and months to complete. They are much harder to detect and have better success rates when done skillfully.
A spear phishing scenario could involve an attacker who, impersonating an organization’s IT consultant, sends an email to one or more employees. It is worded and signed exactly as the consultant normally does, thus fooling recipients into thinking it is an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.
How to defend against social engineering attacks
Social engineers manipulate human feelings, such as curiosity or fear, to carry out patterns and lure victims into their traps. Therefore, it is essential to be cautious whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across digital media wandering around. Being alert can help protect you from most social engineering attacks that happen online.
Additionally, the following tips can help you improve your vigilance in relation to social engineering attacks.
- Do not open emails and attachments from suspicious sources . If you don’t know the sender in question, you don’t need to reply to an email. Even if you know them and are suspicious of their message, cross-check and confirm the news from other sources , such as over the phone or directly from a service provider’s website. Even an email that appears to come from a trusted source may have been initiated by an attacker.
- Use multi-factor authentication . One of the most valuable pieces of information attackers look for is your user credentials . Using 2-factor authentication helps ensure the protection of your account in case of system compromise. There are free applications for all types of mobile devices that allow you to implement this type of authentication.
- Be wary of attractive offers . If an offer seems too tempting , think twice before accepting it as real. Use Google to check the topic and quickly determine if you are dealing with a legitimate offer or a trap.
- Update your antivirus / antimalware software . Make sure automatic updates are turned on. Check periodically that updates have been applied and scan your system for possible infections.
If your company has an IT department, these recommendations should be standard security measures.
Security services for companies
When you think about the data that your company holds and manages, you are never too cautious in defense. Social engineering relies on the fact that an employee hacks more easily than a computer , which is often true.
In addition to the cyber protection measures listed above, it is good that all employees are aware of the risks and potential threats.
SOD offers a series of services that go in this direction. The first and perhaps most important is ethical phishing in which we try to attack the company with phishing techniques . We find out what the weak points are and organize internal training to provide the right tools for staff.
We also have the classic Vulnerability Assessment and Penetration Test for testing cybersecurity systems. Addons are applicable to this service to cover a greater number of areas. There is a specific addon for app analysis and code review , but also one where we try to hack the company with physical attacks . We will test the physical security of the company, the ability to enter buildings, access to network controllers and more.
Finally, to keep networks under control, the SOCaaS service allows you to monitor the entire network, identify suspicious actions (with behavior analysis via artificial intelligence), unauthorized installations, breach attempts and much more.
Data security in the company is really important, contact us to find out how we can help you!
Estimated reading time: 5 minutes
A Zero-Day attack (also known as 0-day) exploits a software vulnerability unknown to security officers and the software vendor. Hackers can exploit the weakness, as long as it is not mitigated, through Zero-Day exploit or, indeed, attack.
The term “zero-day” originally referred to the number of days after the software was released. A “zero-day” software, therefore, meant a program obtained by forcing a developer’s computer before release. The term was then applied to the vulnerabilities that this practice allows to exploit. Once the vendor becomes aware of the vulnerability, they usually patch or recommend solutions to mitigate it.
Software often has vulnerabilities. These are unintentional flaws, or code problems that could hypothetically be exploited.For example, there may be a flaw that allows a cybercriminal to access otherwise secure data. Programmers are often on the lookout for these vulnerabilities and when they discover them, they analyze them, produce a patch to fix them, then distribute that patch in a new version of the software.
However, this is a time-consuming process. When the flaw becomes known, hackers around the world can start trying to exploit it.
If a hacker manages to exploit the vulnerability before the developers find a solution, this exploit then becomes known as a Zero-Day attack.
Zero-day vulnerabilities can take almost any form, because they can manifest themselves as any type of vulnerability in software. For example, they can take the form of missing data encryption, SQL injection, buffer overflows, missing permissions, bugs, or problems with password security.
This makes these vulnerabilities difficult to find before they are exploited in zero-day attacks. This, in some ways, is good news: it also means that hackers will have a hard time finding them. But also that it is difficult to defend against these vulnerabilities effectively.
How to protect yourself
We have seen how difficult it is to protect yourself from the possibility of a zero-day attack, because it can take many forms. Almost any type of security vulnerability could be exploited as a zero-day if a patch is not produced in time. Also, many software developers intentionally try not to disclose the vulnerability publicly in the hope that they can distribute a patch before any hacker discovers the vulnerability.
There are a few strategies that can help you defend your business against zero day attacks:
Stay informed on Zero-Day attacks
Zero-day exploits aren’t always advertised, but occasionally we hear about a vulnerability that could potentially be exploited. If you stay tuned to the news and pay attention to releases from your software vendors, you may have time to put security measures in place or respond to a threat before it is exploited. A good way to do this is to follow your suppliers’ newsletters. At the bottom of this page you will find the form to subscribe to the SOD one.
Keep your systems up to date
Developers are constantly working to keep their software up to date and secure to prevent the possibility of exploits.When a vulnerability is discovered, it is only a matter of time before they produce a patch. However, it is up to you and your team to make sure your software platforms are always up to date. The best approach in this case is to enable automatic updates, so that the software is updated routinely, and without the need for manual intervention.
Use additional security measures
Make sure you’re using security solutions that protect you from a zero-day attack. SOD offers a solution that includes a set of tools that allow you to raise your defenses significantly. SOCaaS is a real security operations center for your company. Using state-of-the-art tools such as SIEM and UEBA and thanks to granular control over the monitored network, every attack attempt is identified in the shortest possible time.
Each type of data produced by the interconnected systems in the infrastructure is collected, normalized and analyzed for anomalies. This means that not only are you checking for known indicators of compromise (IOC), but suspicious operations and behavior of facility users are also monitored. In this way, it is also possible to identify attack attempts that are normally very difficult to detect, such as those involving Zero-Day Attacks, but not only. In fact, through the SOCaaS service, it is possible to identify compromised accounts, the violation of protected data, lateral movement attacks, phishing, etc.
The security of a company’s IT system is a very important topic that we care a lot about. The compromise or loss of sensitive data can cost a lot from both an economic and a reputational point of view. Do not neglect this important aspect for the safety of your business, contact us to tell us about your situation, we will be happy to show you how we can help you.
The IT world continues to evolve and the same goes for industry acronyms. One of these is the term MSSP which, in a sense, is the evolution of MSP. The two abbreviations mean: Managed Service Provider (MSP) and Managed Security Service Provider (MSSP). The latter, in general, could be considered as an organization that provides outsourced security services to other organizations. This definition is very vague and somewhat obvious. So what is an MSSP?
Definition: what is an MSSP?
An MSSP offers Security-as-a-Service, ensuring that organizations, end users and systems have the security, protection and compliance with the necessary compliance requirements. In reality, MSSPs have been around for a while, but have recently gained more attention and focus as the cybersecurity landscape continues to evolve rapidly. End users are more aware of the threats and consequences they face if they are not proactive.
Let’s take a step back, let’s examine what an MSP is, to better distinguish it from an MSSP. In simple terms, a managed service provider (MSP) is an organization commissioned by a customer to perform various IT services. MSPs typically partner with their clients for annual or multi-year periods, receiving recurring income for ongoing services.
An MSP can help a client at any stage of their IT cycle, including:
– the creation of policies and programs
– discover potential solutions
– implementation of solutions
– performance monitoring
MSPs can also manage ongoing IT services, such as updating systems and making configuration changes to suit business needs. These line-of-service elements can include help desk support, network and application management and monitoring, hardware repair, and more. These services are generally outlined and agreed upon in a Service Level Agreement (SLA).
What is it that distinguishes MSSPs from MSPs? The extra “S” in MSSP indicates that these are more security focused than a typical MSP. While MSPs often offer other IT services and something related to security, MSSPs focus solely on security. However, even in this case, they could include a fairly large set of services in addition to security.
For example, the MSSP technology offering may include the implementation, configuration and / or management of the following technologies:
– Intrusion Prevention Systems (IPS)
– Filtering of web content
– Anti-virus, anti-spam, firewall
– Vulnerability scanning
– Patch management
– Data loss prevention
– Information on threats
In addition, MSSP services may include:
– Policy development and risk management
– Search for the solution
– Search and requisition of solutions and tools
– Implementation of the solution
– Configuration management
– Security updates
– Reporting, review and compliance
– Training and education
An MSSP may offer a broad and generalized range of security capabilities and services, or it may specialize in one or a few areas of interest. Another thing that differentiates between MSP and MSSP are the NOCs and SOCs.
MSPs often establish their own network operational network (NOC) from which they monitor and administer customer operations, MSSPs instead establish a security operations center (SOC), which is responsible for protecting the infrastructure (networks, applications, database, server, etc.).
Why choose an MSSP?
Now that we know what an MSSP is, we need to understand why such a service should be chosen.
The reason is to be found in the digitalization of the business, which is the biggest driver of company growth in recent years. As companies become more and more interconnected through technology, the opportunities grow, but with them so do the security threats. In this case, executives and boards of directors are looking to transform their companies into power centers of the digital age and are taking a closer look at their position on security.
But this is where things get real: the solutions are complicated, and building your own cybersecurity department 24/7 takes time, money and people. On the other hand, a single data breach can seriously damage the value of your company and cost you a considerable economic loss.
This is why outsourcing your company’s entire IT security solution to a Managed Security Service Provider (MSSP) is an increasingly common decision. This cybersecurity-as-a-service model is popular with businesses, regardless of size. This is because cyber defense is becoming so complex and takes so long that companies have no choice but to outsource security services to follow best practices.
We at SOD provide exactly this type of security services, through various modalities. In addition to the typical services of an MSP, such as VPS, Super Cloud, etc., we are able to cover every need for corporate security through our SOCaaS which implements various solutions including UEBA, SIEM, Vulnerability Assessment & Penetration Test, Active Protection, Log Management, IT Monitoring Service, Management Services, GDPR and Privacy.
If you are interested in knowing how SOD can help your company in improving applied cybersecurity, you can get in touch with us, we will be happy to answer questions and propose a solution suitable for the situation.
Ransomware commonly comes up with an email that tricks users into trusting a malicious file. Many of the most recent data breaches have been completed because a user has been the victim of such an attack in the previous period. Threats such as ransomware, which focus on user compromise, are causing more and more companies to adopt user and entity behavior analysis (UEBA) in their security operations center (SOC). The new functions of the SOC service, including long-term search, are oriented towards the increasing offer of additional tools for the optimal management of corporate security.
We continue to innovate our platform to increase the power of SOC in fighting ransomware and other threats. In our latest release, we have added even more machine-learning and context-aware detection capabilities that enable security analysts to tackle the most sophisticated attacks. Furthermore, the latest updates bring an ever greater ease of use for security architects.
Long-term search for the security analyst
The service introduces a number of innovations to reduce detection and response times for security analysts and threat seekers.
Improved detection of sophisticated threats
– Long-term search helps analysts discover hidden threats by providing a search capability on archived data. The search is scalable and does not affect SIEM performance.
– Analytics Sandbox helps break down false positives by providing an online QA environment to test and validate use cases.
– Persona-based threat chains detect advanced threats more accurately, including the dynamic relationship between users, hosts, IP addresses, and email addresses. Analysts benefit from greater visibility into the progression of an attack. This feature combines suspicious activity from a single user into a single priority alert, instead of separate and unrelated alerts.
– Relative Rarity offers analysts a broader context on how rare an event is compared to all other events in their environment.
– Viewing security alerts using the MITER ATT&CK Threat Framework helps analysts prioritize risk and reduce response times.
Reduction of response times
– Improved case management allows for better management, sharing and investigation of alarms, allowing operators to respond more quickly.
– New EDR integrations improve incident response by providing additional endpoint data from CarbonBlack Defense, Tanium, Symantec DLP and others.
– Better search views improve the analyst experience by reducing detection and response times. They help analysts easily identify compromised accounts, data exfiltration, and associated hotspots.
Why long-term search is so important
With a global dwell time of around 60 days on average, threat hunting continues to be an important part of cybersecurity resilience. However, searching through the data history usually takes a long time.
Many vendors are unable to dynamically scale a quick search through archived data without significant effort. The latest features of our SOCaaS provide this possibility for threat hunters with long-term search on an almost unlimited scale. With long-term research, organizations can reduce the time it takes to investigate and find threats that are already in their environment.
Analysts need to continually query the data to see if there are new threats. For example, an analyst might learn from a trusted source that their industry has been targeted. At this point we need to investigate a new indicator of compromise that has just been discovered to verify if an attacker is already inside.
Through long-term search, SOD’s native SOCaaS SIEM allows threat hunters to be proactive, making historical data research fast and convenient.
By introducing new technologies into our SOC service, we are offering more and more security for our customers.
We take care of your data by verifying not only that it is not safe now, but also that it has not been breached in the past. In case we suspect a new threat, we know how to spot it.
If you have any questions, contact us, we will be happy to answer all your questions.
The practice of shadow IT is the use of computer systems, devices, software, applications and services without the explicit approval of the IT department. In recent years, it has grown exponentially with the adoption of cloud-based applications and services.
While shadow IT could improve employee productivity and drive innovation, it can also introduce serious security risks to the organization due to data breaches, potential compliance breaches and more.
Why users practice shadow IT
One of the main reasons employees apply shadow IT is simply to work more efficiently. A 2012 RSA study reported that 35% of employees believe they need to bypass their company’s security policies just to get their job done right. For example, an employee may discover a better file sharing application than is officially allowed. Once you start using it, the use may spread to other members of your department.
The rapid growth of cloud-based consumer applications has also increased the adoption of shadow IT practices. The days of packaged software are long gone; Common applications such as Slack and Dropbox are available with a simple click, and corporate data is easily copied beyond work applications to employee personal devices, such as smartphones or laptops, especially in BYOD (Bring Your Own Device) working conditions .
Shadow IT: Security Risks and Challenges
The point is that if the IT department is not aware of the use of an application, they cannot support or guarantee that it is secure. Industry analyst firm Gartner predicted, in 2018, that by 2020, one-third of successful attacks businesses experience focus on their shadow IT assets.
While it is clear that the practice will not go away, organizations can minimize risks by educating end users and taking preventative measures to monitor and manage unauthorized applications.
Not all shadow IT is inherently dangerous, but some features like file sharing and storage and collaboration (for example, Google Docs) can cause sensitive data leaks. This risk goes beyond applications alone: the RSA study also reports that 63% of employees send work documents to their personal email to work from home, exposing data to networks that cannot be monitored.
In times like the one we are experiencing, in which teleworking is encouraged and, in some cases, the only possible solution, it is essential to have an eye for the applications in use on employees’ computers.
Benefits of Shadow IT
Despite the risks, shadow IT has its advantages. Getting IT approval can take time that employees can’t afford to waste.For many employees, approval is a productivity bottleneck, especially when they can get a fix in minutes.
Having IT behaving like an Orwellian “Big Brother” doesn’t always help productivity. Discerning cases of positive shadow IT can be the best compromise. Finding a middle ground can allow end users to research solutions that work best for them. This gives IT time to control user data and permissions for applications. If end users do not need to request new solutions, the IT department has been given time to focus on more critical tasks.
Whatever the reason why shadow IT occurs, if the IT department is unaware of it, the risk of breach is high. What the corporate cyber security departments should do is implement automated traffic and behavior control systems.
The solution offered by a SOC as a Service is the most complete in this respect. It allows you to keep an eye on all the devices in the system and also monitor user behavior.
Thanks to the Nextgen SIEM and UEBA systems, in fact, the collection of usage data is easy and manageable in real time. The data collected is enriched and aggregated to give analysts the most complete view possible and allow rapid intervention. Meanwhile, the UEBA system checks that there are no anomalous behavior by users or suspicious outgoing data traffic.
Shadow IT, while not usually a malicious attack, is a practice that should be discouraged and, as it is risky, stopped in the bud.
Classic cyber threat defense tools and systems are rapidly becoming obsolete, and there are ways to overcome them. What remains confidently common among cyber criminals attempting an attack is the intent of the attack itself. Indeed, knowing that there are systems capable of detecting indicators of compromise (IOC), it is natural that competent hackers will try not to leave traces traceable to standards. User and Entity Behavior Analysis (UEBA) offers a more comprehensive way to make sure your business has world-class IT security. At the same time, it helps detect users and entities that could compromise the entire system.
A definition of User Entity Behavior Analytics
User and Entity Behavior Analysis or UEBA, is a type of cybersecurity process that takes note of standard user behavior. In turn, the system detects any abnormal behavior or cases where there are deviations from the “normal” patterns mentioned above. For example, if a particular user regularly downloads 10MB of files every day, and suddenly downloads 1GB, the system would be able to detect this anomaly and immediately alert operators. The behavior may be legitimate, but it’s worth checking out.
The UEBA system uses machine learning, algorithms and statistical analysis to know when there is a deviation from established patterns. Next, it shows which of these anomalies could result in a potential and real threat. Additionally, UEBA can aggregate report and log data, as well as analyze file, stream and packet information.
With a UEBA all users and entities of the system are tracked. In this way the system focuses on insider threats, such as dishonest employees, compromised ones and people who have access to the system and then carry out targeted attacks and fraud attempts, as well as the servers, applications and devices that work inside. of the system.
It is the unfortunate truth that today’s cybersecurity tools are rapidly becoming obsolete. Now the most skilled hackers and cyber criminals are able to bypass the perimeter defenses used by most companies. A few years ago you were sure if you had web gateways, firewalls, and intrusion prevention tools. This is no longer the case in the complex threat landscape, and is especially true for large companies that have proven to have very porous IT perimeters that are also very difficult to manage and supervise.
The key point? Preventive measures are no longer sufficient. Firewalls will not be 100% infallible and attackers will enter the system at one point or another. That’s why detection is just as important: when hackers successfully enter your system, then you need to be able to quickly detect their presence to minimize damage.
How does it work?
The premise of the system is actually very simple. You can easily steal an employee’s username and password, but it is much more difficult to mimic the person’s normal behavior once inside the network.
For example, let’s say you manage to steal John Smith’s password and username. However, it is almost impossible to act exactly like Mario Rossi once inside the system, unless extensive research and preparation is also done in this direction. Therefore, when Mario’s username is logged into the system and his behavior is different than typical, that’s when the UEBA alarms start ringing.
Another related analogy would be the theft of a credit card. A thief can steal your wallet and go to a luxury store and start spending thousands of dollars. But, if the spending pattern on that card is different from that of the thief, the fraud detection department will recognize the anomalous expenses and block suspicious purchases, either by sending you an alert or asking you to verify the authenticity of a transaction. .
What can UEBA do?
UEBA is a very important component of modern IT security and allows you to:
1. Detect insider threats: It is not too far fetched to imagine that an employee, or perhaps a group of employees, could disobey, steal data and information using their login. UEBA can help you detect data breaches, sabotage, abuse of privileges and policy violations by staff.
2. Detect Compromised Accounts: Sometimes, user accounts are compromised. It could be that the user has unintentionally installed malware on his machine, or that sometimes a legitimate account has been forged. UEBA can help eliminate compromised users before they can do any damage.
3. Detect Brute Force Attacks: Hackers sometimes target cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute force attack attempts, allowing you to block access to these entities.
4. Detect permission changes and super user creation: Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or if there are accounts that have been granted unnecessary permissions.
5. Detect Secure Data Breach: If you have secured data, it’s not enough to keep it safe. Know when a user accesses this data if they have no legitimate business reason for doing so.
UEBA and SIEM
Security Information and Event Management, or SIEM, is the use of a complex set of tools and technologies that provides a complete view of the security of your IT system. It leverages event data and information, allowing you to see normal patterns and trends, and to warn of anomalies. UEBA works the same way, only it uses information on user (and entity) behavior to verify what is normal and what is not.
SIEM, however, is based on rules, and competent hackers can easily circumvent or evade these rules. Furthermore, the SIEM rules are designed to immediately detect threats that occur in real time, while the most advanced attacks are usually carried out over months or years. The UEBA, on the other hand, is not based on rules. Instead, it uses risk scoring techniques and advanced algorithms that allow it to detect anomalies over time.
One of the best practices for cybersecurity is to use both SIEM and UEBA to have better security and detection capabilities.
How a UEBA should be used
UEBA was born out of the need to identify the harmful behavior of users and other entities. UEBA tools and processes are not intended to replace legacy monitoring systems, but should instead be used to complement them and improve a company’s overall security. Another great practice is to take advantage of the storage and calculation capabilities of big data, using machine learning and statistical analysis to avoid receiving an avalanche of unnecessary alarms and being overwhelmed by the large volume of data. generated.
UEBA uses machine learning and algorithms to strengthen security by monitoring users and other entities, detecting anomalies in behavior patterns that could be indicative of a threat. By taking a proactive approach to security and gaining greater visibility into user and entity behavior, today’s businesses are able to build stronger security systems and more effectively mitigate threats and prevent breaches.
SOAR (Security Orchestration, Automation and Response) technology helps coordinate, execute and automate activities between people and tools, enabling companies to respond quickly to cyber security attacks. The aim is to improve their overall security position. SOAR tools use playbooks (strategies and procedures) to automate and coordinate workflows which may include security tools and manual tasks.
How does SOAR help in the security field?
1. Combining security orchestration, intelligent automation, incident management and interactive investigations in a single solution.
2. Facilitating team collaboration and enabling security analysts to take automated actions on tools across their security stack.
3. Providing teams with a single centralized console to manage and coordinate all aspects of their company’s security.
4. Optimizing case management, increasing efficiency by opening and closing tickets to investigate and resolve incidents.
Why do companies need a SOAR?
Modern companies regularly face many challenges and obstacles when it comes to fighting cyber threats.
A first challenge is represented by an ever increasing volume of complex security threats. Furthermore, the security tools involved very often struggle to talk to each other, which is in itself a nuisance.
Such a large amount of data and software can only mean a large number of security alerts. In fact, there is too much threat intelligence data to allow teams to manually classify, prioritize, investigate and target threats. Furthermore, the work of security officers involves very specific skills and with increasing demand it is increasingly difficult to find a sufficient number of security officers to carry out the work.
SOAR helps companies address and overcome these challenges by enabling them to:
– Unify existing security systems and centralize data collection to achieve full visibility.
– Automate repetitive manual activities and manage all aspects of the accident life cycle.
– Define incident analysis and response procedures, as well as leverage security playbooks to prioritize, standardize and scale response processes in a consistent, transparent and documented way.
– Quickly and accurately identify and assign the severity levels of incidents to safety alarms and support the reduction of alarms.
– Identify and better manage potential vulnerabilities in a proactive and reactive way.
– Direct each security incident to the analyst best suited to respond, while providing features that support easy collaboration and monitoring between teams and their members.
Below I wanted to list some practical examples of how a SOAR comes into action in certain situations.
Enrichment and Phishing Response: Activating a Playbook. Automation and execution of repeatable activities such as triage and involvement of interested users. Apply an extraction and control of indicators to identify false positives, then request activation of the SOC for a standardized response at scale.
Endpoint Malware Infection: Extracting threat feed data from endpoint tools and enriching that data. Cross-reference between recovered files and hashes with a SIEM solution, notify analysts, clean up endpoints, and update the tools database.
Failed User Login: After a predefined number of failed user login attempts, evaluating whether a failed login is genuine or malicious, a SOAR can activate in various ways. First of all by putting into practice a playbook, involving users and then analyzing their answers, then also the expiring passwords and finally closing the process.
Indicators of Compromise (IOC): Take and extract indicators from files, track indicators through intelligence tools and update databases.
Malware Analysis: Verify data from multiple sources, extract and delete malicious files. A report is then generated and checked for malice.
Cloud Incident Response: This is done through the use of data from cloud-focused threat detection and event logging tools. The data is then unified between the cloud and on-premises security infrastructures, correlated thanks to a SIEM. The indicators are then extracted and enriched, to then check for the presence of malice. A final step of human control to the analysts who review their information update the database and close the case.
The benefits of a SOAR
Basically, a SOAR implements working methods and protocols of action in the system for fighting against cyber threats of a company. This significantly improves operational efficiency and accelerates incident detection as well as response times, which are effectively standardized.
A SOAR increases analysts’ productivity and allows them to focus on improving security instead of performing manual tasks.
By exploiting and coordinating the existing security technology investments in a company, it is possible to make a real difference.
SIEM has existed for quite some time, but it is not yet well understood. Also, the fact that technology has evolved significantly in recent years doesn’t help shed some light. Today we see where we are, trying to understand the Next Generation SIEM and the managed systems offered as services that make use of the latest generation SIEM (SOCaaS, for example). Let’s see what all this means for companies.
Being a fundamental part of the SOCaaS offered by SOD, it seems appropriate to explain in detail what a Next Generation SIEM is and what its functions are.
A brief history of SIEM
Before examining what a Next Generation SIEM is, it is right to briefly review the history of this technology and its beginning.
The term Security Information and Event Management (SIEM) was coined in 2005 by Mark Nicolett and Amrit T. Williams of Gartner. The word is the merger of Security Event Management (SEM) and Security Information Management (SIM).
Its original definition given by the creators of the term is: a technology that supports the detection of threats and the response to security incidents, through the collection in real time and historical analysis of events from a wide variety of sources of contextual data.
SIEM was born out of the need to address the huge number of alarms issued by intrusion prevention systems (IPS) and intrusion detection systems (IDS) that were overwhelming IT departments. By helping organizations aggregate events and better analyze those within the network, SIEM has helped organizations improve threat detection. It has also led organizations to take a more proactive approach to security. Preventive security technologies are no longer sufficient on their own.
The difficulties of SIEMs in the early years
Eager to improve their cybersecurity situation, many enterprise-wide organizations have rapidly adopted SIEM technology. Over the years, however, inherited problems have emerged from the past:
1. The datasets were inflexible, so some SIEMs were unable to process the required data, which meant their effectiveness was limited
2. They were difficult to maintain and manage, which added complexity and drained staff resources
3. SIEMs produced a high number of false positives, creating even more work for the security teams
4. With the advancement of technology, SIEMs have struggled to keep up with the evolution of threats and therefore the IT risk for companies has grown
The Next Generation SIEM arrives
Many advanced threats are now polymorphic rather than static. That is, they are able to constantly modify their behavior to evade detection. As such, Next Generation SIEM systems must not only process more data, but also become much more capable of recognizing new patterns within them.
Given the difficulties and limitations of inherited SIEM systems, many thought they would disappear over time. But this did not happen, SIEM still remains a key technology used by companies. However, technology has had to evolve.
While SIEM once relied on only a handful of data sources, the “Next Generation” of SIEM systems was developed to process a greater volume and variety of data, as well as correlating it in a timely fashion.
Gartner reported that the SIEM market is continuously growing. One reason for this growth is that Next Gen SIEM systems are now used by midsize organizations, not just large enterprises.
What are the capabilities of Next Gen SIEM?
Next Gen SIEMs, sometimes referred to as analytical SIEMs or SIEM 3.0, have brought new capabilities to organizations and their security teams.
– Allow faster integration into a corporate infrastructure through an open architecture to cover cloud, on-premise and BYOD resources
– Include real-time visualization tools to understand the most important and high-risk activities
– Use scenario and behavior analysis to “photograph” well understood scenarios and highlight significant changes in behavior
– Integrate and use Threat Intelligence information from customized, open source and commercial sources
– Provide a flexible framework that allows for the implementation of a tailored workflow for key organizational use cases
– Measure status against regulatory frameworks (e.g. PCI DSS) for prioritization and risk management
Security Orchestration, Automation and Response
Security Orchestration, Automation and Response (SOAR) is a growing security area that Next Gen SIEM vendors are exploiting to contribute and take advantage of the latest features. In its essence, SOAR has two fundamental aspects:
1. It allows to bring more data to a Next Gen SIEM for analysis
SOAR is helping SIEM technology to become smarter and big data oriented, thus enabling security teams to make faster and better informed decisions. Broader intelligence means more reliable threat identification and fewer false positives.
2. Help automate incident response
Another important way SOAR is influencing the evolution of SIEM Next Gen is to help standardize incident analysis and response procedures. The goal is to partially or completely automate response activities in order to reduce the potential harm and inconvenience that breaches can cause. Such response activities could include blocking compromised user accounts and blocking IP addresses on a firewall.
By automating routine actions, SOAR helps security teams become more efficient and frees them up time to focus on threat hunting and patch management.
User Behavior Analysis (UEBA)
Another important feature of Next Generation SIEMs is the use of User and Entity Behavior Analytics (UEBA). UEBA does not track security events or monitor devices, but instead focuses on monitoring and analyzing the behavior of an organization’s users.
UEBA can be extremely useful in helping organizations identify compromised accounts, as well as insider threats. It works using advanced machine learning and behavioral profiling techniques to identify anomalous activity such as account compromise and abuse of privileges. By not using rules-based monitoring, the UEBA is more effective in detecting anomalies over time.
The challenges for a modern SIEM
Despite unquestionable advances in detecting complex cyber threats, SIEM Next Gens can still, if not used and maintained properly, generate a large number of alerts. For organizations without IT resources and dedicated security personnel, researching these alerts to distinguish true network security problems from false positives can be extremely complex and time-consuming.
Even when real threats are identified, knowing how to respond to them can be just as challenging.
Getting the most out of SIEM to help address growing security challenges will also depend on better trained personnel who can use the systems more effectively and validate alarms. For organizations that lack in-house knowledge or skills, it therefore makes sense to work with an external vendor who can cover or augment security capabilities.
A full SOCaaS service, including Next Generation SIEM and UEBA for threat hunting, is the ideal choice. Not only does it save time in terms of validating and checking alarms, but also in economic terms, not having to face installation costs and staff training.
If you are interested in learning more, do not hesitate to contact us, we will answer your questions.
A SIEM solution in IT is one of the essential components of a SOC (Security Operation Center). Its task is to collect information and analyze it in search of anomalies and possible breaches in the system. But the defense process hasn’t always been that simple. What we now call SIEM, Security Information and Event Management, is the union of two different types of cyber security tools.
SIM and SEM: the origins
Before the arrival of a complete SIEM solution in computing, security was heavily focused on perimeter security and did not keep the internal network adequately controlled. The first solutions developed in the 90s were basic and basically dealt with security information management (SIM) or security event management (SEM). They were solutions available as tools that had to be deployed on-site in the data center to be protected. This limited scalability, because adding capacity required the purchase of additional equipment.
These early solutions were also built on proprietary databases that forced customers to use technology from a single vendor. If you wanted to move your data to another system, the process was long and complicated. It should also be noted that archiving was more expensive, so only the most valuable data was collected. Furthermore, although the SIM and SEM solutions contained all the data necessary for the defense, the search and alarm were rudimentary. Additionally, they depended on experienced security analysts to research, understand and interpret what they found in the data.
SIEM origins in computer science
As data became more sensitive and technology more powerful, SIEM systems (SIM + SEM) became capable of ingesting, processing and storing a great deal of data. Next-generation SIEM IT solutions are able to use signature-based alerts to identify threats in collected data. However, only those alerts that have identified indicators of compromise (IOC) of a certain threat can be identified in this way.
To be clear, if the type of attack to which a system is subjected has not been cataloged in a series of IOCs, a first generation SIEM is not able to detect it. The main drawback of those systems was the very limited ability to detect unknown cyber threats.
To give a practical example: it was possible to use a rule like this: “give a warning if a user enters 10 consecutive wrong passwords“. In theory this could be used to detect brute force password attacks. But what if the attacker only tried 9 passwords in a row? Or what if the alarm was given for a very forgetful user?
Next Gen SIEM (NGS)
A next generation SIEM is built on a large data platform that provides unlimited scalability and is hosted in the cloud. A next gen SIEM includes log management, advanced threat detection based on behavior analysis and automatic incident response, all on a single platform.
This eliminates the problems that old on-premises systems were prone to. Not having to install anything and being able to send the necessary data to the cloud quite simply, the computing power of the local machine is not compromised and the SIEM can manage all the data safely.
How a SIEM proceeds in cyber threat analysis
1. Data Collection: An IT SIEM solution collects data from across the organization using agents installed on various devices, including endpoints, servers, network equipment and other security solutions. Next generation SIEM includes support for cloud applications and infrastructure, business applications, identity data and non-technical data feeds.
2. Data enrichment: Enrichment adds further context to events. SIEM will enrich data with identity, resources, geolocation and threat information.
3. Data storage: The data will then be stored in a database so that it can be searched for during investigations. The next generation SIEM exploits open source architectures and big data architectures, exploiting their scalability.
4. Correlation and Analysis: SIEM solutions use several techniques to draw actionable conclusions from SIEM data. These techniques vary greatly.
5. Report: A SIEM, particularly a next generation SIEM, gives you the ability to quickly search for data, allowing you to dig through alerts and search for threat actors and indicators of compromise. The displayed data can be saved or exported. It is also possible to use out-of-the-box reports or create ad hoc reports as needed.
What a SIEM is used for
Threat hunting and investigation
The ability to perform threat hunting on a SIEM is critical to understanding the true patterns of attacks based on access, activity and data breaches. By developing a detailed and contextual view of attacks, security analysts can more easily develop policies, countermeasures and incident response processes to help mitigate and remove the threat.
Response in case of an accident
An effective response to incidents is essential to intervene more quickly and reduce the residence time of the threat. For this, a SIEM provides an incident response playbook with configurable automated actions. A SIEM is able to integrate with third party solutions for security orchestration (SOAR) or individual case management.
Defense against insider threats
The reason why insider threats are such a big problem is because it’s not about entering the perimeter, but about exploiting insider positions. They can be your employees, contractors or business associates. It may be they themselves wanting to exploit their location, or their account may have been hacked.
With all kinds of internal threats, the attacker tries to stay hidden, gathering sensitive data to exploit. This could cause significant damage to the company, its position in the industry and its relationship with consumers or investors. By using a SIEM, you avoid this risk.
Cyber threat detection
Your organization is likely to have at least one sensitive data repository. Cybercriminals thrive on looting this data for financial gain. Many breaches begin with a simple phishing email against an organization’s target. Simply clicking on an attachment can leave malicious code behind. A SIEM will allow you to monitor advanced cyberthreat patterns such as phishing, beaconing and lateral movement.
For many industries, adherence to compliance standards is critical. A SIEM can help by providing reports focused on data compliance requests. Integrated packages covering all major mandates, including PCI DSS, SOX, and ISO 27001, are a standard feature of SIEMs as well.
Next Generation SIEM
A next generation SIEM is not just a cloud hosted system. It also makes use of the implementation of AI and Machine Learning to increase the defense of the IT system.
We will see it in a future article, but it is right to specify that the SOCaaS offered by SOD makes use of the latest generation technology offered by Next Gen. SIEM systems. Contact us to find out more about it and talk to experts who can dispel all your doubts.
During a cyber attack, hackers have only one goal in mind. This goal could be accessing a developer’s machine and stealing a project’s source code, analyzing emails from a particular executive, or extracting customer data from a server. All they have to do is log into the machine or system that contains the data they want, right? Not exactly. Actually, it’s a little more complicated than that. To achieve their goal, hackers are likely to break into a low-level web server, email account, or employee device, to name a few. From that node, they will move sideways (hence the name network lateral movement) to achieve their goal.
In fact, when attackers compromise a resource on a network, that device is almost never their final destination. In addition, the initial compromise rarely causes serious damage and may go unnoticed. Only if the security teams are able to detect a lateral movement before the attackers reach their intended goal, it is possible to prevent the data breach.
In this article, we will look at some of the more common types of network lateral movement and identify ways in which we can detect the attack and defend ourselves.
Understanding the network lateral movement
Lateral movement occurs when an attacker takes possession of a resource within a network and then extends its reach from that device to others within the same network. Let’s see it with an outline to help us understand better.
The perimeter of the infrastructure to be penetrated is represented with a horizontal line. The upper half represents what is outside the net, while what is below the line represents what is inside. In order for an attacker to enter the network, it must move vertically, ie from the outside to the inside (also called North-South traffic). But once a foothold has been established, it is possible to move sideways or horizontally, ie within the same network (called East-West traffic) to reach the final goal of the attack.
Approaches to the Lateral Movement
Overall, there are two common methods by which a hacker applies the lateral movement.
First approach: The attacker performs an internal scan to find out what other machines are on the network. In particular, it scans open ports that are listening and machines that suffer from vulnerabilities. At that point, the attacker can abuse these weaknesses to move sideways to another resource.
The second approach to the lateral movement exploits stolen credentials, and is the more common of the two. In this type of attack, the hacker could use an email phishing technique to infect a machine that interfaces with a particular server. Then he can use his login to recover passwords via a keylogger or other similar tools. At this point, he can use whatever credentials he was able to obtain to impersonate the user who was the victim of the phishing and log in to another machine. Once you have established access to that computer, you can repeat the tactic looking for additional credentials and / or privileges to exploit. In this way, the attacker can make their way and create remote connections to the target device.
In both cases it is difficult to identify the attack, because it does not occur through software or application malfunctions.
How to defend yourself
A lateral movement often manifests itself through anomalous network activity. For example, it is suspicious that a machine, which normally communicates with a few others, starts scanning the entire network. The same is true if that machine tries to connect to open ports, to interact with services and credentials with which it normally has no contact, or to use a username that has never been used before.
The list of alarm bells goes on and on. The key thing to understand is that a lateral movement involves machines doing something out of their routine, without proper authorization from IT.
This is what gives organizations the ability to detect this type of attack. Implementing log file monitoring is a first step in defense. Ideally, the data should be constantly analyzed for anomalies and possible breaches.
These defenses are not infallible. Security teams that simply rely on log files limit the scope of their defensive position, for example, due to log files collected only from particular applications. You might decide to monitor a certain service for credential theft, but attackers might not use that particular service to perform a lateral movement. This means that any malicious actions that do not use the monitored services will not be detected promptly.
In addition to this, hackers know the types of protocols that security personnel tend to monitor, making their task even more complex. Attackers can use this knowledge to model their attack campaigns in order to have a better chance of going unnoticed. It is one of the reasons why the MITER ATT & CK database was created to collect known techniques and raise the defenses.
The advantage of a SOCaaS
It is not enough for organizations to seek lateral movement using log files or an EDR tool. It is necessary to turn attention to the network as a whole. In this way it is possible to see all network traffic, establish a baseline of normal network activity for each user and device, and then monitor any unusual actions that could be indicative of attacks. It is known as anomaly detection, and is more comprehensive and often easier than examining each log file for out-of-the-ordinary events.
The problem with anomaly detection is that many of these irregularities are benign, and a lot of time is spent analyzing them. What is needed to separate harmful lateral movement from benign network anomalies is an understanding of the aspect of harmful behavior.
This is where a complete system that uses both behavioral analysis tools and professional security technicians comes into play.
The SOCaaS offered by SOD includes a Security Data Lake (SDL) for data collection and various tools for data analysis. One of these is the UEBA, particularly suitable for the detection of social threats, as it analyzes user behavior through AI using their actions as a source of data.
With these and other tools that make up the SOC, you can actively reduce the risk of attacks on your corporate data. If you are interested in learning more about SOD SOCaaS, I invite you to visit the dedicated page or contact us directly.
Mitre Att&ck is a global knowledge base of adversary tactics and techniques based on real observations of cyber attacks. These are displayed in arrays organized by attack tactics, from initial system access and data theft to machine control. There are arrays for common desktop platforms (Linux, macOS and Windows) and for mobile ones.
What is MITRE ATT&CK ™ and what does it mean?
ATT&CK stands for “adversarial tactics, techniques, and common knowledge” and that is: tactics, adversary techniques and common knowledge. Let’s try to go deeper.
Tactics and techniques are a modern way of thinking about cyber attacks. Rather than looking at the results of an attack – an indicator of compromise (IoC) – security analysts should look at the tactics and techniques that indicate an attack is in progress. Tactics represent the goal you want to achieve, while techniques represent how an opponent plans to achieve it.
Common knowledge is the documented use of tactics and techniques used by opponents. Essentially, common knowledge is the documentation of the procedures used by the attacker. Those familiar with cybersecurity may be familiar with the term “tactics, techniques and procedures” or TTP. This same concept has been used by ATT&CK ™, replacing the term procedure with common knowledge.
Who is MITRE and what is the goal of ATT&CK ™?
MITRE is a US government funded research organization based in Bedford, MA, and McLean, VA. The company was spun off from MIT in 1958 and was involved in a number of top secret commercial projects for various agencies. These included the development of the FAA’s air traffic control system and the AWACS radar system. MITRE has a substantial cybersecurity practice funded by the National Institute of Standards and Technology (NIST).
A curiosity: the word Mitre means nothing. Apparently one of the first members, James McCormack, wanted a name that meant nothing but was evocative. Some mistakenly think it means Massachusetts Institute of Technology Research and Engineering.
ATT&CK’s goal is to create a comprehensive list of known opponent tactics and techniques used during a cyber attack. Open to governmental, educational and commercial organizations, it should be able to gather a wide, and hopefully comprehensive, range of attack phases and sequences. MITRE ATT&CK aims to create a standard taxonomy to make communications between organizations more specific.
How is the ATT&CK ™ matrix used?
The matrix visually organizes all known tactics and techniques in an easy to understand format. Attack tactics are shown above, and individual techniques are listed below in each column. An attack sequence would involve at least one technique per tactic, and a complete attack sequence would be constructed by moving from left (Initial Access) to right (Command and Control). It is possible to use more techniques for a single tactic. For example, an attacker might try both a Spearphishing Attachment and a Spearphishing Link as initial login tactics.
Here is an example of a matrix:
In this matrix there are all the phases of an attack sequence. It is organized so that the tactics are ordered from right to left according to the attack sequence. Under each tactic the corresponding techniques, some of which contain sub-techniques. The two techniques mentioned above are actually sub-techniques of phishing which are part of the first step in the sequence (first column on the left).
It is not necessary for an attacker to use all eleven tactics at the top of the matrix. Rather, the attacker will use the minimum number of tactics to achieve his goal, as it is more efficient and provides less chance of discovery. In this attack (illustrated in the diagram below), the adversary performs initial access to the CEO’s administrative assistant credentials using a Spearphishing link delivered in an email. Once in possession of the administrator’s credentials, the attacker searches for a Remote System Discovery of the Discovery phase.
Let’s say they’re looking for sensitive data in a Dropbox folder that the admin also has access to, so there’s no need to increase privileges. The collection, which is the last stage, is done by downloading the files from Dropbox to the attacker’s machine.
Note that if you are using behavior analysis, a security analyst could detect the attack in progress by identifying abnormal user behavior.
And that’s exactly what a SOC should do, here, roughly, how the attack could be mitigated: suppose the administrator clicked a link that no one in the company has ever clicked before, then the administrator logged in a particular Dropbox folder at an unusual time. During the final phase of the attack, the attacker’s computer entered the Dropbox folder for the first time. With behavioral analysis, these activities would be flagged as suspicious user behavior.
To consult ATT&CK
To consult this resource just visit his site and you will find yourself in front of the matrix of which I published a screenshot a little while ago. Suppose we want to consult the Spearphishing Link technique. By clicking on it, the corresponding page will open containing in-depth information about it, such as a description of the technique, what sub-techniques exist, examples of procedures that include it and suggestions for risk mitigation.
Basically all the information necessary to know and defend oneself appropriately from each technique is available.
The advantages of a resource like MITRE ATT&CK are truly remarkable. Cyber security teams have a valuable ally at their disposal, to which they can add dedicated tools for its consultation.
While it is almost certain that attackers are adapting as defenders deploy new skills, it is also true that ATT&CK provides a way to describe the new techniques they develop.
In today’s article, we’ll explain what a Security Operations Center (SOC) is and help determine if a SOC-as-a-Service (SOCaaS) solution is right for your business. Just because you have to manage cybersecurity doesn’t mean your business has to deal with cybersecurity. In fact, your core business could be pretty much anything else.
Proper management of IT security, however, is essential to allow your company to grow and to obtain the certifications for data processing required by law. Having the right cybersecurity skills available at the right time is critical to your success, but you have no idea when that time will be.
Choosing the right technology, people and processes to build a modern security operations section is one of the biggest challenges for IT security managers.
What is a SOCaaS and what it can do for you
Before understanding what the management challenges are, it is good to understand what a SOC is. It performs the following functions:
Plan, configure and maintain your security infrastructure.
With a SOC it is possible to configure the technology stack (endpoint, SaaS applications, cloud infrastructure, network, etc.) to identify the relevant activity and eliminate unnecessary data. Monitor data sources to ensure the ecosystem is always connected.
Detect and respond
In addition, it is possible to monitor the incoming alarm activity. Investigate alarms to determine if it is a true security issue or a false alarm. If something is a real security threat, you can evaluate the magnitude of the situation and take response actions.
The activity of a certain event can be examined to determine if there are any signs of impairment that may have eluded the automated controls. The most common scenario is to review the history of an IP address or file that has been determined to be malicious.
Storage of log files
Another possibility is to securely collect and archive log files, for up to seven years, for compliance with regulations. The team will need to provide this critical data for forensic analysis in the event of a security situation.
Measure performance indicators
Obviously it is possible to monitor the KPIs (performance indicators). In detail it is possible to measure and report the KPIs to demonstrate to the executive team how the SOC is working.
The challenges of implementing your own SOC
Finding, training and retaining cybersecurity professionals is expensive
The skills needed to manage IT security tasks are in high demand. Unfortunately, the shortage is bound to get worse before it gets better. According to the International Certification Organization (ISC), the number of vacant positions worldwide was over 4 million professionals in 2019, up from nearly three million the previous year.
Training personnel with a broad IT background in cybersecurity skills is an option, but retaining these people is expensive. Their replacement, when eventually taken elsewhere, starts a cycle that usually ends up being more expensive than expected, especially compared to SOCaaS.
Also, people who work well in this industry usually want to explore new topics and take on new challenges. You will need to find other related projects or roles to rotate SOC staff to keep them engaged. This also helps build their skills, so they are ready to respond and act promptly when needed.
Cyber security is a team sport
It is important to have a diverse set of skills and a team that works well as a team. Security threats evolve rapidly, proper investigation and responses require people who understand endpoints, networks, cloud applications, and more. Often you end up being a SOC manager, a sysadmin and a threat hunter, depending on the day and what happens in your environment.
This means that you will need a team that is constantly learning, so that you have the right skills when you need them. People who do well in this industry thrive in a team environment where they can learn and challenge each other. For this, you need a workflow that regularly brings together several SOC analysts.
Think of it this way: you wouldn’t put a football team on the pitch that didn’t train together. Your SOC team collides with an opponent who plays as a team every day. To be successful, you need professionals who have a lot of playing experience to build their skills both in the single position and as a team.
A team of SOC analysts who do not do regular training will not be ready when hit by a well-trained opponent. It is difficult to get this experience in a small organization.
A SOCaaS is the immediate answer to this need. The team that will take care of your IT security is trained and stimulated every day by ever new challenges, having to deal with different infrastructures every day.
24/7 coverage is a necessity
Letting an opponent be free to bait for hours, days or weeks makes it infinitely more difficult to contain and remove threats. The adversary knows they have limited time to do as much damage as possible, as in the case of ransomware, or to overshadow ports, as in the case of data extrusion.
You will have the best chance of recovery if you can investigate and respond within minutes. A solution that provides 24 × 7 coverage is therefore essential.
In computer security there are no “working hours” for one particular reason: an attack could come from anywhere on the globe, consequently you cannot rely on conventional hours. This is the result of the spread of the network as an instrument of worldwide connection, we can only deal with it adequately. A SOCaaS relieves the company using it from keeping a division open 24/7.
Managing suppliers and integrating tools is quite expensive
Cyber security is complex and technology evolves rapidly. There will be more and more technologies that need to work together, which requires maintaining the skills to implement, update and configure each component and train your staff on new versions and features. If you have your own SOC, you also need to manage these supplier relationships, licensing, and training.
The bottom line is that building the skills you need requires a lot of low-level tasks and extensive daily work. For organizations that can support it, the effort makes sense. For most organizations, the task is best left to a partner who can provide this service, allowing you to get all the benefits of a high-end SOC without the expense and distraction of building it yourself.
If budget is not an issue and you have enough staff to focus on building and maintaining a 24 × 7 SOC, then it may make sense to go this route. If you are constrained on one of these two fronts, then SOCaaS will be the best approach.
In summary, SOCaaS allows you to:
1. Spend time managing security, not technology and vendors
2. Have a predictable expense. No surprise budget requests
3. Obtain security information from other organizations
4. Manage alarms more efficiently and with more predictable results
5. Be agile and keep up with the IT needs of your evolving organization
6. Stay abreast of today’s security tool innovations.
If your company wants to know more about Secure Online Desktop SOCaaS solutions, contact us for a non-binding consultation. We will show you all the advantages and clear up any doubts regarding this solution.
ICON_PLACEHOLDEREstimated reading time: 6 minutes Dal nulla, qualcuno risponde a una conversazione email datata m… https://t.co/NSU5rxuh4s
Estimated reading time: 7 minutes La minaccia di un attacco DDoS su larga scala è sufficiente per convincere le o… https://t.co/qxhGVKI7HQ
Estimated reading time: 6 minutes Is the threat of a large-scale DDoS attack enough to convince organizations to… https://t.co/sqrHurgPdr
ICON_PLACEHOLDEREstimated reading time: 6 minutes Out of nowhere, someone replies to an email conversation dated… https://t.co/kXIx3FPWfm
L'hacking etico e la salvaguardia del patrimonio aziendale https://t.co/SLncmaZ1ci