Estimated reading time: 6 minutes
The issue of information security is very topical in this historical period characterized by digitization. To protect themselves, businesses and individuals can use a variety of tools that can prevent an attack, but also help manage it. In this article we talk about Automated Response Integration and the automations in the SOCaaS offered by SOD .
Although the systems used are almost always based on efficient technologies, in recent years the implementation of SOCaaS services equipped with SNYPR for the analysis of Big Data is making a difference. The dedicated SOCaaS services facilitate end users in the use of security systems, basing their operation on automatic processes that protect company devices.
What is Automated Response Integration
The term Automated Response Integration identifies a specific approach to data analysis and consequent response in a cyber defense scenario. We see it today, in particular, related to our SOCaaS on which the SNYPR tool is applied, which we have already talked about in the past.
SNYPR and Automated Response Integration
In order to understand the potential of a SOCaaS service, with the implementation of SNYPR, it is appropriate to understand first what is meant by this term. When the word SNYPR is used, it identifies that examination tool capable of analyzing Big Data and simplifying its actions . A system equipped with SNYPR can examine a huge amount of data and identify the behaviors of everyone who interacts with the platform.
There is the combination of SIEM and UEBA logs, as well as an analysis dedicated to security in real time, very useful for automating the daily operations carried out in the infrastructure.
The operation of a SNYPR tool for corporate IT is based on the analysis of thousands of information collected, thanks to artificial intelligence. These analyzes are then used to prevent and intervene on cyber threats. The fact that most of these operations are automatic brings us to the field of Automated Response Integration.
Technically it differs from other platforms in the use of threat detection algorithms that have the ability to scan systems and logins performed by other devices in real time . A traditional system simply collects data, while a SOCaaS with SNYPR implementation can also detect much more harmful threats and adapt accordingly.
The strengths of Automated Response Integration with SNYPR / SOCaaS
One of the strengths of this tool is its Security Data Lake (SDL) based security system. This condition allows companies to keep a copy of the data in the SDL and submit the scan request at any time. There is no data lock, as in traditional systems, but an open system capable of sharing information with the different devices.
As it is easy to guess, it is precisely this availability of data and the possibility of in-depth analysis, which allows us to implement an Automated Response Integration strategy with our SOCaaS.
There are various system functions in the field that are noteworthy. These include: data enrichment, distributed behavioral analysis, historical investigation, scalability and data redundancy.
This coordination of services allows to have a concrete impact for IT security , a condition evident in three areas of SNYPR competence: internal threats, persistent threats and professional use.
The professional use of SNYPR: in recent years, the most important companies have equipped themselves with a SNYPR platform to protect their data storage and analysis infrastructures. The system constantly monitors the flow of information and adapts to the best conditions in the event of cyber attacks.
Automated Response Integration for automation in SOCaaS
From a technical point of view, a SNYPR system itself guarantees excellent potential, but it is with the SOCaaS implementation that it finds its maximum protection expression in IT systems.
The analysis of threats in a company system, although it is carried out in real time, requires the intervention of specialized technicians to identify the problem. With SOCaaS, identification is linked to automated actions to deal with possible threats, without the need for third-party intervention.
There is a real integration with automated response useful to prevent and eradicate possible threats . This process is essential not only to prevent business systems from being compromised, but also to protect companies and their IT departments, which can focus on other tasks.
Automated Response Integration functionality
Playbook: the tool can launch a playbook when SNYPR threats are detected. The transcript of the events is important to understand the origin of the threat.
Query: automation can manage actions or queries on end points directly from SNYPR, in order to face the cyber attack. This feature avoids the blocking of production in the most excited moments.
UEBA: As mentioned in the previous lines, an NSYPR-based tool can import UEBA alerts. The reference formats are usually CEF, which report warnings from any type of device, significantly affecting safety.
IP control : one of the strengths of this technology is the control of domains, IPs, files and URLs, ensuring maximum versatility for any type of work activity.
DNS and Whols data : The automated response is particularly useful in storing DNS and Whols data, as it is possible to check the validity of certificates and monitor unwanted access.
Vulnerability: You can schedule a network vulnerability scan. This analysis process is especially suitable for companies that send and receive a large flow of information outside the company context.
Relying on professionals
Not all SOCaaS-based services that implement SNYPR are identical to each other, some of them offer the same technology but different intervention methods. Among the most interesting solutions is our SOCaaS. For years we have been dealing with offering IT security solutions internationally and this is a guarantee of excellence, alongside our certifications and partnerships.
Our IT security service, based on Automated Response Integration, guarantees complete monitoring of corporate infrastructures, helping the company to avoid additional costs for ordinary or extraordinary maintenance of the devices.
The implementation of SOCaaS automated systems is now essential for companies that want to protect themselves from IT docking. Real-time analysis and notification of potential threats ensure essential peace of mind in an age increasingly exposed to digital dangers.
To find out how SOD and its services can help your company, do not hesitate to contact us, we will be happy to answer any questions.
Estimated reading time: 4 minutes
When we refer to artificial intelligence, we often refer to the great technologies that could control the world, with an obvious streak of science fiction. The reality is very different and is characterized by a technology with great potential, which is able to ensure countless advantages . Today we talk about how artificial intelligence can be implemented in monitoring.
The use of these technologies is unavoidably transversal to many sectors of the economy, but it is also usable in some aspects of everyday life. Some examples range from washing machines that, weighing the load of laundry, are able to choose the most advantageous washing program, to voice assistants that simplify our everyday life.
Very important in the corporate sector are the monitoring systems which were created precisely from these technologies which we will talk more about in a moment.
Thanks to the optimization of the computing capacity operated by artificial intelligence, it is possible to increase the efficiency of company equipment. Let’s see how.
What is artificial intelligence and how can it innovate monitoring ?
Today, artificial intelligence is declined in many ways. Perhaps the most important is processing a large amount of data then providing answers to complex questions. At the base of artificial intelligence there is the study of algorithms that deal with performing complex mathematical operations.
Artificial intelligence is a very useful tool within a company, as it is able to carry out very sophisticated and precise processing. These operations are capable of significantly improving the operations and productivity of numerous departments of the company itself.
Applied to monitoring, for example, artificial intelligence is capable of analyzing the logs coming from the network, both in terms of performance and behavior. The big step forward in the analysis and monitoring of an infrastructure consists precisely in recognizing whether certain behaviors that emerge from the logs are risky or not.
To achieve these results it is essential to have all those features that are available through artificial intelligence .
What are the advantages of using artificial intelligence for monitoring?
Artificial intelligence is able to provide companies that choose to use it countless advantages. Not only in terms of improving the performance of information systems, but also to make more efficient and improve the security of the same, preventing attacks.
This happens thanks to the analysis of the logs both from a technical and a behavioral point of view. Technical analysis highlights any ongoing problems, while behavioral analysis can prevent or immediately identify suspicious actions.
How can our monitoring system improve business efficiency?
Our monitoring system is able to improve business efficiency through numerous technical analyzes in able to be implemented not only on the entire system, but also on individual units.
The ability to analyze data in depth also allows you to improve the management of the entire IT structure and prevent overloads or attacks. Overall, the efficiency and safety of the infrastructure are increased at the same time through artificial intelligence applied to monitoring.
But there’s more: these analysis and monitoring systems are able to integrate with extreme effectiveness in complex architectures. By being able to analyze large amounts of data and being able to deduce behaviors and actions from these, efficiency in security is ensured.
Another advantage is the fact that this monitoring system does not require specific hardware. Software agents are installed on the systems to be controlled which have the sole task of sending data in the form of a log to the control system. analyses.
These systems therefore prove to be the ideal solution to keep large and small IT architectures under control, with the aim of improving efficiency and increasing overall security. In short, an application really interesting and useful of artificial intelligence in monitoring.
What are the fields of application of this technology?
We apply artificial intelligence systems to monitoring, benefiting our customers enormously. First we can collect large amounts of data, enrich it automatically and finally analyze it. The analyzes are carried out both from a technical and a behavioral point of view.
The result is a dedicated system, our SOCaaS, which makes risk mitigation extremely efficient, particularly quick intervention in the event of an anomaly and also provides regular reports.
This service is able to bring together all the features listed in the article, and to offer it as a solution for companies that want a superior security system.
Better efficiency, safety, versatility, operability, are just some of the paradigms used to define the services we make available to our customers. Our main goal is to simplify and make your company’s IT security more efficient.
Do not hesitate to contact us if you want to know more, we will be happy to answer any questions.
Estimated reading time: 7 minutes
When we talk about log management we refer to a precise process which consists of the centralized collection of data that comes from different operating environments such as: devices, databases, applications and much more. Logs are produced by various system events , many of which are particularly important in the business environment.
So let’s see some important details regarding log management.
The importance of collection-in-log-management
The procedure for collecting log data is important to achieve various objectives at the company level. The main ones are: to verify the vulnerability; manage possible security problems; control access to data and applications; the monitoring in real time ; check for any malfunctions at the application level.
From a regulatory point of view, then, log management is very important at a company level as allows you to observe the most important principles concerning data protection . This is established by the “EU 95/46 / EC” directive. It is also required by the obligations established by the “ General Data Protection Regulation (RGPD or GDPR) “.
Hence, these features illustrate how important good log management is and how it can help companies prevent potentially invasive events before they occur.
This type of action corresponds to what, in jargon, is called “Privacy by Design”. According to this principle, it becomes necessary to execute the right strategies to avoid creating risks and problems related to violations.
Log management needs the correct balance between the dynamic availability of resources and the growing number of log data . In addition, from the first step of acquiring the log data, it is appropriate to consider several elements. These often generate various complexities such as, for example: the quantity of sources to be taken into account; the number of data logs created; the multiplicity of events that give life to data log ; the types of data log ; the method of acquiring the data logs ; the compliance of the data log protection systems.
Log management needs the correct balance between the dynamic availability of resources and the growing number of log data . In addition, from the first step of acquiring the log data, it is appropriate to consider several elements. These often generate various complexities such as, for example: the quantity of sources to be taken into account; the number of data logs created; the multiplicity of events that give life to data log ; the types of data log ; the method of acquiring the data logs ; the compliance of the data log protection systems.
It is therefore advisable to plan the strategies that allow you to adopt the right solutions for your log management staff. In this way, technicians will be able to intervene while respecting the requirements already mentioned.
The characteristics of a log-management infrastructure
The infrastructure for log management is formed by the union of hardware, software and network elements that are set up so that they can communicate effectively with each other. The communications between these components are made within the same network that is used for the common activities of the company.
Nevertheless, for a company it is also important to take into account the possibility of collecting data using a different network so that any spyware attacks or other incidents will alter, intercept or delete the data.
If from the logistical and architectural point of view it is not possible, in a company, to carry out this second possibility, alternative measures should be adopted such as, for example, data encryption.
Summarizing, therefore, a log management infrastructure should ensure compliance with the following requirements: maintaining information that serves to achieve the collection objective following the principles of “minimization” and “proportionality” ; ensure that data remain unalterable throughout their life span; ensure the integrity of the data collected without making changes; keep the data for a limited period of time.
The data-aggregation at the company-level
As companies grow and reach large numbers of applications within their environment, data collection becomes an increasingly important and decisive challenge.
In addition, if we take into account the difficulty of collecting sufficient data logs to be able to remain compliant, respect for privacy standards and security issues that arise from modern threats, we easily realize how the collection becomes an increasingly complex challenge.
So, at the enterprise level, the key to creating an efficient collection system is the ability to dynamically capture data in real time from all available sources. Have a solution that allows you to put your data in a central location, such as a data lake , and facilitate filtering , transformation, classification, allows you to make the log management task easier for the company.
SOCaaS and the advanced log management system
A very advanced solution is the one offered by the SOCaaS , in particular by its component SIEM , which leverages the innovation of artificial intelligence. This allows you to analyze the data collected so as to find possible suspicious data.
In addition, a qualified technical intervention is always made available at any time of the day with precise and non-distracting tasks. The intervention allows you to verify the alarm notifications that are generated by the system so as to exclude false positives , intervening to eliminate the threat and give constant reports over time .
The ever increasing data collection and the analysis of artificial intelligence allow to make the service very convenient and complete.
The potential of the SOCaaS-system for companies
As we have just seen, it is very convenient for companies to rely on a SOC service (SOCaaS). The greatest potential is represented precisely by the innovation brought about by artificial intelligence that allows you to achieve maximum results regarding the constant and continuous analysis of data so that it has the certainty of identifying possible threats in a very short time . Thanks to this system, therefore, risks will be prevented and mitigated.
An added value, then, is not having to hire specialized technicians with specific skills in identifying and verifying threats. Those who rely on this service will also be able to receive reports on the situation and notifications in case of problems.
SOCaaS, therefore, allows you to take the right precautions against those still unknown techniques and has the ability to find the link between data concerning possible attacks with still unknown systems. This is thanks to the analysis of user behavior and infrastructure intities ( UEBA ).
In addition, the structure of the system is designed to bring about constant improvement. The synergistic work between technicians and artificial intelligence allows us to identify even unconventional breach attempts.
For companies it means improving their defenses by adapting them based on the data collected previously.
SOCaaS is perfect for those companies that want to work safely using network-based infrastructures. This is a guarantee of defense against cyber attacks .
The-advantages of choosing our SOCaaS for log-management
Choosing to rely on our SOCaaS has several benefits.
The first is to save money in both the short and long term. In fact, you will avoid buying dedicated hardware and specific software . Plus, you won’t even need to hire new employees or upgrade the skills of those who already work.
Another benefit is having the professional support of technicians who update every day to have the skills to fight new types of threats. This type of assistance is priceless and it is extremely difficult to obtain within the company staff. This is also due to the current shortage of professionals in the sector.
A further advantage is to have always updated technology available . You will not have to worry and worry about always updating the software, because these, solely responsible for the collection of data for SOCaaS, are always kept to the latest version.
Do you want to get more information to learn more about the SOCaaS functionality of SOD? Contact us to find out how we can help you keep your company’s defenses up.
Cyberattacks are numerous and do not distinguish between companies and individuals when targeting a target. You’ve most likely heard the term “cyber threat” in the media before, but what exactly are we talking about? Other ways you may have heard this are “cyberthreat”, “cyberattack” or similar.
What is a Cyber Threat?
Today the term “cyber threat” is used predominantly in the world of information security.
A cyber threat is a malicious act conceived with the purpose of damaging systems, stealing data or any purpose that has the purpose of causing damage of any kind. Viruses, data breaches and DDoS attacks are included. Even if the threat is virtual, what is real is the attacker’s intent as well as the potential impact. While many cyberattacks are mere nuisances, some are quite serious. Some even potentially threaten human lives.
The potential impact that these kinds of attacks can have is often underestimated. Most of the time, the attacks are easily identifiable and do not pose much risk. Instead, other times it happens to come across some more sophisticated threats, difficult to identify, which represent a big problem even for many companies.
Cyber threats are a major concern for businesses. Cyberattacks can lead to power outages, government equipment failures, and breaches of state secrets. They can manipulate telephone and computer networks or, as in the case of ransomware, they can cripple entire systems by making data inaccessible.
Every day new companies and organizations set foot in the digital world with awareness of the risks associated with their technological infrastructures. In some cases, cyber threats are underestimated and this often means great economic and image damage for the company that has underestimated cyber threats and security.
The increase in IT-related risks is real, as are data security solutions. The best thing to do is to take the necessary safety measures right away.
Types of Cyber Threats
The types of cyber threats are numerous, and it must also be considered that they are constantly evolving. The intent of hackers is usually to secure an economic gain by carrying out sabotage, espionage or data theft operations. As a result, they can be expected to do everything possible to achieve their ends.
Virtually every cyber threat falls into one of the following ten types of risks. Hackers have an abundance of options to choose from in order to operate. Furthermore, computer literacy is all in all poor, so hackers often have an easy time, especially for small local realities.
The 10 most common types of computer threats
It is a type of software that executes a malicious command on a device or within a computer network, corrupting data or taking control of the system.
Phishing is an e-mail attack that consists of tricking the recipient into revealing confidential information or inviting him to download malware by clicking on a link in the body of the message. These are real scams, which we have talked about extensively in other articles. Often they don’t even involve great IT skills on the part of the attacker, just a little social engineering.
Vishing is a more sophisticated form of phishing in which the hacker uses VoIP technology to contact the victim, attempting to trick them. There is also a variant that instead uses text messages to attack, it is called smishing.
Man in the Middle
As the name suggests, this type of attack refers to when a hacker intervenes in a conversation posing as one of the two parties, with the aim of stealing sensitive information. What we often don’t think about is that the conversation is between two machines and therefore not immediate to monitor.
The origin of its name is inspired by the famous Trojan Horse of ancient Greece. Trojan is a type of malware that infiltrates a computer system by hiding its true nature. For example, it could impersonate known software and then release malicious code once inside the host device.
Ransomware is an attack that uses encryption to make information on a system inaccessible. The aim is to demand a ransom in exchange for being able to access the data again. Possibilità che a volte, in realtà, non è nemmeno assicurata.
It occurs when the attacker uses many devices to overload a target, such as a website, with requests, causing it to crash or become instabilities.
Attacks on IoT devices
This is an increasingly popular attack due to the nature of the targets. Devices such as sensors or industrial plants connected to the network are vulnerable to multiple types of cyber threats. The hacker could take control of the device and then later use it in a DDoS attack. Alternatively it could steal the information present in the device itself obtaining important data to continue the attack. Given their number of frequently out-of-date operating systems, IoT devices are a very attractive target.
Malware in mobile applications
Phones and tablets are just as vulnerable to malware as any other device. È possibile inserire malware all’interno di app, nei siti web o nelle e-mail sfruttando il phishing. Once compromised, a mobile device can provide access to personal information, location data, and financial accounts.
A recent example of this type of eventuality is Pegasus software, which is used to monitor and collect data from journalists around the world. (Source: The Guardian)
Practical defense and prevention solutions
Cyber threats are always expanding and improving. Millions of them are created every year, many of them follow the aforementioned characteristics, but others are technologically more complex and more powerful.
Fortunately, however, there are also more and more highly qualified companies in the field of IT security that offer cutting-edge tools and services that help prevent, identify and promptly block all kinds of IT attacks.
Threat detection tools
Threat detection tools are an essential part of a company’s cybersecurity technology stack. Threat detection is also the first defense against any Cyber Threat.
Specific solutions, such as the use of a SOCaaS, for example, are of vital importance for safeguarding an IT infrastructure, thanks also to the integration of the SIEM engine which includes UBA and UEBA, guaranteeing complete control also over the users.
Another useful tool is definitely ACP. Acronis Cyber Protect is a solution that integrates data protection and management to safeguard your endpoints, data and systems. Its automation capabilities provide unparalleled protection, enabling businesses to increase their productivity and reduce risk.
Vulnerability Assessment & Penetration Test (VA-PT)
Services like VA & PT are field tests that test the infrastructure in a concrete context. Our teams of white hat hackers find vulnerabilities within the system to point the finger at weaknesses to fix.
We have learned what a cyber threat is and its most common types, also discovering which solutions can be adopted in order to guarantee better corporate and employee safety.
What countermeasures has your company taken to protect your safety? If you would like more information about it, you can contact us by pressing the button below. We offer ad hoc services and solutions to strengthen corporate defenses.
Estimated reading time: 5 minutes
Every year the number of attacks that threaten the security of devices, computer systems, servers and network infrastructures is growing steadily. This is done by taking advantage of the vulnerabilities present in these systems. Among the many types of attacks, particular attention must be paid to the pass the ticket (PTT) attack.
With a pass the ticket attack it is possible to take advantage of the Kerberos network protocol, present in all major operating systems, to access a user’s session without having his login credentials. An attack of this type can be difficult to detect and is usually able to bypass the most common system access controls.
Pass The Ticket: what it is and how it works
Before understanding in detail what a PTT attack is and how it works, it is advisable to clarify the Kerberos network protocol since an attack of this type uses this protocol. Kerberos is a network protocol designed by MIT in the 1980s and became a standard IETF in 1993. It is used for strong authentication between different terminals through a symmetric key encryption system, without transmitting any passwords.
The advantage of using the Kerberos protocol lies in its strong authentication system between client and server. This makes it very effective against phishing and “ man in the middle ” attacks.
Kerberos is integrated into all major operating systems belonging to well-known companies such as Microsoft, Apple, Red Hat Linux and many more.
With a pass the ticket attack it is possible to exploit Kerberos authentication to gain access to a user account. The consequences that such an event could entail are not are to be underestimated. Among the many imaginable scenarios, for example, there could be the possibility that the compromised account enjoys high administrative privileges thus guaranteeing the hacker full access to resources.
A pass the ticket attack allows you to gain privileged access to network resources without having to use any user passwords . Here’s how: In Active Directory, a Ticket Granting Ticket (TGT) serves to prove that a user is just who he says to be. Through some tools and techniques, a hacker could collect these tickets and use them to request Ticket Granting Services (TGS) in order to access resources present in other parts of the network.
A PTT attack could involve risks even if the compromised account does not have particular administrative privileges since the hacker, through the Lateral Movement < / a>, may be able to gain access to other accounts and devices.
The difference between pass the ticket and an attack pass the hash lies in the fact that the former exploits TGT tickets that have an expiration of a few hours, while the latter uses NTLM hashes that change only in case a user decides to change his password. A TGT ticket must be used within its expiration time or renewed for a longer period of time.
How to Defend and Prevent a Pass The Ticket Attack
Keeping a network and the devices connected to it safe is a very important factor. You must always have protocols and software that are able to guarantee effective protection from all kinds of threats , with up-to-date systems that keep sensitive information safe. Enterprises can take advantage of endpoint detection and response technologies. Local detection of multiple tickets used for the same session will be possible.
Account case without-privileges
In the event of a pass the ticket attack, if the compressed account from which the TGT or TGS was stolen was a low-privilege account, the mitigation could be quite simple. Just reset the user’s Active Directory password. Such an action would invalidate the TGT or TGS, preventing the hacker from generating new tickets.
Case-account with privileges
Conversely, if the PTT attack compromised a privileged account, limiting the damage is much more difficult. In these cases, companies could respond to the attack by resetting the Kerberos TGT service to to generate a new signing key, making sure to delete the compromised key.
Next you need to drill down into Kerberos logs and Active Directory information to investigate and find out which network resources have been compromised. In this way it is also possible to understand which data may have been stolen. The technology SIEM allows organizations to assimilate, analyze and analyze this data.
Protection from attack
To ensure complete protection of an infrastructure, also preventing pass the ticket attacks, it is good to use valid detection technologies such as UEBA and SIEM. In fact, it is possible to prevent Pass The Ticket attacks by analyzing the behavior of users and entities. The solution UEBA , in these cases, would ensure the quick identification of any compromised account, blocking it in order to mitigate the damage.
Some software SIEM also allow not only to analyze traditional logs but are also able to provide an accurate analysis of security , analyzing the behavior of the network and users in order to detect promptly the presence of any threats to the infrastructure.
We have seen what a pass the ticket attack is and how companies can adopt specific solutions to intercept the dangers and anomalies of an entire IT infrastructure. This allows us to mitigate threats more effectively.
A complete solution, as we have seen, involves constant and granular communication monitoring . The solution we propose for this purpose is a SOCaaS .
If you want to know our dedicated security services, do not hesitate to contact us. You can use the button below, we will be happy to answer any of your questions.
Estimated reading time: 6 minutes
Cyber Threat Analytics applications monitor security logs and the network to promptly detect any malware infections (for example, attacks zero day ei ransomware ), the compromise of the system, the activities of “ lateral movement ”, pass-the-hash , pass-the-ticket and other advanced intrusion techniques. The use of a SOCaaS allows to extrapolate data from sources such as firewalls, proxies, VPN, IDS, DNS, endpoints, and from all devices connected to the network with the aim of identifying harmful models such as “beaconing”, connections to generated domains digitally, actions performed by robots and all anomalous behaviors.
Our system SOCaaS is equipped with artificial intelligence that enriches and transforms events SIEM , so you identify threats across your entire IT environment, including business-critical applications.
What are the-advantages at the enterprise-level?
The use of a SOCaaS. Below is a list with only some of the advantages that the use of SOCaaS can entail rapid detection of violations, reducing the impact of these. Additionally, a SOCaaS provides comprehensive threat responses and investigations, decreases monitoring and management costs, as well as compliance costs.
The use of a SOCaaS also allows you to receive quantified and non-subjective reports on threats and risks.
SOCaaS use cases
After a general overview of the advantages that the use of SOCaaS could offer to the company, let’s see in what contexts it is normally used .
A SOCaaS consists of elements that are very suitable to be applied in case of abnormal execution of applications, as well as in the analysis of bot traffic to a malicious website.
In other cases, SOCaaS identifies unusual DNS queries, a possible remote command and control activity, analyzes the spikes in bytes to external destinations and then also checks the traffic, relating it in an application / port context.
Other scenarios in which the use of SOCaaS is ideal are the detections of exploits, sessions of unusual duration, but also connections to IPs or blacklisted domains and anomalous activity in general.
Finally, it can also detect targeted SPAM attacks and phishing attempts.
By analyzing threat indicators it is possible to detect correlated behaviors on multiple data sources, to also detect all those threats that usually go unnoticed. Multiple threat indicators occurring in a scheme and involving similar entities tend to present a greater risk of posing a real threat.
The Threat Models define these patterns and combine threat policies and indicators to detect related behaviors across multiple data sources, identifying threats that may go unnoticed. Below are some of the more common Threat Models that are included in the use of a SOCaaS
Lateral Movement Detection
This Threat Model detects the possible scenarios of “ lateral movement “, used by attackers to progressively spread across a network in search of key resources and data. The signs of such an attack can be varied and we can divide them into three categories: Abnormal authentication, suspicious privileges, abnormal process.
Abnormal authentication is usually detectable by some clues. For example if an account accesses a host that has never been reached before. Or if explicit credentials are used on multiple hosts, or if a suspicious authentication type / process is detected.
Concerning suspicious privileges, here are some indicators detectable with the use of a SOCaaS:
- abnormal provisioning activity
- suspicious escalation of privileges
- abnormal access to network share objects
An abnormal process is detected in this way through the use of a SOCaaS: an unusual process code, or the suspicious creation of scheduled tasks. Alternatively, suspicious changes to the registry settings may be detected.
Detection of compromised hosts
This model is employed in the use of SOCaaS to detect hosts showing signs of infection and compromise by relating host and network based anomalies to the same entity.
A possible alarm is given by anomalies in outgoing traffic . This occurs when traffic goes to random domains or known malicious hosts. In other cases, however, an abnormal number of domains contacted is another alarm bell detectable through the use of a SOCaaS.
anomalies in the endpoint are found when rare processes or suspicious use of ports or protocols by the process itself are found. One possibility is also to detect an unusual agent.
APT detection using a SOCaaS
Detection APT detects attacks on health care networks , where the attacker’s aim is usually to obtain a unauthorized access to a network with the intention of remaining undetected for an extended period.
This includes phishing attempts , detection of a network scan or circumvention of controls. In the delivery phase, however, traffic to random domains, an anomaly in DHCP traffic or traffic destined to known malicious hosts may be identified.
During an exploit , the indicators can be: the detection of activity from terminated accounts, anomalous DNS traffic, but also a suspicious authentication process. Another possible indicator identifiable with the use of SOCaaS is an anomaly in the speed of the network.
Through the use of a SOCaaS, cases of data exfiltration can also be detected. The signals in this case are l ‘Unauthorized upload of data over the network.
Detection model Phishing using SOCaaS
This model is able to detect possible phishing attempts towards users within the organization . We’ve talked about it in other articles as well, and here are some indicators of this type of attack. A wake-up call is definitely the detection of known phishing campaigns. It is also not uncommon for spear phishing attacks to be detected.
The use of a SOCaaS is also able to identify possible phishing attempts or persistent phishing campaigns, thanks to the comparison with emails from senders / domains / IP addresses known in the blacklists. As usual, beware of suspicious email attachments, but the use of a SOCaaS could automate, at least in part, the checks.
It is then possible to identify outbound traffic anomalies , for example that towards random domains, which is also a possible phishing signal. Classic traffic to malicious hosts, an abnormal number of rare domains accessed, can also be indicators.
Host / Account Enumeration on LDAP
Usually used to identify potential assets or account enumerations on the network by malicious entities.
Running suspicious processes
- Abnormal process / MD5 detected
- Use of possible sets of AD (Active Directory) enumeration tools
- Detected use of malicious tools and utilities
- Possible AD accounts / enumeration privileges
- LDAP or SMB service count
- Abnormal number of Kerberos service ticket requests
- Port scanning
- Accounts accessing a host for the first time
- Using never-before-seen accounts on the network
- Abnormal number of failed authentication requests
Reconnaissance followed by potential exploitation
This threat model aims to identify successful network reconnaissance attempts, followed by indicators of exploitation.
- Scanning ports from external hosts
- Enumerating hosts from external hosts
- Possible count of AD accounts / privileges
- Enumeration of LDAP services
- Unsolved number of Kerberos service ticket requests
- Spikes in traffic LDAP
- Enumeration of SMB services
Anomalies in processes
- Detection of abnormal processes or MD5
- Suspicious creation of scheduled tasks
- Suspicious changes to registry settings detected
We have seen what are the major SOCaaS use cases, taking a look at some of the most common threat models that it includes in its protection system. For information on malware threat patterns and threat identifiers visit this article.
Using a SOCaaS is a solid and highly valuable business solution, ask us what it can do for your business, we will be happy to answer any questions.
Estimated reading time: 7 minutes
When we talk about “left of boom” or “right of boom” we are referring to a concept that may appear superficial. Instead, it is a powerful tool that offers the ability to analyze security conflicts from both a offensive and a defensive perspective. In a hypothetical timeline of an attack, what is left of boom refers to what happens first. Similarly, what is on the right is what happens next.
In common parlance, the term “bang” is very often used instead of “boom”, but the meaning remains the same. In essence, it is the event itself around which the previous and subsequent period is analyzed.
So, “left of boom” is the set of events that occur before the attack . “Right of boom”, on the other hand, is the set of events following the “boom”. This is the essential difference between the two terms. If defensive stocks can detect events in the “left of boom” period, solutions can be found and adopted to predict when the “boom” will happen.
For an inexperienced person in cybersecurity, these concepts regarding the timeline of a cyber attack may not even be considered, for this reason many companies prefer to use a SOCaaS.
Left of Boom
A good penetration tester can detect some “left of boom” events, but they often miss out on gathering threat intelligence. Sometimes it is unable to distinguish concepts such as “security engineering, vulnerability discovery and remediation” from “automated prevention control”.
There is actually no real good prevention tool, more security checks are detection checks. Some of these controls integrate automated response mechanisms that prevent the succession of unpleasant events.
A web application that prevents XSS or SQLI attacks is really useful for detecting invalid inputs and responds by discarding the content before the injection can occur.
A firewall designed to block ports simply detects unwanted traffic in relation to the protocol used for the connection and the number of the port you want to access, interrupting and resetting the connection request.
These examples tie in well with the concept of “right of boom”. The prevention checks detect the “boom”, the event, and respond immediately, stemming the possible damage. “Left of boom” and “right of boom” are so close in the timeline that they are hardly distinguishable, until you do a careful analysis of the events.
This is one of the reasons why IT security professionals love prevention checks. They work quickly to fix errors before the hackers achieve their goals, limiting the damage.
A SOCaaS in these cases is one of the best solutions to adopt to protect the integrity of a computer system.
Right of Boom
Generally the shorter the distance between the “right of boom” and the response time to a threat, the lower the consequences of a possible cyber attack. Obviously this is only a logical consideration, it does not apply as an absolute rule.
For some breaches, the timeline between the event and the complete elimination of the threat is questionable, as detection occurred after the hacker achieved his goal. If the hackers they manage to infiltrate the system but are stopped in time, causing no damage to the infrastructure. In this second case, therefore, there is no “boom” we are talking about.
An example of right-of-boom
To better explain the concept of “right of boom” we could take a common “malware” as an example. Malware is generally developed to mass attack many devices, without much discretion. By “right of boom” we refer to that period of time that has passed since the malware infection occurred.
If you have read the other articles published by us you will have learned how hackers use these types of infections for the purpose of collect sensitive information , which is resold to a third party. If the “right of boom” is shorter than the time it takes the hacker to sell this information, the damage can be contained.
The best security systems manage to shorten the “right of boom” time by managing to gather information on attackers in the “left of boom”. This can be achieved by implementing countermeasures based on the threat model. These tools allow you to scan entire infrastructures, observing new threat indicators days or even weeks before attacks are deployed.
As we’ve seen in other articles, attacks don’t always happen quickly. In fact, the hackers involved are more likely to act in a slow first period just to gather the information needed to launch the attack. In the “right of boom” period, useful tools such as cyber threat intelligence and a threat hunting team come back < / a>.
Why “Right and Left of boom” concepts are important
If we put ourselves in the hacker’s perspective, the concept of “right of boom” and “left of boom” can help to decide which course of action is best to take.
Suppose a hacker has two methods of breaking into a computer system. If one of the two methods could be detected in the “left of boom” period, while the other one in the “right of boom”, it is obvious that the hacker will prefer the second. In fact, this would guarantee more probabilities successful attack.
Similarly, between two methods that can be detected “right of boom” we choose the one that has the most chance of being detected late . The longer it takes from boom to detection, the greater the chances of success. This kind of reasoning is important in determining which tactic has a broader timeline.
Thinking in this light is not easy at all, requires advanced knowledge from the security expert. It also requires having to consider all those hypotheses that could potentially determine the success of the hacker.
A hacker is able to predict whether, using certain tactics, he would be able to reach the goal faster than the expert trying to detect attacks. The “boom” is the first contact, in the set of intrusion tactics used to illegally access a computer system. The remaining tactics are placed before and after it.
Speed and stealth usually cancel each other out. In fact, very often you can be faster by sacrificing some stealth.
Speed and stealth don’t get along very well when it comes to cyber attacks. Being stealthy, avoiding leaving traces, requires more attention and therefore inevitably also more time. However, if the aim of a hacker is not a single goal but a series of multiple goals, to be fast can be effective.
To defend against attacks, Indicators of Compromise (IOCs) can be collected to remedy existing vulnerabilities and to introduce new detection controls, making the computer system more secure.
It is important to understand the timeline concept of attacks, and we have seen how the concepts of “left of boom” and “right of boom” affect the response mechanisms to intrusion threats.
The concepts we’ve seen in this article, while they don’t add anything concrete to a system’s defense or attack techniques, offer a point of view. In the constant struggle between hackers and security operators, having a winning strategy means not only having efficient tools, but also planning in detail every detail, before and after attacks.
To find out how a SOCaaS can help you monitor your business infrastructure and catch the “left of boom” clues, do not hesitate to contact us, we will be able to answer every question and offer you a solution for your company.
Estimated reading time: 4 minutes
Today, facing an attack in a corporate SOC is very similar to being under attack without knowing which direction the blow is coming from. The threat intelligence can keep you informed of security issues. However, in many cases, this information is only provided when you are already under attack, and is rarely very useful except in retrospect. It would take a different approach to data analysis, and that’s exactly what we propose with predictive cybersecurity .
In cybersecurity, threat intelligence is still relied upon as a fundamental defensive tool. Unfortunately, threat intelligence only covers a subset of threats that have already been found, while attackers constantly innovate . This means that new malware executables, phishing domains and attack strategies are created all the time.
Threat intelligence has a strong value for reactive incident response. It helps when pivoting through an investigation, identifying intent or other useful data, and providing additional investigative assistance. But it has limited value for detection, as threat actors avoid reusing their attack infrastructure from one target to another.
If the clues you see are different from those known from previous attacks, what can you do to move forward with effective detection? A legitimate question, for which predictive cybersecurity perhaps has an answer.
… what if you could know what is going to hit?
SOCaaS: predictive cybersecurity
Eyes on opponents rather than past attacks
The SOCaaS solution offered by SOD brings predictive cybersecurity capabilities to cybersecurity. The solution maps adversaries , instead of threats, and analyzes their actions to predict the behavior and the tools used in their attacks.
The analytical engine translates behavioral patterns into profiles of adversary attack infrastructures , which indicate as ( trojan, phishing or other forms of attack ) and where ( branches, customers, partners, peers, industry and geographies ) < strong> attackers are planning to target your company .
This provides a preemptive attack map, which identifies opponents based on their attack phase and current position within the extended business landscape . But not only that, in fact, information about the opponent, typical attack patterns and possible countermeasures that can be taken in advance are also identified. This way you can cancel the threat before it materializes .
Predictive cybersecurity: understand what’s going to happen first
Our SOCaaS provides predictive detection capabilities against internal and external threats with the combination of user, entity and adversary behavior analysis. Our Next-Gen SIEM uses an analytics-driven approach to threat detection. SOC provides visibility in the crucial early stages of an attack. That is when cyber actors are targeting, planning and preparing the infrastructure for an attack.
With this level of predictive visibility, the team can prevent attacks and systematically contain those in progress. Predictive cybersecurity allows defenders to tune their systems against the attack infrastructure. In fact, it is possible to build blacklists that include the IP addresses and the host names of the instances used for the attack . Other measures include fortifying corporate systems against the specific malware that is used to target them, rendering the attack powerless when it occurs.
Opponent Behavior Analysis extends the capabilities of Next-Gen SIEM by continuously providing updated analysis of opponent information and behavior . This encompasses the entire attack infrastructure for dynamic and proactive threat protection.
SOCaaS automatically translates the pre-attack behavior of opponents into actions or countermeasures that can be taken against phishing, compromise of corporate email, ransomware, fraud and many other common threats.
Correlate breaches from the same adversary / campaign into a cohesive threat, even if different pieces of attack infrastructure are used for each event.
Prevention and preventive defense
Preemptively blocking an opponent’s entire attack infrastructure, such as newly created phishing domains, for preemptive defense.
Strengthen vulnerable resources
Focus and secure the most vulnerable parts of your infrastructure based on information that identifies which areas are possible targets.
The information provided by SOCaaS is used to add more context to existing threats, as well as provide information on attacks that have not yet been implemented or are in the early stages, such as reconnaissance. This allows for direct action against evolving threats and a more robust defense.
Relying on luck to catch threats is madness, as the recent SolarWinds attack . Make your fortune with SOD’s SOCaaS solution, making sure you see threats before they happen and are “lucky” enough to counter them.
Estimated reading time: 5 minutes
threat intelligence data provides companies with relevant and timely insights they need to understand, predict, detect and respond to cybersecurity threats . Threat intelligence solutions collect, filter and analyze large volumes of raw data related to existing or emerging sources of threats. The result is threat intelligence feeds and management reports. Data scientists and security teams use these feeds and reports to develop a targeted incident response program for specific attacks .
Everyone from fraud prevention to security operations to risk analysis benefits from threat intelligence . Threat intelligence software provides interactive, real-time views of threat and vulnerability data.
The advantage offered to security analysts and experts is obvious and serves to easily and quickly identify threat actor patterns . Understanding the source and target of attacks helps business leaders put in place effective defenses to mitigate risks and protect themselves from activities that could negatively impact the business.
cyber threat intelligence can be classified as strategic, tactical or operational. Strategic concerns the capabilities and general intent of cyber attacks . Consequently also the development of informed strategies associated with the fight against long-term threats. That Tactic is about the techniques and procedures that attackers might use in day-to-day operations. Finally, threat intelligence Operational provides highly technical forensic information regarding a specific attack campaign.
The threat intelligence cycle
Threat Intelligence Solutions collect raw data on actors and threats from various sources. This data is then analyzed and filtered to produce feed and management reports that contain information that can be used in automated security control solutions . The main purpose of this type of security is to keep organizations informed about the risks of advanced persistent threats, zero- day and exploits, and how to protect yourself from them.
The Cyber Threat Intelligence Cycle consists of the following stages.
Planning: The data requirements must first be defined.
Collection: Collect large amounts of raw data from internal and external threat intelligence sources.
Processing: Raw data is filtered, categorized and organized.
Analytics: This process transforms raw data into streams of threat intelligence using structured analytics techniques in real time and helps analysts identify Indicators of Compromise (IOC). < / p>
Dissemination: Analysis results are immediately shared with cybersecurity professionals and threat intelligence analysts.
Feedback: If all questions are answered, the cycle is over. If there are new requirements, the cycle starts over from the planning phase.
Common indicators of impairment
Enterprises are under increasing pressure to manage security vulnerabilities, and the threat landscape is ever-changing. threat intelligence feeds can help with this process identifying common indicators of compromise (IOC) . Not only that, they can also recommend the necessary steps to prevent attacks and infections. Some of the more common indicators of compromise include:
IP addresses, URLs and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.
Email addresses, email subject, links and attachments: An example would be a phishing attempt which relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.
Registry keys, file names and hashes of files and DLLs: An example would be an attack from an external host that has already been reported for nefarious behavior or is already infected.
Which tools for threat intelligence
The growing increase in malware and cyber threats has led to an abundance of threat intelligence tools that provide valuable information to protect businesses.
These tools come in the form of both open source and proprietary platforms. These provide a variety of cyber threat defense capabilities, such as automated risk analysis , private data collection , threat intelligence quick search tools, reporting and sharing this information among multiple users, curated alerts, vulnerability risk analysis, dark web monitoring, automated risk mitigation, threat hunting and much more.
We talked about one of these tools in a other article : the Miter Att & amp; ck . This is a very useful tool for learning about hacker attack techniques and behaviors. This is thanks to the information gathered by threat intelligence and the consequent sharing. A framework like this is very efficient for creating defensive mechanisms that make it possible to secure corporate infrastructures.
Artificial intelligence and threat intelligence
As we saw earlier, gathering information from various sources is just one of the steps. These must then be analyzed and subsequently processed into control protocols, to be really useful for security.
For this type of work of analysis, definition of baseline behaviors and data control, we are increasingly relying on artificial intelligence and deep learning. A Next Generation SIEM , flanked by a UEBA solution are perfect for this type of protection.
The control of the behavior of entities within the perimeter carried out by the UEBA is able to identify any suspicious behavior, based on the information collected and analyzed by the SIEM.
The defenses we have named are the primary value of a corporate security plan. Adopting specific solutions, implementing threat intelligence and therefore an active search for threat indicators, offers a strategic advantage. The company can take a step ahead of criminals, who can only leverage the surprise effect against their victims. Precisely for this general situation, every company should be in a position not to be caught by the off guard. Implementing proactive solutions is now necessary.
The threat intelligence is therefore a defense weapon behind which to protect the most important resources in order to work in peace.
If you want to know how we can help you with our security services, do not hesitate to contact us, we will be happy to answer any questions.
Estimated reading time: 8 minutes
The term shoulder surfing might conjure up images of a little surfer on his shirt collar, but the reality is much more mundane. shoulder surfing is a criminal practice in which thieves steal your personal data by spying on you while using a laptop, ATM, public terminal or other electronic device among other people . This social engineering technique is a security risk that can cause disaster, especially if the stolen credentials are corporate.
The practice long predates smartphones and laptops and dates back to when criminals spied on pay phone users as they entered their calling card numbers to make calls . Many years have passed, but the technique has not been lost. Thieves have evolved to observe their victims typing their ATM PINs, paying at self-service petrol pumps, or even making a purchase in a store.
A similar technique for ATM theft involves a card cloning device superimposed on the card insertion hole and a micro camera to spy on the code. The micro camera performs an act of shoulder surfing . Card cloning is essential because without a physical device the pin is useless, but in the case of account credentials on the network, all you need is user and password.
When does Shoulder Surfing take place?
shoulder surfing can happen whenever you share personal information in a public place. This includes not only ATMs, coffee shops and POS devices in general, but virtually any place where you use a laptop, tablet or smartphone to enter personal data.
Long-time shoulder surfers did not usually loom behind their victims to scrutinize information. Instead, they stood at a safe distance and interpreted finger movements as people typed numbers on the keyboard . Similarly, today’s social engineers often escape attention as they quietly observe others in public places such as airport lounges and shopping malls, bars and restaurants, on trains or subways, or wherever there are people, to tell the truth.
Indeed, today’s most sophisticated criminals are watching from further away, hidden from view. They could use binoculars, micro cameras, or the camera of their phone or tablet to scan your screen or keyboard. Not only that, they may eavesdrop as you read credit card numbers on the phone or provide other sensitive information. Criminals could also take pictures, make a video or audio record of the information and then interpret it later.
Whatever the methodology, it is clear that technology has not only helped us to be more connected and be able to afford to pay for a frappuccino with our mobile phone, but it has also exposed us to security risks. When it comes to sensitive data, especially if there is a corporate account involved that could access other people’s sensitive data, you should never let your guard down , consequences could be very serious .
As shoulder surfing commonly happens
Before suggesting some methods to prevent shoulder surfing to be put into practice immediately, let’s take a closer look at how credential theft could happen with this technique.
At the bar or in the cafeteria
You’re in a busy restaurant bar waiting for a friend. To pass the time, you connect to Instagram. Unfortunately, you don’t notice that the person stuck in line next to you is looking at your password, which happens to be the same one you use for your email and bank account.
At the ATM
You’re taking cash at an ATM. You feel safe because the man after you in line is at least 10 feet away and is even looking at his phone. In fact, he is recording your finger movements on his phone and will later decrypt them to get your PIN number.
To the airport
Your flight is delayed, so grab your laptop and kill your time by reading a couple of work emails to keep up to date. Log in to the company website to read your mail and enter your username and password. You are so calm that you don’t see the woman a few places away as she stares at the screen while you enter data.
What are the consequences of shoulder surfing?
Using your credit card information to make fraudulent purchases is just one example of the damage you could suffer if you fall victim to shoulder surfing . The more personal information a criminal captures about you, the more serious the consequences can be for your bank account and financial health.
A serious case of shoulder surfing can expose you to identity theft . A criminal could use your personal information, such as your social security number, to open new bank accounts, apply for loans, rent apartments, or apply for a job under your name. An identity thief could get their hands on your tax refund, use your name to get medical treatment, or even apply for government benefits in your name. They could also commit a crime and provide your personal information when questioned by the police, leaving you with a dirty record or arrest warrant.
Of course, if you suspect this has happened, you’ll need to go to the police immediately, block your checking accounts and notify the bank. If fraudulent actions have already been carried out in your name, you may need to prove that you are not involved.
Things get dangerous if the stolen data is from a corporate account. In fact, with the use of valid credentials, anyone could enter the company’s system and perform all kinds of actions, such as collecting additional data, placing malware, running a ransomware , steal customer data and then sell it online.
How to defend yourself from shoulder surfing
Two levels of protection can be identified, the first is proactive and is aimed at preventing credentials from being exposed to malicious people, the second is active and provides software to detect attempts to use stolen credentials.
Defend yourself proactively
If you really can’t avoid entering sensitive data on your laptop, tablet or smartphone in a public place, you should follow the countermeasures listed below.
Tip 1: Before entering any sensitive data, find a safe place . Make sure you sit with your back to the wall. This is the best way to protect yourself from prying eyes. Avoid public transport, the central armchairs of a waiting room and places where there is a lot of people coming and going.
Tip 2: Use a privacy filter. This hardware device is a simple polarized translucent sheet that is placed over the screen. It will make your screen look black to anyone looking at it from any unnatural angle . This will make it much more difficult for unauthorized people to see your information.
Tip 3: Two-factor authentication requires a user to prove their identity using two different authentication components that are independent of each other. Since this type of authentication only passes when both factors are used correctly in combination, the security measure is particularly effective. For example, this method is often used a lot in online banking. There are many services that allow you to use your mobile phone as a second authentication factor . This is done through special apps.
Tip 4: Another solution is to use a password manager . By doing so, you no longer have to enter each password individually on your computer. The password manager will do this for you after you enter your master password . This prevents unauthorized people from using your keyboard to determine the real password, provided that you properly protect your master password .
Actively defend yourself with a SOC and behavior analysis
Now let’s imagine that the corporate account credentials have been stolen. At this point only a behavior control system can trigger an alarm and therefore block the user before there is any damage.
In fact, using correct credentials, a normal traditional SIEM would not trigger any alarms. For an older generation SIEM, access would be legitimate, because the credentials are correct. The attacker would have free undisturbed access to the system and could continue with his attack plan.
With SOD’s SOCaaS service, however, abnormal access would trigger an alarm. The SOC provided is equipped with a Next Generation SIEM and a system UEBA control behavior . This means that any deviation from the user’s usual behavior would be reported.
In the case of credential theft, as happens with shoulder surfing, the access made by the attacker would therefore trigger an alarm because something is wrong . For example, the login could take place at anomalous times, in another country / IP, from a different operating system, etc.
shoulder surfing is a social engineering technique that focuses on user carelessness while entering sensitive data into a system. In the event that a user’s corporate credentials are stolen, the only really efficient thing is to have a system that analyzes user behavior and reports whenever suspicious actions are detected.
If you want to know in detail how a SOC and UEBA system can help your company defend against social engineering attacks, do not hesitate to contact us, we will be happy to answer any questions.
Estimated reading time: 6 minutes
A logic bomb, also called slug code , is a piece of code inserted into an application, virus or malware that implements a malicious function after a certain time limit or under conditions specifications.
These “bombs” are often used via viruses, worms and Trojans to better manage your time and do maximum damage before you are noticed . They perform actions such as corrupting or altering data, reformatting a hard drive, and deleting important files.
In this article I want to explain what a logic bomb is and offer some suggestions for preventing damage.
What is a logic bomb virus?
A logic bomb is often embedded in a virus or otherwise in an executable file. It consists of malicious code that triggers an attack when specific conditions are met. Conditions can be positive (something that happens) or negative (something that doesn’t happen). In the first case an example is that of opening a program, however, an example of a negative condition is a user who does not log in.
Logic bombs are often installed by someone with high level access, such as a sysadmin. Such a person can wreak havoc by setting these codes on multiple systems and programming them to “explode” simultaneously when a certain event occurs. For example, they could trigger when a certain employee is removed from the salary database, ie when he is fired.
The term slag code refers to manipulated code that makes an otherwise safe program malicious. The logic bomb time versions are the most common ones and use the passage of a certain amount of time as a positive condition.
Whatever the name used, the method of attack is clearly the same: the code remains dormant in the infected software until it is triggered . Common attacks involve data corruption, file deletion and hard drive wiping .
How does it work
How a logic bomb works depends on who designed it. Each logic bomb is unique, which is why they are difficult to track . They are usually customized to be as undetectable as possible. They are often disguised to look like a typical computer virus or embedded in other types of malware such as worms . Worms and viruses are different, but logic bombs don’t care about the distinction – they can cause damage through both.
Is a logic bomb actually malware? Since they are part of other programs, no, but they usually have malicious intent. This is why slag codes are so difficult to detect. Furthermore, being “only” code, potentially insertable anywhere, mitigating the risk is more complicated.
The best thing to do, as an end user who might be involved in a logic bomb attack, is to keep an eye out and ask your company’s IT experts to do the necessary checks if in doubt. The risk is to unintentionally trigger the bomb trying to find it.
Examples of attacks
Logic bombs can subtly change a snippet of code so that it appears technically normal to an automated threat detection system, while it would appear highly suspicious to the human eye. In 2016, a freelance programmer voluntarily caused a recurring spreadsheet malfunction at a subsidiary of the Siemens company. The subsidiary continued to hire him to solve the problem he had caused himself (Source). In this case, the employees did not suspect anything until a lucky coincidence forced the malicious code to come out.
Even companies can use logic bombs to hack their customers . In 2005, Sony was embroiled in a scandal for releasing CDs that triggered a logic bomb when inserted into a computer. The slag code contained on the CDs installed a rootkit that blocked the PC’s ability to copy CDs. (Source)
Another high-profile case occurred in the early 2000s, when a UBS Global employee, angered by a salary dispute, planted a logic bomb that caused more than $ 3 million worth of damage . A clear sign that a very small code snippet can cause a great deal of damage. (Source)
In 2013, a time bomb attack in South Korea wiped out the hard drives of several banks and broadcasting companies. The group responsible for the attack put the time bomb inside a piece of malware that ended up infecting over 32,000 systems . The bombs all exploded together, causing chaos across the country. (Source)
Where did they come from and how to prevent logic bombs
As we have also seen in the examples, logic bombs are typically distributed within a closed network, such as that of a company or branch. One of the likely sources is a disgruntled employee with administrator access , so careful monitoring of staff outbound activities should reveal any suspicious activity . But that’s not all, logic bombs can also be placed in email attachments and suspicious file downloads , so users should be vigilant when choosing which files to download.
As we saw when we talked about phishing and social engineering , the most hackable part of a system are often the users. This is why a preventive campaign is always an excellent choice. Taking care of the staff also means offering specific training through ethical phishing services.
In addition to prevention, it’s good to limit administrative privileges to a select group of employees so that someone is less likely to cause serious damage to your network with a logic bomb. This preventative method also reduces the number of suspects in the event of an attack, making belonging to that specific group of employees in itself a deterrent against internal attacks.
The solution proposed by SOD
Where prevention fails and hackers win, it is the ideal field for implementing advanced monitoring and analysis systems.
SOD offers, for example, a SIEM system in the SOC as a Service solution. The SIEM constantly collects information on what is happening in the network . This information is then enriched with contextual metadata to standardize and manage it better. Already this is capable of triggering alarms if some suspicious events occur. But if this were not enough, the SOC also has a “ User and Entity Behavior Analysis ” (UEBA) tool that analyzes user behavior and, thanks to the interaction of an AI, is able to identify suspicious behavior. .
If you want to know more about the SOC service we offer, or if you have any questions about how SOD can help you keep your business safe, don’t hesitate to contact us. We will be happy to answer any questions.
Estimated reading time: 4 minutes
ransomware gangs have been targeting businesses in recent times, demanding larger payments than they can extort from consumers. The plan was very successful. According to the new data, 70% of the attacked companies paid the ransom to get their data back. Avoiding ransomware is a necessity, these figures implicitly prove it. If such a large number of companies pay, it is because the risk is too great in terms of reputation and collateral economic losses.
Researchers from IBM Security’s X-Force interviewed executives of 600 companies of all sizes and found that organizations affected by ransomware choose to pay in most cases.
Data shows that 20% of compromised organizations paid ransoms of more than $ 40,000 and 25% paid between $ 20,000 and $ 40,000. These numbers are much higher than that. that consumers typically pay, which is usually around $ 500-1,000, depending on the variant of the ransomware.
When targeting businesses, hacking groups aim to paralyze organizations by encrypting financial data , customer databases, sales data and other vital information .
Avoid ransomware – the risks of attacks
In the past year, a number of organizations have been hit by severe ransomware attacks, including hospitals, universities and others. For example, the San Francisco Municipal Transportation Authority was hit by a ransomware attack during the weekend of Thanksgiving, a very important holiday in the US. The attack paralyzed desktops within the agency and forcing officials to shut down the automatic ticket machines. Needless to say, this attack resulted in a huge loss of assets and a ransom demand.
Getting malware into public organizations isn’t as difficult as you might think, and is often done with a single email .
In their attacks on networks, cybercriminals seek out the servers that keep the business running and encrypt critical assets rather than working on enterprise-wide endpoints.
The access point is usually a phishing email with a malicious attachment, sent to the mailbox of a employee . In most cases, the attachment is a Microsoft Office document asking the victim to enable macros . Clicking the macro enable button is often a trivial matter for those uninformed users who just want to get rid of the warning at the top of the document . The malware runs as soon as the user allows the macros to run. The ransomware can also arrive through any other attachment or through exploit kits which facilitate infection without any special action on your part.
The amount of money businesses have paid to get their data back shouldn’t come as a surprise considering the alternative. As is increasingly the case, the attack doesn’t just put key the data until payment of the requested amount. The threat continues with the release of data if you do not agree to pay a second ransom. In the end two ransoms will be paid and in any case there is no certainty that the data will not be disclosed. (It is said double extortion attack).
Many organizations keep these attacks under wraps to avoid public humiliation and loss of customer confidence . Data from the IBM survey shows that 29% of executives in large corporations would pay more than $ 50,000 to retrieve financial data.
Law enforcement, including the FBI, and security experts advise ransomware victims not to pay, for a variety of reasons. First, there is no guarantee for the attacker to deliver the decryption key. Second, the ransomware’s profits help fund other cybercrime operations.
How to defend yourself to avoid ransomware
Phishing remains one of the key methods by which a ransomware attack is attempted. With the recent increase in remote working, it is imperative to reiterate the importance of being careful when opening emails and attachments . If employees are suspicious of something, they should report it.
Organizations should also make sure they have a good patching strategy and apply the latest security updates . This prevents cybercriminals from taking advantage of known vulnerabilities to distribute malware.
Regularly updating backups should be a priority , because if the worst happens and your organization falls victim to a ransomware attack, your network can be restored without paying the ransom.
SOD provides solutions for the situations listed through the SOCaaS service. You can ensure the protection of a Security Operation Center without having to invest in its initial funding .
The system controls the actions of the computers connected to the network using an artificial intelligence. As soon as a suspicious, even legitimate, action is detected, the technicians are alerted who can investigate the nature of the fact . The new generation SIEM systems and behavioral analysis via UEBA , work together to offer 360 ° security.
SOD also provides intelligent anti-ransomware backup systems via Acronis Cyber Protect Cloud . With this tool at your side, business and customer data are safe. Any attack attempt is identified and mitigated immediately, meanwhile, thanks to dynamic backups, the data is immediately restored .
Avoiding ransomware can be relatively easy – just pay attention to every operation you perform on your computers. Unfortunately, sometimes this is not enough. This is the time when having invested in a quality safety system will make a difference.
For questions or requests do not hesitate to contact us, we will be happy to answer your questions and propose a solution tailored to your needs.
Ransomware commonly comes up with an email that tricks users into trusting a malicious file. Many of the most recent data breaches have been completed because a user has been the victim of such an attack in the previous period. Threats such as ransomware, which focus on user compromise, are causing more and more companies to adopt user and entity behavior analysis (UEBA) in their security operations center (SOC). The new functions of the SOC service, including long-term search, are oriented towards the increasing offer of additional tools for the optimal management of corporate security.
We continue to innovate our platform to increase the power of SOC in fighting ransomware and other threats. In our latest release, we have added even more machine-learning and context-aware detection capabilities that enable security analysts to tackle the most sophisticated attacks. Furthermore, the latest updates bring an ever greater ease of use for security architects.
Long-term search for the security analyst
The service introduces a number of innovations to reduce detection and response times for security analysts and threat seekers.
Improved detection of sophisticated threats
– Long-term search helps analysts discover hidden threats by providing a search capability on archived data. The search is scalable and does not affect SIEM performance.
– Analytics Sandbox helps break down false positives by providing an online QA environment to test and validate use cases.
– Persona-based threat chains detect advanced threats more accurately, including the dynamic relationship between users, hosts, IP addresses, and email addresses. Analysts benefit from greater visibility into the progression of an attack. This feature combines suspicious activity from a single user into a single priority alert, instead of separate and unrelated alerts.
– Relative Rarity offers analysts a broader context on how rare an event is compared to all other events in their environment.
– Viewing security alerts using the MITER ATT&CK Threat Framework helps analysts prioritize risk and reduce response times.
Reduction of response times
– Improved case management allows for better management, sharing and investigation of alarms, allowing operators to respond more quickly.
– New EDR integrations improve incident response by providing additional endpoint data from CarbonBlack Defense, Tanium, Symantec DLP and others.
– Better search views improve the analyst experience by reducing detection and response times. They help analysts easily identify compromised accounts, data exfiltration, and associated hotspots.
Why long-term search is so important
With a global dwell time of around 60 days on average, threat hunting continues to be an important part of cybersecurity resilience. However, searching through the data history usually takes a long time.
Many vendors are unable to dynamically scale a quick search through archived data without significant effort. The latest features of our SOCaaS provide this possibility for threat hunters with long-term search on an almost unlimited scale. With long-term research, organizations can reduce the time it takes to investigate and find threats that are already in their environment.
Analysts need to continually query the data to see if there are new threats. For example, an analyst might learn from a trusted source that their industry has been targeted. At this point we need to investigate a new indicator of compromise that has just been discovered to verify if an attacker is already inside.
Through long-term search, SOD’s native SOCaaS SIEM allows threat hunters to be proactive, making historical data research fast and convenient.
By introducing new technologies into our SOC service, we are offering more and more security for our customers.
We take care of your data by verifying not only that it is not safe now, but also that it has not been breached in the past. In case we suspect a new threat, we know how to spot it.
If you have any questions, contact us, we will be happy to answer all your questions.
Classic cyber threat defense tools and systems are rapidly becoming obsolete, and there are ways to overcome them. What remains confidently common among cyber criminals attempting an attack is the intent of the attack itself. Indeed, knowing that there are systems capable of detecting indicators of compromise (IOC), it is natural that competent hackers will try not to leave traces traceable to standards. User and Entity Behavior Analysis (UEBA) offers a more comprehensive way to make sure your business has world-class IT security. At the same time, it helps detect users and entities that could compromise the entire system.
A definition of User Entity Behavior Analytics
User and Entity Behavior Analysis or UEBA, is a type of cybersecurity process that takes note of standard user behavior. In turn, the system detects any abnormal behavior or cases where there are deviations from the “normal” patterns mentioned above. For example, if a particular user regularly downloads 10MB of files every day, and suddenly downloads 1GB, the system would be able to detect this anomaly and immediately alert operators. The behavior may be legitimate, but it’s worth checking out.
The UEBA system uses machine learning, algorithms and statistical analysis to know when there is a deviation from established patterns. Next, it shows which of these anomalies could result in a potential and real threat. Additionally, UEBA can aggregate report and log data, as well as analyze file, stream and packet information.
With a UEBA all users and entities of the system are tracked. In this way the system focuses on insider threats, such as dishonest employees, compromised ones and people who have access to the system and then carry out targeted attacks and fraud attempts, as well as the servers, applications and devices that work inside. of the system.
It is the unfortunate truth that today’s cybersecurity tools are rapidly becoming obsolete. Now the most skilled hackers and cyber criminals are able to bypass the perimeter defenses used by most companies. A few years ago you were sure if you had web gateways, firewalls, and intrusion prevention tools. This is no longer the case in the complex threat landscape, and is especially true for large companies that have proven to have very porous IT perimeters that are also very difficult to manage and supervise.
The key point? Preventive measures are no longer sufficient. Firewalls will not be 100% infallible and attackers will enter the system at one point or another. That’s why detection is just as important: when hackers successfully enter your system, then you need to be able to quickly detect their presence to minimize damage.
How does it work?
The premise of the system is actually very simple. You can easily steal an employee’s username and password, but it is much more difficult to mimic the person’s normal behavior once inside the network.
For example, let’s say you manage to steal John Smith’s password and username. However, it is almost impossible to act exactly like Mario Rossi once inside the system, unless extensive research and preparation is also done in this direction. Therefore, when Mario’s username is logged into the system and his behavior is different than typical, that’s when the UEBA alarms start ringing.
Another related analogy would be the theft of a credit card. A thief can steal your wallet and go to a luxury store and start spending thousands of dollars. But, if the spending pattern on that card is different from that of the thief, the fraud detection department will recognize the anomalous expenses and block suspicious purchases, either by sending you an alert or asking you to verify the authenticity of a transaction. .
What can UEBA do?
UEBA is a very important component of modern IT security and allows you to:
1. Detect insider threats: It is not too far fetched to imagine that an employee, or perhaps a group of employees, could disobey, steal data and information using their login. UEBA can help you detect data breaches, sabotage, abuse of privileges and policy violations by staff.
2. Detect Compromised Accounts: Sometimes, user accounts are compromised. It could be that the user has unintentionally installed malware on his machine, or that sometimes a legitimate account has been forged. UEBA can help eliminate compromised users before they can do any damage.
3. Detect Brute Force Attacks: Hackers sometimes target cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute force attack attempts, allowing you to block access to these entities.
4. Detect permission changes and super user creation: Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or if there are accounts that have been granted unnecessary permissions.
5. Detect Secure Data Breach: If you have secured data, it’s not enough to keep it safe. Know when a user accesses this data if they have no legitimate business reason for doing so.
UEBA and SIEM
Security Information and Event Management, or SIEM, is the use of a complex set of tools and technologies that provides a complete view of the security of your IT system. It leverages event data and information, allowing you to see normal patterns and trends, and to warn of anomalies. UEBA works the same way, only it uses information on user (and entity) behavior to verify what is normal and what is not.
SIEM, however, is based on rules, and competent hackers can easily circumvent or evade these rules. Furthermore, the SIEM rules are designed to immediately detect threats that occur in real time, while the most advanced attacks are usually carried out over months or years. The UEBA, on the other hand, is not based on rules. Instead, it uses risk scoring techniques and advanced algorithms that allow it to detect anomalies over time.
One of the best practices for cybersecurity is to use both SIEM and UEBA to have better security and detection capabilities.
How a UEBA should be used
UEBA was born out of the need to identify the harmful behavior of users and other entities. UEBA tools and processes are not intended to replace legacy monitoring systems, but should instead be used to complement them and improve a company’s overall security. Another great practice is to take advantage of the storage and calculation capabilities of big data, using machine learning and statistical analysis to avoid receiving an avalanche of unnecessary alarms and being overwhelmed by the large volume of data. generated.
UEBA uses machine learning and algorithms to strengthen security by monitoring users and other entities, detecting anomalies in behavior patterns that could be indicative of a threat. By taking a proactive approach to security and gaining greater visibility into user and entity behavior, today’s businesses are able to build stronger security systems and more effectively mitigate threats and prevent breaches.
Estimated reading time: 6 minutes L'impatto crescente delle minacce informatiche, su sistemi operativi privati op… https://t.co/FimxTS4o9G
Estimated reading time: 6 minutes The growing impact of cyber threats, on private or corporate operating systems… https://t.co/y6G6RYA9n1
Tempo di lettura stimato: 6 minuti Today we are talking about the CTI update of our services. Data security is… https://t.co/YAZkn7iFqa
Estimated reading time: 6 minutes Il tema della sicurezza delle informazioni è di grande attualità in questo peri… https://t.co/tfve5Kzr09
Estimated reading time: 6 minutes The issue of information security is very topical in this historical period ch… https://t.co/TP8gvdRcrF