What are the benefits of partnering with an MSSP for your cyber security requirements?
In Information Technology our businesses are often very project driven: “We need a new endpoint solution”, “We need to look at life-cycling our wireless”, “Our company needs a risk management platform”. In cyber security, this approach often leads to our clients ‘not knowing what they don’t know’. What they mean by this is that they rarely get the opportunity to take a step back and look at their cyber security in a holistic way (the people, processes and technology that make up security for them), and map themselves against common security frameworks to know where they’re strong and where they may need to improve.
To help our clients better equip themselves to respond to this issue, we’ve released version 2.0 of the Cythera Security Platform, the cornerstone of which is a cyber security health assessment.
The cyber security health assessment can be self-run, or run by a Cythera team member alongside your IT team. The health assessment is administered as a question-and-answer questionnaire, the results of which feed a risk rating and map your strengths and weaknesses against the NIST security framework, as well as the ASD Essential 8. This allows IT teams to understand where they are performing well, and which areas of their security people, processes or technology they may need to focus on.
The assessment, which is free to use, can be run at regular intervals or once a year to compare to previous assessments, and ensure you’re improving in areas of focus. After the assessment is run, you can then access our business toolkit, which provides recommended solutions in areas you want to drill down on, including the full suite of Cythera’s Protection Platform and associated offerings, allowing you to move towards an improved security posture across your business.
Our updated Security Platform also gives you access to ready-to-edit cyber policy templates and checklists, and allows you to easily enable phishing simulations and cyber awareness training for staff; items that are often lacking from Australian businesses’ security programs.
Access your own cyber security health assessment, get started today for FREE at https://aware.cythera.com.au/free/
Part 2 : Landmark White Breach
The risk to your business in a cyber attack isn’t limited to remediation activities or solely to brand damage. It’s now often linked to a loss of trust with trading partners (with knock on revenue impacts), a breakdown of corporate culture which can lead to staff attrition and a real likelihood that your business will become insolvent. In Part 1 of this article, I gave the example of a real Australian business, Landmark White. Today Landmark White are battling through the impacts of multiple IT data breaches within their property valuation business in late 2018 and 2019.
Common Drivers To a Bad Outcome
The biggest drivers we see in organisations that lead to cyber related incidents and IT data breaches are:
A lack of cyber awareness across the organisation
Insufficient proactive security posture management
Limited security visibility within an organisation
Poorly deployed, or not fit for task protection technologies
A culture of “it won’t happen to us”
We’ve all heard the horror stories of social engineering or phishing emails that compromise the least IT-literate members of your staff and leverage these to launch attacks against businesses. But cyber security is everyone’s responsibility, much in the same way physical security is the responsibility of all staff in a building. An active and ongoing cyber awareness program is critical in businesses of all shapes and sizes; it needs to be reinforced by (and from) the leadership in the organisation as a high priority and as something everyone should be measured against.
Security Posture Management
Are you scanning your environment daily for vulnerabilities and are you on top of your patching and maintenance of applications, services and infrastructure? This is a crucial function within your business that isn’t just limited to penetration testing (though that is important) but about total lifecycle management and hygiene for all components in your IT stack, including third party providers if you use them.
Use frameworks like the ASD Essential 8 as a starting point to guide risk management activities, but don’t be afraid to cherry-pick the best of NIST or CIS to get something that is right-sized for your business too. These frameworks should be seen as starting points, not shopping lists for compliance and risk needs that fit every business.
Many organisations collect logs and run a series of disparate systems to gain insights into their business’s IT function. In our time we have seen a litany of SIEM solutions gathering dust in a corner, ineffective at delivering any insights, let alone preventing an attack. The traditional SOC / SIEM approach is rapidly being overtaken by an integrated Managed Detection and Response (MDR) approach that couples SOC-as-a-Service and SIEM functionality with User and Entity Behaviour Analytics (UEBA), threat hunting and incident response capabilities as a turnkey outcome.
Can your organisation justify 24x7 “eyes on glass” to monitor your security environment and provide you the visibility that you need to detect threats in near real time? It’s often a collaborative approach with a managed service provider partner that makes the most financial sense for organisations.
Inappropriate Protection Controls
I can’t tell you how many customers we still see that run legacy AV technologies and stateful inspection firewalls and think that they are protected from cyber threats. What worked well in 2001 isn’t fit for purpose today. Many attacks sail on through email or are enabled through legacy technologies like DNS; a dedicated attacker will use any and all tricks in their inventory to get past your defences.
Building a layered security approach with next generation technologies that interoperate nicely together is critical. Technologies like Deep Learning are providing unique mechanisms to block signatureless malware, and solutions like Endpoint Detection & Response (EDR) are helping detect and stop attacks in their tracks through global-scale intelligence sharing and endpoint-integrated protection stacks. Cloud Access Security Broker (CASB) solutions let you gain visibility and an ability to enforce cloud data policy no matter where you store your data or manage your workloads. Look long and hard at your IT stack, leverage what is available today and don’t be afraid to turn off what you used yesterday.
A culture change
If you think a cyber attack won’t happen to you, you may be right, but I’d wager it will only be a matter of time (if it hasn’t happened already). Our job isn’t to scare people into taking this stuff seriously, it is about helping prepare and protect our customers for the inevitable.
If you think you’re ready to start looking hard at your business and its readiness for a cyber attack, please reach out to us at Cythera. We love helping our customers protect themselves and their customers and we have solutions that fit businesses of all sizes. From our monthly subscription bundles, our professional services, to our turnkey Managed Detection & Response platform, we have a wide range of offerings to fit your business needs.
Let’s help you get started today.
Part 1: An Australian Example
Often, when we are presenting the state of the cyber security landscape and the risks that unprepared customers expose themselves and their businesses to, we get a real sense that customers nod but don’t really appreciate the gravity of the reality. Seeing statistics on a page and bridging that to a scenario that they can wrap their heads around and relate to their business is hard. Too regularly we have to see a customer being impacted themselves before they realise the magnitude of the danger to their business and their staff that a cyber attack brings.
To help bring home an actual example of a cyber attack on an Australian business which has had significant brand damage, broken trust with upstream providers and customers and created a demonstrable financial impact to their business, you don’t have to look much further than Landmark White.
By now, many of you should be aware of the difficulties facing Landmark White (LMW), one of Australia’s leading independent property valuation organisations. These difficulties have built over the past year, precipitated by a breach leaking customer valuation records that left about 37,500 unique valuation records and 1680 supporting documents sitting openly on the Dark Web in early 2019.
Despite being contacted anonymously through live chat and through the corporate Twitter account, LMW were slow to respond to initial notifications of the breach, with their Twitter channel unmanned over the Christmas holiday period. After a further email notification from the Australian Cyber Security Centre about a vulnerability in an exposed programming interface on their platforms, LMW claim to have closed the vulnerability by January 23rd.
After this breach and subsequent notification of same, LMW stopped trading on the ASX in February 2019. As a result of the incident and the publicity that it received, LMW was “suspended from receiving work from a significant number of clients which is impacting our revenues, profitability and cashflows," company secretary and CFO John Wise wrote in a letter to the ASX.
A second breach involved documents posted to SCRIBD that “mostly comprised PDF valuation documents and other operationally related commercial documents”. LMW believe this incident was an act of corporate sabotage, potentially internal in origin. This breach was followed a fortnight later by an exodus of staff from the Sydney franchise business. Heading into a trading halt again following this secondary breach, LMW’s market capitalisation more than halved, from $39 million at the close of 2018 to $15.3 million when shares were suspended in June 2019.
There has been much speculation that LMW directors are seeking an exit for the business with leaked emails from the acting Chief Executive Tim Rabbitt stating they “have to consider alternative options for the business including the potential sale of the whole or parts of the business”.
This is an absolutely horrific scenario and I’m sure there are many people within LMW today who would love to be able to roll back the tape and make some different decisions on how they prepared their business and their cyber security approach.
In part 2 of this article, I will spend some time discussing the biggest drivers we see related to cyber security incidents and outline some suggestions on how you might position your business to best defend itself from the potential of a cyber attack.
Last month a cross-platform assistant for creating malicious MS Office documents, named EvilClippy, was released.
It allows an attacker to hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools.
Attackers can now hide malicious code from anti-virus and macro analysis tools by leveraging undocumented features of the way macros are stored within an Office file.
Macros are stored in the Compound File Binary Format (CFBF), and EvilClippy uses a technique known as VBA Stomping to replace the compiled version of the macros with something malicious.
According to the creators of the tool it allows attackers to bypass all anti-virus solutions, however it’s worth noting that Deep Instinct’s VBA and Office deep learning models available since November last year prevent all threats produced using EvilClippy without requiring an update or cloud lookup. Anti-virus vendors cannot detect threats created with this tool statically and must update detection hash by hash (reactively) as samples are submitted by customers.
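The module stream that stomping tampers with carries two copies of each macro: the compiled p-code cache that Office executes and the compressed source that most analysis tools read. The triage script below, added here as an illustration (it is not EvilClippy's code nor Cythera's), decompresses that source exactly as MS-OVBA section 2.4.1 defines it and flags a module whose readable source declares no procedure while a sizeable p-code cache is present. The MODULEOFFSET split, the 512-byte threshold, the literal-only encoder and the two sample module streams are constructed assumptions for the demonstration.

```python
"""Added triage example: decompress a VBA module's source (MS-OVBA 2.4.1) and
compare it with the size of the compiled p-code cache that Office executes."""
import re
import struct


def decompress(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer, the encoding used for the
    CompressedSourceCode part of a VBA module stream inside the CFBF file."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3            # includes the 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(len(container), pos + chunk_size)
        compressed = (header >> 15) & 1
        pos += 2
        chunk_start = len(out)                         # DecompressedChunkStart
        if not compressed:                             # raw 4096-byte chunk
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = container[pos]                     # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:             # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # The offset/length split of a copy token depends on how much
                # of the current chunk has already been decompressed.
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = ((token & (0xFFFF ^ length_mask)) >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):                # copies may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress_literals(data: bytes) -> bytes:
    """Minimal encoder (literal tokens only) used to build sample input; a real
    encoder would also emit copy tokens. Each chunk stays within 4096 bytes."""
    container = bytearray(b"\x01")
    for i in range(0, len(data), 3640):
        part = data[i:i + 3640]
        chunk = bytearray()
        for j in range(0, len(part), 8):
            chunk.append(0x00)                         # eight literal tokens follow
            chunk += part[j:j + 8]
        container += struct.pack("<H", 0xB000 | (len(chunk) - 1)) + chunk
    return bytes(container)


PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?"
                     r"(?:Sub|Function|Property)\b", re.M | re.I)
PCODE_CACHE_THRESHOLD = 512   # assumed tunable, not a documented constant


def assess_module(stream: bytes, module_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET (taken from the dir stream):
    p-code cache before it, compressed source after it. A module with a
    sizeable p-code cache but no procedure in its readable source is a
    classic stomping indicator; stomped files that keep a plausible fake
    source need p-code decompilation, which this heuristic does not do."""
    pcode_cache = stream[:module_offset]
    source = decompress(stream[module_offset:]).decode("latin-1")
    has_procedure = PROC_RE.search(source) is not None
    return {
        "pcode_bytes": len(pcode_cache),
        "source_lines": sum(1 for line in source.splitlines() if line.strip()),
        "has_procedure": has_procedure,
        "suspicious": not has_procedure and len(pcode_cache) >= PCODE_CACHE_THRESHOLD,
    }


def sample_streams():
    """Two constructed module streams (filler bytes stand in for real p-code)."""
    benign_src = (b'Attribute VB_Name = "Module1"\r\n'
                  b'Sub AutoOpen()\r\n    MsgBox "hello"\r\nEnd Sub\r\n')
    stomped_src = b'Attribute VB_Name = "Module1"\r\n'   # code lives only in p-code
    benign = b"\x00" * 256 + compress_literals(benign_src)
    stomped = b"\x00" * 2048 + compress_literals(stomped_src)
    return (benign, 256), (stomped, 2048)
```

Feeding it a real document means locating the module stream and its MODULEOFFSET inside the CFBF container first, which this example leaves to an OLE parser.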
Certainly the name of the tool is a tongue-in-cheek play on the name of the old Office 97 assistant, Clippy, which proved universally unpopular with most users.
Recent In the Wild Office/macros threats
Below is a list of hashes of malicious Office documents we have prevented at customer sites.
These include threats created using EvilClippy and Word and Excel droppers used in a number of campaigns, including Emotet, Fareit, Lazarus, LockerGoga and Alcaul.
All were prevented statically with Deep Instinct’s November 2018 model.
Shift from Web based vulnerabilities to Office vulnerabilities
Data published by researchers from Kaspersky illustrates the pivot from browser-based attacks to Office document attacks, which is an interesting trend.
FlawedAmmyy Remote Access Trojan being dropped by Excel macros – Microsoft Security advise ‘DisableMacros’
This last week we are seeing another successful campaign that uses Excel macros and digitally signed files to deliver a remote access Trojan. Microsoft’s security team’s only advice remains to ‘disable macros’.
Cythera’s managed Protection Bundles are designed from the ground up to help your business meet emerging threats such as these, and provide you with ongoing outcome based security.
We help a lot of Australian businesses out with security incidents, as well as recovering from hacks and breaches. Many of them can be attributed back to human error or poor security hygiene. I thought I would share some of my top tips to help you avoid a costly hack, or brand damaging breach.
Patch Patch Patch
This is an easy one. Operating system vendors don’t just release patches for new features, they’re also patching security vulnerabilities regularly. Keep desktops and laptops up to date and enable automatic updates wherever possible. Apply the same thinking to critical applications such as Microsoft Office (vulnerabilities in Microsoft Office have risen 121 percent over the last 6 years) to keep ahead of problems.
Enable Two Factor
Many successful cyber security incidents start with an account being stolen or ‘phished’. One way to help stop these attacks being escalated is to have a second factor of authentication beyond just your username and password. This means that even if an account is stolen, the attacker will have a difficult time satisfying the second factor, which may be a token or an application that runs on a user’s smartphone. Two factor can be enabled selectively, such as when a user is outside your corporate network. Some 2FA vendors to consider are Authy https://authy.com/ and Okta https://www.okta.com/ .
Bake security into your culture and people
Cyber security is not just about technology and processes, it’s also about your people and the way they go about their day-to-day business. As a successful cyber attack can shut down your business or irrevocably damage your brand, it’s key that management and executives set a good example, as this attitude then flows throughout the organisation. Ongoing cyber awareness training to make staff more conscious of potentially malicious behaviour will improve the cyber hygiene of your business, with more mature organisations now also including cyber security training in staff onboarding.
Accounts that are stolen or included in breaches often end up being sold on the dark web for use in other attacks. There are resources available for you to check if key staff accounts have been included in previous breaches. https://haveibeenpwned.com/ allows you to search for staff email accounts, and any that are discovered should have their passwords reset and, ideally, two factor authentication enabled.
Have a plan
There’s a common theme with many of the companies we assist with security incidents: they didn’t plan for one. They often have a health and safety plan, and even a terrorism plan! This doesn’t need to be War and Peace, and can be a single pager on roles and responsibilities, as well as who to contact, including any cyber security partners you work with to assist in responding to incidents. If you have any regulatory bodies or government agencies you liaise with, make sure to include any reporting that may need to take place here. The Australian Office of the Information Commissioner has a good guide on data breach plans. Make sure you’re also familiar with the Notifiable Data Breach Scheme.
Engage a security partner
There’s lots of talk about the increasing skills shortage in cyber security. And let’s face it, cyber security is probably not part of your core business, so you’re constantly going to be playing catch-up with a rapidly changing landscape. By partnering with a cyber security specialist you’re also subscribing to the ongoing skills and herd intelligence to help you plan and protect your business and brand from being the next headline. Just make sure they’re a specialist and not someone who’s also trying to sell you phone systems and printers.
Australia’s emerging enterprises are facing the same security risks and suffering the same incidents as the big end of town, but with much less capability to respond and protect themselves in a rapidly changing space. By baking security into your business’s DNA, and partnering with strategic cyber security specialists, you’re setting yourself up for success.
Businesses with multiple locations have been stringently handcuffed to costly, complex private networks such as MPLS for years. It’s been an unavoidable cost and it’s compounded if you operate in isolated areas throughout Australia.
Even though MPLS is costly, it’s been extremely effective at securely transporting data around the world for decades. MPLS acts like a private toll road which ensures your information can travel securely from point A to B without crossing paths with anyone else’s information. On the downside, even though it’s a private road, MPLS can still get congested and there are speed limits in place to stop you going too fast. Businesses can increase the speed limit and add more lanes to the tollway but this simply pushes up the price.
Regardless, MPLS is fast becoming obsolete. Many businesses are now utilising cloud applications like Office 365, Salesforce and thousands of other cloud-delivered applications which can be accessed from any location using an internet connection. This has enabled employers to offer flexible working arrangements because employees can now access these applications from home or remote locations without an MPLS connection.
There are security risks with this approach as hackers can get between users and unprotected internet connections with a well targeted attack. This is one of the reasons why businesses have been unwilling to completely remove MPLS or private networks when utilising cloud applications.
Another reason is because the internet can’t provide guarantees around speed or availability. In other words, businesses are hesitant to push all corporate traffic including voice and video solely over an unmanaged internet connection.
So where does this leave us?
Well, some businesses run a combination of networks including MPLS and Internet. Certain applications are delivered over the internet using VPN overlays, and others still use MPLS. This approach works, but it’s obviously tricky – especially when managing a sprawling application set and a conga line of security devices spanning data centres operated by your business and third parties. Businesses also need to establish separate security policies for all the networks they operate.
Cythera has a different approach which allows businesses to completely remove MPLS. It’s called Secure Network Fabric and utilises technology from Cato Networks. Secure Network Fabric utilises intelligent SD-WAN controllers and a carrier-grade backhaul network with points of presence across Australia and extending around the world to securely route application traffic. All you need is an internet connection. Secure Network Fabric includes a fully integrated, cloud-delivered security stack including Next Generation Firewall (NGFW), Intrusion Prevention System (IPS) and detailed reporting to monitor performance and user behaviour. Secure Network Fabric is also optimised for voice and video and includes support for desktop and mobile users.
The Cythera Secure Network Fabric removes the need for expensive, complicated MPLS networks whilst delivering enterprise-grade, unified security controls and granular network visibility.
To find out more - visit https://www.cythera.com.au/secure-network-fabric
Buying IT security can be a complicated process.
Today, there are literally thousands of security vendors who all claim to have the latest and most secure security product on the planet to help defend your business from cyber attack. But which ones do you pick?
Businesses must work with technology partners, vendors and industry peers to make the best security technology decisions, but this takes time, money and plenty of people from all areas of your business. To compound this problem, businesses are confronted with countless industry terms, buzzwords and acronyms that make decision making even more complicated. Do you need a SIEM, EDR, MDR, EPP, NGAV, CASB, SOC, DLP or maybe even UBA? What’s more, security solutions can often be in search of a problem which may not exist in your business, but because of slick, fear-based selling tactics businesses can make poor security technology investments which don’t solve the most critical problems.
Businesses also face confusing information from technology partners and vendors who can claim they work in unison with other technology vendors under consideration. However, when you scratch the surface they don’t work in unison or can’t easily be integrated into a single cohesive solution.
Finally, businesses are now regularly seeking consumption-based procurement options for security technology. Options include per user pricing, monthly payment plans and annuity-based cloud licensing which avoids infrastructure obsolescence. Many of these options have been available for years with other IT solutions but for some reason security has lagged. As such, businesses are stuck with large, up-front capital investments which are infrastructure heavy and may struggle to defend against new and emerging threats for the duration of the designated investment period.
To help address these problems, the team from Cythera developed the Cythera Security Platform - Protection Bundles. The bundles utilise a combination of class-leading managed security technology to defend against common and advanced security threats. The bundles are cloud delivered, easy to set up and billed on a monthly basis, per user. No longer do businesses need to complete complex, time consuming market assessments, technology testing and procurement processes. Cythera has already scoured the market for the best security technology, rigorously tested it in a production environment and developed an easy-to-consume, subscription based commercial model with low upfront costs.
Cythera has developed a platform which helps business save time, money and important resources while improving the security posture for the life of the subscription service.
For more information or pricing visit https://www.cythera.com.au/protection-bundles
This week, while on-boarding a new customer, before we could even start we needed to help them recover from a compromise they had suffered before coming to us.
A user had suffered a phishing attack and had their Office365 email credentials stolen. Email phishing is the act of sending emails purporting to be an entity (such as Google) or an individual (such as your CEO), often using a crafted email with graphics and text from legitimate emails included to fool users into entering login information or opening an attachment. The attacker can then use the stolen credentials to gain access to your organisation, or use malware the user clicks on to gain a control channel into your environment.
In this case, the malicious actor had utilised a common method to compromise a business: they had taken control of the email account of a trusted business partner, and had then sent our client an email with a Dropbox link purporting to contain a legitimate-looking business proposal.
This method is highly successful because when we receive an email from a known or trusted user, we tend to bypass our usual scepticism and control when it comes to clicking links or opening files. In this case, our client actually replied to the email and asked if it was legitimate. He got a reply: ‘Yes it is, I need you to respond to it urgently’. As the business partner’s email had been compromised, the hacker could reply themselves in an attempt to validate the email. The client then opened the file, which prompted him to log in to Office365 to access the file, and his credentials were then stolen.
So how can we better protect ourselves from these sorts of problems? Email filtering won’t always help here, as the emails are actually coming from a seemingly legitimate user. But secure DNS and web filtering (such as what we deliver with the DNSProtect and WebProtect portions of our protect platform) would have helped prevent the user from entering their details into a phishing site by blocking the phishing page from displaying in the client’s browser. Not reusing passwords across accounts is another good practice to limit your exposure to any compromise should it take place. Additionally, if the Dropbox link had instead contained malware, ransomware or a remote access tool (commonly called a RAT by security operators), an endpoint protection agent such as MalwareProtect and EndpointProtect would keep you safe.