Google Drive Abused in Malware

Even the programing language, golang, created by Google and used by Dropbox and Sendspace have been seeing Malware exploits since 2012. The Malware checks personal folders and uploads documents with common file extension. This allows the use of refresh tokens to bypass the storage service authentication process. This is especially useful information. This activity generally is found during the Reconnaissance steps.

Barrier1 would catch this process through the file structures, the files mobility, and lack of authentication process. All would have specific attributes that would be added to the dbase and thus would be remembered when the official cyber-attack takes place.

Barrier1 -Intelligent Threat Management platform has a Key element, it Learns and Remembers.

DNS is an Intregal part of a Breach

DNS plays a major role in network traffic. So, if one could possibly take control or change DNS, would be a major step in a cyber breach. That is what a DNS Changer does. Some are considered a Trojan due to their ability to hide and yet they are part of an overall scheme of Malware.

DNS changer modifies setting without user knowledge nor with consent. Once modified, they direct you to a compromised DNS server or service. That usually is in a foreign country. Without sensors to notify and with the worldwide speed of internet connections, you would never know. That is, without a continuous eye on the logs 24×7. Even by that time it would be too late. So, traffic is redirected without knowledge. Very similar to man-in-the-middle.

Now that DNS redirection has occurred, Trojans are dropped on to the system via Malware. Once installed, they simply modify DSN setting, force request on to criminal operated DNS servers, replace logs, and controls and redirects network traffic.

Barrier1 via sensors will detect 1. DNS setting changes, and 2. DNS traffic to Unusual or Non authorized locations. Then if in automatic mode, Barrier1 would block and then alert.

APT’s methods are the same as a Classic Intelligence Cycle

APT’s really have been around since the 1990′s and early 2000′s. They were originally found on government networks. Now the succssfull process has found its way outside of the government.

The process of APT’s is the same as used by Classic Intelligence Cycle.
- Recon
- Planning and Direction
- Collection
- Processing
- Analysis and Production
- Dissemination

That is the Barrier1 process.
Barrier1 identifies and stops APT’s in real time.

Barrier1 protects against Poodle

Reports are out that SSL has a vulnerability now being known as “Poodle”. This vulerability begins with SSL 3.0 or older versions. However, even though SSL-VPN was upgraded to TLS, TLS is still vulenrable. The key is that a hacker must intercept the traffic. Thus, a man-in-the-middle is used. The interception of traffic forces an error. The next natural reaction is to attempt to connect with a downgraded version of SSL. So, TLS which was meant to improve the security of SSL now downgrades itself to ensure a connection by using SSL. The end result is a breach.

Barrier1 would identify the man-in-the-middle and the change of going from TLS to SSL. If the customer does not want SSL 3.0 Barrier1 would identify the hand shake of TLS and stop/block the connection.

Why would anyone allow SSH Traffic from China through?

Why would anyone allow SSH Traffic from China through and head to downstream agencies? There is no good answer. Beware that larger entities that claim to be looking out for your interest might not be.

Correlation is NOT Analytics

Moving into the world of data and using data to determine and or make decisions needs to be an understood. The attributes, technology needed, and the roles they play all play key roles and must be understood by the security staff. This is key for the design criteria of being more Effective, Accurate, Faster, and Affordable.

In Big Data, as defined by Wkikipedia, correlation is a broad class of statistical relationships involving dependence. It is a tool for Anlytics. It is a start towards analytics but not the end game. Correlation will NOT deliver the predictive outcome. It proves just an insight.

SSDP and UPnP DDOS attacks have something in common

During the last several months we have been reporting on and seeing reports of DDOS attacks using Universal Plug and Play. The real part of the UPnP that is now being used on its own is a protocol called SSDP or simple service discovery protocol. SSDP was designed in the 1990′s as a way for client’s software to work with PC’s, servers, and services using port 1900 or 5000. It is still being used today in Windows 8.

Barrier1 utilizes all known protocols associated with networking. By known the “correct” behaviour and on board Analytics, Barrier1 can identify and block the never before seen events that can be an attack.

Intelligence Threat Mgmt. vs Context Data

The goal of any system is to be more Effective and Accurate. In the world of polymorphic events or simply stated, events that change rapidly, it requires a cordinated approach to analytics.

Context Data is the correlation of events.

Intelligence Threat Mgmt. is understanding complex events and how they interact and relate. It is the ability to adapte to a changing set of events, continous learning, reasoning and overcoming obsticles.

What is Automated Threat Management?

After many of the large breaches like Target, Home Depot, Dairy Queen, and etc. point out that Cyber Security will have to be automated. Protection from Cyber Threats and breaches have become too fast and too interwoven that humans can no longer be Effective, Accurate, and Fast. Users want an internet experience that delivers continuous and uninterrupted connections so a system has to keep up. Automation is putting the pieces together and making a decision to allow or block. Intelligent adds to the Effectiveness and Accuracy of the decision.

Shellshock and DDOS are teaming up

The last several years, Barrier1 has been stating that Cyber Attacks are now a process. Here is another recent example. Hackers have team up Shellshock and DDOS. The component used in this collaboration are not new. The uses and position in the process are new. A shellshock file has in its payload the ability to launch a DDOS. “Kaiten” malware is an old IRC controlled DDOS. In addition this combination has added advanced detection capabilities. What is old is now new.