JP Morgan announced this week that they were hacked. What common themes have we heard and seen before?
1. Attacks were done over a period of time. Slow, low, and not flashy.
2. Recon discovered vulnerabilities.
3. Once inside, they were able to move horizontally.
4. Getting the information out went via CnC, then was directed to multiple servers in multiple countries, which then sent it on to Russia. The CnC connections also changed in terms of methods, i.e. destination address, ports, P2P, etc.
How to stop it?
1. Learn from and remember the recon. During recon they are just figuring out thresholds, cadence, etc. Everyone probably blocked it but did NOT remember or learn from it.
2. Understand what normal behavior is for your network. Horizontal movement is detectable and can be stopped. For example, is there any reason a marketing server would be sending out financial data or customer records, or even certain types of file formats?
3. The actual attacks will not come from the same IP address as the recon. But you can learn the relationships, or notice that the cadence has changed for no reason.
4. Zero-day code. Today's speeds do not allow for eyes on the screen alone. You will have to automate and be able to inspect, analyze, and react within microseconds.
That is Barrier1.
Barrier1 has now been tied into 3 SIEM platforms. They include Nitro, ArcSight, and Splunk. This combination brings the reporting depth of a SIEM and the real-time intelligence and reaction of Barrier1.
DDOS has changed since the days of 1 source address sending massive amounts of information to 1 address. The techniques developed to identify and stop this style of attack were threshold based. Even today the press releases shout out "48G DDOS attack". In addition, the attacks are not just targeting a computer. They are targeting connections within an application, i.e. Layer 7. These result in low bandwidth usage, high concurrent connection types of DDOS attacks. So the indicators used to detect attacks were threshold based, and individuals would first look to see if there was a spike in bandwidth usage. Those methods are no longer adequate and will not protect against today's DDOS attacks. Bots have changed it: lots of hosts sending small amounts of packets.
Now add the element of Mutation and rapid change.
Barrier1 and our Patent Pending approach identifies, analyzes, learns, and blocks within 12 microseconds.
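To make the point above concrete, here is an added example (not Barrier1 code) that runs a legacy bandwidth-spike detector and a per-service concurrent-connection detector over a constructed connection-table snapshot; the IP addresses, byte counts and thresholds are all illustrative.

```python
"""Why a bandwidth threshold misses a low-bandwidth, high-concurrent-connection
(Layer 7) DDOS. Each record is a constructed snapshot entry:
(src_ip, dst_ip, dst_port, bytes_sent_in_window)."""
from collections import defaultdict

# Constructed sample: 40 bots each hold one slow connection open to the web
# tier and send ~600 bytes; three real clients send normal-sized requests.
SAMPLE_FLOWS = [(f"203.0.113.{i}", "192.0.2.10", 443, 600) for i in range(1, 41)]
SAMPLE_FLOWS += [
    ("198.51.100.7", "192.0.2.10", 443, 48_000),
    ("198.51.100.8", "192.0.2.10", 443, 52_000),
    ("198.51.100.9", "192.0.2.20", 443, 9_000),
]

BANDWIDTH_THRESHOLD_BYTES = 1_000_000  # illustrative "spike" threshold
CONCURRENT_CONN_THRESHOLD = 25         # illustrative, per destination:port
DISTINCT_SRC_THRESHOLD = 20            # many hosts, few bytes each


def bandwidth_alerts(flows, threshold=BANDWIDTH_THRESHOLD_BYTES):
    """Classic volumetric detector: total bytes per destination in the window.
    Returns the destinations whose byte total exceeds the threshold."""
    totals = defaultdict(int)
    for _src, dst, _port, nbytes in flows:
        totals[dst] += nbytes
    return sorted(dst for dst, total in totals.items() if total > threshold)


def connection_alerts(flows, conn_threshold=CONCURRENT_CONN_THRESHOLD,
                      src_threshold=DISTINCT_SRC_THRESHOLD):
    """Layer 7 style detector: count concurrent connections and distinct
    sources per (destination, port). A service is flagged only when both are
    high, which is the 'lots of hosts, small amounts of traffic' pattern."""
    conns = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        conns[(dst, port)] += 1
        sources[(dst, port)].add(src)
    return sorted(
        key for key in conns
        if conns[key] > conn_threshold and len(sources[key]) > src_threshold
    )


if __name__ == "__main__":
    # The bandwidth detector stays silent (~124 KB total); the connection
    # detector flags 192.0.2.10:443 with 42 connections from 42 sources.
    print("bandwidth alerts:", bandwidth_alerts(SAMPLE_FLOWS))
    print("connection alerts:", connection_alerts(SAMPLE_FLOWS))
```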
The Community Health Care cyber attack has been well publicized. Heartbleed was one of the methods used to compromise and capture the sensitive information. Not a lot has been published or released on who was affected, but there will be more.
Barrier1 will be presenting at the Indiana Career & Technical Education conference in September. This conference is attended by a wide variety of positions that make up today's school systems for the State of Indiana. This conference brings together IT, Educators, and Administration. After all, network security is important for all positions. The more individuals are informed and understand network security, the more secure the organization.
SSH has both a good and a bad side. One of its key features is being used to compromise networks. The ability of "port forwarding" allows an innocent outbound connection to a remote SSH server to become a malicious inbound connection to your own network. Therefore a trusted network can become the conduit or entrance method into your network. This is additionally difficult to identify because SSH traffic is encrypted.
Barrier1 customers are protected.
The basis of Context-Aware is to dynamically adapt to known patterns of behavior, device profile, and data classification. Intelligent Threat Mgmt. goes deeper into all 7 OSI layers and the relationship between each aspect. In addition, to be effective and accurate, either system requires extreme depth in data analytics and data modeling. Bayesian alone is NOT enough.
TOR, sometimes referred to as Onion Routing, was designed to prevent others from learning about you. It would hide your location, your habits/sites you go to on the internet, and other attributes. It provides anonymity. Like everything with good intentions, the very nature of TOR can be used by cyber criminals. Barrier1 inspects TOR networks and protects against it as well as inspecting the traffic flowing through it.
New reports have shown the average length of time a new and/or unpatched system lasts before being scanned or attacked has dropped drastically. In the last 15 months it dropped from 40 min. to 18 min. This is not the end of this time compression. Many are now predicting and finally talking about polymorphic attacks. That is the ability to change code and attack vectors over a period of time to avoid detection by point solutions. This will also compress. Predictions are now being made that new worm variants known as Flash Worms will be able to infect within 30 seconds. In comparison, it took Code Red and NIMDA 20+ hours.
Recently a new phishing scam included what appeared to be an email from AMEX. The content requested that you check/click the box to agree to the agreement. This would send you to a site that had been infected. This infection would have been stopped, of course, if the spam email had not gotten through, but also if the web site had been checked and inspected as well. URL filtering has a big role and needs to be a part of an "Intelligence based solution inspecting, analyzing, and reacting in All 7 OSI Layers Together."