The persistent, pervasive badness on the internet is made possible by the existence of a vast, self-replenishing infrastructure of botnets. Cyber criminals go to great lengths to keep their botnets running at high efficiency.
ThirdCertainty asked Tim Helming, director of product management at Domain Tools, to outline how and why botnets continue to thrive—and what the good guys are doing to deter them. Here’s a summary of our discussion:
A typical botnet is composed of tens of thousands of infected computers communicating back to a single command-and-control server, from which a human attacker issues instructions.
Botnets are routinely instructed by their human controller to:
• Spread malware and infect more computers
• Carry out phishing, ransomware, account takeover, click fraud and denial of service attacks
• Siphon crown jewel data from business networks via advanced persistent threat (APT) attacks
Domain name game
Each command-and-control server and each infected computer, or bot, has an IP address and a domain name. The good guys have perfected blacklisting tools tuned to quickly identify and cut off any IP address or domain name previously observed carrying out malicious activity.
These blacklists are fed into firewalls, email gateways and intrusion prevention systems, forming a first line of defense that automatically blocks any known bad domains and IP addresses.
So the criminals counter by registering new, replacement domains en masse. Botnets run domain-generation algorithms (DGAs) that spit out fresh domain names composed of random alphanumeric strings, by the hundreds. “This lets them register new domains in bulk,” Helming says.
Botnets are also instructed to create domain names made of recognizable words or word patterns. This is done when a domain name is needed that a human victim can read, to fool someone as part of a phishing or ransomware attack.
Blacklists can only do so much: they are limited to blocking domains previously observed doing bad things. So Domain Tools has also come up with a reputation scoring system that assigns a risk score to each newly created domain.
Very new domains with alphanumeric names, for instance, get an elevated risk score. So do domain names that are slight misspellings of the official domain names of legitimate websites. A decision can then be made as to whether to block a new domain that seems benign before it is put to malicious use.
“We look at things like how old the domain name is, whether the domain name makes any sense linguistically,” Helming says. “Those are intrinsic properties that can show us domains that are tightly connected to bad ones, and also one-offs that might not have that connection.”
Predicting vs. detecting
Cyber criminals can get lazy. And the good guys are striving to capitalize on that trait. For instance, it still is a common practice for criminals to use quirky, bogus information to register domains—such as Superman, 123 Anywhere Lane, Anytown, USA, 11111—and then use that name and address over and over.
But detection technology is continually improving. Machine learning is being applied to not just identify such patterns, but also correlate them to other data. The goal is to help network defenders more accurately predict whether a domain is likely to commence malicious activity long before it does.
“Prediction is where everybody is trying to get,” Helming says. “Being able to predict badness is really important and really valuable. I call it looking back to look forward.”
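The two ideas above, scoring a new domain on its intrinsic properties (age, whether the label "makes sense linguistically", closeness to a legitimate brand) and pivoting on reused bogus registrant details, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Domain Tools' code, and the brand list, the WHOIS-style records, the weights and the thresholds are all constructed for illustration:

```python
import math
import re
from datetime import date

# Constructed brand list for the lookalike check (assumption: a real deployment
# would use the organisation's own list of protected domains).
KNOWN_BRANDS = ["paypal.com", "microsoft.com", "google.com", "bankofamerica.com"]

# Constructed WHOIS-style records. The registrant values echo the article's
# "Superman, 123 Anywhere Lane" pattern; the domains are made up for the example.
WHOIS_RECORDS = [
    {"domain": "paypa1.com", "registrant": "Superman", "street": "123 Anywhere Lane"},
    {"domain": "xk7qz2vbm9pw.net", "registrant": "Superman", "street": "123 Anywhere Lane"},
    {"domain": "bankofamerica.com", "registrant": "Example Corp Legal", "street": "1 Example Plaza"},
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]+")


def shannon_entropy(s):
    """Bits per character: random DGA labels score high, dictionary-like labels lower."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def edit_distance(a, b):
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label ('paypa1' for 'login.paypa1.com'). No public-suffix list is
    used, so 'example.co.uk' would wrongly yield 'co' (known simplification)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain, created_iso, today_iso="2016-06-30"):
    """Combine age and intrinsic name properties into a 0-100 risk score.
    The weights and thresholds are hand-picked for illustration only."""
    label = registrable_label(domain)
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    nearest = min(KNOWN_BRANDS, key=lambda b: edit_distance(label, registrable_label(b)))
    lookalike_dist = edit_distance(label, registrable_label(nearest))

    score, reasons = 0, []
    if age_days < 30:
        score += 30
        reasons.append("registered less than 30 days ago")
    if entropy > 3.5 or longest_run >= 5:
        score += 30
        reasons.append("label does not look like a word")
    if digit_ratio > 0.3:
        score += 15
        reasons.append("digit-heavy label")
    if vowel_ratio < 0.2 and len(label) >= 8:
        score += 15
        reasons.append("almost no vowels")
    is_lookalike = 0 < lookalike_dist <= 2 and len(label) >= 5
    if is_lookalike:
        score += 40
        reasons.append("one or two edits away from " + nearest)
    return {"domain": domain, "age_days": age_days, "entropy": round(entropy, 2),
            "lookalike_of": nearest if is_lookalike else None,
            "score": min(score, 100), "reasons": reasons}


def pivot_on_registrant(records, seed_domain):
    """Other domains registered with the same (bogus) registrant name and street."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    key = (seed["registrant"].lower(), seed["street"].lower())
    return sorted(r["domain"] for r in records
                  if r["domain"] != seed_domain
                  and (r["registrant"].lower(), r["street"].lower()) == key)


if __name__ == "__main__":
    for dom, created in [("xk7qz2vbm9pw.net", "2016-06-25"),
                         ("paypa1.com", "2016-06-27"),
                         ("bankofamerica.com", "2000-01-01")]:
        print(score_domain(dom, created))
    print("shares registrant with paypa1.com:", pivot_on_registrant(WHOIS_RECORDS, "paypa1.com"))
```

The random-looking label gets flagged on entropy, age and the absence of vowels; the `paypa1` label is a single edit from a protected brand and is flagged on that plus age; the long-established brand domain scores zero. The registrant pivot is the "looking back to look forward" step: once one domain with the throwaway registrant details is known bad, any sibling sharing them is a candidate for review before it has done anything.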
There’s been a scary increase in successful ransomware attacks against large organizations this year. Specifically, hospitals have found themselves at the mercy of hackers who demand ransom payments to unlock critical system files. Recently, there have been signs that these criminals have moved on to universities, too. The University of Calgary admitted to Canadian media last month that it paid a $20,000 ransom “to address system issues.”
But individuals have something new to worry about. A new report from Kaspersky Lab says its detection rate for mobile ransomware—malicious software targeting smartphones and demanding ransoms—quadrupled in one year.
It’s easy to see why phone ransomware would work. Consumers fly into a panic when their phone battery dies; imagine what it’s like to see a message saying your phone is locked, and a $100 payment is required to unlock it.
Kaspersky says some ransomware criminals simply require that mobile victims type in an iTunes gift card number to free the device. I’ve written recently about the increasing use of Apple card payments for fraud.
A combination of easy, anonymous payments and off-the-shelf copycat software tools makes mobile ransomware a new and potentially dangerous threat, both to consumers and to the companies that employ them.
The numbers tell the story: From April 2014 to March 2015, Kaspersky Lab security solutions for Android protected 35,413 users from mobile ransomware. A year later the number had increased almost fourfold to 136,532 users.
It’s unclear from the report how users encounter mobile ransomware in the first place, though at least some get it when visiting porn sites and are tricked into downloading and installing malicious software.
“The extortion model is here to stay,” Kaspersky says in its report. “Mobile ransomware emerged as a follow-up to PC ransomware, and it is likely that it will be followed up with malware targeting devices that are very different from a PC or a smartphone. These could be connected devices: like smart watches, smart TVs, and other smart products including home and in-car entertainment systems. There are a few proof-of-concepts for some of these devices, and the appearance of actual malware targeting smart devices is only a question of time.”
Back-up is a must. If you ever thought that one day you finally would download and install that strange boring back-up software, today is the day. The sooner back-up becomes yet another rule in your day-to-day PC activity, the sooner you will become invulnerable to any kind of ransomware.
Use a reliable security solution. And when using it, do not turn off the advanced security features, which it most certainly has. Usually these are features that enable the detection of new ransomware based on its behavior.
Keep the software on your PC up-to-date. Most widely used programs (Flash, Java, Chrome, Firefox, Internet Explorer, Microsoft Windows and Office) have an automatic update feature. Keep it turned on, and don’t ignore requests from these applications for the installation of updates.
Keep an eye on files you download from the internet, especially from untrusted sources. In other words, if what is supposed to be an mp3 file has an .exe extension, it is definitely not a musical track but malware. The best way to be sure that everything is fine with the downloaded content is to make sure it has the right extension and has successfully passed the checks run by the protection solution on your PC.
Keep yourself informed of the new approaches cyber crooks use to lure their victims into installing malware.
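The "mp3 file with an .exe extension" advice above can be automated: compare what a download's name claims with what its first bytes say. The following is an added example, not Kaspersky's tooling; the signature table is a small constructed subset (a real checker would use a full database such as libmagic) and the sample headers are constructed:

```python
# Constructed magic-byte table (assumption: a real checker would use a full
# signature database such as libmagic; these few entries are enough for the demo).
SIGNATURES = {
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "zip": [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}
# Extensions Windows will run as a program when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "msi", "hta"}
# Extensions for which an 'MZ' (PE) header is the expected content.
PE_EXTS = {"exe", "dll", "scr", "sys"}


def split_extensions(filename):
    """All extensions of the base name, lower-cased: 'song.mp3.exe' -> ['mp3', 'exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_download(filename, data):
    """Compare the name a file claims with what its leading bytes say it is.
    `data` only needs to hold the first few bytes of the file."""
    exts = split_extensions(filename)
    last = exts[-1] if exts else ""
    findings = []
    if last in EXECUTABLE_EXTS:
        findings.append("extension .%s will run as a program" % last)
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] not in EXECUTABLE_EXTS:
        findings.append("double extension: looks like .%s but is .%s" % (exts[-2], last))
    if data.startswith(b"MZ") and last not in PE_EXTS:
        findings.append("content is a Windows executable (MZ header) despite .%s" % (last or "no extension"))
    if last in SIGNATURES and not any(data.startswith(m) for m in SIGNATURES[last]):
        findings.append("content does not start with a valid .%s header" % last)
    return {"file": filename, "verdict": "block" if findings else "allow", "findings": findings}


def inspect_file(path):
    """Read just the first 16 bytes from disk and run the same checks."""
    with open(path, "rb") as f:
        head = f.read(16)
    return inspect_download(path, head)


if __name__ == "__main__":
    # Constructed samples: a genuine MP3 (ID3) header, and a PE header under two disguises.
    print(inspect_download("track01.mp3", b"ID3\x04\x00\x00\x00\x00\x10\x00"))
    print(inspect_download("track01.mp3.exe", b"MZ\x90\x00\x03\x00\x00\x00"))
    print(inspect_download("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))
```

The header check matters because Windows Explorer hides known extensions by default, so `track01.mp3.exe` is displayed as `track01.mp3`; checking the bytes rather than the name catches the disguise either way.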
Cyber crime is the fastest-growing segment of the global criminal economy, now including state-sponsored hacking from the likes of North Korea, China and Russia. According to a 2015 FBI report, cyber crime has now overtaken illegal drug activity, moving into first place.
As a result, the cyber liability insurance market is surging. Premiums are expected to top $5 billion by 2018.
More than 60 companies currently offer cyber liability coverage on a standalone basis. Much of the underwriting for cyber risks includes the company-specific details and security breach data available in the public domain through websites such as Privacy Rights.
According to Privacy Rights, nearly one billion records have been stolen from organizations of all sizes that are all running anti-virus software and firewalls. Unfortunately, anti-virus software misses as much as 30% of malware. Firewalls are perimeter traffic cops with no intranet security capabilities.
How does a savvy cyber insurance or reinsurance underwriter determine when breach-prevention measures have been taken by a given risk? How can today’s technology solutions be used to disarm the hackers and prevent cyber losses, reducing the potential for a significant claim?
Today, like never before, we face a frequent barrage of spear phishing attacks and new forms of very creative and nasty malware such as remote access Trojans (RATs), ransomware and zero-day malware (malware for which your antivirus does not yet have a signature), not to mention the risks of malicious insiders and of infected laptops coming and going behind our firewalls. In addition, many small and medium-sized businesses (SMBs) face increased scrutiny by government regulators. Cyber crime is growing at a tremendous rate – it’s become an organized, big business opportunity for criminals, projected to grow to $600 billion this year, larger than any other form of crime, according to the World Bank.
Cyber liability underwriters will want to appreciate what a network security, cyber risk management-focused, underwriting prospect looks like relative to the broader market.
All cyber liability enterprise policyholders are not equal when measuring breach prevention methods and techniques that may be deployed with an eye toward mitigating significant future losses.
You might ask – why would my smaller business be a target – we’re not Bank of America – we’re not Home Depot or TJMAXX or Anthem? Yes, they all are big targets for big hackers, but cyber criminals don’t discriminate. In fact, they find SMBs easier targets because, traditionally, your level of defenses against cyber crime might not be as advanced as those at Bank of America – which has a $400 million annual information security budget. To the cyber criminals in the dark corners of the Internet, you’re called a “soft” target – they feel you are easier to exploit.
One piece of ransomware and you might be out of business. Some of the latest ransomware exploits will not only encrypt your laptop or desktop, but they also look for file servers and do the same, automatically. Then, you won’t have any access to your own files – or, even worse, customer records – until you pay the ransom. The FBI even recommends you pay the extortion fee. We find this all wrong. It’s completely backward. We cannot let ourselves be victims. It’s time to get more active and be one step ahead of the next attack – you are a target but you don’t have to be a victim.
It all starts with best practices. For example, if you did frequent daily backups and tested these backups, then, when you’ve been victimized by ransomware, instead of paying the extortion fee, why not wipe the infected computer, re-image it, then restore the latest backup? When asked, most SMBs say “I don’t do frequent, daily backups” or “I haven’t figured out how to wipe and re-image all of our systems in the event they get infected.” So, it’s that simple: one best practice – Backup and Restore – would save you thousands of dollars in extortion fees. You could thumb your nose at the cyber criminals instead of giving them some of your hard-earned revenue.
Cyber liability policy terms and conditions should reflect more favorably on “Breach Prevention”-focused organizations.
Best practices are things you do – steps you take – actions and plans, risk management and claims mitigation techniques. Within those plans, we are certain you will include which security countermeasures to budget for this year.
Seven Best Practices to Reduce Risk
Although we thought about going into details about recent security concepts, such as next-generation endpoint security or network access control, it seems more appropriate to focus on the best practices instead of the best security tools you might consider deploying.
For example, we consider encryption a best practice and not a product or tool. We are sure you’ll find many commercial and freely available tools out there. You can always evaluate those tools that you find most suited for your own best-practice model.
So let’s consider the following as MUST-DO best practices in cyber security to defend your SMB against the risk of a breach:
1) Roll out corporate security policies and make sure all your employees understand them.
2) Train employees and retrain employees in key areas – acceptable use, password policies, defenses against social engineering and phishing attacks.
3) Encrypt all records and confidential data so that it’s more secure from prying eyes.
4) Perform frequent backups (continuous backups are even better than daily backups) and have a re-image process on hand at all times.
5) Test your system re-imaging and latest backups by restoring a system to make sure the backup-restore process works.
6) Better screen employees to reduce the risk of a malicious insider.
7) Defend your network behind your firewall using network access control (NAC) – and make sure you can block rogue access (for example, the cleaning company plugging in a laptop at midnight) and manage the bring your own device (BYOD) dilemma.
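Items 4 and 5 above, and the wipe-and-restore argument made earlier, only hold if a restore is actually exercised and the restored data is shown to match what was backed up. The following is an added example written for this page, not the author's or any vendor's tool; it backs up a constructed directory tree into a gzip tarball with a SHA-256 manifest, restores it to a scratch location, verifies every file hash, and then damages one restored file to show what a failed check looks like:

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, backup_path):
    """Write a gzip tarball plus a JSON manifest of hashes taken at backup time."""
    src_dir, backup_path = Path(src_dir), Path(backup_path)
    manifest = build_manifest(src_dir)
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    manifest_path = backup_path.with_name(backup_path.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_tree(root, manifest):
    """Compare a directory against a manifest; three empty lists mean a faithful copy."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupt": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_and_verify(backup_path, restore_dir):
    """The test-your-backups step: extract into a scratch directory and check every hash."""
    backup_path = Path(backup_path)
    manifest = json.loads(backup_path.with_name(backup_path.name + ".manifest.json").read_text())
    with tarfile.open(backup_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):   # Python 3.12+: refuse members escaping restore_dir
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    report = verify_tree(restore_dir, manifest)
    report["ok"] = not (report["missing"] or report["corrupt"] or report["unexpected"])
    return report


def demo():
    """Constructed end-to-end run: back up a small tree, restore it, then damage one
    restored file so the second verification reports it as corrupt."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "src")
        for rel, text in [("docs/customers.csv", "id,name\n1,Example Customer\n"),
                          ("docs/notes.txt", "quarterly notes\n"),
                          ("config/app.ini", "[app]\nmode=prod\n")]:
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(text)
        backup = Path(work, "nightly.tar.gz")
        manifest = create_backup(src, backup)
        restore = Path(work, "restore")
        clean = restore_and_verify(backup, restore)
        (restore / "docs" / "customers.csv").write_text("id,name\n1,TAMPERED\n")
        return {"restore": clean, "after_tamper": verify_tree(restore, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest with the backup set, ideally on the off-network copy, so that a restore after a ransomware incident can be checked against hashes taken before the infection rather than against files the malware may already have touched.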
More Than 95% of Breaches Happen Behind Firewalls – It’s Usually an Employee Mistake
How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone sounding important who needed “inside” information? It’s happening too frequently to be ignored. Some employees love browsing Web sites they should not or gambling online or chatting using instant messenger tools. You need to educate them about acceptable usage of corporate resources. They also usually don’t know much about password policies or why they shouldn’t open the attachment that says “you’ve won a million – click here and retire now.” It’s time to start training them.
Invite employees to a quarterly “lunch and learn” training session. Give them bite-sized nuggets of best practice information.
For example, teach them about the do’s and don’ts of instant messaging. If you are logging e-mail for legal purposes, which in some cases is required by law (SEC requirements for financial trading firms), let them know that you are doing it and why you are doing it. Give them some real-world examples about what they should do in case of an emergency. Teach them why you’ve implemented a frequent-password change policy and why their password should not be on a sticky note under their keyboard.
Let these sessions get interactive with lots of Q&A. Give an award once per year to the best security compliant employee who has shown initiative with your security policies. If you can keep them interested, they will take some of the knowledge you are imparting into their daily routines. That’s the real goal.
Are My Best Practices Working? Time for Self-Assessment Before an Audit
Perform your own security self-assessment against these best practices recommendations I’ve listed above. Find all of the holes in your information security environment so that you can document them and begin a workflow process and plan to harden your network. Network security is a process, not a product, so to do it right, you need to frequently self-assess against the best guidelines you can find.
Boards of directors, CEOs, CFOs and CIOs are under extreme compliance pressures today. Not only are they charged with increasing employee productivity and protecting their networks against data theft, but they are also being asked to document every aspect of IT compliance.
We recommend, whether or not an outside firm is performing IT compliance audits, that you begin performing measurable compliance self-assessments. You’ll need to review those regulations that affect your organization. In the U.S., these range from GLBA for banks to HIPAA for healthcare and insurance providers to PCI for e-tail/retail to CFR-21-FDA-11 for pharma to SOX-404 for public companies.
Some states have their own regulations. In California, for example, if there has been a breach in confidentiality due to a successful hacker attack, companies are required by law to publish this information on their Web sites. The California Security Breach Information Act (SB-1386) requires the company to notify customers if personal information maintained in computerized data files has been compromised by unauthorized access. California consumers must be notified when their name is illegitimately obtained from a server or database with other personal information such as their Social Security number, driver’s license number, account number, credit or debit card number, or security code or password for accessing their financial account.
If you are a federal government agency, you need to comply with Executive Order 13231, to ensure protection of information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems. Also, if you are a non-profit organization, you are not exempt from the reporting requirements of regulations in your industry (banking, healthcare, etc.). Please make sure to seek legal counsel if you are not sure of which regulations you’ll need to address.
The easiest thing you can do to prove you are in compliance is to document your steps of protecting data.
Document Your Best Practices
Documentation showing that you’ve implemented best practices for risk reduction and against cyber crime will come in handy if you ever have a breach and need to defend yourself to enforce your cyber insurance policy or to keep the government regulators off your back. This kind of documentation is also good in the event someone sues your organization.
You should be able to prove that you have in place all the best policies and practices as well as the right tools and INFOSEC countermeasures for maintaining confidentiality, availability and integrity of corporate data. By frequently assessing your compliance posture, you’ll be ready to prove you “didn’t leave the keys to the corporate assets in the open.” If your network is ever hijacked and data is stolen, you’ll have done your very best to protect against this event and it will be less of a catastrophe for your organization.
Do you have a cold, warm or hot backup site in case of a critical emergency? If not, you should start planning one. If you can’t afford one, could you create a “virtual” office telecommuting situation where your organization could continue to operate virtually until you’ve resolved your emergency situation?
Knowing we are under constant attack and risk, now is the best time to begin implementing these seven best practices for network security. Hackers, malicious insiders and cyber-criminals have had their field day this year, and it’s only going to get worse – hijacking our SMB networks and placing most organizations at risk of being out of compliance, tarnishing our brands, reducing our productivity and employee morale — placing most of us in the passenger seat on a runaway Internet.
By taking a more active approach, setting measurable goals and documenting your progress along the way, you might find yourself in the driver’s seat of cyber security.
Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016.
In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access.
Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms.
That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools.
Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets.
Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars.
Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front.
Fewer are immune to attack
“Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”
Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.
The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total.
DIY kit for bad guys
Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.
“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”
Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug it immediately, Wosar says.
Going forward, expect to see the emergence of tools like Ransom32 and trends like ransomware-as-a-service pose a bigger threat for businesses, especially the small and medium ones, which generally don’t have the same resources that large companies have to defend themselves.
Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.
SMBs have limited defenses
“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”
One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interfaces to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom.
Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price.
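Because the attacker's first step against an exposed RDP server is usually guessing credentials, the pattern to watch for in the Windows Security log is a burst of failed remote logons from one address followed by a success. The following is an added detection example written for this page, not code from Emsisoft or any vendor; the log records are constructed (timestamp, event ID, logon type, account, source address) and the source addresses come from the RFC 5737 documentation ranges:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the form "timestamp,event_id,logon_type,account,source_ip"
# (assumption: in practice these fields come from the Windows Security log, where
# 4625 is a failed logon, 4624 a successful one and logon type 10 means RDP).
SAMPLE_EVENTS = """\
2016-06-14T02:00:01,4625,10,administrator,203.0.113.7
2016-06-14T02:00:03,4625,10,administrator,203.0.113.7
2016-06-14T02:00:05,4625,10,administrator,203.0.113.7
2016-06-14T02:00:07,4625,10,administrator,203.0.113.7
2016-06-14T02:00:09,4625,10,administrator,203.0.113.7
2016-06-14T02:00:11,4625,10,administrator,203.0.113.7
2016-06-14T02:00:13,4625,10,admin,203.0.113.7
2016-06-14T02:00:15,4625,10,backup,203.0.113.7
2016-06-14T02:00:25,4624,10,administrator,203.0.113.7
2016-06-14T09:15:00,4624,10,jsmith,192.0.2.44
2016-06-14T09:20:00,4625,10,jsmith,192.0.2.44
2016-06-14T09:20:30,4624,10,jsmith,192.0.2.44
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account,
                       "source_ip": source_ip})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Two detections over RDP (logon type 10) events:
    - `threshold` or more failed logons from one source inside a sliding `window`;
    - a successful logon from a source that still has `threshold` failures in the window."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)
    already_alerted = set()
    alerts = []
    for e in rdp:
        ip, now = e["source_ip"], e["ts"]
        # keep only failures that fall inside the sliding window
        recent_failures[ip] = [t for t in recent_failures[ip] if now - t <= window]
        if e["event_id"] == 4625:
            recent_failures[ip].append(now)
            if len(recent_failures[ip]) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"type": "rdp_bruteforce", "source_ip": ip,
                               "failures": len(recent_failures[ip]), "at": now.isoformat()})
        elif e["event_id"] == 4624 and len(recent_failures[ip]) >= threshold:
            alerts.append({"type": "rdp_success_after_bruteforce", "source_ip": ip,
                           "account": e["account"], "at": now.isoformat()})
    return alerts


def analyze_sample():
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The user who mistypes a password once and then logs in (`jsmith`) produces no alert; the address that fails eight times across three account names and then succeeds produces both. The second alert is the one worth paging on, since after that point the attacker is on the server and, as the article notes, can disable whatever security software runs there.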
There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.
“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”
This article was written by Third Certainty’s Jaikumar Vijayan.
Your client, ABC Corp., is going about its business and then gets this message:
The above is a typical ransomware message, according to a recent Symantec Security Response report. What’s next? Pay the “ransom” and move on? Ransomware is a type of malware or malicious software that is designed to block access to a computer or computer system until a sum of money is paid. After executing ransomware, cyber criminals will lock down a specific computer or an entire system and then demand a ransom to unlock the system or release the data. This type of cyber crime is becoming more and more common for two reasons:
1. Cyber criminals are becoming increasingly organized and well-funded.
2. A novice hacker can easily purchase ransomware on the black market.
According to the FBI, this type of cyber crime is increasingly targeting companies and government agencies, as well as individuals. The most common way that criminals execute their evil mission is by sending attachments to an individual or various personnel at a company. The busy executive opens the file, sees nothing and continues with his work day. However, once the file has been opened, the malware has been executed, and Pandora has been unleashed from the box!
Now that the malware has been unleashed, a hacker can take over the company’s computer system or decide to steal or lock up key information. The criminals then make a “ransom” demand on the company. The ransom is usually requested in bitcoins, a digital currency also referred to as crypto-currency that is not backed by any bank or government but can be used on the Internet to trade for goods or services worldwide. One bitcoin is worth about $298 at the moment. Surprisingly, the amounts are generally not exorbitant (sometimes as nominal as $500 to $5,000). The company then has the choice to pay the sum or to hire a forensics expert to attempt to unlock the system.
The best way companies can attempt to guard against such cyber crime attacks is by educating employees on the prevalence and purpose of malware and the danger of opening suspicious attachments. Employees should be advised not to click on unfamiliar attachments and to advise IT in the event they have opened something that they suspect could have contained malware. Organizations should also consider backing up their data OFF the main network so that, if critical data is held hostage, they have a way to access most of what was kidnapped. Best practices also dictate that company systems (as well as individual personal devices) be patched and updated as soon as upgrades are available.
Finally, in the event you are a victim of a ransom attack, you would need to evaluate whether it constitutes a data breach incident. If the data hijacked is encrypted, notification is likely not necessary (as the data would be unreadable by the hacker). However, if the data was not encrypted, or you cannot prove to the authorities that it was, notification to clients or individuals is likely necessary.
Cyber extortion is more prevalent than most people realize because such events are not generally publicly reported. To protect against this risk, we recommend that companies employ best practices with respect to cyber security and that they consider purchasing a well-tailored cyber policy that contains cyber extortion coverage. Such coverage would provide assistance in the event a cyber extortion threat is made against the company, as well as finance the ransom amount in the event a payment is made.