Thoughts From The Nest

What we're gonna do right here is go back, wayback...

Ben Marte on July 29, 2018

In 2012 I started dabbling with CMSs and as a Front End Developer whose backend expertise is dropping tables making a site with tons of features out of the box was glorious but the hindrance of using a CMS that no one tells you that you ignore is the constant updating and how vulnerable they are to hacks.

Because of this (version control anyone? and many other reasons) I stopped using CMSs but I still had a few sites I no longer updated running on a CMS (no it’s not wordpress 💩), anyways recently said CMS got hacked and since I didn’t keep the CMS up to date my sites were affected by said hack 😑.

Since I value my videogaming time, I updated the CMS hoping that would make the problem go away quickly (it didn’t 🙄) so now I had to invest some time to fix the issue (bye bye videogames 🤬).

I download my site files, backed up the database and scanned the files with an antivirus and it was going to be impossible time consuming to fix since the site had a ton of 💩 PHP files that were infected with malicious code. (Hackers: 1 Ben: 0)

Since my last backup was non-existant 🤦‍ lost to data corruption 😉 I was faced with deciding to either decommission the sites or find a way to fix them.

Going back

I decided I was not going to let the Hackers win but I didn’t have any usable source files, so what to do? 🤔 Enter the waybackmachine or as I call it my backup solution 😂.

The waybackmachine had a few snapshots of my site 😬 so now it was a matter of finding a way to get a hold of one of the snapshots and I would have the static source files of my site. After a bit of googling I found Github user hartator (you da real MVP son 🙌) made the wayback-machine-downloader a small ruby app that can download waybackmachine snapshots.

Now I was faced with another problem do I really wanna install 💩 Ruby to do this? NOPE. Luckily the wayback-machine-downloader has a dockerfile which means I can just run this app in a docker container and get my site files 👌 which is what I ended up doing.

The wayback-machine-downloader worked flawlessly. With a working copy of my static site files I could get my site working again (Hackers: 1 Ben: 1), but no I already missed my gaming session invested too much time and figured lets go one step further and lets fix it for good and port the site to my preferred static site generator Hugo.

Hugo All The Things Sites

Since I already have Hugo (if you don’t read here) installed on my computer I just need to create a new Hugo site by running this command in my terminal:

hugo new site mySiteName

Once the site was generated I had to create a theme for my site which I did by running the command:

hugo new theme myThemeName

This generates all the files necessary to theme your site so now all that was left to do was getting my static files into Hugo theme partials.

So once I’m done copying over my html to the partials and run my site locally I am greeted by this:

Upon further inspection using my browsers dev tools ❤️ we can see we have a few broken asset links no big deal, since we are using the files we downloaded from the wayback-machine-downloader and copied the HTML markup into Hugo which has a different file structure than the files we downloaded we need to fix the paths to our assets in Hugo.

After using our dev tools we know the problem is our file references in our old files they were under a assets folder, Hugo keeps all its static assets in a static folder.

So in our old files the references were something like this:

assets/templates/css/style.css

assets/templates/js/script.js

assets/templates/images/image.jpgs

Now in Hugo they becomes this:

css/style.css

js/script.js

images/image.jpgs

So I ran a search in all the files to see how bad it was and the results were a mere 1229 occurrences in 226 files 😮 yeah, good thing our code editor has a nifty Replace in Files function 😏.

So after running the Replace In Files function for each of our broken assets now my site looks something like this:

So at this point I was more than happy now I had to start making content pages in Hugo and start copying the content of each page into its own .md (Markdown) file. Luckily this particular site only had 16 articles so I decided to do this manually otherwise I would’ve probably reached out to our resident Hulk genius Zach to help me come up with some clever way of accomplishing this. (Hackers: 1 Ben: 2)

The case of the broken links

After creating all my content pages I started navigating the site locally and noticed the links were not the same as they were on the old site, no bueno as I would have to make 301 redirects for every page in order to avoid affecting my Google page rank. (Hackers: 1 Ben: 1) 😑.

I told you guys Hugo was awesome right? I was not about to do 301 redirects for 16 pages thankfully Hugo has a thing called permalinks. So by adding a permalink to my Hugo config.toml I can solve this issue with a single line of code 😬 all I had to do was match the permalink to the same URL pattern of YYYY/MM/DD/Title I used in the old CMS (Hackers: 1 Ben: 2) 😜, here’s what that looks like:

    [permalinks]
      blog = "blog/:year/:month/:day/:title/"

After applying the permalink and testing everything locally the site was once again ready to go live, I used these instructions on how to host a Hugo site on Gitlab ❤️ and these instructions on how to use a custom domain on Gitlab Pages with CloudFlare Certificates. So now my site is out of a CMS, is version controlled in Gitlab, has CI/CD and hosted for FREE. (Hackers: 1 Ben: 3) 🎉

So that was my weekend without videogames 😭, I hope yours was better ✌️.

If we’re gonna get fuzzy, let’s be discrete - Up close and personal with a Minesweeper solver

Zach Kanzler on July 24, 2018

In 1992, Microsoft released Minesweeper alongside Windows 3.1. We can only imagine the purpose Microsoft originally intended, but most of us know Minesweeper as the worst Cookie Clicker clone ever designed. We’d fire it up and click all over the board until the smiley face turned sad (and dead). Sometimes we’d get pretty far; sometimes wide swaths of the board opened up, and we knew we were probably some kind of genius, fated to discover new physics, or a way to recycle sewage into edible food. Well, until sad face appeared again, boredom grew to disdain, and Chip’s Challenge twinkled its eyes at ya.

I grew to love Minesweeper in my final year of grade school. Because I’d fallen deep into computers from a young age, my high school, hesitating not a single second seizing opportunities to hire less IT staff to foster curiosity, assigned half my day to PC Support, where on occasion I’d be asked to fix a computer. Otherwise, I played a lot of Minesweeper. (And, of course, those LAN multiplayer Halo and Quake 3 demos #millenials)

The rules of Minesweeper are pretty simple. At the start of the game, the board contains a number of mines – this number is displayed prominently. Each cell either contains a mine, or doesn’t. When you click a cell, it reveals either a mine, in which case:

In the first picture, there is a number 1 which has only a single neighbour. By the rules of the game, this neighbour must contain a mine. We flag it, so we remember not to click it.

That was the only place where the obvious choice of action is derived entirely from a single number. We’ve gotta get clever to continue. And so we shall!

Numbers that share neighbours also share information – like, if neighbour X is a mine, it may mean neighbours Y and Z cannot contain mines, and are safe for the clicking. Which, you guessed it, we can take advantage of.

The topmost number 1 touches both neighbours highlighted in blue. Since this #1 means only one of its neighbours has a mine, we can infer that if we knew the location of the mine, the other neighbours could safely be clicked. The same applies to the 1 below it at (2, 1), whose neighbours are highlighted in orange.

See the single orange neighbour not overlapped by the blue? If we were to assume a mine was there, it would mean those two blue neighbours contained 0 mines, safe for the clicking. So we click them. Now the topmost #1 touches no cells, leaving no place for its single mine. Of course, this means the #1 pops out of existence, appearing spontaneously in the bank account balance of some fortunate soul (or Shia LaBeouf’s, setting off a chain of events culminating in the attempted assassination of the US president). Or, we end up clicking a mine and losing the game. It all depends on how strange you believe the universe is.

For the sake of the exposition, we’ll adhere to Occam’s razor, and assume clicking both of the blue-shaded cells leads to certain death. Since we’re forced to click both blues if we flag the orange, we know we can’t flag it without certainly dying. We’ve gotta do the other thing… what was it? …uh, Clicking? Yeah.

This same logic can lead us to flagging a cell, instead of clicking.

Taking it one step further, we can combine information from multiple cells to expose less obvious solutions. In the next example, the #1’s at the bottom left portion touch all but a single neighbour of the #3. We know both of those #1’s combined provide two mines, leaving one mine of #3 unaccounted for. We infer the mine’s location must be in the only neighbour #3 doesn’t share with the #1’s.

Note: cells shaded blue have been right-clicked, and red-shaded cells have been left-clicked.

Using only this rule, we can get pretty far. Much of the time, a single move can open up the board.

That is, until those moves run out.

Well, there is one other general strategy we missed. Our previous strategies relied on one number completely containing all the neighbours of another number. There are some cases where only partial overlap is decisive enough to uncover Deep Truths™ of the board.

The three blue-shaded cells contain exactly one mine. Another way of putting it is: the blue-shaded cells contain a maximum of one mine. This is true, even for the cells overlapping the green – since there is a maximum of one mine, we can effectively treat the two overlappers as a single cell. This leaves only one other place for green’s remaining mine: the bottommost greenie. We flag it, and the board opens up again… at least for a bit.

And then there were no more strategies. Finito. Good day, sir!

Well, of course, no more strategies except for the other ones, which we’ll take a look at next time, before finally accepting the futility of our situation and graphing grasping at straws to milk the board for all she’s worth.

Bonus win gif for you beautiful readers.

Kovter Research and Analysis

Stephen Coty on July 19, 2018

Through recent alert analysis, Perch Labs has identified Kovter as malicious code on the rise since January. To truly understand the code, we need to understand its history:

• Kovter, in 2013, was known as a piece of silent ransomware code that transferred files to an infected host without detection. Throughout 2013 and 2014, it was an effective ransomware that would wait on a system until a certain function would be performed. One of those functions was a popup screen notifying the user of illegal activity, with an interface provided to pay a fine, now known as a ransom.
  
• Kovter then evolved into many click fraud campaigns. It would infect hosts and steal data to well architected Command and Control (C2) server architecture.
  
• In 2015, Kovter evolved into one of the first file-less piece of malicious code that utilized autorun registry edits. It would embed a JavaScript function into the registry that executes a PowerShell script which then installs multiple binaries.
  
• As Kovter continued to evolve, it added to its file-less capabilities by including file-like components and spawning local shells to spread laterally throughout your network.
  
  

The Kovter family of malicious code has a tradition of being effective and difficult to detect. The most common attack vector for Kovter has been through spam and targeting phishing email campaigns. Spam and phishing emails using false delivery notifications for UPS, FedEx or invoices are nothing new but are still incredibly effective especially when well researched and targeted. The main variants of Kovter are aimed at performing ad fraud and are difficult to detect and remove, as they implement these file-less infection methods. They can steal personal or corporate information, download additional malware or have complete access to the infected host.

Kovter Methodologies

1. Attack the Human
Kovter arrives within mail attachments as a macro in an office file. When activated, the macro downloads additional files that triggers a powershell command stored in the registry to gain full control of the host. Then the randomly named file deletes itself. One of the most recent campaigns used an effective technique to trick users by using fake delivery notifications from UPS, USPS, and FedEx. The Emails have historically targeted Finance and HR departments through related internet services documents such as resumes and invoices. The email attachment is either a ZIP file that archives a double extension file (*.doc.html) or a standalone double extension HTML file.

2. Extract, Decode and Run
Phishing, if targeted, is successful because of the research done on the company or individuals. Malicious actors will troll LinkedIn to identify key employees or easy targets. They then troll social media to evaluate likes and dislikes to help craft an email based on the data found. The HTML document will convince the user to click and download an “Office plugin,” but in the background, the HTML actually contains an embedded base64-encoded ZIP file.

3. Install Malicious javascript
When executed, the HTML extracts a JS file (WebView-Plugin-Update-0.exe.js) which is a partially obfuscated JScript/JavaScript file hiding inside a 7-zip. Once connected, the fake WebView Plugin will download a JS file and immediately executes it after a de-obfuscation process.

4. Connect to C2 for additional payloads
The file, once properly decoded, will again try to build different URLs using different domain names. There will be two possible URLs from each domain. The first URL will download something from the ransomware or spyware family and the second URL will download KOVTER. Both URLs will download a file with a *.PNG extension that will be renamed to *.EXE and executed later. There are layers of obfuscated files and multiple command and control sites.

5. Connect to new C2 to test file storage
The malicious code will now attempt to communicate with the C2 servers that have been architected to store stolen assets from the infected hosts. Once communication is established there is a process that schedules regular connections to upload any data that the infected host has collected.

1. Log Management
Log messages are a very useful tool for a variety security tasks, but simply collecting logs locally in text files is often not enough. With tools like syslog-ng, security experts can centralize all of the log messages coming from servers, network devices, applications and lots of other sources (even printers and peripherals). With central log collection, one can easily check log messages even if the source machine suffered a hardware failure or logs were removed during a security incident. And once all of the logs are centralized, you can do interesting things like filter the messages, getting rid of the ones you don’t want, or classify messages so that you can group similar messages together. There are a few steps to follow to maintain an efficient and effective logging process:

• Set a strategy – don’t log blindly
  
• Structure your log data, and consider the format of your logs
  
• Separate and centralize your log data
  
• Practice end-to-end logging
  
• Correlate data sources
  
• Use unique identifiers
  
• Add context
  
• Perform real-time monitoring
  
  

2. File Integrity Management
Organizations can also list methods for detection, which can be based on commands known to be used by malicious PowerShell scripts looking for patterns used to obfuscate their command-prompt. Files from any of the below malware will, once loaded, be detected through their file loads. This is another observable that can be detected through an FIM solution.

3. Intrusion Detection and Netflow
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking actions when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses.

4. Solid Threat Intelligence

5. ²⁴⁄₇ Monitoring of indicators like the IP address below
In cyber threat intelligence, analysis often hinges on the triad of actors, intent, and capability; with consideration given to their tactics, techniques, and procedures (TTPs), motivations, and access to the intended targets. Studying this triad enables us to make informed, strategic, operational, and tactical assessments.

References:

Recorded Future – Kovter ID Card

How to boost your FFIEC CAT score, Part 1: What the CAT dragged in

Mike Riggs on July 11, 2018

Since the Federal Financial Institutions Examination Council (FFIEC) introduced the Cybersecurity Assessment Tool (CAT) a few years ago, financial institutions have finally recommended a prescriptive path to operational cybersecurity maturity.

So what has the CAT brought us?

• Financial institutions welcomed the CAT. While institutions aren’t required to complete the assessment, examiners use it as their framework when assessing institutions during exams. The CAT was intentionally vague and lacked specific guidance; but it did act as a tool that gave institutions the right amount of autonomy to grow in the areas they saw fit while adhering to the suggested path to maturity. It introduced new concepts, including Domain II, which covered complex topics in Threat Intelligence and Information Sharing.

• It’s tough to evolve beyond the baseline requirement of “belonging or subscribing to a threat and vulnerability information sharing source that provides information on threats”. At my institution, we were already ahead of the curve by belonging to the FS-ISAC and being active with their various Community Institution and CyberIntel mailing lists, but the volume of information coming through was too much and mostly unactionable at a small institution like ours. There was a struggle to find a product to help cover the information overload and make the information actionable without increasing headcount or level of effort in information security resources.

• This gap in coverage is where Perch Security has found a niche in financial services. I was a Perch user before I was an employee. I loved the product because Perch boosts an organization’s CAT Domain II maturity level and helps cover many other controls that are part of a well-defined cybersecurity program. From threat intelligence detection and response to participation in threat intelligence communities, Perch helps make up shortfalls in stretched budgets of financial institutions by backfilling with People (managed 24x7 SOC services), Process (helping bring structure around escalation and initiation of incident response and threat intel consumption) and Technology (automating the detection of the threats on your network).

Look for future blog posts From Michael Riggs, CISSP, that will cover achieving maturity in specific CAT domains.

React in Outlook? How we built the Weekly Indicators Summary

Charles Burgess on January 24, 2018

Email has always lagged behind the browser in terms of features and capabilities. While in the latest version of Chrome or Firefox you can play console-quality games, make music, and share your screen, email is a very different story. Getting a layout to look consistent across devices or sharing the joy of an animated GIF are things we take for granted on the web, but can be frustrating to deliver to your inbox.

Weekly Summary emails

If you use Perch, you’ve probably gotten one of our new Weekly Summary emails by now. For everyone else, they look a little something like this. Our emails have always had a lot of information, but as our customers have had more sightings, alerts, and intel, it can start to feel overwhelming. Chances are pretty good your inbox doesn’t need any heft added to it, so when redesigning the Weekly Summary we wanted to help our customers get as much insight as they could with as succinct an email as possible. By highlighting trends and counts in colorful charts at the top of the email, we think the Weekly Summary gives you more actionable information faster than ever before.

Testing the limits of email

Those charts are a key part of the new design, but charting in email has been avoided by many a dev team. There are some “hacks” you can do to sprinkle some data-viz magic into your emails but often times they aren’t pretty or scalable.

If you have a single chart to send (and time on your hands), you could try making a static copy of the chart in a design program like Sketch or Photoshop and saving it as an image to include in the email. But with a flock of customers and billions of data points that change by the minute, that won’t work here.

In previous Perch emails we have create simple bar charts with css but every email client has slightly different support and the code gets messy fast. No one wants to maintain a Rube Goldberg machine, especially one made of CSS.

With the Perch product, we use React and Recharts to create beautiful, reusable charts with live data for each customer. We can’t use this approach in our emails though because most email programs will not allow us to execute Javascript. This means no React, no Recharts, and no real-time chart goodness.

Leaning on the community

Our dev team did some head-scratching, white-boarding, and forum-surfing before we found repng. Repng is a Javascript library that allows you to convert any React component (like a LineChart from Recharts) into a PNG. So now, we can reuse the same charts we know and love from Perch in our emails with just a dash of CLI magic. Running the process on a Node.js micro-service, we can easily pass all the data we need for the Weekly Summary to the chart-to-png service, generate the email-friendly graphic, and send the email out the door with 100% more visual goodness.

Show me teh codez

Want to add some charts to your emails? Here’s a quick starter that will get you going in the right direction.

Start by grabbing node and npm if you don’t have them already.

We need to install all of our dependencies first:

npm install react react-dom recharts repng express bodyparser

Then we can set up out express server to listen for incoming data:

const bodyParser = require('body-parser');
const express = require('express');
const React = require('react');
const { LineChart } = require('recharts');
const repng = require('repng');

const app = express();
const port = 8080;

// Add middleware for reading JSON bodies
app.use(bodyParser.json());

// <LineChart width={500} height={300} data={data}> ... </LineChart>
// This is the JSX you may be more familiar with,
// but for the sake of not dragging babel into this
// we will use the "vanilla JS" flavor of react in this snippet.

// Note: "data" should be an array of objects that have an:
// amt: Number | name: String | pv: Number | uv: Number

const chart = props => 
  React.createElement(
    LineChart,
    { data: props.data, height: props.height, width: props.width },
    React.createElement(XAxis, { dataKey: "name" }),
    React.createElement(YAxis, null),
    React.createElement(CartesianGrid, { stroke: "#eee", strokeDasharray: "5 5" }),
    React.createElement(Line, { type: "monotone", dataKey: "uv", stroke: "#8884d8" }),
    React.createElement(Line, { type: "monotone", dataKey: "pv", stroke: "#82ca9d" })
  );

// Add routes
app.post('/convert-chart-to-png', (req, res) => {
  repng(chart, {
    width: req.body.width,
    height: req.body.height,
    props: req.body
  })
  .then(streams => {
    const [ pngData ] = streams;
    pngData.pipe(res);
  });
});

// Start the server
app.listen(port, () => console.log(`Running on port ${port}`));

In your terminal of choice, cd your way to the project folder and run node index.js (or whatever you named your file) and your server should echo “Running on port 8080”.

Now you can POST some chart data to localhost:8080/convert-chart-to-png and get base64 image data in the response!

Obviously this code is not production-ready, but hopefully it can inspire you to do something cool with React and repng - it doesn’t even have to be a chart. You could just as easily pass any react component so why limit yourself?

Wrapping up

We hope to use this technique to bring more of what our customers love about the Perch web app directly to their inbox.

You know what they say: an image is worth a thousand words, but a chart is worth a billion data points - or something like that.

Supercharge your SOC: 3 security playbook ideas with the Perch API

Wes Spencer on January 21, 2018

Security automation is all the rage these days, and for good reason. Repetitive, time-consuming tasks are not only a resource drain, but they can cause rather significant security gaps as well. These manual and repetitive tasks are prone to analyst error and carelessness but are also monotonous drudgery that can leave quality talent looking for more interesting jobs.

For most CISOs, turning to security automation and orchestration through the use of playbooks is becoming a step in the right direction. Automation is a powerful strategy to not only eliminate repetitive tasks, but can uncover threats and other issues that no human would have the time to discover manually.

In conversations with our customers, we’re seeing some innovative ideas being discussed. We’re really excited to see our customers leveraging the new Perch API into their automation and orchestration playbooks, due to the depth of community intel we have available. In this article, I wanted to highlight a few ideas to spark your imagination.

Backtesting IoC’s for Deeper Threat Correlation

Security shouldn’t operate in silos any longer. Unfortunately for many organizations, making decisions about threats based upon what others in their threat community are seeing is difficult if not impossible.

However with the power of Perch’s community data, the opportunities are boundless for integration of Perch into a security playbook. Let me illustrate just one single example. Imagine your organization receives an email from an unknown sender. You could build out a playbook that integrates Perch (among other tools!) into a set of actions.

Using the Perch API, a simple query could be made to determine the reputation of the sending IP in the email header. Data can quickly be extracted into metrics such as:

• Has this IP been reported by other security sharing communities before?
  
• How recently has this IP been reported as potentially malicious?
  
• Who else has seen this IP? Does it appear to be targeting a specific industry?
  
• How many different indicators have been published that contain this IP?
  
  

Hopefully by now I have you salivating at the mouth at the potential opportunities afforded by leveraging the Perch API into your playbooks. The results of this deep community data can be used to build out risk scores, response thresholds, and automated actions such as rule blocks and spam tags.

Automate the SOC Workflow

Any CISO worth their salt will tell you they prefer to leverage best of breed security tools as part of an overall security posture. Typically, however, this advantage comes with an agonizing tradeoff. Multiple tools must be individually managed and correlation and integration of data and alerts between tools is a complex challenge.

Perch was created by former security practitioners. We know firsthand that these are challenges Perch should help solve, not contribute to making worse. The Perch API can easily integrate into incident response (IR) systems to enrich its data and fill in gaps with Perch’s threat intelligence. It can help IR be orchestrated from a single unified platform, reducing analyst workload and correlation time.

Indicator Sharing: From Consumer to Producer

At any ISAC or ISAO conference, you’ll hear pleas for organizations of all sizes to begin the process of going from simply consuming threat intel to producing it. We are all in this fight together. When one organization shares intel about a threat they are seeing, countless other organizations may benefit from that intel as well.

While the philosophy is easy to explain, we’ve noticed the most significant challenge to being a producer of threat intel is committing to the time required. This is an element that can easily be automated by the Perch API.

Imagine an end user at your organization visits a compromised website that redirects web traffic to a known malicious host. However, because the website was recently compromised, there is no threat intel about the website itself, but only from the malware redirection. A security playbook could easily be written that uses the Perch API to publish a new indicator to your trusted threat sharing community (ISAC or ISAO) at nearly the same time the attack was detected or blocked. Being able to shut down an attack higher up the kill chain can be an effective way to shift pain back onto the bad guy by disrupting his attack infrastructure and give others an early warning against the threat.

Conclusion

These three ideas are just a few of many new and innovative ideas we’re having in discussions with our customers. To be sure, many more ideas will continue to flow out of these playbooks. What about you? What ideas do you have about leveraging Perch among your other tools and playbooks for security automation and orchestration? I want to hear from you!

Customer Insights: John Nelson reacts to the HITRUST and American Medical Association Cyber Risk Announcement

Wes Spencer on October 6, 2017

In late September, HITRUST and the American Medical Association announced a partnership
to provide education on cyber risk management to healthcare organizations across the US. Their efforts focus on information security risk management, HIPAA compliance and cyber security; with recommendations specifically tailored for small practices, who often lack the resources and personnel that larger organizations have.

Today I spoke with John Nelson, Systems Administrator / Security Officer for U.S. Expediters, Inc. to discuss the ramifications and opportunities of this partnership.
John is the Security Officer for U.S. Expediters, Inc. He is responsible for policy development and operations related to information security and compliance. Following a career in Fire and Emergency Medical Services, he has been involved with information technology in the healthcare sector since 2000.

Wes:
John, tell us your thoughts on the AMA and HITRUST partnership for security education around cyber risk management.

John:
I am encouraged to see the AMA stepping up and seeking partners to help educate their members about the challenges they face in effectively dealing with a rapidly changing threat landscape. This initiative
seems to fit well within the AMA’s stated mission: “Our mission is to promote the art and science of medicine and the betterment of public health.” The last few decades have seen digital technology bring radical
changes in everything from practice management to the very tools used to diagnose and treat patients. Along with that change, of course, comes new risk. It is well that the AMA is expanding it’s advocate role to
include education about those risks and how to mitigate them.

Wes:
What do you think this means for small and mid-size healthcare organizations in the US?

John:
Honestly, my fear is that the serious gaps I often see in the security posture of smaller organizations (which include, by the way, most hospitals and medical practices) will remain largely unmitigated. So often,
many excellent solutions, designed and marketed to larger enterprises, are unapproachable for most smaller organizations. They’re either too complex, or too expensive, or both. My hope is that, with educational
pushes like this, the great numbers of these smaller organizations will recognize this gap and create demand for effective and more affordable solutions.

Wes:
As we all know, smaller healthcare organizations have their hands full with so many priorities. Cybersecurity is just one challenge among many. In your experience, what should security leaders in small and mid-size
healthcare organizations be thinking about to enhance their cybersecurity posture?

John:
In a word - vigilance. I wish I had a dollar for every time I’ve heard it asserted that, “Our anti-virus software is up to date, so we’re good.” For years, passive defenses like that were usually enough, but the modern
threat landscape demands a more proactive approach. We must continually assess that landscape and our security posture within it. We should be actively identifying and mitigating vulnerabilities within our environments.
We should be actively looking for signs of compromise in our environments. The “2017 Cost of Data Breach” report from The Ponemon Institute puts the “mean time to identify” a breach at 191 days. That’s down significantly
from 229 days in the 2016 report, but it still dramatically underscores the need for more, and better… vigilance.

Thanks for your time, John! We really appreciate you talking to us today.

About U.S. Expediters: U.S. Expediters, Inc. is based in the Houston, TX area. It is a group of companies, each of which is involved in the treatment of sleep apnea. Among those entities is cpap.com, the world’s largest
Internet retailer of CPAP equipment.

About Perch Security: Perch Security offers the first Community Defense Platform. For the first time, even small and midsize businesses can use their sharing community membership (ISACs and ISAOs) to access their relevant
industry-specific threat intelligence and participate within the community – all without purchasing specific tools or increasing staff. www.perchsecurity.com

CCleaner: how to use Perch to confirm you weren't compromised

Wes Spencer on September 21, 2017

Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software.

According to Cisco: For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.

Attacks like this against a trusted supply chain between the software manufacturer and the customer are a growing attack vector due to its potential effectiveness and impact.
Security controls like firewalls and endpoint protection are often unable to initially detect supply chain attacks due to trust relationships already in place.

In the wake of supply chain attack, you can benefit from reviewing your network traffic for any indicators of compromise (IOC); and access to network traffic history (like Perchybana) lets you analyze and respond immediately.

Perch customers can quickly search for any indications of compromise using Perchybana, Perch’s new network data search and correlation tool. In Cisco’s report, the following observable was published:

• 216.126.225[.]148
  
  

Additionally, Perch analysts were able to add additional observables from Cisco’s report:

• 52.213.122[.]236
  
• ns2.ab1145b758c30[.]com
  
• ns1.apavcul[.]ru
  
• ns2.februarystorm[.]net
  
• ns1.kdcmwuz[.]ru
  
• ns2.gdgctwymm[.]net
  
• ns1.lutmkwr[.]ru
  
• ns2.hideallip[.]net
  
• ns1.uvttrpa[.]ru
  
• ns2.soyuzinformaciiimexanikiops[.]com
  
  

To review for any network traffic with these observables, Perch users can quickly use these search terms within Perchybana to determine if further incident research and response is warranted:

As always, Perch’s Security Operations Center team is monitoring for these IOCs and proactively reached out to any customers who may be impacted.

Other People's Analysts

January 12, 2017

Over the last 6 years, I have been entrenched in Cyber Security.

Packet capture
Network Forensics
Identity and Access Management
Threat Intelligence
During my nPulse Technologies days (acquired by FireEye), I relearned all the network packet stuff that I had been taught in college. The OSI network layers, VLANs, Q-in-Q… oh boy! Reassembling packets (with python no less) was a REALLY fun exercise… never made it into the product, since there were open source tools that did it better (faster?).. but I did it…. then came the challenge of using the reassembled data in an application.

Imagine this now, you’re a cyber analyst. You’ve got some juicy intel from your ISAC (FS-ISAC? NH-ISAC?) … or maybe it’s from your industry buddies that you share intel with. You set up your alerting mechanisms, you set up your SIEM, and you wait.

PING! You get a hit! You know now have an IP address that a machine in your network tried to go to. You start your research, do a little OSINT, do some googling… find out it’s a shared host. Oh well.

False Positive.

You tell your buddies, and that’s it for the day.

Guess what just happened? Your group just got smarter because two of you did some work. The first guy set up the intel, and you validated it as a false positive. Since you both shared within your community, you just got smarter! You leveraged a few members of the community to make you all better!

This is the best scenario we have today. Some communities share data. Not many communities allow for automatic sharing of sightings (did you see that IOC in the wild?). NO communities allow you to share what you did in regards to that IOC. Did you block it in a Firewall? Did you mark it as a False Positive?

There aren’t many tools out there that can help this process.. The more we can share, the more we can attribute, the more we can automatically know what’s going on in the network of our peers, the safer we’ll all be.

Tackling Expensive and Complicated Information Security

January 11, 2017

Information Security: It doesn’t have to be so expensive (or complicated!)

The Bad News

For Small/Medium Businesses (SMBs), you can’t approach information security the same way your bigger brothers do. Face it, Capital One has a much larger information security (infosec) budget than the Downtown Credit Union in Powhatan, VA. Small companies don’t have the same staffing models, technology expertise or highly specialized analysts that focus solely on protecting data. Sure, there are free and open source tools, for example, but they still require expertise and time to get them up and running, not to mentioned tuned, maintained, updated, etc!

Here’s another challenge. A good information security practice relies on intelligence about threats, attacks, vulnerabilities, etc. There are open source data sets that can help your SMB know what to look for in network scans, packet matching signatures and queries in your SIEM, but that open source data tends to be stale. Don’t get me wrong, it’s table stakes. You NEED to be on the lookout for what Emerging Threats has, but it’s not sufficient. That data will protect you, but it’s a tiny part of the known bad things out there.

Ok, one more ‘bad news’ comment. There are vendors out there that will sell you cyber threat intelligence (CTI) data. Some aggregate data from intelligence providers; they’re called TIPs, Threat Intelligence Platforms. They provide tools and technologies to help you get known intelligence data. Others research, probe and monitor the internet/private networks looking for ‘things’ that are bad. They’ll either sell you the data or sell it to an aggregation company who will sell it to you. They provide a great service, and deserve to be paid for the work they do, but again, this may be pricey and out of your budget.

The Good News!

There is a new reality out there. There are sharing communities being formed to share this threat intelligence data (ISACs and ISAOs). These groups are focused around specific industries (Health Care, Financial Services, Aviation, etc) and allow a platform to share more RELEVANT data. This is data that affects your industry, and therefore has a much higher chance of being relevant to you company. Their cyber intelligence data is target to their industry and typically much more relevant than the data served from large repositories.

Size doesn’t always matter. With finite resources, both technical and human, it’s nearly impossible for SMBs to look out for all the bad things; and why should they? A bank doesn’t care about a command and control channel for a botnet that is targeting manufacturing equipment.

Sharing communities are becoming the KEY source of threat intelligence data for small to mid-size business. It’s putting the control of the infosec spend back into their hands.

By leveraging shared community data as the primary (but still not only!) source of intelligence, we substantially reduce the cost of a comprehensive cyber intelligence and threat mitigation plan. Once we embrace this new world of industry-specific, relevant cyber intel, we’ll have new ways to connect in a USABLE way. What’s “usable”? In order to reap the benefits of your sharing community memberships, you need readily tools that:

Don’t require a skilled analyst behind the dashboard 24x7.
Don’t require a SIEM to use it.
Doesn’t require a knowledge of code.
Doesn’t require more than a basic understanding of CTI (STIX, TAXII) terminology

Now What

Who’s going to provide a tool like this? Ha! I’m not good at keeping secrets, but I’m working on something that will help bring the promise of a sharing community to reality.