Iconix Whitepaper – Defending Against Advanced Persistent Threats

May 31, 2011

Today Iconix released a whitepaper entitled, “Defending Against Advanced Persistent Threats.”

As the whitepaper describes, the United States, its allies and its industries are engaged in cyber warfare.  A leaked secret State Department cable describes a cyberwarfare attack:

Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC [Byzantine Condor] actors. … BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems [spear-phishing]. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks.

This cable describes the multi-faceted attack termed an “Advanced Persistent Threat” or “APT.”  Press reports state that China, using attacks built upon spear-phishing, has stolen terabytes of sensitive data — from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems.

It is critical that many layers of defense are used by organizations in the battles against APT.  Operating systems and browsers must be current and patched.  The latest software applications should be deployed with all patches installed in a timely manner.  State of the art security software should be deployed.  Systems should be monitored.  Staff must be trained.  But part of the solution is to realize that people respond to well-crafted spear-phishing emails.

When human factors are considered in the threat profile, human factors must be deployed in the defensive measures.  A tool is now available that uses human factors to identify trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm.  Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

Your systems are under attack from clever and determined opponents employing Advanced Persistent Threats.  The opponents’ preferred method of the initial incursion into your systems is spear-phishing.  As has been demonstrated in numerous cases, that opponent is persistent – eventually an employee will respond to a carefully crafted email and that response will initiate a series of events that will result in cyber espionage. The attacks are crafted to avoid technical defenses (small email volumes that are “under the radar”, zero day exploits and other APT countermeasures).  The initial point of vulnerability is the person interacting with a compelling email.  Training is not effective in defending at the point of vulnerability.  At that point of vulnerability, SP Guard provides the person with a defense against the spear-phishing attack.

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.

Advertisements

Target – The Human

May 25, 2011

“Target – The Human” in the May 2011 issue of Information Security provides a detailed discussion of the social engineering schemes that are being used to compromise data processing systems. The article quotes Shawn Moyer, managing principal research consultant with Accuvant LABS R&D team:

A common mistake enterprise security managers make is focusing on infrastructure and system defenses instead of people. A lot of defenders still think in terms of an attacker on the Internet externally trying to find a way in. … The reality is, if I’m the outside threat, I find an insider and that insider becomes your threat.

The article describes how scoundrels use social networks to collect personal information to devise clever schemes of deception. Lance Spitzner, director of SANS Securing the Human Program, describes how network attackers used publicly available information from the internet to obtain personal information to create an enticing email. For example, attackers identified employees who attended a conference. The attackers created a spear-phishing email that pretended to follow-up on the conference. Spitzner noted:

By customizing the email, two things happen: They’re far more likely to click on it and by having a small number [of targets] it’s more likely to slip through. It goes under the radar of antivirus companies because they don’t have signatures [for it].

Heather Adkins, information security manager at Google, describes the recent security breach at Google. In this case, the miscreants gathered information posted by employees on social websites and used this information to create a phony photo website. The bad guys then sent emails containing links that appeared to come from people the employees trusted. The links downloaded malware that allowed the criminals to infiltrate Google’s servers.

The article concludes with a discussion of training to combat the spear-phishing threat. While Iconix agrees that training is an important element of a multi-layered defense, training is not enough. The Iconix whitepaper “Phishing Training – A Losing Cyberwar Strategy” discusses the deficiencies of training in detail.

When human factors are considered in the threat profile, human factors must be deployed in the defensive measures. A tool is now available that uses human factors to identify trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm. Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

Your systems are under attack from clever and determined opponents employing Advanced Persistent Threats. The opponents’ preferred method of the initial incursion into your systems is spear-phishing. As has been demonstrated in numerous cases, that opponent is persistent – eventually an employee will respond to a carefully crafted email and that response will initiate a series of events that will result in system compromise. The point of vulnerability is the person interacting with a compelling email. Training is not effective in defending at the point of vulnerability. At that point of vulnerability, SP Guard provides the person with a defense against the spear-phishing attack.


Iconix Whitepaper –– Phishing Training – A Losing Cyberwar Strategy

May 18, 2011

Today Iconix released a whitepaper entitled, “Phishing Training – A Losing Cyberwar Strategy.”

As the whitepaper describes, the United States, its allies and its industries are engaged in cyber warfare.  A leaked secret State Department cable describes a cyberwarfare attack:

Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC [Byzantine Condor] actors. … BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems [spear-phishing]. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks.

This cable describes the multi-faceted attack termed an “Advanced Persistent Threat.” Press reports state that China, using attacks built upon spear-phishing, has stolen terabytes of sensitive data — from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. 

It is critical that many layers of defense are used by organizations in the battles of cyberwarfare.  Operating systems and browsers must be current and patched.  The latest software applications should be deployed with all patches installed in a timely manner.  State of the art security software should be deployed.  Systems should be monitored.  Staff must be trained.  But part of the solution is to realize that people respond to well-crafted spear-phishing emails.

When human factors are considered in the threat profile, human factors must be deployed in the defensive measures.  A tool is now available that uses human factors to identify trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm.  Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix.

On the cyber battlefield, your systems are under attack from clever and determined opponents employing Advanced Persistent Threats.  The opponents’ preferred method of the initial incursion into your systems is spear-phishing.  As has been demonstrated in numerous cases, that opponent is persistent – eventually an employee will respond to a carefully crafted email and that response will initiate a series of events that will result in cyber espionage.  The point of vulnerability is the person interacting with a compelling email.  Training is not effective in defending at the point of vulnerability.  At that point of vulnerability, SP Guard provides the person with a defense against the spear-phishing attack. 

To learn more, visit us at http://www.iconix.com/business/spearphishing.php.


Sony PSN email Scam

May 13, 2011

Electronic Theatre, the gaming publication, reports that scams arising from the security breach of the Sony Playstation Network (PSN) have started.

Electronic Theatre reports that soon after the PSN network was compromised, Sony sent out a real email warning.  On May 4, 2011, members to the Electronic Theatre team started receiving additional warning emails which were almost identical to the original messages — except this time the email contained a link to reset your password.  The password reset page is actually a scam intended to steal your personal information.  While Electronic Theatre does not believe that these email criminals are the same people who hacked the Sony network, this scam does demonstrate the clever ways that criminals quickly exploit any opportunity that becomes available.

Electronic Theatre reminds its readers to be vigilant about email correspondence.  To that we add that you should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Unless you have the right tool. 

 

Know Who.  No Doubt.  Use eMail ID.


Malicious Software Features Usama bin Laden Links to Ensnare Unsuspecting Computer Users

May 3, 2011

The FBI today (May 3, 2011) issued a warning about emails that feature Usama bin Laden photos or videos but which actually contain malware that will infect your computer.  The FBI warns that viruses are often programmed to steal your personally identifiable information.

The FBI offers this advice:

  • Adjust the privacy settings on social networking sites you frequent to make it more difficult for people you know and do not know to post content to your page. Even a “friend” can unknowingly pass on multimedia that’s actually malicious software.
  • Do not agree to download software to view videos. These applications can infect your computer.
  • Read e-mails you receive carefully. Fraudulent messages often feature misspellings, poor grammar, and nonstandard English.
  • Report e-mails you receive that purport to be from the FBI. Criminals often use the FBI’s name and seal to add legitimacy to their fraudulent schemes. In fact, the FBI does not send unsolicited e-mails to the public. Should you receive unsolicited messages that feature the FBI’s name, seal, or that reference a division or unit within the FBI or an individual employee, report it to the Internet Crime Complaint Center at www.ic3.gov.

Yes, you should be alert to potential scams.  And of course you should use the latest versions of a reputable security product and install all the security patches for your operating system and applications.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Unless you have the right tool. 

 

Know Who.  No Doubt.  Use eMail ID.