Survey and Taxonomy Ofadversarial Reconnaissance Techniques
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Xbt.Doc.248.2.Pdf
MAY 25, 2018 United States District Court Southern District of Florida Miami Division CASE NO. 1:17-CV-60426-UU ALEKSEJ GUBAREV, XBT HOLDING S.A., AND WEBZILLA, INC., PLAINTIFFS, VS BUZZFEED, INC. AND BEN SMITH, DEFENDANTS Expert report of Anthony J. Ferrante FTI Consulting, Inc. 4827-3935-4214v.1 0100812-000009 Table of Contents Table of Contents .............................................................................................................................................. 1 Qualifications ..................................................................................................................................................... 2 Scope of Assignment ......................................................................................................................................... 3 Glossary of Important Terms ............................................................................................................................. 4 Executive Summary ........................................................................................................................................... 7 Methodology ..................................................................................................................................................... 8 Technical Investigation ................................................................................................................................ 8 Investigative Findings ....................................................................................................................................... -
IBM Multi-Factor Authentication for Z/OS
Multi Factor Authentication for Linux on IBM Z using a centralized z/OS LDAP infrastructure Dr. Manfred Gnirss Thomas Wienert Z ATS IBM Systems IBM Germany R & D Boeblingen, 18.7.2018 © 2018 IBM Corporation 2 Trademarks The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both. Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by ® are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States. For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml: *BladeCenter®, DB2®, e business(logo)®, DataPower®, ESCON, eServer, FICON, IBM®, IBM (logo)®, MVS, OS/390®, POWER6®, POWER6+, POWER7®, Power Architecture®, PowerVM®, S/390®, System p®, System p5, System x®, System z®, System z9®, System z10®, WebSphere®, X-Architecture®, zEnterprise, z9®, z10, z/Architecture®, z/OS®, z/VM®, z/VSE®, zSeries® The following are trademearks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. -
SANS Spearphishing Survival Guide
SANS Spearphishing Survival Guide A SANS Whitepaper Written by Jerry Shenk December 2015 Sponsored by Proofpoint ©2015 SANS™ Institute Executive Summary Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience “small” breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions. The majority of those threats still arrive by email in the form of weaponized file attachments, malicious links, wire-transfer fraud and credential phishing. In most cases, attackers deploy email-borne attacks that target specific individuals and fool them into believing they are from someone they do business with or someone in authority who knows them. Often, attackers gather the information they need to pull off these sorts of phishing attacks over social media, where employees share significant amounts of personal and contextual information. Just as often, employees leak information over mobile applications that make it easier for criminals to target their attacks. While most antivirus, anti-malware and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These types of attacks, called spearphishing, gather information on high- value targets who have direct access to company financial or customer information.1 Using social media, mobile apps and other sources of information (such as a company website), criminals can make connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with—and neither network-based nor email-based security tools are catching them consistently. -
Tstable of Content
ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2017 North Atlantic Treaty Organization London International Model United Nations 18th Session | 2017 tsTable of Content 1 ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2017 Table of Contents Table of Contents WELCOME TO THE NORTH ATLANTIC TREATY ORGANIZATION .............................................................. 3 INTRODUCTION TO THE COMMITTEE .................................................................................................................. 4 TOPIC A: FORMING A NATO STRATEGY IN CYBERSPACE ............................................................................. 5 INTRODUCTION ............................................................................................................................................................... 5 HISTORY OF THE PROBLEM ............................................................................................................................................. 6 Timeline of notable attacks ....................................................................................................................................... 7 1998 – 2001 “MOONLIGHT MAZE” ....................................................................................................................... 7 2005 – 2011 TITAN RAIN & BYZANTINE HADES .................................................................................................. 8 2007 Estonia DDoS Campaigns ............................................................................................................................... -
2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit. -
Moonlight Maze,’ Perhaps the Oldest Publicly Acknowledged State Actor, Has Evaded Open Forensic Analysis
PENQUIN’S MOONLIT MAZE The Dawn of Nation-State Digital Espionage Juan Andres Guerrero-Saade, Costin Raiu (GReAT) Daniel Moore, Thomas Rid (King’s College London) The origins of digital espionage remain hidden in the dark. In most cases, codenames and fragments of stories are all that remains of the ‘prehistoric’ actors that pioneered the now- ubiquitous practice of computer network exploitation. The origins of early operations, tools, and tradecraft are largely unknown: official documents will remain classified for years and decades to come; memories of investigators are eroding as time passes; and often precious forensic evidence is discarded, destroyed, or simply lost as storage devices age. Even ‘Moonlight Maze,’ perhaps the oldest publicly acknowledged state actor, has evaded open forensic analysis. Intrusions began as early as 1996. The early targets: a vast number of US military and government networks, including Wright Patterson and Kelly Air Force Bases, the Army Research Lab, the Naval Sea Systems Command in Indian Head, Maryland, NASA, and the Department of Energy labs. By mid-1998 the FBI and Department of Defense investigators had forensic evidence pointing to Russian ISPs. After a Congressional hearing in late February 1999, news of the FBI’s vast investigation leaked to the public.1 However, little detail ever surfaced regarding the actual means and procedures of this threat actor. Eventually the code name was replaced (with the attackers’ improved intrusion set dubbed Storm Cloud’, and later ‘Makers Mark’) and the original ‘MM’ faded into obscurity without proper technical forensic artefacts to tie these cyberespionage pioneers to the modern menagerie of APT actors we are now all too familiar with. -
Cyber News for Counterintelligence / Information Technology / Security Professionals 13 November 2014
Cyber News for Counterintelligence / Information Technology / Security Professionals 13 November 2014 Purpose Stuxnet worm entered Iran's nuclear facilities through hacked suppliers Educate recipients of cyber events to aid in protecting Engadget, 13 Nov 2014: You may have heard the common story of how Stuxnet electronically stored DoD, spread: the United States and Israel reportedly developed the worm in the mid- corporate proprietary, and/or Personally Identifiable 2000s to mess with Iran's nuclear program by damaging equipment, and first Information from theft, unleashed it on Iran's Natanz nuclear facility through infected USB drives. It got compromise, espionage out of control, however, and escaped into the wild (that is, the internet) sometime Source later. Relatively straightforward, right? Well, you'll have to toss that version of This publication incorporates open source news articles events aside -- a new book, Countdown to Zero Day, explains that this digital educate readers on security assault played out very differently. Researchers now know that the sabotage- matters in compliance with oriented code first attacked five component vendors that are key to Iran's nuclear USC Title 17, section 107, program, including one that makes the centrifuges Stuxnet was targeting. These Para a. All articles are truncated to avoid the companies were unwitting Trojan horses, security firm Kaspersky Lab says. Once appearance of copyright the malware hit their systems, it was just a matter of time before someone brought infringement compromised data into the Natanz plant (where there's no direct internet access) Publisher and sparked chaos. As you might suspect, there's also evidence that these first * SA Jeanette Greene Albuquerque FBI breaches didn't originate from USB drives. -
Security > Automotive > Blockchain > Virtual and Augmented Reality
> Security > Automotive > Blockchain > Virtual and Augmented Reality AUGUST 2018 www.computer.org CALL FOR NOMINEES Education Awards Nominations Taylor L. Booth Education Award Computer Science and Engineering Undergraduate Teaching Award A bronze medal and US$5,000 honorarium are awarded for an outstanding record in computer science and engineering A plaque, certificate and a stipend of US$2,000 is education. The individual must meet two or more of the awarded to recognize outstanding contributions to following criteria in the computer science and engineering field: undergraduate education through both teaching and service and for helping to maintain interest, increase the • Achieving recognition as a teacher of renown. visibility of the society, and making a statement about the • Writing an influential text. importance with which we view undergraduate education. • Leading, inspiring or providing significant education content during the creation of a curriculum in the field. The award nomination requires a minimum of three • Inspiring others to a career in computer science and endorsements. engineering education. Two endorsements are required for an award nomination. See the award information at: See the award details at: www.computer.org/web/awards/booth www.computer.org/web/awards/cse-undergrad-teaching Deadline: 1 October 2018 Nomination Site: awards.computer.org r5p77.indd 77 5/9/18 3:30 PM IEEE COMPUTER SOCIETY computer.org • +1 714 821 8380 STAFF Editor Managers, Editorial Content Meghan O’Dell Brian Brannon, Carrie Clark Contributing Staff Publisher Christine Anthony, Lori Cameron, Cathy Martin, Chris Nelson, Robin Baldwin Dennis Taylor, Rebecca Torres, Bonnie Wylie Senior Advertising Coordinator Production & Design Debbie Sims Carmen Flores-Garvey Circulation: ComputingEdge (ISSN 2469-7087) is published monthly by the IEEE Computer Society. -
Security Analytics for Enterprise Threat Detection
MADE: Security Analytics for Enterprise Threat Detection Alina Oprea Zhou Li Northeastern University University of California, Irvine [email protected] [email protected] Robin Norris Kevin Bowers EMC/Dell CIRC RSA [email protected] [email protected] ABSTRACT These concerns affect not only individuals, but enterprises as well. Enterprises are targeted by various malware activities at a staggering The enterprise perimeter is only as strong as its weakest link and rate. To counteract the increased sophistication of cyber attacks, that boundary is becoming increasingly fuzzy with the prevalence most enterprises deploy within their perimeter a number of secu- of remote workers using company-issued computers on networks rity technologies, including firewalls, anti-virus software, and web outside of the enterprise control. Enterprises attempt to combat cyber proxies, as well as specialized teams of security analysts forming attacks by deploying firewalls, anti-virus agents, web proxies and Security Operations Centers (SOCs). other security technologies, but these solutions cannot detect or In this paper we address the problem of detecting malicious ac- respond to all malware. Large organizations employ “hunters” or tivity in enterprise networks and prioritizing the detected activities tier 3 analysts (part of the enterprise Security Operations Center – according to their risk. We design a system called MADE using ma- SOC) [44] to search for malicious behavior that has evaded their chine learning applied to data extracted from security logs. MADE automated tools. Unfortunately, this solution is not scalable, both due leverages an extensive set of features for enterprise malicious com- to the lack of qualified people and the rate at which such malware is munication and uses supervised learning in a novel way for prior- invading the enterprise. -
Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense -
Operation Black Atlas
A TrendLabs Report Operation Black Atlas How Modular Botnets are Used in PoS Attacks TrendLabs Security Intelligence Blog Jay Yaneza and Erika Mendoza Trend Micro Cyber Safety Solutions Team December 2015 Trend Micro | Operation Black Atlas: How Modular Botnets are Used in Attacks Contents Introduction ............................................................................................................ 3 Technical Details ................................................................................................... 3 Probing and Penetrating the Environment ......................................................... 3 Point-of-Sale Threats ......................................................................................... 5 New Items in NewPosThings ............................................................................. 7 Use of Known PoS Malware Threats ............................................................... 10 Gorynych or Diamond Fox ............................................................................... 13 Spy Net RAT .................................................................................................... 20 Victimology .......................................................................................................... 21 Attribution ............................................................................................................ 23 Conclusion ........................................................................................................... 25 TREND MICRO LEGAL -
The Rise of Cyber-Espionage
Case Study: THE RISE OF CYBER-ESPIONAGE 5HFUXLWPHQW3ODQ CounterTh e 20 7KH&RXQWHU7HUURULVW ~ June/July 2012 ©istockphoto/loops7 By Chris Mark At a Hopkinton, Massachusetts, offi ce, an executive received an email that appeared to be from a coworker on March 1, 2011. Attached to the email was an Excel spreadsheet titled “2011 Recruitment Plan.” The man opened the spreadsheet. The email was not from a coworker, it was a carefully crafted attack known as ”spearfi shing” in which a fraudulent email is sent to a specifi c person. he spearfi shing email contained an system, SecurID. SecurID is used by an Excel spreadsheet with a zero- estimated 250 million people worldwide. Tday exploit and a version of the Poison Th e attack was believed to have been ini- Ivy RAT (remote administration tool) tiated using a zero-day exploit created by payload embedded. Th e RAT enabled a Chinese hacker. Evidence suggests the a hacker to gain privileged access to the possibility of Chinese-sponsored cyber- network of RSA Security (an American espionage.1 RSA’s CEO, Art Coviello, computer and network security com- stated the stolen SecurID information pany). Th e company had been founded “could potentially be used to reduce by Ron Rivest, Adi Shamir, and Leonard the eff ectiveness of a current two-factor Adleman, the inventors of the RSA public authentication implementation as part key cryptographic algorithm. Th is single of a broader attack (italics added).”2 Th is The US government event initiated an attack that would result proved to be an ominous prediction.