Organizations Getting Better at Detecting Breaches: Report

Organizations have become slightly better at detecting cyber intrusions, but malicious actors are constantly working on improving their tactics and techniques, according to CrowdStrike’s 2017 Cyber Intrusion Services Casebook.
The report is based on data collected by the security firm from more than 100 investigations. Four of these cases are analyzed in detail in the report, including a SamSam ransomware attack on a commercial services organization, a cybercrime operation aimed at a manufacturer’s e-commerce application, a PoS malware incident targeting a large retailer, and a NotPetya infection.
CrowdStrike has determined that organizations continue to improve their ability to detect intrusions on their own. The percentage of firms that self-detected a breach increased to 68 percent, up from 57 percent in the previous year.
As for dwell time, which is the number of days between the initial intrusion and detection, the average has decreased slightly to 86 days. CrowdStrike pointed out that it still takes some organizations as much as 800 to 1,000 days to detect a breach, but these cases are an exception.
“Regardless of dwell time duration, automated systems may eventually detect an intrusion, but by the time human staff is alerted and aware it’s often too late: the attackers must be stopped before they can achieve their objectives,” CrowdStrike said in its report.
Of the attacks analyzed by CrowdStrike, the most prevalent were aimed at stealing intellectual property, stealing money, stealing personally identifiable information (PII), and ransom or extortion.
In more than one-third of attacks, hackers gained access to the targeted organization’s systems using web server, web application or web shell exploits, or file uploaders. Other commonly seen attack vectors were remote access via RDP or VPN (23%), supply chain compromise (12%), social engineering and phishing (11%), and cloud-based service exploits (11%).
Roughly two-thirds of the attacks analyzed by the security firm were fileless – they involved malicious code being written to and executed from memory, harvesting credentials via phishing or social engineering, remote logins via stolen credentials, and exploits targeting web applications.
CrowdStrike also noticed that tactics and techniques typically used by nation-state actors have been increasingly leveraged by cybercrime groups.
“These include fileless malware and ‘living off the land’ techniques involving processes native to the Windows operating system, such as PowerShell and WMI (Windows Management Instrumentation),” CrowdStrike said. “Many also employ anti-forensics tools and methods in an effort to erase signs of their presence and increase dwell time. Brute-force attacks on RDP (remote desktop protocol) servers are also prevalent in these cases.”

Attackers are also increasingly turning to self-propagating malware, particularly in the case of ransomware such as the notorious WannaCry. These attacks are often successful due to organizations failing to update critical systems and deploying comprehensive security technologies.
Related: CrowdStrike Launches Cybersecurity Search Engine
Related: Breach Detection Time Improves, Destructive Attacks Rise


Cyber Security Law 网络安全法宣传视频系列001
S7总决赛正式收官 居庸关长城变成红蓝色

On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.
Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).
The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company’s vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device’s main operating system.
It’s a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it’s equally appealing to hackers for what Positive Technologies has dubbed “God mode.”
The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn’t be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.
But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.
They claim to have employed a generic technique to bypass the stack canary, a value written to memory to catch overflows via change detection, thereby allowing them to run executable code using Return Oriented Programming.
Though the vulnerabilities require local access to an affected machine or the credentials to access the machine through a remote IT management system, an Active Management Technology (AMT) flaw disclosed by Intel in May raises the possibility of a remote attack.
“Given the massive penetration of devices with Intel chips, the potential scale for attacks is big, everything from laptops to enterprise IT infrastructure is vulnerable,” the pair said in a statement emailed to The Register.

“Such a problem is very hard to resolve – requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect.”
Dino Dai Zovi, co-founder and CTO of security biz Capsule8, in an email to The Register, said the most troubling aspect of the research is that it may be exploited without the need to open the target system’s enclosure.
“This is not a huge impediment to an attacker with physical access, but as some laptops have case tamper switches, it is able to bypass that protection,” he said.
Ermolov and Goryachy contend patches for the flawed hardware related to CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707 don’t preclude the possibility of exploitation because an attacker with access to the ME-region firmware can overwrite it with a vulnerable version for exploitation.
“Writing an older version of the ME firmware typically requires either writing to the flash chip directly or taking advantage of weak BIOS protections, which would depend on the vendor’s particular configuration,” said Dai Zovi.
The US government’s concern about ME exploitation has made it to the private sector. Hardware vendors Dell, Purism, and System76 are now offering gear with Intel’s ME disabled. And Google has been working on NERF (Non-Extensible Reduced Firmware), an open source software system based on u-root that replaces UEFI and the Intel ME with a small Linux kernel and initramfs (which mount the root file system).
Dai Zovi observed that in addition to these vendor options, “the security community has responded to distrust of the ME by developing a number of open source projects to disable it,” such as me_cleaner and Heads.
Asked whether Intel has any plans to alter the way its Management Engine works or to offer chips without the ME, a company spokesperson suggested such requests should be directed to hardware vendors.
“The Management Engine (ME) provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management,” the spokesperson said.
“System owners with specialized requirements should contact the equipment manufacturers for this type of request. However, since any such configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations.” ®


支付安全最挂人心 “网络安全进社区”于上海开展活动
从替补成员到总决选第二名 李艺彤玩微博实现逆袭