Tag Archives: Cyber Security

Good Read: Domain Generating Algorithm (DGA)

Abstract

A Domain Generating Algorithm (DGA) is a program or subroutine that provides malware with new domains on demand or on the fly.

History

Kraken (2008) is the earliest malware family we could find that used a DGA. Later that year, Conficker made the technique a lot more famous.

What’s the use?

The DGA technique is in use because malware that depends on a fixed domain or IP address is quickly blocked, which then hinders operations. So, rather than bringing out a new version of the malware or setting everything up again at a new server, the malware switches to a new domain at regular intervals.

An example of DGA in practice is C&C servers for botnets and ransomware. If we were able to block these or take them down, we would cut the link between the victims and the threat actor. Bots would no longer be able to fetch new instructions and machines infected with ransomware would be unable to request encryption keys and send user data.

The constant changing of the C&C domain is sometimes called “Domain Fluxing”. It is also, loosely, called “Fast Fluxing”, but fast flux is really an older and different technique: the domain name stays the same while the IP addresses it resolves to are rotated every few minutes by abusing round-robin DNS load balancing and very short TTLs.
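The mechanism described above, as an added example that is not code from the original post or from any real malware family: a minimal date-seeded DGA, together with the defender-side pre-computation that reverse engineering such an algorithm makes possible. The seed, the TLD set and the label length are constructed choices for this example.

```python
# Added example, not code from the original post or from any real malware family:
# a minimal date-seeded DGA of the kind described above, plus the defender-side
# pre-computation that reversing such an algorithm makes possible.
import hashlib
from datetime import date, timedelta
from typing import List, Set

# Constructed choices for this example; a real family picks its own.
TLDS = ("com", "net", "org")
LABEL_LEN = 12


def generate_domains(day: date, seed: bytes, count: int = 5) -> List[str]:
    """Derive `count` candidate C&C domains for `day` from a shared secret seed.

    The malware and its operator both run this with the same seed, so the
    operator only needs to register one of the day's candidates ahead of time
    and the bots will find it without any hard-coded domain or IP address.
    """
    domains = []
    for i in range(count):
        # Hash (seed || date || counter) so each day and each slot gives a fresh name.
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start: date, days: int, seed: bytes, count: int = 5) -> Set[str]:
    """Defender side: once the algorithm and seed have been recovered from a
    sample, every future domain can be pre-computed, blocked at the resolver,
    or registered as a sinkhole before the operator gets to it."""
    blocklist: Set[str] = set()
    for offset in range(days):
        blocklist.update(generate_domains(start + timedelta(days=offset), seed, count))
    return blocklist


def is_generated_domain(name: str, blocklist: Set[str]) -> bool:
    """Resolver-side check against the pre-computed list (case- and trailing-dot-insensitive)."""
    return name.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    seed = b"example-seed"  # constructed; a real family derives this from build or campaign data
    for domain in generate_domains(date(2016, 12, 1), seed):
        print(domain)
```

The point of the second function is why sinkholing works against DGA families: the algorithm is deterministic, so whoever knows it can compute the same calendar of domains as the operator, and the defender who registers them first wins those days.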

Read more in

https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/

WHAT TO DO BEFORE AND AFTER A CYBERSECURITY BREACH?

How to respond when a breach occurs?

As discussed above, managers and organizations should take preventative steps to avoid the risk of a breach occurring. After spending time planning, spending money, and training employees, someone still manages to break through the organization’s security measures? What do you do now?! Once a breach has been discovered, the organization should take the following immediate steps to limit the breach.

Step 1: Survey the damage

Following the discovery of the breach the designated information security team members need to perform an internal investigation to determine the impact on critical business functions. This deep investigation will allow the company to identify the attacker, discover unknown security vulnerabilities, and determine what improvements need to be made to the company’s computer systems.

Step 2: Attempt to limit additional damage

The organization should take steps to keep an attack from spreading. Some preventative strategies include:

  • Re-routing network traffic
  • Filtering or blocking traffic
  • Isolating all or parts of the compromised network

Step 3: Record the details

The information security team should keep a written log of what actions were taken to respond to the breach. The information that should be collected include:

  • Affected systems
  • Compromised accounts
  • Disrupted services
  • Data and network affected by the incident
  • Amount and type of damage done to the systems

Step 4: Engage law enforcement

A major breach should always be reported to law enforcement. The law enforcement agencies that should be contacted are:

  • The Federal Bureau of Investigation (FBI)
  • The U.S. Secret Service (USSS)
  • The U.S. Immigration and Customs Enforcement (ICE)
  • The District Attorney
  • State and local law enforcement

Step 5: Notify those affected

If a breach puts an individual’s information at risk, they need to be notified. This quick response can help them to take immediate steps to protect themselves. However, if law enforcement is involved, they should direct the company as to whether or not the notification should be delayed to make sure that the investigation is not compromised. The individuals are usually notified via letter, phone, email, or in person. To avoid further unauthorized disclosure, the notification should not include unnecessary personal information. 

Step 6: Learn from the breach

Since cybersecurity breaches are becoming a way of life, it is important to develop organizational processes to learn from them. This enables better incident handling should the company be affected by a breach in the future. Some of the lessons to capture include:

  • Document all mistakes
  • Assess how the mistakes could have been avoided
  • Ensure training programs incorporate the lessons learned

Must Do’s

  • Organizations must put the proper resources in place to ensure that any form of cybersecurity breach is dealt with swiftly and efficiently. 
  • There should be an effective Incident Response Plan.
  • Thoroughly check all monitoring systems for accuracy to ensure a comprehensive understanding of the threat. 
  • Engage in continuous monitoring of the network after a breach for any abnormal activity, and make sure the intruders have been fully evicted rather than merely inhibited. 
  • It is important to perform a post-incident review to identify planning shortfalls as well as successes in the execution of the incident response plan. 
  • Be sure to engage with Law Enforcement, and any other remediation support entity, soon after the threat assessment is made to allow for containment of the breach and to inform any future victims.
  • Documentation is paramount. Thorough documentation from the onset of the breach through the clean-up must be a priority to ensure continual improvement of the Incident Response Plan. 
  • It is critical to the success of a business to integrate cybersecurity into its strategic objectives and to ensure that cyber security roles are defined in its organizational structure.


WebSecurity: Importance of HTTP Headers & In-Depth Security

There are a number of HTTP response headers that you should use to increase the security of your web application. They are referred to as HTTP security headers.

Once implemented, HTTP security headers keep modern browsers out of a class of easily preventable vulnerabilities. They add another layer of defence that helps mitigate vulnerabilities and block attacks (XSS, Clickjacking, information leakage, etc.). It is important to stress, though, that HTTP security headers are not a replacement for proper, secure code.

HTTP STRICT TRANSPORT SECURITY

HTTP Strict Transport Security (HSTS) is a mechanism that tells a user-agent (a browser, or any program written to talk to a particular server) never to contact a website over an unencrypted connection, and to accept the encrypted connection only when it is backed by a trusted, valid certificate.

If the request is communicated through an unencrypted channel, it can be captured and tampered with by an attacker. The attacker then can steal or modify any information transmitted between the client and the server or redirect the user to a phishing website. So, the first goal of HSTS is to ensure traffic is encrypted, so it instructs the browser to always use HTTPS instead of HTTP.

Usually, browsers allow users to ignore TLS errors and continue browsing potentially insecure websites. With HSTS enabled, the user will be unable to skip the browser warning and continue. The second important goal of HSTS is to make sure that the traffic is encrypted using a trusted and valid certificate.

When the Strict-Transport-Security response header tells the browser that a domain must be requested only over HTTPS, the browser adds the domain to its HSTS list and keeps it there for the time given in the header’s max-age directive (in seconds); the optional includeSubDomains directive extends the rule to every subdomain. The header is only honoured when it arrives in an error-free HTTPS response, so an attacker on the plain-HTTP side cannot inject or alter it.

There are two cases in which HSTS does not yet provide protection:

  • when the user has never visited the website before and is making the very first request to it over HTTP (an attacker on the path can intercept that request before the header has ever been seen),
  • when the stored HSTS entry has already expired.

The first gap is closed by HSTS preloading: a domain that sends the preload directive (together with includeSubDomains and a max-age of at least one year) can be submitted to the preload list that ships with the major browsers, so the browser treats it as HSTS-enabled before the first visit.

X-XSS-PROTECTION

Some browsers have shipped a built-in filter against Reflected XSS as an additional layer of security. Because each vendor implemented this filtering differently, the X-XSS-Protection header was introduced so that a site could control the filter’s behaviour and make sure a page carrying injected content is blocked rather than quietly “fixed up”.

X-XSS-Protection is an optional response header that configures the anti-XSS mechanism: from sanitising the page by neutralising the injected JavaScript (1), to refusing to render the page at all (1; mode=block), to reporting the violation to a URL (1; report=<url>, Chromium only).

Browsers that support the filter enable it by default. It can be disabled (0), but this is considered bad practice; if an application only works with the filter turned off, that is usually a sign that the application is vulnerable to XSS.

A caveat that matters more every year: the filter is deprecated. Chrome removed its XSS Auditor (the mechanism behind this header) in 2019, Firefox never implemented one, and current versions of those browsers ignore the header. Sending X-XSS-Protection costs nothing and still helps users on older browsers, but it must never be the reason an XSS bug stays unfixed; the modern replacement is a Content-Security-Policy with a restrictive script-src. Either way, the header alone will not protect your application from XSS; it is one input to a defence-in-depth strategy, not the strategy itself.

CONTENT-SECURITY-POLICY: X-FRAME-OPTIONS

The X-Frame-Options header defines whether the page may be rendered inside an <iframe>, <frame>, <applet>, <embed> or <object> element. Depending on the directive, the header either prohibits embedding entirely (DENY) or allows the page to be embedded only by pages of the same origin (SAMEORIGIN). An older ALLOW-FROM directive could name a single permitted origin, but it was never supported by Chrome or Safari and has since been dropped by the browsers that did support it; to allow a specific set of embedding origins, use the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options wherever both are present.

The main purpose of the X-Frame-Options header is to protect against Clickjacking. Clickjacking is an attack in which the vulnerable page is loaded in a (typically invisible) frame inside a malicious page, and users are tricked into interacting with the vulnerable page’s buttons and other clickable UI elements (e.g. unknowingly clicking “like” or downloading a malicious file) without realising they are doing so.

Sample Code Snippet

HTTP/1.1 200 OK
Date: Thu, 21 Mar 2019 09:05:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close
Cache-Control: max-age=600
Content-Security-Policy: script-src 'self' *.followcybersecurity.com 'unsafe-inline' 'unsafe-eval'  www.google-analytics.com; img-src 'self' *.followcybersecurity.com
Expires: Thu, 21 Mar 2019 09:15:06 GMT
Location: https://followcybersecurity.com
strict-transport-security: max-age=31536000
Vary: Accept-Language, Accept-Encoding
x-content-type-options: nosniff
X-Frame-Options: DENY
X-Robots-Tag: noodp
x-xss-protection: 1; mode=block  
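As an added example (not code from the original post), here is a small auditor for the headers discussed in this section, run against the sample response above copied in as constructed input. Thresholds such as the one-year HSTS minimum and the wording of the findings are this example’s own choices. Note that the sample response itself does not come out clean: its script-src allows 'unsafe-inline' and 'unsafe-eval', which hands back most of what a CSP is meant to take away, and its HSTS entry does not cover subdomains.

```python
# Added example, not code from the original post: audit a captured set of HTTP
# response headers for the security headers discussed above. The sample
# response from the page is reproduced below as constructed input.
from typing import Dict, List, Mapping

ONE_YEAR = 31536000  # seconds; also the minimum hstspreload.org accepts

# Constructed input: the security-relevant header lines from the sample response above.
SAMPLE_HEADERS = {
    "Content-Security-Policy": ("script-src 'self' *.followcybersecurity.com 'unsafe-inline' "
                                "'unsafe-eval' www.google-analytics.com; "
                                "img-src 'self' *.followcybersecurity.com"),
    "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff",
    "X-Frame-Options": "DENY",
    "x-xss-protection": "1; mode=block",
}


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse 'max-age=N[; includeSubDomains][; preload]' (directive names are case-insensitive)."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            out["max_age"] = int(part.split("=", 1)[1].strip().strip('"'))
        elif part.lower() == "includesubdomains":
            out["include_subdomains"] = True
        elif part.lower() == "preload":
            out["preload"] = True
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Mapping[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # HSTS: present, long-lived and covering subdomains
    if "strict-transport-security" not in h:
        findings.append("HSTS: header missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
            findings.append("HSTS: max-age missing or below one year")
        if not hsts["include_subdomains"]:
            findings.append("HSTS: includeSubDomains not set")

    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options when both are present
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: no frame-ancestors and X-Frame-Options is not DENY/SAMEORIGIN")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("Clickjacking: ALLOW-FROM is unsupported by current browsers; use frame-ancestors")

    # Script policy: 'unsafe-inline' / 'unsafe-eval' give back most of what CSP takes away
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("CSP: neither script-src nor default-src set")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script_src:
                findings.append(f"CSP: script-src allows {weak}")

    # MIME sniffing
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    # X-XSS-Protection is deprecated; only flag it when it is present and turns the filter off
    if h.get("x-xss-protection", "").strip().startswith("0"):
        findings.append("X-XSS-Protection: filter explicitly disabled")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample response the auditor reports three findings: the missing includeSubDomains, and the two unsafe-* source expressions in script-src. A response carrying `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` and `Content-Security-Policy: default-src 'self'; frame-ancestors 'none'` together with nosniff comes out clean, and needs neither X-Frame-Options nor X-XSS-Protection at all.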

SolarWinds Hack: Hackers last year conducted a ‘dry run’ of SolarWinds breach

Abstract

Hackers who breached federal agency networks through software made by a company called SolarWinds appear to have conducted a test run of their broad espionage campaign last year, according to sources with knowledge of the operation.

—-

Five months later, the hackers added new malicious files to the SolarWinds software update servers that got distributed and installed on the networks of federal government agencies and other customers. These new files installed a backdoor on victim networks that allowed the hackers to directly access them. Once inside an infected network, the attackers could have used the SolarWinds software to learn about the structure of the network or alter the configuration of network systems.

Read more in Yahoo News

https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html

Daily Read: Operating System Query (osquery) utility

What is osquery?

osquery is a tool that exposes an operating system as a high-performance relational database. It enables developers to write SQL-based queries that explore operating system data. With osquery, SQL tables can be created to help represent otherwise fairly abstract concepts, such as:

  • Running processes
  • Loaded kernel modules
  • Open network connections
  • Browser plugins
  • Hardware events
  • File hashes

How Does osquery Work?

Here are some examples of what you can do with osquery and why it’s such a useful utility. Some of the data below could not be retrieved without the tedious parsing of system files or, even worse, without employing dangerous system commands:

  • List users
  • Get the process name, port and PID for all processes
  • List logged-in users

Examples

You can list most of the information in /etc/passwd using this simple query:

SELECT * FROM users;
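As added examples (not from the original post or the osquery documentation), here are queries for the three items listed above, using osquery’s built-in users, logged_in_users, processes and listening_ports tables. The filters (excluding nologin shells, dropping port 0 entries) are this example’s own choices; run them in osqueryi or schedule them in osqueryd.

```sql
-- Added examples, not from the original post: the three items listed above
-- expressed as osquery SQL against its built-in tables.

-- 1. List users, restricted to accounts that can actually log in
SELECT uid, gid, username, directory, shell
FROM users
WHERE shell NOT LIKE '%nologin' AND shell NOT LIKE '%false';

-- 2. Process name, path, port and PID for every listening socket
--    (protocol is numeric: 6 = TCP, 17 = UDP)
SELECT p.pid, p.name, p.path, lp.protocol, lp.address, lp.port
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port != 0
ORDER BY lp.port;

-- 3. Logged-in users, their terminal, origin host and login time
SELECT user, tty, host, datetime(time, 'unixepoch') AS login_time, pid
FROM logged_in_users
WHERE type = 'user';
```

The second query is the one worth keeping in a scheduled pack: a new row there is a new network listener, which is exactly the kind of change (a backdoor binding a port, a reverse shell helper) that would otherwise require parsing netstat output by hand.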

References

https://www.netsparker.com/blog/web-security/osquery-injection/

https://osquery.readthedocs.io/en/latest/