2017 has seen an increase in the uptake of our tailored phishing services, as organisations look to gain a deeper understanding of the threat posed.
Currently the average exposure (the percentage of employees clicking phishing emails) is 42% with outliers at 83% and in many of our engagements we are able to entice end users to provide domain credentials.
This clearly shows a need for training and awareness along with regular testing to measure the effectiveness of any intervening attempts to improve on how staff deal with phishing attempts.
As part of this holistic approach, 7 Elements are proud to announce that we are partnering with Advanced Engagement to deliver customised security awareness training, alongside real world phishing engagements to measure the effectiveness of such campaigns.
Advanced Engagement is a dedicated security awareness training company trusted by financial services organisations and professional bodies with the aim of positively influencing the security culture in your organisation.
If you would like to explore your organisation's exposure to phishing, then please get in touch with our team to discuss how we can help.
Digital Leaders DL100 2017 annual awards.
We are very proud to announce that 7 Elements has been shortlisted within the ‘Cyber Resilience Innovation of the Year’ category, for our Incident Response Service.
“To be publicly nominated was amazing in its own right, and then to be shortlisted for this award is fantastic recognition of all the hard work the team has done to deliver a truly client focused service.” David Stubley, CEO of 7 Elements.
The final order for this year’s DL100 List 2017 will be based on the number of public votes received and the order they are placed in by the judges. The public vote and judges’ scores each make up half of the final score.
Matt Hancock, the minister for Digital and Culture, made it clear today that the Government wishes Cyber Essentials Accreditation to become a priority for all businesses. This comes after 2016 was plagued consistently with high-profile attacks: ranging from Yahoo to the American Election. In a recent IoD Survey, it was found that whilst 95% of business leaders considered cyber security to be very/quite important to their business; 45% did not have a formal cyber security strategy in place.
Cyber Essentials is already a requirement for many Government suppliers and sub-contractors, such as in the Healthcare and defence industries. However, Matt Hancock stated that the Government will be widening this Cyber Essentials criterion to include more suppliers than ever. Furthermore, a number of the UK’s biggest firms, such as Barclays, BT, Vodafone and Airbus Defence & Security, have agreed to promote Cyber Essentials accreditation to their suppliers.
7 Elements is the leading Scotland-based Cyber Essentials Certification Body. As an independent technical information assurance consultancy, we pride ourselves on being well placed to help your organisation through the process of gaining Cyber Essentials certification.
At 7 Elements, we successfully manage security incidents for our clients that cover a broad spectrum of threats. These range from highly capable advanced persistent threats through to opportunistic and untargeted attacks using commonly available exploit code. While all incidents are their own unique creations and the true nature of the incident only becomes clear during the course of the investigation, through my seventeen years of hands on experience, I have identified four key lessons that will make the management of incidents easier and more effective.
In this blog, we will take a look at each lesson in turn.
The First Lesson. Prevention is better than cure.
There really is no excuse for being the third, fourth or even the 100th company breached using the same MO (modus operandi).
Groups conducting attacks, whether for financial gain or other motives, will frequently use the same methods of compromise. This is demonstrated in the recent attacks utilising SQL injection to compromise externally facing applications to expose sensitive data, and the on-going use of targeted phishing emails to gain access to corporate networks, amongst others. The use of similar methods by attackers means that organisations have an opportunity to identify attack approaches and vulnerabilities that could be applicable to them. Organisations should therefore look to use the experiences of others within their sector to enhance their own incident management procedures.
While the full details of the incident will not be publicly available, organisations can gain insight into the incidents of others through information sharing forums (for example the National Cyber Security Centre led Information Sharing Partnership ‘CiSP’) and employees’ individual relationships with their counterparts in other organisations. It is likely that an organisation will be able to gain sufficient information to identify the vulnerabilities exploited by attackers and key attack vectors. Using the information available, an organisation can identify potential attack scenarios and whether they are likely to be breached as a result. Organisations can then take preventative steps to remediate exposure prior to real life exploitation.
The Second Lesson. Not all incidents require a forensic approach.
Many people are conditioned to believe that any response to an incident automatically requires a forensic-led response. However, organisations need to remember that as long as they are making informed decisions, they can decide on the approach that fits best within the context of the incident or the required outcome. This could result in an intelligence-led approach, a forensic-led approach or a blend of both being undertaken. This point is summarised well by Andy Settle (Senior Managing Consultant – Cyber Security & Threat Intelligence Solutions, IBM):
Any ‘incident’, by its very nature, requires a response which is founded upon timely and informed decision making. There are no luxuries; incidents bring with them the constraints of time, resources and limited and at times conflicting information. Although a ‘forensic led’ approach is commonly accepted for incident response, so too is ‘intelligence led’. What both of these approaches accept is the need for insight and understanding to underpin decisions throughout the stages of an incident. Rather than endeavouring to take an ‘intelligence’ or ‘forensic’ approach, it is better yet to take a ‘business led’ approach. One which returns the organisation back to business-as-usual in the most appropriate manner. Incident response is a business support function in time of adverse and hostile conditions; understanding that this will never be resolved with a prescriptive one-size-fits-all approach is the beginning of a mature and robust business-continuity strategy.
Forensic investigations by their nature are more detailed and methodical, as they are often focused on obtaining information and evidence that could be used within a court of law for the purpose of prosecuting a crime, requiring suitably trained professionals and established data handling procedures. Taking a forensic approach will thereby take longer to establish the facts and is likely to result in additional incident costs. Organisations should therefore decide at an early stage whether they wish to take the case to court or involve law enforcement. A key question that should be asked at the beginning of any incident is:
Is there a possibility that this incident will be taken to court or involve law enforcement?
If any possible outcome turns the answer to this question into a yes, then you have no choice but to use an approach that meets the evidential handling requirements of the legal jurisdiction of the incident. Within the UK the foundations for this approach have been well documented by the Association of Chief Police Officers (ACPO) and serve to ensure that evidence handling, investigation practices and supporting activity are carried out legally.
If your organisation only needs to understand the facts around an incident and has no requirement to involve law enforcement, an intelligence-led approach may be more suitable.
Taking an intelligence-led approach broadens the tools and overall options available as part of an incident response. It will enable your organisation to gain a rapid understanding of the size and complexity of the event without the overheads of a forensic investigation. This can often result in the ability to contain or even stop the attack at an earlier stage, or even isolate compromised systems and therefore protect the wider environment.
Such an approach also enables the use of individuals with experience of incident work as well as wider security testing capabilities and attack centric knowledge. Through this broader understanding and capability, it is possible to identify and understand attack vectors rapidly. In many cases, a blended approach will often be the more suitable option. In one real life incident, a substantial fraud had been committed and law enforcement were involved from the start of the investigation. As such, a comprehensive forensic response was required to deal with the incident. As a result, this approach caused a delay with regards to understanding the initial attack vector. Without this knowledge, the organisation was not in a position to react to any possible wider exposure. Therefore, a more agile stream of work being undertaken in parallel to the forensic stream of work was called for.
In this example, it was possible to gain access to logs that would not form part of the forensic investigation. Through rapid analysis of these logs, utilising the knowledge of security testers, it was possible to identify the initial point of compromise. The analysis also identified the methods of compromise and established an overall timeline for the attack. This stream of work proved hugely valuable to the on-going investigation, enabling the organisation to take proactive steps to reduce exposure across the wider environment.
The Third Lesson. The three C’s.
Co-ordination of a major cyber breach will require strong management of both technical teams and management teams. Therefore, organisations will require a robust approach to Command, Control and Communication. The key aspect of all of this will be to free up the technical troops to actually get on with the task. If they are joining incident calls every 30 minutes or even hourly, then the response work is just not going to get done.
In all of the incidents that we have managed, we recommend that the organisation forms two incident cells, a management focused cell and a technical cell, with the technical response team separate from both of these.
The management cell is responsible for making any business decision required, setting the overall direction of the incident response and handling any engagement with the media / public relations or external law enforcement. Their role is to balance what can / should be done to resolve an incident, agree priorities against wider business considerations, take any risk-based decisions and authorise technical activity and budget spend. The management cell will also need to take into account the changing nature of the incident and adjust priorities accordingly.
The technical cell is responsible for handing off tasks to the response team, to provide a buffer between the response team and the management function, allowing traction to be made.
We then have a representative from the technical team attend the management incident calls to provide co-ordination of activity and inform and advise the management team on the technical aspects of the incident.
Lastly, we advise having a nominated individual within each cell who is responsible for collating actions and maintaining an action log with named owners. This has two main benefits: firstly, it prevents actions that are agreed verbally at 3am from being lost in the overall noise generated by an incident; secondly, the log acts as an agenda for future update calls and provides structure around those meetings.
Once an incident has been concluded, action logs provide an excellent resource for any post incident reviews.
The Fourth Lesson. Shifting sands.
All incidents are their own creations and the true nature of the incident will only become clear during the course of the investigation. As such, what you think you are facing on day one, may not be the reality later on. It is important to accept that you will have to work with limited and often constantly evolving information. However, by establishing the extent of the compromise zone at an early point, an incident response team can place a boundary around the investigation and thereby reduce potentially unnecessary effort. Therefore, cutting costs and leading to more informed decisions being taken.
Technical activity that you can expect to deploy while looking to establish the compromise zone may include:
- Log, host and traffic analysis.
- Security assessments of compromised environments to identify potential onward points of compromise.
- Bespoke vulnerability research.
- Forensic analysis of compromised assets.
- Malware analysis.
- Security architecture review to identify potential compromise zones.
- Intelligence-led and incident focused analysis of compromised assets.
In Summary. Know your enemy and know yourself.
As we have seen, attack methods are often known in advance, and knowledge of current attacks can be used to reduce the likelihood of an incident. Where an incident has occurred, challenge the assumption that a forensic approach is the only option; establishing a strong command and control approach is vital. Lastly, understanding how an attacker exploits vulnerabilities to gain unauthorised access to systems will help you understand what is going on. Security testers are great at understanding those attack vectors and playing the “what would I do” card.
So, as part of your incident response capability, making use of these experts and when suitable taking an intelligence-led approach can help in gaining a prompt understanding of the type of incident that you are facing. Thereby enabling the organisation to make informed decisions that will lead to a proportional response and ultimately in establishing the compromise zone and gaining rapid control of an incident.
7 Elements are proud to be the 2016 SME Cyber Defender of the Year. The award recognised our achievements for the delivery of incident response services.
Contact our team if you would like to find out more about how 7 Elements can work with you to avoid unnecessary incidents and when required effectively respond and recover.
Unless you have been living under a rock for the past year you will have seen the rise of ransomware attacks worldwide. There are lots of great online resources that cover ransomware in great detail so we will not repeat that here. Instead, we are going to look at three questions that we are often asked when discussing ransomware.
- “What are the current delivery methods for Ransomware that you are seeing?”
- “How should we respond to an incident?”
- “What should I do to mitigate?”
This article will look at each question in turn.
Ransomware Delivery Methods
We have seen a split between the different delivery methods used by various ransomware gangs, and the methods used differ due to the technical skill set of the attackers and also when targeting end users or corporate systems directly.
Targeting end users
The main methods employed to get the ransomware on to the target system still fall within the following two categories:
- Email based attachments – often using fake invoices with embedded malicious macros.
- Malicious Websites – where exploit kits are used to deliver the malicious payload. This can be through accidentally visiting a site while browsing the Internet or via clicking on a link within a malicious email.
Targeting Corporate Systems
- Internet Exposed Remote Management – where remote management systems are compromised (often through weak passwords) and the ransomware is directly delivered on to corporate servers.
In terms of remote management compromise, the attacks appear to use the following approach:
- Identify remotely exposed RDP with weak credentials.
- Create further administrative level accounts on the server to maintain access.
- Maintain access for a period of time (in one case we dealt with, access was maintained for at least four weeks).
- Drop ransomware.
It would appear that stages 1-3 are most likely carried out by a separate party from those dropping the ransomware. From what we have seen, it is likely that access to the compromised server is being sold once the entity responsible for the initial breach has gained everything they want from the server. My assumption is that the entity selling access could easily be selling it to a number of malicious parties, and if one happens to be focused on ransomware, then that is the impact on the end client.
When dropping the ransomware, more capable gangs are mapping a drive and running the malicious code remotely, while those at the lower end are most likely purchasing ransomware kits and often drop the executable directly on to the box.
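A defender-side hunt for the remote-management pattern above, as an added example that is not from the original post: it walks constructed Windows Security event records (4624 RDP logon, 4720 account created, 4732 member added to a local group) and flags an external RDP logon that is followed by a new local administrator. The record field names and the internal address ranges are assumptions.

```python
"""Hunt for the remote-management compromise pattern described above:
an RDP logon from outside the corporate ranges, followed by creation of a
new account and its addition to the local Administrators group.

Input is a list of constructed Windows Security event records (dicts);
in practice these would be parsed from exported event logs or a SIEM."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; RDP from anywhere else counts as Internet exposed.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RDP_LOGON_TYPE = 10            # 4624 LogonType 10 = RemoteInteractive (RDP)
ADMIN_GROUP = "Administrators"

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_rdp_persistence(events, window=timedelta(hours=2)):
    """Return one finding per external RDP session whose user created an
    account that was then added to Administrators within `window`."""
    evs = sorted(events, key=lambda e: parse_ts(e["time"]))
    findings = []
    for i, e in enumerate(evs):
        if e["id"] != 4624 or e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if not is_external(e["src_ip"]):
            continue
        t0 = parse_ts(e["time"])
        created, promoted = {}, set()
        for f in evs[i + 1:]:
            if parse_ts(f["time"]) - t0 > window:
                break                      # outside the session window
            if f["id"] == 4720 and f["actor"] == e["user"]:
                created[f["target"]] = f["time"]
            elif f["id"] == 4732 and f["group"] == ADMIN_GROUP and f["target"] in created:
                promoted.add(f["target"])
        if promoted:
            findings.append({
                "logon_user": e["user"], "src_ip": e["src_ip"],
                "logon_time": e["time"], "new_admins": sorted(promoted),
            })
    return findings

# Constructed sample log: a benign internal session, one session matching the
# pattern, and an external session that only adds a user to a non-admin group.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2017-02-01 02:10:00", "user": "svc_backup", "src_ip": "10.1.2.3", "logon_type": 10},
    {"id": 4624, "time": "2017-02-01 03:05:12", "user": "administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"id": 4720, "time": "2017-02-01 03:07:40", "actor": "administrator", "target": "support2"},
    {"id": 4732, "time": "2017-02-01 03:08:02", "group": "Administrators", "target": "support2"},
    {"id": 4624, "time": "2017-02-01 03:20:00", "user": "helpdesk", "src_ip": "198.51.100.7", "logon_type": 10},
    {"id": 4720, "time": "2017-02-01 03:25:00", "actor": "helpdesk", "target": "temp_user"},
    {"id": 4732, "time": "2017-02-01 03:26:00", "group": "Remote Desktop Users", "target": "temp_user"},
]

if __name__ == "__main__":
    for hit in find_rdp_persistence(SAMPLE_EVENTS):
        print(f"{hit['logon_time']} {hit['logon_user']} from {hit['src_ip']} "
              f"created admin account(s): {hit['new_admins']}")
```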
Responding to a Ransomware Attack
A key action at an early stage of any incident is to stop the ransomware from continuing to encrypt files and causing further damage. As attacks can be focused towards end users as well as directly against corporate environments, steps should be taken to identify the type of attack. Identification of the type of attack is fundamental to understanding the right approach for remediation, allowing infected assets to be identified and removed from the network as effectively as possible.
The following high-level approach is suitable for most ransomware attacks, while being agile enough to enable the incident analysts to address the ever changing nature of ransomware families.
- Identify patient zero and isolate from the network.
- Analyse the ransomware family to identify the clean up activity required and whether files can be recovered directly.
- Identify the route of compromise (email / web browsing / remote access).
- Block access to malicious sites / remote access solutions and remove infected emails to prevent further re-infection and/or command and control.
- Identify the technology flaw exploited to gain initial compromise and remediate wider environment to protect from repeat infection.
- Identify key documents encrypted and conduct Internet search to confirm no external exfiltration of data.
Again there are many online guides and resources that outline how to mitigate ransomware. However, this is in essence an arms race between the ransomware gangs and the current defences that can be deployed. As such, it is likely that new approaches that have no current mitigation will be identified and exploited by the gangs. Therefore, incident planning and response should also play a significant part in your preparation.
Beyond maintaining effective backups that are protected from ransomware attacks and can be successfully restored in a timely manner, a number of further key mitigating activities can be deployed to reduce the likelihood of a successful attack:
- Reduce technology surface – remove any unnecessary software and technology stacks such as Java, Flash, etc. from the enterprise.
- Hardening of web browser – protect end users from opportunistic attack via malicious web sites by applying additional security controls within the browser.
- Patching – keep technology up to date, especially Java, Adobe products, browsers and main operating systems.
- User awareness – work with your staff to raise awareness of phishing style emails, malicious documents and what actions to take if an infection occurs.
7 Elements had a very successful evening at the inaugural Scottish Cyber Awards 2016. Our CEO David Stubley was shortlisted for the Cyber Evangelist of the year, along with Stu Hirst (Head of Security for Skyscanner) and Prof Bill Buchanan of Napier Uni and The Cyber Academy.
“It was an honour to be shortlisted along with Bill and David who are absolute champions for cyber security in Scotland and beyond. 2017 is sure to be another challenging but exciting year for security and we can all continue to make great strides in protecting business from the continued threat of cyber crime”. Stu Hirst
Bill was quite rightly recognised for all of his hard work within the Scottish cyber security community as the winner of the award.
“The Cyber Security awards showcased the great work within innovation within Scotland, particularly with up-and-coming companies such as ZoneFox, 7 Elements and Net Defence. A key highlight of the event for me was the focus on innovation and especially on SME activity, as these companies will provide us the foundation for our economic activity around the area”. Prof Bill Buchanan
7 Elements, along with ZoneFox and Truststream, were shortlisted for the SME Cyber Defender of the year award. With such a high quality shortlist, it was an immensely proud moment for the 7 Elements team to walk away with this award, especially with ZoneFox later on collecting the award for Champions of Champions!
“To be recognised at the cyber awards is real confirmation that our commitment to delivering highly technical and client focused engagements makes a real difference to SMEs within Scotland”. David Stubley
“Being nominated for SME defender was a great indication of the fact that SMEs also require the same level of protection that larger orgs invest in, and it’s great to know we’re helping. Winning the international contribution and champion of champion award is a fantastic honour. The team have worked to give us our most commercially successful year, and to win these awards is the icing on the cake”. Dr Jamie Graves (Zone Fox)
The passion and commitment of all of the Scottish Cyber community was evident throughout the evening. We have great talent here within Scotland and the future is bright, bring on next year.
ScotSoft2016, the annual conference for the Scottish digital technologies industry, will take place on 6th October in Edinburgh. The must-attend technology event of the year, ScotSoft2016 comprises the Global Forum, Awards Dinner, the Developers Conference and the Scottish Government Public Sector Briefing. This year 7 Elements are excited to be involved as a main sponsor for the event.
ScotSoft has a packed programme of talks from speakers from all over the industry including Sam Ramji, Troy Hunt and of course, our very own David Stubley will be giving a talk named ‘Breaking Bad’.
‘Breaking Bad’ will focus on just how bad a breach of your corporate web site could be for your organisation. In this talk, David will look at attacking modern enterprise application frameworks and using common exploit code to demonstrate the true impact of a breach, including gaining access to internally sensitive systems and data.
7 Elements will also be running a Capture the Flag (CTF) event to allow delegates to test their hacking skills. It is a security-focused competition with points awarded for gaining unauthorised access to applications and systems within the target environment. The CTF is aimed at all levels, so make sure you come along and put your skills to the test and maybe even win prizes!