UBA vs UEBA and SIEM

Tony Mason | Vulnerability Management & SIEM

User and Entity Behaviour Analytics (UEBA)

What is UEBA?

What is the difference between UBA vs UEBA and how does it fit in with SIEM?

User and Entity Behaviour Analytics (UEBA) focuses on analysing activity, specifically user behaviour, device usage, and security events within your network environment. It helps companies detect potential insider threats and compromised accounts. The concept has been around for some time. It was first defined in detail by Gartner in 2015 in its Market Guide for User and Entity Analytics.

How Does UEBA Work?

In essence, UEBA solutions create a baseline of standard behaviour for users and entities within a corporate network. They then look for deviations from that baseline and alert network admins or security teams to anything that could indicate a potential security threat.

To do this, UEBA solutions collect live data that includes:

  • User actions, such as applications used, interactions with data, keystrokes, mouse movement, and screenshots.
  • Activity on devices attached to the network, such as servers, routers, and data repositories.
  • Security events from supported devices and platforms.

Advanced analytical methods are then applied to this data to model the baseline of activity. Once this baseline of behaviour has been established, the UEBA solution continuously monitors behaviour on the network and compares it to the established baseline. It looks for behaviour that extends beyond an established activity threshold and alerts the appropriate teams to the detected anomaly.
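The baselining loop described above, as an added example that is not part of the original article or of any vendor's product: it learns a per-entity median and spread from a learning period, then flags observations whose modified z-score exceeds a threshold. The entity names, feature names, sample values and the 3.5 cut-off are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

THRESHOLD = 3.5  # assumed alerting cut-off for the modified z-score

# Constructed learning-period data: ten daily values per (entity, feature).
# "alice" is a user; "srv-db01" is a server, the "entity" half of UEBA.
_LEARNING = {
    ("alice", "mb_downloaded"): [40, 55, 38, 60, 47, 52, 45, 58, 41, 50],
    ("alice", "distinct_hosts"): [3, 4, 3, 5, 4, 3, 4, 4, 3, 5],
    ("srv-db01", "external_conns"): [2, 3, 1, 2, 2, 4, 3, 2, 1, 2],
}
HISTORY = [(e, f, v) for (e, f), vals in _LEARNING.items() for v in vals]

# Constructed observations for the day being monitored.
TODAY = [
    ("alice", "mb_downloaded", 52),       # within her normal range
    ("alice", "distinct_hosts", 40),      # far more hosts than usual
    ("srv-db01", "external_conns", 60),   # server suddenly talking outbound
    ("bob", "mb_downloaded", 10),         # account never seen while learning
]


def build_baseline(history):
    """Return {(entity, feature): (median, MAD)} from learning-period records."""
    series = defaultdict(list)
    for entity, feature, value in history:
        series[(entity, feature)].append(value)
    baseline = {}
    for key, values in series.items():
        med = median(values)
        # Median absolute deviation: a spread estimate that a few outliers
        # in the learning period cannot inflate.
        mad = median(abs(v - med) for v in values)
        baseline[key] = (med, mad)
    return baseline


def score(baseline, entity, feature, value):
    """Modified z-score of one observation, or None when no baseline exists."""
    if (entity, feature) not in baseline:
        return None
    med, mad = baseline[(entity, feature)]
    # Floor the spread so a near-constant history neither divides by zero
    # nor alerts on a change of one unit (the floor of 1.0 assumes counts).
    spread = max(mad, 0.05 * abs(med), 1.0)
    return 0.6745 * (value - med) / spread


def detect(baseline, observations, threshold=THRESHOLD):
    """Return (entity, feature, value, reason) for every anomalous observation."""
    alerts = []
    for entity, feature, value in observations:
        s = score(baseline, entity, feature, value)
        if s is None:
            # Unknown entities are surfaced rather than silently ignored.
            alerts.append((entity, feature, value, "no-baseline"))
        elif abs(s) > threshold:
            alerts.append((entity, feature, value, round(s, 1)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY):
        print(alert)
```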

UBA vs UEBA and SIEM 

Initially this technology was referred to simply as User Behaviour Analytics (UBA). As the name implies, this concept focused exclusively on activity at the user level to indicate potential threats. However, Gartner later added the “entity” to reflect the fact that “other entities besides users are often profiled in order to more accurately pinpoint threats”. Gartner defined these other entities as including managed and unmanaged endpoints, servers, and applications, whether cloud-based, mobile-based, or on-premise.

This expanded scope then includes looking for any “suspicious” or anomalous activity that may be based on network traffic or on requests sent from a specific endpoint to unusual ports or external IP addresses. It also looks at operating system process behaviour, privileged account activity on specific devices, the volume of information being accessed or altered, or the type of systems being accessed.

By broadening the scope of its focus to cover non-human processes and machine entities, Gartner’s UEBA definition means UEBA can analyse both sources of data. This helps to gain greater context and insight around activity.  As a result it can produce a more accurate profile of the baseline of activity within an IT network.

Therefore, the solution is able to more accurately pinpoint anomalies and potential threats.  This even includes things that would often have gone unnoticed by “traditional” security monitoring processes such as SIEM or DLP.

Do SIEM And UEBA Offer The Same Protection? 

With many corporate security teams having already implemented security information and event management (SIEM) solutions, a common question is whether UEBA and SIEM offer the same protection. After all, they both collect security-related information that can indicate a potential or active threat.

UEBA solutions typically include the following benefits:

  • The ability to use behavioural baselining to accurately detect compromised user accounts.
  • Automation to create improved security efficiency.
  • The use of advanced behavioural analytics helps to reduce the attack surface by frequently updating IT security staff and network admins about any potential weak points within the network.

The key difference is that SIEM solutions are traditionally more focused on log and event data. These wouldn’t allow you to create a standard baseline of overall user and network environment behaviour in the same way that a UEBA-focused solution would. However, it’s important to note that, similar to UEBA solutions, the information gathered by SIEM solutions comes from a wide range of different IT network endpoints. It is then collated and analysed within a central system.

Sound familiar? It should; the line between UEBA and SIEM can be rather thin, depending on the collection and analysis capabilities of a given SIEM solution.

With the right input data, the SIEM solution can process the collected data and combine it with real-time event analysis. It can then present it in a format that helps provide security analysts and system administrators with actionable insights into anomalies that may indicate a threat.

Successful SIEM

The use of SIEM solutions is becoming increasingly widespread within the corporate landscape. This is because they offer organisations a number of important benefits, including:

  • Improved cybersecurity incident handling and response.
  • Improved security defences.
  • The ability to automate compliance reporting to help organisations achieve compliance with the relevant regulations for their industry, e.g. GDPR, HIPAA, and PCI DSS.

To be able to more accurately predict potential threats through user and entity activity, SIEM solutions need to both:

a) Collect the needed and relevant activity and behavioural data.

b) Accurately analyse that data in the context of finding anomalous threat-related activity to produce more targeted and actionable alerting.

As you can see, there are some differences between the two solutions. However, SIEM solutions become a viable option in an organisation’s journey to implement UEBA as long as SIEM solutions can:

  • Be set up to comprehensively collect enough similar data to provide the same value as a traditional UEBA solution.
  • Provide the needed conclusive analysis to identify leading and active indicators of threat activity.

By Nick Cavalancia, Microsoft Cloud and Datacenter MVP, for AT&T.

AlienVault USM – UBA vs UEBA and SIEM

Traditional SIEM software solutions promise to provide what you need, but the path to get there is one that most of us can’t afford. Traditional SIEM solutions collect and analyse the data produced by other security tools and log sources, which can be expensive and complex to deploy and integrate. Plus, they require constant fine-tuning and rule writing.

AlienVault USM provides a different path. In addition to all the functionality of a world-class SIEM, AlienVault USM unifies the essential security capabilities needed for complete and effective threat detection, incident response, and compliance management—all in a single platform with no additional feature charges. Their focus on ease of use and rapid time to benefit makes the USM platform the perfect fit for organisations of all shapes and sizes.  See here for more information.

KnowBe4 National Cybersecurity Awareness Month Update

Tony Mason | Security Awareness & Phishing

October is National Cybersecurity Awareness Month (NCSAM).  Therefore, to help celebrate, KnowBe4 has fresh content updates and new features. Plus they have a great security awareness resource kit.

Check out your 2020 NCSAM Resource Kit from KnowBe4. Firstly this includes resources for your users like infographics, cybersecurity awareness tips and new posters. In addition they have their most popular security awareness assets and a sample training plan.

KnowBe4 National Cybersecurity Awareness Month Resource Kit

We hope these resources help you keep your organisation safe throughout the month of October! Access your resource kit here today.

KnowBe4 National Cybersecurity Awareness Month PRODUCT UPDATES – October 2020

NEW!

Language Localisation in the Phish Alert Button for Microsoft 365.
We are excited to announce the availability of KnowBe4’s enhanced Phish Alert Button (PAB) for Microsoft 365 with the new language-aware feature! 

With this new version of the PAB, you can now enable languages in your Phish Alert settings. You can then automatically display the preferred language based on your users’ system language settings. The same 22 languages offered for the KnowBe4 Learner Experience are supported for this version of the Phish Alert Button. Also, you have the ability to add custom languages by adding them to your manifest file and reinstalling the PAB.

Phish Alert Button for Microsoft 365

As a result, this localisation enables your users to interact in a more immersive experience for reporting suspicious emails through their Phish Alert Button.  Plus this also reinforces the learning experience when accessing their KnowBe4 training in their preferred language.


KnowBe4 National Cybersecurity Awareness Month – QUARTERLY PRODUCT UPDATE VIDEO

Every quarter, the KnowBe4 Technical Content team creates an update of all new content and features added during the last three months. Here is the Q3 2020 issue. This covers new content that has been added to the KnowBe4, PhishER, and KCM platforms.

KnowBe4 Quarterly Product Update

FRESH TRAINING CONTENT BY PUBLISHER

KnowBe4

This new brandable training module was added by KnowBe4 this month. 

Basics of Credit Card Security
This module covers the basics of credit card security. It is meant for all employees in your organisation who handle credit cards and/or credit card data. Employees will learn what the hackers are after and the techniques hackers use to try and gain access. Plus they will also learn the best practices they can take to protect the organisation and its valuable credit card data.


The Security Awareness Company (SAC)

SAC added five new pieces of training content to the ModStore this month.

KnowBe4 National Cybersecurity Awareness Month – October 2020 Security Awareness Newsletter
Cybercrime goes well beyond data breaches and the exposure of confidential information. Sadly it can also lead to life-threatening scenarios or total disruption of services that millions of people rely upon every day. In this issue, we dive into the many threats cybercrime poses and the results of successful attacks. Plus most importantly, how to prevent cybercrime from impacting organisations and individuals.

Security Awareness Newsletter

Scavenger Hunt Fun for Your Employees
Each month, scavenger hunt questions are created to help you gamify and reinforce the topics covered in each newsletter. You can use these questions as-is or edit as you see fit. You can simply look for the complementing pdf of scavenger hunt questions in the ModStore. The newsletter and questions are both available in 18 languages.

PHI in Peril Puzzle

HIPAA Puzzle

Four employees of the Better-U Clinic have violated HIPAA regulations. You can find out who violated what rule, what their job title is, and which patients’ Personal Health Information (PHI) was affected.

You can use this logic puzzle to challenge your users! Puzzles are shown to improve brain elasticity and help us form new ways of doing things, in this instance solving problems before they occur. This puzzle can be found under SAC’s security documents content category.

These two video modules focus on privacy, security, and protecting confidential information. 

HIPAA Training
  • The What, Why, and How of HIPAA
    This short brandable training module will provide your users with a quick overview of HIPAA, why it matters, and how it impacts all of us, professionally and personally. A brief quiz is included at the end of the course.
  • Privacy vs. Security: What’s the Difference?
    Privacy and security are two sides of the same coin. This video module explains the differences between privacy and security. It then explains why they go hand in hand in protecting your data and your organisation.

All training content from The Security Awareness Company is available at the Diamond subscription level.


Twist & Shout


Security Snapshots Season 1 Series
Twist & Shout delivers a new video series with 12 stand-alone security micro-dramas. Each video takes a light and comedic approach to a fundamental behavioural issue. It demonstrates how employees’ actions can jeopardise your security. The frame-by-frame slow-motion effects educate and entertain your users. It also has how-to conclusions to help avoid these situations.

Topics include phishing, unsecured WiFi, waste-disposal, email attachments, and oversharing on social media.

Restricted Intelligence Season 1 Series – Now with Quizzes
In a world of sensitive information…they were their own worst enemies. In this 6-episode series, your users can watch in disbelief as our well-intentioned but clueless team staggers from one data debacle to another. Pausing only to leave the doors unlocked on the way out and enjoy a little phishing. The new quizzes have been added to the series so your users can take a short quiz at the end of each module. 

Restricted Intelligence Season 1 Series

This brandable series covers topics on passwords and access, safe surfing, phishing, removable media, social media, and mobile devices.

All training content from Twist & Shout is available at the Diamond subscription level.


Popcorn Training

Three new brandable training modules were added this month from Popcorn Training.

Ethics (Fraud & Anti-Money Laundering) & Digital Identity: Authentication.
  • Ethics: Fraud 
    Fraud has the potential to limit the confidence that stakeholders have in an organisation. It can also promote mistrust inside the workplace. Your users can learn how to spot fraud red flags in this short training module.
  • Ethics: Anti-Money Laundering 
    Money laundering can happen in many institutions and is a lot more common than you think. Your users can find out more about the process of money laundering and what to look out for in this training module.
  • Digital ID: Authentication
    From the Building Secure Software Series, episode 6 explains how authentication is the first part of managing the digital identity of your users. Overall, this module covers the basics of authentication controls and how to implement them based on the value of the data in your applications.

All Popcorn Training content is available at the Diamond subscription level.


exploqii

Three new video modules from exploqii were released in September.

Money Mules, Internet Explorer: End of Support, Cyberattacks Overview
  • Money Mules
    A tempting job advertisement promises high commissions and demands only a small service in return – making a private bank account available for a transaction. But behind the apparently reputable offer is nothing less than money laundering, and those who take up the offer risk being liable to prosecution. Your customers can learn about the ‘money mules’ scam in this module.
  • Internet Explorer: End of Support
    The first steps onto the internet: more than a few users took them with Microsoft’s Internet Explorer. It hasn’t always been the most innovative web browser. However, it certainly is one of the most widespread. In the environment of larger organisations in particular, it may represent a risk because older versions are often used. This video module explains why and how important it is to switch to a successor web browser.
  • Overview: Cyberattacks
    What is ransomware – or phishing? And what does it have to do with your data? And your organisation’s security? But above all: How can your users protect themselves? To explain, this video module provides an initial overview of the most widespread attack methods and raises awareness of data security. It also shows that cybersecurity training sessions are an effective way to protect your data, employees, and organisations.

All exploqii content is available at the Diamond subscription level.


El Pescador

Remote Work 
Remote work is now a reality for many employees. It is important to remember how to ensure the security of your organisational data. Not to mention all the information from your employees, suppliers, and customers.

You can use this poster to promote and reinforce the “Remote Work” series as part of your training campaign.

All El Pescador content is available at the Diamond subscription level.


FRESH NEW TRANSLATIONS

In addition to fresh new training content, you really want content localised to the language needs of your organisation and users. That’s why in addition to constantly updated and new content, KnowBe4 releases fresh new translations regularly to the ModStore.

Any training content with new languages available will be tagged with an orange “New Translation” banner.

Therefore, check out the new translations added in the KnowBe4 ModStore:

  • Tuesdays with Bernie Trader Edition is now available in multiple languages across all seasons.
  • 2020 Security Culture Survey is now available in English US, English GB, Danish, Dutch, Finnish, Norwegian, Polish, and Swedish.

In the month of August, 177 new translations were added for the following training content categories:

  • Newsletters/Security Documents/Posters: 34
  • Games/Assessments/Training modules: 34
  • Video Modules: 109

KnowBe4 National Cybersecurity Awareness Month

With a Diamond level subscription, there is so much available for your training needs!

As of September 30, 2020 KnowBe4 has: 

  • 1,187 Pieces of Education and Training Content
  • 288 Interactive Training Modules
  • 403 Video Modules
  • 244 Posters and Artwork
  • 229 Newsletters and Security Docs
  • 23 Games
  • Over 5,000 Phishing Templates

Secure Your Cloud Infrastructure For Remote Workers

Tony Mason | Data Protection, Enterprise Security, Office 365 Security, SIEM, Vulnerability Management & SIEM

As working from home becomes more long-term, it’s important to secure your cloud infrastructure for remote workers.

Cloud Infrastructure allows for great speed and ease of deployment. New infrastructure can be deployed in minutes.  The rate of change in cloud infrastructure is far quicker than with on-premise and it is so easy and quick to deploy. This is enabling businesses to move quickly and keep dynamic in this ever-changing world.

On the one hand, this is great, speeding up set-up and new solutions. However, on the other, it leaves relatively inexperienced staff creating new infrastructure and leaves you vulnerable to misconfigurations that can be exploited. DevOps and developers are now creating new infrastructure, not just IT and security teams.

Companies Need To Consider Cloud Best Practices

Importantly, you need to minimise the chance of misconfigurations and be able to quickly remediate them should they occur.

At the same time, you need to ensure you don’t restrict the dynamism of a company, keeping your environment secure without impacting its flexibility.  In addition, you must ensure you don’t restrict and block developers as they will find a way around these and leave you even more exposed.

Create A Baseline

You need to create a baseline to define what your cloud environment should look like from a security perspective. This should include what services are and are not authorised to be used.

In addition, you should set how things should be configured and who gets what access and who can make changes. Fortunately, you can start with existing best practice recommendations such as CIS Benchmarks for AWS, Azure, and Google Cloud Platform (GCP). Plus each cloud provider has their own best practices.

You also need to create an incident response plan that everyone can follow when responding to incidents.

Enforce Your Baseline

To help enforce the baseline you can use a cloud security posture management (CSPM) solution. Rapid7 now work with DivvyCloud, which helps you to create and enforce baselines. These solutions give you visibility of misconfigurations and policy compliance, so you can then remediate quickly.

Alternatively, you can use an infrastructure-as-code solution. Here you create templates for cloud infrastructure where everything is properly configured according to your baseline.

Developers can then use those templates to reduce the possibility of human error during configurations of new infrastructure. However, your cloud infrastructure can still be changed at a later date, so you still need to monitor for misconfigurations as you would for other software vulnerabilities.
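One way to express a baseline as data and monitor for drift after deployment, as an added example that is not from the original article or from any CSPM product. The service names, setting names, resource inventory and owners are all hypothetical and constructed for illustration; a real inventory would come from your cloud provider's APIs or your CSPM export.

```python
from collections import defaultdict

# Hypothetical baseline: which services are authorised and how each must be
# configured. In practice this would be derived from CIS Benchmark controls.
BASELINE = {
    "authorised_services": {"object_storage", "vm", "managed_db"},
    "required": {
        "object_storage": {"public_access": False,
                           "encryption_at_rest": True,
                           "access_logging": True},
        "vm": {"ssh_open_to_internet": False, "disk_encrypted": True},
        "managed_db": {"publicly_accessible": False, "backups_enabled": True},
    },
}

# Constructed inventory snapshot of what is actually deployed.
INVENTORY = [
    {"id": "bucket-reports", "service": "object_storage", "owner": "devops",
     "settings": {"public_access": False, "encryption_at_rest": True,
                  "access_logging": True}},
    # Deployed from a template, then changed by hand later.
    {"id": "bucket-tmp-share", "service": "object_storage",
     "owner": "dev-team-a",
     "settings": {"public_access": True, "encryption_at_rest": True}},
    {"id": "vm-build-01", "service": "vm", "owner": "dev-team-b",
     "settings": {"ssh_open_to_internet": True, "disk_encrypted": True}},
    # A service nobody approved.
    {"id": "queue-experiments", "service": "message_queue",
     "owner": "dev-team-a", "settings": {}},
]

_MISSING = object()  # distinguishes "not set" from a value of None/False


def evaluate(inventory, baseline):
    """Return (resource_id, kind, detail) for every deviation from baseline."""
    findings = []
    for res in inventory:
        service = res["service"]
        if service not in baseline["authorised_services"]:
            findings.append((res["id"], "unauthorised-service", service))
            continue
        for key, want in baseline["required"].get(service, {}).items():
            have = res["settings"].get(key, _MISSING)
            if have is _MISSING:
                # An absent setting is a finding: provider defaults may not
                # match the baseline.
                findings.append((res["id"], "setting-missing", key))
            elif have != want:
                findings.append((res["id"], "setting-drift",
                                 f"{key}={have!r}, baseline {want!r}"))
    return findings


def by_owner(findings, inventory):
    """Group findings by resource owner so each team gets its own queue."""
    owners = {r["id"]: r.get("owner", "unknown") for r in inventory}
    queue = defaultdict(list)
    for rid, kind, detail in findings:
        queue[owners[rid]].append((rid, kind, detail))
    return dict(queue)


if __name__ == "__main__":
    for owner, items in by_owner(evaluate(INVENTORY, BASELINE),
                                 INVENTORY).items():
        print(owner)
        for item in items:
            print("  ", item)
```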

Access Management

Ensure users are accessing cloud accounts with single sign-on tools. Plus consider assigning the same permissions at group or team level so no-one sneaks under the radar with access they shouldn’t have.

Another consideration is to never use the root user if you can possibly avoid it. If this user were to be compromised, the system would be seriously vulnerable. Review the credential reports from your cloud platform to see who has access to what and what they are doing. This can help you set up specific permissions if necessary.
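A credential report review of the kind described above, as an added example that is not from the original article. It assumes the column names of the AWS IAM credential report CSV; the sample rows, the placeholder account ID, the review date and the 90-day and 30-day thresholds are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

ROOT = "<root_account>"      # how the AWS credential report names the root user
MAX_KEY_AGE_DAYS = 90        # assumed key-rotation policy
ROOT_USE_WINDOW_DAYS = 30    # assumed: any root sign-in this recent is flagged
AS_OF = datetime(2020, 10, 1, tzinfo=timezone.utc)  # constructed review date

# Constructed report, trimmed to the columns this check reads.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2020-09-28T08:15:00+00:00,false,true,2019-01-10T00:00:00+00:00,2020-09-20T00:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,2020-09-29T09:00:00+00:00,true,false,N/A,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,false,N/A,false,true,2020-02-01T00:00:00+00:00,2020-09-30T01:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,true,no_information,false,true,2020-08-15T00:00:00+00:00,N/A
"""


def _ts(value):
    """Parse a report timestamp; placeholders such as N/A become None."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now):
    """Return (user, issue) pairs for risky credentials in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        if is_root:
            if row["mfa_active"] != "true":
                findings.append((user, "root-no-mfa"))
            last_login = _ts(row["password_last_used"])
            if last_login and (now - last_login).days <= ROOT_USE_WINDOW_DAYS:
                findings.append((user, "root-recently-used"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-no-mfa"))

        # A full report has two key slots; absent columns are skipped.
        for slot in ("access_key_1", "access_key_2"):
            if row.get(f"{slot}_active") != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key"))
            rotated = _ts(row.get(f"{slot}_last_rotated"))
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"{slot}-not-rotated"))
            if _ts(row.get(f"{slot}_last_used_date")) is None:
                findings.append((user, f"{slot}-never-used"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {issue}")
```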

Set Up Vulnerability Monitoring

Cloud networks need to be monitored and patched as much as on-premise networks do. As instances can be spun up and down so much more quickly in the cloud, you need regular monitoring to give you up to date information.

Log Everything

All cloud providers have logging facilities. It’s important to keep using these for all areas as someone could quickly and easily deploy something where you are not currently monitoring. It’ll enable you to see what’s happening and whether there was any unauthorised access. Ensure this data is encrypted and that access is locked down so nothing can be changed.

As cloud providers don’t monitor your on-premise networks and remote workers, you’ll need to consider a third-party SIEM with threat detection capabilities such as Rapid7 InsightIDR or AlienVault USM Anywhere. This can then monitor your cloud and all other environments in one place. This will also help you monitor lateral movement.

Consolidate Your Team

When it comes to your IT team, ensure you have one unified team overseeing your security with clear accountability and responsibilities. Don’t separate this out into cloud and on-premise, or vulnerabilities will get missed.

Automate

As you can see, things in the cloud can move extremely quickly and humans can’t keep up. Therefore, automate where possible. The more you can automate, the fewer human errors you will get.

Data Storage & Microsoft 365

In order to maximise and enhance the security of the new cloud-based office, businesses must be aware of the shared responsibility of data.

Unfortunately businesses often incorrectly store their data in the same service and OS that operates the core aspect of their business such as Microsoft 365.

You need to back up data separately, to ensure there is a duplicate source available in case the original is compromised. Your backup solution should also offer regular automated backups, rapid recovery and the capability to safeguard business continuity as well as meet compliance requirements (such as GDPR). Barracuda Total Email Protection offers all-in-one cloud-based email security, with backup, archiving and eDiscovery.

In summary, cloud-based offices are definitely our future with Gartner reporting 41% of employees planning to continue working remotely. However, this puts an immediate security concern on businesses as we are faced with increased risks of cyber attacks and ransomware threats.

Therefore, we need to put security at the top of our agenda and secure cloud infrastructure for remote workers, as we transition to long term remote working.  We need to be reassured that we have the sophisticated tools in place to monitor our networks, recover files from unexpected problems, and solutions in place to repair any damage.

Do You Evaluate Your Security Controls?

Tony Mason | Breach & Attack Simulation, Enterprise Security

How Secure Is Your Security Posture?

With many now working from home and businesses changing, are you sure your security controls are robust enough? When checking your security posture, be sure to ask the right questions.

The only way you can really see if your security controls are working effectively is to test them.  There are many tools available to do this.  However, you need to decide what you specifically want to know and how the findings are relevant to you at the moment. After that, you can choose the best tool for the job.

Typically, security teams use various testing tools to evaluate their infrastructure. According to SANS, 69.9% of security teams use vendor-provided testing tools, 60.2% use pen-testing tools, and 59.7% use homegrown tools and scripts.

Pen Testing

Vendor-provided tools test for a specific security solution, whereas pen testing is often used to check that controls meet compliance requirements, e.g. PCI DSS regulations. Automated pen tests are good at showing you whether an attacker can get in, highlighting the vulnerable pathways. However, they don’t always cover the entire kill chain.

They can imitate many threat actor techniques and even different payloads.  However, they typically don’t copy and fully automate the full Tactics, Techniques, and Procedures (TTPs) of a real threat actor.

Also, it is difficult to get consistent data from automated pen tests.  This is because they rely on skilled human pen testers, who typically have varying levels of expertise. 

Added to this, the sheer variety of pen-testing tools and different approaches can really complicate testing. An example of this can be seen with different attack vectors requiring different testing tools. These tools also tend to be weak at recognising vulnerabilities in business logic, which can skew results.

Pen testing is costly and requires a significant amount of advance planning. This means testing can often be restricted to only annually or half yearly. In addition, organisations can still be slow to respond accurately to immediate threats even with automated pen tests.  This is because pen-testing takes time to scope, conduct, and analyse. 

The SANS poll found that most respondents test their controls quarterly at best.

However, as we know, the real-world threat landscape is evolving every day. This means cyber criminals have lots of time to exploit any gaps or weaknesses in between each pen test.

Security Questions To Ask

According to Cymulate, if you want visibility into the effectiveness of security controls – right here, right now – you’ll have additional questions that pen testing cannot easily answer:

  • Are your controls working as they are supposed to work, and as you expect?
  • Are interdependent controls correctly generating and delivering the right data? For example, are your web gateway, firewall, and behaviour-based tools correctly alerting the SIEM when they detect suspicious activity?
  • Have configurations drifted over time or been set incorrectly? For instance, are controls actively detecting threats, or were they left in monitoring mode?
  • If you have rolled out new technology or settings, how have they affected your security posture?
  • Are controls able to defend against the newest threats and variants?
  • Does your security defend against the latest stealth techniques, such as living off the land (LOTL) fileless attacks by sophisticated attackers?
  • Do you have visibility into security outcomes that require both human processes and technology?
  • Is your blue team able to identify and respond effectively to alerts?

Breach and Attack Simulation (BAS) Tools

Automated Breach and Attack Simulation (BAS) tools enable you to answer these questions.

BAS complements point-in-time testing to continually challenge, measure, and optimise the effectiveness of security controls. BAS is automated, allowing you to test as needed, and the best solutions assess controls based on the latest malware strains and threat actor TTPs—without having to assemble teams of security experts.

Organisations are using BAS to:

  • Simulate attacks without jeopardising production environments
  • Simulate attacks across the full kill chain against all threats, including the latest attacker TTPs
  • Test continuously with the flexibility to target specific vectors, infrastructure, and internal teams for awareness against the latest threats
  • Automate simulations for repeatability and consistency
  • Conduct testing at any time interval—hourly, daily, weekly, or ad hoc with results in minutes
  • Identify gaps and evaluate controls against the MITRE ATT&CK framework
  • Remediate security posture and the company’s exposure using actionable insights

As the threat landscape changes daily and the attackers continue to up their game, you and your executive team need assurance that controls across the kill chain are indeed delivering the protection you need – every day, every hour, or every moment.

Cymulate, Breach & Attack Simulation (BAS)

For a growing number of organisations, BAS is delivering the continuous security control and cyber risk assessment data needed to achieve that goal.

Cymulate is a Breach and Attack Simulation (BAS) platform that lets you protect your organisation at the click of a button. Operating thousands of attack strategies, Cymulate shows you exactly where you’re exposed, and how to fix it.

During the Coronavirus Pandemic, our security controls are currently more vulnerable with many of our workforce working from home, with home VPNs, and more distractions etc.

To help, Cymulate are currently offering 60 days’ free use of their license, no strings attached. Please get in touch to take advantage of this offer and test your security now. It may bring up some surprises, but better earlier rather than later.

Tel: 01628 362 784  Email: sales@s3-uk.com

Should you phish test during the COVID-19 pandemic?

Tony Mason | Security Awareness & Phishing

Phishing Templates

Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer, discusses the phishing dilemma: ‘Should you phish test users or not during the Covid-19 pandemic?’

There’s no question, these are challenging times. Employees and organisations around the world are doing their best to keep everyone safe. Plus we are settling in to a new normal for accomplishing work from home. Tensions are high. Fear and uncertainty abound. No one wants to add more stress to an already stressful situation.

Over the past week or so, I’ve seen a few social media postings and had a few discussions with people who believe that organisations should not phish test users during this time. They feel that the best way to practice “socially responsible awareness training” is to provide simple information-based awareness training and abstain from phish testing. Thoughts like this may be well-intended; but I believe that they are wrong. Here’s why:

Cybercriminals are ramping-up their real attacks right now. This brand-new graph shows the exponential growth of new COVID-19 malicious phishing templates:

The Growth & Development of COVID19 Phishing Templates

So, it is super-important to keep our end-users on their toes. In fact, because cybercriminals are in a COVID-19 feeding frenzy, I’ll be bold enough to say that *not* conducting phishing training during this time amounts to negligence. Cybercriminals prey on stress, distraction, urgency, curiosity, and fear. Not only that, they are also bringing that full force against your end-users and your organisation.

That being said, I totally understand where people are coming from when they feel hesitant to phish test users during this COVID-19 pandemic. Organisations don’t want to add additional stress to their people. They are afraid that they may make employees feel confused or alienated. Totally understandable… and totally addressable. The key factors: your tone and your process.

Tone

I’ll address tone first because I believe it is the single most important piece to getting this right. I’ve outlined the critical importance of tone before on webinars, in conference sessions, and in my book. But, because tone is so much easier to feel than to describe, I’ll use a video example.

This is from a COVID-19 awareness project that I kicked-off with.  It is designed specifically to help security awareness leaders conduct critical phish testing in a way that feels caring and compassionate. Have a look and hopefully you’ll get a feel for what I mean. This is a pre-campaign message for customers to send to their end-users:

There are a few key aspects that resonate through the videos in this series. In essence, those come down to:

  • Open with compassion and understanding: Things are new and different. We get it.
  • Explain the situation: The COVID-19 situation opens-up new work from home risks and cybercriminals are taking advantage of it.
  • Outline our responsibility: As a result, we all need to be more vigilant.
  • Say what we are doing: One of the ways we plan to do that is to send out simulated phishing tests.
  • Describe the intended outcome: The intent isn’t to trick anyone, shame anyone, or so on. It is to help us build secure reflexes.
  • Provide advice and direction: Cybercriminals are relying on distraction, stress, and panic. So, anytime you see anything related to COVID-19 in your inbox, always evaluate it with a sense of scepticism. Report suspected phish.
  • Close with a sense of community: “Keep Calm and Don’t Click. We’re all in this together.”

Process

The other key factor that you need to think about is process. Because we’ve entered a ‘new normal,’ you should send out a fresh message to your users letting them know that cybercriminals are having a heyday with COVID-19. And because of this, you are going to help prepare your people for what’s coming.

In essence, your process should be the following:

  • Warn your people about the scams: Provide timely information about how cybercriminals are using this stressful time to their advantage.
  • Tell them that you are going to help prepare them by sending COVID-19 and other simulations. If you are a KnowBe4 customer, you can use the pre-campaign video from the series I described above. If not, you can create your own message based on the formula that I outlined. Remember: tone is key!
  • Ramp up testing to increase vigilance.
  • Consider using a failure landing page with a video that explains how cybercriminals are using COVID-19 right now to capitalise on the situation. This needs to be encouraging. If you are a KnowBe4 customer, you can use the post-click video from the series I described above. If not, you can create your own message based on the formula I outlined. A key message here is something like, “Oops, you clicked… Don’t worry, this wasn’t a real phishing email. You’re safe and our organisation is safe. But beware, cybercriminals are using all of the news, panic, and disorientation around COVID-19 as a way to trick people into clicking on malicious links, opening sketchy attachments, accidentally giving away login/password info, and more. Your job is to be super-sceptical of any email that evokes strong emotion (fear, urgency, and so on)… especially if the email is related to COVID-19.”
  • Reinforce vigilance with consistent encouraging messaging. (e.g. “Keep Calm and Don’t Click. We’re all in this together.”)

Conclusion

I hope this was helpful for you when deciding whether to phish test your users during this COVID-19 pandemic. To summarise, when you engage your employees with the right message and tone, there is nothing to fear. In fact, they will feel a sense of pride in helping protect the organisation. That’s all for now. “Keep Calm and Don’t Click. We’re all in this together.”

Finally, for KnowBe4 customers, we have a full campaign ready for you. It consists of a video for the KnowBe4 Platform Admin, one video to announce the campaign to your users, and a video that lives on the landing page after they clicked on your COVID simulated phishing test.

Call us on 01628 362 784 if you have any questions on how to set up this campaign and we will get you going.

Additionally, we also have coronavirus phishing and security awareness resources to help keep your network secure while users are working from home.

If you are not yet a KnowBe4 customer check out more information here or if you would like to preview the KnowBe4 Modstore click here.

Examples of COVID-19 Phishing Emails

Tony Mason | Security Awareness & Phishing

The Epidemic of COVID-19 Phishing Emails Rages On. KnowBe4 customers using their Phish Alert Button (PAB) continue to share an ever-growing variety of emails from bad actors looking to capitalise on the crisis.

There are some rather unusual social engineering schemes. KnowBe4 are offering up a selection of those emails. IT administrators and users can then see for themselves what these scams look like.

The Tried & True

Spoofs of authoritative sources of information continue to be the most common malicious virus-themed emails. The top three spoofed organisations remain:

The CDC (Centers for Disease Control)…

[Screenshot: phishing email spoofing the CDC]

The WHO (World Health Organisation)…

[Screenshot: phishing email spoofing the WHO]

HR:

[Screenshot: phishing email spoofing HR]

As with the earlier spoofs KnowBe4 reported, all three of these more recent emails lead to credentials phishes. The third (from HR) does take a bit of a novel approach. It instructs recipients to download an attachment billed as an informational poster/flyer for the walls. In reality, the alleged poster/flyer is just a standard credentials phish.

[Screenshot: the credentials phish behind the HR poster/flyer attachment]

It’s also worth pointing out that the second email above (the WHO spoof) spoofs not only the World Health Organisation but also Docusign (a frequent target of malicious spoofs). It is also delivered through Sendgrid, a well-known email service provider widely used by many companies.

Sadly, this isn’t the first time we’ve seen a malicious email campaign coming via what is almost certainly a compromised Sendgrid account. We also regularly encounter malicious emails phishing for Sendgrid account credentials. Indeed, malicious emails coming through Sendgrid are becoming more and more common. This is becoming a worrisome trend. Given that Sendgrid is likely whitelisted within many organisations, it’s worrying that emails are coming via that service to sail right through firewalls and email filtering straight into users’ inboxes.
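One filtering check that addresses the allowlisting gap described above, as an added example that is not KnowBe4's or Sendgrid's code: instead of trusting mail because it arrived through a known email service provider, compare the visible From domain with the domains that actually passed SPF or DKIM (DMARC-style relaxed alignment). The messages, domain names, gateway name and the simplified organisational-domain helper are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.corp.example"   # assumption: your own inbound gateway's authserv-id
ESP_ALLOWLIST = {"esp-relay.example"}  # assumption: provider your filter currently allowlists
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}  # simplified stand-in for the Public Suffix List

# Constructed messages. SPOOFED mirrors the case above: authentication passes
# for the relay provider only, while From claims a health agency.
SPOOFED = (
    "Authentication-Results: mx.corp.example; dkim=pass header.d=esp-relay.example;"
    " spf=pass smtp.mailfrom=bounce@em.esp-relay.example\n"
    'From: "World Health Organisation" <alerts@health-agency.example>\n'
    "Subject: Safety document awaiting signature\n\nbody\n"
)
# A genuine customer of the same provider that signs with its own domain.
LEGIT = (
    "Authentication-Results: mx.corp.example; dkim=pass header.d=mail.shop.example;"
    " spf=pass smtp.mailfrom=bounce@em.esp-relay.example\n"
    "From: Shop News <news@shop.example>\n"
    "Subject: March newsletter\n\nbody\n"
)
# Sender-supplied Authentication-Results header that must not be believed.
FORGED = (
    "Authentication-Results: mx.corp.example; dkim=pass header.d=esp-relay.example\n"
    "Authentication-Results: relay.attacker.example; dkim=pass header.d=health-agency.example\n"
    "From: alerts@health-agency.example\n"
    "Subject: Update\n\nbody\n"
)

def org_domain(domain):
    """Approximate the organisational domain (last two labels, three for known suffixes)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def authenticated_domains(msg):
    """Domains with dkim=pass or spf=pass, read only from the trusted gateway's header."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        parts = [" ".join(p.split()) for p in header.split(";")]
        if parts[0].split(" ")[0].lower() != TRUSTED_AUTHSERV:
            continue  # header added by someone else, possibly the sender
        for result in parts[1:]:
            method = re.match(r"(dkim|spf)\s*=\s*pass\b", result, re.I)
            if not method:
                continue
            prop = "header.d" if method.group(1).lower() == "dkim" else "smtp.mailfrom"
            value = re.search(re.escape(prop) + r"=(\S+)", result)
            if value:
                domains.add(value.group(1).rsplit("@", 1)[-1].lower())
    return domains

def evaluate(raw_message):
    """Return a verdict based on alignment, not on which provider relayed the mail."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    passed = authenticated_domains(msg)
    aligned = bool(from_domain) and any(
        org_domain(d) == org_domain(from_domain) for d in passed
    )
    via_esp = any(org_domain(d) in ESP_ALLOWLIST for d in passed)
    if aligned:
        verdict, reason = "deliver", "From domain aligned with an authenticated domain"
    elif via_esp:
        verdict, reason = "quarantine", "relayed via allowlisted provider but From is unaligned"
    else:
        verdict, reason = "quarantine", "no authenticated domain aligned with From"
    return {"from": from_domain, "passed": sorted(passed),
            "verdict": verdict, "reason": reason}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("forged", FORGED)):
        print(name, evaluate(raw))
```

The spoofed message passes SPF and DKIM for the provider's domain, which is exactly why a provider-level allowlist lets it through; only the alignment test ties those results to the sender the user sees.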

The New & Novel

As we repeatedly advise, the bad guys are always innovating. They are always trying new approaches and experimenting with new social engineering schemes. Recently we’ve seen some rather striking and even unusual attempts to trick users into clicking through to malicious content. As we might expect, some of these newer social engineering schemes seem to work better than others.

As is currently being widely reported, malicious actors are now using a Coronavirus/COVID-19 dashboard, complete with a live map similar to the real thing built by folks at Johns Hopkins University, to lure users to sites that install malware of one sort or another.

This particular email spoofs HHS (the U.S. Department of Health & Human Services). It dangles a link to that malicious map application in front of users desperate for the latest information on the spread of the virus.

[Screenshot: phishing email spoofing HHS with a link to the map application]

Although governmental agencies and organisations are the preferred targets for spoofing in virus-themed phishing emails, private companies are targets as well.

In this malicious email the bad guys spoof the well-known health insurance giant Cigna. They hit users with a fake bill for “Coronavirus (COVID-19) insurance coverage.”

[Screenshot: phishing email spoofing Cigna]

One might well wonder whether this is a viable approach. We don’t know at this point. Despite the fact that many users will recognise the improbability of Cigna signing them up for insurance coverage against a pandemic without even bothering to ask, there could well be plenty of freaked-out users who will immediately click that Big Blue Button to find out just what the heck is going on. Some may even find such (fake) news welcome and comforting.

The Utterly Bizarre

And then there is this spoof of Air Canada, which…well, maybe you’d just better take a look for yourself.

[Screenshot: phishing email spoofing Air Canada]

Well now. We’ve certainly seen Coronavirus survey emails before, both real and malicious (see KnowBe4’s second blog post from last week). This one, however, is off the charts. The malicious actors behind this spoof either: a) have an unusually warped and evil sense of humour; b) have it in for PR/Marketing at Air Canada (maybe the bad guys lost some frequent flyer points and weren’t too happy about it?); or, c) are just completely clueless and tone deaf.

Whatever the case, we wouldn’t expect many users to fall for this last phish. Then again, there’s one in every crowd.

Conclusion

Good information and education remain the best disinfectants for malicious online schemes trailing in the wake of the Coronavirus itself. Unlike toilet paper, hand sanitisers, and medical masks, good information is not in short supply and not subject to panic buying at your local grocery store.

Our hope is that by letting concerned users actually see the COVID-19-themed phishing emails that the media is widely reporting they can make better, more informed choices about how to navigate the flood of information landing in their inboxes at this stressful moment.

While your users are working from home, they are more likely to be phish-prone. Try this Free Phishing Test to see how vulnerable your business is.

KnowBe4 Security Awareness Training & Simulated Phishing is well worth considering in the current climate, as home workers are more susceptible to phishing emails.

The Impact Of Coronavirus & How Security Testing Comes Into Play.

Tony Mason | Breach & Attack Simulation, Enterprise Security

The Coronavirus outbreak has caused a global panic. It has taken its toll on a number of major industries. Gily Netzer from Cymulate examines the impact it has left on the travel industry, supply chain and manufacturing, and on the world economy. She then advises how security testing comes into play. We need to make sure our security is ready.

Coronavirus Creating Worldwide Panic and Business Opportunities for Hackers

Amid the recent Coronavirus epidemic creating pandemonium worldwide, hackers have been exploiting the deadly outbreak to their advantage. They are disguising malicious emails as information about the virus, in a campaign aimed at Japan courtesy of the notorious Emotet gang.

The new campaign distributes Emotet payloads through emails that warn of the Coronavirus infection. Once the attachment is opened, the unsuspecting victim is directed to the familiar Office 365 document, which then allows the malware to install and infect the device.

Another malicious email attack borrows the World Health Organisation as a “trusted source”. The attackers are trying to dupe victims into installing the AgentTesla Keylogger via a document attachment, in an attempt to steal both personal and financial information.

Along with new phishing techniques come other Coronavirus-related scams that have risen in the last couple of days amid the Coronavirus outbreak. One such scam recently circulating in the news was an online masks scam. Sadly, this tricked 3,000 people in Hong Kong into purchasing masks that they never received, and they never heard back from the seller.

Unfortunately the demand for masks has far exceeded production, causing a frenzy among concerned people in China and all across the continent. Since February 2020, there have been a reported 7,500 coronavirus-related fraud cases in China totalling over 192 million Yuan or $28 million.

Coronavirus Impact on the Global Supply Chain

Global supply chains have been feeling the impact of the outbreak. Supplies and raw materials are becoming scarce as workers go into quarantine. As a result international businesses are having to rethink their supply chain strategy.

Furthermore, Chinese manufacturers are suffering immense financial setbacks as their PMI dropped to 35.7 in February from 50 in January.  This is the lowest it has been since 2004. In addition, production has also come to a halt as more workers remain in quarantine.  

Health guidelines and travel restrictions have caused manufacturers and international retailers to shift their methods of transportation. Consequently, they are having to consider alternative routes to move materials and reach customers abroad, potentially costing millions in the process.

Some of the biggest names in the industry have been hit hard too. Titans such as Apple, Starbucks, Nike, Home Depot, and Microsoft have all begun cutting down on services and staff in China until the Coronavirus epidemic subsides.

The Financial Impact of the Coronavirus

Wall Street has felt the impact of the Coronavirus with substantial losses unseen in over a decade. Many investors have even speculated a global recession.  This could potentially be larger than the 2008 financial crisis which cost the U.S. economy trillions of dollars.

Fears of a widespread epidemic have left major market indexes such as NASDAQ, the S&P 500, FTSE, and the Dow Jones plunging by over 200 points a week ago and hitting new record lows since the 2008 recession.

The financial toll may rise even further as investors continue to panic and manufacturers cease production, at least for the foreseeable future.  

Coronavirus Impact on Travel

Not since 9/11 and the 2003 SARS outbreak has the travel industry been hit so hard. Cancelled flights and low tourism demand due to the Coronavirus outbreak could cost airlines over $30 billion as companies continue to limit business-related travel.  

Companies such as Google and Salesforce have taken safety precautions by suspending non-essential travel.  Others have been limiting on-site job interviews and asking employees not to bring any guests until things clear up.

Breach and Attack Simulation Runs Anywhere… 24/7.

Quarantined? Don’t stop optimising your security posture. 

At a time when human interaction exposes us to infection and the world faces a global epidemic and slows down, hackers don’t.

They don’t need to be at the office to do their job. At a time like this, it’s good to know that continuous security testing can be performed remotely.

SaaS-based Breach and Attack Simulation can be done independently without the need to set up physical meetings or leave your house, if you are concerned about travelling. Even from the safety of your home, you can test and optimise your company’s network.

With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it—24/7 regardless of where you are. Whether you’re working from the comfort of your living room, at a local café, or even while relaxing on the beach.

Test it for yourself today with a 14-day free trial. Give us a call to hear about this new Breach & Attack Simulation from Cymulate and check how secure your security really is. Contact us here.

Modern Cloud SIEM Solutions from Rapid7

Tony Mason | SIEM, Vulnerability Management & SIEM

As everything is moving to the cloud, Rapid7 explain why modern SIEM is in the cloud and what benefits you can expect from a cloud SIEM.

Modern cloud SIEM solutions enable three new use cases

In the past, SIEM has been most valuable around:

  • Correlation: Give me context, and help me investigate alarms triggered by my stack
  • Compliance: Help me prove that all access is logged, events are being tracked, and file integrity monitoring is in place

These use cases are foundationally valuable. However, getting to a successful deployment with traditional SIEMs requires a huge amount of up-front configuration, tuning, and ongoing maintenance. Historically, security teams had to spend more time tuning detection rules and filtering through the noise than acting on the outputs and progressing their security posture.

Cloud SIEM tools, like Rapid7 InsightIDR, are quickly gaining market share today. Security teams can now shed infrastructure and data management hats to focus on three key use cases:

Use case No. 1: Unify data (all of it!) with your cloud SIEM

Our networks now have important log and event data sprawled across hundreds of log sources, endpoints, cloud services and hosting platforms. As a supporting visual, here’s Rapid7’s data architecture diagram:

[Figure: Rapid7 Data Architecture Diagram]

Combined with alerts from your monitoring tools and prevention systems, all of this information should be able to flow into your SIEM for reporting and data visualisation. This is where many on-premises SIEM deployments led to challenges, because hardware management, data parsing, and scaling require continuous grooming and feeding to perform effectively.

Therefore, if you’re considering cloud SIEM, ensure that it has support for your critical data sources such as cloud hosting. Also check that it will actually relieve you from management and maintenance burdens as your business scales. You should be able to start sending data for analytics within minutes of starting a trial or POC, not waiting for an appliance shipment or professional services.

Be wary of cloud SIEMs that still require on-premises tuning and maintenance.

What’s next?

More native ingestion support for cloud hosting providers (e.g., Azure, AWS, and Google Cloud). Greater support for telemetry gathering from the endpoint. This enables more nuanced detections, investigations, and threat hunting. Endpoint data such as parent/child processes is essential to our MDR SOCs. These data collection and hunt capabilities will become more accessible to security teams of all sizes.

Use case No. 2: Proactive threat detection with your cloud SIEM solutions

Year after year, the Verizon Data Breach Investigations Report shows that the same attack vectors — phishing, malware, and stolen credentials — are being used successfully. Let’s say you need to detect malware. To identify modern threats, you need visibility into endpoint telemetry, such as PowerShell logs, which you may be able to access from your SIEM.

However, to investigate root cause and identify lateral movement, that information alone isn’t enough. Authentication tracking and user behaviour data is also needed to catch account takeover and the use of stolen credentials.

Modern cloud-based SIEMs should not only give you access to this information. They should also apply security analytics to this data to proactively flag compromise. Accurate threat detection is a bold promise. However, as SIEM is the only technology with access to this disparate data, ensure the product has the analytics to expose the behaviours you want to see.

MITRE ATT&CK has gained massive traction as a quantitative framework to map out detection capabilities. A suggested approach is to identify gaps in your detection, then understand the data sources that would reveal malicious activity. Thereafter ensure your cloud SIEM either has appropriate out-of-the-box detections or the ability to build custom content.

What’s next?

While many SIEM providers claim user behaviour analytics to detect anomalous behaviour, few have out-of-the-box content for known-bad attacker behaviours. Put them to the test by performing attack simulation or POCing around penetration tests.

Use case No. 3: Automate and respond with your cloud SIEM solutions

SIEM exists to give you the information and context you need in order to respond to and contain threats. This may involve booting an asset off the network, killing a process, or disabling a user account. User behaviour analytics (UBA) can reveal the relationships between IP address → asset → user accounts. Consequently, this allows you to make stronger decisions without hours of laborious investigation.
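The IP address → asset → user chain described above can be rebuilt from two log sources, shown here as an added example (not Rapid7's or InsightIDR's implementation): DHCP leases map an IP to an asset for a time window, and authentication events map an asset to the accounts active on it. All log records, hostnames and account names are constructed, and the reduced two-source data model is an assumption.

```python
from bisect import bisect_right
from datetime import datetime

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed DHCP leases: (lease start, IP, asset). Note the IP is reassigned.
DHCP_LEASES = [
    ("2020-03-02 08:55", "10.0.4.17", "LAPTOP-FIN-03"),
    ("2020-03-02 13:10", "10.0.4.17", "LAPTOP-HR-11"),
    ("2020-03-02 09:05", "10.0.4.22", "DESKTOP-IT-02"),
]

# Constructed authentication events: (time, asset, user, event type).
AUTH_EVENTS = [
    ("2020-03-02 09:01", "LAPTOP-FIN-03", "a.khan", "logon"),
    ("2020-03-02 12:30", "LAPTOP-FIN-03", "a.khan", "logoff"),
    ("2020-03-02 13:15", "LAPTOP-HR-11", "j.osei", "logon"),
    ("2020-03-02 14:40", "LAPTOP-HR-11", "svc-backup", "logon"),
]

def build_lease_index(leases):
    """Group leases per IP, each list ordered by lease start time."""
    index = {}
    for start, ip, asset in sorted((ts(s), ip, a) for s, ip, a in leases):
        index.setdefault(ip, []).append((start, asset))
    return index

def asset_for_ip(index, ip, when):
    """Return the asset holding `ip` at `when` (latest lease that started before it)."""
    leases = index.get(ip, [])
    pos = bisect_right([start for start, _ in leases], when)
    return leases[pos - 1][1] if pos else None

def users_on_asset(events, asset, when):
    """Replay logon/logoff events up to `when` and return accounts still active."""
    active = set()
    for t, a, user, kind in sorted((ts(t), a, u, k) for t, a, u, k in events):
        if a != asset or t > when:
            continue
        if kind == "logon":
            active.add(user)
        else:
            active.discard(user)
    return sorted(active)

LEASE_INDEX = build_lease_index(DHCP_LEASES)

def attribute(ip, when_text):
    """Resolve an alert's source IP and timestamp to (asset, active users)."""
    when = ts(when_text)
    asset = asset_for_ip(LEASE_INDEX, ip, when)
    return asset, users_on_asset(AUTH_EVENTS, asset, when)

if __name__ == "__main__":
    # Constructed alerts: the same IP resolves to different assets and users over the day.
    for when_text in ("2020-03-02 08:00", "2020-03-02 10:15",
                      "2020-03-02 12:45", "2020-03-02 14:45"):
        print(when_text, "10.0.4.17", "->", attribute("10.0.4.17", when_text))
```

Because the address is reassigned at 13:10, attributing an alert by IP alone would point at the wrong asset and user for part of the day, which is the investigation time the correlation saves.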

Cloud SIEM allows you to take investigation findings, such as machine-readable threat intelligence, and with security orchestration, automation and response (SOAR), apply that to your prevention and detection defences. By automating mundane and repetitive tasks, you can focus on high-value work such as threat hunting and attack simulation. As a result, you can make proactive changes to strengthen your network based on investigation findings.

What’s next?

Automated workflows will become commonplace. Teams with high alert volumes today are using SOAR for phishing triage, alert enrichment, and to automate communications (e.g., to ticketing systems and ChatOps). This will allow threats that target users, such as phishing or Office 365 brute forcing, to be better defeated at scale.

Rapid7’s approach to SIEM has been cloud-native since its inception as a user behaviour analytics tool in 2013. Part of the Rapid7 Insight Cloud, InsightIDR Cloud SIEM can help you unify, detect, and respond to threats across your environment within hours, not months.

For more, check out here, or contact us to start your full-featured 30-day trial today.

sales@s3-uk.com

01628 362 784

Top 10 Fraud Alert Tips for Black Friday & Cyber Monday

Tony Mason | Data Protection, Security Awareness & Phishing

Black Friday attracts crowds, crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. Check out these Fraud Alert Tips to stay safe online throughout the festive season.

Top 10 Fraud Alert Tips for Black Friday from KnowBe4.

  1. Never click on links in emails. If you want to shop at a site, enter that site address in your browser. There are thousands of fake sites that look almost identical to the real thing. Don’t fall for evil-twin shopping sites.
  2. Don’t open attachments with special offers. It’s a classic scam. The offer should be in the email and you should be able to see it right away. 
  3. Watch for malicious ads and popups. Do not click on ads that sound too good to be true, and ignore popups that might propose the “best deal ever”. 
  4. Beware of e-skimmers. This is a new one. Do you know that bad guys sometimes skim your credit card at petrol stations or ATMs? Well, there is a new flavour of that, the shopping website you order from might be infected with an “e-skimmer” and they steal your card data when you check out. You can prevent that by using PayPal or Amazon. 
  5. Use a credit card to buy stuff online if possible. NEVER use a debit card to make online purchases but use that debit card to take out cash only.  
  6. Do not shop over a public Wi-Fi. You simply do not know if it’s secure and who is listening. Only shop using a secure, trusted network. If you have no other way to shop, use a VPN which encrypts your traffic.
  7. Be very careful when you see a free offer during the festive season. There is an explosion of all kinds of survey fraud and gift card scams. 
  8. Do not re-use any of your passwords. Instead, use a password manager to create hard-to-break passwords. Re-using any password is literally an invitation to get hacked. 
  9. Keep a close eye on your credit card and bank accounts. During this season, unexpected and strange charges might appear which could very well be the first sign your card or even your whole identity has been stolen. If you think you might have been scammed, stay calm and call your credit card company, cancel that card and get a new one.
  10. Be especially suspicious of gift card scams. They can be a perfect Christmas gift, but gift card scams are skyrocketing. Only buy gift cards from trusted sources.

Check out the insights that KnowBe4’s security awareness advocate, Javvad Malik, gave to Forbes.

So, especially at this time of year, do not let the bad guys exploit your festive spirit and use it against you.

Remember to stay alert when you shop online! Think Before You Click!

The Forrester Wave™: Vulnerability Risk Management, Q4 2019

Tony Mason | Vulnerability Management & SIEM

Rapid7 is named a leader, receiving the highest score possible in nine criteria for InsightVM, its vulnerability risk management tool.

Forrester cites 14 key areas buyers should consider when evaluating VRM solutions. Rapid7’s own customers tell us that the following 5 capabilities are especially critical…

5 Capabilities Your Vulnerability Risk Management Solution Needs:

1 Visibility of your complete IT environment

Identify all of your externally-facing, internet-connected assets, including those that may be undiscoverable with other tools. This helps to get a complete view of your risk. InsightVM received the highest possible scores for this capability in the Digital Footprinting criteria.

2 Extensibility & integration

Your VRM solution must enable integration, orchestration, and automation of the tools and processes across your stack. InsightVM also received the highest possible scores for its extensibility and Partner Ecosystem.

3 Reporting for the progress that matters most

Tracking the goals and metrics most relevant and impactful to your team is critical. Similarly it is important to communicate those milestones to peers and leadership. InsightVM is designed to track your progress and drive alignment across the organisation.

4 Simple pricing

Pricing and budgeting should be simple. InsightVM makes this easier with a price per asset model – no fine print needed.

5 Prioritisation for your business

Identify and prioritise risk with complete coverage of your environment and the addition of business criticality to assets. InsightVM also received the highest possible score in the criteria of Vulnerability Enumeration and Risk-Based Prioritisation.

What Else Should You Expect from Your VRM Vendor?

In addition to the key areas covered by the Forrester Wave, we’ve rounded up some additional considerations for vendor selection. Here are some we’ve heard from Rapid7 customers:

A unified security platform

As well as offering our full vulnerability risk management feature set for all InsightVM users, the Rapid7 Insight Cloud supports you across the entire security life cycle. In other words, it covers everything from prevention to detection and response.

Visibility across the organisation

Identifying and prioritising risk is table stakes, but proving the effectiveness of your program is key. Your solution should help you work in tandem with IT operations. It should also help you communicate, both within your team and to leadership, how you’ve tangibly reduced risk for your organisation.

Commitment to service and success

Rapid7 guarantee 99.95% uptime. On the off-chance the system availability drops, only Rapid7 offers up to a 100% service credit of the prorated monthly fee paid. Other vendors cap service credits at a mere 10% or less.

Demonstrable ROI

In an exclusive case study from Forrester, Rapid7 customers offer visibility into the ROI of their programs. This features a significant decrease in incidents and spend when switching to Rapid7 from another VRM vendor. 

See the full report here.
