BayPay Forum

Morgan Stanley's SEC Penalty Called Inadequate

Category: Security News

Fraud, Insider Fraud

Security Experts Criticize $1 Million Fine After Insider Breach

Tracy Kitten (FraudBlogger) • June 13, 2016

The $1 million penalty that the Securities and Exchange Commission imposed on Morgan Stanley for its failure to prevent a now former employee from compromising some 730,000 client accounts is too low to send a strong message to financial services firms about the need for stronger cybersecurity and internal fraud controls, security experts say.

Todd Feinman, a former ethical hacker at PricewaterhouseCoopers who now serves as the president of data management firm Identity Finder, says the penalty is nothing more than a slap on the wrist. "For financial institutions and organizations of all creeds to take protecting customer data seriously, the consequences need to resemble the actions," he says.

"On the one hand, it's positive to see the SEC begin to sink their teeth into organizations lacking the tools and policies to protect customer data," he says. "On the other, the nominal [penalty] ... is something many investment firms and FIs [financial institutions] would be willing to pay to avoid the resources necessary to adequately protect their sensitive data."

Regulator Priorities Questioned

The SEC settlement amount for such an egregious breach illustrates that data security still doesn't seem to be a priority for financial services regulators, contends Al Pascual, head of fraud and security at Javelin Strategy & Research. "The SEC has been pretty busy with insider trading and rogue trader cases, so I don't suspect this will change any time soon," he says.

But Mary Ann Miller, senior director and executive fraud adviser at security firm NICE Actimize, says all regulators are generally expecting financial institutions to implement better controls to protect customer data and money.

"If a large or even catastrophic loss is directly related to an internal threat that was not detected in any external or internal monitoring processes, then I expect stiffer attention to penalties," she says. "As we have seen consolidation of financial institutions globally, the amount of employees who have access to customer data or accounts can represent a small city. Regulators are expecting financial institutions to have the same kind of policy, procedures and technology in place to monitor employees internally as they have to monitor external fraud. This includes profiling behavior, looking for levels of system access permission, and real-time alerts."

Inside Job Went Undetected for Years

In January 2015, Morgan Stanley, the sixth-largest financial firm in the U.S., fired one of its wealth management advisers after discovering data about approximately 900 of its clients had been posted online, presumably for resale on the black market (see Morgan Stanley: Insider Stole Data and Fired Morgan Stanley Insider Sentenced to Probation).

Between June 2011 and December 2014, the former employee, Galen Marsh, illegally accessed account-holder data, along with investment values and earnings, used by Morgan Stanley to manage confidential customer information, according to court records. In September 2015, Marsh pleaded guilty to stealing confidential information linked to more than 700,000 client accounts over a period of several years. At his plea hearing, Marsh admitted that he conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded information about 730,000 clients to a server at his home in New Jersey that was later hacked (see Insider Lessons from Morgan Stanley Breach).

In December 2015, Marsh was sentenced to three years' probation and ordered to pay $600,000 in restitution, according to a statement from the U.S. Attorney's Office for the Southern District of New York.

SEC's Findings

In its statement about the settlement, the SEC notes that Morgan Stanley "failed to adopt written policies and procedures reasonably designed to protect customer data." As a result of those internal failures, sensitive customer data was stolen and later exposed online, the SEC says.

"Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection," Andrew Ceresney, director of the SEC's enforcement division, says in the statement. "We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information."

The SEC points out that Morgan Stanley's policies and procedures "were not reasonable" because two internal web applications or portals, which should have been locked down, were accessible to employees to view customers' confidential account information.

"For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees' access to customer data based on each employee's legitimate business need," the SEC notes. "Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees' access to and use of the portals."

The settlement comes just weeks after Mary Jo White, chairwoman of the SEC, noted that cybersecurity is the biggest risk facing the financial system (see SEC Chair: Cybersecurity Is No. 1 Risk).

Morgan Stanley's Reaction

Morgan Stanley, in a June 13 statement to Information Security Media Group, says it's pleased with the SEC settlement.

"Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients," spokeswoman Christine Jockle says. "Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data. No fraud against any client account was reported as a result of this incident."

Symantec to Buy Blue Coat for $4.65 Billion

Category: Security News

Anti-Malware, Cloud Computing, Network & Perimeter

Head of Blue Coat to Become Third New Symantec CEO in Four Years

Mathew J. Schwartz (euroinfosec) • June 13, 2016

For its next move since jettisoning storage firm Veritas and becoming a pure-play security vendor, Symantec will now buy network and cloud security firm Blue Coat from private-equity owners Bain Capital, obtaining a replacement CEO in the process.

Symantec announced June 12 that the boards of directors of both companies have approved the deal, which will be worth approximately $4.65 billion and is expected to close by October. As part of the deal, Blue Coat chief Greg Clark will become CEO of Symantec, thus making him the company's third CEO in just four years.

"With this transaction, we will have the scale, portfolio and resources necessary to usher in a new era of innovation designed to help protect large customers and individual consumers against insider threats and sophisticated cybercriminals," Dan Schulman, chairman of Symantec, says in a statement.

Symantec's previous era arguably ended in April, when outgoing CEO Michael Brown was booted after the company missed its Q4 fiscal 2016 sales targets. Symantec had forecast that sales would reach $885 million to $915 million; they instead came in at $873 million. The company met its consumer sales targets; the shortfall came in enterprise sales. As Symantec said in its Q4 2016 quarterly filing: "A shift in enterprise security customer buying preferences is resulting in less license revenue during the quarter and more revenue being deferred to future periods. This included a faster than expected shift within our product mix to subscription and ratable contract structures."

In other words, the company appears to be having difficulty maintaining enterprise-related revenue as more organizations shift to cloud-based security products and subscription models that involve payments in installments.

Yet Another 'CEO Transition Plan'

Symantec attempted to spin these challenges - and Brown's departure - in a "CEO transition plan" statement, with Schulman claiming that "this is the right time to transition leadership for Symantec's next chapter of growth."

But growth has been a tricky topic for Symantec, although it remains one of the world's biggest information security firms, with $6.51 billion in 2015 revenue.

Two venture capitalists are bullish on Symantec's prospects after acquiring Blue Coat. In connection with the Blue Coat acquisition, technology investment firm Silver Lake will invest $500 million in Symantec, taking its total investment to $1 billion. Bain Capital, which bought Blue Coat in May 2015 for $2.4 billion, will invest $750 million.

Symantec says it will pay for the deal in part with cash currently in its coffers, as well as via $2.8 billion in new debt. "The company is focused on paying down a significant portion of this debt within the next several years with cash on the balance sheet and through cash generation," it says in a statement.

Despite aggressively shuffling its leadership in recent years, Symantec's board has yet to find someone who can revitalize the company. The board fired Enrique Salem - who oversaw the completion of the Veritas deal - in 2012 for missing earnings forecasts; fired his replacement, Steve Bennett, in March 2014, naming Brown as interim CEO; and then fired Brown in April. Brown had served on the Veritas board since 2003 and joined Symantec's board in 2005 with its acquisition.

Blue Coat CEO Clark, who will soon take over leadership of Symantec, built and sold three technology startups before joining Blue Coat, which says it has 15,000 customers and had $598 million in revenue for the fiscal year ending April 30.

But Andreas Lindh, who serves as a researcher at Swedish security consultancy Recurity Labs, is not convinced that Blue Coat will help Symantec improve its financial performance.

Lindh's response, posted June 13, 2016: "Hold on a minute while I put on some Phil Collins to recapture some street cred."

The Veritas Legacy

Arguably, Symantec's flagging fortunes remain a legacy of its 2005 purchase of storage firm Veritas for $13.5 billion. Symantec was never able to convincingly blend the storage business with its security operations. The purchase continued to dog Symantec's operations until well past August 2015, when it announced that Veritas would be sold to The Carlyle Group, an asset management firm, for $8 billion in cash. At the time, now-former Symantec CEO Brown promised that the now "focused security company" would acquire new technology and unveil new products designed to jumpstart enterprise interest in its products and services.

But in January 2016, Symantec reported that "after uncertainties developed regarding the transaction," the purchase price had been revised downward to $6.6 billion in cash, although Carlyle also doubled the amount of offshore cash in Veritas - from $200 million to $400 million - and took a $400 million equity interest in Veritas, thus making the deal worth $7 billion.

Retailers: Don't Require Us to Meet Bank Security Standards

Category: Security News

The Retail Industry Leaders Association is battling against passage of a national data security and breach notification bill known as the Data Security Act of 2015, or H.R. 2205, arguing it would unreasonably require retailers to meet some of the same security standards as banks, says Austen Jensen, the group's vice president of government affairs.

Jensen argues that the bill, which came out of the House Financial Services Committee last year, fails to address the unique security and business concerns of retailers.

In a recent letter to Congress, RILA explained its concerns. The letter points out, for example, that the legislation would require retailers to conduct background checks on certain employees, just as banks must do. RILA calls that provision impractical.

"It's always important to remain vigilant when facing any type of threat," Jensen says. "Our members certainly already go above and beyond when it comes to making sure that we are hiring people of integrity and strong character background. ... But I would point out that there is no perfect bill, there's no perfect law; there's no law that's going to stop every breach, whether that is at a large FI [financial institution] or a retailer or a hospital or at your hotel or at your local pizza joint. So it's important that these issues get addressed, and that's why RILA's at the table."

RILA is supporting another bill, the Data Security and Breach Notification Act of 2015, or H.R. 1770, which came out of the House Energy and Commerce Committee last year. The bill would require organizations to report breaches to the Federal Trade Commission and FBI and to restore the integrity, security and confidentiality of their data systems following the discovery of a breach.

Unlike the Data Security Act of 2015, which would apply the same consumer security and privacy mandates outlined for banking institutions under the Gramm-Leach-Bliley Act to other businesses, the Breach Notification Act of 2015 focuses on the role the FTC plays in regulating and fining businesses that don't meet "reasonable" security standards, he says.

In this interview, Jensen also discusses:

  • His hopes that retailers and bankers can better collaborate on legislation going forward;
  • Why the FTC's role in regulating retailers is so important; and
  • Why Gramm-Leach-Bliley standards should not be applied to retailers.

At RILA, Jensen advocates before Congress to promote transparency, innovation and competition in financial practices within the retail industry. Before joining RILA, he spent more than 10 years in various staff positions in the U.S. House of Representatives.

After Russia Hacks DNC: Surprising Candor

Category: Security News

Breach Response, Data Breach, Forensics

Incident Responders Share Specifics That Could Blunt Future Attacks

Jeremy Kirk (jeremy_kirk) • June 15, 2016

Democratic National Headquarters in Washington. (Source: Google)

The Democratic National Committee's decision to reveal the compromise of its network by Russian hackers is providing a rare and surprisingly fresh postmortem of an advanced, apparently state-sponsored hack attack.

The revelation comes just days after the hackers were booted from its network. Organizations do not usually give computer forensic investigators the green light to talk about an intrusion. Data breach response services are often retained under strict non-disclosure agreements, and discussions about a particular security company's customers are - generally speaking - taboo.

But the DNC, which apparently was infiltrated by two groups believed to have ties to - or even be sponsored by - the Russian government, allowed incident-response firm Crowdstrike to talk publicly about the attacks. The computer security company provides 24-hour breach response services, competing with firms including FireEye's Mandiant and PwC.

"The reality is at Crowdstrike we work these types of cases weekly and almost never can we tell the public about it," Dmitri Alperovitch, Crowdstrike's co-founder and CTO, tells Information Security Media Group.

The DNC approached Crowdstrike about going public with the intention of also providing advanced warning about the methods the hackers used to infiltrate its network. Of course, the DNC's decision also has political ramifications.

"They want to tell the American public what the Russian intelligence agencies are doing," Alperovitch says.

The DNC likely had several motivations in coming forward and disclosing the breach, says Dan Holden, director of Arbor Network's security engineering and response team. For starters, if the organization kept the breach private but it leaked out later, it would look bad, he says.

Also, the FBI is still investigating Hillary Clinton over how she handled classified information on her own private email server while she was secretary of state. The Democrats "certainly don't want to have anything else dealing with computer security hovering over her," Holden says.

Plus, U.S.-Russian spying tales are "always a classic good-guy, bad-guy story for many Americans who lived through the Cold War," he says.

And security expert Bruce Schneier, chief technology officer of IBM's Resilient, says that this attack has all the hallmarks of a straight-up spy story. "This seems like standard political espionage to me," Schneier says in a blog post. "We certainly don't want it to happen, but we shouldn't be surprised when it does."

Hacked by Fancy Bear, Cozy Bear

According to Crowdstrike, two hacking groups - nicknamed Fancy Bear and Cozy Bear - gained independent access to the DNC's network, although it's unclear how they initially broke in. Cozy Bear, which Alperovitch says may be linked with Russia's state security service, known as the FSB, compromised the DNC about a year ago, targeting communications such as email and instant messaging.

The disclosure comes just a few days after Crowdstrike unplugged the DNC's network completely on June 10 to begin cleansing its systems. "We rebuilt it from scratch," Alperovitch says. "The remediation event went through the entire weekend. Our folks didn't sleep."

Before remediating the DNC's network, Crowdstrike had to figure out what was going on. The company installed its Falcon endpoint protection software on the DNC's equipment, which Alperovitch says quickly homed in on two separate groups.

The investigation showed that Fancy Bear gained access in April and focused on collecting DNC research on opposing candidates, including Donald Trump, the presumptive Republican presidential nominee. Crowdstrike has a "high level" of confidence that group is connected with Russia's GRU, the country's military intelligence unit, Alperovitch says.

Vendors often publish information about hacking incidents they've studied, which benefits marketing campaigns but also contributes to a growing body of knowledge for security researchers. Invariably, companies and organizations that are victims are either not described at all or only vaguely by market vertical, such as defense or telecommunications.

The same day as the DNC attacks were revealed, Palo Alto Networks published a blog post describing a spear-phishing attack against a U.S. government organization. Spear-phishing is the practice of carefully targeting a victim by email and tricking the person to click on a malicious link or attachment.

As is customary, Palo Alto did not name the organization. But it did say the group behind the attack was the Sofacy group, which is also known as APT28 - FireEye uses that naming convention for hacking groups. Regardless of nomenclature, that's the same hacking collective that Crowdstrike calls Fancy Bear.

Indicators of Compromise Released

Crowdstrike was also permitted to release so-called indicators of compromise, or IOCs, which list technical details that other organizations can use to spot similar attacks and thus protect their networks. In this case, a detailed blog post written by Alperovitch lists hashes for a malware implant used by Cozy Bear called SeaDaddy, as well as IP addresses for command-and-control servers tied to the attacks.

But both of the Russian hacking groups apparently used very little malware. Once inside the network, they instead employed tools such as Microsoft's PowerShell scripting platform and Windows Management Instrumentation, a framework for managing computers across a network. Security software wouldn't flag use of these built-in IT tools as malicious.

Going forward, Crowdstrike has also been retained to lock down and protect the DNC's network. "We have to assume the Russians will try to get back in," Alperovitch says.

Report: Russia's 'Best' Hackers Access DNC's Trump Research

Category: Security News

Data Breach, Endpoint Security, Governance

Democratic National Committee's Computers Breached

Eric Chabrow (GovInfoSecurity) • June 14, 2016

Hackers reportedly accessed opposition research on Donald Trump.

Russian hackers reportedly penetrated computers at the Democratic National Committee, accessing confidential information, including opposition research on presumptive Republican presidential nominee Donald Trump.

An individual familiar with the breaches told the Washington Post that the hackers accessed a year's worth of detailed chats, emails and opposition research on Trump, which could contain details about his personal and professional history. That individual told the newspaper that DNC officials first learned about the breach nearly two months ago, when the political party's technology staff discovered malware on its computers.

The DNC turned to the incident response and threat intelligence firm CrowdStrike to investigate the breaches that began as early as last summer.

'Some of the Best Adversaries'

Dmitri Alperovitch, CrowdStrike's chief technology officer, in a blog post identifies two Russian groups - "Cozy Bear" and "Fancy Bear" - as the hackers, characterizing them as "some of the best adversaries" among nation-state, criminal, terror and hacktivist groups. "Their tradecraft is superb, operational security second to none and the extensive usage of 'living-off-the-land' techniques enables them to easily bypass many security solutions they encounter," Alperovitch says.

Russia's dismal economy is leaving many of its top mathematicians unemployed, leading them to work as hackers. "Russians are the best mathematicians in the world and they don't have an industry that employs them very well," says Martin Libicki, a senior management scientist at the think tank Rand Corp. whose research focuses on Russian and Chinese cyber endeavors. "The Russians always had a penchant for espionage because they've run a police state since the czarist era. So, there are a lot of reasons for a lot of this stuff to come together."

Cozy Bear, also known as Cozy Duke or APT 29, last year successfully infiltrated the unclassified networks of the White House, State Department and U.S. Joint Chiefs of Staff as well as other national governments and private-sector organizations around the globe, according to Alperovitch. Fancy Bear, also called Sofacy or APT 28, has targeted worldwide systems in the aerospace, defense, energy, government and media sectors, he says.

Cozy Bear breached the DNC network last summer, while Fancy Bear separately breached the DNC network in April, Alperovitch says.

"We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials," Alperovitch says. "While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other's operations, in Russia this is not an uncommon scenario."

Russian Government Connection?

Joseph Carson, head of global strategic alliances at Thycotic, a provider of privileged account management tools, says it's difficult to determine if these hackers are following instructions from the Russian government or doing these activities simply for recognition or financial gain. "When Russia has a political dispute between other countries - for example Estonia, Georgia and Ukraine - we have seen a significant increase in cyber crime against those countries," he says.

Before Russia's invasion of Ukraine in 2014, when it seized Crimea, Russian hackers operated more stealthily than they do today, Rand's Libicki says. "These guys have always been good," he says. "But before 2014, you never saw them because they were like our NSA. They're very careful, they're very methodical; they really didn't want to get caught."

With tensions between the United States and Russia at a post-Cold War high, the hackers - and their apparent Kremlin patrons - seem less concerned about being identified for their online assaults, Libicki says. "They don't mind getting caught as much as they used to," he says. "It's a form of brandishing on their part, to see what kind of capabilities we have, to see what kind of bad enemy we can be to you if you don't watch out. From their intervention of Crimea forward, they're putting on a nastier face vis-à-vis the West."

The Tech Details Behind Breaches

The hackers' fine-tuned capabilities apparently enabled them to penetrate the DNC system, according to CrowdStrike's research.

The Cozy Bear intrusion relied mostly on the so-called "SeaDaddy" implant and a Windows PowerShell backdoor delivered through Windows Management Instrumentation (WMI), Alperovitch says. That enabled the hackers to launch malware automatically after a specified period of system uptime or on a specific schedule.

Windows PowerShell is a task automation and configuration management framework from Microsoft that consists of a command-line shell and associated scripting language built on the .NET Framework.

"The PowerShell backdoor is ingenious in its simplicity and power," Alperovitch says.

Fancy Bear took a different approach to breaching DNC computers, he says, deploying X-Agent malware - an executable (.exe) file - with capabilities for remote command execution, file transmission and keylogging. The hackers also took anti-forensic measures, including periodically clearing event logs and resetting file timestamps, Alperovitch says.
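The PowerShell-over-WMI persistence described above (a filter that fires on elapsed uptime or on a schedule, bound to a consumer that launches PowerShell) is what a permanent WMI event subscription looks like on disk, and it is the same built-in mechanism the earlier article notes security software would not flag. The following PowerShell is an added example, not code from the article or from CrowdStrike: it enumerates the subscriptions on the local host and flags that combination for an analyst; the function names and the keyword list are this example's own choices.

```powershell
# Added example, not code from the article or from CrowdStrike. Enumerates the
# permanent WMI event subscriptions on the local host and flags the pattern the
# article describes: an __EventFilter that fires on elapsed uptime or a clock
# schedule, bound to a consumer that runs PowerShell or a script.
# Assumes Windows PowerShell 3.0+ (CIM cmdlets) and rights to read root\subscription.

# Helper: a binding's Filter/Consumer property is a CimInstance reference under
# Get-CimInstance and a string object path under Get-WmiObject; return the Name either way.
function Get-WmiRefName {
    param($Ref)
    if ($null -ne $Ref -and $Ref -isnot [string] -and $Ref.Name) { return [string]$Ref.Name }
    if ("$Ref" -match 'Name\s*=\s*"([^"]*)"') { return $Matches[1] }
    return "$Ref"
}

function Get-SuspiciousWmiSubscription {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Keyword list chosen for this example; a starting point, not an exhaustive signature.
    $payloadPattern = 'powershell|pwsh|-enc|-EncodedCommand|Invoke-Expression|\bIEX\b|FromBase64String'

    foreach ($b in $bindings) {
        $filterName   = Get-WmiRefName $b.Filter
        $consumerName = Get-WmiRefName $b.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName }

        $query        = if ($filter)   { [string]$filter.Query } else { '' }
        $consumerType = if ($consumer) { $consumer.CimClass.CimClassName } else { 'missing' }
        $reasons = @()

        # WQL filters keyed on Win32_PerfFormattedData_PerfOS_System.SystemUpTime fire once
        # the machine has been up for N seconds: the uptime trigger the article mentions.
        if ($query -match 'SystemUpTime')          { $reasons += 'uptime-based trigger' }
        # Filters on Win32_LocalTime / Win32_UTCTime fire at a wall-clock time: the schedule trigger.
        if ($query -match 'Win32_(Local|UTC)Time') { $reasons += 'schedule-based trigger' }

        # Only these consumer classes execute something; extract what they would run.
        $payload = switch ($consumerType) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { [string]$consumer.ScriptText }
            default                     { '' }
        }
        if ($payload)                        { $reasons += "executing consumer ($consumerType)" }
        if ($payload -match $payloadPattern) { $reasons += 'PowerShell or encoded command in payload' }

        # A stock Windows install carries one benign binding, "SCM Event Log Filter" to an
        # NTEventLogEventConsumer; it has no payload and is therefore not flagged here.
        [pscustomobject]@{
            Filter       = $filterName
            Query        = $query
            Consumer     = $consumerName
            ConsumerType = $consumerType
            Payload      = $payload
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# Usage: list every binding, flagged ones first, for analyst review.
Get-SuspiciousWmiSubscription | Sort-Object Suspicious -Descending | Format-List
```

Run it in an elevated session so all consumers are readable; compare the output against a known-good baseline of the same host rather than treating every flagged entry as a compromise.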

DNC: Donor, Personal Data Not Pilfered

The DNC tells the Washington Post, which first reported on the breach, that the hackers didn't appear to have accessed donor, financial or personal data. "The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with," says Rep. Debbie Wasserman Schultz, the Florida Democrat who's the DNC's national chairwoman. "When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network."

Travis Smith, security researcher at Tripwire, a security and compliance automation provider, says information about Donald Trump, the potential president of the United States, could have value to any major government worldwide. "Since Trump is relatively new to the political landscape, external governments are going to increase their espionage efforts to gather additional information," Smith says.

Pierluigi Stella, chief technology officer at managed security services provider Network Box USA, offers a different perspective: "A Trump presidency would definitely benefit Russia's position in the world. I mean, Putin clearly feeds on the type of propaganda that Trump's putting out. So, was this a government hack? Who knows? What's evident is that it definitely wasn't theft for profit, since the data breached was neither credit card nor personally identifiable information but rather, strategy and research."
