- Details
- Category: Security News
Cybersecurity , Endpoint Security , Technology
'Operation Daybreak' Zero-Day Attacks Trigger Emergency Flash Update
Security experts are once again warning enterprises to immediately update - or delete - all instances of the Adobe Flash Player they may have installed on any system in the wake of reports that a zero-day flaw in the web browser plug-in is being targeted by an advanced persistent threat group.
The attacks first came to light earlier this week, when Adobe issued an alert that a previously unknown flaw in Flash, designated CVE-2016-4171, was being exploited "in limited, targeted attacks." The bug exists in Adobe Flash Player 21.0.0.242 and earlier versions - running on Windows, Mac, Linux, and Chrome OS - and "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Adobe on June 16 then released an updated version of Flash that patches 36 separate vulnerabilities, including CVE-2016-4171.
"Pay close attention to the release and address as quickly as possible," says Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post, adding that these attacks are another excellent reason to be running Microsoft's freeware Enhanced Mitigation Experience Toolkit on all Windows systems. "If you have EMET on your systems you are protected," he says (see 5 Secrets to Security Success).
APT Attackers Target Fresh Flaw
The CVE-2016-4171 flaw was discovered and reported to Adobe by Kaspersky Lab researchers Costin Raiu and Anton Ivanov. The researchers say they spotted related exploits earlier this month, and that they appear to be part of a spear-phishing campaign, dubbed Operation Daybreak, that launched in March, and which has amassed at least two dozen high-profile victims. Kaspersky Lab says it's code-named the "relatively new APT group" behind the attacks "ScarCruft."
"Victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania," the researchers say. "The group has several ongoing operations, utilizing multiple exploits - two for Adobe Flash and one for Microsoft Internet Explorer."
The researchers say that the group may also have been exploiting another zero-day Flash flaw, CVE-2016-0147, which Adobe patched in April, and that the group has also been associated with the so-called "Operation Erebus" attacks that used watering-hole attacks to distribute another Flash Player exploit, CVE-2016-4117, which was patched by Adobe in May (see Zero-Day Attacks Pummel IE, Flash).
For Operation Daybreak, it's not yet clear how the APT group has been exploiting victims. "Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted," the researchers say. For the second stage of the attack, however, some victims have been seeing a document, named "china.pdf," that the researchers say is written in Korean and which details "disagreements between China and 'the North' over nuclear programs and demilitarization."
Decoy "china.pdf" file fed to Operation Daybreak victims by APT attack group "ScarCruft." (Source: Kaspersky Lab.)
Caution or Kudos for Adobe?
The latest warning over this campaign reinforces just how often APT attackers target Flash, thus making a potential business case for banning it inside the enterprise. "This is the third month in a row that we are seeing a zero-day in Flash, making it most certainly the most targeted software on your organization's endpoints," Kandek says (see Emergency Flash Patch Battles Ransomware).
That may be true, although Kaspersky Lab reports that for 2015, four percent of all attacks it observed targeted Flash, which placed it second among targeted technologies behind Java, which was targeted in 14 percent of all attacks. But whether Flash comes first or second on hackers' hit list, the takeaway is that it's still a cheap and attractive target, since it can allow them to quickly and easily exploit millions of vulnerable PCs via highly automated attacks.
But Kaspersky Lab researchers Raiu and Ivanov, in their blog post on the Operation Daybreak attacks, contend that Adobe has been doing a good job of quickly patching flaws as they come to light, thus making related attacks more difficult to execute. "Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a sandbox bypass exploit, which makes them rather tricky," they say. "Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult. Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets."
Unless users keep their Flash Player updated to the very latest version, however, Adobe's fast fixes are for naught, since their endpoints will remain easy pickings for any attacker, be they an APT group or cybercrime toolkit subscriber. As a partial defense, security experts have long urged users to at least enable "click to play" in Flash, so that attackers can't force Flash to launch and then remotely take control of PCs running vulnerable versions of the software (see 2016 Resolution: Ditch Flash).
Breach Preparedness , Data Breach , Events
CrowdStrike CEO George Kurtz Details Incident Response Essentials
Preparing for data breaches - to detect them quickly, respond appropriately and ascertain exactly what happened - can help make the difference between a security incident having major or minor repercussions, says George Kurtz, CEO of cybersecurity firm CrowdStrike.
"When you have an issue, what you're trying to really do is prevent the mega-breach," Kurtz says. "You might have somebody compromise a system or infect a system, but what you're trying to do is avoid those 200 days of having an adversary roam unfettered on your network, stealing intellectual property, or financial data or personally identifiable information."
Prevention, however, requires preparation, including honing an organization's breach-response plan in advance, as well as marshaling and training everyone who will be required to help respond. The same goes for technology - for example, being able to replay what happened on any given endpoint after a potential breach gets found.
"Knowing exactly what piece of malware - as an example - touched a particular document may either cause you to have to notify that you've been breached, or it may save you potentially millions, because you can ascertain and empirically prove that that document or data element wasn't touched," he says.
In this interview with Information Security Media Group conducted at the Infosec Europe conference in London, Kurtz also details:
- Best practices for complying with the EU's new General Data Protection Regulation and related notification requirements;
- The importance of running tabletop exercises to help organizations hone their data breach response plans;
- The case for having an organization's legal team hire outside incident responders in advance of a breach;
- Factoring the potential for malicious insiders into incident-response plans.

Kurtz is CEO of CrowdStrike. Previously, he served as the worldwide chief technology officer - amongst other roles - at McAfee, was also the founder and CEO of Foundstone, and developed the first ever internet penetration-testing methodology for all of Price Waterhouse.
The Federal Bureau of Investigation is now warning U.S. businesses of a new type of business email compromise scam, a.k.a. CEO fraud, that takes aim at personally identifiable information, rather than simply tricking accounting staff into scheduling fraudulent wire transfers.
Additionally, the FBI has revised its tally of losses attributed to BEC attacks once again, putting worldwide fraud losses at more than $3 billion through the end of May. Just two months earlier, the agency said $2.3 billion had been lost to these scams between October 2013 and February 2016. Less than a year ago, it said losses were around $1 billion.
"Since January 2015, there has been a 1,300 percent increase in identified exposed losses," the FBI states. "The scam has been reported by victims in all 50 states and in 100 countries."
But in its June 14 public service announcement about the shifting focus of BEC attacks, the FBI notes that hacked email accounts linked to executives are now also being used to request personally identifiable information and W-2 tax forms from human resources and auditing departments.
Targeting PII was first seen earlier this year, prior to U.S. tax season, the FBI adds.
Email Authentication Won't Reduce Risk
To mitigate emerging risks, the FBI suggests companies implement two-factor authentication for email, which requires password entry and use of a dynamic PIN or code to log in to the email account.
"TFA [two-factor authentication] mitigates the threat of a subject gaining access to an employee's email account through a compromised password," the FBI says.
But experts say dual-factor authentication for email is not going to mitigate risks associated with BEC attacks, regardless of whether the attackers are after PII or want to schedule fraudulent wires. Because most BEC attacks are waged via spoofed, not compromised, email accounts, two-factor authentication will not mitigate risk, they contend.
"The majority of BEC attacks do not involve stealing the email password of executives," says Dave Jevans, vice president of mobile security at cyberthreat defense firm Proofpoint and chairman of the Anti-Phishing Working Group, a global coalition focused on unifying response to cybercrime. "BEC attacks involve sophisticated email spoofing. Two-factor authentication on the email of executives won't do much to solve this problem, and almost nobody has implemented 2FA on corporate email."
Rather than dual-factor authentication for email, companies should implement DMARC - Domain-based Message Authentication, Reporting & Conformance, which standardizes how email recipients authenticate emails through a uniform reporting mechanism, says Tom Kellermann, CEO of Strategic Cyber Ventures, a cybersecurity technologies investment firm.
"Businesses should mandate the use of DMARC and also require secondary, out-of-band authentication, like a text message or phone call, to validate a request for information or a transfer of funds," he says.
Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, says companies also should enhance email security by using cryptographic techniques to secure emails. But Nelson agrees email authentication is not the answer.
"Financial institutions and their corporate customers can do a lot more to filter email and make sure that phishing emails don't get through," he says. "But in the case of BEC, we aren't talking about phishing; these are spoofed emails. I don't know that doing some sort of authentication of the email would help in that case. Verifying the legitimacy of the user would help. And if it is a spoofed email and not coming from the address of the executive or the business, then that is something that you should be able to detect in your email filtering system."
And in terms of reducing phishing, Nelson says most banking institutions and businesses are having more success mitigating their risks through employee education rather than technology.
At the end of the day, Nelson says the best way to reduce risk is to eliminate email approval for wire transfers and requests for PII.
Warning Comes A Little Late
Financial fraud expert Shirley Inscoe, an analyst at consultancy Aite, says there's really nothing new about the attacks the FBI references in its most recent alert.
"I've been hearing about it throughout 2016," she says. "I'm surprised it took the FBI so long to issue an alert, as this really does allow major access to PII data by crime rings. They will add this information to their massive databases, and match it up with payment card information from previous data breaches when possible."
Hackers also use PII data to perpetrate tax fraud, Jevans and Nelson say, which also is nothing new.
"Stealing of PII is so that scammers can file fake tax returns before the actual person does, and they can claim a refund," Jevans says. And if criminals file the fake tax returns through a tax preparation company or service, then they can have their refunds issued on debit cards - which means instant cash, he adds.
"They are using that PII for tax return fraud," Nelson agrees. "We heard about it last year, and most states are getting hit hard; they already sent a tax refund to someone that is clearly fraudulent. Now they have to clean it up."
But Inscoe says the industry should be worried about more than just tax fraud, especially since hackers are increasingly targeting PII through a number of different methods. "Access to this data will also make it simpler to commit identity theft and to impersonate customers when calling into contact centers. When they can do so successfully, they can get online credentials reset, order additional cards on accounts or obtain some other access device to commit financial fraud. Money is always the ultimate goal, whether it is to fund terrorism or just the product of greed."
Inscoe says businesses that fall victim to these types of BEC attacks must contact their banking institutions immediately, to ensure that employee bank accounts can be monitored for suspicious activity. "While most FIs [financial institutions] won't issue new cards due to the breach of PII, they can monitor the accounts of the employees whose data was breached more closely, place alerts on the accounts and take more care when asked to reset credentials or issue new cards," she says.
Not Technically Sophisticated
The schemes have stung countless companies. Attackers impersonate key executives or financial personnel in companies and send emails to others in the organization ordering large wire transfers (see Business Email Compromise: How Big Is the Problem?).
The scam is not technically sophisticated, but rather relies on social engineering. The hackers collect email account credentials through phishing schemes and then begin monitoring how employees communicate. In other cases, emails are spoofed to appear to come from an organization.
"Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment," the FBI says. "The fraudsters will use the method most commonly associated with their victim's normal business practices."
In addition to email authentication, the FBI also suggests businesses invest in intrusion detection systems that are tuned to catch emails coming from spoofed domain names that closely resemble the businesses' legitimate domains.
The FBI also advises businesses to register domain names that are close to the actual company domain name.
And, as a final precaution, the FBI says significant transactions should always be verified over the phone, not over email alone.
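The filtering the FBI and Nelson describe above - spotting mail that claims to come from a domain closely resembling the company's own - is something DMARC alone does not cover, because DMARC only authenticates the exact domain that publishes the policy, not a separately registered lookalike. The following is an added example, not code from the FBI alert or from any of the firms quoted; it assumes a fictitious legitimate domain (`example.com`), a constructed list of sender addresses, and a small, hand-picked homoglyph table. It normalizes common character substitutions, then compares each label of the sender's domain against the company's registrable label by exact match, substring match and edit distance, and classifies the sender as legitimate, lookalike or merely external.

```python
"""Lookalike sender-domain check (added example; assumptions labelled inline)."""

# Common look-alike substitutions. This table is an assumption for the example,
# not a list published with the FBI alert; multi-character entries come first so
# that "rn" is folded to "m" before single digits are folded to letters.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
}


def normalize(label: str) -> str:
    """Lower-case a DNS label and fold common homoglyphs to their plain letters."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(sender: str, legit_domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for one sender address.

    'legitimate' means the sender's domain is the company domain or a subdomain of it.
    'lookalike'  means some label of the sender's domain resembles the company's
                 registrable label (e.g. examp1e.com, example.co, example.com.evil.test).
    'external'   means an unrelated domain; it is still untrusted, just not an impostor.
    """
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    legit = legit_domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"

    legit_label = legit.split(".")[0]
    # Short brands need a tighter threshold or ordinary words start to collide.
    max_distance = 1 if len(legit_label) < 6 else 2

    for label in domain.split("."):
        n = normalize(label)
        if n == legit_label:                                 # TLD swap or homoglyphs
            return "lookalike"
        if len(legit_label) >= 5 and legit_label in n:       # example-payments.net
            return "lookalike"
        if len(label) >= 4 and edit_distance(n, legit_label) <= max_distance:
            return "lookalike"                               # typo-squat, transposition
    return "external"


def scan(senders, legit_domain):
    """Classify a batch of sender addresses; returns {address: verdict}."""
    return {s: classify_sender(s, legit_domain) for s in senders}


# Constructed sample input: what a mail filter might see in one day's inbound log.
SAMPLE_SENDERS = [
    "ceo@example.com",                  # genuine
    "cfo@mail.example.com",             # genuine subdomain
    "ceo@examp1e.com",                  # digit-for-letter homoglyph
    "ceo@exarnple.com",                 # "rn" for "m"
    "ceo@exampel.com",                  # transposition
    "ceo@example.co",                   # TLD swap
    "ceo@example.com.attacker.test",    # brand as a subdomain of an attacker domain
    "billing@example-payments.net",     # brand embedded in a longer label
    "friend@gmail.com",                 # unrelated
    "partner@partner.test",             # unrelated
]

if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_SENDERS, "example.com").items():
        print(f"{verdict:10s} {address}")
```

In practice this check sits alongside, not instead of, DMARC and the out-of-band verification the FBI recommends: DMARC handles mail forged from the real domain, the lookalike check handles impostor registrations, and a phone call handles the case where both were bypassed.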
An alleged DNC background document dumped by Guccifer 2.0 (source: Gawker)
There's never any lack of lust for fame in the hacking world. Now one hacker, "Guccifer 2.0," has claimed sole responsibility for the breach of the Democratic National Committee's systems, posting a cache of documents on a public website.
It's a weighty, but as of yet unverified, claim following the DNC's disclosure on June 14 that its networks were breached (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).
The DNC took the fairly unheralded step of allowing the computer forensics firm Crowdstrike to release public details of the intrusions just days after the hackers were booted from the network. Forensic clues point to two known groups nicknamed Cozy Bear and Fancy Bear, both of which may be linked to the Russian government, Crowdstrike believes.
Guccifer 2.0 claims on a newly-created WordPress blog to have hacked the DNC alone, extracting thousands of documents and emails that are now being transferred to the secrets-spilling website Wikileaks.
The alleged hacker took a dig at Crowdstrike, contesting the company's competency: "I'm very pleased the company appreciated my skills so highly. But in fact, it was easy, very easy." Efforts to reach the hacker were unsuccessful.
Crowdstrike is keeping Guccifer 2.0's claims at arm's length, saying it is confident in its conclusion of the source of the attacks.
"Whether or not this posting is part of a Russian intelligence disinformation campaign, we are exploring the documents' authenticity and origin," it said. "Regardless, these claims do nothing to lessen our findings relating to the Russian government's involvement, portions of which we have documented for the public and the greater security community."
Guccifer Legacy
The original Guccifer is Marcel Lazar Lehel of Romania. He accessed the email accounts of close to 100 prominent people, including former Secretary of State Colin Powell and the sister of former President George W. Bush. Lehel pleaded guilty in late May in U.S. federal court to aggravated identity theft and unauthorized access to a computer.
In the blog post, Guccifer 2.0 mentioned his namesake: "Guccifer may have been the first one who penetrated Hillary Clinton's and other Democrats' mail servers. But he certainly wasn't the last. No wonder any other hacker could easily get access to the DNC's servers."
More than One Hack?
The published documents include a meaty, 237-page Word document marked confidential and titled the "Donald Trump Report." It's a comprehensive background briefing on the presumptive Republican presidential nominee. The date on the document is Dec. 19, 2015.
The hacker contested the DNC's assertion no financial data was compromised in its breach. Also released was an Excel file that purports to be a list of high dollar Democratic party donors. According to one screenshot, actor Morgan Freeman of Los Angeles donated $1 million, and film producer Jeffrey Katzenberg $3 million.
Officials with the DNC couldn't immediately be reached. Gawker reported that the DNC is aware that the documents are circulating.
If the documents are genuine, it would indicate perhaps more than even two groups had access to the DNC's systems. This is not unusual. Security audits often find many pieces of malware on vulnerable systems, and it is possible that many actors or groups saw exploitable holes.
The development also doesn't mean that Guccifer 2.0 is necessarily affiliated with either Cozy Bear or Fancy Bear. In fact, state-sponsored cyberespionage groups have no interest in publishing their stolen data publicly, as it's intended for internal consumption.
This edition of the ISMG Security Report kicks off with thoughts on how the Watergate break-in of the Democratic Party headquarters by operatives of President Nixon's reelection campaign 44 years ago today would have played out if current technology existed then. We might never have heard the word Watergate.
The Watergate anniversary comes the same week news surfaced of another breach - this one virtual - of the Democratic National Committee, in which Russian hackers allegedly accessed emails, chat conversations and opposition research on Donald Trump, the presumptive Republican presidential nominee.
You'll hear in this report:
- ISMG Managing Editor for Security and Technology Jeremy Kirk explain why the DNC and its security contractor CrowdStrike did something highly unusual: provide details about the breach. In my conversation with Jeremy, I explain why Russian hackers are so good at their job.
- DataBreachToday Executive Editor Mathew J. Schwartz points out that old internet protocols - including telnet and FTP - continue to be in widespread use, and used insecurely.
- BankInfoSecurity Executive Editor Tracy Kitten evaluates the war of words between bankers and retailers over national data breach notification legislation before the U.S. Congress.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Please check out our June 10 and June 14 reports, which respectively examine the concerns expressed by security practitioners at the Infosecurity Europe conference in London earlier this month and analyze Symantec's purchase of Blue Coat. The next ISMG Security Report will be posted Tuesday, June 21.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.