All posts by Rob Sobers

Varonis Brings Data Security to Nasuni

Nasuni Cloud NAS

We’re excited to announce that, in an upcoming release, the Varonis Data Security Platform will bring data-centric audit and protection to Nasuni Enterprise File Services. Nasuni is a key Varonis partner in the growing market for hybrid cloud Network Attached Storage (NAS).

If Nasuni is a critical part of your IT infrastructure, adding Varonis will enable you to:

  • Discover and classify sensitive, regulated files
  • Detect and alert on suspicious activity like ransomware and insider threats
  • Lock down file systems and permissions to only the right people
  • Capture and analyze a fully searchable audit trail of file system activity
  • Automatically find and flag stale data

Varonis will use the Nasuni API to analyze access events, lock down file systems and permissions, capture a detailed audit trail for compliance and forensics, and automate reporting. You’ll have unprecedented visibility and protection on your Nasuni edge appliances, helping you stay safe from insider threats and cyberattacks.

If you’re in the Boston area this week and are looking to leverage the cloud for more scalable file sharing, NAS consolidation, or multi-site file collaboration, head on over to Nasuni Summit on October 5 where you can hear more about our partnership. We’re also participating in panel discussions on security, compliance, and cloud.

Stay tuned to learn more about the official release of our Nasuni integration. If you’d like to be one of the first to try it out, simply reach out.

🚨 Petya-Inspired Ransomware Outbreak: What You Need To Know

NotPetya Ransomware

On the heels of last month’s massive WannaCry outbreak, a major ransomware incident is currently underway by a new variant (now) dubbed “NotPetya.” For most of the morning, researchers believed the ransomware to be a variant of Petya, but Kaspersky Labs and others are reporting that, though it has similarities, it’s actually #NotPetya. Regardless of its name, here’s what you should know.

This malware doesn’t just encrypt data for a ransom, but instead hijacks computers and renders them completely inaccessible by encrypting their Master Boot Record (MBR).

Petya is another fast-spreading attack which, like WannaCry, uses the NSA exploit ETERNALBLUE. Unlike WannaCry, Petya can also spread via remote WMI and PsExec (more on that in a minute). A few scary things about this new malware:

  • It doesn’t have a remote kill switch like WannaCry
  • It is far more sophisticated — it has a variety of automated ways to spread
  • It renders machines completely unusable

A number of prominent organizations and companies have already been badly hit, including the Ukrainian government, which has quite the sense of humor:


Infections have been reported across the globe: affecting metro systems, national utilities, banks and international enterprises: the scope is not yet known, but reports continue to come in of infected computers and stalled IT systems across industries and throughout the world.

How is Petya spreading?

Petya was initially thought to have gotten a toehold in corporate networks via emails with infected Word document attachments which exploit CVE-2017-0199. (If you’ve patched Microsoft Office, you should be protected from this attack vector.)

While phishing is a viable attack vector, one of the primary vectors is MeDoc, a financial software firm based in the Ukraine. MeDoc’s software update feature was hacked and attackers used it to distribute the Petya ransomware (source). This explains why the Ukraine has been hit hardest.

Once a single machine is infected, Petya spreads peer-to-peer to other Windows-based endpoints and servers that are vulnerable to MS17-010, the SMB vulnerability that everyone was instructed to patch during WannaCry. It can also spread via PsExec to admin$ shares, even on patched machines. We’ve written a detailed guide about PsExec and how to disable PowerShell recently. That’ll come in handy here.

A silver lining, at least at this juncture, is that the peer-to-peer infection doesn’t seem to leap beyond the local network. Petya can buzz through an entire LAN rather efficiently, but is unlikely to hop to other networks. As @MalwareTechBlog, the pizza-loving surfer dude who famously hit the WannaCry kill switch points out:

The Current Petya attack is different in the sense that the exploits it uses are only used to spread across a local network rather than the internet (i.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected). Due to the fact networks are of limited size and fairly quick to scan, the malware would cease spreading once it has finished scanning the local network and therefore is not anywhere near as infectious as WannaCry, which still continues to spread (though is prevented from activating via the “kill switch”).


How to Detect PsExec with DatAlert

If you’re a DatAlert customer on the version 6.3.150 or later you can do the following to detect PsExec.exe dropped on Windows file servers:

1. Select Tools –> DatAlert –> DatAlert

2. Search for “system admin”

3. For each of the selected rules (expand the groups to see them), press “Edit Rule” and tick “Enabled”

If PsExec is detected, DatAlert will generate sysadmin tools alerts in the “Reconnaissance” alert category such as “System administration tool created or modified” or “An operation on a tool commonly used by system administrators failed.”

This should help you detect if Petya is using PsExec to spread across your file servers. Keep reading because there is more you can do to prevent initial infection and stop Petya from spreading on your endpoints.

What does Petya do?

Once on a machine, NotPetya waits for an hour and a half before performing any attack, likely to give time for more machines to be affected, and to obfuscate the point of entry.

After waiting:

  1. It encrypts the Master File Table (MFT) of locally attached NTFS drives
  2. Copies itself into the Master Boot Record (MBR) for the infected workstation/server
  3. Forces a reboot of the machine so that users are locked out
  4. Displays the ransom demand lock screen on boot (shown below)

By encrypting the MFT, the individual workstation or server is taken offline until the ransom is paid. This has the potential to disrupt an organization to a much greater degree than if some files on a server are encrypted. In many cases, IT may need to individually address each machine; the standard ransomware response of “We’ll just restore those files from backup” is rendered ineffective.

If remote boot / imaging processes aren’t in place to restore infected machines, it may be necessary to put hands on the workstations to fix them. While possible in most cases, for companies with many remote installations it can be extremely challenging and time consuming. If you’re a shipping company with 600+ cargo ships on the move at any moment nearly impossible.

As Microsoft notes, “Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code” — if the infected user does not have admin privileges on the machine, it will try to encrypt user data matching the following extensions:

It does not add a unique extension to the encrypted files (such as .locky) — it encrypts the contents and preserves the original filename and extension.

What To Do?

Preventing Petya closely mirrors the steps that you may have previously taken for WannaCry:

  • Disable SMBv1 while you patch
  • Block TCP port 445 from outside (or between segments if possible)
  • Apply the patch!

Local Kill Switch

There is also somewhat of a local kill switch. On any given machine, if the file %WINDIR%\perfc exists (no extension) the ransomware will not execute. You can get creative with ways to deploy that file to all workstations in your environment.

Additionally, you can see which endpoint AV products are able to detect Petya by looking at the VirusTotal results.

A sample of Petya acquired by researchers was compiled on June 18:

Should You Pay?

A Posteo (an email service provider) account was included in the Ransomware message. The abuse and security team at Posteo have posted an update at:

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

They have:

  1. Blocked the account
  2. Confirmed that no decrypt keys were sent from the account
  3. Contacted the authorities to offer what assistance they can

All of which adds up to the fact that you shouldn’t pay the ransom as you won’t receive the necessary decryption keys.

This is a developing story and we’ll keep this post updated as we learn more.

Other Helpful Links

Reality Leah Winner and the Age of Insider Threats


Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the rule of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of its most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document which contained tracking metadata. Winner accessed the data and then printed it. Investigators knew it was printed because of invisible micro dots on the page, so they could trace it to a specific printer and date. That narrowed it down to six users, one of which had email contact with The Intercept.

Image credit: http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

It was a combination of different types of forensic metadata that identified Winner as the leaker. Just knowing the printer and date wouldn’t have been enough on its own without it being correlated with email behavior, but together Winner could be conclusively identified.

Want to learn more about insider threats and techniques to mitigate them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free. Click here to enroll.

If you want to get a handle on insider threats within your organization, Varonis can help.

WannaCry’s Accidental Hero


Quick update on the massive #WannaCry cyber attack. Before I begin, this is going to SOUND like good news, and it is, but please realize that the propagation of this malware can be restarted VERY easily, so please follow the instructions we laid out here to patch.

Apparently there was a kill switch built into the malware. It attempts an HTTP GET on iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the request succeeds, it stops propagating, as noted by Talos Intelligence:

Earlier today, @MalwareTechBlog observed the traffic to the fake domain, registered it, and sinkholed it, thus stopping the bleeding in a major way. Funny enough, he didn’t realize the domain check kill switch existed. It was sort of dumb luck:

There you have it. @MalwareTechBlog: #WannaCry’s accidental hero.

UPDATE: As Didier Stevens points out, the kill switch is NOT proxy aware. Won’t work for companies that have a proxy.

What is a Data Security Platform?


A Data Security Platform (DSP) is a category of security products that replaces traditionally disparate security tools.

DSPs combine data protection capabilities such as sensitive data discovery, data access governance, user behavior analytics, advanced threat detection, activity monitoring, and compliance reporting, and integrate with adjacent security technologies.

They also provide a single management interface to allow security teams to centrally orchestrate their data security controls and uniformly enforce policies across a variety of data repositories, on-premises and in the cloud.

Data Security Platform (DSP)

Adapted from a figure used in the July 2016 Forrester report, The Future Of Data Security And Privacy: Growth And Competitive Differentiation.

The Rise of the Data Security Platform

A rapidly evolving threat landscape, rampant data breaches, and increasingly rigorous compliance requirements have made managing and protecting data more difficult than ever. Exponential data growth across multiple silos has created a compound effect that has made the disparate tool approach untenable. Siloed tools often result in inconsistently applied data security policies.

Many organizations are finding that simply increasing IT security spend doesn’t necessarily correlate to better overall data security. How much you spend isn’t as important as what you spend it on and how you use what you buy.

“Expense in depth” hasn’t been working. As a result, CISOs are aiming to consolidate and focus their IT spend on platforms over products to improve their enterprise-wide security posture, simplify manageability, streamline processes, and control costs.

According to Gartner, “By 2020, data-centric audit and protection products will replace disparate siloed data security tools in 40% of large enterprises, up from less than 5% today.”

(Source: Gartner Market Guide for Data-Centric Audit and Protection, March 21, 2017).

What are the benefits of a Data Security Platform?

There are clear benefits to consolidation which are generally true in all facets of technology, not just information security:

  • Easier to manage and maintain
  • Easier to coordinate strategy
  • Easier to train new employees
  • Fewer components to patch and upgrade
  • Fewer vendors to deal with
  • Fewer incompatibilities
  • Lower costs from retiring multiple point solutions

In information security, context is king. And context is enhanced drastically when products are integrated as part of a unified platform.

As a result, the benefits of a Data Security Platform are pronounced:

  • By combining previously disparate functions, DSPs have more context about data sensitivity, access controls, and user behavior, and can therefore paint a more complete picture of a security incident and the risk of potential breaches.
  • The total cost of ownership (TCO) is lower for a DSP than for multiple, hard-to-integrate point solutions.
  • In general, platform technologies have the flexibility and scalable architecture to accommodate new data stores and add new functionality when required, making the investment more durable
  • Maintaining compatibility between multiple data security products can be a massive challenge for security teams.
    • DSPs often result in an OpEx reduction because the security teams are dealing with fewer vendors and maintaining, tuning, and upgrading fewer products.
    • CapEx reduction from retiring point solutions
  • CISOs want to be able to apply their data security strategy consistently across data silos and easily measure results.

Why context is essential to threat detection

What happens when your tools lack context?

Let’s take a standalone data loss prevention (DLP) product as an example.

Upon implementing DLP it is not uncommon to have tens of thousands of “alerts” about sensitive files. Where do you begin? How do you prioritize? Which incident in the colossal stack represents a significant risk that warrants your immediate, undivided attention?

The challenge doesn’t stop here. Pick an incident/alert at random – the sensitive files involved may have been auto-encrypted and auto-quarantined, but what comes next? Who has the knowledge and authority to decide the appropriate access controls? Who are we now preventing from doing their jobs? How and why were the files placed here in the first place?

DLP solutions by themselves provide very little context about data usage, permissions, and ownership, making it difficult for IT to proceed with sustainable remediation. IT is not qualified to make decisions about accessibility and acceptable use on its own; even if it were, it is not realistic to make these kinds of decisions for each and every file.

You can see a pattern forming here – with disparate products we often end up with excellent questions, but we urgently need answers that only a DSP can provide.

Which previously standalone technologies does a Data Security Platform include?

  • Data Classification & Discovery
    • Where is my sensitive data?
    • What kind of sensitive, regulated data do we have? (e.g., PCI, PII, GDPR)
    • How should I prioritize my remediation and breach detection efforts? Which data is out of scope?
  • Permissions Management
    • Where is my sensitive data overexposed?
    • Who has access to sensitive information they don’t need?
    • How are permissions applied? Are they standardized? Consistent?
  • User Behavior Analytics
    • Who is accessing data in abnormal ways?
    • What is normal behavior for a given role or account?
    • Which accounts typically run automated processes? Which access critical data? Executive files and emails?
  • Advanced Threat Detection & Response
    • Which data is under attack or potentially being compromised by an insider threat?
    • Which user accounts have been compromised?
    • Which data was actually taken, if any?
    • Who is trying to exfiltrate data?
  • Auditing & Reporting
    • Which data was accessed? By whom? When?
    • Which files and emails were accessed or deleted by a particular user?
    • Which files were compromised in a breach, by which accounts, and exactly when were they accessed?
    • Which user made this change to a file system, access controls or group policy, and when?
  • Data Access Governance
    • How do we implement and maintain a least privilege model?
    • Who owns the data? Who should be making the access control decisions for each critical dataset?
    • How do I manage joiners, movers, and leavers so only the right people maintain access?
  • Data Retention & Archiving
    • How do we get rid of toxic data that we no longer need?
    • How do we ensure personal data rights (right to erasure & to be forgotten)?

Analyst Research

A number of analyst firms have taken note of the Data Security Platform market and have released research reports and market guides to help CISOs and other security decision-makers.

Forrester’s “Expense in Depth” Research

In January 2017, Forrester Consulting released a study, commissioned by Varonis, entitled The Data Security Money Pit: Expense in Depth Hinders Maturity that shows a candy-store approach to data security may actually hinder data protection and explores how a unified data security platform could give security professionals the protection capabilities they desire, including security analytics, classification and access control while reducing costs and technical challenges.

The study finds that a fragmented approach to data security exacerbates many vulnerabilities and challenges, and 96% of these respondents believe a unified approach would benefit them, including preventing and more quickly responding to attempted attacks, limiting exposure and reducing complexity and cost. The study goes on to highlight specific areas where enterprise data security falls short:

  • 62% of respondents don’t know where their most sensitive unstructured data resides
  • 66% don’t classify this data properly
  • 59% don’t enforce a least privilege model for access to this data
  • 63% don’t audit use of this data and alert on abuses
  • 93% suffer persistent technical challenges with their current data security approach

Point products may mitigate specific threats, but when used tactically, they undermine more comprehensive data security efforts.

According to the study, “It’s time to put a stop to expense in depth and wrestling with cobbling together core capabilities via disparate solutions.”

Almost 90% of respondents desire a unified data security platform. Key criteria to include in such a platform as selected by the survey respondents include:

  • Data classification, analytics and reporting (68% of respondents)
  • Meeting regulatory compliance (76% of respondents)
  • Aggregating key management capabilities (70% of respondents)
  • Improving response to anomalous activity (68% of respondents)

Forrester concludes:

Forrester on Data Security Platforms

Gartner’s DCAP Market Guide

Gartner released the 2017 edition of their Market Guide for Data-Centric Audit and Protection. The guide’s summary concisely describes the need for a platform approach to data security:

Gartner on Data-Centric Audit and Protection

Gartner recommends that organizations “implement a DCAP strategy, and ‘shortlist’ products that orchestrate data security controls consistently across all silos that store the sensitive data.” Further, the report advises, “A vendor’s ability to integrate these capabilities across multiple silos will vary between products and also in comparison with vendors in each market subsegment. Below is a summary of some key features to investigate:”

  • Data classification and discovery
  • Data security policy management
  • Monitoring user privileges and data access activity
  • Auditing and reporting
  • Behavior analysis, alerting and blocking
  • Data protection

Demo the Varonis Data Security Platform

The Varonis Data Security Platform (DSP) protects enterprise data against insider threats, data breaches and cyberattacks by analyzing content, accessibility of data and the behavior of the people and machines that access data to alert on misbehavior, enforce a least privilege model and automate data management functions. Learn more about the Varonis Data Security Platform →

What customers are saying about the Varonis Data Security Platform

City of San Diego on the Varonis Data Security Platform

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Detecting Malware Payloads in Office Document Metadata

Office Documents with Malicious Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Check out this nifty PowerShell payload in the company metadata:

Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the payload stored within the document’s own metadata executes and does its work. No extra files written to disk or network requests made.

The question about whether DatAlert can detect stuff like this came up in the Twitter thread, so I decided to write up a quick how-to.

Finding Malicious Metadata with Varonis

What you’ll need: DatAdvantage, Data Classification Framework, DatAlert

Step 1: Add Extended File Properties to be scanned by Data Classification Framework.

  • Open up the Varonis Management Console
  • Click on Configuration → Extended File properties
  • Add a new property for whichever field you’d like to scan (e.g., “Company”)

Varonis Management Console

(Note: prior to version 6.3, extended properties are created in DatAdvantage under Tools → DCF and DW → Configuration → Advanced)

Step 2: Define a malicious metadata classification rule

  • In the main menu of DatAdvantage select Tools → DCF and DW → Configuration
  • Create a new rule
  • Create a new filter
  • Select File properties → Company (or whichever property you’re scanning)
  • Select “like” to search for a substring
  • Add the malicious value you’d like to look for (e.g., .exe or .bat)

Varonis DCF New Classification Rule

Step 3: Create an alert in DatAlert to notify you whenever a file with malicious metadata is discovered

  • In the main menu of DatAdvantage select Tools → DatAlert
  • Click the green “+” button to create a new rule
  • Click on the “Where (Affected Object)” sub menu on the left
  • Add a new filter → Classification Results
  • Select your rule name (e.g., “Malicious Metadata”)
  • Select “Files with hits” and “Hit count (on selected rules)” greater than 0

DatAlert Rule for Malicious Document Metadata

You can fill out the rest of the details of your alert rule, like which systems to scan, how you want to get your alerts, etc.

As an extra precaution, you could also create a Data Transport Engine rule based on the same classification result that will automatically quarantine files that are found to have malicious metadata.

That’s it! You can update your “Malicious Metadata” over time as you see reports from malware researchers of new and stealthier ways to encode malicious bits within document metadata.
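The same substring check the classification rule above performs can be run outside Varonis, straight against the document package. The script below is an added example, not Varonis code: it unzips an Office Open XML file in memory, reads the extended and core property parts, and flags fields whose value contains a suspicious substring. It goes beyond the single “Company” field in the text by scanning several properties at once; the suspicious-substring list and the sample documents are constructed here for illustration.

```python
"""Scan Office Open XML documents (.docx/.xlsx/.pptx) for suspicious values
in their document-property metadata (Company, Manager, Title, Comments, ...).

Added example, not Varonis code.  It mirrors the Data Classification
Framework rule above (case-insensitive substring match on extended file
properties) as a stand-alone script.  SUSPICIOUS and the sample documents
are constructed for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts inside an OOXML package.
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"

# Property parts and the fields worth scanning in each (Clark notation).
PROPERTY_PARTS = {
    "docProps/app.xml": [f"{{{APP_NS}}}Company", f"{{{APP_NS}}}Manager"],
    "docProps/core.xml": [f"{{{DC_NS}}}title", f"{{{DC_NS}}}description",
                          f"{{{DC_NS}}}subject", f"{{{CORE_NS}}}keywords"],
}

# Substrings that have no business in a Company or Title field.  Matching is
# case-insensitive, like the "like" filter in the DCF rule.  Assumed list;
# extend it as researchers report new ways of hiding code in metadata.
SUSPICIOUS = [".exe", ".bat", ".ps1", "powershell", "cmd.exe", "-enc",
              "invoke-expression", "iex(", "frombase64string", "wscript"]


def extract_properties(data: bytes) -> dict:
    """Return {'part:field': value} for every scanned metadata field present."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, fields in PROPERTY_PARTS.items():
            if part not in zf.namelist():
                continue  # e.g. a document saved without app.xml
            root = ET.fromstring(zf.read(part))
            for tag in fields:
                el = root.find(tag)
                if el is not None and el.text:
                    found[f"{part}:{tag.split('}')[1]}"] = el.text
    return found


def scan_document(data: bytes) -> list:
    """Return a list of (field, matched_substring, value) hits; empty if clean."""
    hits = []
    for field, value in extract_properties(data).items():
        lowered = value.lower()
        for needle in SUSPICIOUS:
            if needle in lowered:
                hits.append((field, needle, value))
                break  # one hit per field is enough to flag the document
    return hits


def build_sample_docx(company: str) -> bytes:
    """Construct a minimal .docx in memory with the given Company property.
    Constructed test input, not a real malware sample."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
        f'<Company>{company}</Company></Properties>'
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}">'
        '<dc:title>Quarterly report</dc:title></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx("Contoso Ltd")
    # Inert placeholder string standing in for a payload; it runs nothing.
    flagged = build_sample_docx("powershell.exe -enc PLACEHOLDER_BASE64")
    print("benign:", scan_document(benign))   # prints []
    print("flagged:", scan_document(flagged))  # prints one Company hit
```

Point `scan_document` at `open(path, "rb").read()` for real files; a non-empty return is the equivalent of a classification hit and can feed whatever alerting or quarantine you already have.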

If you’re an existing Varonis customer, you can set up office hours with your assigned engineer to review your classification rules and alerts. Not yet a Varonis customer? What are you waiting for? Get a demo of our data security platform today.

Are Wikileaks and ransomware the precursors to mass extortion?


Despite Julian Assange’s promise not to let Wikileaks’ “radical transparency” hurt innocent people, an investigation found that the whistleblowing site has published hundreds of sensitive records belonging to ordinary citizens, including medical files of rape victims and sick children.

The idea of having all your secrets exposed, as an individual or a business, can be terrifying. Whether you agree with Wikileaks or not, the world will be a very different place when nothing is safe. Imagine all your emails, health records, texts, and finances open for the world to see. Unfortunately, we may be closer to this than we think.

If ransomware has taught us one thing it’s that an overwhelming amount of important business and personal data isn’t sufficiently protected. Researcher Kevin Beaumont says he’s seeing around 4,000 new ransomware infections per hour. If it’s so easy for an intruder to encrypt data, what’s stopping cybercriminals from publishing it on the open web?

There are still a few hurdles for extortionware, but none of them are insurmountable:

1. Attackers would have to exfiltrate the data in order to expose it

Ransomware encrypts data in place without actually stealing it. Extortionware has to bypass traditional network monitoring tools that are built to detect unusual amounts of data leaving their network quickly. Of course, files could be siphoned off slowly disguised as benign web or DNS traffic.

2. There is no central “wall of shame” repository like Wikileaks

If attackers teamed up to build a searchable public repository for extorted data, it’d make the threat of exposure feel more real and create a greater sense of urgency. Wikileaks is very persistent about reminding the public that the DNC and Sony emails are out in the open, and they make it simple for journalists and others to search the breached data and make noise about it.

3. Maybe ransomware pays better

Some suggest that the economics of ransomware are better than extortionware, which is why we haven’t seen it take off. On the other hand, how do you recover when copies of your files and emails are made public? Can the DNC truly recover? Payment might be the only option, and one big score could be worth hundreds of ransomware payments.

So what’s preventing ransomware authors from trying to do both? Unfortunately, not much. They could first encrypt the data then try to exfiltrate it. If you get caught during exfiltration, it’s not a big deal. Just pop up your ransom notification and claim your BTC.

Ransomware has proven that organizations are definitely behind the curve when it comes to catching abnormal behavior inside their perimeters, particularly on file systems. I think the biggest lesson to take away from Wikileaks, ransomware, and extortionware is that we’re on the cusp of a world where unprotected files and emails will regularly hurt businesses, destroy privacy, and even jeopardize lives (I’m talking about hospitals that have suffered from cyberattacks like ransomware).

If it’s trivially easy for noisy cybercriminals that advertise their presence with ransom notes to penetrate and encrypt thousands of files at will, the only reasonable conclusion is that more subtle threats are secretly succeeding in a huge way. We just haven’t realized it yet…except for the U.S. Office of Personnel Management. And Sony Pictures. And Mossack Fonseca. And the DNC. And…

The Enemy Within: A Free Security Training Course by Troy Hunt


It takes a very long time to discover a threat on your network according to the Verizon DBIR:

breach-discovery

Which is mind-boggling given the most devastating breaches often start with an insider—either an employee or an attacker that gets inside using an insider’s credentials. Target, OPM, Panama Papers, Wikileaks. The list goes on and on.

The truth is that many organizations are behind the curve when it comes to understanding and defending against insider threats.

So when we were tossing around topic ideas with Troy, it quickly became clear what our next video course should focus on.

I’m happy to announce the third course in our free, CPE-eligible security training series—The Enemy Within: Understanding Insider Threats.

What’s inside?

The course is broken into 8 video modules totaling over an hour’s worth of entertaining material that covers where insider threats originate, how they exfiltrate data, and how to stop them.

More free content

While you’re at it, grab the previous two courses in the series:

About Troy

Troy is a Microsoft Regional Director, Most Valuable Professional, and top-rated international speaker on online security, regularly delivering the number one rated talk at events across the globe. He’s also the author of 26 online Pluralsight courses, which frequently feature at the top of the charts. Troy’s site, HaveIBeenPwned.com, is one of the world’s most popular data breach verification sites.

Yahoo Breach: Pros react to massive breach impacting hundreds of millions o...

Yahoo has confirmed a data breach affecting at least 500 million users in the latest mega breach to make headlines. Here’s what some infosec pros had to say about it.

We’ll update this post as more details around the story unfold. Stay tuned.

Why the OPM Breach Report is a call-to-action for CSOs to embrace data-cent...

The Committee on Oversight and Government Reform released a fascinating 231-page report detailing the how and why behind the epic breach at the United States Office of Personnel Management.

Richard Spires, the former CIO of the IRS and DHS, remarked on OPM’s failure to take a data-centric approach to information security:

“[I]f I had walked in there [OPM] as the CIO—and, you know, again, I’m speculating a bit, but—and I saw the kinds of lack of protections on very sensitive data, the first thing we would have been working on is how do we protect that data? OK? Not even talking about necessarily the systems. How is it we get better protections and then control access to that data better?”

What data was taken?

A picture of the damage inflicted by the OPM breach is painted through a series of powerful quotes, like this one from James Comey, Director of the FBI:

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

It’s hard to refute the argument that this is the most devastating breach of all time given the scale and sensitivity of the data that was stolen:

  • 4.2 million personnel files of former and current government employees
  • 21.5 million security clearance background investigation files
  • 5.6 million fingerprints

The background investigation files include things like mental health history, alcohol abuse, gambling issues, and other deeply personal information.

How OPM happened

The landmark event that everyone thinks of when they hear “OPM breach” is the theft of 21.5 million background investigation files from the Personnel Investigations Processing System (PIPS) – a legacy mainframe that stores the organization’s crown jewels. This breach was disclosed in 2015.

However, a file share breach disclosed back in 2014 appears to have played an instrumental role in the eventual PIPS breach. In fact, investigations showed that hackers had access to OPM’s network since July of 2012 and were discovered only after advanced monitoring was enabled in March of 2014.

Regrettably, we’ll never know the extent of documents exfiltrated prior to March 2014.

On March 20, 2014, the Department of Homeland Security’s Computer Emergency Response Team (US-CERT) informed OPM’s own response team that a hacker had exfiltrated OPM data from the network.

To “better understand” the threat posed by the hacker (referred to as Hacker X1), OPM monitored the adversary’s movements for two months until they discovered a second hacker (Hacker X2) who gained initial access using a contractor’s stolen credentials.

Brendan Saulsbury, an OPM contractor with OPM’s IT Security Operations, says:

“So we would sort of observe the attacker every day or, you know, every couple of days get on the network and perform various commands. And so we could sort of see what they were looking for. They might take some documentation, come back, and then access, you know, somebody else’s file share that might be a little bit closer or have more access into the system.”

Hikit and SMB

Hacker X2 dropped Hikit malware to establish a backdoor, escalate privileges, and perform keylogging. Hikit was found on numerous systems and was beaconing back to a C2 server. OPM sniffed the hacker’s traffic to determine what was being exfiltrated.

Activity logs showed that the hackers would log on between 10 p.m. and 10 a.m. ET using a compromised Windows domain administrator account and search for PII on file shares using SMB commands.

OPM watched a hacker exfiltrate documents from a file share which contained information that described the PIPS system and how it is architected.

Appendix D of US-CERT’s June 2014 incident report describes the stolen file-share data:

[Figure: exfiltrated-opm-data, Appendix D of the US-CERT June 2014 incident report]

OPM’s Director of IT Security Operations, Jeff Wagner, testified:

“In 2014, the adversary was utilizing a Visual Basic script to scan all of our unstructured data. So the data comes in two forms. It’s either structured, i.e., a database, or unstructured, like file shares or the home drive of your computer, things of that nature. All the data that is listed here, all came out of personal file shares that were stored in the domain storage network.”

The value of the data known to be exfiltrated was initially dismissed as being fairly inconsequential, but the US-CERT investigation report makes it clear that the hackers were doing reconnaissance on OPM’s file-sharing infrastructure in order to get closer to PIPS:

“The attackers primarily focused on utilizing SMB [Server Message Block] commands to map network file shares of OPM users who had administrator access or were knowledgeable of OPM’s PIPS system. The attacker would create a shopping list of the available documents contained on the network file shares. After reviewing the shopping list of available documents, the attacker would return to copy, compress and exfiltrate the documents of interest from a compromised OPM system to a C2 server.”
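The activity-log pattern described above (off-hours log-ons with a domain administrator account, then SMB mapping of many users’ file shares to build a “shopping list”) is exactly the kind of signal file-access telemetry can surface. The following is an added detection example, not code from the report, US-CERT or Varonis: it runs over constructed audit events, and the account names, hosts, share paths, the 10 p.m. to 10 a.m. window and the share-count threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, time

# Constructed sample file-share audit events (timestamp ET, account, client
# host, share path, action). Not real OPM data; names and paths are made up.
SAMPLE_EVENTS = """\
2014-03-18 23:14:02,CORP\\svc-admin,WKS-17,\\\\fs01\\it-docs,ReadFile
2014-03-18 23:14:09,CORP\\svc-admin,WKS-17,\\\\fs01\\pips-arch,ReadFile
2014-03-18 23:15:41,CORP\\svc-admin,WKS-17,\\\\fs02\\home$\\jdoe,ListDirectory
2014-03-18 23:16:03,CORP\\svc-admin,WKS-17,\\\\fs02\\home$\\asmith,ListDirectory
2014-03-18 23:17:30,CORP\\svc-admin,WKS-17,\\\\fs03\\hr-share,ListDirectory
2014-03-19 01:02:11,CORP\\svc-admin,WKS-17,\\\\fs03\\eng,ReadFile
2014-03-19 09:05:00,CORP\\jdoe,WKS-42,\\\\fs02\\home$\\jdoe,ReadFile
2014-03-19 09:06:12,CORP\\jdoe,WKS-42,\\\\fs01\\it-docs,ReadFile
2014-03-19 14:20:00,CORP\\asmith,WKS-08,\\\\fs02\\home$\\asmith,WriteFile
"""

ADMIN_ACCOUNTS = {"CORP\\svc-admin"}    # assumed set of privileged accounts
OFF_HOURS = (time(22, 0), time(10, 0))  # 10 p.m. to 10 a.m. window from the report
SHARE_THRESHOLD = 3                     # assumed: distinct shares per account per night

def parse_events(text):
    """Parse the CSV-style audit lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, share, action = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "account": account, "host": host,
                       "share": share, "action": action})
    return events

def is_off_hours(ts, window=OFF_HOURS):
    """True if ts falls inside the window; the window wraps past midnight."""
    start, end = window
    return ts.time() >= start or ts.time() < end

def night_key(ts):
    """Shift by 10 h so 10 p.m. and the following 9 a.m. share one key."""
    return (ts - timedelta(hours=10)).date().isoformat()

def share_enumeration_alerts(events, admins=ADMIN_ACCOUNTS,
                             threshold=SHARE_THRESHOLD):
    """Flag privileged accounts that touch many distinct shares off-hours."""
    touched = defaultdict(set)
    for ev in events:
        if ev["account"] in admins and is_off_hours(ev["ts"]):
            touched[(ev["account"], night_key(ev["ts"]))].add(ev["share"])
    return [{"account": acct, "night": night, "distinct_shares": len(shares),
             "shares": sorted(shares)}
            for (acct, night), shares in sorted(touched.items())
            if len(shares) >= threshold]
```

Running `share_enumeration_alerts(parse_events(SAMPLE_EVENTS))` returns a single alert for the administrator account spanning six shares across the night of March 18, while the daytime activity of ordinary users produces nothing.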

When asked if the documents exfiltrated from the file shares would yield an advantage in future attacks, Wagner replied:

“It gives them more familiarity with how the systems are architected. Potentially some of these documents may contain accounts, account names, or machine names, or IP addresses that are relevant to these critical systems.”

Not so trivial after all.

After conceding that the hackers were getting “too close” to PIPS, security ops decided to “boot” the hacker in an operation called the “Big Bang.”

They successfully booted Hacker X1 in late May 2014, but Hacker X2 maintained a foothold, traversing the cyber kill chain en route to the famous PIPS breach:

“Beginning in July through August 2014, the Hacker X2 exfiltrated the security clearance background investigation files. Then in December 2014, personnel records were exfiltrated, and in early 2015, fingerprint data was exfiltrated.”

A stunning lack of visibility

US-CERT identified numerous gaps in the OPM’s centralized logging strategy:

“Gaps in OPM’s audit logging capability likely limited OPM’s ability to answer important forensic and threat assessment questions related to the incident discovered in 2014. This limited capability also undermined OPM’s ability to timely detect the data breaches that were eventually announced in June and July 2015.”

The big takeaway from US-CERT’s gap analysis is that traditional security strategies have a severe vulnerability when it comes to insider threats. By Jeff Wagner’s own admission, OPM had focused heavily on perimeter security, but lacked the technology necessary to detect and stop attackers who were already inside.

The report outlines OPM’s history of inadequate security controls and failed audits:

  • 2005 – the Inspector General (IG) gives OPM a bad security grade, says they’re vulnerable to hackers
  • FY 2013-2015 – OPM’s IT spending is at the bottom of all federal agencies
  • 2014 – the IG says “material weaknesses” have become “significant deficiencies”
  • 2015 – despite a mandate, only one percent of OPM employee and contractor accounts were required to use multi-factor authentication
  • 2015 (post-breach) – IG still sees an “overall lack of compliance that seems to permeate the agency’s IT security program.”

Why all CISOs need to pay attention to what happened at OPM

OPM isn’t exceptional. Many of the breaches that grab headlines are eerily similar.

First, they start with someone who is already an insider, like Edward Snowden, or with an attacker who hijacks an insider’s credentials, as was the case with Target and OPM. The explosion of ransomware has proven just how easy it is to get inside, and every vector seems to be working at scale – phishing, hijacked websites, cloud file-sharing.

Second, what do they take? Files and emails — unstructured data. In the Wikileaks and Snowden incidents, an insider took confidential cables, or emails. What was taken in the Sony Pictures breach? Emails, video files, files containing passwords. All unstructured data. Ransomware also shows how vulnerable this data is – a single infected user account can encrypt thousands of files without being noticed, many of which that user probably shouldn’t have access to in the first place.

There are of course other kinds of data we need to worry about, but unstructured data is what most organizations have the most of and know the least about. And so much of it contains sensitive information like that taken in OPM: social security or credit card numbers, health records, or detailed roadmaps describing how to infiltrate a massive database of PII.

Employees and contractors have access to all this data just by showing up to work—usually to much more than they need to do their jobs. Outsiders only need to steal an employee’s or contractor’s credentials through phishing or some other means, and then they have access to it, too.

It’s just too easy for data to be stolen, and we have to make it harder.

SIEM by itself is not enough

“Currently, OPM utilizes Arcsight as their SIEM [security information and event management] solution of choice, but there are numerous gaps in auditable events being forwarded to Arcsight for analysis, correlation, and retention.”

Many organizations don’t forward file access events to their SIEM because native auditing is performance intensive, the raw audit logs are too noisy and voluminous, and SIEM vendors often charge by data volume. In order to protect file-share data from insider threats and outside attackers that find their way inside, security technologies like SIEM and UBA must have credible telemetry from the file shares, including access activity and content awareness.

A data-centric approach

As Richard Spires points out, we need a new approach that focuses more on the data itself than the infrastructure that allows us to access that information. It’s one thing to lose a server; it’s another to lose millions of files containing employees’ deepest personal secrets.

Organizations need to get a grip on where their information assets are, who is using them, and who is responsible for them. There are just too many unknowns right now. They need to put all that data lying around in the right place, restrict access to it and monitor and analyze who is using it.

One thing organizations have started to realize is that they can jump light years ahead of where they are today very quickly just by installing technology to watch and analyze how employees use data. Smart AI and machine learning can be used to look for patterns of abuse and help you spot breaches before they happen. Think of it like the fraud detection that your credit card company uses – it’s very effective in stopping thieves from stealing money. The same analytics can help prevent insiders and outside attackers from stealing data.

There is no security silver bullet. But if you’re not watching what is going on with your unstructured data, which is growing exponentially, you have an intolerably dangerous blind spot – it’s almost impossible to detect an attack and very difficult to assess the scope of the damage, making recovery arduous and expensive. Organizations have overlooked this for a long time because the notion of organizing, categorizing and sorting out this metadata has been daunting. But that doesn’t need to be the case anymore.

I’ll close with the bold statement that the report opens with – one that is directed to federal CIOs, but that all CIOs and CSOs should take to heart:

“Federal CIOs matter. In fact, your work has never been more important, and the margin for error has never been smaller.

As we continue to confront the ongoing challenges of modernizing antiquated systems, CIOs must remain constantly vigilant to protect the information of hundreds of millions of Americans in an environment where a single vulnerability is all a sophisticated actor needs to steal information, identities, and profoundly damage our national security.”

Well said.

Caveats & Notes

The report, which is titled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” was authored by Republican Congressional staffers. You can read the Democratic response to the report here.

Regardless of partisan politics, the report contains important information about attack vectors, timelines, files stolen, and exfiltration methods. That’s what we’ll stick to here.

If you want to read the whole report, OPM released it as a rasterized image (so you can’t CTRL-F to search). Luckily, Dan Nguyen made an OCR’d PDF and plain-text versions for us:

If you’re feeling ultra-ambitious, OPM itself released a doc shortly after the breach explaining how they plan to improve their security posture. You’ll find that here.

Protecting Bridget Jones’s Baby

In the wake of the Sony Pictures breach, studios are getting much smarter when it comes to data protection. A shining example is Miramax, a global film and television studio best known for its award-winning and original content such as 2016’s Bridget Jones’s Baby with Universal Pictures and Studio Canal.

Miramax was looking for a solution that could monitor for insider threats and user behavior, and help classify its unstructured data for content discovery, remediation, and protection. That is where Varonis DatAdvantage, DatAnswers, and the Data Classification Framework came into play.

Denise Evans, VP of Information Technology at Miramax, said: “Prior to implementing a least privilege model with Varonis, 40% of our files were overexposed when they didn’t need to be. This kind of exposure isn’t a problem until a security breach occurs. Should there be a breach, we’re now able to quickly identify and target problem areas in a manner we weren’t previously able to do.” With the help of Varonis, Miramax was able to put in place a least privilege model, so that users only had access to the files they needed to do their jobs.

What’s also really compelling about this story is that Miramax is using our secure search product DatAnswers to enhance productivity. Miramax can now support eDiscovery requests and get very accurate search results that save the company time and money.

Click to read the full case study: https://www.varonis.com/success-stories/miramax