Most Read Blogs

Thanks for reading the Bit9 + Carbon Black Blog! Here are the most popular blogs of the year, so far, as determined by you, the reader.

10. 90% of Security Could be Fixed by IT (Ben Johnson)
9. Customer Use Case: “Searching for Zeus, I found so much more…” (Bit9 Blog Editor)
8. Carbon Black 5.0 Changes the Endpoint Security Game with Live Response (Ben Johnson)
7. Screenshot Demo: Detecting Banking Trojan “Dyre/Dyreza” with Bit9 + Carbon Black (Rob Eberhardt)
6. Screenshot Demo: Carbon Black “Live Response” in Action (Ben Johnson)
5. Orchestration and Analytics are the New Infosec Buzzwords (Ben Johnson)
4. Don’t Be Cracked: The Math Behind Good Online Passwords (Ryan Murphy)
3. 5 Ways We Can Address the Talent Shortage in Cyber Security (Ben Johnson)
2. With 110 Days Left Until WS2K3 Deadline, Many Organizations Are Unprepared (Christopher Strand)
1. The March Madness of Cyber Security (Ben Johnson)
10. 90% of Security Could be Fixed by IT
JANUARY 28, 2015 | BEN JOHNSON
Anton Chuvakin posted a great LinkedIn Pulse article today discussing what he sees as too much focus on defending against the APT.
In the article “Defeat the Casual Attacker First!!!” Anton wrote:
“Focus on improving your security maturity—not on randomly picking high-maturity tools (like NFT) and practices (like hunting) and then declaring success! Before you buy another ‘anti-advanced-anything’ box, THINK—are you handling the basics well already and, if YES, what is the best direction for improvement from your current position?”
I happen to wholeheartedly agree with Anton. But allow me to rant for a moment.
As I wrote earlier this week, I chuckle when I hear about security
best practices because most companies aren’t employing
standard practices, let alone anything more. I’m convinced that
90 percent (maybe more) of security issues can be resolved by IT.
Ask yourself these questions:
“Am I doing the basics?”
“Am I leveraging all the tools I have?”
“Am I making the tools talk to each other through security
engineering to help me understand the story behind the
data and the story behind the number of incidents I’m
investigating?”
Unfortunately, there’s still a mindset of installing special APT-targeted defenses to supplement generally poor security hygiene. This will not work. The malicious humans are going to just use Metasploit or other simple tools because they still work. You need to address the commodity malware first, so your team isn’t fighting the same little brush fires again and again. And, much like a brush fire, commodity malware can flare up and grow or, in other words, lead to advanced attacks.
You need to empower your responders, your SOC, and your jacks-of-all-trades to quickly respond, remediate, and fix the problems that take up your time. And guess what? Most security teams are not catching all the simple malware and the non-advanced threats. Anton’s point is dead on.
So, before we focus on the Chinese, the most sophisticated
cyber mafias, etc., let’s fix the broken windows and clean up our
environment FIRST so we can start hunting the really evil threats.
Anton’s security camera analogy is great: “go look and see what’s
going on by rewinding the tape.”
At Bit9 + Carbon Black we happen to have a good approach to
that. But make sure you’re not just buying tools because they say
“next-gen,” or “advanced.” Make sure these tools are helping you
with all threats, whether commodity, advanced or insider.
Most importantly, make sure the tools you invest in and the
defenses you architect can be utilized by your staff. You want
those technologies to enable your staff to do more with less and
start reclaiming the battlefield.
9. Customer Use Case: “Searching for Zeus, I found so much more…”
FEBRUARY 19, 2015 | BIT9 BLOG EDITOR
(Editor’s Note: This post was written by an information security engineer who works for a Bit9 + Carbon Black customer. The engineer submitted this post after “hunting for evil” using Carbon Black and wanted to share the information with the #Bit9Blog readership. As a policy, Bit9 + Carbon Black does not reveal its customer names, so the author of this post and his employer are anonymous.)
Recently, I had the opportunity to play with Carbon Black in a live environment and go hunting for evil.
A common behavior for Zeus malware is to spawn a svchost.exe child from an unsigned parent process. Though this is not guaranteed malicious behavior, it’s uncommon enough to be a good place to start looking for Zeus or other nasty software. To do this in Carbon Black, you’d run a process search like this:
This query is looking for unsigned processes (i.e., filter out the processes with a digital signature) that have a child process of svchost.exe.
I didn’t find Zeus himself, but I did find something that looked pretty malicious. The bulk of the hits that returned from this search were for a single host:
I dug into rpcnetp.exe a little bit for some more detail. It spawns svchost, of course, but that in turn spawns iexplore (Internet Explorer) and something called “upgrd.exe.”
Upgrd.exe runs a batch file “c:\windows\system32\upgrd.bat” that runs through a number of steps. Details about each step are available within Carbon Black, but not included here. The Internet Explorer process makes one connection to “search.namequery.com”:
Here’s the whole process tree:
At this point, I had unsigned software spawning Internet Explorer for beaconing purposes as well as running some kind of batch script. It looked like malware, it acted like malware, but was it really malware?
Armed with this information and with these questions in mind, I went looking around on the Internet to see if I could find anything more. Luckily, I found a recent article by a Kaspersky researcher about this exact thing. The article discusses the Absolute Computrace software made by Absolute Software Corp.
Computrace has also been known as LoJack and it is an anti-theft BIOS add-on. One of its capabilities is to provide remote access to your stolen laptop. Part of the point of the Kaspersky post is that Computrace exhibits a lot of the same behavior as malware, but is often whitelisted by AV vendors. I found that out of 57 AV vendors, zero deemed it malicious.
The Kaspersky researchers are concerned that Computrace could be hijacked by malicious parties to provide an easy backdoor into a system.
“We believe that Computrace was designed with good intentions, but our research shows that vulnerabilities in this software can turn a useful tool into a powerful weapon for cybercriminals,” they said.
Here’s one indication from Carbon Black that we’re talking about the same thing:
A quick search in Carbon Black for the process rpcnetp.exe can tell you how many hosts are running this software.
Malicious or not, Carbon Black gave me insight into powerful software running on endpoints to which other security tools turn a blind eye. This is clearly useful information and highlights the kind of visibility that Carbon Black provides.
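The hunt described above, reimplemented offline as an added example (this is not the customer’s Carbon Black query and not Carbon Black code): it walks a set of constructed process records for an unsigned parent that spawned svchost.exe, prints the tree under it with any outbound domains, and counts how many hosts ran rpcnetp.exe. Host names, PIDs and the record field names are my assumptions; the tree shape mirrors the one the post describes.

```python
"""Hunt for unsigned parents of svchost.exe over recorded process events.

Added example, not Carbon Black code: the records below are constructed to
mirror the tree in the post (rpcnetp.exe -> svchost.exe -> iexplore.exe /
upgrd.exe -> cmd.exe). Field names are my own approximation of what an
endpoint sensor records for each process execution.
"""
from collections import defaultdict

# Constructed sample records (not real sensor data).
EVENTS = [
    {"host": "WKSTN-01", "pid": 500,  "ppid": 4,    "name": "services.exe", "signed": True,  "domains": []},
    {"host": "WKSTN-01", "pid": 700,  "ppid": 500,  "name": "svchost.exe",  "signed": True,  "domains": []},
    {"host": "WKSTN-01", "pid": 2000, "ppid": 500,  "name": "rpcnetp.exe",  "signed": False, "domains": []},
    {"host": "WKSTN-01", "pid": 2100, "ppid": 2000, "name": "svchost.exe",  "signed": True,  "domains": []},
    {"host": "WKSTN-01", "pid": 2200, "ppid": 2100, "name": "iexplore.exe", "signed": True,  "domains": ["search.namequery.com"]},
    {"host": "WKSTN-01", "pid": 2300, "ppid": 2100, "name": "upgrd.exe",    "signed": False, "domains": []},
    {"host": "WKSTN-01", "pid": 2400, "ppid": 2300, "name": "cmd.exe",      "signed": True,  "domains": []},
    {"host": "WKSTN-02", "pid": 500,  "ppid": 4,    "name": "services.exe", "signed": True,  "domains": []},
    {"host": "WKSTN-02", "pid": 700,  "ppid": 500,  "name": "svchost.exe",  "signed": True,  "domains": []},
    {"host": "WKSTN-02", "pid": 900,  "ppid": 700,  "name": "chrome.exe",   "signed": True,  "domains": ["www.google.com"]},
]


def _children(events):
    """Map (host, pid) -> child records so tree walks cost O(1) per step."""
    kids = defaultdict(list)
    for e in events:
        kids[(e["host"], e["ppid"])].append(e)
    return kids


def unsigned_svchost_parents(events):
    """The Zeus-style search: unsigned processes that have a child svchost.exe.

    Returns (host, pid, name) tuples; note upgrd.exe is unsigned too but has
    no svchost.exe child, so it is only reached by walking the tree.
    """
    kids = _children(events)
    hits = []
    for e in events:
        if e["signed"]:
            continue
        if any(c["name"].lower() == "svchost.exe" for c in kids[(e["host"], e["pid"])]):
            hits.append((e["host"], e["pid"], e["name"]))
    return hits


def subtree(events, host, pid):
    """All descendants of (host, pid), depth-first, as (depth, record) pairs."""
    kids = _children(events)
    out = []
    stack = [(1, c) for c in reversed(kids[(host, pid)])]
    while stack:
        depth, rec = stack.pop()
        out.append((depth, rec))
        stack.extend((depth + 1, c) for c in reversed(kids[(host, rec["pid"])]))
    return out


def render_tree(events, host, pid):
    """Indented process tree rooted at (host, pid), with outbound domains."""
    root = next(e for e in events if e["host"] == host and e["pid"] == pid)
    lines = [f"{root['name']} (pid {root['pid']}, {'signed' if root['signed'] else 'UNSIGNED'})"]
    for depth, rec in subtree(events, host, pid):
        tag = "signed" if rec["signed"] else "UNSIGNED"
        net = f" -> {', '.join(rec['domains'])}" if rec["domains"] else ""
        lines.append("  " * depth + f"{rec['name']} (pid {rec['pid']}, {tag}){net}")
    return "\n".join(lines)


def hosts_running(events, name):
    """Prevalence check: how many executions of `name` each host recorded."""
    counts = defaultdict(int)
    for e in events:
        if e["name"].lower() == name.lower():
            counts[e["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, pid, name in unsigned_svchost_parents(EVENTS):
        print(f"[{host}] unsigned parent of svchost.exe: {name}")
        print(render_tree(EVENTS, host, pid))
    print("hosts running rpcnetp.exe:", hosts_running(EVENTS, "rpcnetp.exe"))
```

The search alone only returns rpcnetp.exe; the beaconing iexplore.exe and the batch-running upgrd.exe only show up once you walk down from the hit, which is the step the post’s process tree screenshot stands in for.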
8. Carbon Black 5.0 Changes the Endpoint Security Game with Live Response
JANUARY 27, 2015 | BEN JOHNSON
Today, we announced the immediate availability of Carbon Black 5.0. As we have now heard several times from our early access customers, Carbon Black 5.0 is a “game changer.” Why? Let’s dive in and see.
The root problem in cyber security today is a lack of qualified security professionals. A big part of the reason for the talent shortage is that triaging day-to-day detection events is too slow and inconclusive. It’s alert fatigue. Valid alerts are just noise if you can’t respond to them.
Until now, security pros had to respond to alerts without the recorded history and visibility needed for fast, efficient triage. That SOC analyst, the jack-of-all-trades security guy, whoever is looking at that information security alert, was often reduced to guessing what and where the problem was. That individual (and his or her team) needed to be better equipped. That’s why Carbon Black continuously records endpoint activity on Windows, Mac and Linux systems to enable the responder to rewind the tape and actually see what happened.
Furthermore, it’s a numbers game. With proper visibility comes the true power: the ability to focus your team on fixing the root cause of suspicious and malicious activity, and quickly understanding an attack’s scope.
In recent posts, you’ve heard us talk about OODA and feedback loops. Ultimately, the operational aspect of security needs to be both more efficient and more effective. You need to prioritize data collection over detection, meaning you should already have the cyber-security equivalent of an endpoint surveillance camera installed before compromise so you’re not scrambling to collect data during the fire drill.
Beyond response and root cause, you can add your own detection capabilities or use applied threat intelligence that leverages reputation and other information to score endpoint activity. You might not want to respond to every instance where a network connection is made to dropbox.com, but you would probably want to be notified when an application other than a browser or dropbox.exe makes that connection.
Enter Carbon Black, especially with the new 5.0 capabilities we are now shipping.
It’s about data understanding, not data volume, and having that clear visibility is critical to stronger detection. Carbon Black 5.0 enhances its threat intelligence component with the ability to create feeds for indicators of attack, going beyond its already strong support for matching event activity with known indicators of compromise. Also new in 5.0 are detection feeds from Bit9 that help customers find and prioritize suspicious or malicious behavior.
Enter Live Response
The most exciting part of Carbon Black 5.0 is its “Live Response” capabilities. What does this mean? Carbon Black has been great at endpoint threat detection and response. But once you’ve determined scope, once you’ve walked up and down the process tree to find root cause, once you’ve quickly triaged and validated that alert, you want to do something about it.
Now, with Carbon Black 5.0, in the same console (and programmatically via our API), you can perform endpoint isolation to quarantine that endpoint from the network, and connect to it to do further investigation, preserve state, and take action.
The Carbon Black sensor is already there, so you don’t have to scramble to get IT to install a post-mortem toolset, and you don’t have to log in locally using privileged credentials that the attacker might be hoping for. The workflow, all within the Carbon Black 5.0 console, enables you to quickly triage your alert, isolate that endpoint from all others, and drop into a powerful shell that connects you to that system to pull files, kill processes, dump memory, and run any additional tools that your response workflow includes.
From here you can easily create new watchlists so that as soon as those TTPs (or some part of that attack) occur again anywhere else in the enterprise, you’ll be notified. This gives your security team true endpoint visibility and control.
Carbon Black 5.0 includes other new features, such as cross-process memory events, a new dashboard, and more. See our product page for more detailed information about the features in 5.0.
Your most junior folks now have a tool that gives them great visibility and quick triage capabilities, and your more experienced security professionals can incorporate Carbon Black programmatically into your overall cyber defense orchestration. Blend this with dwell-time statistics, system hygiene, event prevalence, frequency, root cause, and applied threat intelligence, and you get, as the first users of Carbon Black 5.0 have told us, a true “game changer.”
7. Screenshot Demo: Detecting Banking Trojan “Dyre/Dyreza” with Bit9 + Carbon Black
FEBRUARY 9, 2015 | ROB EBERHARDT
Within the last year, a new banking trojan has begun targeting large enterprises and major financial institutions. The malware, called “Dyre” or “Dyreza,” is typically spread through spam or phishing emails.
If Dyre evades detection, the malware grabs sensitive user information such as credentials, certificates, and session information, using a browser man-in-the-middle attack. There are many variants of Dyre in the wild, and they typically target very specific activities, such as banking websites and even data-storing sites like Salesforce.com.
Dyre and its ever-changing list of variants have proven difficult or even impossible to detect by antivirus, memory-based scanning products, and next-gen perimeter defenses. In this screenshot tutorial, we will dissect a basic Dyre infection to show some simple methods of detection and prevention using Bit9 + Carbon Black.
As with most malware, there are many variants and behavioral differences between samples. Testing for this tutorial was done on a Windows 7 virtual machine with both the Carbon Black 5.0 and Bit9 7.2 agents loaded (Bit9 in medium enforcement mode).
(IMPORTANT: ALWAYS CREATE VM SNAPSHOTS and ALWAYS LOCK DOWN NETWORKING FROM THE INFECTED HOST.)
We created a firewall rule to disallow ANY Internet connectivity from this particular VM, and I highly recommend isolating this host on an alternate VM network as well.
Two Dyre samples were tested:
• SHA-256: 523b9e8057ef0905e2c7d51b742d4be9374cf2eee5a810f05d987604847c549d (tested as Document-772976_829712.scr)
• SHA-256: 05edcc3e5679ee254c78058c4f446e195544d3ff3374bd141c1895e7ed6a410b (tested as Dyre_Unpacked.exe)
Upon execution, Bit9 in medium enforcement prompted for execution. I clicked “Allow” to allow execution. The root executable immediately disappeared (deleted itself) and the machine seemed otherwise unaffected.
I then opened the Carbon Black console and searched for the root executable:
Process Analysis shows the root executable and a child process of “Googleupdaterr.exe”:
The second-stage payload items of interest:
• The first-stage payload deleted itself
• The resulting executable “Googleupdaterr.exe” makes itself resident in the registry
• The exe creates a mutex and injects into explorer.exe
Opening a new view of Explorer.exe during the same time frame gets interesting:
Checking the network connections of Explorer.exe shows some interesting behavior as well:
• Connection to Google.com (checking to see if it has Internet access)
• Connection to a STUN (Session Traversal Utilities for NAT) server to create an SSL-encrypted session
• Connections to other IPs that happen to be on some RBLs (real-time blacklists)
• The second tested sample showed different connections, albeit similar behavior
Some items of interest to consider:
• The creation/execution of “Googleupdaterr.exe” or “exe:zone.identifier”
• Location of file creation: “C:\users\CURRENTUSER\appdata\local”
Detection via Watchlist
Dyre/Dyreza has plenty of variants and behaviors. The list below may not be 100 percent comprehensive for your sample, but these are some of the recurring patterns that should make detection via watchlist very easy.
Carbon Black watchlist query strings to get you started:
Execution directly from users’ Application Data folders:
  path:c:\users\*\appdata\local\* -path:c:\users\*\appdata\local\*\*
Windows Explorer.exe making multiple network connections (UNC and other connections typically come from ntoskrnl.exe, svchost.exe, etc. Explorer tends to make domain-local connections on rare occasions for local-network discovery. A threshold of 1 might be a bit noisy; 2-3 might be a good starting point):
  netconn_count:[1 TO *] process_name:explorer.exe
Typical Dyre/Dyreza registry modification to maintain persistence:
  regmod:software\microsoft\windows\currentversion\run
Unsigned processes with cross-process activity into explorer.exe:
  crossproc_name:"explorer.exe" digsig_result:"Unsigned"
iSCSI client loading a child process of cmd.exe:
  parent_name:iscsicli.exe modload:cmd.exe
Binaries of a malicious nature attempting to make network connections (low hit count, as Dyre seems to make connections from legitimate processes):
  alliance_score_virustotal:[10 TO *] netconn_count:[1 TO *]
Other Dyre/Dyreza earmarks:
  path:c:\windows\*.exe -path:c:\windows\*\* -process_name:explorer.exe -process_name:regedit.exe -process_name:splwow64.exe
Use DNS RBLs (real-time blacklists) to fortify Carbon Black and alert on connections to known-bad IPs/DNS entries.
Bit9 rules and suggestions:
• Autoruns (at least alert; blocking will also block legitimate modifications)
  • Registry rule
  • Write action: prompt or alert
  • Registry path: *\software\microsoft\windows\currentversion\run\*
  • Process: any process
• Alternative autoruns method
  • Registry rule
  • Write action: block
  • Registry path: *\software\microsoft\windows\currentversion\run\*
  • Process: googleupdaterr.exe or iscsicli.exe
• Block batch files from executing inside of AppData (you can get less specific on the path, but risk blocking custom apps)
  • Custom rule
  • Rule type: execution control
  • Execution action: block
  • Path or file: C:\Users\*\AppData\Local\Temp\*
• Block (and alert) on creation of the typical Dyre/Dyreza configuration file
  • Custom rule
  • Rule type: file creation control
  • Write action: block
  • Path or file: C:\users\appdata\local\userdata.dat
  • Process: any process
• Move machines to high-enforcement mode
**A special thanks to a Carbon Black customer who contributed some content ideas for this blog**
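To see what each of the watchlist strings above actually selects, here is an added example that evaluates them over constructed process records. It is not Carbon Black’s search engine: it supports only the syntax those seven strings use (field:value terms, quoted values, * wildcards, [N TO *] ranges, a leading - for NOT, all terms ANDed), and the matching semantics are my approximation (scalar fields match exactly or by wildcard; multi-valued fields such as regmod, modload and crossproc_name match by substring). The records are built to resemble the infection described in the post, plus one constructed “winupd.exe” in C:\Windows so the earmark query has something to hit; every path, score and name in them is an assumption.

```python
"""Evaluate Carbon Black-style watchlist query strings over process records.

Added example, not Carbon Black code. Handles: field:value, field:"value",
* wildcards, field:[N TO *] ranges, -field:value negation; terms are ANDed.
"""
import re
from fnmatch import fnmatchcase

TERM = re.compile(r'(-?)(\w+):("[^"]*"|\[[^\]]*\]|\S+)')


def rec(rid, process_name, path, **fields):
    """Constructed process record with Carbon Black-like field names."""
    r = {"id": rid, "process_name": process_name, "path": path, "parent_name": "explorer.exe",
         "digsig_result": "Signed", "netconn_count": 0, "alliance_score_virustotal": 0,
         "regmod": [], "crossproc_name": [], "modload": []}
    r.update(fields)
    return r


# Constructed records (not real sensor data), modelled on the post's infection.
RECORDS = [
    rec("scr", "document-772976_829712.scr", r"c:\users\bob\appdata\local\temp\document-772976_829712.scr",
        parent_name="outlook.exe", digsig_result="Unsigned", netconn_count=1, alliance_score_virustotal=30),
    rec("gupd", "googleupdaterr.exe", r"c:\users\bob\appdata\local\googleupdaterr.exe",
        parent_name="document-772976_829712.scr", digsig_result="Unsigned", alliance_score_virustotal=45,
        regmod=[r"hklm\software\microsoft\windows\currentversion\run\googleupdaterr"],
        crossproc_name=["explorer.exe"]),
    rec("explorer", "explorer.exe", r"c:\windows\explorer.exe", parent_name="userinit.exe", netconn_count=3),
    rec("svchost", "svchost.exe", r"c:\windows\system32\svchost.exe", parent_name="services.exe", netconn_count=12),
    rec("cmd", "cmd.exe", r"c:\windows\system32\cmd.exe", parent_name="iscsicli.exe",
        modload=[r"c:\windows\system32\cmd.exe", r"c:\windows\system32\ntdll.dll"]),
    rec("regedit", "regedit.exe", r"c:\windows\regedit.exe"),
    rec("dropped", "winupd.exe", r"c:\windows\winupd.exe", digsig_result="Unsigned"),  # constructed earmark
]

# The watchlist strings from the post, keyed by what they look for.
WATCHLISTS = {
    "appdata_exec": r"path:c:\users\*\appdata\local\* -path:c:\users\*\appdata\local\*\*",
    "explorer_netconn": r"netconn_count:[1 TO *] process_name:explorer.exe",
    "run_key": r"regmod:software\microsoft\windows\currentversion\run",
    "unsigned_crossproc": r'crossproc_name:"explorer.exe" digsig_result:"Unsigned"',
    "iscsicli_cmd": r"parent_name:iscsicli.exe modload:cmd.exe",
    "vt_netconn": r"alliance_score_virustotal:[10 TO *] netconn_count:[1 TO *]",
    "windows_root_exe": r"path:c:\windows\*.exe -path:c:\windows\*\* -process_name:explorer.exe "
                        r"-process_name:regedit.exe -process_name:splwow64.exe",
}


def _match(value, pattern, substring=False):
    if isinstance(value, list):                      # multi-valued event field: any element
        return any(_match(v, pattern, substring=True) for v in value)
    val, pat = str(value).lower(), pattern.lower()
    if "*" in pat:
        return fnmatchcase(val, pat)                 # * also spans backslashes, as in the path queries
    return pat in val if substring else val == pat


def _in_range(value, spec):
    lo, hi = spec.strip("[]").split(" TO ")
    return (lo == "*" or value >= int(lo)) and (hi == "*" or value <= int(hi))


def term_matches(record, field, raw):
    if field not in record:
        return False
    if raw.startswith("["):
        return _in_range(record[field], raw)
    return _match(record[field], raw.strip('"'))


def evaluate(query, records):
    """IDs of records where every positive term matches and no negated term does."""
    terms = TERM.findall(query)
    return [r["id"] for r in records
            if all(term_matches(r, field, raw) != bool(neg) for neg, field, raw in terms)]


def run_watchlists(records, watchlists=WATCHLISTS):
    return {name: evaluate(q, records) for name, q in watchlists.items()}


if __name__ == "__main__":
    for name, hits in run_watchlists(RECORDS).items():
        print(f"{name:<20} {hits}")
```

Two things the run makes concrete: the negated `-path:c:\users\*\appdata\local\*\*` term is what keeps the AppData query from matching everything under Temp (a single `*` spans backslashes), and the VirusTotal-plus-netconn query only hits the first-stage dropper, because the second stage does its networking from explorer.exe, which is exactly the low-hit-count caveat the post gives.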
6. Screenshot Demo: Carbon Black “Live Response” in Action
JANUARY 28, 2015 | BEN JOHNSON
For a long time, security professionals over-invested in “set-it-and-forget-it” detection capabilities like antivirus. We’ve since wised up and moved on to detection, detection, and more detection, but as a result, we started to drown in a sea of alerts. Even valid alerts are just noise if you can’t appropriately respond to them.
Cyber defense, after all, is about humans fighting humans. It’s no longer AV fighting worms. So the true problem is that most of us are in a state of continuous response, handling many, many alerts every day and often guessing what to do based on inconclusive information.
When an alert deserves actual attention, we cobble together several tools and often have to lean on IT to help us put our tools on the asset in question to start collecting evidence and taking action. It’s a losing game. Not anymore. Enter Carbon Black 5.0, introduced on January 27.
The continuous recording and centralized storage inherent in Carbon Black enables you to quickly gain access to endpoint context and visibility, regardless of which thread you have to pull:
So, you pull on that thread, be it an IP address, file path, or hash (or many, many others), and you get hits. You get process instances that match those attributes.
Let’s dive in to start doing triage and analysis:
(Note: I’m skipping over a lot of events that would easily raise eyebrows, because the point isn’t to explain this specific attack; it’s to show you how you can be more operationally effective.)
Here’s the nice shot of the process tree for this example attack:
On the left, you have Outlook.exe, which started this whole thing via Internet Explorer and Acrobat. On the right, you have what occurred afterward, including eventguide.pdf, svchost.exe, and a bunch of other commands and utilities used to accomplish the attacker’s goal. It doesn’t take much digging to see what occurred.
With Carbon Black, we’re trying to put all this information at your fingertips. We want you to easily answer questions such as: “When did this process start?” “Who is its parent?” “Does it have children?” “Is it signed?” etc. But more than just answering these questions, Carbon Black shows you the various events the process was performing:
But what’s your immediate goal? As a responder, you’re trying to quickly assess root cause and understand what occurred. With Carbon Black, you can walk up and down the tree and see all the event activity that occurred for each process.
So what now? Call IT and re-image? Go grab a forensics tool, walk to the person’s desk (or hope IT can push it out for you) and start collecting more data?
Not anymore. Carbon Black 5.0 enables you to respond LIVE!
Live Response
The first thing a responder would most likely want to do is STOP THE BLEEDING. With Carbon Black 5.0, we have built-in endpoint isolation where our sensor can stop all communications except with our server. The compromised endpoint won’t be able to do anything, but you’ll still have communications with it:
Ok great, bleeding stopped, but you can do more. With Live Response, Carbon Black gives you a terminal right in our Web console and via the already-existing sensor on the endpoint. You just click “Go Live” and you’re in.
Several built-in commands give you unprecedented control and action capabilities within your endpoint threat detection and response solution:
Additionally, you can look at registry key values, files and more:
Want to dump memory to preserve it for analysis or litigation? Just upload something like WinPmem and you’re all set.
Time to do more investigation and begin your cleanup and recovery:
From here, as a responder, I would take various IOCs, IOAs, and behavioral information from this attack and convert those into watchlists and feeds to drive detection.
The next time these hashes, IPs, or patterns of compromise are used, I will be alerted on them quickly. And, with Carbon Black 5.0, you can spend your time inside the new “Alert Triage” section to help prioritize, resolve and score your alerts:
Carbon Black 5.0 also computes dwell time, machine hygiene, top offenders, best alert resolvers, and more, enabling you to directly measure your team’s improvement over time. Now, show your organization’s leaders how effective, and how fast, you are at battling threats.
We’ve also added new event types such as remote thread injection and other activities that memory attacks leverage. Additionally, we’ve introduced more partnerships and integrations with on-premises network security products to move toward the one-plus-one-equals-three solution.
Early-adopter customers have called Carbon Black 5.0 a “game changer.” It’s already helped them take action and leverage more threat intelligence than ever before from our partners and our own Threat Intelligence Cloud.
Feel free to reach out to us and make the call for yourself as to whether or not Carbon Black 5.0 is truly a “game changer.”
5. Orchestration and Analytics are the New Infosec Buzzwords
MARCH 11, 2015 | BEN JOHNSON
(Editor’s Note: this article originally appeared as a contributed piece on infosecurity-magazine.com)
As cyber security gets hotter (or maybe more and more depressing, depending on how you look at it), new buzzwords come to dominate our discussions.
We’re all sick of ‘APT’ and ‘threat intelligence’ (at least I know I am). We’ve also begun to tire of hearing words such as ‘breach,’ and even ‘cyber’ itself. However, buzzwords have a place. They are a good barometer of the focus of both the security industry and the general population.
I predict that ‘orchestration’ and ‘analytics’ will be the industry’s next top buzzwords. Let me explain why.
‘Analytics’ isn’t necessarily a new buzzword, but it’s a bit behind ‘threat intelligence’. Everyone was saying ‘threat intelligence’ in 2014 (and some of 2013), but it only recently started to become more concrete and standardized in its definition.
‘Analytics’ is lagging behind. But we need analytics as attacks become
increasingly complex and diverse. Once intruders obtain access, they
often start using built-in tools or tactics to blend in with the noise
of regular environment activity. Detection is becoming increasingly
difficult, so we turn to analytics.
Think of credit card fraud. Financial companies don’t know exactly how
a stolen credit card will be used. It could be to buy iTunes credits online,
electronics in a store in Hong Kong, or any of a million other things.
To detect credit card fraud companies look at known good and bad
transactions and try to profile expected normal behavior. When activity
begins to fall outside that fuzzy box, you’re notified.
Analytics is the comparison of current user, system or network activity
against historical activity and current behavior by other parts of the
environment – and it is going to become hot over the next year. We
will still be authorizing applications and detecting known bad binaries,
network sites, and behavior, but analytics will continue to rise as the use
of stolen credentials and insider threats becomes increasingly prevalent.
I’ve been at Fortune 50 companies where the only quick way to detect
where Chinese hackers were ‘living off the land’ (inside the environment,
lurking, watching and learning) was to look for things such as strange
network-share usage; abnormal command-lines for cmd.exe, ftp.exe,
and robocopy.exe; and other unusual behavior. Analytics could quickly
identify what otherwise would take weeks.
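A minimal version of the analytics the paragraph above describes, as an added example that is not part of the original article and not a Bit9 + Carbon Black feature: it baselines how many hosts have ever run each shape of command line (cmd.exe, robocopy.exe, ftp.exe and the like), then scores today’s events by how rare that shape is across the environment and whether the host itself has run it before. The history and today’s events are constructed; the host names, the normalisation rules and the 0.9 threshold are my own assumptions.

```python
"""Prevalence analytics for living-off-the-land command lines.

Added example, not Bit9 + Carbon Black code. Baseline: template -> hosts that
ran it. Score: 1.0 means no host in the baseline ever ran that template.
"""
import re
from collections import defaultdict


def normalize(cmdline):
    """Collapse the variable parts so the same kind of command compares equal.

    Raw IPs are deliberately kept distinct from host names: reaching shares
    by IP instead of name is itself a useful living-off-the-land signal.
    """
    s = cmdline.lower()
    s = re.sub(r"\\\\\d{1,3}(?:\.\d{1,3}){3}", r"\\\\<ip>", s)   # \\10.1.2.3 -> \\<ip>
    s = re.sub(r"\\\\[\w.-]+", r"\\\\<host>", s)                 # \\fileserver -> \\<host>
    s = re.sub(r"[a-z]:\\[^\s\"]+", "<path>", s)                  # c:\users\... -> <path>
    s = re.sub(r"\d+", "<n>", s)                                   # u7 -> u<n>, /r:2 -> /r:<n>
    return s


def build_baseline(history):
    """template -> set of hosts that ran it, plus the set of all hosts seen."""
    seen, hosts = defaultdict(set), set()
    for host, cmd in history:
        seen[normalize(cmd)].add(host)
        hosts.add(host)
    return seen, hosts


def triage(today, history, min_score=0.9):
    """Score today's events against the baseline and keep the rare ones.

    `known_on_host` tells the analyst a rare command is at least normal for
    that machine (an admin box), which is the first thing to check before
    escalating; a 1.0 on a workstation has no such excuse.
    """
    seen, hosts = build_baseline(history)
    results = []
    for host, cmd in today:
        where = seen.get(normalize(cmd), set())
        score = 1.0 - len(where) / len(hosts)
        if score >= min_score:
            results.append({"host": host, "cmd": cmd, "score": round(score, 3),
                            "hosts_seen": len(where), "known_on_host": host in where})
    return sorted(results, key=lambda r: -r["score"])


# Constructed history: 50 workstations run the same two commands every day,
# and two admin boxes map the file server's admin share with a service account.
HISTORY = []
for i in range(50):
    HISTORY.append((f"WS{i:02d}", "cmd.exe /c ipconfig /all"))
    HISTORY.append((f"WS{i:02d}", rf"robocopy.exe C:\Users\u{i}\Documents \\fileserver\home\u{i} /MIR /R:2"))
for admin in ("ADMIN01", "ADMIN02"):
    HISTORY.append((admin, r"cmd.exe /c net use \\fileserver\c$ /user:corp\svc_backup *"))

# Constructed events for today: WS07 starts behaving like an operator.
TODAY = [
    ("WS07", "cmd.exe /c ipconfig /all"),
    ("WS07", r"cmd.exe /c net use \\10.1.2.3\c$ /user:corp\admin Summer2015"),
    ("WS07", r"robocopy.exe C:\Users\u7\Documents \\10.1.2.3\c$\stage /E /Z"),
    ("WS07", r"ftp.exe -s:C:\Windows\Temp\cmds.txt 10.1.2.3"),
    ("ADMIN01", r"cmd.exe /c net use \\fileserver\c$ /user:corp\svc_backup *"),
]

if __name__ == "__main__":
    for r in triage(TODAY, HISTORY):
        flag = "known on host" if r["known_on_host"] else "NEW for host"
        print(f"{r['score']:.3f} {r['host']:<8} seen on {r['hosts_seen']:>2} hosts, {flag}: {r['cmd']}")
```

The daily robocopy to the file server scores zero on every workstation because its template is identical once user names and retry counts are collapsed; the same tool pointed at an admin share by IP has never been seen anywhere and scores 1.0, which is the “strange network-share usage” the paragraph refers to. The ADMIN01 line scores high on environment prevalence but is flagged as known on that host, which is the context an analyst needs before treating rarity as malice.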
This brings us to ‘orchestration’—the overall quarterbacking of your
environment when analyzing a detection event, responding to an
incident, or performing risk hunting. When doing this, we need speed.
We need faster OODA loops (an aerial dogfighting term for feedback
loops). And we have complex environments and various tools and teams
that have to synchronize.
Orchestration focuses on people, processes and teams. We need to be
organized in this world of continuous response where we are putting
out multiple fires. We need to be able to quickly add context about what
should be occurring and what particular systems are used for. We need
to know more rather than think more during our security investigations.
And we cannot afford sloppy processes or missing information.
We also need faster feedback loops. The bad guys move quickly,
especially when there are malicious humans at work. But even with
malware, it’s often tough to keep up with the dangerous activities
being performed. With today’s technology, we need orchestration of
our defensive technologies. We need to quickly stop the bleeding. We
need to be able to retrieve reputation, classification and attribution
information without much (or hopefully any) effort.
We need to be able to disrupt and contain live attacks, and we need to
be able to quickly disregard alerts that turn out to be false positives or
not urgent. After all, valid alerts are just noise if we cannot appropriately
respond to them.
We need orchestration, and more specifically, orchestration through
APIs, security engineering, and automation. We need our network,
endpoint, data and communications defenses to inform each other, to
change analysis weightings based on each other’s current state, and we
need to give a human operator quick access to all the data.
We need introspection and retrospection to be quick and painless so
we are informed. Remember analytics? We need our systems to work
together to tell us if this behavior is normal, how prevalent it is, and
what other groups think about it (remember threat intelligence?). As an
industry, we’re moving in that direction, but we’re not there yet. I hope
we make big strides very soon.
The biggest problem in cyber security is the shortage of people. I believe
analytics and orchestration can help to significantly reduce this gap. We
have the computing power; let’s put it to good use. Let’s build, create
and innovate in the areas of analytics and orchestration.
4
Don’t Be Cracked: The Math
Behind Good Online Passwords
LC = lowercase
UC = uppercase
SC = special characters (!@#$%^&*, etc.)
MARCH 15, 2015 º RYAN MURPHY
When weak-password stories come up, the focus often turns to advice
about what to do: “be sure to change your passwords immediately…” “
Follow these 8 tips to stay safe online…” You’ve seen them all.
Unfortunately, these warnings and tips seem to fall on deaf ears. Data
from previous password breaches shows that people are still routinely
using common passwords like “password” “qwerty” or “123456.” There’s
math behind why passwords like those are are weak and why others, like
“p@s$w0rdD0gB1t3” are strong. The good news is that creating more
secure passwords might be as simple as adding two more characters.
The Basics: Password Storage & Hashes
Organizations usually store passwords in one of two ways – 1) as plain
text or 2) as hashes. Plain text storage means that an intrusion of the
database would give away complete login details, full username and
password – not a good idea. Hashes provide an extra layer of security.
Hash operations are one-way mathematical formulas that take input, like
a password, and transform it into a hash (see table below). The beauty
of the hash is that it’s very difficult to get the original password from just
the hash. You are able to turn a password into a hash very easily, but it’s
impossible to turn a hash into a password. Think of a broken window.
You can turn a window into shattered glass, but it’d be near impossible
to turn that shattered glass back into a window. It’s a one-way street.
Username
Password Hash
[email protected]
2ac9cb7dc02b3c0083eb70898e549b63
[email protected]
2455640b3bb59c197e714c8600dff64c
[email protected]
b194a20eb542608fb54b17ce8f4a77e1
Systems typically store passwords as one-way hashes, like the ones
above, so when a user tries to log in using their password, that text is
transformed into the corresponding hash and cross referenced against
the hash stored in the system for that user.
How Do Hackers Get Passwords?
Sometimes a hacker will exploit a vulnerability in the system and get
access to the data in the table above. The hacker has his hands on the
usernames and the password hashes but needs the actual password to
login in to the account.
Remember, it’s impossible to go backwards from the hash to password.
The hacker’s only option is to “go forward” as many times as he needs to.
“Going forward” means the hacker is performing the same hash-
producing mathematical operation (with computer-generated guesses)
on a variety of passwords until the right hash is produced.
For example, using [email protected], the hacker might perform
the hash operation on the commonly used password “Password” and
get the following result: “dc647eb65e6711e155375218212b3964,” which
according to the table above, is not a correct hash match, thus not the
right password.
The hacker’s computer keeps trying and trying and trying again,
with billions of random and commonly known passwords until he
arrives at “Password1” which, here, matches the hash in the table
above:“2ac9cb7dc02b3c0083eb70898e549b63.” Now he knows that
[email protected]’s password is “Password1”. Although this may
seem laborious, a computer can easily guess over 1 billion passwords
per second.
How Long Does It Take for a Hacker to Get Your Password?
The short answer: it depends, but very quickly if your password is weak.
• If your password is eight characters long and all lower-case, like
“password,” it would take a hacker 3.5 minutes to guess it.
• Changing one of those lowercase characters to an uppercase
character, like “Password,” means it would take him almost 15 hours.
• Replacing any letter with a special character and keeping the
uppercase character, like “P@ssword,” means it would take the hacker
70 days to guess your password.
• If you added a single character to “P@ssword” to form “P@ssword1” it
would take the hacker 18 years to guess the password.
• If you added two characters to “P@ssword,” to form “P@ssword11” it
would take the hacker 1,707 years to guess the password.
So on and so forth until you arrive at some astronomical numbers. See
the table below (LC = lowercase letters, UC = uppercase letters,
SC = special characters):

                         8 character   9 character   10 character   11 character    12 character
LC                       208 seconds   90 minutes    39 hours       42 days         3 years
LC & UC                  14 hours      32 days       4.5 years      238 years       12,394 years
LC & UC & Digits         2.5 days      .5 years      26 years       1,650 years     102,304 years
LC & UC & Digits & SC    70 days       18 years      1,707 years    169,546 years   15,091,334 years

Note the bottom right corner of the table. If your password is 12
characters long, contains uppercase and lowercase characters, a digit
and a special character, it may take over 15 million years for a hacker
to guess your password. This is the simple math behind blanket
recommendations to increase your password complexity.
NOTE: The math in the above assumes the hacker is randomly
generating password guesses.
So What Makes a Password Secure?
Above, we tackled the basics about password storage, the value of hashes
and then calculated how long it takes a hacker to get your password
using brute force cracking – as quickly as 3.5 minutes in some cases.
What we hope our readers got out of what’s above is that the longer
and more complex a password is (complex as defined as containing an
uppercase character, lowercase character, number and special character)
the longer it takes a hacker to crack.
A 12-character password with each of those elements would take as
long as 15,091,334 years to crack with a single computer.
For many people, 15 million years of “protection” might create better
peace-of-mind. However, the unfortunate reality with online passwords
is that even these long and complex passwords are susceptible to
cracking. Here’s why:
In order for a password to be considered secure, it needs to be truly
random and unique.
What Does it Mean to Be Truly Random?
Many people often choose a base word for their password, like
“password,” and transform it to be logically “complex.” So they’ll replace
letters with special characters or digits and add some capitalizations.
So a password that was “password” becomes P@55w0rD. In fact, if each
letter could be one of an uppercase, lowercase, or special character,
there are 6,561 (3^8) versions of “password” — which is far from an
unbreakable amount.
Thus, a hacker using a brute force technique isn’t just going to start with
“aaaaaaaa” and go down the list, “aaaaaaab”, “aaaaaaac”, etc. He is going to
apply intelligence to the cracking. That intelligence most often involves
using common base words. So not only will he try cracking the very
simple “password” but also all 6,561 versions, including the complex
“P@55w0rD”.
There are approximately 220,000 dictionary base words, meaning that
even if you added up to three extra digits to your transformed,
base-word-based password and formed something like “P@55w0rD123,” a
computer would take about 26 minutes to crack it — no matter how
long the password is. With complete randomness in a password, hackers
can’t make common base word assumptions about your password and
cut down the brute force space.
But that’s not all. A secure password must also be unique.
What Does it Mean to Be Unique?
Unfortunately, some companies still store actual plaintext passwords in their
databases instead of the hashes, so if a hacker gets into the system,
he now has more base words to add to his roster. So if you use the
same password, or even base word, for two accounts and one of those
is compromised, no matter how long or random it is, that hash and
password are now known. The hacker can then log in to any account
that you are using the same password for. This also means that if
someone else uses your password, or some version of it as outlined
above, you are compromised.
So What Do I Do?
1) Make sure all of your passwords are truly random.
2) Make sure none of your passwords are used by you or anyone else.
How do you do that? Let’s assume for a moment that all 7 billion
people in the world have 100 online accounts and have used a different
password for each. That makes 700,000,000,000 truly unique passwords
in the world.
In order for there to be .0001% chance that you have the same password
as someone else, you’d need to choose from 7 quintillion passwords,
that’s 7,000,000,000,000,000,000. That may sound like a lot, and it is. If
you’re using a Standard English keyboard (94 characters) that’s a 16
character password, which would take 1 quadrillion years to brute force
crack, and can’t be circumvented by a shortcut.
Since you cannot control what companies do with your password, we
recommend having a 16 character truly random and unique password
so the hacker can’t leverage someone else’s password to figure out yours
and has to do the hard work (read 1 quadrillion years) to figure it out.
How is anyone supposed to remember 100 truly random and
unique, 16 character passwords?
Online password managers, which everyone recommends but never
tells you why. Using these services you only have to remember one
password, and make it good! The only shortcut to getting your password
now is to get access to your computer itself — another series of articles
all together. The online password manager remembers the rest for you.
In fact, it might even be more convenient for you since you now only
have to remember one password. And it’s more secure.
(Here’s a link that reviews such password managers:
http://www.pcmag.com/article2/0,2817,2381432,00.asp)
They each have their own advantages and work for different platforms
so it’s difficult to recommend just one. Try a few for yourself and see
which you prefer.
No. 3: 5 Ways We Can Address the Talent Shortage in Cyber Security
MARCH 3, 2015 º BEN JOHNSON
One of the biggest problems in cyber security is that there are not
enough qualified experts to manage the volume of attacks, alerts, audits,
incident response drills, infrastructure upgrades, and compliance reports.
And that’s not even getting into threat hunting or risk hunting. So, how
do we address this problem?
We’re making some progress on multiple fronts, but we can do better.
Technology, and the actual technological approaches of new solutions
are starting to save humans lots of time. We still need people, though,
and, more importantly, we need to create programs that encourage and
incentivize new players into today’s information battle.
The U.S. government is creating programs to incentivize entrance into
the information security field but, right now, these programs are largely
targeted at college students. Don’t get me wrong, we need youthful
energy to combat the “game face” that attackers put on, and we need
young talent we can mold and grow into the right type of cyber soldier
against today’s and tomorrow’s attacks. But more is needed.
There’s a multitude of technology professionals, analytical thinkers, and
engineers who would love to get in the game—but they don’t really
know how to do it.
I’ve talked to several people who have shifted into security after starting
their careers in another field, or who have worked long enough to have
rock star coworkers make similar transitions. These situations are still
pretty rare, though. We need people to dive right in if they show the
right aptitude and passion for cyber defense.
Here are some quick points to keep in mind if you’re considering moving
into security.
Look at your existing area of expertise. If you’re a programmer, maybe
you can work on creating more secure software development life cycles,
or you can try to find a security engineering position where you help
utilize vendor APIs to incorporate automation and orchestration. If you’re
a network admin, maybe you move into more of a network security-monitoring role. The same goes with other existing technology jobs.
Cyber defense usually has a spot for you that requires your existing skills.
Not everyone is the quarterback. I meet with lots of teams every
week, and some need a quarterback, but pretty much everyone needs a
lineman or a defensive back—team players who fill important supporting
roles. Often, these roles are great because you get to interact with lots
of different specialists and play with a lot of tools. You’ll gain experience
quickly and figure out where you can make the greatest contribution.
You might even help evaluate products and set up various sensors and
monitoring capabilities, essentially doing the basic blocking and tackling
that should be done before anti-APT and threat-hunting efforts become
the team’s focus.
Think about roles differently. Some of the best teams I have met
are doing it with a slight twist. Almost all security hires are more like
programmers, because these days being able to leverage vendor APIs
and tie information together (again, orchestration) is huge. Being able
to write a few lines of code to filter out some of the events you’re
seeing, being able to generate more customized alerts that are more
easily digestible, and being able to pull in custom context and threat
intelligence are some of the reasons to have programmers on your
security team. Beyond this, teams are having success bringing in
financial analysts as security analysts, because these individuals are
skilled at critical thinking, looking at data and patterns, and leveraging
multiple technologies to help reach a conclusion.
Incentivize and grow. The government needs more incentive programs
to fill the national cyber shortage, but the effort should extend beyond
that. Private companies should offer incentive deals where a prospect
is loaned $10,000 to take and complete SANS classes. If they pass, they
are hired by the company. The employer knows that the employee has a
particular baseline, and they could count that money as the employee’s
training budget. Or, embrace similar ideas where a working adult who
might not have the money upfront can make the shift, too. We need to
think more like this so we can attract working professionals and other
non-college talent pools into the world of cyber defense.
Make it welcoming. Security circles are often filled with mild arrogance
because, well, those people are often very smart and are doing hard
jobs. But we need these circles to be welcoming. The security ninjas
need to treat the white belts with respect and nurture them so they
can eventually wear a cyber defense black belt. We need mentoring
programs, cheaper or free training, and marketing and PR efforts to let
the public know that cyber security is a great career path.
You don’t have to be in security now to get a security job, and you don’t
have to just recruit existing security professionals to fill your ranks. There’s
opportunity, we just need to create more incentives, generate exposure
to the broader technology and analytical thinker talent pools, and then
execute. Let’s make 2015 better than 2014 when it comes to expanding
the security talent pool.
No. 2: With 110 Days Left Until WS2K3 Deadline, Many Organizations Are Unprepared
MARCH 26, 2015 º CHRISTOPHER STRAND
There are 110 days left until July 14, 2015, the day Microsoft will end
support for Windows Server 2003 (WS2K3).
Be honest with me for a second. Did you actually know that date? You’re
probably not alone if you didn’t. It appears that many IT professionals
do not. It also appears that many organizations—with a total of about 9
million servers—are still running WS2K3. That’s a very big problem.
Servers, including domain controllers and Web servers, are where most
organizations’ critical information resides. So, if organizations continue
to run Windows Server 2003 after July 14, without implementing
appropriate compensating controls, they are putting customer records,
trade secrets, and other highly valuable data at risk. Cyber criminals,
hacktivists and nation-states prey on unprotected servers, leaving
enterprises exposed to potentially catastrophic breaches that can lead to
lawsuits, regulatory fines and loss of customer trust.
What happens after July 14? According to Microsoft: “After July
14, Microsoft will no longer issue security updates for any version of
Windows Server 2003. If you are still running Windows Server 2003 in
your datacenter, you need to take steps now to plan and execute a
migration strategy to protect your infrastructure.”
This deadline must be taken seriously. However, based on the results of
a recent survey conducted by Bit9 + Carbon Black, many organizations
are not.
From the “Windows Server 2003 (WS2K3) End-of-Life Survey,” two key
results jumped out at me:
1 – Nearly one in three enterprises (30 percent) plan to continue
to run WS2K3 after the July 14 deadline, leaving an estimated 2.7
million servers unprotected
My first thought when I saw that result come in was: “Wow, that’s a lot.”
But why is that important? Continued operation of unsecured
WS2K3 systems can leave organizations exposed to “zero-day forever
scenarios”—where new zero-day vulnerabilities are discovered and
exploited by attackers and no publicly available patch will ever be
provided. This is of particular concern with WS2K3, since it lacks many of
the more advanced memory protection features found in later Windows
operating systems, making the impact of exposed vulnerabilities
potentially more dangerous.
2 – More than half of enterprises (57 percent) do not know when
the end of life deadline is
In the survey, we gave a multiple choice (with 5 options) and asked
respondents to identify the month that WS2K3 end-of-life would
occur. Thirty percent of organizations surveyed said “I do not know.” An
additional combined 27 percent guessed incorrectly, choosing “May
2015,” “September 2015,” or “October 2015.”
There are 110 days left until the deadline. It takes about 200 days
to migrate operating systems for an enterprise. More than half of
organizations don’t even know what month support is ending. Do the
math. The result is not good.
How does this relate to Windows XP end-of-life?
With the critical role servers play at any enterprise, WS2K3 end of
life presents an even greater risk than last year’s Windows XP end of
life. Microsoft cut support for XP in April 2014. That decision affected
individual consumers and businesses alike. With WS2K3, consumers are
not likely to be impacted directly, but business running unsupported
operating systems will put customer records, classified company
information, and other sensitive data at risk.
What can be done?
With 110 days left until the end-of-life deadline, organizations yet to
upgrade must immediately aim to get their WS2K3 systems into a
compliant state to eliminate financial, and potential legal, penalties and
avoid the brand damage associated with failed audits, data breaches,
and noncompliance.
Effective compensating controls for organizations without an upgrade
plan include: network isolation, application whitelisting, and continuous
server monitoring.
No. 1: The March Madness of Cyber Security
MARCH 24, 2015 º BEN JOHNSON
It’s March Madness. My bracket is busted. Thanks to N.C. State’s upset of
Villanova, many of my friends’ brackets are busted as well.
While we’ve all come to know March Madness for the buzzer-beating
basketball games and Cinderella upsets and [insert another sports cliché
here], there’s a different kind of “madness” to think about: the madness
going on in cyber security.
Recently it was revealed that Premera was not only breached but had
ignored warnings in an audit conducted by the Office of Personnel
Management several weeks prior.
As a security strategist, that seemingly blatant disregard of the audit’s
findings is appalling. It’s…wait for it…madness.
Let me explain.
Compliance is not security. You’ve probably heard that 100 times before
but I’ll say it again. Compliance is not security. Compliance checkups,
otherwise known as audits, are there to set a minimum baseline. Audits
are not looking to make sure your organization has optimal security
posture.
If you go to the doctor for a physical, and the doctor says you’re not
dying, does that mean you are in your prime physical condition? Not
necessarily. Does it mean your immune system is optimized to prevent
or quickly respond to any viruses or bacteria that you may be exposed
to? Again, not necessarily.
Similarly, just because you pass an audit does not mean your
organization is secure or has any sort of cyber resiliency.
There’s a maddening, fundamental issue at work here. Despite the
advances we are making in pushing cyber defense to be a C-level issue,
there are still far too many people in power who don’t “get it.”
I recently visited three security guys who defend 50,000 computing
assets at a high-tech manufacturing company. They told me they were
just asked by their CIO, “So our perimeter is impenetrable now, right?”
What?!
When I heard that, I wanted to vomit, but I also wasn’t terribly surprised.
When we discussed getting more visibility in their environment, they
basically said it was better not knowing. Ah, good; the old “screw it”
defense. It’s concerning to see where cyber security is at some places.
Let’s return to basketball analogies. In information security, it often
feels like we’re blindly throwing up an alley-oop, hoping someone is on
the other end for the dunk (or, in our case, to find and stop malicious
activity).
The reality, most often, is there isn’t anyone on the other end of the pass
and we’re just chucking up false hope.
So in this “game,” what “plays” can you run?
• Recognize that humans discover breaches—technology is just
there to support those humans and (we hope) make their jobs
faster and easier. Technology alone is not enough, just like a team’s
game plan is not enough on the basketball court. The players need
to execute for everything to work.
• Invest time in improving your posture—even if you believe you
will get further behind in your alert queue, time spent determining
and fixing root cause versus just remediating an alert will pay
significant dividends and ultimately save you time. Legendary UCLA
coach John Wooden often would tell his players: “Be quick, but
don’t hurry.” That’s great advice for cyber security, as well.
• Focus on feedback loops and orchestration—make sure you’re
measuring how you’re doing, that you’re testing yourself for a
response scenario, and that you’re looking for misconfiguration
and performing risk hunting. Imagine if the University of Kentucky
hadn’t spent any time practicing this season. Would they be 36-0
right now? Practice is key.
In information security, as with March Madness, there will be upsets,
there will be Cinderella stories, and there will be unsung heroes. Cyber
resiliency is a team effort. And not just your corporate team. Your region
and your “bracket” (i.e., the whole industry) as well. We all want to get
better year over year. The first thing we can do is make sure we’re not just
chucking up alley-oops, and if we are, check to see if someone is on the
other end to catch the pass and complete the play.
ABOUT BIT9 + CARBON BLACK
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—
those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signatureless threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations
worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed
security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.
© 2015 Bit9 and Carbon Black are trademarks of Bit9, Inc.
20150514
1100 Winter Street, Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499 www.bit9.com