Mikko Hypponen and Sean Sullivan from the F-Secure Labs recently sat down to answer some questions on online banking security from our F-Secure Community. The first question dealt with remembering strong passwords. They recommended a password manager, pass-phrases and simpler passwords for less critical accounts.
Here’s a system we recommend to create strong passwords you can remember for you most critical accounts.
More answers are coming soon or you can treat yourself to them all now.
The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared. Photo licensed under CC BY 2.0: Breach photo by Jim Champion
See that floppy disc? That's how F-Secure Labs used to get malware to analyze. Nowadays, of course, it's much different, Andy Patel from the Labs explained in a recent post, "What's The Deal with Scanning Engines?" In just a few hundred words, Andy lays out what makes modern protection so different from the anti-virus that you remember from the 80s, 90s or even the early 00s. And it's not just that floppy disks the Labs once analyzed have been replaced by almost any sort of digital input, down to a piece of memory or a network stream. The whole post is worth checking out if you're interested in how relentless modern internet security must be to keep up with the panoply of online threats we face. But here's a quick look at five of the key components of endpoint protection that work in tandem to stop attacks in their tracks, as described by Andy: Scanning engines. Today’s detections are really just complex computer programs, designed to perform intricate sample analysis directly on the client. Modern detections are designed to catch thousands, or even hundreds of thousands of samples. URL blocking. Preventing a user from being exposed to a site hosting an exploit kit or other malicious content negates the need for any further protection measures. We do this largely via URL and IP reputation cloud queries. Spam blocking and email filtering also happen here. Exploit detection. If a user does manage to visit a site hosting an exploit kit, and that user is running vulnerable software, any attempt to exploit that vulnerable software will be blocked by our behavioral monitoring engine. Network and on-access scanning. If a user receives a malicious file via email or download, it will be scanned on the network or when it is written to disk. If the file is found to be malicious, it will be removed from the user’s system. Behavioral blocking. Assuming no file-based detection existed for the object, the user may then go on to open or execute the document, script, or program. At this point, malicious behavior will be blocked by our behavioral engine and again, the file will be removed. The fact is, a majority of malware delivery mechanisms are easily blocked behaviorally. In most cases, when we find new threats, we also discover that we had, in the distant past, already added logic addressing the mechanisms it uses.If you're interested in knowing more about behavioral engines, check out this post in which Andy makes then easy to understand by comparing the technology to securing an office building. So you must be wondering, does this all work? Is it enough? Well, our experts and our computers are always learning. But in all the tests this year run by independent analysts AV-Comparatives, we’ve blocked 100% of the real-world threats thrown at us. Cheers, Jason
The Internet is pretty cool. You can use it to learn about things happening all over the world. You can start your own blog or social media account to share your views and speak up about the things you care about. You can stay in touch with people that live far away. It’s really all about connecting people, and it’s changed how people live their lives. The odd thing about all this connecting is that it's surprisingly easy to become disconnected from actual people. Spending time in front of a computer screen, especially when working in roles that involve lots of engineering or programming, can put people out of the picture. All too often, things get reduced to bits and pieces of information. People are what’s important to companies. Not just employees, but all the people involved with a business. And many companies say that the customer is #1, but they’ll have employees who never interact with the people they’re serving. So in this era of hyper connectivity, it’s easy for companies and employees to lose touch with the people that are actually paying their salaries. So Donal Crotty, F-Secure’s Director of Customer Advocacy, started a new tradition in 2015 to celebrate how we feel about customers, give them an opportunity to candidly share their views on the company with the Fellows that work here, and learn more about the company and the people that help make it a success. It’s called Customer Day. “Not everyone at F-Secure has the pleasure of actually meeting the people they’re trying to help,” says Donal. “It’s just the nature of some jobs. But it’s a real shame, because all the metrics and analytical tools companies use to gauge how happy or unhappy customers actually are simply aren’t enough. Numbers and data are no replacement for people, and that’s what Customer Day is for.” So today is the 2nd annual Customer Day at F-Secure (#fscustomerday16 on Twitter). And here at our Helsinki headquarters, as well as several of our regional offices around the world, Fellows and customers are coming together to connect with each other and learn more about the people and products. And have a bit of fun too. “IT companies will often say that they’re about people and not technology. But I’m not sure how many of them actually make the effort to put the people that build products and provide behind the scenes services in front of customers” says Donal. “We, as in people in companies, talk about customer experience, but it takes something more than just talking about it to make it meaningful. I like to think of it as a type of feeling. Our technology enables, but the feeling we give to customers is what we want them to live with.” Images provided by Bret Pulkka-Stone.