Cyberthreat on the Internet

The Cyberthreats and Trends Enterprises Should Watch in 2016

Every year, Verisign iDefense Security Intelligence Services produces its Cyberthreats and Trends Report, which provides an overview of the key cybersecurity trends of the previous year and insight into how Verisign believes those trends will evolve. This report is designed to assist in informing cybersecurity and business operations teams of the critical cyberthreats and trends impacting their enterprises, helping them to anticipate key developments and more effectively triage attacks and allocate their limited resources.


How to Choose a Cyberthreat Intelligence Provider

Throughout the course of my career I’ve been blessed to work with some of the most talented folks in the security and cyberthreat intelligence (CTI) mission space to create a variety of different capabilities in the public, private and commercial sectors. Before I came to lead the Verisign iDefense Security Intelligence Services team about five years ago, I had to evaluate external cyber-intelligence vendors to complement and expand the enterprise capabilities of my former organization.


Verisign’s Perspective on Recent Root Server Attacks

On Nov. 30 and Dec. 1, 2015, some of the Internet’s Domain Name System (DNS) root name servers received large amounts of anomalous traffic. Last week the root server operators published a report on the incident. In the interest of further transparency, I’d like to take this opportunity to share Verisign’s perspective, including how we identify, handle and react, as necessary, to events such as this.


To Patch or Not to Patch? 4 Steps to Effective Vulnerability Management with Security Intelligence

At the 2015 Qualys Security Conference (QSC) in Las Vegas, Jayson Jean, director of iDefense Vulnerability Intelligence, and Research Engineer Rohit Mothe, discussed the ways in which Verisign iDefense Security Intelligence Services have provided key context around public and zero-day vulnerabilities, and by association, helped customers make better-informed decisions around threat mitigation. A core concept discussed in their talk is that threat mitigation often starts with recognizing and prioritizing mitigation of software vulnerabilities.

Managing risk can require difficult decisions about what to patch or mitigate now, and what will have to wait, because most businesses operate under a “resource-constrained” model and don’t have the staff or funds to patch everything immediately. Making these decisions accurately and quickly requires the context that security intelligence provides.


Verisign iDefense Analysis of XcodeGhost

At Verisign we take our Internet stewardship mission very seriously, so when details emerged over the past week concerning the XcodeGhost infection, researchers at Verisign iDefense wanted to help advance community research on XcodeGhost and, by leveraging our unique capabilities, offer a public service that helps readers determine their current and historical exposure to the infection.

Background

First identified in recent days on the Chinese microblog site Sina Weibo, XcodeGhost is an infection of Xcode, the framework developers use to create apps for Apple’s iOS and OS X operating systems. Most developers download secure Xcode from Apple. However, some acquire unofficial versions from sites with faster download speeds.

Apps created with XcodeGhost contain instructions, unknown to both the app developers and the end users, that collect potentially sensitive information from the user’s device and send it to command-and-control (C2) servers managed by the XcodeGhost operator. This way, the XcodeGhost operators circumvented the security of Apple’s official Xcode distribution, and the security of Apple’s App Store.

Image 1: iDefense IntelGraph chart and intelligence alert, “XcodeGhost”

The infection had widespread impact. As of September 25th, Palo Alto Networks and Fox-IT had identified more than 87 infected apps by name, and FireEye claimed to have identified more than 4,000 infected apps. This activity impacts millions of users both in China and elsewhere in the world. To understand key aspects of the infection, iDefense researchers leveraged authoritative DNS traffic patterns to the C2 domains.


Missed Us at Black Hat? No Problem. See iDefense IntelGraph Today.

Black Hat USA 2015 is behind us. Through all of the presentations, celebrations and meetings, one thing was very clear to me and the iDefense Security Intelligence Services crew in attendance: online security practitioners and their constituents face a more complex threat landscape than ever before. From some pretty intense software vulnerabilities to even scarier remote-control hacking of automobiles, the “bad guys” have some pretty serious tools at their disposal.


Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

With significant data breaches making headlines over the last six months, most notably the U.S. Government’s Office of Personnel Management (OPM), organizations managing critical networks and data are watching their worst nightmares play out on a public stage. As these organizations hustle to shore up their defenses in the wake of new breaches, security intelligence is playing a large role in helping key decision makers cut through the glut of security information, and understand which threats are relevant. But how do analysts determine the relevance of a threat?

Understanding the Threat Landscape: Basic Methodologies for Tracking Attack Campaigns

The indicators of compromise (IOCs) outlined in my last blog post can be used as a baseline for developing intrusion sets and tracking attack campaigns and threat actors. When launching an attack, threat actors use a variety of vectors and infrastructure, which Verisign iDefense analysts – as well as analysts across the cybersecurity community – correlate to group attacks, tracking actors and determining attack methods. Tracking and analyzing how an adversary targets your organization, and developing insight into their tactics, capabilities and intent, contribute to an organization’s effective risk mitigation strategy. Campaign analysis allows an organization to focus its monitoring, incident response procedures, training efforts and internal security controls more effectively on those assets and personnel that a threat actor will likely target for compromise.

Understanding the Threat Landscape: Indicators of Compromise (IOCs)

I previously provided a brief overview of how Verisign iDefense characterizes threat actors and their motivations through adversarial analysis. Not only do security professionals need to be aware of the kinds of actors they are up against, but they should also be aware of the tactical data fundamentals associated with cyber-attacks most commonly referred to as indicators of compromise (IOCs). Understanding the different types of tactical IOCs can allow for quick detection of a breach, as well as prevention of a future breach. For purposes of this overview, Verisign iDefense breaks IOCs into three distinct categories: email, network and host-based.

Understanding the Threat Landscape: Cyber-Attack Actors and Motivations

The threat landscape has rapidly expanded over the past few years, and shows no signs of contracting. With major establishments in both the public and private sectors falling victim to cyber-attacks, it is critical for organizations to identify the motivations, modus operandi (MO) and objectives of adversaries in order to adequately and effectively defend their networks.

Understanding the taxonomy of cyber-attacks is the first step in preparing an organization against exposure to them. Verisign iDefense Security Intelligence Services classifies cyber-attacks into three categories: hacktivism, cybercrime and cyber-espionage.
