Wednesday, September 16, 2020

What I Am Reading 9/16/2020 - Crime Ops!

NYTimes - W.T.O. Says American Tariffs on China Broke Global Trade Rules -

A World Trade Organization panel said Tuesday that the United States violated international trade rules by imposing tariffs on China in 2018 in the midst of President Trump’s trade war.
In a statement, Robert E. Lighthizer, the United States Trade Representative, blasted the World Trade Organization for trying to prevent the United States from helping its own workers.

“This panel report confirms what the Trump Administration has been saying for four years: The W.T.O. is completely inadequate to stop China’s harmful technology practices,” Mr. Lighthizer said. “Although the panel did not dispute the extensive evidence submitted by the United States of intellectual property theft by China, its decision shows that the W.T.O. provides no remedy for such misconduct.”

ZDNet - MITRE releases emulation plan for FIN6 hacking group, more to follow -

MITRE and cyber-security industry partners have launched a new project that promises to offer free emulation plans that mimic today's biggest hacking groups in order to help train security teams to defend their networks.

Named the Adversary Emulation Library, the project is the work of the MITRE Engenuity's Center for Threat-Informed Defense.

The project, hosted on GitHub, aims to provide free-to-download emulation plans.

Dark Reading - CISA Issues Alert for Microsoft Netlogon Vulnerability -

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning there is publicly available exploit code for CVE-2020-1472, a critical elevation of privilege vulnerability in Microsoft's Netlogon.

"Zerologon," as Secura researchers dubbed the bug, has a CVSS score of 10.0. It exists when an attacker creates a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). Microsoft patched the vulnerability as part of its August Patch Tuesday rollout; it's being addressed in a two-part rollout, the company reports.

Dark Reading - Encrypted Traffic Inference: An Alternative to Enterprise Network Traffic Decryption -

(E)ncrypted traffic inference (ETI) is perhaps the most fascinating of all emerging alternative approaches. ETI solutions analyze aspects of encrypted traffic flows to discern whether they are likely to be malicious, without using decryption.

Based on concepts first published by Cisco Systems researchers in 2016, ETI works by capturing encrypted network flow data attributes – including DNS metadata, TLS handshake metadata, and HTTP packet headers – and analyzing them for specific, intricate patterns that indicate malicious activity.

A number of vendors – including Cisco, Juniper, NTA vendor Corelight, NDR provider IronNet, and specialist vendor Barac – all offer some degree of ETI capability today.
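The flow attributes ETI works from, as an added illustration that is not from the article or from any vendor's product: a small Python parser that reads one TLS ClientHello (a constructed record for example.com, not a real capture) without decrypting anything, pulls out the SNI, cipher suites and extension list, builds a JA3-style fingerprint from them, and checks the result against a watchlist. The watchlist contents and the two findings it reports are assumptions for the example.

```python
import hashlib
import struct

CLIENT_HELLO = bytes.fromhex(          # constructed sample ClientHello for example.com, not a real capture
    "1603010059"                       # record header: handshake, version 3.1, length 89
    "01000055"                         # handshake header: ClientHello, body length 85
    "0303" + "11" * 32 + "00"          # client_version TLS 1.2, 32-byte random, empty session_id
    "000813011302c02bc02f"             # 4 cipher suites: 0x1301 0x1302 0xc02b 0xc02f
    "01000024"                         # compression: null only; extensions length 36
    "00000010000e00000b" + b"example.com".hex() +  # server_name (SNI) extension
    "000a00060004001d0017"             # supported_groups: x25519 (29), secp256r1 (23)
    "000b00020100"                     # ec_point_formats: uncompressed (0)
)

def u16(buf: bytes, at: int) -> int:
    return struct.unpack(">H", buf[at:at + 2])[0]
def parse_client_hello(record: bytes) -> dict:
    """Pull handshake metadata out of a raw ClientHello record; nothing is decrypted."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a TLS record carrying a ClientHello"
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version, pos = u16(body, 0), 2 + 32             # read client_version, skip the random
    pos += 1 + body[pos]                             # skip session_id
    cs_len = u16(body, pos); pos += 2
    ciphers = [u16(body, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                             # skip compression methods
    end = pos + 2 + u16(body, pos); pos += 2         # bounds of the extensions block
    ext_types, sni, groups, formats = [], None, [], []
    while pos + 4 <= end:
        etype, elen = u16(body, pos), u16(body, pos + 2); pos += 4
        data = body[pos:pos + elen]; pos += elen
        ext_types.append(etype)
        if etype == 0:         # server_name: list len(2), name type(1), name len(2), name
            sni = data[5:5 + u16(data, 3)].decode("ascii")
        elif etype == 10:      # supported_groups: list len(2), then 2-byte group ids
            groups = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
        elif etype == 11:      # ec_point_formats: list len(1), then 1-byte format ids
            formats = list(data[1:1 + data[0]])
    # JA3-style string: version,ciphers,extensions,groups,formats (GREASE filtering omitted)
    ja3 = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, ext_types, groups, formats)])
    return {"version": version, "sni": sni, "ciphers": ciphers, "extensions": ext_types,
            "ja3": ja3, "ja3_md5": hashlib.md5(ja3.encode()).hexdigest()}

def assess(meta: dict, ja3_watchlist: set) -> list:
    findings = []                                    # findings from metadata alone
    if meta["ja3_md5"] in ja3_watchlist:
        findings.append("JA3 hash on watchlist")
    if meta["sni"] is None:
        findings.append("no SNI in ClientHello")
    return findings
```

Real ETI products fold many more attributes (DNS answers, flow timing, HTTP headers) into the same kind of scoring; this shows only the TLS handshake slice.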

Cyberscoop - Chinese hacking groups are bullying telecoms as 2020 goes on, CrowdStrike says -

Six suspected Chinese hacking groups have zeroed-in on entities in the telecommunications sector in the first half of this year, according to CrowdStrike research published Tuesday.

While CrowdStrike did not identify the groups by name, attackers have likely been running their hacking operations in an effort to steal sensitive data about targets, or to conduct intellectual property theft, researchers at the threat intelligence firm determined. CrowdStrike also did not identify the targets.

Okta - CrimeOps: The Operational Art of Cyber Crime -

The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.

Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:

Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.

How does FIN7 actualize this vision? This is CrimeOps:

  • Repeatable business process.
  • CrimeBosses manage workers, projects, data and money.
  • CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more.
  • Frontline workers don’t need to innovate (because the process is repeatable).

BBC - Boeing's 'culture of concealment' to blame for 737 crashes -

The US report is highly critical of both Boeing and the regulator, the Federal Aviation Authority (FAA).

"Boeing failed in its design and development of the Max, and the FAA failed in its oversight of Boeing and its certification of the aircraft," the 18-month investigation concluded.

Threatpost - Report Looks at COVID-19’s Massive Impact on Cybersecurity -

Cynet found that cybercriminals are not just “sort of” leveraging the COVID-19 pandemic, they’re going all in. Cybercriminals are pulling out their entire arsenal of new attack methods to best ensure attack success. This is like a sports team using all the new plays they’ve developed in one game rather than spreading them out across the season.

The report states that the percentage of attacks using new techniques has historically been around 20%. That is, 80% of attacks have used well-known techniques that are easily identified assuming companies have updated preventative measures in place.

Since the start of the COVID-19 pandemic, Cynet found that new attacks jumped to roughly 35% of all attacks. New attack techniques cannot be sufficiently detected by antivirus software alone and can only be effectively discovered using newer behavioral detection mechanisms. That is, the new detection approaches must be used to detect the new attack techniques being deployed.

Help Net Security - How security theater misses critical gaps in attack surface and what to do about it -

The insurance industry employs actuaries to help quantify and manage the risks insurance underwriters take. The organizations and individuals that in-turn purchase insurance policies also look at their own biggest risks and the likelihood they will occur and opt accordingly for various deductibles and riders.

Things do not work the same way when it comes to cyber security. For example: Gartner observed that most breaches are the result of a vulnerability being exploited. Furthermore, they estimate that 99% of vulnerabilities exploited are already known by the industry and not net-new zero-day vulnerabilities.

How is it possible that well known vulnerabilities are a significant conduit for attackers when organizations collectively spend at least $1B on vulnerability scanning annually? Among other things, it’s because organizations are practicing a form of security theater: they are focusing those vulnerability scanners on what they know and what is familiar; sometimes they are simply attempting to fulfill a compliance requirement.

NYTimes - Police or Prosecutor Misconduct Is at Root of Half of Exoneration Cases, Study Finds -

According to the report, by the National Registry of Exonerations, official misconduct contributed to false convictions in 54 percent of exonerations, usually with more than one type of misconduct. Over all, men and Black exonerees “were modestly more likely to experience misconduct,” although there were larger differences by race when it came to drug crimes and murder.

/r/Netsec - Lateral Movement Detection GPO Settings Cheat Sheet -

Twitter -

15 weeks left, publishing my next book. Jam packed with pen testing, GPEN & OSCP prep, exam questions, tools & virtual machines. Looking for testers, RT for coverage
