Choose from several options for complete web, email and data security.
Learn more
Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Come work for the global leader in unified information security. Go
we want to hear from you >
Every day, organizations worldwide are targeted by data-stealing attacks. While these attacks have evolved in frequency and sophistication, many security defenses have failed to adapt. Old techniques don’t address containment against data theft and cybercrime call-home communications. The growing prevalence of cloud apps, along with increases in SSL traffic, mobility and remote users are also adding more blind spots to traditional defenses.
It’s imperative that we continue to stay up-to-date on the latest tactics and tricks. Join me this Wednesday, August 8, 2012 from 10 a.m. - 11 a.m. PT for a webinar on the seven stages of data theft. We’ll be covering each of these steps:
Reconnaissance - Targeted attackers access credentials and research online profiles, email IDs, org. chart information, hobbies and interests from social profiles to gain insight on their victims.
Lures - Designed to prey on human curiosity, web lures often link to videos or breaking news, while email lures are more business-focused on transaction and fake delivery notices.
Redirects - Users are usually directed to a survey, rogue anti virus offer or a fake web page where an exploit kit is waiting. Traditional redirects are injection attacks, while newer ones focus on social networking wall postings, fake plug-ins, fake certificates and heavily obfuscated java script.
Exploit Kits - The exploit kit objective is like that of a sniper: take the shot with a malware dropper file only when an open door for tested vulnerabilities is found.
Dropper Files - This stage is what most people consider the focus of their forward-facing defenses: analyze every file that comes into the network for malware. The problem is dropper files use dynamic packers, so known signatures and patterns are not available.
Call-Home - This stage involves calling home for malware downloads and tools, and for sending back information, standard procedure for any successful online attack. The problem is that most defenses are only forward-facing and do not analyze the outbound traffic from infected systems.
Data Theft - This is what they are after. The ability to contain an attack and stop data theft raises many questions that we will address. Can your defenses detect password files leaving your network or the use of custom encryption on outbound files?
In addition, we’ll be covering: why current defenses are failing; today’s new security requirements; and the newest, bleeding edge advanced threat and data theft defenses to emerge thus far.
We look forward to having you join the webinar. Bring your questions and be ready to talk threats!
Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It’s also unusually large (20 MB), whereas most attacks contain small files (under 1MB). The file is so large because it incorporates a broad set of capabilities including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the LUA scripting language for some of its functions. The primary function of Flame is to...
I’ve been on the road quite a bit and have collected a lot of good information that I want to share with you all. Most of what’s been attracting my attention is the recent crop of targeted attacks. For every one you hear about in the news, another 50 occur behind the scenes. I’ve spent a lot of time working with CIOs and CISOs to help them develop a strategy to protect against these threats.
One place where targeted attacks were a huge topic of conversation was at the U.S. Security Confab event that I attended last week. It’s hosted annually by my friends Jerry Archer, CISO Sallie Mae, Dave Cullinane, CISO EBAY, and Bob Bragdon, Publisher CSO Magazine. If you have never attended I highly recommend it (as if you needed an excuse to spend a week in California). It’s one of the best security conferences in the world.
APTs, targeted attacks, and advanced malware were the common threads that permeated the majority of the presentations. The resounding theme was also the lack of shared strategy and organization within the security community against our common enemy – cybercriminals. Right now when one of us is attacked we share the information upstream with the government, but we fail to turn that into any real, viable intelligence for the private sector. Don’t you think it would be helpful if we had a standardized way to share the intelligence in a standard format that details the “who” and the “how” of the attack? And I’m not just talking about U.S. here; this could be global as well. In this scenario, thousands of companies would be protected instantaneously when one of us learns of a new cyber threat.
Recently, we took a step in the right direction when the Pentagon announced that cyber space is a new battleground. A cyberspace attack on U.S. assets is now considered equal to an attack occurring on U.S. soil. At the same time Department of Defense Secretary, William J. Lynn III acknowledged the need for cooperation. He said:
“Strong partnerships with other U.S. government departments and agencies, the private sector and foreign nations are crucial. Our success in cyberspace depends on a robust public/private partnership. The defense of the military will matter little unless our civilian critical infrastructure is also able to withstand attacks.”
This is a great step, but we must continue to organize within the security community, since the bad guys are already organized and many of us stand on our own. Click here to read more about the Pentagon news.
This week I am attending the Austin NG security summit, so next week I will be talking about successful strategies to protect against ATPs and targeted attacks as well as any great insights from the Austin summit. In the meantime, let me know if you have any questions.
In the first two installments in this series, I talked about getting rid of the FUD around APTs and why they should matter to you, even if you aren’t a government agency, or one of the biggest companies on earth. Now let’s get down to the controversy that is consuming a lot of bandwidth in security circles: What is an APT and how is it any different from older malware attacks out there like botnets, blended attacks, and standard binary-based viruses? So much is written about the topic, yet many people don’t really understand it and are just rehashing an old topic under a new name.
The jaded folks in the security community say that all of the talk about APTs is FUD because true APTs are very few and far between. I beg to differ. I’d say that the APT buzz is not Fear, Uncertainty, and Doubt but rather Fear, Certainty, and Damage.
Let’s start with what makes a “true” APT (all examples are real)...
Who: This is nation-state activity to penetrate another nation or corporations computers or networks for the purposes of causing damage, disruption or exploitation with an endgame objective of disabling an opponent's military capability or stealing important source code to increase their own power. These guys are the special forces of the threat landscape; super skilled buzz-cut clean shaven expert hackers. You’d never know who they were however – because if I told you I’d have to kill you.
Why: Cyber Warfare has been described of as the fifth domain of warfare with the Pentagon formally recognizing cyberspace to be just as critical to military operations as land, sea, air and space. It is reported that at least 100 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities. Cyber Soldiers may operate as APT (advanced persistent threat) or corporate spies at times, but everything they learn is geared toward a specific nationalist objective.
What: Stuxnet is a great example of this attack method, a text book case of an APT. The Worm was discovered July 2010 and is the first specialized complex malware to only target industrial software. It was aimed at compromising the Iranian nuclear program and believed to be the work of a well funded group of 5-10 people over 6 months. Speculation: only a nation state has these capabilities.
Who: These are the heavyweights of the cybercriminal world. Corporate attack and espionage is a stealthy, organised, funded activity by professional agents operating rather like the legitimate companies they hope to steal from. The worker bees are usually found beavering away with state of the art computing equipment, multiple monitors and the blinds well drawn. While the big cheeses are well connected individuals with fingers in pies and eyes firmly on the ball. Together they make a formidable team.
Why: Big Bucks. These guys are out to target company confidential data which can then be sold on to the highest bidder. There are two distinct categories within this group; one aiming long term using Advanced Persistent Threats (APT) and the other group more focused on short- to midterm financial gains.
What: The APT attack nicknamed Operation Aurora in 2009/2010 was aimed at US high tech companies including Google and Adobe. It was thought to originate in China with speculation of Government involvement. Aurora exploited a zero-day vulnerability in Internet Explorer with a goal to steal IP and modify source code.
Alan commented on the initial APT post: I hope you don't spew marketing hyperbole else this will turn dull rapidly. Don’t worry. We are going to stick to the facts. In this piece, I want to separate from the buzz around these attacks and talk about why you should care.
We’ve heard from a lot of executives, “What should we do about APTs?” There is a high level of concern from large organizations with serious IP (like source code) that they know others will try to get. But there’s also a large group that thinks, “I’m a $10M manufacturing company, in Ohio. I don’t think Chinese or North Korean hackers are going to be knocking on my door anytime soon.”
And, they are right. (read more)
If you are like me, you’ve seen and heard plenty about Advanced Persistent Threats (APTs) this year. It’s the new hot-button term. So popular that everyone has their own definition.
FUD continues to cloud the discussion we should be having. So we are starting a series of posts to separate the fact from fiction and to really nail what you should be concerned about. We will:
- Define what APTs are (and aren’t)
- Examine attacks from a research/technical perspective
- Discuss who should care and what you should do about it
- Talk about why most of today's security technologies aren't stopping these attacks
- Explain the malware technology adoption lifecycle (the dynamic missing from most discussions)
Websense Security Labs has been on the forefront of examining APTs in the wild and have charted the emergence of these exploits. We’ll explain why high-profile attacks seem to work so effortlessly. And we’ll discuss the ongoing evolution of APTs: from government/nationalistic targets to organized criminal gangs and soon individual hackers.
I encourage you to join our June 8 webcast on APTs. It’s being hosted by Patrik Runald, one of our senior security research managers.
Let’s skip the APT hype and FUD. Let’s use real-world examples to talk about what matters most to you.
In the meantime, I have my own question: how many of you have been approached by senior management with any questions about big data breaches, like, “Hey, I saw the news about (insert company) losing company data. What are we doing to avoid that?” What did you say?
