Websense Insights : blended threat

Have you heard about Operation Spear-Phish? Take the challenge.

Jason Woo — Mon, 29 Oct 2012 17:38:00 GMT

Every week I hear cyber security teams say they’re worried about spear-phishing . They’re struggling to defend against them with their current technology. But to exacerbate matters, their users also struggle to understand how to spot a malicious email. Organizations need more hands-on training...(read more)

It’s Phishing Season in Canada: Don’t Take the Bait

Fiaaz Walji — Wed, 24 Oct 2012 14:00:00 GMT

Last week, the Canadian federal government announced its plans to create a secure, stable and resilient digital infrastructure in Canada. To help improve incident response and stop cyber-threats, the Government of Canada is investing $155M in our cybersecurity strategy. With the evolution of online attacks and our country's number two ranking for hosted phishing sites, this initiative is critical for protecting the country's enterprise and cyberspace.

According to recent Websense Security Labs research, Canada currently holds second place under the United States for the top countries hosting the most phishing sites. Combined, they account for more than 80 percent of all the phishing sites we encounter. Why, you ask? American and Canadian websites have great reputations on the Internet making them a lucrative target for cybercriminals.

Today, hackers have adjusted their phishing tactics in ways that get past traditional email security. Increasingly, we are seeing a shift from mass phishing campaigns, where indiscriminate emails are spammed out, to a more concerning type of attack targeting individuals with highly customized content - this is what is known as spear-phishing.

Just a few weeks ago, hackers breached an unclassified computer network used by the White House via a spear-phishing attack. And, in February 2011, the Canadian government was hit by a spear-phishing attempt. The hackers fooled Canadian federal IT staff into providing access to government computers and eventually gained access key government systems.

Because of this, employees, executives in particular, should question the legitimacy of emails during this rise in spear-phishing attempts. Don't be a victim. Here's how spear-phishing works and how you can protect yourself.

Step 1 - Hackers target recipients by gathering intelligence on them from the likes of social networking websites.
Step 2 - Hackers compromise a legitimate domain or server, where targeted recipients may have an existing relationship, to gain access to a legitimate and therefore reputable email address.
Step 3 - Hackers use gathered intelligence to create phishing emails, which are sent via a reputable email address (often spoofed by the attackers) to targeted recipients.
Step 4 - A large percentage of recipients act on the email by clicking on an embedded URL that links to a website that surreptitiously downloads malware. The site may be created specifically for this attack, or it could be a legitimate site that has been compromised.
Step 5 - The malware looks for network vulnerabilities, perhaps to shut down security defenses and create back-door access to internal systems to capture valuable corporate information.
Step 6 - Confidential data such as intellectual property and customer data is stolen.

As low-volume, targeted phishing attacks proliferate, organizations need to reexamine their email security posture and employee education strategy. Therefore, I suggest:

Educating your employees and build awareness of spear-phishing campaigns and how they are executed. For example, try pen testing your employees. Give them real-world examples of phishing attacks, allowing for the opportunity to relay immediate, focused feedback and training to those who fall victim to the exercise.
Deploying an inbound email sandboxing solution to continually analyze and monitor for malicious content.
Using real-time analysis to constantly inspect your web traffic with a web security gateway solution to stop malicious URLs from reaching inboxes

Spear-phishing is becoming one of the most successful types of attack methods penetrating networks and stealing data today. We can't meet this and other cyber security challenges alone. It's imperative for the public and private sector to work together to fight cybercrime and restore Canada's cyber reputation. Please join me in applauding Canada's recent steps to fight cybercrime and share what you're doing to protect Canadian enterprise.

What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research

Patrik Runald — Tue, 09 Oct 2012 03:58:00 GMT

Spear-phishing is a huge concern for today’s government and enterprises. While high profile attacks like last week’s spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore the risk to government agencies, today’s businesses...(read more)

Insights from Top CSOs: 100 Percent Concerned About Spear-Phishing

Jason Clark — Tue, 18 Sep 2012 12:14:00 GMT

I recently hosted a Websense customer round-table discussion with 20 CSOs from top U.S. companies. We swapped war stories, hashed out the security challenges they face every day and they shared how they’ve been successful. These CSOs work in a variety of industries, including federal, finance and healthcare. Recently, there have been a number of highly public targeted attacks, which led to a lengthy discussion on spear-phishing. I found their insights very valuable and I wanted to share some key points below.

Today’s phishing attacks are lower volume (slow-and-low for evasion), highly targeted and look legitimate. Malware is also increasingly delivered via an embedded URL, which might not be live until days after the email is sent. In addition, many of the CSOs also received variants of spear-phishing via SMS during the meeting.

100 percent of all the CSOs were very concerned about spear-phishing. Everyone felt their CEO would click on an infected spear-phishing link if an email got through. We all agreed there needs to be a published strategy for effectively dealing with spear-phishing blind spots. It came down to a three-pronged approach designed to stop 95-99 percent of spear-phishing attempts:

1) Employee education: The human element is incredibly important. Everyone agreed that employee education is fundamental to preventing a spear-phish attack. Consider pen-testing your users. Show them why they need to think before they click. Also, use a combination of audio and visual education methods like videos, webinars, newsletters and in-person trainings.

Many of these CSOs had employee education programs in place that addressed the topic at hire and on an on-going basis. The result isn’t really employee education or security awareness, it’s behavior modification.

2) Inbound email sandboxing: Most of these CSOs were Websense TRITON customers and cited our new email sandboxing feature as a very effective way of stopping targeted spear-phishing. When an email recipient clicks on an embedded URL, Websense analyzes the website content and browser code in real time, in a cloud environment, to ensure safety in any location at any time. This protects against a new phishing tactic we have seen from the bad guys. They send a clean URL in an email to their targets to get through the organization’s email security. After it is received, they will inject malicious code into the site.

3) Real-time analysis and inspection of your web traffic: Stop malicious URLs from even getting to your users’ inboxes at your gateway. Even if you have inbound email sandboxing, some users might click on a link through a personal email account, like Gmail. In that case, your email spear-phishing protection is unable to see the traffic. Your web security gateway needs to be intelligent, analyze content in real time, and be 95+ percent effective at stopping malware.

If you want to know how to quickly test your controls for this approach, let me know and I will be happy to share how to do it. In addition, every CSO in our roundtable said they rely on multiple layers of defense to stop spear-phishing attempts. For example, if an attacker hooked an unassuming employee with a spear-phish, a DLP system with enabled data theft defenses would prevent corporate intellectual property from being stolen. It’s critical that your most sensitive data is retained and contained.

It’s scary to think that almost every company in the world has a big spear-phishing blind spot, which can quickly ruin your day and possibly destroy your business. For more information spear-phishing protection, feel free to download this guide to “Defending Against Today's Targeted Phishing Attacks.”

If you have any questions about our discussion, feel free to drop me a comment or contact me via LinkedIn: http://www.linkedin.com/in/jasonclarkfl

EMEA Webcast: Seven Stages of Advanced Threats & Data Theft

Spencer Parker — Mon, 10 Sep 2012 14:59:00 GMT

The seven stages hackers follow to steal data have been exposed!

Traditional URL and AV defences are no longer effective in blocking targeted attacks. Cloud apps, mobility and remote users have all contributed to a growth in SSL traffic, which is a major blind spot for many defences.

In today’s ever-changing threat landscape, the need to stay informed on the latest attack strategies is vital. Tune in to my webcast this Tuesday, September 11, 2012 from 10 a.m. – 11 a.m. BST on the seven stages of advanced threats and data theft. We’ll be covering each of these steps:

1. Reconnaissance

2. Lures

3. Redirects

4. Exploit Kits

5. Dropper Files

6. Call-Home

7. Data Theft

These are the tactics and stages used in the attacks that have made headlines around the world. Whether it is breaking into a security company to steal source code, or a giant search firm to steal login credentials, most advanced attacks have followed this pattern. Understanding the attackers methods can help you to understand how to better protect your organization.

The four reasons these tactics work while most defences fail is that old defences:

Are primarily based on signature and reputation
Lack real-time, inline content analysis
Are forward facing only, lacking outbound (data stealing) protection
Frequently only offer more of the same in deployment options, leaving areas like SSL traffic in blind spots

Against this backdrop of sophisticated threats, our webcast will help you appreciate the structure of advanced attacks and provide insights on how to respond. For a preview of the seven stages, please visit our Websense 2012 Threat Report.

We look forward to speaking with our EMEA audience! Registration is required to join the webcast. Be sure to bring your comments and questions, as we'll be doing a Q&A session at the end of the presentation. After you've checked out the webinar, or reviewed the stages in our Threat Report, I'd be interested in hearing which stage you feel the most and the least prepared to mitigate. Leave your comments below!

Does your company have a mobile acceptable use policy?

Stacey Garcia — Thu, 16 Aug 2012 16:41:00 GMT

This week, Juniper Research estimated that the number of employee-owned smartphones and tablets used at work is set to reach 350 million by 2014, up from 150 million in 2012. With new smartphones and tablets inundating companies worldwide, IT security teams are struggling to determine acceptable use policies. It goes beyond corporate BlackBerries and laptops to the newest BYOD (like iPads, iPhones, etc).

To help teams manage the mobile influx, we just released a new five-part Websense Mobile Acceptable Use Policy Kit. It provides a guide to help your company embrace mobile devices, communicate with employees, and keep confidential data secure. You can confidently use this guide to help you get started on your company’s acceptable use policy or to supplement your existing mobile device acceptable use policy.

...(read more)

10 New Defenses That Help Prevent Data Loss and Theft

Tom Clare — Wed, 08 Aug 2012 23:11:00 GMT

Last week we announced several new, important core security technologies that we added to our TRITON architecture. Websense ACE now includes 10 new defense innovations; seven are focused on outbound traffic to keep data theft and call-home communications contained, preventing theft or loss. Because so many of them are industry firsts, I wanted to take a moment to explain what many of these do and why we created them.

Truth is, the bad guys are stealing corporate data and avoiding detection using advanced techniques. In just the last year, we've seen key intellectual property and user identities stolen from corporations and government agencies, including some you would least expect-including entertainment (gaming) and security companies!

Below are a few examples of how cyber criminals are going undetected, stealing your IP and how we can stop it from happening.

1. Criminal encryption-Once inside your systems, the bad guys have to get communications and data out. They often use proprietary encryption for communications and data files to send it out cloaked, making it unrecognizable to traditional defenses. Websense can now examine the type of encryption for outbound web requests and data files to determine if known encryption methods are being used, or are the communications and data files using proprietary (criminal) encryption techniques that are non-standard. If criminal encrypted uploads are detected, they can be blocked and a high severity alert appears providing incident details including geo-location destination.

2. "Non Document" Data Theft-The bad guys know that DLP can stop confidential documents from leaving an organization. However, images are not easily analyzed when in motion. As a result, criminals are accessing proprietary files and using images to steal data because data loss defenses are not analyzing images when in motion through gateways.

Websense now includes an in-motion Optical Character Recognition (OCR) defense within the web gateway to catch these attempts at stealing confidential information using images. The OCR feature is also available for end point protection and data discovery within the TRITON solution architecture. So even in a non-document form, Websense recognizes sensitive information and prohibits its misuse as data-at-rest, in-use and in-motion.

3. "Low and Slow" Data Theft (Drip DLP)-Organizations often define how many incidents of confidential information can leave an organization per document or request. For example, sending out one customer address to a website is likely to be approved, but sending out more than 100 customer addresses to one website is not. As a result, bad guys have learned these thresholds and are stealing data under the designated allowance in a "low and slow" approach. Often it includes sending sensitive information out in pieces over time with patience and persistence.

Websense can now recognize slow data "drip" leaks for multiple requests over a defined time period to prevent "low and slow" data theft. Administrators can define the time periods, incident levels and thresholds within web gateways for stateful (or drip) DLP.

In addition to Drip DLP, one of the first things cybercriminals do is collect password information to expand their reach within a network. Websense can also detect password file theft, including AD/SAM database data, on outbound web requests. Criminally encrypted upload and password file data theft detection are new features included in the entry level proxy-based Web Security Gateway from Websense.

4. Email Security Evasion-Cybercriminals know that organizations are frequently using email security services that include some sort of embedded link security scanning. They know that if they send an email with an embedded link to a website with malicious code, the email may be blocked from ever getting to the recipient. Here is how they are evading traditional email security measures:

They take control of a website, but don't infect the destination page yet.
Next, they send out emails as lures (whether mass or targeted) to potential victims, perhaps on a Friday night. Because this is a clean destination web link, it goes through the email security gateway analysis and the email now resides in the user's in-box ready to open.
On Sunday night, the bad guys insert malicious code or a redirect to a malware download server into the destination website. Remember, the email with the embedded web link is already in the victim's box, ready to open.
On Monday, the victim heads out to a favorite coffee shop before work and opens up the email and clicks on the embedded web link - leading to the now malicious website and resulting malware infection.

Our Websense Security Labs have seen this type of attack increasing on a regular basis. Websense now has the capability to mark these emails with embedded links for real-time cloud sandboxing analysis for point-of-click protection whenever and wherever the email is opened and the web link is clicked upon. For example, when a user goes to click on the email embedded web link on Monday, the original web link has been wrapped by Websense with a web link to cloud-based security services providing real-time security analysis of the original web link destination. This defense is key against spear-phishing and targeted attacks blending email and web together.

We've also upped the ante with forensic intelligence. We are able to clearly illustrate:

Who is being attacked (e.g. finance, engineering, person, title, etc.).
How the attack happened, with the option to use an online malware sandbox service to see step-by-step attack infection methods and dynamic web links and call-home requests.
Where the attack communications are destined with geo-location awareness for countries.
What data was targeted and when applicable, forensic data capture.

Websense researches the latest threats and data theft trends and anticipates tomorrow's. These methods of prevention and detection for containment are only available with Websense TRITON security solutions. With this release, the Websense TRITON solution redefines the security gateway and clearly demonstrates that we are leading the security industry in innovation, and more specifically using DLP as a defense against data theft. It provides enterprises with the deep protection, forensics and visibility necessary to prevent today's advanced attacks that lead to data theft.

And these are just a few of the additions we have implemented. You can read about them more here.

Webinar Wednesday: 7 Stages of Advanced Threats & Data Theft

Tom Clare — Mon, 06 Aug 2012 21:18:00 GMT

Every day, organizations worldwide are targeted by data-stealing attacks. While these attacks have evolved in frequency and sophistication, many security defenses have failed to adapt. Old techniques don’t address containment against data theft and cybercrime call-home communications. The growing prevalence of cloud apps, along with increases in SSL traffic, mobility and remote users are also adding more blind spots to traditional defenses.

It’s imperative that we continue to stay up-to-date on the latest tactics and tricks. Join me this Wednesday, August 8, 2012 from 10 a.m. - 11 a.m. PT for a webinar on the seven stages of data theft. We’ll be covering each of these steps:

Reconnaissance – Targeted attackers access credentials and research online profiles, email IDs, org. chart information, hobbies and interests from social profiles to gain insight on their victims.
Lures – Designed to prey on human curiosity, web lures often link to videos or breaking news, while email lures are more business-focused on transaction and fake delivery notices.
Redirects – Users are usually directed to a survey, rogue anti virus offer or a fake web page where an exploit kit is waiting. Traditional redirects are injection attacks, while newer ones focus on social networking wall postings, fake plug-ins, fake certificates and heavily obfuscated java script.
Exploit Kits – The exploit kit objective is like that of a sniper: take the shot with a malware dropper file only when an open door for tested vulnerabilities is found.
Dropper Files – This stage is what most people consider the focus of their forward-facing defenses: analyze every file that comes into the network for malware. The problem is dropper files use dynamic packers, so known signatures and patterns are not available.
Call-Home – This stage involves calling home for malware downloads and tools, and for sending back information, standard procedure for any successful online attack. The problem is that most defenses are only forward-facing and do not analyze the outbound traffic from infected systems.
Data Theft – This is what they are after. The ability to contain an attack and stop data theft raises many questions that we will address. Can your defenses detect password files leaving your network or the use of custom encryption on outbound files?

In addition, we’ll be covering: why current defenses are failing; today’s new security requirements; and the newest, bleeding edge advanced threat and data theft defenses to emerge thus far.

We look forward to having you join the webinar. Bring your questions and be ready to talk threats!

Black Hat Briefings & Exhibits: Day One...

Bob Hansmann — Thu, 26 Jul 2012 18:46:00 GMT

Time for Black Hat again! Day one is almost complete and I’ve seen some big themes.

There’s some of the usual. Vulnerability scanning and pen testing are definitely present and the topics of identifying and learning from data breaches are still big—especially around the area of SIEM. There are also some new developments. For example, more exhibitors are simply about education, including your typical certification schools, but general higher learning institutions, like the University of Maryland, are also here.

As usual, Black Hat USA is full of security vendors and their products, but there seem to be more ‘service’ offerings showcased this year. This may not be surprising to those who have heard analysts increasingly discuss the weaknesses assumed by an organization that is overly dependent on purely in-house resources.

Education, services and research tools are obviously taking center stage in the battleagainst cybercrime. All this focus on education is precisely why we’ve developed a few new tools and resources to help resource-strapped customers tap into the expertise of the Websense® Security Labs™ researchers.

Sometimes you need more than what you have on-hand—especially when you are dealing with highly advanced malware and complex data stealing attacks. That’s when you need an expert security researcher to help. Our Websense Security Labs have morethan one hundred team members worldwide, hip–deep in the latest threats. The new Websense CyberSecurity Intelligence™ (CSI) services, announced today, help extend their expertise and educational benefits right into your organization.

Websense CSI services offer both online and 1:1 time with our researchers, through tools, training, in-person guidance and malware forensics.

All Websense CSI customers will have access to ThreatScope™, an online sandbox environment, to safely test potential malware. It uses our Websense Advanced Classification Engine (ACE) analytics to compile an extensive report of observed behavior on an uploaded file. Insights include the infection process; post-infection activities (such as calling home); system-level events and processes; registry changes and filemodifications.

Think about it, Black Hat USA only comes around once a year, but every day needs to be about education in the security field. Websense CSI services can be an extension of your learning process— giving you access to our researchers and the necessary tools to help you become more educated on the threats of today.

If you could study one aspect of today’s threats, what would you dive into?

Watch Olympians “Go for the Gold” at Work - Safely

Joshua Rosenthal — Sat, 14 Jul 2012 15:41:00 GMT

On July 27, for the first time ever, all of the summer Olympic game events will be streamed online by a network. In addition, we’ll see thousands of other sites re-streaming or hosting the content. The internet will be awash with Olympics.

And while I’m as excited as most, all this online Olympics access raises two major concerns:

An increase in social engineered attacks - Cybercriminals will leverage the Olympics to launch social engineered attacks to gain access to an individual or organization’s system. Social engineering gets them to the doorway by tempting users to click on a malicious link or file. But, for some companies, the door isn't going to be strong enough to stop the bad guys from coming in. There is going to be a huge influx of new sites being created and hosted just around the games. And many organization’s reputation-based defenses won’t classify them accurately. This compounds the issue of degradation of traditional signature-based defenses.
Corporate network bandwidth stress – An event of this proportion can consume an enormous amount of corporate network bandwidth. In particular, EMEA and APAC countries are heavily impacted due to the sheer number of events that coincide with the middle of the workday. And, mobile users on restricted or metered data plans will not be looking at mobile devices for their viewing. They will be looking to their work machines with a perception that there are big pipes available for viewing.

All that burning bandwidth and streaming media can come at a significant price to organizations. In preparation for the games, Websense is providing its customers with innovative ways to protect and manage their organization’s online profile during the Olympics.

To help companies understand and manage the bandwidth load of the Olympics, all streaming and internet media from the Olympics will be placed into a ‘Special Events’ category. This category is used by Websense for all major global events and makes it easy for Websense customers to see the bandwidth use and place limits and controls on that bandwidth as appropriate to the organization.

In addition to the activation of the Special Events category to help customers manage Olympic related bandwidth risks, Websense has recently made two other announcements that are of interest. First, several new URL categories were recently introduced to provide additional malware and other cyber threat defense options, a menace which is sure to leverage Olympic themes in their attacks at this time. And the most recent Websense TRITON release introduces a number of unique and innovative capabilities to help customers assume a stronger, more proactive security posture.

Through this important mix of technologies, we are working to ensure that your Olympic experience is both:

Within reasonable bandwidth expectations (Go ahead and let them stream the track finals!)
Secure by protecting you from the real-time threats likely to evolve out of social engineered attacks related to the Olympic games.

Do you have any tips on how you manage your network when large events take place? If so, leave a comment below.