Now that Websense and Raytheon have created a new company that will combine the Intellectual Property (IP) of both entities to create Defense-Grade Cybersecurity, we should all ask: what exactly is that?
One concept that the DoD space leverages, and which this new company may bring to the enterprise space, is the Positive Security Model. Applied to firewalls, it means only known-good ports/applications are opened and everything else is denied by default... whereas in the enterprise space we typically allow all 65,535 TCP ports outbound and then look for negative events after the fact. Which model do you think is better equipped to address zero-day threats? :-)
Question #1 - how many of your threats are blended (email & web)? Most, I suspect. As such, your users receive emails that look much like this:
Question #2 - how many of your users are clicking on those links? Again... most, I suspect. Wouldn't it be nice if they went to a landing page like this:
Question #3 - wouldn't it be nice if that landing page could leverage sophisticated real-time web security technologies to determine whether a threat existed at point-of-click... like this:
How is this a Positive Security Model? It is because we (ESPO Systems) have put our trust in the Websense URL Database, the industry's most critically acclaimed. Let us explain: if a URL is unknown/uncategorized by Websense, we've decided to wrap it and send our users to a landing page for real-time inspection at point-of-click. If the website is clean, they are allowed access. In summary, only links in known-good categories are delivered to our organization unwrapped... much like the Positive Security Model only allows known-good applications through the firewall. One caveat: a known-good category says a site is legitimate, not that it is clean today; legitimate sites get compromised (see the Jenis_Group post below), so the web gateway's real-time analysis still has to cover the links that pass through unwrapped.
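The link-wrapping step described above, written out as an added example. This is not ESPO Systems' or Websense's code: it applies the positive model to the URLs inside an email body, passing links whose host falls in a known-good category through unchanged and wrapping everything unknown or uncategorized so the click lands on an inspection page that re-checks the real destination at point-of-click. The category table, the landing-page URL and the real-time scan callback are constructed assumptions; a real deployment would query the vendor's URL database and gateway analysis instead.

```python
"""
Added example, not ESPO Systems' or Websense's code: a link-rewriting step that
applies the positive model to the URLs inside an email. Links whose host falls in
a known-good category pass through unchanged; anything unknown or uncategorized
is wrapped so the click lands on an inspection page that re-checks the real
destination at point-of-click. The category table, landing-page URL and scan
callback are constructed assumptions.
"""
import re
import urllib.parse

# Assumed: a tiny stand-in for a URL categorization database (host -> category).
URL_DB = {
    "www.example-bank.com": "finance",
    "news.example.org": "news",
    "cdn.example-ads.net": "advertising",
}
KNOWN_GOOD_CATEGORIES = {"business", "finance", "news"}
LANDING_PAGE = "https://inspect.example.internal/click"  # assumed internal landing page

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify(url):
    """Look the host up; anything not in the database is 'uncategorized'."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    return URL_DB.get(host, "uncategorized")


def wrap(url):
    """Wrap a URL so the click goes to the landing page with the original as a parameter."""
    return LANDING_PAGE + "?u=" + urllib.parse.quote(url, safe="")


def unwrap(wrapped):
    """Recover the original URL from a wrapped link."""
    query = urllib.parse.urlsplit(wrapped).query
    return urllib.parse.parse_qs(query)["u"][0]


def rewrite_links(body):
    """Positive model for links: pass known-good through, wrap everything else."""
    def repl(match):
        url = match.group(0)
        if url.startswith(LANDING_PAGE):
            return url  # already wrapped, leave it alone
        return url if classify(url) in KNOWN_GOOD_CATEGORIES else wrap(url)
    return URL_RE.sub(repl, body)


def decide_at_click(wrapped, realtime_scan):
    """Landing-page logic: re-inspect the real destination at point-of-click.

    realtime_scan is a callable returning 'clean' or 'malicious'. In production it
    would be the gateway's real-time analysis; here it is whatever the caller passes.
    """
    url = unwrap(wrapped)
    verdict = realtime_scan(url)
    return ("allow" if verdict == "clean" else "block", url)


if __name__ == "__main__":
    # Constructed email body: one categorized link, one unknown link.
    body = ("Your invoice: https://www.example-bank.com/inv/1 "
            "Tracking: http://promo.example-ads.net/track?id=7")
    rewritten = rewrite_links(body)
    print(rewritten)
    # Constructed scanner: flags anything under example-ads.net.
    scan = lambda u: "malicious" if "example-ads.net" in u else "clean"
    for wrapped in re.findall(re.escape(LANDING_PAGE) + r"\S+", rewritten):
        print(decide_at_click(wrapped, scan))
```

The rewrite is idempotent (already-wrapped links are left alone), and because the original URL is fully percent-encoded, `&` or `?` inside it cannot break the landing page's query string. The decision is made when the user clicks, not when the mail was delivered, which is the whole point: a site that was merely unknown at delivery time can be judged on what it serves at point-of-click.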
Wednesday, April 29, 2015
Thursday, April 23, 2015
JSC MediaSoft in Russia Hosting Malware (AS48347)
Websense File Sandbox is detecting a downloader being distributed via SCR files inside ZIP archives this morning:
As usual, antivirus coverage is weak:
As such, you'll want to check your firewall logs for the "phone home" via outbound TCP:80 to Mother Russia:
Question - Do you do business in Russia? Does it make sense to allow HTTP/S POSTs to Russia? If not, allow ESPO to align your Business Model with your IT Risk Model.
Thursday, April 16, 2015
Jenis_Group Hosting Malware
As of this morning, Websense is identifying malware on this newly compromised site:
Note that the Websense ThreatScope technology has identified malicious intent. So what, you ask? Well... would you want an exe delivered via the web channel injecting itself into processes and writing files on your desktops:
However, as is unfortunately all too frequent, the signature-based security vendors are asleep at the wheel, with only 1 detection from the 62 AV engines tested on VirusTotal:
Are you ready yet to contact ESPO Systems about how you can get Websense's ThreatScope enabled in your environment?
Tuesday, April 14, 2015
Malicious Excel Macro on the Loose
A new malicious Microsoft Excel macro is making its way around the internet this morning. Per below, you'll see that the AV vendors are doing a poor job protecting against this threat... as is all too often the case:
Are we sure that the Excel file is malware? As you'll see below, the Websense File Sandbox validates the malicious intent:
Finally, notice that the malware/downloader calls out via HTTP to a new domain. Note that this executable, too, is detected by the Websense ACE technology:
HOWEVER... note that the AV vendors are not able to detect this threat either :-(
Wednesday, April 1, 2015
Really Cisco???
Question - how much is Cisco charging you for the renewal of your IronPort S-Series appliance (web gateway)? And... do you feel the SenderBase reputation system, and the associated URL database, is keeping your IT assets secure? We at ESPO would ask you to consider the following attack emanating out of Hong Kong:
Chinabest-ent.com is hosted on an IP address currently owned by Network Infinity, based in Hong Kong. If you are a Cisco customer, your users currently have no problem accessing this site, as it is classified with a Neutral web reputation:
However, as shown below, the Websense ACE technology has identified that the site is hosting malicious content:
More importantly, the malware then attempts to POST data out to a site in Russia:
In summary, we've stated many times that your security spend could/should be reduced by squeezing your AV vendors; however, it may be time to redirect your Cisco renewal towards Websense too. :-)
Friday, March 20, 2015
Is your Risk Model aligned with your Business Model?
Why do we ask? Dridex, which we've addressed previously here, is a UK-focused banking trojan, and a new variant launched this morning. As also noted previously, file sandboxing, à la Websense's ThreatScope solution, is a very useful tool here because the malware typically arrives via Word and/or Excel macros... which we dare not block wholesale, and which the AV vendors are not able to protect against, as the current poor catch rate proves:
Per this report, you'll see that file sandboxing works even when your AV solutions fail. However, is there another way to address this issue, by aligning your Risk Model with your Business Model? In other words, you may not provide goods/services in Spain or the Netherlands. If so, is it wise to accept inbound email messages from Spain (screen shot below), or to allow the malware to phone home via TCP port 80 to a server in the Netherlands (aforementioned file sandbox report)?
We at ESPO recommend leveraging DLP solutions, à la Websense AP-Data, not only to detect your secret sauce leaving the organization, but also to use the built-in geolocation capabilities to block data destined for geographies in which you have no potential customers. Connect with us if you'd like assistance in creating a similar program:
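The "Risk Model aligned with Business Model" check, as an added example that serves this post, the phone-home check in the April 23 post above (outbound TCP:80 to a country you do no business in) and the positive-model point in the April 29 post. This is not ESPO Systems' or Websense's code: it evaluates outbound connections in firewall logs against a positive egress policy, flagging any port not on an allowlist and any destination whose country is outside the geographies the business operates in. The log lines are constructed in an iptables-like format, the IP-to-country table is a constructed stand-in for a GeoIP database (a real deployment would use one such as MaxMind GeoLite2), and the port and country lists are assumptions.

```python
"""
Added example, not ESPO Systems' or Websense's code: apply a positive egress
policy to firewall logs. Outbound TCP connections are flagged when the port is
not on the allowlist, or when the destination country is one the business does
not operate in. The log format is iptables-style but the lines are constructed;
the IP-to-country table is a constructed stand-in for a GeoIP database; the
country and port lists are assumptions.
"""
import ipaddress
import re
from collections import Counter

ALLOWED_PORTS = {80, 443}                 # assumed: the only egress ports this business needs
ALLOWED_COUNTRIES = {"US", "GB", "DE"}    # assumed: where the business actually operates

# Constructed GeoIP stand-in using the RFC 5737 documentation ranges.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "NL"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# Matches outbound entries only: an inbound entry has an empty OUT= field, which
# fails the \S+ requirement, so it never matches.
LOG_RE = re.compile(
    r"OUT=(?P<out>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def country_of(ip):
    """Map an IP to an ISO country code; unknown is '??' and is treated as not allowed."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return "??"


def evaluate_egress(lines):
    """Positive model: anything outbound not explicitly allowed is flagged with a reason."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # inbound entry or unrelated log line
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dpt"))
        cc = country_of(dst)
        if dport not in ALLOWED_PORTS:
            findings.append((src, dst, dport, cc, "port not in allowlist"))
        elif cc not in ALLOWED_COUNTRIES:
            findings.append((src, dst, dport, cc, "destination outside business geographies"))
    return findings


def summarize(findings):
    """Count findings per (internal host, country, reason) so a beaconing host stands out."""
    return Counter((src, cc, reason) for src, _, _, cc, reason in findings)


# Constructed log lines (iptables-style). Host 10.0.0.5 beacons to 'RU' over TCP/80.
SAMPLE_LOG = [
    "Apr 23 09:14:02 fw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=51234 DPT=80",
    "Apr 23 09:14:07 fw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=51240 DPT=80",
    "Apr 23 09:15:11 fw kernel: IN= OUT=eth0 SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP SPT=49000 DPT=443",
    "Apr 23 09:16:30 fw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=198.51.100.8 PROTO=TCP SPT=50001 DPT=80",
    "Apr 23 09:17:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=443 DPT=49000",
    "Apr 23 09:17:45 fw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=51250 DPT=8080",
]

if __name__ == "__main__":
    findings = evaluate_egress(SAMPLE_LOG)
    for finding in findings:
        print(finding)
    for key, count in summarize(findings).most_common():
        print(count, key)
```

Two things worth noting. Unknown country (`??`) is treated as not allowed, which is what a positive model requires: the burden is on the destination to be known-good, not on the analyst to prove it bad. And the geography test is only as good as the GeoIP data and only raises the attacker's cost; malware hosted in an allowed country passes it, which is why the port allowlist and the gateway's content analysis still matter alongside it.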
Friday, March 13, 2015
Really McAfee??? / Mar 13th
As noted many times previously, it is ESPO's recommendation that you call the sales rep of your "premium AV" company and demand a price reduction. Today's Dridex attack lets us dig a little deeper into McAfee, to determine whether their Mergers & Acquisitions (M&A) strategy over the last decade was intended to improve their clients' security posture or the executives' personal income statements. The evidence:
1. Spam bots in APAC have started a new malware campaign. Per the two screen shots directly below, Websense is blocking the email messages/attachments while McAfee's reputation system, TrustedSource, thinks the sender is fine:
2. Per this link to our Websense File Sandbox report, the Microsoft Word attachment from the aforementioned campaign is dropping executables, attempting to inject itself into explorer.exe and modifying registry settings. Seems malicious, doesn't it? Not according to McAfee, or any other AV company, currently:
3. Per the final two screen shots directly below, the dropper attempts to pull bin.exe via HTTP from a site in the Czech Republic. Websense not only had the site classified as malicious, but the real-time analytics of ACE would have detected/blocked the download, while TrustedSource again thinks the site is just fine.
In summary, McAfee failed to stop the initial email connection, failed to detect the malicious macro in the Word attachment, and finally failed to detect the phone home. Final Verdict - McAfee executives made serious money from the acquisition by Intel while your security posture has declined. Time to call Websense??? :-)