Blog

I am sure that every one of you has heard of IoCs, or Indicators of Compromise. They are the forensics that security investigators look for so they can identify the characteristics of the malicious activity that has already occurred. Some examples of IoCs are:

• Hash values of files
• IP addresses used by the attacker
• Domain names associated with the attack
• Network/host artifacts 
   

For the second year in a row, AttackIQ’s observations and analytics have provided the Verizon DBIR team a redacted dataset from our cloud analytics to help find common patterns and observations from emulated attack behavior. Last year, we contributed to a section of the Verizon 2018 Data Breach Investigations Report called “Beaten paths,” where we provided redacted data on what phase in the attack chain most security controls stop the attacker. This year our contributions were again related to attacker paths, but this year the section is called “Unbroken chains,” related to observations of attack paths and event chaining. This is a relatively new section in the DBIR report, and new support has been added to the Verizon VERIS schema that now helps describe this behavior.

CIOs, CISOs, SecOps, and IT teams of many organizations are often asked about their specific defensive capabilities. “How well would we handle Locky Ransomware or EternalBlue?”

Most are unable to reliably and objectively provide data-driven answers. Evaluating your own security maturity can help you understand your current capabilities and drive towards a more mature security program, providing your organization with further capabilities.

In this blog post, I’ll review a simplified set of maturity levels that can help you evaluate your security program and discuss how AttackIQ can enable your organization to grow more mature at each level.

I am routinely asked what the key areas of success are for an Enterprise to evaluate a security validation platform that can objectively validate their security controls, produce the proper evidence and enable strategic business decisions. To answer that important question, I’ve put in place 5 keys to success in evaluating a security validation platform that will drive a data-driven security strategy. Additionally, I will be expanding on these 5 areas in future blogs.

Unless you have been living under a rock somewhere, you would have heard about docker containers. Just like in 1956, the advent of the shipping containers that revolutionized freight transport, docker containers have changed the way modern software is packaged and deployed. Unlike a virtual machine, which abstracts out the entire software including the operating system, containerized applications and their related components run on top of a single operating system. Since it doesn't
need to replicate the operating system for each application, containers are lightweight but still retain all the benefits of process isolation and more. Each containerized application has a private namespace with private network interfaces and IP addresses, and it can mount its own file systems. The picture below is a simplified view of how a dockerized container sits on top of a host operating system.

I woke up on Saturday morning with a Wired Article on my doorstep titled “A Mysterious Hacker Group is on a Supply Chain Hijacking Spree”. Well, it wasn't literally on my doorstep, but rather it popped up on my phone up and came in the form of an email from Carl Wright, our CSO. A few minutes later, I see comments from Brett Galloway, our CEO.

Last week I covered the licensing implications of open-source software (OSS). There is another critical aspect of open source that we need to be vigilant of, and that is vulnerability management. Unlike commercial software, where critical fixes are made available and pushed to the enterprise, the users of open-source software are responsible for keeping track of vulnerabilities and updating relevant components as soon as new fixes are released.
 

Earlier this week, as I was scanning the Wall Street Journal, this headline caught my eye: “Norsk Hydro Repairs Systems and Investigates After Ransomware Attack.” Norsk Hydro is one of the world’s largest aluminum makers, headquartered in Oslo with more than 35,000 employees in 40 different countries. On March 19, they were hit by a ransomware attack that disrupted most of their production and forced them to switch to manual operations.  
 

Like many of you, I was excited to see the Mitre Evaluations posted. I quickly navigated to attackevals.mitre.org and started to click on the cards to check out how the different security vendors fared. I expected to see different areas of the Mitre ATT&CK matrix light up based on the detection by a given security vendor. To my surprise, the matrix looked the same for all of the vendor cards. On further reflection, I realized that this is to be expected, as the ATT&CK matrix displayed the tactics, techniques, and procedures (TTP) exercised by the APT3 group, and, obviously, the same emulation was run on all the different vendor products.
 

I may be showing my age as I recall the days when malware was primarily spread by depositing infected files on a computer system. This spawned the antivirus software industry, whose basic technique was to scan your disks and sniff around your system for files containing signatures identifying them as malicious entities. Analogous to our living world, antivirus software became the predators hunting down malware like prey before they could cause lasting damage to our systems, our networks, our companies, and even our countries.  
 

RSA 2019 was an incredible conference for AttackIQ. We had many reasons to be excited, as this year we celebrate the 5th Anniversary of AttackIQ and yet the first time we had a booth on the show floor! We commemorated these milestones with an incredible booth display to demo our platform, numerous technical partnerships to announce and our new CEO, Brett Galloway leading the way! I couldn't have been more proud of AttackIQ as one of its co-founders.

I have been attending RSA for more than 15 years. It's an intense, long week but a rare opportunity to meet with many strategic security leaders and professionals all in one concentrated location. It can be very productive if planned right. Here are a few tips that have helped make my time worthwhile at RSA over the years.

Our latest Integrations update includes a new approach which makes it easy for FireDrill customers to enable detection of scenario executions. A smart query feature for all FireDrill integrations.

Enterprise security teams are faced with a growing problem. Advanced adversaries are winning the war, stealing data at will and wreaking havoc on corporate networks.

AttackIQ is pleased to announce the release of our Cyber Hunt Exercise Module; a new workflow within FireDrill that enables customers to validate and measure the detection and response capabilities of their Detection Analysts.