How Coordinated, Collaborative Security Can Help You Defeat Unknown Malware

In a previous blog, “How to Gain a Competitive Advantage with an Integrated Approach to Security,” we’ve shown you how adding an advanced threat analysis technology to a large enterprise security ecosystem is contributing to its success both operationally and from a business perspective.

This time, we’ll step through the technical details of how to combat unknown malware in a typical enterprise environment. Let’s look at a company that has just gone through an acquisition. As a result of the acquisition, employees are being required to use many new applications. One of the employees clicks a link in an email for an application that appeared legitimate but is, in fact, malicious and installs a keylogger that captures users’ keystrokes.

Here’s how the McAfee integrated ecosystem approach to security rapidly responds to unknown files of this kind and prevents them from executing and doing damage across the organization.

Step 1:

McAfee Threat Intelligence Exchange discovers the keylogger on endpoints and blocks the file from executing. The Threat Intelligence Exchange client then queries the McAfee Threat Intelligence Exchange server on file reputation and simultaneously queries McAfee Global Threat Intelligence, which gathers file reputation intelligence from millions of sensors all over the world. The file is cached on the server while McAfee Threat Intelligence Exchange checks its blacklist and whitelist. After this query-response process, McAfee Threat Intelligence can update the reputation as “good” or “bad.” However, in this case, the file is unknown and requires further analysis.

McAfee Advanced Threat Defense combines sandboxing dynamic code analysis with in-depth static code analysis to identify any potentially malicious code.

Step 2:

Through REST API, McAfee Threat Intelligence communicates with McAfee Advanced Threat Defense, where the unknown file is sent for further analysis via sandboxing. McAfee Advanced Threat Defense spins up a virtual machine (VM) to detonate the file via dynamic analysis, which enables examination of any malicious behavior. At the same time, McAfee Advanced Threat Defense will perform static code analysis by unpacking the file and reverse engineering the code, allowing comparison to known malware families leveraging code reuse and identifying any potentially malicious code. Obfuscated and metamorphic code, which can be highly evasive, can be unveiled through the combination of dynamic and static code analysis. If any malicious intent is identified, McAfee Advanced Threat Defense then convicts the file and updates the reputation, applying a high-severity rating, in this case. This process reveals several indicators of compromise (IoCs) about the file: it attempts to bypass security controls, it installs a keylogger, and it makes connections to risky websites. The file is then sent back to the McAfee Threat Intelligence Exchange server, which updates its local repository and any integrated vector from endpoint to network. McAfee Advanced Threat Defense will also publish IoCs across the McAfee Data Exchange Layer (McAfee DXL), to any subscriber. 

Step 3:

McAfee Data Exchange Layer, which enables sharing of threat information across McAfee security components and third-party security products, publishes these IoCs for ingestion by other solutions in the environment.

Step 4:

McAfee Data Exchange Layer will publish IoCs generated from McAfee Advanced Threat Defense to the security information and event management system (SIEM), McAfee Enterprise Security Manager. The SIEM then aggregates the IoCs and correlates these events. For example, it can do historic investigation, looking into its archives of networks or systems to find evidence of this malware and correlate these IoCs with other events. If it finds that systems have connected to malicious URLs associated with the keylogger, it can send out additional alerts so that remediation can be applied. Once the correlation has been done, McAfee Endpoint Threat Defense and Response uses its automated search capability to get access to this information and generates a URL that will open up the McAfee ePolicy Orchestrator (McAfee ePO) management console where McAfee Active Response is housed, and the pivot to remediation can take place.

Step 5:

Since the malware has a high-severity rating, McAfee Enterprise Security Manager triggers an alert, which enables the administrator to take remediation actions, such as killing the process or removing the file—along with any trace files—from the affected machines.

This use case illustrates the value of a unified architecture, where collaboration of all your security components can dramatically improve security operation response and efficiency, reduce threat dwell time, and increase your capacity to handle security events. In a recent McAfee survey, 70% of participants believe that this approach results in reduction of manual efforts through integrated workflows and automation and 65% believe it provides more effective triage automation.

Watch our video, and see the power of McAfee integration and intelligence sharing in action: “Defeat the Grey.”

The post How Coordinated, Collaborative Security Can Help You Defeat Unknown Malware appeared first on McAfee Blogs.

How Valuable is Your Healthcare Data?

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the report Health Warning: Cyberattacks Are Targeting the Health Care Industry, our McAfee Labs team digs into the dark underbelly of cybercrime and data loss involving health care records. In this case, the darkrefers to the dark web.

Following up on the Hidden Data Economy report, we looked further to see if medical data was showing up for sale. We found dark web vendors offering up medical data records by the tens of thousands. One database for sale offered information on 397,000 patients!

2016-10-27_17-36-06

These databases contained not only names, addresses, and phone numbers of patients, but also data about their health care insurance providers and payment card information.

What’s it worth?

Of course, for this to be worth a cybercriminal’s time, they must be able to profit from it. We are finding that health care records to be a bit less valuable than records such as payment card records that contain financial information. The going price for a single record of information on a user that includes name, Social Security number, birth date, account information such as payment card number (referred to as fullz in dark web lingo) can range from $14 to $25 per record. Medical records sell for a much lower price, anywhere from a fraction of a cent to around $2.50 per record.

Does this mean medical records are not as valuable? Although not as lucrative as fullz, medical record information has  higher value than just a username/password record when sold on the dark web. We think that sellers are trying to maximize their gain from the data theft. In one underground market forum, a seller listed 40,000 medical records for $500, but specifically removed the financial data and sold that separately.

Why is the health care industry a target?

Although there are regulations and guidelines for the health care industry to protect patient information, the industry itself faces many challenges. Foremost, the focus of the majority of health care workers is the treatment of patients. Because they are dealing with life and death situations, the equipment used to treat patients must be working and available at a moment’s notice. This means there is often little time to install a patch or an update on a piece of medical equipment. The equipment may also be running an outdated operating system that simply cannot be patched to protect against the latest threats. It is not uncommon to see medical equipment running on Windows 95. The medical industry is also subject to FDA regulations and approvals. There may be equipment that is approved by the FDA only on an older operating system and would need to be recertified if updated.

How do I stay safe?

Unfortunately, these data breaches are outside the control of the average person. Health care providers typically use the information they collect from you for your treatment, so you cannot withhold your home address or phone number. As a consumer, you need to be alert for health care data breaches that potentially impact you.

  • Pay attention to the news: Once discovered, medical data breaches tend to make the evening news. Even if you went to a health care provider only once to get an x-ray because you thought you broke your thumb and that provider experiences a data breach, odds are your information was compromised.
  • Monitor your credit score: A common use for resold information is the opening of credit cards or bank accounts. Subscribing to a credit-monitoring service will help you know if a new account has been opened without your knowledge.
  • Watch out for phishing: If your contact information has been stolen, you are almost certain to be the target of numerous phishing attempts. Keep an eye out for suspicious emails and text messages. You can read one of my previous blogs for tips on how to spot a phishing attempt.

The nature of today’s digital world can unfortunately cause our personal and private data to be leaked. If you stay vigilant, you can reduce the impact these breaches will have on your life.

Stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and “Like” us on Facebook.

Stay Safe!

The post How Valuable is Your Healthcare Data? appeared first on McAfee Blogs.

How Valuable is Your Healthcare Data?

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the report Health Warning: Cyberattacks Are Targeting the Health Care Industry, our McAfee Labs team digs into the dark underbelly of cybercrime and data loss involving health care records. In this case, the dark refers to the dark web.

Following up on the Hidden Data Economy report, we looked further to see if medical data was showing up for sale. We found dark web vendors offering up medical data records by the tens of thousands. One database for sale offered information on 397,000 patients!

2016-10-27_17-36-06

These databases contained not only names, addresses, and phone numbers of patients, but also data about their health care insurance providers and payment card information.

What’s it worth?

Of course, for this to be worth a cybercriminal’s time, they must be able to profit from it. We are finding that health care records to be a bit less valuable than records such as payment card records that contain financial information. The going price for a single record of information on a user that includes name, Social Security number, birth date, account information such as payment card number (referred to as fullz in dark web lingo) can range from $14 to $25 per record. Medical records sell for a much lower price, anywhere from a fraction of a cent to around $2.50 per record.

Does this mean medical records are not as valuable? Although not as lucrative as fullz, medical record information has  higher value than just a username/password record when sold on the dark web. We think that sellers are trying to maximize their gain from the data theft. In one underground market forum, a seller listed 40,000 medical records for $500, but specifically removed the financial data and sold that separately.

Why is the health care industry a target?

Although there are regulations and guidelines for the health care industry to protect patient information, the industry itself faces many challenges. Foremost, the focus of the majority of health care workers is the treatment of patients. Because they are dealing with life and death situations, the equipment used to treat patients must be working and available at a moment’s notice. This means there is often little time to install a patch or an update on a piece of medical equipment. The equipment may also be running an outdated operating system that simply cannot be patched to protect against the latest threats. It is not uncommon to see medical equipment running on Windows 95. The medical industry is also subject to FDA regulations and approvals. There may be equipment that is approved by the FDA only on an older operating system and would need to be recertified if updated.

How do I stay safe?

Unfortunately, these data breaches are outside the control of the average person. Health care providers typically use the information they collect from you for your treatment, so you cannot withhold your home address or phone number. As a consumer, you need to be alert for health care data breaches that potentially impact you.

  • Pay attention to the news: Once discovered, medical data breaches tend to make the evening news. Even if you went to a health care provider only once to get an x-ray because you thought you broke your thumb and that provider experiences a data breach, odds are your information was compromised.
  • Monitor your credit score: A common use for resold information is the opening of credit cards or bank accounts. Subscribing to a credit-monitoring service will help you know if a new account has been opened without your knowledge.
  • Watch out for phishing: If your contact information has been stolen, you are almost certain to be the target of numerous phishing attempts. Keep an eye out for suspicious emails and text messages. You can read one of my previous blogs for tips on how to spot a phishing attempt.

The nature of today’s digital world can unfortunately cause our personal and private data to be leaked. If you stay vigilant, you can reduce the impact these breaches will have on your life.

Stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and “Like” us on Facebook.

Stay Safe!

The post How Valuable is Your Healthcare Data? appeared first on McAfee.

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the public perception of the presidential candidates. Moreover, never before have the personal health histories of the candidates figured so prominently in efforts to qualify or disqualify them as fit or unfit to serve as president.

A report released this week by Intel Security reveals the ease by which nation-states, domestic political actors, corporations, or activist groups could steal and expose the medical records of political opponents in the same way that the disclosure of incriminating email messages, video recordings, private documents, and speech transcripts has already been used as a political weapon in 2016.

The market for your medical data

The report shows that huge caches of detailed medical records can be purchased for a mere $0.03 to $2.42 per record and browsed to identify the names of political candidates and their family members. Such records contain protected health information such as family names, mothers’ maiden names, social security numbers, payment card and insurance data, and patient addresses. But they also include more sensitive information such as medical histories, details of medical conditions, mental health issues, medications taken, and the state of treatment for a variety of perhaps embarrassing afflictions or addictions.

Intel Security suggest that cybercriminals already mine and analyze millions of such records, cross-reference them with data from other sources, and assemble profiles around individuals who appear to be the most viable targets for crimes such as fraud, data theft, extortion, identity theft, and blackmail. Such crimes have gone digital along with so many other things in our world, and it is not a stretch to foresee them going political in the near future (assuming they already have not).

The “weaponization” of medical records

Although this political season suggests nothing is truly disqualifying, just a couple of years ago former Florida Governor Jeb Bush was deemed disqualified as a presidential candidate on account of, among other things, his daughter’s very public drug addiction. The theft, identification, and public disclosure of data exposing such cases would constitute a political “weaponization” of personal medical records.

Such a disclosure or threat of disclosure targeting a close relative could certainly prove damaging or threatening enough to force a politician from an election contest, or even out of politics altogether.

In 2016, Republican candidate Donald Trump has been criticized for releasing an allegedly inadequate and unconvincing doctor’s letter attesting to his “tremendous” state of health. The health of Democratic candidate Hillary Clinton has been questioned following the release of a mere four seconds of video depicting her exhibiting dizziness. Though these two candidates are not known for quitting, consider that a disclosure of medical records challenging the “robust health” assertions of most campaign teams might prove pivotal in the final days of a contentious election.

Health care hackers-for-hire

 Nor is it a stretch to assert that cyber capabilities—hacking skills, tools, and infrastructure— are beyond the reach of political actors.

Recent press reports claim that around 500 million Yahoo email accounts appear to have been compromised by a mercenary cyber gang. Intel Security has identified cyber gang services available for hire specifically for the purpose of attacking health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches.

In one case, a relatively non–technically proficient cyber thief purchased tools to exploit a vulnerable health care organization, and even leveraged free technical support to orchestrate his attack. The Intel research found that this actor extracted more than 1,000 medical records that the technical support provider said was worth as much as $15,564.

This data breach–enabling ecosystem is so developed that Intel Security was able to uncover the brazen efforts of cybercriminals to recruit as accomplices, through online ads and social media communications, health care industry insiders with workplace access to patients’ information.

Prognosis: unprecedented?

Intel Security’s report reveals how financial resources can command the technical means for launching cyber-attacks via a marketplace for health care hackers-for-hire and stolen medical data. All that remains is the motive, criminal or political, and the media opportunity to release damaging data through organizations such as WikiLeaks or press outlets.

To believe that such an event is unheard of, despite evident public disclosure of weaponized emails, video, and documents, would be to ignore that the 2016 US election season has entered the realm of the unprecedented..

 

 

 

 

The post How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos appeared first on McAfee.