Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me.
In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a cybersecurity team from the ground up. As an avid NFL fan (go Browns!) I’m always thinking about what I would do if I was a general manager in a draft room. This year, if I was building a football team, I’d be steering clear of Aidan Hutchinson and Travon Walker early on and trying to trade back and take receivers like Chris Olave or Garrett Wilson.
But cybersecurity is also a team sport. You need a layered model to ensure your organization stays safe from everyday vulnerabilities, state-sponsored actors and everything in between. To build that team, we need to go through seven rounds of selections to build out the ultimate roster of security tools and skills that everyone needs to keep their organization secure (obviously, some of these are a bit tongue-in-cheek; if you want honest-to-goodness security advice, reach out to Cisco Talos Incident Response today). Email me at threatsource@cisco.com with what — or who — you would select in the first round of your Cybersecurity Draft.
Round 1: Multi-factor authentication
MFA is a guy you want in the trenches with you every day on the security playing field. They’re going to protect your most important players from attackers looking to take advantage of holes in your protection. If we’re building a team from the ground up, we need to make sure we have the basics covered, and if your team doesn’t have MFA at this point, you’re going to be searching for an authentication method in offseason free agency, and who wants to sign passwords to a three-year contract?
Round 2: An Incident Response plan
Incident Response Plans weren’t recruited highly in security high school, but they rose up through the ranks over the past few years to become a Wi-Feisman Trophy winner in 2021. An Incident Response plan is there for you when you fall behind on the scoreboard and need to make up ground quickly against attackers. A strong IR plan will give this team a base from which they can react to any attack quickly and try to minimize the damage, hopefully setting us up for a comeback in the fourth quarter. If you’re also looking to draft an IR plan of your own, might I suggest reaching out to Talos Incident Response, who can work to build one from the ground up?
Round 3: User training
A lot of people are concerned that User Training went relatively unnoticed in college for being “boring.” But there are ways to spice things up on the field, and I think as a manager, I can truly unlock Training’s potential. If our users are properly informed about the risks out there in an entertaining and educational way, we can hopefully lean on MFA in the trenches to work as it's supposed to.
Round 4: Endpoint detection
Endpoint detection is projected to go earlier than this in the 2022 Cybersecurity Draft, but I personally think people have kind of forgotten about EDR recently and it could slide into the later rounds, which is where I’ll grab them. EDR will set up in the secondary on defense and monitor for any attacker movements on the offensive side of the field, letting the rest of the team know about any unusual activities, users or connections.
Round 5: Vulnerability management program
A vulnerability, asset and patch management program like Kenna Security will round out our starting defense. Here’s a guy who can muck up the middle of the field and make it harder for attackers to break through the line and push further toward your network’s endzone. By deploying software like this, this team will make sure major holes are patched up right away before the opposing team’s leader can even see them on the field, and best of all, we can automate the process so we don’t need to focus as much on hands-on coaching with this position group.
Round 6: Penetration testing
Round 6 seems late, but with this front office, we can find greatness anywhere. Penetration testing is going to be this team’s Tom Brady coming from Round 6. We’ll grab a few pentesters to place on the perimeter and look inward to find any vulnerabilities in our team before our opponents can. That way, when we head into a week of practice, we know what needs to be fixed right away before we are out against opponents who can take advantage of them. (Plus, this pretty much guarantees we can use red in our uniforms and get something close to the awesome throwback Falcons gear.)
Round 7: Physical backups
Physical backup drives are the kickers of cybersecurity — you hate it when you have to rely on them in the final seconds, but when they work out, they can still be a lifesaver. By keeping physical backups of our team’s data and gameplans, we’re protected in a worst-case scenario and can recover quickly in crunch time rather than hoping we can pay the opponents to give us the ball back. Cloud backups would work just as well in this case, but we like that physical drives have put in years of work to get to this point.
Other newsy nuggets
New research indicates the use of the NSO Group’s Pegasus spyware continues to spread, even to democratic nations. The Spanish government recently deployed the tool against individuals in Catalonia, an area looking to separate from Spain. Spyware continues to be a growing concern across the globe, with evidence indicating that Pegasus is being used in at least 45 countries, according to new reporting in the New Yorker, and similar tools are in use by law enforcement agencies in the U.S. and Europe, areas where governments have pledged to crack down on spyware. (The New Yorker, CNET)
Western governments doubled down on warnings that Russian state-sponsored actors could target critical infrastructure with cyber attacks in the coming weeks, as the country’s invasion of Ukraine drags on. A new alert from cybersecurity agencies in the U.S., Canada, Australia and other countries warns the attacks could come as a Russian response to international sanctions, adding that “other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.” (CISA, Reuters)
The Emotet botnet could be testing new techniques in preparation for a large-scale campaign in the coming months. Security researchers recently spotted the threat actor emailing targets OneDrive URLs that hosted ZIP files containing malicious Microsoft Excel files that installed Emotet onto the targeted machine. This would represent the biggest comeback from Emotet since a law enforcement effort in January 2021 disrupted the botnet. Talos has previously seen signs that the botnet and the actor behind it were not likely to go away even after the takedown efforts. (Cybersecurity Dive, ZDNet, Talos)
Can’t get enough Talos?
- Talos Researcher Spotlight: Liz Waddell, CTIR practice lead
- Threat Roundup (April 15 – 22)
- Talos Takes Ep. #93: Kenna 101 — Best patching and mitigation strategies
- Quarterly Report: Incident Response trends in Q1 2022
Upcoming events where you can find Talos
BSides Charm (April 30 - May 1, 2022)
Towson, Maryland
RSA 2022 (June 6 – 9, 2022)
San Francisco, California
Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada
Black Hat USA 2022 (Aug. 6 - 11, 2022)
Las Vegas, Nevada
DEF CON 2022 (Aug. 11 - 14, 2022)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week