
The Power of Reports and Software Testing

In February, a report appeared on the website of the LockBit cybercriminal group in which the criminals tested encryption speeds across 36 different ransomware variants, including two of their own, LockBit 1.0 and LockBit 2.0. It turned out that those two, LockBit 2.0 and LockBit 1.0, were at the top of the table. Information about the conditions of these tests was limited.

Splunk specialists decided to verify the test results under more detailed, documented assumptions. LockBit did turn out to be the fastest tool, but LockBit 1.0 was actually faster than its newer counterpart, LockBit 2.0. The total encryption time of nearly 100K test files spread across 100 directories (various file types and sizes) was 2 minutes 20 seconds for LockBit 1.0 and 2 minutes 30 seconds for LockBit 2.0. The test also showed that LockBit 2.0 is much more efficient than 1.0, using only half the number of CPU threads and hitting the disk 27 fewer times.

Yet that doesn’t change the fact that the older version was faster. Splunk researchers found that second place actually belongs to PwndLocker, which needs only 2 minutes and 28 seconds to encrypt the same data.

All three of the fastest tools use partial encryption, which is enough to render most files unusable. LockBit 2.0 encrypts only the first 4 KB of a file and leaves the remainder untouched. PwndLocker leaves the first 128 B of a file unencrypted and encrypts the next 64 KB. The fastest variant, LockBit 1.0, encrypts 256 KB of every file, using a high number of CPU threads along with high disk access rates.
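As an added example (not code from the original post, from Splunk, or from the CQURE authors), the script below shows how a defender can spot the partial-encryption layouts just described during triage of a suspect file share: it computes byte entropy over the region each variant targets (the first 4 KB for LockBit 2.0; bytes 128 to 65664 for PwndLocker) and compares it with the rest of the file. The profile table, the entropy thresholds, the profile names and the in-memory sample files are assumptions constructed here for illustration; the high-entropy region in the samples is a pseudo-random stand-in, not the output of any encryptor.

```python
"""Flag files whose layout matches a partial-encryption pattern.

Added defensive example; not code from the original post, Splunk, or CQURE.
The two layouts described in the text are encoded as (offset, length)
profiles. A file is reported as "partial" when the profiled region is
high-entropy (ciphertext-like) while the remainder still looks like
low-entropy plaintext. Thresholds and samples are assumptions.
"""
import math
import os
import random
from collections import Counter

# Assumed profiles: (offset, length) of the region the variant encrypts.
PROFILES = {
    "lockbit2_head4k": (0, 4096),            # LockBit 2.0: first 4 KB
    "pwndlocker_skip128_64k": (128, 65536),  # PwndLocker: skip 128 B, then 64 KB
}
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext or random data approaches 8.0
LOW_ENTROPY = 6.0    # text and most structured data sit well below this
MIN_REGION = 256     # below this many bytes the entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(content: bytes, offset: int, length: int) -> dict:
    """Compare the entropy of one profile's region against the rest of the file."""
    region = content[offset:offset + length]
    rest = content[:offset] + content[offset + length:]
    region_ent = shannon_entropy(region)
    rest_ent = shannon_entropy(rest)
    if len(region) < MIN_REGION:
        verdict = "too-small"      # not enough bytes to judge
    elif region_ent < HIGH_ENTROPY:
        verdict = "clean"          # the targeted region is not ciphertext-like
    elif rest and rest_ent < LOW_ENTROPY:
        verdict = "partial"        # encrypted window, plaintext remainder
    else:
        verdict = "full"           # whole file is high-entropy, or nothing left to compare
    return {"region_entropy": round(region_ent, 2),
            "rest_entropy": round(rest_ent, 2),
            "verdict": verdict}


def scan_bytes(content: bytes) -> dict:
    """Verdict per profile for one file's content."""
    return {name: analyze(content, off, ln)["verdict"]
            for name, (off, ln) in PROFILES.items()}


def scan_directory(root: str) -> list:
    """Walk a tree and return (path, profile) pairs that look partially encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    content = fh.read(256 * 1024)  # first 256 KB is enough for both profiles
            except OSError:
                continue
            for profile, verdict in scan_bytes(content).items():
                if verdict == "partial":
                    hits.append((path, profile))
    return hits


def _pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic high-entropy filler; a stand-in for ciphertext, not encryption."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data (not real ransomware output): repetitive plaintext
# with the pseudo-random stand-in spliced in at each profile's offset.
_PATTERN = b"batch 0042 ok; batch 0043 ok; label queue idle; "
PLAINTEXT = (_PATTERN * (200_000 // len(_PATTERN) + 1))[:200_000]
SAMPLE_CLEAN = PLAINTEXT
SAMPLE_HEAD4K = _pseudo_random(4096, 1) + PLAINTEXT[4096:]
SAMPLE_SKIP128 = PLAINTEXT[:128] + _pseudo_random(65536, 2) + PLAINTEXT[128 + 65536:]
SAMPLE_FULL = _pseudo_random(200_000, 3)

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("head4k", SAMPLE_HEAD4K),
                          ("skip128", SAMPLE_SKIP128), ("full", SAMPLE_FULL)]:
        print(label, scan_bytes(sample))
```

Run it directly to print a verdict per profile for the four constructed samples, or call `scan_directory()` on a copy of a suspect share. Entropy is a heuristic: already-compressed or encrypted formats (archives, media, encrypted containers) score high everywhere and come out as "full" rather than "partial", so treat hits as triage input rather than proof of encryption.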

The slowest, Avos, needs 132 minutes to encrypt the data. The median for all tested tools is about 23 minutes. For many organizations it is impossible to react that fast: there is no realistic chance to counteract during the encryption phase, so the response has to happen before it. According to Mandiant’s “M-Trends 2022” report, ransomware criminals tend to spend three to five days in the victim’s environment collecting information before they start the encryption process. That is enough time to stop them, but once encryption starts, it is already too late.

* https://www.splunk.com/en_us/blog/security/truth-in-malvertising.html

The post The Power of Reports and Software Testing appeared first on CQURE Academy.

Skill Gap in Cybersecurity

In the last few years, cybersecurity professionals have been experiencing extreme stress or burnout. According to last year’s Forrester survey, 65% of them considered leaving their job because of it. This high level of burnout is the decisive factor in cybersecurity professionals’ decision to leave their jobs; for some of them, it means leaving the industry altogether. To some extent, this is an effect of the COVID-19 pandemic. In the last two years, cybersecurity specialists have been asked to take on heavier workloads as companies undergo digital transformation, while companies have not increased wages to compensate for it. Since these jobs remain in high demand, many workers easily found another position with a substantially higher salary. Once these specialists leave, the company faces a nearly impossible mission to replace them.

A competitive and adequate salary is important, but a proper set of benefits is the real way to fight burnout and keep employees. Flexible work options are one way to improve the quality of working life; another is offering remote work opportunities. This supports retention and can help managers expand the hiring pool to a global scale.

However, companies quite often forget that working in the cybersecurity industry requires continuous training. Specialists must constantly learn about newly discovered vulnerabilities in the technology currently in use to stay on track. It is also essential for them to follow new security solutions, whose security has often not yet been properly tested against the brutal reality inhabited by cybercriminals.

The willingness to acquire knowledge is a characteristic of cybersecurity specialists. This eagerness to expand competencies and gain new skills can become one of the foundations of human resources policy. Development opportunities can be a key benefit that builds a better relationship with the employer and compensates for inconveniences. This policy is not only about access to training courses; more important is creating a proper development path in cooperation with the employee, which allows them to develop skills in a suitable direction. The key role here belongs to a career advisor who creates a development plan for each employee. This solution also benefits companies, which in this way acquire the necessary competencies using the resources they already have. The skill gap in the labor market makes it difficult to hire a specialist in a particular area; a better idea for companies is to equip existing staff with the desired knowledge through training.

The internet makes it easy to learn new skills without access to a physical classroom. However, the vast amount of content online also opens the door to training programs that employers may not view as legitimate. Steer clear of that outcome by researching courses from companies and organizations with a well-known name. The most important factors to take into account when choosing training are, firstly, the trainer’s experience in real-life cyber-combat scenarios and, secondly, their pedagogical competence, which allows you to gain new skills in an effective and accessible way.

Everyone in the cybersecurity world has heard about the skill gap. Unfortunately, we cannot educate millions of specialists in a short time. It is better to look around, pay more attention to the security teams already operating, and upgrade their skills.

The post Skill Gap in Cybersecurity appeared first on CQURE Academy.

Salaries in Cybersecurity

According to the data collected by (ISC)2 in the report “Cybersecurity Workforce Study 2021”, the global cybersecurity workforce is well-educated (86% have a bachelor’s degree or higher) and technically grounded (most graduated with degrees in STEM, some from business fields). The average annual salary before taxes in the USA is about $90,900, up from $83,000 among respondents in 2020 and $69,000 in 2019. While only 9% of the North American workforce reported a pre-tax salary below $50,000, the largest single North American grouping (49%) earned more than $100,000. But reality looks different in different parts of the world, and salaries and their distributions vary broadly by region. According to the same report, the average annual salary in Europe is around $78,000, in the Asia-Pacific region it is $61,000, and in Latin America the average is around $32,000.

If we break down the cybersecurity workforce by job profile, salaries look very different even within the US labor market alone. According to the portal payscale.com (all data presented in this section comes from that source), security analysts, who deal with vulnerabilities in software, hardware and networks and recommend solutions, can get around $81,000. The salary of a security engineer who performs security monitoring to detect incidents is about $104,000. One of the highest-paid professions in the industry is the security architect, responsible for designing new security systems, with an average salary of about $125,000. Security administrators’ average salary is $76,000; they manage the organization’s security systems and often perform the tasks of a security analyst, especially in a smaller organization. Another job profile, the security software developer, can get around $73,000; they build security into application software and develop software to monitor and analyze traffic to detect intrusions and malware. The chief information security officer (CISO) is a special case because it is a high-level management position responsible for the entire information security staff. According to payscale.com, the average annual salary in that position is about $166,000.

However, when we take a closer look at the data, it turns out that experience level has an exceptionally large impact on salaries. For example, a security analyst with less than one year of experience can count on $65,000, while employees with more than 20 years of experience in the same position receive an average of $112,000. Experience in a CISO position matters even more: new managers can count on $106,000, and people with over 20 years of experience get $180,000 on average. Some cybersecurity leadership roles at large U.S. corporations offer compensation packages of one million dollars. The recipients of these big pay packages include military cyber experts making a switch to the commercial sector.

One more thing. According to the (ISC)2 report mentioned above, there is a significant difference in average salaries between cybersecurity experts who have earned at least one cybersecurity certification and those who have not earned any: those who hold a cybersecurity certification earn $33,000 more in annual salary.

In a nutshell, salaries in the cybersecurity industry vary widely. They are primarily influenced by region, experience, job profile and earned certifications. It is worth being aware of how the choice of a career path may affect income.

The post Salaries in Cybersecurity appeared first on CQURE Academy.

Dark hours – postincident recovery without procedures and documentation

SCENARIO I

A big global company in the chemical industry was attacked by cybercriminals, and its data in branches across the world was encrypted. The organization refused to pay the ransom and decided to restore its infrastructure using data backups and paper documentation (the law required the company to keep it in an archive). They decided to take the risk, even though some of the data might be permanently lost. Operational technology was not infected and had no direct connection to the IT infrastructure.

We were asked for help in post-incident recovery by the attacked company’s business partner. On-site, we expected to receive proper documentation and procedures, but quickly realized there were none. There were technically competent people at the UK and US headquarters of the attacked company, but they were not prepared for an event affecting so many countries and regions around the world at the same time and on this scale. Their first idea for recovery didn’t work well in the branches. We were supposed to scan with a tool they provided and flag healthy systems. If even one was unhealthy, all the systems in that network were to be reinstalled, but there was no procedure for how to do it, especially with such a vast number of systems and without proper documentation. We did it manually, as no automation for the installation existed. A much better idea would have been to set up all the systems at the same time from a previously prepared server. Halfway through the work, the headquarters decided that it needed a different, customized system, and we had to start from the beginning. After installation, we realized there was no step to enter a login and password to log into the systems. They were not connected to Active Directory, and there was no admin account accessible to us or anyone else. Long story short, HQ made a mistake while preparing the new images and there was no time left for them to prepare and deliver new ones. We managed to deal with this problem. We also wrote some scripts that sped up our work. Finally, in cooperation with us, procedures were created which were then to be implemented in other locations.

One of the reasons the company had such a vast number of problems was serious technological debt. It wasn’t an issue of the IT in a particular branch, but of the entire organization, in particular the headquarters. There were 80 domain administrators, so the attack surface was extensive. They were using old, unsupported systems, e.g., Windows Server 2003. The attack vector was probably classic phishing followed by privilege escalation. The main servers were a mess, with lots of unnecessary software installed; they were configured like regular workstations. Fortunately, not all company locations had been encrypted.

SCENARIO II

A global technology company was attacked by a ransomware group and lost access to its encrypted data. In this case, the board decided to pay, and the criminals delivered the decryptor. Despite the decryption of files, many systems still didn’t work properly and the company didn’t regain access to all of its resources. The documentation existed but was encrypted. The company also had backups, but no one could log into them because the authentication server was encrypted.
As in the previous case, we were asked for help by our partner. The main consulting company hired by the attacked organization belonged to the “big four.” There was a procedure created by this large consulting company, but it didn’t fully work in the field. We got the hardware into our hands after the decryptor had been used, and our task was to put everything back in motion. The headquarters was unable to start many processes, and the preconfigured device delivered to us turned out to be inoperative. We spent dozens of hours working with HQ specialists to solve those problems and to support them whenever the standard operating procedure was not working for them. Finally, we recovered all the systems and brought the production sites back to a fully operational state. Along the way, we even reverse engineered the malware and the decryptor to fully understand how to decrypt files that at first looked unrecoverable and lost forever.

Main issue
In post-incident recovery, actions, procedures, and documentation are the key elements for an organization to get back on its feet. Problems in such situations are the result of neglecting to practice catastrophic-level event scenarios and the rebuilding of the organization from a non-existent environment. It’s very common for organizations to focus on the idea of having backups while doing no fundamental analysis of ransomware-related risks; there is a lack of decent impact analysis. In the cases we handled, the average time to recover from a catastrophic event was two weeks. During this time, the organization cannot produce goods, or its logistics department is not operative. In the first scenario, the company couldn’t print the labels for the barrels that are legally required for this particular commodity to be shipped. Production could work at full scale and the trucks were waiting, but nothing was happening because the print servers were not working.
Another source of problems is contracts with a specific range of activities that organizations sign with cybersecurity providers. In the first case, the provider was responsible only for cleaning systems and getting rid of the malware. They didn’t care whether the company was operating after they had fulfilled their obligations; it was not the kind of service they were paid for, and they just wanted to clear the site and move to the next one as soon as possible.

Companies’ reactions
After an incident, the company’s budget for the cybersecurity department is usually more generous. Unfortunately, memory is short, and after a few months security loses its importance again, especially when the proposed changes have an uncomfortable impact on the business, e.g., more standardization, less flexibility, more restrictions for employees processing sensitive data. Sometimes companies fire the CISO or CTO and hire a new person for the position. This is always a mistake, especially just after an incident or, even worse, during the incident, because a new CISO will spend a long time understanding the system they have entered. A new person comes with their own experience and very often replaces old solutions with completely new ones. Replacement is not a method for fixing the issues. In many organizations there is no such position as a CISO; the person responsible for security is an employee responsible for maintaining production, who does not want to complicate their life in the name of security.

Solution
Permanent cooperation with a managed security service provider could prevent such scenarios from developing. It’s a cost-effective option for organizations without an in-house security operations centre. However, the solution has limitations: the service is generic and there is not much customization for the particular system. Cooperation with a managed security service provider allows the organization to be prepared for incidents and to introduce short-term and long-term post-incident strategies. It is necessary to consider different scenarios, even if only on paper. Playbooks are in every security framework, they are standard, but procedures very often don’t have much in common with reality or are simply ignored.

The post Dark hours – postincident recovery without procedures and documentation appeared first on CQURE Academy.

Bug bounty or profound pentest? It’s not the Matrix, take both pills.

Google’s Android, Chrome, and Play platforms continue to be vulnerability-rich environments. In 2021 Google paid a record $8.7 million in rewards to 696 third-party bug hunters from 62 countries who discovered and reported thousands of vulnerabilities in the company’s technologies. It’s a nearly 30% increase from the $6.7 million in 2020.

Companies often hire a team to test the security of their website or system before deployment. But what happens when new features or updates are pushed? What about the bugs or weaknesses that these teams miss? That is why it makes sense to sign up for a bug bounty program, to make sure that the system gets tested by a vast range of freelance security experts, not just one team. Bug bounty programs also ensure that the system is always being tested, not just at one point in time. For a mid-size company, it could be a way to save money; after all, an in-house team of cybersecurity experts may simply be too expensive. In bug bounty programs, cybersecurity experts are rewarded when they discover a new bug, and the time they spend doing so does not matter to the company.

The two most popular variants of a bug bounty program are ethical hackers working directly with the company or through an intermediary platform. This intermediary can verify the cybersecurity expert’s work before notifying the company. Typically, a hacker receives a monetary reward for a successful submission; for less critical vulnerabilities they may get branded company merchandise. The prize offered should be equivalent to the severity of the vulnerability discovered and the effort the ethical hacker has made. If the compensation offered is unfair, the company can expect a negative backlash. In 2013 Yahoo had to change its bug bounty policies after it offered t-shirts to bug hunters for finding critical vulnerabilities, and its program’s reputation was damaged. This aspect is still often criticized by the community as unfair, since the wages paid for standard penetration testing are much higher and do not depend on the number of reported findings.

Some bug bounty ecosystems introduce reputation points and associated leaderboards to reward successful submissions. These reputation points are often the criteria for admission to private programs. While direct programs are often public, allowing for submissions from anyone, in private programs only selected security researchers can see the program details and participate. Private programs allow some organizations to test procedures before going public, some of them remain private for a significant amount of time or permanently. Consequently, these programs avoid some issues prevalent in public operations.

Bug bounties are a side activity for many security researchers, but there is also a group of people who have made bug bounty hunting a way of life. A 30-year-old hacker from Romania took two years to earn his first million in those programs. Such a result is certainly impressive, but it is worth remembering that bug bounty programs do not mean high revenues for everyone. Companies differ in when the prize is paid out: some do it when the reported bug is accepted, others only when it is fixed, which can take many months.

Very often, there is also a dispute about how to classify the severity of a vulnerability. Most companies are friendly to the bug hunters cooperating with them; unfortunately, this is not a universal standard. The rules of the game are determined by the company, and in the event of a disagreement some researchers break the rules and, giving up the prize, publicly disclose the details of the vulnerability. This, in turn, can lead to legal issues and costs on both sides of the dispute.

Ideal solution

At first glance, a bug bounty program looks like an ideal solution: it enables constant testing of system security and does not ruin the company’s budget. The reality is not so rosy. A significant issue in bug bounty programs is the high volume of low-quality submissions. Poor-quality reports are the result of racing to submit a vulnerability first. Many ethical hackers look to maximize the number of submissions rather than focusing on specific vulnerabilities, and the reason is simple: it is the more profitable tactic.

One of the key factors influencing the effectiveness of bug hunters is an “arms race” in finding assets. Companies do not always disclose every subdomain or subpage within the program’s scope, so it is common to run tools that search for additional targets. The methods vary: spidering, brute-forcing and dictionary attacks, run at the same time with the fastest available tools and cloud systems. For example, the Axiom tool can split the work across hundreds of cloud machines, which are deleted a second after the work is finished.

There is also a problem with duplicate submissions. The race to submit first often leads to reports lacking essential details, so the company or platform asks the ethical hacker for further information. In the meantime, another hacker may submit a significantly more detailed report on the same vulnerability. The second report, although possibly more beneficial to the organization, is a duplicate according to the rules. The treatment of duplicates varies. Synack addresses this issue by setting a 48-hour window for submissions in which all reports are accepted; after two days, duplicates are grouped together and the most detailed report gets the bounty. Some platforms do not pay for duplicates at all, a mechanism that discourages detailed submissions.

Another disturbing trend within bug bounty programs follows from the probability of finding a given number of bugs: the average bounty per program scales super-linearly, while the probability of discovering a bug decays rapidly. After some time, switching to another program becomes more profitable than making an in-depth analysis of the old one. This creates a potential problem of incomplete coverage, possibly leading to a false perception of security.

There is also a lot of controversy in cases where a security researcher has found and reported a bug to a company that does not have an official program. This creates potential legal issues; bug hunters could be seen as extorting the target rather than acting for good. Above all, in such cases the company and the ethical hacker have no binding contractual relationship. There is always the risk that a bug hunter could choose to sell the vulnerabilities they discover on the black market, or even double-bluff their client by asking for payment while also selling the information on the dark web.

Cybersecurity expert Troy Hunt describes the phenomenon of the so-called Beg Bounty. In this scenario, a company receives unexpected information from a researcher about a very serious vulnerability: the details will be disclosed in a moment, but first the company needs to agree on the amount of the payment. Often this supposedly important vulnerability is something completely irrelevant from a security point of view: unrealistic clickjacking, a missing HTTP header, or a loose SPF record configuration.

Go hybrid

Companies don’t have to choose between bug bounty programs and a team of experts to test their security in depth. The best model combines the two: third-party penetration testing performed annually or after a major system update, plus a well-organized bug bounty program to complement the existing vulnerability management process. In-depth tests are an excellent tool for finding and fixing security weaknesses; bug bounty programs can help secure companies in the gaps between penetration tests.

The post Bug bounty or profound pentest? It’s not the Matrix, take both pills. appeared first on CQURE Academy.
