Caught on tape: Malware Distribution Techniques

If you haven’t already done so, you should read the Verizon Data Breach Investigations Report that they publish annually. In the 2018 Verizon DBIR, it is chock-full of good reading around the specifics of breaches in 2017 and provides an insight to the Who, How, Why, What, and When. In the report you can read about the internal threat actors down to how malware was distributed. In all, Verizon has dotted all the I’s and crossed all of the T’s and provided you visibility into 53,000 incidents and 2,216 confirmed breaches across all verticals in 2017. Historically I have used these reports to help educate myself and my customers on the threat landscape as well as leverage the information to help justify spend on security related products, tools, or services to help keep the enterprise safe.

While reading the report, the sections regarding malware (ransomware included) stood out to me. Why? Well come on, you would think by 2017 will all of the security tools deployed that malware, even 0-day, wouldn’t be an issue but it still is. On pages 17/18, the report discusses the frequency of malware vectors, or basically how malware is distributed.

Continue reading Caught on tape: Malware Distribution Techniques

Executing Security at Scale

Raise your hand if you’re using any or all of these technologies:

  • NGFW
  • IPS/IDS
  • URL Filter
  • Antivirus
  • DLP
  • Sandbox
  • VPN
  • DDoS Mitigation

Pretty much all of us, right? Now raise your hand if you are decrypting SSL/TLS outbound.

While HTTP/2 doesn’t require SSL/TLS, it will use it by default if it is available. Oh by the way, all modern browsers have supported HTTP/2 since January of 2016. Factor in the efforts of Let’s Encrypt, the adoption of SSL/TLS has skyrocketed in the past few years and will continue to grow. Hell, even this shitty blog is using TLS 🙂 If you aren’t decrypting SSL/TLS you have to ask yourself, what good is my NGFW, IPS, Antivirus, etc if I am completely blind to it? The answer is simple, it isn’t good, in fact it’s terrible. You are bound by the constraints of legacy security, source/destination and ports. It’s like locking a screen door. It will keep the flies out but it won’t stop any real threats.

Continue reading Executing Security at Scale