Helpful Navigation Toolbar

Thursday, November 12, 2015

Updates (and a new feature!) to buatapa


Hello again readers and welcome back! Today we are pleased to announce the release of a new version of buatapa, updating from version 0.0.5 to 0.0.6. The changes are going to be mostly transparent for end users, but it does account for a change in the output of autoruns.csv files generated with the recently release Autoruns 13.5, which has an additional field in the output. The new version of buatapa attempts to identify if the autoruns.csv file was generated by Autoruns 13.5, or if it was generated by Autoruns 13.4 (or earlier). The parsing of the data and need for the VirusTotal API key to do the VirusTotal lookups is exactly the same.


And as a super awesome bonus feature, it also performs queries of ThreatCrowd and returns data if it is found. In order to not have to write an additional timer (the ThreatCrowd API is limited to one query every 10 seconds) I included the ThreatCrowd lookup with the VirusTotal lookup, so for the purposes of buatapa you are required to have the VirusTotal API in order to perform the ThreatCrowd look ups. You can modify the script to not require that if you wish, but if you do that be sure to allot for a 10 second sleep between each query. 


Output results of buatapa 0.0.6


In this particular instance, we have two URLs, one is for the Virus Total results of the hash:


VirusTotal results for the ZeroAccess malware sample

and the other is for the Threat Crowd results of the hash:



ThreatCrowd results for the ZeroAccess malware sample


If it has been noted on ThreatCrowd you can go through the information listed to look for additional information on the malware, including domains and IP addresses, in an effort to help combat/detect other instances of the malware within your environment. Plus, the pictures are really nice!!



buatapa_0_0_7.zip - download here 

MD5: 8c2f9dc33094b3c5635bd0d61dbeb979
SHA-256: c1f67387484d7187a8c40171d0c819d4c520cb8c4f7173fc1bba304400846162
Version 0.0.7
Updated: January 30, 2018





Friday, October 30, 2015

Putting a wrap on October


Hello again readers and welcome back! For us, October consisted of a lot of traveling giving presentations about the Live Response Collection at BSides Raleigh, Anne Arundel Community College, WomenEtc. (Richmond, Virginia), and the Open Source Digital Forensics Conference (OSDFCON). I just posted the presentation that I gave at OSDFCon on slideshare, if you would like to view the slides!


NOTE: I made some slight variations on the presentation at each venue, so if you attended one (or more!) of my talks you will notice that the slides are similar, but may not be exactly what you saw. 


All of the events that I spoke at were great, but I was most impressed with OSDFCon this year. There was an incredible lineup of speakers at the event and the venue and presentation was fantastic (And thanks again goes out to Ali for all of her hard work, mainly behind the scenes, to ensure the event went smoothly!). There were quite a few students and other new entrants into the DFIR community at this years event, which is always great to see. Hopefully that trend continues, as there is not a single person within the DFIR community who has gotten to where they are today without the help, collaboration, and communication of others!


Not to give away any spoilers, but I am working on some exciting updates for the Live Response Collection, primarily on the OSX side, that I hope to have out before the end of the year. I am always looking for anyone who can devote any time or resources for beta testing, so if you want to help please do not hesitate to reach out!


Monday, September 21, 2015

Introducing Windows Live Response Collection modules...and how to write your own!



Hello again readers and welcome back. Today I am very happy to announce the public release of the latest round of updates to the Live Response Collection. This release focuses on the "modules" that I touched briefly on in the last update. The size of the six main scripts themselves has been greatly reduced and almost all of the code now resides in the folder "Scripts\Windows-Modules". This makes maintaining the code easier (since all six scripts share a large majority of the code, it only has to be edited once instead of six times) and allows even greater customization opportunities for end users. 

There are some small changes to the way the LRC handles data, including a built in check to ensure the date stamp does not have weird characters, which was seen on some UK based systems. The script now attempts to decipher that data properly but, in the event that it cannot, it tries to ensure that backslashes are removed from the date field so that way the output of the tools and system calls are stored properly. 



Writing your own module!!


The main focus of this update is demonstrating how easy it is to create your own module. I attempted to make this process as easy as possible, so if you want to write/add modules, you can do so very easily. Since it is written in batch, you can write your own module however you would like, but following this methodology should present the best results and ensure that the script will error out rather than possibly present bad data to you.

The first thing you have to do is choose an executable (or system call) that you would like to add. In this particular case, I decided that the "Wireless NetView" executable from nirsoft would be a good choice for the walk through. The first thing you have to do is to download the zip file from their website. Once that is done, navigate to the folder and unzip the file. Once that is done, you should see a folder like this. 


Contents of the folder "wirelessnetview"

Copy that folder to the "Tools" directory under the Windows Live Response folder. 


wirelessnetview folder under "Tools"

Once that is done, you are ready to begin writing your module!



Initial Steps of Module Creation

This version of the Live Response Collection contains a file in the "Windows-Modules" folder called "Windows-Module-Template.bat". Open that file in your favorite text editing program.


Contents of Windows-Module-Template.bat

Once you have it open, save it as the tool name that you would like to run. In this case, I would open the file "Windows-Module-Template.bat" and save it as "wirelessnetview.bat". 



Saving the template as our new module


Now you can begin to edit the "wirelessnetview.bat" module and add more functionality to the LRC! 


Writing the module



I tried to make it as easy as possible to do substitutions within the template, so really the only things you will have to do are:

1) Have an understanding of what command line arguments you need to give your executable file (or system command), and 
2) Be able to find and replace text within your new batch script

You should not have to change any of the environment and script variables, so I will not cover them in great detail, unless a specific request is made to do so. Here is a full listing of the items that you should replace (Ctrl + H in most cases):

YYYYMMDD - Four digit year, two digit month, and two digit day (19970829, 20150915)

DD - Date you wrote the module, with two digits (03, 11, 24, 31)

Month - Month you wrote the module (July, March, December)

YYYY - Year you wrote the module (2015, 2016, 4545)

[Your Name] - Your name, if you want to put it in there (Brian Moran, Leeroy Jenkins)

[you@emailaddress] - Your email address, if you want to put it in there (tony@starkindustries.com, info@mrrobot.com)

[Twitter name] - Your Twitter name, if you want to put it in there (Captain America, Star Wars)

[@Twitterhandle] - Your Twitter handle, if you want to put it in there (@captainamerica, @starwars)

[MODULENAME] - What you want to call your module. I prefer to use the tool name, so in this case WIRELESSNETVIEW

[Tool path] - This is the path, within the tools folder, of the folder name and the exe. In this case, it would be wirelessnetview\WirelessNetView.exe

[command line arguments] - This is where you have to do some testing of running your tool from the command line before you create the module. In this particular case, I am going to use what is listed on the web page as the command I want to run. The full command is 

WirelessNetView.exe /shtml "f:\temp\wireless.html", so our [command line arguments] in this case would be   /shtml

[Output folder] - The folder that you want to output the data to. Since this is network related, saving it under "NetworkInfo" seems like a good idea.

[Output file name and file extension] - The filename that you want to save the file as. Generally I make this the name of the tool, so I would call this one "Wirelessnetview.html".

[Tool name] - The name of the tool. (Wirelessnetview)

[Executable name] - The name of the executable (WirelessNetView.exe)

[Executable download location, if applicable] - The URL where you downloaded the tool from (in this case, http://www.nirsoft.net/utils/wireless_network_view.html)

And that is it!

**Please note that you can choose between modifying saving output directly, or saving output from the executable/command itself. It is best to refer to the executable or system command when trying to determine "how" you should save the output.**


So when we modify the wirelessnetview.bat file, we replace the following items with their value:

YYYYMMDD - is replaced with 20150917

DD - is replaced with 17

Month - is replaced with September

YYYY - is replaced with 2015

[Your Name] - is replaced with Brian Moran

[you@emailaddress] - is replaced with brian@brimorlabs.com

[Twitter name] - is replaced with BriMor Labs

[@Twitterhandle] - is replaced with @BriMorLabs

[MODULENAME] - is replaced with WIRELESSNETVIEW

[Tool path] - is replaced with wirelessnetview\WirelessNetView.exe

[command line arguments] - is replaced with /shtml

[Output folder] - is replaced with NetworkInfo

[Output file name and file extension] - is replaced with Wirelessnetview.html

[Tool name] - is replaced with Wirelessnetview

[Executable name] - is replaced with WirelessNetView.exe

[Executable download location, if applicable] - is replaced with http://www.nirsoft.net/utils/wireless_network_view.html



Screenshot of our new module, after replacing the text!

Now that our module is written, we have to add the module to whichever batch scripts we would like. I usually like to keep the modules that perform similar functions near each other, so in this case I am going to choose to add it after the PRCVIEWMODULE. The easiest way to do this is simply copy the five lines of text associated with the PRCVIEWMODULE entry, and paste it below it.


Selecting the code associated with PRCVIEWMODULE


Copying the code associated with PRCVIEWMODULE to create a new subroutine for our new module


Once you have it copied, change the line GOTO ....MODULE in the original module to the name of your new module. In this case, we would change it to GOTO WIRELESSNETVIEWMODULE.  Then change the name of the subroutine itself to the name of your module, in this case WIRELESSNETVIEWMODULE. 


Adding WIRELESSNETVIEWMODULE code

Finally, change the name of the batch script that is being called to the name of your newly created script, then save it. That is it, you are all done!


Our module is fully added!

It is best to run your module(s) on a test system before deploying it widely, just to ensure that everything works properly. Also ensure that you add the code for your new module to each of the six batch scripts, if you so desire. 


I hope that this tutorial has been helpful, please do not hesitate to contact me if you have any additional questions or comments as you create your own modules for the Live Response Collection!





LiveResponseCollection-Cedarpelta.zip - download here 

MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019







Wednesday, August 26, 2015

Publicly announcing buatapa!!


Hello again readers and welcome back! Today's blog post is going to cover a small script that I developed called "buatapa". This was meant to be released several months ago, but steady case work has kept me busy. I finally carved out some development time to finish up this blog post and push it out publicly at long last!


buatapa

According to the magic of Google Translate, "bua tapa" is the Irish Gaelic translation of the phrase "quick win". 



The phrase "quick win" translated to Irish Gaelic, thanks to Google Translate!


I decided to call my (GASP!) first publicly released Python script "buatapa" for a couple of reasons, with the main reasons being that it is very heavily based off of Brian Baskin's noriben personal malware sandbox, so I wanted to have a cool name for it as well. The results of this script have the potential to indeed give you a "quick win" with trying to find malware on a Windows system.


What buatapa does

The purpose of this script is to collect the data and then run the script against the collected data from a second machine (rather than performing the VirusTotal queries from the suspected compromised system itself) in case there is no network connectivity on the suspected compromised system (like a secured environment, POS environment, etc.) It simply works by parsing the results of autoruns.csv that is generated by Sysinternals autoruns on a Windows system. The script finds Unicode characters, anything that resembles a poweliks Registry entry, and anything that does not have a signed certificate. It then attempts to perform a VirusTotal hash lookup for any files with abnormal characters and unsigned entries and returns the results in an easy to read text file. 



How to set up buatapa

The first thing that is required to get the fullest functionality is to get a VirusTotal API. You can get your public API by heading over to VirusTotal and signing up for an account, if you do not already have one. 

Once you have your account, login to VirusTotal and choose the option under your username of "My API key"



"My API key" option on VirusTotal

When you choose that option, you will be presented with a page like this, which contains your API key. 


Page with your API key, settings, and rate limits

Note that the public API has rate limit queries, which are built into the script automatically (rather than running four in a minute and then waiting for 60 seconds; I chose to do one query every 15 seconds. You can of course modify the script to change the sleep time and query rate if you would like).

Highlight your API key and input it into the script. (It is the exact same code as Noriben, so if you are familiar with that, you should be familiar with this.)


Copy the API key to here (or here) in the script (buatapa and/or noriben)

It is very important to also install the "requests" Python library to your Python distribution if you have not already. I once again defer to Brian Baskin's Python experience (which admittedly dwarfs my own) as he stated:

"Without Requests it cannot do VirusTotal queries. That's the only internet-based functionality. So you have to install requests ("pip install requests")...Requests is the HTTP library that I use. The built-in Python libs are horrible."

So, make sure that you type in run the command 'pip install requests' from a command prompt before you run buatapa or noriben, in order to get the internet functionality that is needed to run the scripts!!


Type in 'pip install requests' from a command prompt to install Requests


Running buatapa


You will have to have Python either natively installed on your system or be running something like Active State Python in order to run buatapa. In order to run buatapa, simply open a command prompt and give the path of where the buatapa script resides. The script will automatically create the output text file in the directory the script was run from, so make sure you have read/write permissions to that directory. For example, don't run it from C:\Windows\System32 unless you open the command prompt with Administrative privileges. You must give the script the "-c" argument to open the autoruns.csv file. 


The results from running buatapa (NOTE: The script is name "personal_buatapa.py" because it has my API key in it)

You do not have to use the Live Response Collection to create the autoruns.csv file (although I did include the output in the latest update, to make life easier for you if you do), however you do indeed have to have the output of autoruns saved as a csv for buatapa to process the file. The text output of autoruns, while easier for human reading, is more difficult to parse and correlate than the csv version.


Results from buatapa

The results are saved as a text file, named "$DATE_$TIME_buatapa_output.txt" (for example 20150825_181703_buatapa_output.txt), with all of the information that autoruns collects about the suspected entry presented in an easy to read text format. If a VirusTotal hit is found, the scan date, detection ration, and VirusTotal report URL will be presented at the very top of the entry. 


Screenshot of a snippet of the buatapa output


buatapa (by default) only looks at unsigned entries, but it also attempts to identify abnormal Unicode characters (anything that is not Windows CP-1252) as well as trying to look for entries that are similar to poweliks. You can change the defaults by giving the script different arguments, which can be seen the -h or --help flag.


buatapa usage



buatapa is by no means meant to replace in-depth analysis; it is meant to provide a faster and easier way to identify potentially compromised systems. buatapa will likely not be able to identify incredibly well-hidden rootkits, digitally-signed malware or never seen before malware, as it is not meant to do that. It is meant to rapidly provide an easy to read list of files that have been identified by VirusTotal as likely being malware that is set to automatically run in an area recognized by autoruns. It will provide you a "quick-win" in identifying the "low hanging fruit" malware. 


As I have said many times in the past (and will continue to say many times in the future) the malware will only be as sophisticated as it needs to be in order to gain access to the data your adversaries are after. If a piece of malware originally written four years ago can steal every credit card transaction in your environment, the adversary will use it. They will not use their "next generation Cloud 2.0 automatic exfiltration memory-only kernel-level rootkit" malware in the event that it might actually get discovered in an environment where very basic malware would suffice. Remember the third party vendor used by Goodwill to process payments last year? The malware that was allegedly used in that compromise displayed every single transaction in a command prompt window and had no method of persistence. If the window had simply been closed by ANY individual, even by accident, or if the system was rebooted, the compromise would have stopped. Hardly "advanced" or "sophisticated", but the malware allegedly ran for 18 months and resulted in 868,000 compromised credit cards.





buatapa_0_0_7.zip - download here 

MD5: 8c2f9dc33094b3c5635bd0d61dbeb979
SHA-256: c1f67387484d7187a8c40171d0c819d4c520cb8c4f7173fc1bba304400846162
Version 0.0.7
Updated: January 30, 2018


If you encounter any bugs or any have suggestions or feedback on the tool, please do not hesitate to let me know!






Thursday, August 20, 2015

...at long last, updates to the Live Response Collection!!



Hello again readers! I am happy to announce, after many long months in development (and due to a pretty busy six months, about six months later than I had originally planned) an updated version of the Live Response Collection is available!


The first item that you will probably note is the Windows folder looks very different. I wanted to provide a cleaner look for users, so when you run the LRC against a system it is easier to find the output folder. By having four main folders, instead of about 35, the results will be much easier to see. I moved all of the "tools" into the folder cleverly named "Tools", and all of the scripts into the similarly cleverly named folder "Scripts". While this does not change the function of the tools, it does slightly change file paths leveraged by the old scripts, so you will have to update any custom changes that you made for your environment.


New Windows folder structure



Within the "Scripts" folder I also began the process of what I am calling "Modules", which I started for several reasons. Since all six scripts share a lot of code and functionality, I wanted to reduce the overall size of each file by leveraging code that they share. It makes the maintenance and updates for the LRC easier. It also allows easier user customization, because instead of trying to figure out which large section of code they want to use (or not to use) you can just choose to skip a module completely if you don't want it by replacing the name within the code itself. I plan on writing a future post in the future detailing just how easy it is to write a customized module, complete with a breakout of the variables that the script(s) rely on, so users can add functionality and features easier than ever (<hint hint> and hopefully you share them for inclusion into a future LRC release!)


The beginnings of LRC "modules". There will be more!

As I stated, the overall functions of the LRC did not change terribly much, some Startup folder hashing was added as well as also saving autoruns output to csv, which will be touched on in my next blog post. The next post will also be the public release of a tool that is also several months in the making, but also several months later than I had originally anticipated to release it. 




LiveResponseCollection-Cedarpelta.zip - download here 

MD5: 7bc32091c1e7d773162fbdc9455f6432
SHA256: 2c32984adf2b5b584761f61bd58b61dfc0c62b27b117be40617fa260596d9c63
Updated: September 5, 2019







Tuesday, July 14, 2015

Gardening, cyber security, and YOU!


Hello again readers! We spent the first week of July on vacation in North Carolina and then I spent a few days last week at the SANS DFIR Summit in Austin. I was going to write a small recap of the DFIR Summit but I think Matt Bromiley summed it all up pretty well in his post and I don't have much more to add, other than my favorite part of the DFIR Summit is actually seeing friends and colleagues in person and of course the sheer amount of networking opportunities. I personally would like to see more time allotted for networking, but there are so many quality presenters that it would be a shame to have fewer presentations.


This blog post is going to cover some additional thoughts that I had on the impromptu Incident Response panel on which I participated, led by Brian Carrier, and also included Frank McClain and Rob Wallace. One of the comments that I made regarding expensive cyber security tools was akin to "you can buy a screwdriver, but you cannot set it on a table and have it magically build you a house". Likewise, it doesn't matter how effectively written or well-thought out a tool is, at the end of the day, it is simply a tool. The functionality and quality of information (or work) that is produced by that tool is entirely dependent on the human that uses it. I could buy the most expensive, top-of-the-line, hammers, screwdrivers, saws, levels, shims (also a type of cache), nails, screws, and so on, but at the end of the day I do not have the skills needed to build a house. In fact, building Lego sets is about the extent of my construction capabilities. 


Unfortunately a lot of vendors market their tool(s) as an "end-all-be-all solution". A lot of decision makers for businesses see this and decide to buy the latest and greatest tool but do not make any investment into the needed individuals to really harness the power of the tool. (My Cyber-Business-Guru/friend, Jack, would note that the mistake is assuming that the tool is a cost-savings over hiring expensive personnel.  You Must Have Both!A good parallel with this can be made regarding our garden and our time away from home over the past few weeks; as you often come back to a garden that is completely unrecognizable from the one that you initially had.


Imagine that a vendor salesperson comes in and pitches the "EXTREME Cyber Security Protector 3000XL" as being able to "stop threats before they happen, in real-time, allowing instantaneous cyber security protection....(and a few other random buzzwords...synergy...end-to-end solution, cost savings, win-win, force multiplier...)". Of course the salesperson makes a great presentation (otherwise they would not be in sales long) and management decides to buy it.






Sure, initially the tool may work fine, but these tools are never meant to be a "set it and forget it" solution. The same can be said about our garden. We kept up on doing regular maintenance, watering, and weeding our garden up until we went on vacation, so it looked similar to this despite our "purchase"* of the most expensive wheelbarrow that I could find:



Newly planted garden. Retrieved July 13, 2015 from http://www.livecreativelyinspired.com/wp-content/uploads/2014/07/marigolds-newly-planted-in-the-vegetable-garden.jpg


So far, so good, right? Well, we got quite a bit of rain it rained Miracle Grow for weeds while we were gone, and upon returning home we got even more rain on a regular basis. Due to all of the precipitation, we did not have an opportunity until this past weekend to perform the needed upkeep to get rid of the weeds and ensure we have a nice garden with the flowers and shrubs that we want, not milkweed, $#&%*! kudzu, and other weeds that we do not want. 



But ... we bought an expensive wheelbarrow. How did this happen??  Retrieved July 13, 2015 from http://www.waldeneffect.org/20100716garden2.jpg

I think that this is a perfect parallel; as we have to perform regular maintenance on the garden to ensure that we have the plants that we want (ie our network, our data,) or else we end up with something that is overrun with weeds and out of control (malware, toolbars, scareware). Having a good team of individuals helping ensure your "garden" (network and devices) is secure, regardless of the tool(s) that is used is much more rewarding in the long run than spending large amounts of money on tools that just sit there and are rendered ineffective in a short period of time. In the end, it isn't about buying the fully automated, ridiculously expensive wheelbarrow, it is about the humans who filled it with the all of the unwanted items that were running rampant in our garden




Now where do you want this malware (weeds)?  Retrieved July 13, 2015 from http://www.summerhouseart.com/blog/wp-content/uploads/2010/03/weed-wagon.jpg

*FULL DISCLAIMER: We did not really purchase the battery powered wheelbarrow and the photos above are not of our garden or our wheelbarrow. 





Tuesday, June 16, 2015

How to Have that Awkward Conversation




Hello again readers!! Today's post is the first (but most certainly not the last) "guest post" in which friends and colleagues can share their experiences and insights and give alternate perspectives on digital forensics, incident response, and information security. 

Today's post is authored by my friend "Jack" who has much more experience (and an MBA) on the "business" side of forensics and incident response than I ever will (and let's be honest, I also will never have an MBA). "Jack" may or may not also be in the Witness Protection Program, but the OPM data breach might change that.....

(PS: Apparently cat memes are the number one attraction to blog posts, according to 87 out of 100 business professionals. The other 13 were no doubt scouring the internet for other pictures of cats.)





How to Have that Awkward Conversation

By: "Jack"


NO, not the “It’s not you; it’s me!” one.  The one where you tell your employees (or clients!) that you’ve been hacked, their information is who-knows-where, and oh by the way, you’ve got no idea how the bad guys even got in.  You know. THAT one.  

I’m not going to sugarcoat this.  It’s going to be painful.  It’s going to be embarrassing.  But just like adults always tell kids, it is better to hear it directly from you.   If the news media or banking institutions are notifying victims instead… oh boy; it’s a public relations nightmare.  

First rule of Data Breach Club: Talk first and say it loud.  No one likes being indoctrinated into Data Breach Club, but I’ll let you in on a little secret:  It’s not an exclusive membership.  You’re either in the club, or you don’t know you’re already in the club.    



    

If you are upfront and honest, chances are better that you might maintain the relationships your organization has with its employees, partners, and clients.  Further, you may not have a choice about public disclosure, or private disclosure, depending on contracts you have with clients.  Depending on the laws where you operate, you may be obligated to provide full disclosure within a certain time period.  Most state breach notification laws don’t specify what your notification should include; however there are some minimum guidelines which we attempt to cover in our samples below.   

In the State of Maryland for example, the Attorney General’s website says the following about data breach notifications:


Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e. for identity theft. If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers. 
In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following the investigation. A business may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected individuals or restore the integrity of the system. Notice to affected consumer must be given in writing and sent to the most recent address of the individual, or by telephone to the most recent phone number. Notice may be sent via e-mail if an individual has already consented to receive electronic notice or the business primarily conducts its business via the Internet. The law also contains a provision for substitute notice, allowing a business to provide notice of a security breach by e-mail, posting on its website and notice to statewide media if the cost of notice would exceed $100,000 or the number of consumers to be notified exceeds 175,000 individuals.  (https://www.oag.state.md.us/idtheft/businessGL.htm)

Searching online for “data breach disclosure laws AND [your location]” should net you some relevant results.  When in doubt, call a lawyer that specializes in data breaches.  If the Google can’t find one, your local Bar Association should be able to assist you.  






So how do you begin that notification email?  Your letter should contain some version of the following:
[ ] denote areas where you should fill in the blank


Part I—Introduce the Problem and Accept Responsibility:  You need to be upfront and honest; if you have a lawyer advising differently, find a new lawyer (Preferably one you suspect has a secret identity and fights crime at night using heightened senses resultant from a hazardous chemical spill; but I suppose if you can’t find one, any ethical data breach lawyer will do.)  If you don’t know something, say so.  Trying to hide the fact that you don’t know something just makes you look like you are hiding something, which is usually assumed to be more sinister.  Also, please don’t place blame on nation-states for a mess of your own creation; you’ll end up looking ridiculous and becoming the Poster Child of “What NOT to do”.        

“We are contacting you because on [insert discovery date] we discovered a serious cyber-security incident that occurred between [Start Date] and [End Date] that involved a breach of your [personal information, such as medical records, credit card numbers, passwords, etc…].  At this time we do not believe that [other personal information] was accessed.  We know you have trusted us with your information and we take that trust seriously. We take full responsibility for this incident and we will work tirelessly to resolve it quickly and completely.”

And if you delayed in sending notifications to victims, say why:

“In accordance with applicable laws, we delayed notification of affected parties by 30 days, due to an official request by law enforcement.”


Part II—Here’s What Is Happening Now:  This is where you tell them what you are doing do fix this problem.  (Not diverting attention, not doing just enough to get regulators off your back, not putting on a show to restore stock prices, not doing the minimum for regulatory compliance or limiting your liability.  Actually fixing the problem.  Let me say it again for dramatic effect:  Actually.Fixing.The.Problem.)  





You’ll want to (or be required to) at least cover what you did to stop the attackers, what you are doing to clean-up the breach, and what changes you will make in the future.  Your notification should say some version of the following, pick and choose based on your circumstances:  

“Upon discovery we immediately blocked the offending IPs and shut down all out-bound traffic.  We have begun the process of finding compromised machines.”

“We brought in cyber-security experts to investigate and fix this problem entirely and to ensure that we are more secure in the future.”  

“We advised the credit reporting bureaus and banks of this incident. We are offering a free credit report to every affected party, and here’s how to do that. [Instructions here.]”  

“We are cooperating fully with law enforcement and an investigation is on-going.  There will be full participation and transparency during the investigation.  Employees will be contacted in person if their assistance is required.  Do not provide any personal information, account numbers or passwords to any unverified person via email or on the phone, now or ever.”

“We are currently dedicating money to invest in our IT infrastructure, our security personnel, and monitoring tools so that attacks in the future are thwarted.”


Part III—Here’s What the User Has to Do:  This is where you tell your employees, clients, customers, and/or Partners what they need to do.  You must be exceedingly firm about password changes and policy enforcement while at the same time making this VERY easy for them.  It’s a huge component of rebuilding trust and being transparent throughout the process.  You’ll want to take note of the inclusion of an attachment, which should detail cyber-security best practices that they can use at work or at home.      

“You will be required to choose a new password before you can log into your account.  Everyone must do this, from the newest employee to the CEO of the company—even every member of the IT team to include admin accounts.  It may NOT be the same password as last time.  Your password will be required to have upper and lower case letters, a number, and a symbol.  You cannot use dictionary words.  It must also be at least 8 characters in length.  We apologize for the inconvenience, but this is a very important part of information security.  It removes the attacker’s access to our network.  Thoroughness of this step is paramount. 




“You may wish to place a fraud alert or freeze on your credit report, which you can do by contacting the three major credit reporting bureaus, Equifax, Experian, and TransUnion [insert contact info here].  Be aware that you will not be able to borrow money or open a new credit card until you lift the freeze.”

“If your bank has not contacted you about replacing your cards, you may wish to proactively call them and ask for a replacement card.”

“We recommend following industry standards and best practices when it comes to cyber security.  The attached document details steps you can take to better protect yourself from online threats, both professionally and personally.  There is even a section included that focuses on online safety for kids and teens.”  



Part IV—We are Here to Help You:  This is where you point people to your public relations team, who in turn can run point between the employees/clients/partners and the legal team, technical team, management team, etc…  






What?  You don’t have a public relations team/person?  Didn’t anyone tell you that this is a key part of a data breach incident? This is one of those indirect costs of data breaches that no one ever considers during the risk management process.  Yes, it will cost money; you didn’t think data breaches were cheap did you?  Please note the inclusion of a toll-free number and the promise of regular updates.  We define “regular” as at least every two weeks.    

“If you have any questions or concerns, you may contact our offices at: [1-800-555-5555] or email us at [company@ourcompany.com].  Our website: [www.ourcompany.com] will be updated with the latest information as our investigation continues.”

“Again, we apologize for this incident and any inconvenience this causes.  We value your trust and we are committing all resources to resolving this incident quickly and completely, so we can get back to [insert mission statement or “what you do” here].

Sincerely,
[Highest ranking person in your company]


No, I’m not kidding.  Your lawyer should not sign this for you.  Nor should your 3rd party data breach management company.  Not your PR firm, not the head of IT, and definitely not something cutesy like your mascot (even if your mascot is one of the cats in this blog post).  And for crying out loud, I don’t care how big and high profile you are, don’t have the President of the United States address the nation for you either.   

Before you send out this letter, run it by your public relations team/person, your general counsel/lawyer, your data breach response team, and your CEO, who as we discussed above will be signing the letter.    









Friday, June 5, 2015

Post OPM Breach...let the phishing begin!!




Hello again readers! As you may already know, last evening the Office of Personnel Management (OPM) admitted they sustained a data breach where they "lost 4 million records". In reality the number is probably much higher than that and the attack probably did not actually possess a "never before seen level of sophistication" or use a "previously unknown zero day attack" or any of the other "it is not our fault" mumbo jumbo that is usually seen after a data breach is admitted publicly. 


However, this blog post is not going to cover any of that, instead it is going to focus on two phishing emails I received last night that were possibly related to my own information being compromised in the breach, as my personal information is held by OPM as I was in the DoD (as a member of the US Air Force) and still currently hold a security clearance. (NOTE: I have not been notified that any of my information was compromised, and it could be completely unrelated. But...I mean....come on)



The phishing starts....

Last night I received two phishing emails that were related to "my Navy Federal Credit Union account". This is interesting because although I have indeed served in the military, I do not have any accounts with Navy Federal Credit Union at all. 


Two emails received from "Navy Federal"


The first email was received at 19:05:07 and the second was received at 19:53:17, so in less than an hour I had two phishing attempts. Once again, I cannot definitively say that it is related to the OPM breach, but the timing is suspect, to say the least.



Email 1: Your Account Statements is Now Avaliable

This was the first email that I received, with typical spelling errors and grammatical mistakes. As I have stated many times in the past, a "sophisticated" phishing email is one with no misspelled words or grammatical errors. This is clearly NOT in the sophisticated category. The link redirects to the domain "http://rudivervoort[.]be/SP/", which clearly does not seem to be legitimate for the Navy Federal Credit Union website. The email address is listed as "navyfederal@usmc.com", which is also NOT the domain of Navy Federal Credit Union. UPDATE: The url in the email is now listed on virustotal as well!



Original email

Email with some grammar and spelling issues highlighted

Email header information

VirusTotal results from link in email





Email 2: Account Review Notice!

This email was sent later and is crafted a little bit better than the first. There are no spelling errors, although there are quite a few grammatical errors. Analysis of the email header shows it "originated" in the same Canadian IP addresses as the first phishing email, which may suggest they were related. The redirect link is a shortened URL, which should not happen in a legitimate email from your banking institution. In fact, the URL is shown on VirusTotal as malicious (already!). The email address this time around is listed as "Nfcu_navyfederal@net2.com". The first email address, in my opinion, was better.


Original email



Grammar highlighted

Email header information

VirusTotal results on link in email



Regardless of whether these emails are actually related to the OPM breach or not, it does highlight the importance of taking some safety precautions to avoid falling for phishing emails: 


  • Always ensure you read an email thoroughly. Look out for spelling and grammar issues; if it seems strange, it probably is
  • Hover over links before clicking on them
  • Better yet, do not click on ANY link from your bank, credit card company, shipping company, etc. Log into the website of your service provider directly if you get an "important message" from them



A very timely Dilbert comic strip. Retrieved June 5, 2015 from http://dilbert.com/strip/2005-08-12