hamburger

BitDam Blog

Rakesh Narasimhan Joins BitDam to head its North American Operations
Rotem Shemesh
Rotem Shemesh
1 minute & 30 seconds read · July 1, 2019

Rakesh Narasimhan Joins BitDam to head its North American Operations

We’re excited to announce that Rakesh Narasimhan has joined BitDam to expand the business presence of BitDam in North America and drive its growth.

Rakesh brings more than 25 years of executive experience in high-growth technology industries, building, operating, and scaling multiple USD Billion businesses. His vast experience includes a range of senior executive roles at Microsoft Corporation, Oracle Corporation and Citrix Systems. Most recently, Rakesh has been scaling businesses at startups in the Software and Space sectors.

From our CEO and Co-founder, Liron Barak:

“We are excited to have Rakesh join us during this critical stage of growth for BitDam. We see an increasing need in customers seeking advanced cybersecurity solutions to protect their communication and collaboration platforms such as email, cloud storage and messaging systems. Rakesh’s vast experience in delivering customer value will come in handy as we help enterprises protect themselves from content-borne threats and hence scale business growth for BitDam.

From Rakesh:

“In an increasingly connected world, organizations show no signs of slowing down their adoption of communication and collaboration solutions at work. Unfortunately, the bad guys are also increasing their attacks with sophistication, magnitude and evasiveness. Despite the heavy investment in top-notch cybersecurity solutions till date, organizations are NO better at meeting the serious challenges of protecting themselves from new, unknown cyber threats. A new approach is necessary to address the detection of and protection from content-borne malware. One that is unconventional in its technological approach to address forward-looking threats, rather than backward-looking security posture. BitDam, at its core, is about implementing this unconventional approach, and one that I believe will impact the cyber landscape in a big way. That is what convinced me to get involved with BitDam”.

Indeed, exciting times here at BitDam. Stay tuned for more updates.

You may follow Rakesh on Twitter: @rakeshnarasimha

Read more
Introducing BitDam’s Breach & Attack Simulation (BAS)
Alex Livshiz
Alex Livshiz
3 minutes & 45 seconds read · June 25, 2019

Introducing BitDam’s Breach & Attack Simulation (BAS)

At BitDam, we always try to provide our customers with the most comprehensive solutions to cope with cyber threats. As such, we perceive it important to not only provide them with protection against the most sophisticated attacks, but also help organizations assess their existing security gaps and act accordingly. This is why we introduced the BitDam penetration testing tool a while back. This PenTest tool got TONS of positive feedback, so we decided to go bigger, and are happy to introduce BitDam’s Breach and Attack Simulation(BAS).

Breach and Attack Simulation vs. Penetration Testing

Until recently, the common practice when an organization wanted to test its security, was to pen test its various defenses. This process is usually done manually by repeating the following cycle:

–  Search for an attack vector (e.g. file attachments in emails).

–  Find an exploit for attacking (e.g. an exploit for code execution in a PDF, running a malicious macro in an Office file etc.).

–  Provide an “attack POC” that bypasses the defense (e.g. sending an email with a malicious macro that bypasses the email security scan, while the file can’t really make any harm).

Although this is a very useful tool, it has some serious drawbacks:

– The process is mostly manual, meaning it’s costly and not scalable.

– No automated “executive summary” showing the current security’s weaknesses and strengths. This is crucial in order to understand which defenses need more attention or require upgrading. This is done manually, and again, makes the process expensive and inefficient.

– Requires heavy investment in R&D red teams (internal or outsourced) that focuses solely on pen testing the organization’s defenses.

This is where Breach and Attack Simulation comes in.

Breach and attack simulation (BAS) is a technology that simulates cyberattacks in order to test a network’s cyber defenses. It enables organizations to assess security effectiveness by simulating hacker breach methods to ensure security controls are working as expected. BAS technologies are fully automated enabling organizations to assess security continuously in real production environments, eliminates guesswork, incorporates business risk context, and provides actionable results.

BitDam’s Breach & Attack Simulation

BitDam’s E-mail-Centric Breach & Attack Simulation is offered as a free service allowing organizations to assess how vulnerable they are to email cyberattacks. Getting access to BitDam’s dashboard, users gain visibility into the Breach & Attack Simulation results within a few minutes from signing in. Through the dashboard, they can see their current level of email protection, the types of cyberattacks to which they are vulnerable and the type of threats that they are protected from.

What makes BitDam Breach & Attack Simulation a good email security assessment tool?

– As some of you may know, BitDam’s Advanced Threat Protection solution shows one of the highest detection rates in the industry (I can write a whole other post about the reasons for that…). Maybe the most important thing about BitDam’s solution is the fact that it identifies the most sophisticated and camouflaged attacks that bypass most other security solutions. These are the attacks that we include in our Breach & Attack Simulation. In other words – the quality of the attacks is what matters and you can be assured that BitDam Breach & Attack Simulation includes the most sophisticated, high quality attacks that are out there, and the ones that might show up next.

– More about quality? Many of our researchers used to work in the offensive side of the cyber world. And they used to be good at that. Some of the “attacks” in our Breach & Attack Simulation are developed by these experts.

– And hey, it’s not just what we develop in-house and what we see at our customer-base, we also make sure to be updated on new cyber techniques, trends and attacks that are out there on a daily basis, as active players in the global cyber community.

 

All that allows us to build a powerful database of files and attacks to use in our Breach & Attack Simulation solution.

How to use it?

Our Email-Centric Breach & Attack Simulation platform allows an organization to test its current email security defense with a click of a button and identify attack vectors that bypass current defenses and puts them in risk:


It takes just a few minutes to set up, requires no IT overhead, and hey – it’s free!

Try it yourselves here and evaluate your current email security gaps within less than 15 minutes.

Read more
Rotem Shemesh
Rotem Shemesh
2 minutes & 45 seconds read · June 17, 2019

The Hacker Mindset Exposed

Jack likes to call himself a “ransomware activist”, but, in reality, he is a seasoned hacker. So seasoned, in fact, that he knows all the tricks of the trade and has tried many of them himself. That’s how he got to ransomware for fun and profit.

Jack doesn’t think like you and I. He actually believes that breaking into your computer and encrypting your files until you pay a ransom is ethical as long as he allows you to get your files back—after he makes off with the bitcoins, of course. In the real world, Jack would be considered a thief, tracked down by the police, arrested, tried and put away for years. But in our crypto-cyber environment, there isn’t an effective digital police force. The guardians of the law can seldom locate the criminal, let alone punish him for his evil deeds.

Not only does Jack think differently about ethics, but he and tens of thousands of his cohorts have created a highly developed, out-of-sight social network – sort of like the Pirates of Penzance but without the songs.

Jack and his friends hail from all over the world, wherever there is an Internet connection. They actually have their own Internet called “the Dark Web” and frequently visit it to trade stories, techniques and code snippets. They are as knowledgeable about cyber exploits and defense methods as Symantec, Check Point and Palo Alto Networks put together. The best among them more so. They innovate faster than you can say, “Who moved my healthcare data?”.

Across their social networks, hackers not only share knowledge but millions of valid email addresses too, accumulated through their many successful exploits. These absconded email addresses are traded over an exchange to be used again and again. Have you ever received an email from someone you know and were directed to click on a bizarre attachment? Your friend didn’t send you that email. It was one of Jack’s colleagues trying to trick you.

Some of Jack’s hacker-friends like to get physical. They walk around a company parking lot handing out memory sticks. Did you ever get a free one with some cool software? Oops! That might have been a prelude to another cyberattack.

To understand the motivations of these cyber assailants, you need to get into their heads and learn how they think. How do they strategize and implement their plans? We’ve done the research and we’re going to share it with you.

In our latest eBook, How Hackers Plan Their Attacks, we look at the psychological roots of hackers and explain how they go about their sinister business in five stages:

  1. Planning
  2. Dropper
  3. Payload
  4. C2
  5. Execution

In each of the stages, we get into the head of the hacker and describe his thinking process along with the various choices he faces and the considerations that bring him to his ultimate attack vector. You will learn all about the hacker’s goals, what he thinks of your cyber defenses and how he uses the Dark Web and other sources to break into your endpoints and networks. You might be shocked to find out how refined the professional hacker’s methodology is and how vulnerable your endpoints still are.

Have a look at our eBook to have a peek inside the fascinating world of hacking from the hacker’s perspective.

Read more
New OLE Office Attack Vector
Alex Livshiz
Alex Livshiz
3 minutes & 46 seconds read · June 5, 2019

New OLE Office Attack Vector

We’ve recently encountered and caught an interesting file sent to one of our customers. In this post, I’ll walk you through this attack and what makes it so interesting. The file I’m going to review(SHA-256 “2a85f00afee44b4aced32f4222fc516d3a1dae856411dfdeafa5c09e44162ea5“) had only four detections on VirusTotal (VT) when caught by our engine, as you can see on VT’s new slick GUI:

Moreover, it appears that some of the signatures are quite generic:

Short History

This file uses a feature that was first introduced when CVE-2017-11882 became popular and was exploited in the wild quite frequently. In CVE-2017-11882, attackers used an embedded OLE object that would auto-open Microsoft’s equation editor, exploit a vulnerability in it, and allow remote code execution (RCE). Running the OLE automatically was done using an embedded object with an objupdate feature. A while after that, Microsoft patched the equation editor and published a general recommendation for organizations to disable the equation editor from running.

OLE Walk-through

OLE can be used for either creating objects or containers. They are implemented over Microsoft’s COM (Component Object Model) infrastructure, which provides an interface for exporting functionality and inter-process communication. COM is an integral part of the Windows OS, and this can be used for attackers’ advantage.

Although CVE-2017-11882 was patched, the feature of objupdate remained as is. In the file that we’ve encountered, there’s an inner OLE object with the objupdate feature, but this time – it opens an Excel document that is embedded into the object:

In this image you can see:

  • – The start of the OLE object data (the object keyword)
  • – The objupdatefeature, which causes this OLE object to run when Word opens
  • – The class of the object – sheet.8 (this is padded using spaces and dots)

 

When Office’s Word opens the .rtf file, it loads the OLE object automatically and sends it to a DCOM (Distributed COM) server to handle the loading of the object, as you can see by the following stack trace:

At the bottom, the OLE object runs automatically, and in turn, calls combase’s SendReceive function to communicate with the DCOM server.

What is a DCOM server? It’s a svchost.exe process that’s launched at Windows start-up and is responsible for DCOM communication. It starts with the command line:

C:\Windows\system32\svchost.exe -k DcomLaunch

 

The svchost.exe handles the OLE request, and opens Excel.exe as it’s sub-process. This makes it harder to detect the behavior dynamically:

When the Excel is opened, it auto-runs macros for infecting the machine.

Now that we understand OLE and how it was used in the file, let’s recap all the steps:

  1. A malicious .rtfis sent to an organization.
  2. Upon opening the file, the objupdate feature is utilized to load the inner OLE object automatically.
  3. The OLE loading is done by the svchost.exe process, that in turn opens Excel as a sub-process.
  4. The Excel file auto-runs a malicious macro

The Malicious Macro

Let’s have a look at the macro:

The Workbook_Open function mentioned above runs automatically as Excel starts. You can also see that the macro is very obfuscated. The function uses a switch-case (or select-case in VB) on the parameter defined with value 19. By debugging the macro, we find the relevant case:

The called function is a very obfuscated one:

This function opens powershell, which I caught by using Procmon:

Once the powershell is being ran, the attacker gains full control by achieving persistency on the machine and running the malicious code.

Conclusions and Mitigations

In this blog post we dived into a new OLE attack which is getting more and more popular. We’ve already seen this attack at several customer environments, and expect it to become even more common. Another interesting thing to note is that its positive detections on VT jumped from 4 to 23 in less than 24 hours. While it’s nice to know that security solutions are being updated within hours, it’s important to remember that the first few hours during which a malware is released are critical.

What should you do to be more protected?

  • – Make sure that macros are disabled in your organization by policy.
  • – Don’t open files that you receive via Email if they look suspicious
  • – Make sure that you use an attack-agnostic Advanced Threat Protection solution that detects malware from first sight.

 

To check how protected you are right now, try our Breach & Attack Test.

 

Read more
While the Cat’s Away, the Cyber Mice Will Play
Liron Barak
Liron Barak
5 minutes & 54 seconds read · May 22, 2019

While the Cat’s Away, the Cyber Mice Will Play

The mice don’t ever give up on the cat-and-mouse cybersecurity game and there is no reason why cybersecurity personnel should continue to play it. The mice—in this case, cyber attackers—have most of the advantages. They are relentless. They have numbers. They are mostly invisible. They can attack when and as often as they want. Stealthily, the mice can alter their attack ever so slightly to test and then defeat the latest security mechanisms of the cat. If one try fails, the mice can make another attempt at their leisure. Cats, on the other hand, can hardly put up a permanent defense against the numerous mice-assailants. The best they can do is catch one here and chase one there. But the mice are always back for more.

The cat-and-mouse game reflects the reality of hackers and cybersecurity. The company network is an attractive target that invites the next attack. Hacker mice can show up at their discretion with any new trick while the best the cat can do is to ward off the attack. Even capturing a mouse from time to time hardly puts an end to the game—there are always more mice and more attacks.

We want the cats to win!

A long history of misery

Mice have been invading our homes for a long, long time just as hackers have been invading our endpoints and networks. Hackers have been sending CISOs and security analysts into a panic ever since the first successful cyberattack decades ago when a researcher realized that it was possible for a computer program to move across a network, leaving a small trail as it went. The very first worm, called “Creeper“, transited terminals on the ARPANET (the pre-cursor of the Internet), leaving behind the clever message: “I’M THE CREEPER: CATCH ME IF YOU CAN.”

Almost from the very beginning of cyber history, email has been the main medium for delivery of malicious payloads. In fact, the very person who invented email liked this idea of malware and made the Creeper program self-replicating—the first computer worm. He subsequently created another program, Reaper, the first antivirus software that would chase Creeper and delete it.

Thus began the first cat-and-mouse cybersecurity contest and we haven’t taken a break until now.

Relentless Search for the Next Target

The cybersecurity cat-and-mouse game consists of hacker mice from all over the world continuously inventing new methods and sharing knowledge vs. defender cats devising effective resistance only after significant damage has occurred somewhere in somebody’s cyberspace. Then, the hacker mice tweak their latest method and cause the defender cats to scramble in another futile chase. And on and on. It never ends.

Here is a brief history of cyber cat-and-mouse wars:

  • Static (or Payload-based) Signatures. The hacker attacks with a malicious file. Upon encountering and deciphering this malicious file, the security solution creates a static signature—a binary sequence unique to the malicious file—to identify this file. The security team rapidly shares the signature with their colleagues to enable them to identify this hack attack. Another hacker tries again with a different malicious file with its unique signature. The security team counters by adding the new signature to their security database. As the number of such malicious files increases, so does the signature database, now known as malware blacklists. Hackers keep altering their malware files to change their signatures and escape detection, and the defenders have to find the altered files, add the new signatures to the blacklist and quickly distribute them. This happens thousands of times each and every day.
  • Heuristic Signatures. To try to be more proactive, the defenders attempt to implement heuristic signatures—essentially applying signatures not on malware files but on malware behavior. For example, upon initialization, viruses might run a check for the presence of any running anti-virus (AV) processes. An advanced AV will notice this check and take action to defeat the virus. But it won’t take long for the attackers to try a new trick—they change the virus’s behavior by altering its AV check from looking for the presence of running AV processes to looking for the presence of AV files. The defenders have to respond.
  • Sandboxing. The defenders then came up with the brilliant idea of “sandboxes” where they could open files and start applications in a controlled environment separate from the actual company network—kind of like having a robot take a suspicious object to a remote location and checking it out over there. If it blows up, nobody gets hurt. However, soon enough, hackers discovered that sandboxes have characteristics that distinguish them from the real network, so they devised mechanisms whereby the malware would know when it is in a sandbox and then they developed sandbox-evasion techniques.

    For example, sandboxes are implemented with a limited amount of time to run. Knowing this, attackers implement a sleep function, delaying malware activity by instructing the CPU not to react for X minutes. The defenders counter by detecting the sleep function and fast-forwarding the CPU clock, forcing the malware to run in the sandbox after all.

    The attackers quickly figure out the trick and they switch from using sleep functions to implementing time-consuming loops, once again escaping exile to the sandbox. The defenders develop a response for that as well—breaking loops that run too long.

    The attackers respond by coding some time-wasting mathematical calculations or by implementing some logic that runs the malicious code only if the lengthy loop finishes normally.

    And so the game continues.

Spin Control

Hacker mice are always looking for nooks and crannies—some vulnerability—and devising methods to defeat current security solutions. Defending cats are vigilant—always on the lookout to thwart the latest attack methods.

It’s hard to gain the upper hand in the cat-and-mouse game, but BitDam has an effective weapon: a whitelist approach that puts an end to this ceaseless competition.

BitDam researches the proper behavior of applications, file types and links at the CPU level. Our signatures are not the ever-growing database of malware (already in the billions and growing by leaps and bounds every day), but the opposite: the proper behavior of good stuff. Whenever the behavior of any application, file type or link diverges from that proper behavior, we mark it as malicious and we don’t let it get onto your computer.

Most attacks arrive via files and malicious website links. You click on any of those and you can quickly infect your computer and even your company network. When someone shares a link or a file with you, BitDam invisibly steps in. Unlike traditional mousy security solutions, we don’t wait until the actual malware is delivered in order to detect it. BitDam automatically takes the potentially malicious file or link out into the desert and compares its CPU flows while opening, to our whitelist of how it should behave. If there is a match, we deliver it as if nothing happened. But when there isn’t a match, we “blow it up in the desert” and don’t allow it to reach your computer.

Let the security cats win!

Read more
How to Automate Investigation in IDA Python Scripting
Alex Livshiz
Alex Livshiz
4 minutes & 16 seconds read · April 29, 2019

How to Automate Investigation in IDA Python Scripting

As a researcher in the Cybersecurity field, IDA is a tool that I use almost on a daily basis. IDA allows me to reverse engineer executables in order to deeply understand what happens under the hood.

If you’re like me, the first time you opened IDA blew your mind. I’m not just talking about their GUI (which I think is great), but the sheer amount of data IDA is able to extract from a Portable Executable (PE) file:

  • – Strings inside the PE
  • – Imports, Exports
  • – Functions, with their parameters and flows
  • – And so much more

In this post I’m going to discuss IDA Python scripting, why I needed it, and why you should use it too.

Why did I use it?

IDA Python is great for scripting, especially when you can’t just search manually for what you’re looking for. When investigating a suspicious behavior in a certain DLL, or extracting specific data, I find it very convenient.

After working and analyzing various malicious EXEs and DLLs, I noticed that my methodology doesn’t change too much. It always starts with:

  • – Search for interesting strings
  • – Search for WinApi uses that may indicate an attempt for achieving persistency on the machine
  • – Detect obfuscated content
  • – Etc.

IDA Python provides scripting capabilities, which allows me to extract this data, and saves a lot of manual hastle. Moreover, if there’s interesting info I want to extract (like size of code section, debug section info, etc), I can add it to the script for future uses.

Of course, there’s a lot more you can do with IDA. Everything that IDA displays, and much more, can be accessed using scripting.

Since IDA Python lacks a lot in documentation, here are few code samples.

IDA Python Tutorial

To run a python script on IDA, you need to make sure that you have IDA Python installed. I’m using IDA 6.5 and Python 2.7.

There are two ways to run your script:

1. Run your script directly from IDA, in the lower output window:

2. Inject your python code to IDA.

To do so, you create a .py file, write your code, and run IDA in the following way:

                                   idaq64.exe -c -A -T”Portable executable” -S”<<Your scipt path>>”

I’ll try to summarize the most useful\undocumented APIs by providing a few examples.

Example 1 – Print All Functions

Let’s say I want to print all existing functions in the DLL. Here’s all the code you need:

from idaapi import *
from idautils import *
from idc import *
  
# Wait for IDA to finish loading
autoWait()
  
# get the entry point of the PE file
start_address = BeginEA()
  
# If there’s no start address, there’s probably no .text section for the PE file
if start_address == BADADDR:
    qexit(
1)
  
  
# Go over all the functions
for funcea in Functions(SegStart(start_address), SegEnd(start_address)):
    function_name = GetFunctionName(funcea)
    function_start = funcea
    function_end = FindFuncEnd(funcea)
  
   
print “function name – {0}, start address – {1}, end address – {2}”.\
        format(function_name
, str(function_start), str(function_end))

Example 2 – Opcodes And Operands

IDA Python also provides you with API to go through opcodes and their operands. In this example, we iterate over all instructions in the “.text” section and print all addresses referenced by another address. Basically, this will print all function and location addresses.

from idaapi import *
from idautils import *
from idc import *
  
CODE_REFERENCE =
“Code”
DATA_REFERENCE = “Data”
  
# Wait for IDA to finish loading
autoWait()
  
# This returns the entry point of the PE file
start_address = BeginEA()
  
# If there’s no start address, there’s probably no .text section for the PE file
if start_address == BADADDR:
    qexit(
1)
  
# Go over all the instructions
for address in Heads(SegStart(start_address), SegEnd(start_address)):
   
if isCode(GetFlags(address)):
       
# Check if there are references to the address
       
has_ref = False
       
for ref in XrefsTo(address):
            ref_type = XrefTypeName(ref.type)
  
           
if ref_type.startswith(CODE_REFERENCE) or ref_type.startswith(DATA_REFERENCE):
                has_ref =
True
               
break
               
        if
has_ref:
           
print address

Summary

IDA Python is a great tool for extracting data from PE files, it enables basic scripting as well as many cool APIs. In this post I showed the rationale behind using this tool, and provided two easy-to-use code samples. Enjoy.

Read more
Rotem Shemesh
Rotem Shemesh
5 minutes & 8 seconds read · April 16, 2019

Ask the Expert: The Data Breach Effects We Never Hear About

We’re constantly hearing about data breaches in the context of financial losses – this company lost $40m, this one’s market value dropped by 3% – but what about the softer losses? What about the people who lose their privacy and have their most intimate details exposed?

In this blog post, we guest interview Dana Turjeman, Ph.D. Candidate in Quantitative Marketing in University of Michigan, and look at the implications on individuals who have suffered the consequences of a data breach.

About Dana Turjeman

Dana Turjeman is a Ph.D. Candidate at the Ross School of Business, University of Michigan, and her research focuses on privacy and impression management.

After working with an online match-making website (specifically for those seeking an extramarital affair) that suffered a severe data breach, Dana and her team wanted to learn more about the short term changes in the behavior of users following the announcement of a breach.

When she started to investigate the consequences of the data breach, she realized there was a lack of research on how such breaches affect users. Almost all work in this field was on financial damages suffered by public companies – simply because financial data on public companies are more available.

BitDam (BD): What’s the impact of data breaches on individuals?

Dana Turjeman (DT): Data breaches differ based on their level of sensitivity of the data, number of records, where the data ends up (public or not), and whether people can be protected from damage or not. On many occasions, data breaches cause financial harm to individuals; in many countries, these effects can be minimized by using financial identity and fraud detection services.

In other cases, sensitive information about habits, sexual preferences, and illegal behavior have been revealed. In the case of one of the affair-seeking websites that was breached, individual users got divorced, had their reputation severely harmed, and in extreme cases – committed suicide. This example of a breach is one of the most extreme in terms of the sensitivity of the data.

Usually, even though data breaches receive a lot of media attention, individual users do not have many ways to protect their identity, and even if they do have a way to protect it, they neglect to do so; this is often referred to as the “privacy paradox“. This might be for several reasons: optimism bias, laziness, uncertainty as to what can be done, and habituation (getting used) to data breaches. Measurement of changes to users’ engagement with companies is hard to achieve, following a data breach, and my research aims to solve this problem.

BD: Can you tell us more about your research?

DT: I have several projects on privacy; one of them focuses on the consequences of the data breach on the affair-seeking website, as I mentioned. Another relevant one is on the positive and negative sides of data collection, specifically in marketing practices.

In a different stream of my research, I look at impression management. In one relevant project, I observe changes people make on online dating websites (not only those seeking an affair) and investigate the “optimization” they make to their appearance on the website. Some users change details such as date of birth, height, and ethnicity – which can clearly never change. It doesn’t mean they lie in order to deceive. Rather, there are several reasons that have been discovered – personal security, ability to hide personal information and “hold the cards”, and yes, also – desire to attract more.

BD: It seems like the main focus when it comes to data breaches is on financial losses rather than customer behavior. Can you comment on that?

DT: Most research on the consequences of a data breach focuses on the stock market valuation of companies that suffered a breach, and customer surveys. It is hard to measure actual changes in customer behavior, for two main reasons:

(1) Companies don’t easily provide data following such instances (very naturally so – they want to share less, and not more, data, after a data breach), and (2) it is hard to measure users’ reactions, especially when there’s no “control group” (i.e., usually, in a data breach, all users/customers of the company are affected, and there is no clear group that can be used for comparison).

BD: How do you deal with these constraints?

DT: We solve both of these problems by having a rich data set that we received directly from the company (under a Non-Disclosure Agreement, and only for academic purposes), and by using advanced quantitative and causal inference methods.

BD: Why are the “softer” effects being overlooked in your opinion?

DT: Some of the consequences of data breaches that I mentioned above – loss of privacy, reputation, etc., are hard to measure. Usually, it is easier to look at stock market valuation and assess what the damage is from there.

BD: Any idea on how to avoid such privacy violations?

DT: The easiest thing is to collect only the data that is really needed and hold it for the least amount of time necessary. But even with data that is collected, companies should:

  •     – Update their security practices all the time
  •     – Encrypt every piece of the data, and obviously the sensitive parts of it
  •     – Grant access to only those who must access the data
  •     – If using third-party code:
  •         – Be sure to use it only if it is from a reputable source
  •         – If it is an open-source, use open source that is well maintained and validated
  •     – Data protection should be discussed from the very first step of product development
  •     – Apply advanced cybersecurity solutions and keep up-to-date with new solutions and technologies

 

The Key: Stay Protected

Data breaches can take a massive financial toll on businesses. What’s less known, is the tremendous negative impact these breaches have on individuals. Thanks to researchers like Dana Turjeman, we’re starting to find out more about the effects these breaches have.

A key takeaway is how imperative it is to ensure that all content and applications are secure. Organizations and individuals should make sure they are protected and deploy sophisticated solutions to deal with these advanced threats before it’s too late.

Read more
Perimeter-Based Security
Maor hizkiev
Maor hizkiev
2 minutes & 43 seconds read · April 8, 2019

Perimeter-Based Security: So You’re Saying You Detect The Malware After I Got It?

If you read my previous blog then you already know that I like to dig into other vendors websites and marketing materials.

In this blog, I’d like to share with you another interesting aspect that I’ve learned about perimeter-based security solutions. Apparently, the bigger (and the smaller?) vendors claim that they constantly scan files or links, even after they were flagged as clean. The purpose of doing so is to lower the false negatives rate of the solution and alert on those threats retrospectively.

It does sound nice that you can be notified on a malicious file after it entered your organization, I mean, better late than never right? My claim is that it covers a much bigger problem in today’s detection engines.

Which files are scanned?

First, let’s look at it economically – constantly scanning all the files 7 days back sounds really expensive. So it is probably not something that is actually done as said, but it’s safe to assume that only a subset of those files is actually scanned. So how do they determine which files to scan? I’ll have an educated guess, and say that the subset is determined based on some characteristics, or maybe a low scoring that these files received. So, the question to ask now is “what about the files that are not falling into these categories?”. They are going undetected even a week after they have entered the organization.

Why didn’t you detect it a week ago?

Second, what does it actually mean that after a few days a vendor will suddenly detect a file? It means that they got new data on the file, whether it’s a list of recent malicious files that they received from a partner, a more significant statistics on that file, or that the malicious part in the file was triggered after a few days. Anyway, at the end of the day, it means that they weren’t good enough to detect the file on first sight. And more importantly, it means that you as an organization was exposed to this malicious file, and hey, it might be too late.

From our experience and data that we see at our customers, the time it takes for a vendor to update its solutions, ranges from 1 day to 12 days. The importance of detecting the threats on first sight is becoming THE purpose of cyber security today. Attackers are aware of that gap and taking advantage of it, so they are using an attack just like a disposable plate – after a short use, they throw it away, and recycling it to something brand new which most solutions can’t detect.

The high investing in post-detection mechanisms (continuous scanning and pull capabilities) raises some serious doubts in the effectiveness of those engines, as they are immortalizing the cat-and-mouse game, which is the preferred game for the attackers as they are the ones holding the advantage.

What can you do about it?

My suggestion is to look for solutions that do not pose these questions and doubts, or even better – solutions that are ‘attack-agnostic’. If a detection engine is not dependent at all on how attacks look like, and doesn’t ‘care’ that attacks pretend to be something else, it is more likely that it will detect attacks on first sight.

Read more
Don’t Jeopardize Your Security When Using Platforms Like G-Drive, Dropbox, OneDrive and Box
Rotem Shemesh
Rotem Shemesh
2 minutes & 20 seconds read · March 28, 2019

Don’t Jeopardize Your Security When Using Platforms Like G-Drive, Dropbox, OneDrive and Box

Most of us use some kind of cloud collaboration platform as part of our workday routine. We’re constantly sharing files and working together with our colleagues on projects. But with so much of today’s business taking place online, the security of our documents becomes paramount.

Security Focus Has Been On Email
Online security has been highly focused on protecting against email-borne threats. And with good reason – over 90% of attacks penetrating organizations’ defenses are delivered via email.

Currently, it’s relatively easy for hackers to attack via email. For too many organizations and individuals, an absence of sufficient awareness, training, and sophisticated security tools means that they are left vulnerable to even simple phishing attacks.

This has been changing over the last couple of years, however, as more companies start to offer specific email security tools – in the form of both basic solutions from email service providers, as well as from vendors that specialize in security.

A New Challenge Emerging: Content-borne Attacks Via Cloud Drives

With so many people focused on email security, a new, much more dangerous threat has emerged.

Cloud storage platforms like OneDrive, SharePoint, G-Drive, Dropbox, and Box are often left unsecured. They lack the high level of security that has become instrumental in securing email, endpoints, and networks. While there have been major attacks using cloud storage platforms in the past – most notably the G-Suite Google Docs hack – most hackers aren’t yet focusing on these platforms.

This is set to change as email security improves. Hackers have already begun looking for newer attack vectors, and cloud storage is high up on their list. We’ve already seen a dramatic increase in content-borne attack incidents that start from within these platforms. 

An additional factor that makes cloud storage platforms so tempting for hackers, is how trusting people are of the platforms. Believing shared documents to be safe from traditional phishing and email fraud, users often throw caution to the wind even when receiving a document from a stranger.

BitDam scans files and links before users can access them through cloud drives.

Secure Your Cloud Collaboration Platform

What’s becoming clear from the increase in both quantity and severity of security breaches that leverage from a cloud collaboration platform, is that a purpose-built solution is required in order to keep yourself, and your organization, protected.

That’s where BitDam comes in. BitDam stops advanced content-borne attacks contained in any type of file or URL across channels, including your email (Office 365, G-Suite or any other email service), cloud collaboration platform (Google Drive, OneDrive, Dropbox, Box), and even Instant Messaging (Teams, Skype or Slack).

In today’s environment of sharing and collaborating on even the most highly sensitive documents, it’s imperative to have the best protection possible. For more information or to schedule a trial, get in touch.

Read more
Rotem Shemesh
Rotem Shemesh
2 minutes & 15 seconds read · March 14, 2019

Customer Interview: Michael Lee Sherwood, The City of Las Vegas

“In Cyber Security, nothing’s ever enough. There’s always more you can do.”

Michael Lee Sherwood, Director of Innovation and Technology, The City of Las Vegas

We’ve interviewed Michael Lee Sherwood, The City of Las Vegas‘ Director of Innovation and Technology about his experience with BitDam’s Advanced Threat Protection. Here is the result in video and text:

Please introduce yourself – Who are you, and what do you do?

My name is Michael Lee Sherwood. I’m the director of Technology and Innovation for the City of Las Vegas.

In one sentence, what’s your take on cyber security? And what was the challenge you had before BitDam?

Cyber Security is a completely evolving area and one of our number one priorities, prior to using BitDam has been how do we gauge that risk? How do we engage the threat and ensure that email can be a tool used for safety?

What does BitDam do for you? And what makes you happy with their service?

BitDam really helps us now by scanning our emails before they come in and eliminating threats that might otherwise have come into our network. So one of the key reasons other than a great partnership with BitDam, is its technology. With BitDam we’ve seen very little latency from time of entry to actually delivery to our customers’ mailbox. BitDam has been very successful in not only helping us address email threats, but actually providing us intelligence into the type of threats that is coming in as well as how we can mitigate future threats from impacting our network.

In your opinion, what makes BitDam different in the marketplace?

There’s a vast amount of products out in the security marketplace and growing all the time. I think what separates BitDam from other products and in my opinion, makes it unique, is their approach and their knowledge on Cyber Security.

What was the installation like? How long did it take to start seeing the value?

The BitDam solution was probably one of the easiest installations I’ve ever had. Within the first hour or two hours of the product being deployed, we had our first return of a suspect email. And in today’s cyber landscape, the ability to respond quickly and decisively is most important.

What have the results been so far?

I think in our case with BitDam, we’ve had 26 detections so far. We’ve had no infections from malware since we’ve had the product in place. It has provided valuable intelligence.

Is there anything else that you’d like to add?

I look at it this way, not only is BitDam an insurance policy, it’s an insurance policy that pays us dividends every day.

 

Read more
Pages: