BitDam Blog

G-Suite Security Checklist: Are you Protected?
Maor hizkiev
5 minutes & 17 seconds read · August 5, 2019


When it comes to enterprise attack vectors, email is still king.

Your employees are receiving, opening, and forwarding hundreds of emails a day, making emails an attractive vehicle for threat actors of all kinds. According to Verizon, an astounding 96% of attacks are still delivered via email.

Email threats might not be new or exciting, but all organizations, regardless of size, should be shifting email security to their highest priority.

The Era of Perimeter-based Security is Passé

Despite the prevalence of email attacks, enterprises often lack the proper safeguards when it comes to email security. It is not uncommon for organizations to rely on perimeter-based security, focusing on firewalls and intrusion detection to protect them from hackers. Unfortunately, this is not enough; research shows that secure email gateways (SEGs) consistently fail to protect against phishing attacks and 76% of infosec professionals claim their organizations experienced them in 2017.

In some cases, organizations don’t have any protection for their email at all, and only start taking preventative measures post-breach. Even for a large enterprise, the cost of a breach can be fatal. In 2018 alone, there were over 2 million cyber incidents that created a whopping $45 billion in losses, a number high enough to exceed the GDP of several European countries.

Cloud-based Emails Opened up the Floodgates

G-Suite has taken the enterprise world by storm; its convenience, availability and simplicity make it irresistible to businesses and private users. However, despite the significant efforts to raise awareness of cybersecurity threats, employees are often still not savvy enough to check links and attachments before clicking.

The growing sophistication of attacks, combined with the increased use of cloud-based email services, means that enterprises need to step up their email security efforts.

The Three Levels of Cloud-based Email Security

Broadly speaking, there are three layers of cloud-based email security that an organization can opt for to protect their corporate emails.

Level 1: Basic Security

These are the security measures that come built-in with an email platform. G-suite has some level of security protection out-of-the-box.

Organizations’ email admins can set up custom rules for the appropriate actions based on the type of threat that is detected. For example, they can move all suspicious emails directly to the spam filter (i.e., an email service feature designed to block spam from a user’s inbox) or opt for leaving such emails in the inbox with a warning.

As a result, the organization is aware of every problematic email, but the users will still receive or see potentially harmful emails, ultimately leaving security in the hands of the end-users.

Level 2: Middle-level Security

At this level, the organization can identify unauthenticated emails potentially spoofing their domain and choose to quarantine or delete such messages using the three pillars of email authentication: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC):

  • SPF is an email validation protocol that lets receiving servers detect and reject emails sent in your domain’s name from servers you have not authorized.
  • DKIM is used to create a cryptographic signature that ensures the content of an email remains trusted and hasn’t been tampered with.
  • DMARC is an added authentication method that uses both SPF and DKIM to verify whether or not an email was sent by the owner of the domain that the user sees.
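To make the interplay of the three pillars concrete, here is an added toy evaluator (not code from the original post, BitDam or Google) that walks an SPF record, checks identifier alignment and applies the published DMARC policy for one message. The DNS TXT records, the placeholder domains example.com and partner.example, and the sample messages are all constructed for this illustration.

```python
"""Toy SPF + DKIM-alignment + DMARC evaluation for one message.

Added illustration, not BitDam's or Google's code. The DNS TXT records
below are constructed stand-ins for a real lookup; example.com and
partner.example are placeholder domains.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed TXT records keyed by the name a receiver would query.
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.partner.example -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.10 -all",
    # aspf=s: SPF domain must equal the From domain; adkim=r: DKIM d= may be a subdomain.
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}


def spf_check(domain: str, sender_ip: str) -> bool:
    """Minimal SPF: walk ip4: and include: mechanisms in order.
    Anything not matched falls through to the trailing -all, i.e. fail."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return False
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return True
        if mech.startswith("include:") and spf_check(mech[8:], sender_ip):
            return True
    return False


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, naively the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') allows subdomains."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str            # domain of the From: header, the one the user sees
    envelope_from: str          # domain of MAIL FROM, the one SPF is evaluated on
    sender_ip: str              # connecting SMTP client address
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, or None


def evaluate_dmarc(msg: Message) -> str:
    """Return 'pass', 'no-policy', or the policy action (none/quarantine/reject) to apply."""
    record = DNS_TXT.get("_dmarc." + msg.header_from)
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    spf_ok = spf_check(msg.envelope_from, msg.sender_ip) and aligned(
        msg.header_from, msg.envelope_from, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_domain is not None and aligned(
        msg.header_from, msg.dkim_domain, tags.get("adkim", "r"))
    # DMARC passes if at least one authenticated identifier aligns with the visible From domain.
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Spoofed From sent from an unlisted server: SPF fails for example.com and no DKIM signature.
    print(evaluate_dmarc(Message("example.com", "example.com", "192.0.2.9", None)))  # quarantine
```

Note that a message sent from a genuinely authorized server, as in the account-takeover case discussed further down this page, passes all three checks, which is exactly why these mechanisms cannot catch it.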

Level 3: Highest Level of Security

At this level, organizations are able to approach the cloud email security in a much more comprehensive manner by adding the ability to conduct advanced threat protection, such as:

  • Protection against suspicious attachments: Identify attachments from untrusted senders or attachment types uncommon for the domain. Organizations can also identify emails with unusual attachment types and choose to automatically display a warning banner, send them to spam, or quarantine the messages.
  • Scan links and external images: Admins control how warnings work in Gmail when a person clicks on a link to an untrusted domain.
  • Spoofing and authentication: This is an added protection against domain spoofing based on similar domain names.

Why Out-of-the-box Email Protection is Not Enough

As things stand, there are serious issues with even the highest level of protection offered by cloud-based email service providers. These include:

Choosing “rules” in advance: This approach leaves a higher chance of error if there’s an element the admins haven’t considered. As a result, a malicious email will look “legit” to the system, as it is indeed “legit” according to the rules set. This can lead to phishing and malicious emails getting through; if there’s a configuration, there is a chance that mistakes will be made.

Vulnerable to Account Takeover (ATO): Hackers can bypass even the highest levels of security with an ATO attack. By sending an email from an ostensibly trusted source such as a colleague, a supplier or a client, a hacker can override any rules set. This is a common way of spreading malware that bypasses SPF/DMARC, since those mechanisms can’t identify such emails as malicious: the message genuinely originates from the authorized account and domain. Usually, after ATO, the attacker replies to an existing thread with a malicious attachment, making the email appear completely legitimate.

Only protect against known or similar threats: Such measures only protect against already encountered and known threats. Since the threat landscape is always evolving, organizations need a system in place that will detect brand-new threats that do not meet pre-set criteria.

The Need for Comprehensive Email Security

Methods that were effective yesterday are simply no longer relevant today. For example, detecting attacks based on metadata and external features is something that used to be effective, but can easily be bypassed today.

As the threat landscape continues to evolve, organizations need comprehensive tools to protect against known threats, but even more so against the unknown ones. Rule-based security can be easily bypassed by a novel threat that you didn’t know existed, and therefore didn’t set up rules against. The standard measures deployed by cloud-email providers are not robust enough to withstand the onslaught of sophisticated threat actors. This is where BitDam comes in.

The BitDam cloud-based Advanced Threat Protection (ATP) blocks both known and unknown threats contained in any type of file or URL, protecting your Email, Cloud Drive, and Instant Messaging. The platform offers the highest detection rates of advanced attacks from within the communication stream, with no configuration, updates or patches needed. In addition, BitDam sits on top of your existing systems with no changes necessary to the existing security infrastructure.

Top 14 Cyber Security Influencers to Follow
Rotem Shemesh
7 minutes & 12 seconds read · July 29, 2019


When it comes to cyber security, the only constant is change. Both the number and the sophistication of cyberattacks is growing across the board, and the security industry is quickly evolving to address these challenges with innovative solutions. 

Email remains a major vector for cyberattacks of all kinds with content-borne attacks being very common, while email security is a fast-moving field. Knowing the right thought leaders to follow is crucial to staying current on the latest trends and developments. Check out our list of top 14 cyber security influencers to follow on Twitter, LinkedIn and conferences and never miss out on an important update again.

1. Jeremiah Grossman 

Followers: 60K

Posting Frequency: 1-2 a day

Favorite topics: Ransomware, Cyber attacks, Ethical Hacking

Jeremiah is the CEO of Bit Discovery and a founder of WhiteHat Security, the biggest ethical hacker collective on the planet. Jeremiah has amassed a number of industry awards and recognition from companies like Microsoft, Mozilla, Google and Facebook for uncovering critical vulnerabilities and security flaws in their systems. He is one of the world’s top experts when it comes to ethical hacking, and releases a lot of educational content on hacking and security.

Over the span of his career, Jeremiah has discovered new ways to sidestep corporate firewalls, abuse online advertising networks to take any website offline, hijack email and bank accounts, and many other innovative cyberattack techniques. Thank God, he is one of the good guys!

2. Mikko Hypponen

Followers: 194K

Posting Frequency: 1-2 a day

Favorite topics: IoT, Viruses, Retro Technology

Mikko is a global security expert. He has worked at F-Secure since 1991, and his research and articles have been published in the New York Times, Wired, and Scientific American. A frequent guest on international TV, Mikko has lectured at the universities of Stanford, Oxford and Cambridge. He frequently tweets and talks about old-time technology from decades ago, the latest developments of today, and how the two connect to create the current complex landscape.

3. Andy Ellis

Followers: 19K

Posting Frequency: Daily

Favorite topics: Authentication, Cloud, Crypto, Malware

Andy Ellis is Akamai’s CSO on a mission of “making the internet suck less.” A heavy Twitter user, Andy tweets about pretty much everything, from personal pet peeves to the latest updates on email security: “The real problem of links is that, for all intents and purposes, email clients are the trusted core of enterprises, and accept unsanitized inputs from just about anyone.”

4. Omar Santos

Followers: 10.5K

Posting Frequency: 1-2 a day

Favorite topics: Vulnerability research, Threat intelligence

Omar is an active member of the ethical hacking community who has amassed over 7,000 references on GitHub related to ethical hacking, penetration testing, digital forensics and incident response (DFIR), vulnerability research, and more. Omar releases a lot of educational content, including online courses on hacking and cybersecurity, and tweets frequently on the latest bugs, malware and vulnerabilities.

5. Troels Oerting 

Followers: 6K

Posting Frequency: 1-2 a day

Favorite topics: Privacy, Security

Troels is Head of the Centre for Cybersecurity at the World Economic Forum, with an extensive background in policy and a long career fighting cybercrime as Head of European Cybercrime Centre and Acting Head of the Counter Terrorist and Financial Intelligence Centre at Europol. His tweets are focused on macro trends and societal impact of technology on everyday life. By following him you will always stay up to date on the latest developments in cyber crime.

6. Joseph Blankenship

Followers: 1.5K

Posting Frequency: Daily

Favorite topics: Trends, Industry Research

Joseph is a leading research analyst at Forrester focusing on security infrastructure and operations, AI for cybersecurity, email security, distributed denial of service (DDoS), and network security. Joseph has over 12 years of hands-on industry experience including product marketing roles at Solutionary (NTT Security), McAfee (Intel Security), Vigilar, and IBM. He frequently tweets about the latest research, findings and developments in cybersecurity.

7. Mike Rothman

Followers: 9.7K

Posting Frequency: 1-2 a week

Favorite topics: Cloud Security, DevSecOps 

Mike specializes in cornerstone aspects of security, such as protecting networks and endpoints, security management, and compliance. He is a sought-after speaker and the author of the highly regarded book “The Pragmatic CSO”, which you should definitely add to your reading list. His tweets focus on cloud security and DevSecOps, and he frequently talks about the way enterprises can achieve security maturity in the cloud.

8. Dr. Magda Chelly

Followers: 8K

Posting Frequency: 2-3 a day

Favorite topics: Cybersecurity, Privacy, Risk Management

Magda Lilia Chelly is a “CISO on demand” for a wide array of companies, from medium size enterprises to top Fortune 500 companies. Magda is passionate about human interaction with technology, diversity and cultural impacts on privacy and security controls.

Magda frequently tweets on women in security, diversity and inclusion, as well as the latest developments on the cyberfront and retweets interesting posts by other pros in the field.

9. Shira Rubinoff

Followers: 51K

Posting Frequency: Daily

Favorite topics: Blockchain, Cyber, Social Media, Human Factors of Cybersecurity

Shira is a world-renowned cybersecurity expert specializing in the human factors of information technology and security. A seasoned keynote speaker, influencer and serial entrepreneur, Shira holds several patents in areas related to the application of psychology in cybersecurity. Follow her for the latest updates on how humans fit into the cybersecurity puzzle.

10. Raj Samani

Followers: 9.6K

Posting Frequency: Daily

Favorite topics: Cybercrime, Malware

Raj Samani is Chief Scientist at McAfee. He specializes in cybercrime and has assisted multiple law enforcement agencies in a variety of cybercrime cases. Currently, he serves as a special advisor to the European Cybercrime Centre in The Hague. 

Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe Hall of Fame. He is also a prolific writer and co-author of “Applied Cyber Security and the Smart Grid” and the “CSA Guide to Cloud Computing,” as well as technical editor for numerous other publications. Samani tweets on anything that deals with malware and ransomware and common attack vectors, including email and social media.

11. Samy Kamkar

Followers: 9.6K

Posting Frequency: 1-2 a week

Favorite Topics:

Samy Kamkar is an American privacy and security researcher, a celebrity computer hacker, and a famous whistleblower and entrepreneur. He is best known for high-profile hacking exploits, especially as the creator of the fastest spreading virus of all time, the MySpace worm Samy, and SkyJack, a method for hijacking drones. If that’s not enough, he also created Evercookie, a tool that was used by the National Security Agency (NSA) to track anonymous Tor users. 

In addition to Twitter, Samy writes a highly regarded cybersecurity blog where he publishes detailed research about the latest malware and vulnerabilities he discovers.

12. Kevin David Mitnick

Followers: 253K

Posting Frequency: 3-4 a week

Favorite Topics: Hacking, Vulnerabilities, PenTesting

Kevin Mitnick is probably the world’s best known hacker whose career is worthy of a Hollywood Blockbuster. He is a highly controversial figure within the cybersecurity space and notorious for his high-profile 1995 arrest and consequent sentence for various computer-related crimes.

Nowadays, Mitnick is a top paid security consultant, public speaker and author. In addition, Mitnick serves as a security consultant for a wide array of Fortune 500 companies and the FBI. He performs pentesting services for the world’s largest companies, and teaches Social Engineering classes to dozens of enterprises and government agencies all over the world. 

Kevin also created the world-leading cybersecurity awareness training. Follow him for the latest updates on spam, content-borne and email attacks, phishing, spear phishing, malware, ransomware and social engineering.

13. Adam Levin

Followers: 253K

Posting Frequency: 3-4 a day

Favorite Topics: Identity Theft, Phishing, Social Engineering, Hacking

Adam is an expert on identity management and identity theft resolution. He writes a weekly column for the Huffington Post and frequently contributes to other major media outlets. Adam has over 40 years of experience in security, privacy, personal finance, real estate and government service. Adam speaks and writes on a wide array of subjects, including a broad range of security and personal finance topics, privacy issues and the “Internet of Things,” protecting data in a world of connected devices, and identity theft.

14. Chuck Brooks

Followers: 10K

Posting Frequency: 3-4 a day

Favorite Topics: AI, IOT, Homeland security, cyber security

Named a “Top 50 social influencer in risk and compliance” by Thomson Reuters, Chuck is a recognized thought leader, influencer and technology evangelist. His articles are frequently published in Forbes, Huffington Post, InformationWeek, MIT Sloan Blog, and Computerworld. On Twitter, Chuck frequently shares articles from all over the web on cybersecurity topics, as well as his opinions on the latest developments in the field.

Can you think of someone who should be added to our list? Let us know in the comments below!

Rotem Shemesh
1 minute & 37 seconds read · July 23, 2019

The Hits Just Keep on Coming

Just when you thought your endpoints and data were safe, along comes a repeat performance of last year’s exploit.

Everybody understands that talented hackers will continue to create innovative malware that will attempt to exploit new vulnerabilities in our operating systems and third-party software. That’s a given. But isn’t it just a little bit mind-boggling to think that well-known attacks from years ago, already included in all the leading threat intelligence feeds and AVs, are still actively piercing our cyber defense armor and pilfering our data?

How is that even possible?

BitDam’s latest research explains the economics behind new types of hacker attacks and shows why yesteryear’s major malware hits continue to plague us. In our latest whitepaper, Still Vulnerable After All These Years, you will learn why hackers often prefer to tweak old and proven attack methods again and again rather than invent new techniques.

In Still Vulnerable, we will show you how observant hackers find the tiniest cracks in the security wall of the most tried and tested software. Even if you QA it a thousand times, hackers can still find a way in.

Which software packages are the most attractive hacker magnets? You might be surprised at what we have discovered.

Is there any connection between the number of attacks and actual data breaches? We present you with the numbers and trends over the last decade. The correlation is critical, and we do the math for you.

Did you ever wonder how attacks are identified, catalogued and distributed globally via public threat intelligence? Here is an opportunity to obtain an easy-to-understand background on the CVE system, how it is used and how it helps you.

But that’s not all.

What is the ultimate defense against recurring attacks against your standard Microsoft, Adobe and other packages? We have the answer and you can have it, too.

Download Still Vulnerable After All These Years to find out how to stop the hits that keep on coming.

Macro Obfuscation in Office Files
Alex Livshiz
5 minutes & 33 seconds read · July 8, 2019


In the world of cyber-security, some patterns never change. However, that doesn’t mean that they’re easy to detect. One of them is code obfuscation.

The typical reasons attackers use code obfuscation include:

  1. Evasion techniques – hiding their code from static analysis solutions
  2. Making their code harder to reverse engineer

At BitDam, we have encountered various types of obfuscated code, ranging from obfuscated strings in a malicious DLL dropped to the machine, all the way to obfuscated JavaScript in a pdf file. In this blog post, I’m going to focus on obfuscated macros in Office files.

Why Office Macros?

To understand why this is one of the most interesting issues, in my opinion, I’ll have to take you back to BitDam’s approach towards detecting malicious files. Generally speaking, there are three steps that take place in the process of malicious file exploitation:

    1. Identifying a vulnerability
    2. Exploiting that vulnerability
    3. Running the malicious code

Today, most security solutions focus on detecting the malicious code / Advanced Persistent Threat (APT). Why is that? Because it’s relatively easy to create static and dynamic signatures that would catch known APTs.

Why isn’t that good enough? Because this method works well for known APTs, but it is useless against zero-day exploits and unknown APTs.

How does BitDam do things differently? Unlike many other solutions, BitDam focuses on the most interesting phase – the exploitation – that leads to code execution.

Now that we have this in mind, we can move on to “why are Office macros interesting?”

Many Office macro attacks do not include the vulnerability and exploitation phases and start straight out running the malicious code. This way, attackers can do pretty much whatever they want. For example, an attacker can simply drop an EXE file to the %TEMP% folder and execute it. This in turn causes current cyber solutions to focus on static analysis to detect malicious macros. To deal with that, attackers obfuscate their macros and make them harder to find using a static scan.

They Get More and More Sophisticated

Macros were first introduced way before the concept of cyber-security existed, and were mainly used for running functions on Excel sheets. That changed when attackers started exploiting macros to their own advantage. According to the Microsoft Defender ATP Research Team, 98% of the Office-targeted threats in 2016 used macros, which is a crazy number! And to be honest, I don’t see a reason for this number to decrease.

The reason hackers use this attack vector is that it allows them to do whatever they want within the scope of a macro. They can achieve code execution and persistence on the attacked machine by using macro features such as:

  • Writing to the file system
  • Writing to the registry
  • Using Windows Management Instrumentation (WMI)

Some of today’s macro attacks are also known as fileless attacks – attacks that do not require the installation of a malicious program or writing a file to the file system. Instead, they inject their code into other processes so that the malware exists only in memory.

Obviously, Microsoft had to deal with this attack vector. As with every problematic feature, the easiest solution is to disable it by default. Today, Office integrates mitigations to prevent macros from running by default. For example:

This may help in some cases, but attackers use social engineering to trick the user to approve the macro (which actually works):

In other cases, organizations with older Office versions are more in danger of being attacked by such files.

Diving into Macro Obfuscation

Let’s start with a basic example, which is also a very popular one. An attacker can simply create a WScript.Shell object and execute a powershell / cmd script. This can be used to fetch a payload from a remote server and execute it.

Have a look at the following macro:

Sub Document_Open()
    FileName = Environ("temp") & "\malicious.exe"
    fileNo = FreeFile 'Get first free file number
    textData = "My malicious content"
    Open FileName For Output As #fileNo
    Write #fileNo, textData
    Close #fileNo
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(FileName)
End Sub

This code basically creates an EXE file and runs it. Note that the EXE can’t actually run, since its content is a simple text string. And yet, when I uploaded a .docx file containing this macro to VirusTotal, half of the vendors marked it as malicious.

If I were an attacker, I would not be happy, as that is a very miserable result. I definitely don’t want my malware to be detected by 50% of the endpoints. Luckily for attackers, there are ways to bypass security solutions and get under their radar. Not surprisingly, this drives attackers to become very creative with their string obfuscations.

Let’s explore another example, this time it’s something that we’ve recently seen in the wild (SHA-256 f5c51cff409b074e9aeb97d999a3e78bbd99a3b3b8ee3821018a4759670e845a). It demonstrates how sneaky attackers can be. Here’s how the file works:

First, there’s a creation of a powershell command. You can see the letters of the “powershell” marked in red.

Then, the macro runs the command line generated using WMI. It uses the winmgmts object to create a process, and does it differently from my sample earlier:

This obfuscated macro got a much lower VirusTotal score:

Obfuscation Detection: Why, Challenges and How

Now that we understand why attackers use obfuscation, and we have seen a real-life example, it’s pretty clear why BitDam, as a cyber-security vendor, would like to automatically detect obfuscated macros:

  • For our customers – by labeling obfuscated macros, we provide our users (SOC teams) with data that would help them further investigate malware blocked by BitDam
  • Internally for product enhancements – our detection engine utilizes this data as part of its file scoring mechanism.

While obfuscated code is quite simple to identify with the human eye (any developer or researcher who sees the code can immediately tell that it’s obfuscated), it isn’t that straightforward for machines to detect. Looking for suspicious keywords in a macro is not an option. As you can see in the example above, even detecting the keyword “powershell” is not simple. And let’s not forget that attackers get more and more creative as time goes on.

To overcome this, and automatically determine whether a macro is obfuscated or not, we at BitDam came up with a unique technique that uses dynamic scanning (and a bit of static) of the file. This helps our customers’ SOC teams investigate such attacks, and it helps our solution to detect sneaky attacks.
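As an added illustration of the static side of the problem (this is not BitDam’s technique, which the post says is mostly dynamic), the following script folds the string-building tricks seen above, Chr(n), StrReverse and & concatenation, so that a keyword check runs over the decoded strings rather than the raw source, and it scores how much of a macro is spent building strings this way. Both macro samples are constructed for this example; the obfuscated one assembles the word “powershell” letter by letter without ever writing it out.

```python
"""Heuristic static check for obfuscated VBA string building.

Added illustration, not BitDam's technique (which the post says is mostly
dynamic). It folds the simple tricks shown above: Chr(n), StrReverse("..")
and & concatenation, so a keyword check can run over the decoded strings,
and it scores how much of the macro is spent building strings this way.
The two macro samples are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample: the word "powershell" never appears literally.
OBFUSCATED_MACRO = '''
Sub Document_Open()
    Dim a As String
    a = Chr(112) & Chr(111) & "w" & "e" & Chr(114) & StrReverse("llehs")
    b = "c" & "m" & "d"
    Set o = CreateObject("WScript.Shell")
End Sub
'''

# Constructed benign sample for comparison.
PLAIN_MACRO = '''
Sub Document_Open()
    msg = "Document opened"
    MsgBox msg
End Sub
'''

CHR_RE = re.compile(r"Chr\((\d+)\)", re.IGNORECASE)
STRREV_RE = re.compile(r'StrReverse\("([^"]*)"\)', re.IGNORECASE)
LIT_RE = re.compile(r'"([^"]*)"')
# name = expression lines; 'Set x = ...' and 'Dim' lines deliberately do not match.
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.MULTILINE)


def fold_expr(expr: str) -> str:
    """Statically evaluate a VBA expression made of literals, Chr(n), StrReverse("..")
    and '&' joins. Unknown pieces (variables, other calls) become '?'.
    Limitation: a '&' inside a string literal would be mis-split."""
    out: List[str] = []
    for piece in expr.split("&"):
        piece = piece.strip()
        if m := CHR_RE.fullmatch(piece):
            out.append(chr(int(m.group(1))))
        elif m := STRREV_RE.fullmatch(piece):
            out.append(m.group(1)[::-1])
        elif m := LIT_RE.fullmatch(piece):
            out.append(m.group(1))
        else:
            out.append("?")
    return "".join(out)


def folded_strings(src: str) -> Dict[str, str]:
    """Map each assigned variable to the string its right-hand side folds to."""
    return {name: fold_expr(rhs) for name, rhs in ASSIGN_RE.findall(src)}


def obfuscation_score(src: str) -> int:
    """Crude evidence count: Chr() and StrReverse weigh more than plain '&' joins."""
    return 2 * len(CHR_RE.findall(src)) + 3 * len(STRREV_RE.findall(src)) + src.count("&")


def keyword_hits(src: str, keywords=("powershell", "cmd", "wscript.shell", "winmgmts")) -> List[str]:
    """Keyword check over the raw source plus the folded strings, so letter-by-letter
    construction of a command name no longer hides it."""
    haystack = (src + " " + " ".join(folded_strings(src).values())).lower()
    return [k for k in keywords if k in haystack]


if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED_MACRO), ("plain", PLAIN_MACRO)):
        print(label, obfuscation_score(src), keyword_hits(src), folded_strings(src))
```

A raw keyword search over the obfuscated sample finds no “powershell” at all, while the folded strings expose it; a score well above that of ordinary macros is the kind of signal a SOC analyst can triage on.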

Want to check if we detect your obfuscated macro? Scan it now for free and let us know the result.

Rakesh Narasimhan Joins BitDam to head its North American Operations
Rotem Shemesh
1 minute & 30 seconds read · July 1, 2019


We’re excited to announce that Rakesh Narasimhan has joined BitDam to expand the business presence of BitDam in North America and drive its growth.

Rakesh brings more than 25 years of executive experience in high-growth technology industries, building, operating, and scaling multiple USD Billion businesses. His vast experience includes a range of senior executive roles at Microsoft Corporation, Oracle Corporation and Citrix Systems. Most recently, Rakesh has been scaling businesses at startups in the Software and Space sectors.

From our CEO and Co-founder, Liron Barak:

“We are excited to have Rakesh join us during this critical stage of growth for BitDam. We see an increasing need in customers seeking advanced cybersecurity solutions to protect their communication and collaboration platforms such as email, cloud storage and messaging systems. Rakesh’s vast experience in delivering customer value will come in handy as we help enterprises protect themselves from content-borne threats and hence scale business growth for BitDam.”

From Rakesh:

“In an increasingly connected world, organizations show no signs of slowing down their adoption of communication and collaboration solutions at work. Unfortunately, the bad guys are also increasing their attacks with sophistication, magnitude and evasiveness. Despite the heavy investment in top-notch cybersecurity solutions till date, organizations are NO better at meeting the serious challenges of protecting themselves from new, unknown cyber threats. A new approach is necessary to address the detection of and protection from content-borne malware. One that is unconventional in its technological approach to address forward-looking threats, rather than backward-looking security posture. BitDam, at its core, is about implementing this unconventional approach, and one that I believe will impact the cyber landscape in a big way. That is what convinced me to get involved with BitDam”.

Indeed, exciting times here at BitDam. Stay tuned for more updates.

You may follow Rakesh on Twitter: @rakeshnarasimha

Introducing BitDam’s Breach & Attack Simulation (BAS)
Alex Livshiz
3 minutes & 45 seconds read · June 25, 2019


At BitDam, we always try to provide our customers with the most comprehensive solutions to cope with cyber threats. As such, we consider it important to not only provide them with protection against the most sophisticated attacks, but also help organizations assess their existing security gaps and act accordingly. This is why we introduced the BitDam penetration testing tool a while back. This PenTest tool got TONS of positive feedback, so we decided to go bigger, and are happy to introduce BitDam’s Breach and Attack Simulation (BAS).

Breach and Attack Simulation vs. Penetration Testing

Until recently, the common practice when an organization wanted to test its security was to pen test its various defenses. This process is usually done manually by repeating the following cycle:

– Search for an attack vector (e.g. file attachments in emails).

– Find an exploit for attacking (e.g. an exploit for code execution in a PDF, running a malicious macro in an Office file, etc.).

– Provide an “attack POC” that bypasses the defense (e.g. sending an email with a malicious macro that bypasses the email security scan, while the file can’t really do any harm).

Although this is a very useful tool, it has some serious drawbacks:

– The process is mostly manual, meaning it’s costly and not scalable.

– No automated “executive summary” showing the weaknesses and strengths of the current security posture. This is crucial in order to understand which defenses need more attention or require upgrading. Producing it manually again makes the process expensive and inefficient.

– Requires heavy investment in R&D red teams (internal or outsourced) that focus solely on pen testing the organization’s defenses.

This is where Breach and Attack Simulation comes in.

Breach and attack simulation (BAS) is a technology that simulates cyberattacks in order to test a network’s cyber defenses. It enables organizations to assess security effectiveness by simulating hacker breach methods to ensure security controls are working as expected. BAS technologies are fully automated, enabling organizations to assess security continuously in real production environments; they eliminate guesswork, incorporate business risk context, and provide actionable results.

BitDam’s Breach & Attack Simulation

BitDam’s E-mail-Centric Breach & Attack Simulation is offered as a free service allowing organizations to assess how vulnerable they are to email cyberattacks. Getting access to BitDam’s dashboard, users gain visibility into the Breach & Attack Simulation results within a few minutes of signing in. Through the dashboard, they can see their current level of email protection, the types of cyberattacks to which they are vulnerable and the types of threats that they are protected from.

What makes BitDam Breach & Attack Simulation a good email security assessment tool?

– As some of you may know, BitDam’s Advanced Threat Protection solution shows one of the highest detection rates in the industry (I can write a whole other post about the reasons for that…). Maybe the most important thing about BitDam’s solution is the fact that it identifies the most sophisticated and camouflaged attacks that bypass most other security solutions. These are the attacks that we include in our Breach & Attack Simulation. In other words – the quality of the attacks is what matters and you can be assured that BitDam Breach & Attack Simulation includes the most sophisticated, high quality attacks that are out there, and the ones that might show up next.

– More about quality? Many of our researchers used to work on the offensive side of the cyber world. And they used to be good at that. Some of the “attacks” in our Breach & Attack Simulation are developed by these experts.

– And hey, it’s not just what we develop in-house and what we see at our customer base; as active players in the global cyber community, we also make sure to stay up to date, on a daily basis, on the new cyber techniques, trends and attacks that are out there.


All that allows us to build a powerful database of files and attacks to use in our Breach & Attack Simulation solution.

How to use it?

Our Email-Centric Breach & Attack Simulation platform allows an organization to test its current email security defenses with the click of a button and to identify the attack vectors that bypass those defenses and put it at risk:

It takes just a few minutes to set up, requires no IT overhead, and hey – it’s free!

Try it yourselves here and evaluate your current email security gaps within less than 15 minutes.

Rotem Shemesh
2 minutes & 45 seconds read · June 17, 2019

The Hacker Mindset Exposed

Jack likes to call himself a “ransomware activist”, but, in reality, he is a seasoned hacker. So seasoned, in fact, that he knows all the tricks of the trade and has tried many of them himself. That’s how he got to ransomware for fun and profit.

Jack doesn’t think like you and me. He actually believes that breaking into your computer and encrypting your files until you pay a ransom is ethical as long as he allows you to get your files back—after he makes off with the bitcoins, of course. In the real world, Jack would be considered a thief, tracked down by the police, arrested, tried and put away for years. But in our crypto-cyber environment, there isn’t an effective digital police force. The guardians of the law can seldom locate the criminal, let alone punish him for his evil deeds.

Not only does Jack think differently about ethics, but he and tens of thousands of his cohorts have created a highly developed, out-of-sight social network – sort of like the Pirates of Penzance but without the songs.

Jack and his friends hail from all over the world, wherever there is an Internet connection. They actually have their own Internet called “the Dark Web” and frequently visit it to trade stories, techniques and code snippets. They are as knowledgeable about cyber exploits and defense methods as Symantec, Check Point and Palo Alto Networks put together. The best among them more so. They innovate faster than you can say, “Who moved my healthcare data?”.

Across their social networks, hackers share not only knowledge but millions of valid email addresses too, accumulated through their many successful exploits. These stolen email addresses are traded over an exchange to be used again and again. Have you ever received an email from someone you know and been directed to click on a bizarre attachment? Your friend didn’t send you that email. It was one of Jack’s colleagues trying to trick you.

Some of Jack’s hacker-friends like to get physical. They walk around a company parking lot handing out memory sticks. Did you ever get a free one with some cool software? Oops! That might have been a prelude to another cyberattack.

To understand the motivations of these cyber assailants, you need to get into their heads and learn how they think. How do they strategize and implement their plans? We’ve done the research and we’re going to share it with you.

In our latest eBook, How Hackers Plan Their Attacks, we look at the psychological roots of hackers and explain how they go about their sinister business in five stages:

  1. Planning
  2. Dropper
  3. Payload
  4. C2
  5. Execution

In each of the stages, we get into the head of the hacker and describe his thinking process along with the various choices he faces and the considerations that bring him to his ultimate attack vector. You will learn all about the hacker’s goals, what he thinks of your cyber defenses and how he uses the Dark Web and other sources to break into your endpoints and networks. You might be shocked to find out how refined the professional hacker’s methodology is and how vulnerable your endpoints still are.

Have a look at our eBook to have a peek inside the fascinating world of hacking from the hacker’s perspective.

Alex Livshiz
3 minutes & 46 seconds read · June 5, 2019

New OLE Office Attack Vector

We’ve recently encountered and caught an interesting file sent to one of our customers. In this post, I’ll walk you through this attack and what makes it so interesting. The file I’m going to review (SHA-256 2a85f00afee44b4aced32f4222fc516d3a1dae856411dfdeafa5c09e44162ea5) had only four detections on VirusTotal (VT) when our engine caught it, as you can see on VT’s slick new GUI:

Moreover, it appears that some of the signatures are quite generic:

Short History

This file uses a feature that was first introduced when CVE-2017-11882 became popular and was exploited in the wild quite frequently. In CVE-2017-11882, attackers used an embedded OLE object that would auto-open Microsoft’s equation editor, exploit a vulnerability in it, and allow remote code execution (RCE). Running the OLE automatically was done using an embedded object with an objupdate feature. A while after that, Microsoft patched the equation editor and published a general recommendation for organizations to disable the equation editor from running.

OLE Walk-through

OLE can be used for creating either objects or containers. It is implemented on top of Microsoft’s COM (Component Object Model) infrastructure, which provides an interface for exporting functionality and for inter-process communication. COM is an integral part of the Windows OS, and attackers can turn this to their advantage.

Although CVE-2017-11882 was patched, the feature of objupdate remained as is. In the file that we’ve encountered, there’s an inner OLE object with the objupdate feature, but this time – it opens an Excel document that is embedded into the object:

In this image you can see:

  • The start of the OLE object data (the object keyword)
  • The objupdate feature, which causes this OLE object to load as soon as Word opens the file
  • The class of the object, sheet.8 (padded with spaces and dots)


When Word opens the .rtf file, it loads the OLE object automatically and hands it to a DCOM (Distributed COM) server, which performs the actual loading of the object, as you can see in the following stack trace:

At the bottom, the OLE object runs automatically, and in turn, calls combase’s SendReceive function to communicate with the DCOM server.

What is a DCOM server? It is an svchost.exe process, launched at Windows start-up, that is responsible for DCOM communication. It starts with the command line:

C:\Windows\system32\svchost.exe -k DcomLaunch


The svchost.exe process handles the OLE request and opens Excel.exe as its sub-process. Because Excel is spawned by svchost.exe rather than by Word, this makes the behavior harder to detect dynamically:

When Excel opens the embedded workbook, it auto-runs the macros that infect the machine.

Now that we understand OLE and how it was used in the file, let’s recap all the steps:

  1. A malicious .rtf is sent to an organization.
  2. Upon opening the file, the objupdate feature is used to load the inner OLE object automatically.
  3. The OLE loading is done by the svchost.exe process, which in turn opens Excel as a sub-process.
  4. The Excel file auto-runs a malicious macro.
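A static check for the first two steps of that chain, added here as an example (it is not code from the post or from BitDam): it finds each RTF \object group, records whether the group carries \objupdate, and normalises the \objclass value by undoing the space-and-dot padding so an embedded Excel sheet class can be recognised. The RTF fragments are constructed test inputs, not the sample analysed above.

```python
import re

# Constructed, harmless RTF fragments used as test input (not the sample from the post).
RTF_AUTO_EXCEL = (
    r"{\rtf1\ansi"
    r"{\object\objemb\objupdate{\*\objclass E x c e l . S h e e t . 8 . . . . }"
    r"{\*\objdata 0105000002000000}}"
    r"\par}"
)
RTF_EMBED_NO_UPDATE = r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 00}}\par}"
RTF_PLAIN = r"{\rtf1\ansi Hello\par}"

# Object classes whose loading hands the payload to another Office component:
# the Excel sheet class seen in the post, and the Equation Editor behind CVE-2017-11882.
RISKY_CLASS_PREFIXES = ("excel.sheet", "equation")


def _balanced_group(text, open_idx):
    """Return the RTF group that starts at text[open_idx] == '{', with braces balanced."""
    depth = 0
    i = open_idx
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # skip the escaped character (\{, \}, \\) and control-word start
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx:i + 1]
        i += 1
    return text[open_idx:]      # unterminated group: take the rest of the file


def normalize_class(raw):
    """Undo the padding the post describes: 'E x c e l . S h e e t . 8 . . .' -> 'excel.sheet.8'."""
    compact = re.sub(r"\s+", "", raw)           # drop the space padding
    compact = re.sub(r"\.{2,}", ".", compact)   # collapse runs of dots
    return compact.strip(".").lower()


def scan_rtf(text):
    """One finding per \\object group: its class, whether it auto-loads, and a severity."""
    findings = []
    for m in re.finditer(r"\\object\b", text):
        open_idx = text.rfind("{", 0, m.start())
        if open_idx < 0:
            continue
        group = _balanced_group(text, open_idx)
        cls_match = re.search(r"\\objclass\s*([^{}\\]*)", group)
        objclass = normalize_class(cls_match.group(1)) if cls_match else ""
        auto_load = re.search(r"\\objupdate\b", group) is not None
        risky = any(objclass.startswith(p) for p in RISKY_CLASS_PREFIXES)
        if auto_load and risky:
            severity = "high"       # the exact chain from the post
        elif auto_load:
            severity = "medium"     # auto-loading objects are rare in benign documents
        else:
            severity = "info"
        findings.append({"objclass": objclass, "objupdate": auto_load, "severity": severity})
    return findings


def is_suspicious(text):
    """True when any embedded object would load itself as soon as Word opens the file."""
    return any(f["objupdate"] for f in scan_rtf(text))


if __name__ == "__main__":
    for name, sample in (("auto-excel", RTF_AUTO_EXCEL), ("no-update", RTF_EMBED_NO_UPDATE)):
        print(name, scan_rtf(sample))
```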

The Malicious Macro

Let’s have a look at the macro:

The Workbook_Open function shown above runs automatically as Excel starts. You can also see that the macro is heavily obfuscated. The function uses a switch-case (Select Case in VBA) on a parameter whose value is 19. By debugging the macro, we find the relevant case:

The called function is a very obfuscated one:

This function launches PowerShell, which I caught using Procmon:

Once PowerShell is running, the attacker gains full control by establishing persistence on the machine and running the malicious code.

Conclusions and Mitigations

In this blog post we dug into a new OLE attack that is becoming more and more popular. We’ve already seen this attack in several customer environments, and expect it to become even more common. Another interesting thing to note is that its positive detections on VT jumped from 4 to 23 in less than 24 hours. While it’s nice to know that security solutions are updated within hours, it’s important to remember that the first few hours after malware is released are the critical ones.

What should you do to be more protected?

  • Make sure that macros are disabled in your organization by policy.
  • Don’t open files that you receive via email if they look suspicious.
  • Make sure that you use an attack-agnostic Advanced Threat Protection solution that detects malware on first sight.


To check how protected you are right now, try our Breach & Attack Test.


Liron Barak
5 minutes & 54 seconds read · May 22, 2019

While the Cat’s Away, the Cyber Mice Will Play

The mice don’t ever give up on the cat-and-mouse cybersecurity game and there is no reason why cybersecurity personnel should continue to play it. The mice—in this case, cyber attackers—have most of the advantages. They are relentless. They have numbers. They are mostly invisible. They can attack when and as often as they want. Stealthily, the mice can alter their attack ever so slightly to test and then defeat the latest security mechanisms of the cat. If one try fails, the mice can make another attempt at their leisure. Cats, on the other hand, can hardly put up a permanent defense against the numerous mice-assailants. The best they can do is catch one here and chase one there. But the mice are always back for more.

The cat-and-mouse game reflects the reality of hackers and cybersecurity. The company network is an attractive target that invites the next attack. Hacker mice can show up at their discretion with any new trick while the best the cat can do is to ward off the attack. Even capturing a mouse from time to time hardly puts an end to the game—there are always more mice and more attacks.

We want the cats to win!

A long history of misery

Mice have been invading our homes for a long, long time, just as hackers have been invading our endpoints and networks. Hackers have been sending CISOs and security analysts into a panic ever since the first successful cyberattack decades ago, when a researcher realized that it was possible for a computer program to move across a network, leaving a small trail as it went. The very first worm, called “Creeper”, transited terminals on the ARPANET (the precursor of the Internet), leaving behind the clever message: “I’M THE CREEPER: CATCH ME IF YOU CAN.”

Almost from the very beginning of cyber history, email has been the main medium for delivery of malicious payloads. In fact, the very person who invented email liked this idea of malware and made the Creeper program self-replicating—the first computer worm. He subsequently created another program, Reaper, the first antivirus software that would chase Creeper and delete it.

Thus began the first cat-and-mouse cybersecurity contest and we haven’t taken a break until now.

Relentless Search for the Next Target

The cybersecurity cat-and-mouse game consists of hacker mice from all over the world continuously inventing new methods and sharing knowledge vs. defender cats devising effective resistance only after significant damage has occurred somewhere in somebody’s cyberspace. Then, the hacker mice tweak their latest method and cause the defender cats to scramble in another futile chase. And on and on. It never ends.

Here is a brief history of cyber cat-and-mouse wars:

  • Static (or Payload-based) Signatures. The hacker attacks with a malicious file. Upon encountering and deciphering this malicious file, the security solution creates a static signature—a binary sequence unique to the malicious file—to identify this file. The security team rapidly shares the signature with their colleagues to enable them to identify this hack attack. Another hacker tries again with a different malicious file with its unique signature. The security team counters by adding the new signature to their security database. As the number of such malicious files increases, so does the signature database, now known as malware blacklists. Hackers keep altering their malware files to change their signatures and escape detection, and the defenders have to find the altered files, add the new signatures to the blacklist and quickly distribute them. This happens thousands of times each and every day.
  • Heuristic Signatures. To try to be more proactive, the defenders attempt to implement heuristic signatures—essentially applying signatures not on malware files but on malware behavior. For example, upon initialization, viruses might run a check for the presence of any running anti-virus (AV) processes. An advanced AV will notice this check and take action to defeat the virus. But it won’t take long for the attackers to try a new trick—they change the virus’s behavior by altering its AV check from looking for the presence of running AV processes to looking for the presence of AV files. The defenders have to respond.
  • Sandboxing. The defenders then came up with the brilliant idea of “sandboxes” where they could open files and start applications in a controlled environment separate from the actual company network—kind of like having a robot take a suspicious object to a remote location and checking it out over there. If it blows up, nobody gets hurt. However, soon enough, hackers discovered that sandboxes have characteristics that distinguish them from the real network, so they devised mechanisms whereby the malware would know when it is in a sandbox and then they developed sandbox-evasion techniques.

    For example, sandboxes are implemented with a limited amount of time to run. Knowing this, attackers implement a sleep function, delaying malware activity by instructing the CPU not to react for X minutes. The defenders counter by detecting the sleep function and fast-forwarding the CPU clock, forcing the malware to run in the sandbox after all.

    The attackers quickly figure out the trick and they switch from using sleep functions to implementing time-consuming loops, once again escaping exile to the sandbox. The defenders develop a response for that as well—breaking loops that run too long.

    The attackers respond by coding some time-wasting mathematical calculations or by implementing some logic that runs the malicious code only if the lengthy loop finishes normally.

    And so the game continues.

Spin Control

Hacker mice are always looking for nooks and crannies—some vulnerability—and devising methods to defeat current security solutions. Defending cats are vigilant—always on the lookout to thwart the latest attack methods.

It’s hard to gain the upper hand in the cat-and-mouse game, but BitDam has an effective weapon: a whitelist approach that puts an end to this ceaseless competition.

BitDam researches the proper behavior of applications, file types and links at the CPU level. Our signatures are not the ever-growing database of malware (already in the billions and growing by leaps and bounds every day), but the opposite: the proper behavior of good stuff. Whenever the behavior of any application, file type or link diverges from that proper behavior, we mark it as malicious and we don’t let it get onto your computer.

Most attacks arrive via files and malicious website links. Click on one of those and you can quickly infect your computer and even your company network. When someone shares a link or a file with you, BitDam invisibly steps in. Unlike traditional mousy security solutions, we don’t wait until the actual malware is delivered in order to detect it. BitDam automatically takes the potentially malicious file or link out into the desert and compares the CPU flows it produces while opening to our whitelist of how it should behave. If there is a match, we deliver it as if nothing happened. But when there isn’t a match, we “blow it up in the desert” and don’t allow it to reach your computer.

Let the security cats win!

Alex Livshiz
4 minutes & 16 seconds read · April 29, 2019

How to Automate Investigation in IDA Python Scripting

As a researcher in the Cybersecurity field, IDA is a tool that I use almost on a daily basis. IDA allows me to reverse engineer executables in order to deeply understand what happens under the hood.

If you’re like me, the first time you opened IDA blew your mind. I’m not just talking about their GUI (which I think is great), but the sheer amount of data IDA is able to extract from a Portable Executable (PE) file:

  • Strings inside the PE
  • Imports, Exports
  • Functions, with their parameters and flows
  • And so much more

In this post I’m going to discuss IDA Python scripting, why I needed it, and why you should use it too.

Why did I use it?

IDA Python is great for scripting, especially when you can’t just search manually for what you’re looking for. When investigating a suspicious behavior in a certain DLL, or extracting specific data, I find it very convenient.

After working and analyzing various malicious EXEs and DLLs, I noticed that my methodology doesn’t change too much. It always starts with:

  • Search for interesting strings
  • Search for WinApi uses that may indicate an attempt to achieve persistence on the machine
  • Detect obfuscated content
  • Etc.

IDA Python provides scripting capabilities that let me extract this data and save a lot of manual hassle. Moreover, if there is other interesting info I want to extract (like the size of the code section, debug section info, etc.), I can add it to the script for future use.

Of course, there’s a lot more you can do with IDA. Everything that IDA displays, and much more, can be accessed using scripting.

Since IDA Python is poorly documented, here are a few code samples.

IDA Python Tutorial

To run a python script on IDA, you need to make sure that you have IDA Python installed. I’m using IDA 6.5 and Python 2.7.

There are two ways to run your script:

1. Run your script directly from IDA, in the lower output window:

2. Inject your python code to IDA.

To do so, you create a .py file, write your code, and run IDA in the following way:

    idaq64.exe -c -A -T"Portable executable" -S"<<Your script path>>"

I’ll try to summarize the most useful (and undocumented) APIs by providing a few examples.

Example 1 – Print All Functions

Let’s say I want to print all existing functions in the DLL. Here’s all the code you need:

from idaapi import *
from idautils import *
from idc import *

# Wait for IDA to finish loading and auto-analysing the file before querying it
autoWait()

# Get the entry point of the PE file
start_address = BeginEA()

# If there's no start address, there's probably no .text section for the PE file
if start_address == BADADDR:
    print "no entry point found, nothing to enumerate"
    Exit(1)

# Go over all the functions in the segment that contains the entry point
for funcea in Functions(SegStart(start_address), SegEnd(start_address)):
    function_name = GetFunctionName(funcea)
    function_start = funcea
    function_end = FindFuncEnd(funcea)
    print "function name - {0}, start address - {1}, end address - {2}".\
        format(function_name, hex(function_start), hex(function_end))

Example 2 – Opcodes And Operands

IDA Python also provides you with API to go through opcodes and their operands. In this example, we iterate over all instructions in the “.text” section and print all addresses referenced by another address. Basically, this will print all function and location addresses.

from idaapi import *
from idautils import *
from idc import *

# XrefTypeName() returns names such as "Code_Near_Call" or "Data_Read";
# these prefixes select code and data references and skip "Ordinary_Flow"
# (assumed definitions; the original listing omitted them)
CODE_REFERENCE = "Code_"
DATA_REFERENCE = "Data_"

# Wait for IDA to finish loading and auto-analysing the file before querying it
autoWait()

# This returns the entry point of the PE file
start_address = BeginEA()

# If there's no start address, there's probably no .text section for the PE file
if start_address == BADADDR:
    print "no entry point found, nothing to scan"
    Exit(1)

# Go over all the instructions (heads) in the segment that contains the entry point
for address in Heads(SegStart(start_address), SegEnd(start_address)):
    if isCode(GetFlags(address)):
        # Check if there are code or data references to this address
        has_ref = False
        for ref in XrefsTo(address):
            ref_type = XrefTypeName(ref.type)
            if ref_type.startswith(CODE_REFERENCE) or ref_type.startswith(DATA_REFERENCE):
                has_ref = True
                break
        if has_ref:
            print hex(address)


IDA Python is a great tool for extracting data from PE files: it enables basic scripting as well as many useful APIs. In this post I showed the rationale behind using this tool and provided two easy-to-use code samples. Enjoy.
