Webinar presenter Stacey Wright answered a number of your questions after her presentation, "Cyberthreat Landscape (Spring 2018)." Here are some of her responses.
Audience Question: In terms of working with federal, state, and local agencies, your sensors, are they hardware or software based?
Stacey Wright: Our sensors are hardware based. Depending on the different type of sensor, it can be placed in different areas of the network, but where it goes is up to the member. We're working on offering cloud-based sensors.
Audience Question: Does MS-ISAC work with local prosecutors and law enforcement agencies on forensic investigations and prosecutions of cybercrime?
Stacey Wright: This is a tricky answer. We certainly do work with prosecutors and law enforcement agencies, as we try to make sure that, just like every other SLTT government employee, you have as many resources available to you as possible. We will not take on forensic cases for non-SLTT governments, but if you (an SLTT government) are affected we can help you. This means that if your local store gets hit, unfortunately, we can't do forensics for that. Part of this is quite simply because the forensic services we offer are provided at no cost to you through our DHS Cooperative Agreement, which only covers SLTT governments.
Audience Question: Has there been success apprehending offenders or is that really difficult because most of them seem to be operating outside of the country?
Stacey Wright: Oh no, we catch them. It perhaps isn't as common as we'd really like it to be, but we certainly have had successes working with law enforcement to catch the bad guys and get them arrested in the U.S. I have a picture that I would love to show. It's one of the guys we caught in his orange jumpsuit. So, while many times the criminals are overseas, there are local offenders that you can go after. Also, if you have a local case, it may tie in to 4 or 5 other local cases across the country, in which case the FBI or Secret Service may also be working on it, and you may be able to work in a joint investigation with them to target an overseas offender.
Audience Question: In terms of those joint investigations, are there signatures or is there like a clearinghouse that you use to be able to share investigative information and determine other agencies that are investigating these threats? How do you create these joint investigations?
Stacey Wright: We are not a law enforcement agency, so we don't get access to that type of information. What we do is call our law enforcement contacts: state police, the FBI, or the Secret Service. We work with all 79 DHS-recognized fusion centers and have contacts in a lot of the state police agencies around the country. Typically, when we run into something requiring a law enforcement investigation, we can put the word out fairly quickly and find out if somebody out there has an interest in knowing what we know. I would also invite anybody on the phone listening, if you know of a case where we might have information that could assist, to contact us directly.
Audience Question: Can you talk a little bit more about fileless malware? How it works, how it can get into a machine or network, and whether there are protections against fileless malware?
Stacey Wright: That's probably a much longer conversation. Fileless malware gets on your machine just like any other type of malware. The way it works, for the most part, is that it puts an artifact in your random-access memory (RAM), which is the memory that holds everything while your computer is turned on. When you reboot your computer, RAM goes away.
Part of the reason why this malware is called fileless is because it downloads there as opposed to downloading a classic file that is permanently stored someplace. That's really effective in avoiding detection because most antivirus products look for an actual file. So, it's much harder to detect fileless malware in a normal antivirus environment. That isn't to say other things like signature- and heuristic-based detections, firewalls, and so on wouldn't detect it.
Audience Question: Is there any effective prevention against fileless malware?
Stacey Wright: Other than what I just mentioned, it comes down to the same classic recommendations: train your users, enable email filtering to keep spam out, make sure users close their browsers to prevent malvertising, and so on. And instead of relying directly on antivirus that uses hashing as an algorithm, make sure your antivirus also uses heuristics to detect bad behavior. With signature-based detection, make sure you're getting updated signatures that look for traffic to known bad IPs or domains. If you're really concerned about malicious activity, that's where you can get into whitelisting. But whitelisting is much harder to be successful at, so I would suggest that it should be for a high-value system, because of the amount of effort it would take to whitelist allowed programs and websites while blocking everything else.
Audience Question: Regarding the use of HTTP, do all internal links within a website also have to reference the https prefix for it to be considered secure?
Stacey Wright: Yes. You are right. The entire unique address line does everything from the HTTPS:// all the way to the very end, where it probably says .html or .asp or .php. Every time that line changes, it still has to be https, or you will get that error message.
The way your website is set up probably means that you may need to change the website as a whole, not for each individual page.
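As an added illustration of the point above (this is example code, not part of the webinar or of MS-ISAC's tooling), the scanner below walks a page's HTML and reports every reference that would still resolve to http:// once the page is served over HTTPS. It separates subresources the browser loads into the page (stylesheets, scripts, images, form targets, which browsers flag as mixed content) from plain hyperlinks that would carry a visitor to an insecure page; the page URL and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load content into the page: http:// here is
# mixed content on an https page. Plain <a href> only navigates on click.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("link", "href"), ("audio", "src"), ("video", "src"),
               ("source", "src"), ("object", "data"), ("embed", "src"),
               ("form", "action")}
NAVIGATION = {("a", "href"), ("area", "href")}


class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed_content = []   # (tag, absolute url) loaded into the page
        self.insecure_links = []  # (tag, absolute url) the user would follow

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            key = (tag, name)
            if not value or (key not in SUBRESOURCE and key not in NAVIGATION):
                continue
            # Resolve relative references against the page URL: "/x.css" and
            # "//cdn.example.net/x.js" inherit https, so only hard-coded
            # http:// references are reported.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme.lower() != "http":
                continue
            bucket = self.mixed_content if key in SUBRESOURCE else self.insecure_links
            bucket.append((tag, absolute))


def find_insecure_references(page_url, html):
    """Return (mixed_content, insecure_links) found in html served at page_url."""
    parser = InsecureRefFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.mixed_content, parser.insecure_links


# Constructed sample page: a mix of hard-coded http://, scheme-relative and
# site-relative references, as found on a site partway through an HTTPS move.
SAMPLE_URL = "https://www.example.org/index.html"
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.org/site.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="/images/seal.png"> <img src="http://www.example.org/images/banner.png">
<a href="http://www.example.org/contact.asp">Contact</a>
<a href="https://www.example.org/about.html">About</a>
<form action="http://www.example.org/submit.php"><input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    mixed, links = find_insecure_references(SAMPLE_URL, SAMPLE_PAGE)
    for tag, url in mixed:
        print(f"MIXED CONTENT  <{tag}> loads {url}")
    for tag, url in links:
        print(f"INSECURE LINK  <{tag}> points to {url}")
```

Run against real pages, the same function can be fed the HTML of each page on a site so that every remaining http:// reference is fixed before the site is advertised as HTTPS-only.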
Audience Question: Has there been any malware identified that uses text messaging as the initiation vector?
Stacey Wright: It is very uncommon, but I have heard of text messaging being used to transmit malware. I personally have received text messages that had suspicious links in them, and I'm quite sure that if I had clicked those links I would've downloaded malware. There are entire families of malware that target mobile devices of any type, be it a phone, tablet, Apple, Android, whatever. Text messaging is an effective technique, but it also is a slower technique because it is not as widespread as spam or malicious web pages are. So, yes, you need to be a little bit concerned if you're getting weird text messages. Don't go clicking on those links.
Click Here to View a Recording of Stacey Wright's presentation, "Cyberthreat Landscape (Spring 2018)."