NISTIR 8278, National Cybersecurity Online Informative References (OLIR)
Program: Program Overview and OLIR Uses, describes the
OLIR Program, what OLIRs are, what benefits they provide, how anyone
can search and access OLIRs, and how subject matter experts can contribute
OLIRs. This report includes:

• Additional Focal Document
  Templates
• Functional enhancements to the
  OLIR Catalog and Derived Relationships Mapping (DRM) display tool

NISTIR 8278A, National Cybersecurity Online Informative References (OLIR)
Program: Submission Guidance for OLIR Developers, replaces NISTIR
8204. The primary focus of NISTIR 8278A is to instruct Developers on how
to complete the OLIR Focal Document spreadsheet when submitting an Informative
Reference to NIST for inclusion in the OLIR Catalog. This report includes:

• Requirement guidance to include
  additional focal document templates introduced in NISTIR 8278.
• A “Strength of Relationships”
  section (3.2.11) that includes guidance for populating the magnitude field
  when evaluating focal and reference document elements.  Interested
  commenters should read the ‘Note to Reviewers’ (page iii) as we seek
  feedback on this requested feature describing additional detail about the
  relationship.

Both
publications are based on feedback received from early adopters as well as
discussions at the December 2019
OLIR workshop.

 

NISTIR
8278 details:
https://csrc.nist.gov/publications/detail/nistir/8278/final

NISTIR
8278A details:
https://csrc.nist.gov/publications/detail/nistir/8278a/final

OLIR
Workshop (December 2019):
https://www.nccoe.nist.gov/events/workshop-cybersecurity-online-informative-references

 Intel 471 recently released a report out-lining the most popular, up-and-coming, and some deep cuts in the ransomware world. They separate the groups into three tiers based on how prevalent and successful they have been. But all of these groups work by specializing and delegating tasks.

The lowest tier groups include the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, XINOF, and Zeoticus. These groups have had low publicity regarding their attacks, but their marketing exists and persists, so it stands to reason that they are func-tional and operating. The main deviation from the other groups is how they don’t publish the data from victims who refuse to pay the ransom and how little infor-mation there is about their supposed victims.

The next tier includes the rising stars of the Ransomware as a Service (RaaS) world: Avaddon, Conti, Clop, DarkSide, Pysa/Mespinoza, Ragnar, Ranzy, SunCrypt, and Thanos. These are the names to keep an eye on. They have had successful confirmed attacks and employ their own blogs for the “expose and shame” tactics which embarrass victims who don’t pay the ransom, and encourage further victims with a credibility to back their threats.

Their final group includes the heaviest hitters with whom all our readers should be familiar. This rogues gallery includes DoppelPaymer, Egregor/Maze, Netwalker, REvil, and Ryuk. DoppelPaymer runs the Dopple Leaks blog and was behind the first mortality due to malware. Egregor/Maze had announced their retirement from the cybercrime scene, but have had an impressive record in their attacks on Barnes & Noble, Crytek, and Ubisoft. Netwalker began in September of 2019 and has had an efficient pattern of spear phishing their targets to establish a foot-hold and following it up with a fileless attack that undermines Windows OSs of 7 and up. They also have an “individual mode” which locks a single device and offers only the key to that device, as op-posed to their “network mode” which encrypts an entire network and offers options for individual keys or a master key to use with their decryption tool. REvil has been seen leveraging the popular Blue-Gate vulnerability and working with other groups to help gain access to networks for infection. By separating the tasks they’ve seen increases in profits from the tens of thousands in profit per target to the mil-lions in profit. Lastly the Ryuk ransomware has been seen in conjunction with both Trickbo, Emotet, and, most recently, BazarLoader. Ryuk has been seen working with up to three teams: one to direct spam campaigns to infect victims, a team to spread the attack through corporate networks, and a last team to deploy the ransomware and conduct negotiations.

Criminals working together is always a concern as the age-old adage says, “Teamwork makes the dream work”. Keeping up to date and aware of the various groups is critical to maintaining vigilance against their tactics.

Sources:

• https://www.bleepingcomputer.com/news/security/dozens-of-ransomware-gangs-partner-with-hackers-to-extort-victims/

• https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer

 Attackers are persistent and motivated to continuously evolve – and no platform is immune. That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows. The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) now delivers protection on all major platforms.

Microsoft’s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks, as well as provide more tools to detect and respond to threats across domains and across platforms. Like all of Microsoft’s security solutions, these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats.

For example, we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms. The mobile ransomware is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.

As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to devices by displaying a screen that appears over every other window, such that the user can’t do anything else. The said screen is the ransom note, which contains threats and instructions to pay the ransom.

What’s innovative about this ransomware is how it displays its ransom note. In this blog, we’ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note.

To read the full article  on Microsoft SECURITY Blog go to  https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/

 For years I have talk about the security while papers and docs that talk about what’s happening in the world of IT and security… Here is a new report Cyber Threat Sophistication on the Rise..

Today, Microsoft is releasing a new annual report, called the Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices. Among the most significant statistics on these trends:

• In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack.
• Ransomware is the most common reason behind our incident response engagements from October 2019 through July 2020.
• The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and Virtual Private Network (VPN) exploits.
• IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.

Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling multi-factor authentication (MFA).  Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.

To read the full blog and download the Digital Defense Report visit the Microsoft On-the-issues Blog.

Content from Microsoft

 I will be teaching at the New York Metro Joint Cyber-Security Conference (NYMJCSC.ORG).

This conference 2 day of security content that is being offered by the following Groups

Organizational Partners:

• InfraGard Members Alliance – New York Metro Chapter
• Information Systems Audit and Control Association (ISACA) – New Jersey Chapter
• Information Systems Audit and Control Association (ISACA) – Greater Hartford CT Chapter
• High Technology Crime Investigation Association (HTCIA) – New York City Metro Chapter
• Internet Society (ISOC) – New York Chapter
• Information Systems Security Association (ISSA) – New York Chapter

Community Partners:

• (ISC)² – New Jersey Chapter
• Information Systems Audit and Control Association (ISACA) – New York Metro Chapter
• Cloud Security Alliance (CSA) – New York Metro Chapter
• Association of Certified Fraud Examiners (ACFE) – New Jersey Chapter
• Association of Continuity Professionals (ACP) – New York City Metro Chapter

 Title: Find your unscanned and overexposed shares on-premises with an
on-premises scanner

URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/find-your-unscanned-and-overexposed-shares-on-premises-with-an/ba-p/1744783
Overview: Microsoft Information Protection is a built-in, intelligent, unified,
and extensible solution to protect sensitive data across your enterprise – in
Microsoft 365 cloud services, on-premises, third-party SaaS applications, and
more. Microsoft Information Protection provides a unified set of capabilities
to know your data, protect your data, and prevent data loss across cloud services,
devices, and on-premises file shares.

 

Title: Microsoft Information Protection and Compliance Resources
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-compliance-resources/ba-p/1184950
Overview: The Microsoft Information Protection and Compliance Customer
Experience (CXE) team work with Microsoft’s largest enterprise customers to
provide guidance and advisory services to help them deploy our information
protection and compliance solutions.

 

Title: Why integrated phishing-attack training is reshaping
cybersecurity—Microsoft Security
URL: https://www.microsoft.com/security/blog/2020/10/05/why-integrated-phishing-attack-training-is-reshaping-cybersecurity-microsoft-security/
Overview: Phishing is still one of the most significant risk vectors facing
enterprises today. Innovative email security technology like Microsoft Defender
for Office 365 stops a majority of phishing attacks before they hit user
inboxes, but no technology in the world can prevent 100 percent of phishing
attacks from hitting user inboxes. At that point in…

 

Title: Azure Sentinel To-Go (Part2): Integrating a Basic Windows Lab 🧪
via ARM Templates 🚀
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-part2-integrating-a-basic-windows-lab-via/ba-p/1742165
Overview: Most of the time when we think about the basics of a detection
research lab, it is an environment with Windows endpoints, audit policies
configured, a log shipper, a server to centralize security event logs and an
interface to query, correlate and visualize the data collected.

 

Title: 3 ways Microsoft helps build cyber safety awareness for all
URL: https://www.microsoft.com/security/blog/2020/10/05/3-ways-microsoft-helps-build-cyber-safety-awareness-for-all/
Overview: Learn how Microsoft is helping secure your online life through user
education, cybersecurity workshops, and continued diversity in hiring.

 

Title: Migrating from Exchange Transport Rules to Unified DLP – The
complete playbook
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/migrating-from-exchange-transport-rules-to-unified-dlp-the/ba-p/1749723
Overview: This document provides an overview of how enterprise customers can
migrate their existing Exchange Transport Rules to Unified DLP portal. It walks
through the different stages of migration and shows the effectiveness of the
unified DLP portal as a single place to define all aspects of your DLP
strategy.
In summary, this play book will help to
➢ Understand the
migration process.
➢ Understand the
unified console and interface.
➢ Develop a
strategy for the migration.
➢ Ensure a smooth
migration process.
➢ Find resources
to support the migration process. 

 

 Probably the largest hurdle when learning any new programming language is simply knowing where to get started. This is why we, Chris and Susan, decided to create this series about Python for Beginners!

Even though we won’t cover everything there is to know about Python in the course, we want to make sure we give you the foundation on programming in Python, starting from common everyday code and scenarios. At the end of the course, you’ll be able to go and learn on your own, for example with docs, tutorials, or books.

 Learning a new framework or development environment is made even more difficult when you don’t know the programming language. Fortunately, we’re here to help! We’ve created this series of videos to focus on the core concepts of JavaScript.

While we don’t cover every aspect of JavaScript, we will help you build a foundation from which you can continue to grow. By the end of this series, you’ll be able to work through tutorials, quick starts, books, and other resources, continuing to grow on your own.

The video series is designed to be consumed as you see fit. You can watch from start to finish, or you can dive into specific topics. You can always bookmark and come back as you need.

 An
elevation of privilege vulnerability exists when an attacker
establishes a vulnerable Netlogon secure channel connection to a domain
controller, using the Netlogon Remote Protocol (MS-NRPC).
An attacker who successfully exploited the vulnerability could run a
specially crafted application on a device on the network.