
October events aim to protect Purdue in recognition of Cybersecurity Awareness Month

October is recognized as Cybersecurity Awareness Month, established in 2003 through a collaboration between the U.S. Department of Homeland Security and the National Cybersecurity Alliance.

To raise awareness across the Purdue University community, Purdue IT has scheduled a series of events in partnership with KnowBe4, JPMorgan Chase, the Big Ten Academic Alliance and the National Cybersecurity Alliance.

“Cybersecurity awareness is critical to enhance the organizational culture of current and ongoing cyber threats. The more we know, the safer we become,” said Senior Cybersecurity Awareness Specialist Nolyn Johnson.

2024 Cybersecurity Awareness Month Events

Throughout October

  • Student Cybersecurity Awareness Training (Optional) – KnowBe4 Deepfake Training
    Look for reminder emails sent via KnowBe4 (Cyber Hero)
  • Updated Annual Cybersecurity Awareness Training
    Look for reminder emails sent via SuccessFactors
  • New articles and tips weekly 
    • Security Hints & Tips
    • You are a Target
    • Cyber Smart
    • What are AI Chatbots
    • How to Block Mobile Attacks
    • QR Code Safety
    • Phishing Red Flags
    • Cybercrime Happens

Thursday, Oct. 17

  • Cybersecurity Awareness Informational Booth (11 a.m. – 1 p.m. EST)
    Location: Memorial Mall Fountain

Wednesday, Oct. 30

  • Level UP Your Cyber Game – College Gameday Edition! (1 p.m. EST)
    Big Ten Academic Alliance (BTAA) Cybersecurity Awareness Game Show, sponsored by the National Cybersecurity Alliance
  • Register here: https://us06web.zoom.us/webinar/register/WN_q0NGfXZPQx-3NtMn6IUEsQ
    Description: Today, good cyber skills are the new good life skills, and we're here to put your mind through the motions! Join us for a turbocharged gameshow and test your abilities! We will engage you with thrilling challenges and strategic quandaries. Come for essential info and practical techniques to safeguard your digital life after the stadium lights have dimmed. COLLEGE GAMEDAY EDITION: Compete against your campus rivals for ultimate bragging rights and victory!

Ransomware Attacks Are Noisy. Learn How to Listen for Them.

Author: Mark Bowling, Chief Risk, Security, and Information Security Officer, ExtraHop
Date Published: 15 July 2024
Read Time: 7 minutes

During the initial intrusion stage of a ransomware incident, the attacker has the advantage. It’s like the opening moves in a game of chess, when the white player advances first, choosing the Queen’s Gambit, perhaps. In a ransomware attack, as in a chess game, the attacker gets to choose how, when, and where he attacks an organization. He acts stealthily and cautiously as he waits for the perfect moment to strike.

The initial intrusion stage of a ransomware attack corresponds to the Reconnaissance, Weaponization, and Delivery phases of the Lockheed Martin Kill Chain (LMKC) and to the Reconnaissance, Resource Development, and Initial Access tactics of the MITRE ATT&CK Framework. During this period of activity, the attacker has the advantage.

However, once the attacker has achieved initial access to the defender’s network and entered the post-initial compromise stage, his control over the initiative and operational cadence weakens. The threat actor must loop through attack TTPs and move laterally in order to maximize impact and ensure the largest possible payout—without being detected and disrupted by defenders. The challenge for the attacker? Most of his techniques and activities are noisy, which increases his chances of getting caught.

At this point in a ransomware attack, defenders should control both the battle space and the environment. Yet this post-initial compromise stage is frequently overlooked by defenders. Using the chess analogy, this is where the midgame begins. The midgame corresponds to the Exploit, Installation, and Command & Control phases of the LMKC, and to the nine categories between and inclusive of the Execution and Command & Control tactics of the ATT&CK Framework.

In the midgame, the attacker must now operate within the defender’s environment, where the defender arguably should have full visibility, along with full control of data, identity, access and processes. If the defender knows and has visibility across her environment, she holds all the cards. As in a chess game, she controls the four squares in the middle of the board, giving her the ability to observe and respond to the moves of the attacker.

Unfortunately, most enterprises haven’t landed in the middle of the board, where they can watch for command and control (C2) beaconing, lateral movement, domain escalation, and other tell-tale signs of a ransomware attack. Instead, many enterprises continue to prioritize building a stout perimeter—a strategy that has repeatedly proven fallible against social engineering and phishing attacks, zero-day attacks, exploitation of software vulnerabilities, attacks on unsecured cloud assets and vulnerable mobile devices, and good old-fashioned brute force. Breaching the perimeter has become routine.

So, what is the alternative, and what is the solution? The answer: Deploy visibility, detection, and response measures inside the network environment, including on-premises, cloud, virtual, and hybrid environments, that you want to protect. This will give you command of the board, with the ability to see the attacker utilizing TTPs inside your environment throughout the attack process. Only then will you be able to disrupt the attack per the LMKC process.

Network Visibility and Detection Enable Proactive Ransomware Defense

The time between initial intrusion and ransomware deployment is crucial for defenders. This increasingly small time interval provides defenders with the most opportunities to detect and disrupt attacks before threat actors can achieve their objectives. Why? Because threat actors, as stealthy as they try to be, have to communicate over the very corporate network they’re trying to compromise. Any transaction or activity remotely executed by the attackers must, by definition, be visible on the network. Ransomware attacks require at least five actions, all of which are visible from network telemetry. These five actions are:

  1. Movement and reconnaissance internal to the defender’s network to locate and identify the defender’s critical data artifacts for exfiltration and encryption;
  2. Establishment of an exfiltration path;
  3. Creation of a remote control framework, either through an independent C2 node with escalated privileges or through acquisition of an identity that provides escalated privileges;
  4. Replication, transmission, and exfiltration of the defender’s critical data out of the defender’s environment; and
  5. Command to execute, followed by execution of encryption routines to remotely encrypt the defender’s critical data.

In each of these actions, the network plays an essential role in threat detection because it’s where the attacker must operate. It’s where the attacker establishes C2 communication, expands his access, and escalates privileges. Thus, the network alone has the ability to observe and identify the ground truth of what attackers are doing. And unlike logs and endpoint detection and response (EDR) agents, the network can’t be evaded or disabled. An out-of-band and virtually undetectable network telemetry monitoring solution cannot be disabled because the attacker cannot gain access to a completely passive monitoring solution that works by viewing network traffic through taps or port spanning/mirroring.

Many early midgame attacker behaviors, such as C2 beaconing, discovery, lateral movement, privilege escalation, and domain escalation, are best detected on the network. I would argue that the only solution that can detect those actions and TTP categories is a network-based solution. To detect those activities without full network visibility, organizations would need a combination of server syslogs or event logs and analysis of processes running on endpoints.

Later midgame ransomware activities, including data staging and data exfiltration, are also best detected on the network. Every MITRE ATT&CK Framework tactic associated with the midgame encompasses techniques that are only visible via network monitoring and analysis. Because most of these activities only take place in the East-West corridor, internal to the enterprise network, they can’t be detected by next-gen firewalls, which only monitor North-South traffic.

And on-premises, network-oriented perimeter solutions are unable to defend cloud assets in a hybrid, virtual or private cloud. In addition, because most TTPs are behavior-based, signature-based security tools such as IDS, IPS and antivirus cannot observe the attacker’s actions. Meanwhile, EDR tools only provide visibility into processes on endpoints, and thus, can only detect the behaviors originating from endpoints protected and monitored by an EDR agent.

Observing attacker behavior on the network requires the ability to monitor and analyze raw network traffic feeds, including packets, in real time. It is vital to understand and be able to observe three elements of network traffic:

  1. Protocols – Some protocols used by defenders, such as HL7 and ICCP, are industry specific; in such an environment, the appearance of unfamiliar protocols can indicate attacker activity. The same applies to protocols frequently utilized by ransomware attackers, such as RDP.
  2. Traffic volume – The sheer volume of network traffic can be an indicator of an attack, especially if the high volume occurs at an unusual time.
  3. Volume and protocols combined – Trends in both volume and the use of protocols are an indicator of a gradual deployment of capabilities by ransomware actors in the defender’s business environment.
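As an added illustration of the three signals just listed (protocol, volume, and the two combined with timing) applied to the five attacker actions above, here is constructed detection logic run over made-up NetFlow-style records. This is example code written for this page, not ExtraHop's; the flow tuple shape, the 10.x internal range, the jump-host address, and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since midnight, src, dst, dst_port, bytes).
# Assumed NetFlow-like shape; every value below is made up for the example.
BEACON = [(3600 * 9 + 60 * i, "10.1.2.3", "203.0.113.9", 443, 512) for i in range(20)]
FLOWS = BEACON + [
    (3600 * 9 + 5, "10.1.2.4", "198.51.100.7", 443, 14000),        # normal browsing,
    (3600 * 9 + 140, "10.1.2.4", "198.51.100.7", 443, 2300),       # irregular timing
    (3600 * 9 + 990, "10.1.2.4", "198.51.100.7", 443, 61000),
    (3600 * 10 + 12, "10.1.2.3", "10.1.5.20", 3389, 9000),         # RDP from a workstation
    (3600 * 3 + 10, "10.1.5.20", "203.0.113.9", 443, 900_000_000),  # 3 a.m. bulk upload
]


def beacons(flows, min_count=8, max_cv=0.1):
    """C2 beaconing: many connections to one peer at near-constant intervals.
    Regularity is measured as the coefficient of variation of the gaps."""
    times = defaultdict(list)
    for t, src, dst, port, _ in flows:
        times[(src, dst, port)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits.append(key)
    return hits


def off_hours_volume(flows, business=(7, 19), limit=100_000_000):
    """Staging/exfiltration: bytes sent per source outside business hours
    that exceed a (constructed) limit; volume plus timing combined."""
    per_src = defaultdict(int)
    for t, src, _, _, nbytes in flows:
        hour = t // 3600
        if not (business[0] <= hour < business[1]):
            per_src[src] += nbytes
    return {s: b for s, b in per_src.items() if b > limit}


def unexpected_rdp(flows, jump_hosts=frozenset({"10.1.9.1"})):
    """Lateral movement: internal RDP (port 3389) that does not originate from
    an approved jump host. The 10.x prefix and jump-host list are assumptions."""
    return sorted({(src, dst) for _, src, dst, port, _ in flows
                   if port == 3389 and src.startswith("10.") and src not in jump_hosts})


if __name__ == "__main__":
    print("beacons:", beacons(FLOWS))
    print("off-hours volume:", off_hours_volume(FLOWS))
    print("unexpected RDP:", unexpected_rdp(FLOWS))
```

Each detector keys on a different one of the three elements; in a real deployment the thresholds would be tuned against the organization's own baseline rather than fixed constants.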

Decryption Matters

Defense against ransomware actors also requires the ability to decrypt encrypted network traffic (SSL, TLS 1.3, Kerberos, NTLM, MSRPC, LDAP, WINRM, SMBv3) for two reasons. One, in most environments, as much as 70% of an organization’s network traffic is encrypted. Two, because ransomware actors often utilize custom or atypical encryption techniques to obfuscate their activity, defenders must be able both to see what should be encrypted and to identify unexpected encryption.

The ability to decrypt encrypted protocols like Kerberos, MSRPC, WINRM, and SMBv3 is essential to detecting PowerShell remoting, living off the land techniques, and lateral movement—activities that have been repeatedly documented in ransomware and other attacks. Only network visibility enables a full awareness of both the use and misuse of encryption in the defender’s environment.

It’s important to note that modern methods of decryption don’t decrypt any packets on the wire, so they preserve end-to-end encryption. They also don’t rely on “man-in-the-middle” or “break-and-inspect” approaches, so they don’t degrade network performance.

Granular, packet-level data and decryption capabilities are also essential to incident response and forensic investigation, as only full packets can tell incident responders exactly how a ransomware attack took place.

Prepare for Increased Ransomware Activity with Network Visibility

Ransomware attacks appear to be growing increasingly inevitable. Data from the ExtraHop 2024 Global Cyber Confidence Index shows that 95% of respondents experienced at least one ransomware incident in the 12 months prior to the survey and 91% paid at least one ransom over the same period. As the U.S. general election grows closer and geopolitical tensions continue to rise, cybersecurity experts predict ransomware attacks will only intensify.

In response, many organizations are investing in solutions that promise to detect initial intrusion tactics during the opening moves of the game. But some of that budget would be more wisely spent on solutions that detect post-initial compromise tactics where defenders have the greatest advantage. Network detection and response tools allow you to detect and respond to threats during nearly every stage of the attack chain, including post-initial compromise and beyond. When you have network visibility, you can protect against a wide variety of advanced threats, including ransomware, with greater accuracy, and you can respond with confidence.


Phone Scammers Impersonating CISA Employees

06/12/2024 12:00 PM EDT


Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.

If you suspect you are a target of an impersonation scammer claiming to be a CISA employee: 
•    Do not pay the caller.
•    Take note of the phone number calling you.
•    Hang up immediately.
•    Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.

Overview

By default, Chrome, Edge, and Firefox browsers automatically download all files to a user’s Downloads folder when saving files from the Internet. This folder resides on the C: drive of a computer (C:\Users\username\Downloads) and is set by the vendor, but individuals can change this setting.

Sensitive files being downloaded should be stored in a secure location and not in a user’s Downloads folder.

Best practice recommends that staff/users change this setting within their respective browsers and toggle the button to the right to “Ask where to save each file before downloading.” This ensures the user is prompted and can act accordingly by browsing to a secure location (i.e. W: drive) when saving sensitive files.

Details

The following images are screenshots of the setting for each browser where users can enable this.

Chrome:

Click the three dots in the top right corner then click Settings. Click Downloads on the left.

Chrome settings menu with Downloads highlighted

Edge:

Click the three dots in the top right corner then click Settings. Click Downloads on the left.

Edge settings menu with downloads highlighted


Firefox:

Click the three horizontal lines in the top right corner then click Settings. Scroll down to Files and Applications.

Firefox settings menu with downloads highlighted


Still need help? Click the 'Purdue IT Request' button to start a ticket.


https://service.purdue.edu/TDClient/32/Purdue/KB/ArticleDet?ID=564


Phishing is a form of social engineering attack that tricks the user into revealing sensitive information such as login credentials, bank details, and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, freezing of the system (as part of a ransomware attack), or the disclosure of sensitive information.


Email Phishing:

Among the many types of phishing, the most common is email phishing, where the attacker sends a seemingly legitimate email that tries to fool the user into giving up personal information such as login details and credit card numbers.

Spear Phishing:

Spear phishing is a targeted type of phishing in which the attacker goes after a particular person or group. It is a potent variant of phishing, a malicious tactic that uses email, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.

How to Identify Them?


How to stay safe?

  • Strong Password and 2FA

It is a best practice to have strong passwords, which means a password that:

  • Is a minimum of 8 characters long (up to 40 characters)
  • Has both uppercase and lowercase characters, at least one special character, and digits

It is also advisable to use two-factor authentication along with a strong password: in addition to username and password verification, a one-time password (OTP) is sent to the registered mobile number.

  • Antivirus:

The best advice for avoiding a phishing attack is to think twice before giving out sensitive information or clicking links that are sent to us. It is also best practice to have good antivirus software and a firewall installed on our systems to identify malicious programs that get installed if we click a malicious link. Antivirus software will quarantine such malicious software and prevent it from being installed on our systems.

Limit the amount of personal information you post:

Be aware of what you post online. Make sure that you do not post information such as your address, phone number, and other personally identifiable information that would leave you in a vulnerable position.

Be wary of strangers:

The internet crawls with many dangerous strangers, so it is best to stay vigilant on such websites. Do not share any personal information with a stranger whose identity is questionable or appears fake.

Evaluate sites' privacy settings:

The default settings for some sites may allow anyone to see your profile, but you can customize your settings to restrict access to only certain people. There is still a risk that private information could be exposed despite these restrictions, so do not post anything that you would not want the public to see. Sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

Use strong passwords:

Protect your account with passwords that cannot easily be guessed. It is a best practice to have strong passwords, which means a password that:

  • Is a minimum of 8 characters long (up to 40 characters)
  • Has both uppercase and lowercase characters, at least one special character, and digits

Keep software updated and use antivirus software:

We should install software updates so that attackers cannot take advantage of known problems or vulnerabilities. It is also advisable to have up-to-date antivirus software installed on our systems, which will help us detect and protect against virus attacks.
