McAfee Labs 2020 Threats Predictions Report

With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and more often using the world’s evolving technology against us.

Continuing advancements in artificial intelligence and machine learning have led to invaluable technological gains, but threat actors are also learning to leverage AI and ML in increasingly sinister ways. AI technology has extended the capabilities of producing convincing deepfake video to a less-skilled class of threat actor attempting to manipulate individual and public opinion. AI-driven facial recognition, a growing security asset, is also being used to produce deepfake media capable of fooling humans and machines.

Our researchers also foresee more threat actors targeting corporate networks to exfiltrate corporate information in two-stage ransomware campaigns.

With more and more enterprises adopting cloud services to accelerate their business and promote collaboration, the need for cloud security is greater than ever. As a result, the number of organizations prioritizing the adoption of container technologies will likely continue to increase in 2020. Which products will they rely on to help reduce container-related risk and accelerate DevSecOps?

The increased adoption of robotic process automation, and the growing importance of securing the system accounts used for automation, raise security concerns tied to Application Programming Interfaces (APIs) and the wealth of personal data they expose.

The threatscape of 2020 and beyond promises to be interesting for the cybersecurity community.

–Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Predictions

Broader Deepfakes Capabilities for Less-skilled Threat Actors

The ability to create manipulated content is not new. Manipulated images were used as far back as World War II in campaigns designed to make people believe things that weren’t true. What’s changed with the advances in artificial intelligence is that you can now build a very convincing deepfake without being an expert in technology. There are websites set up where you can upload a video and receive a deepfake video in return. There are very compelling capabilities in the public domain that deliver both deepfake audio and video abilities, giving hundreds of thousands of potential threat actors the means to create persuasive phony content.

Deepfake video or text can be weaponized to enhance information warfare. Freely available video of public comments can be used to train a machine-learning model that can develop a deepfake video depicting one person’s words coming out of another’s mouth. Attackers can now create automated, targeted content to increase the probability that an individual or groups fall for a campaign. In this way, AI and machine learning can be combined to create massive chaos.

In general, adversaries are going to use the best technology to accomplish their goals, so if we think about nation-state actors attempting to manipulate an election, using deepfake video to manipulate an audience makes a lot of sense. Adversaries will try to create wedges and divides in society. Alternatively, a cybercriminal could have a CEO appear to make a compelling statement that a company missed earnings or that there is a fatal flaw in a product that will require a massive recall. Such a video can be distributed to manipulate a stock price or enable other financial crimes.

We predict the ability of an untrained class of actors to create deepfakes will lead to an increase in the quantity of misinformation.

Adversaries to Generate Deepfakes to Bypass Facial Recognition

By Steve Povolny

Computer-based facial recognition, in its earliest forms, has been around since the mid-1960s. While dramatic changes have since taken place, the underlying concept remains: it provides a means for a computer to identify or verify a face. There are many use cases for the technology, most related to authentication and to answer a single question: is this person who they claim to be?

As time moves onwards, the pace of technology has brought increased processing power, memory and storage to facial recognition technology. New products have leveraged facial recognition in innovative ways to simplify everyday life, from unlocking smart phones, to passport ID verification in airports, and even as a law enforcement aid to identify criminals on the street.

One of the most prevalent enhancements to facial recognition is the advancement of artificial intelligence (AI). A recent manifestation of this is deepfakes, an AI-driven technique that produces extremely realistic text, images, and videos that humans find difficult to tell apart from the real thing. Primarily used for the spread of misinformation, the technique leverages Generative Adversarial Networks (GANs), a recent analytic technology that, on the downside, can create fake but incredibly realistic images, text, and videos. Enhanced computers can rapidly process numerous biometrics of a face and mathematically build or classify human features, among many other applications. While the technical benefits are impressive, the flaws inherent in all types of models represent a rapidly growing threat, which cybercriminals will look to exploit.

As these technologies are adopted over the coming years, a very viable threat vector will emerge, and we predict adversaries will begin to generate deepfakes to bypass facial recognition. It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems, and to invest both in educating themselves about the risks and in hardening critical systems.

Ransomware Attacks to Morph into Two-Stage Extortion Campaigns

By John Fokker

In McAfee’s 2019 threat predictions report, we predicted cyber criminals would partner more closely to boost threats; over the course of the year, we observed exactly that. Ransomware groups used pre-infected machines from other malware campaigns, or used remote desktop protocol (RDP) as an initial launch point for their campaign. These types of attacks required collaboration between groups. This partnership drove efficient, targeted attacks which increased profitability and caused more economic damage. In fact, Europol’s Internet Organised Crime Threat Assessment (IOCTA) named ransomware the top threat that companies, consumers, and the public sector faced in 2019.

Based on what McAfee Advanced Threat Research (ATR) is seeing in the underground, we expect criminals to exploit their extortion victims even more moving forward. The rise of targeted ransomware created a growing demand for compromised corporate networks. This demand is met by criminals who specialize in penetrating corporate networks and sell complete network access in one go.

Here are examples of underground ads offering access to businesses:

Figure 1 RDP access to a Canadian factory is being offered

Figure 2 Access to an Asian Food, Consumer and Industrial company being offered

For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks. In the first stage cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.

During our research on Sodinokibi we observed two-stage attacks, with cryptocurrency miners installed before an actual ransomware attack took place. For 2020, we predict that cybercriminals will increasingly exfiltrate sensitive corporate information prior to a targeted ransomware attack to sell the stolen data online or to extort the victim and increase monetization.

Application Programming Interfaces (APIs) Will Be Exposed as the Weakest Link Leading to Cloud-Native Threats

By Sekhar Sarukkai

A recent study showed that more than three in four organizations treat API security differently than web app security, indicating API security readiness lags behind other aspects of application security. The study also showed that more than two-thirds of organizations expose APIs to the public to enable partners and external developers to tap into their software platforms and app ecosystems.

APIs are an essential tool in today’s app ecosystem including cloud environments, IoT, microservices, mobile, and Web-based customer-client communications. Dependence on APIs will further accelerate with a growing ecosystem of cloud applications built as reusable components for back-office automation (such as with Robotic Process Automation) and growth in the ecosystem of applications that leverage APIs of cloud services such as Office 365 and Salesforce.

Threat actors are following the growing number of organizations using API-enabled apps because APIs continue to be an easy – and vulnerable – means to access a treasure trove of sensitive data. Despite the fallout of large-scale breaches and ongoing threats, APIs often still reside outside of the application security infrastructure and are ignored by security processes and teams. Vulnerabilities will continue to include broken authorization and authentication functions, excessive data exposure, and a failure to apply rate limiting and resource limiting, which leaves APIs open to abuse. Insecure consumption-based APIs without strict rate limits are among the most vulnerable.

Headlines reporting API-based breaches will continue into 2020, affecting high-profile apps in social media, peer-to-peer, messaging, financial processes, and others, adding to the hundreds of millions of transactions and user profiles that have been scraped in the past two years. The increasing need and hurried pace of organizations adopting APIs for their applications in 2020 will expose API security as the weakest link leading to cloud-native threats, putting user privacy and data at risk until security strategies mature.

Organizations seeking improvement in their API security strategy should pursue a more complete understanding of their Cloud Service APIs through comprehensive discovery across SaaS, PaaS and IaaS environments, implement policy-based authorization, and explore User and Entity Behavior Analytics (UEBA) technology to detect anomalous access patterns.
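As an added example that is not McAfee's code, the following toy Python handler shows the three weakness classes named above (broken object-level authorization, excessive data exposure, and missing rate limiting) in a vulnerable endpoint beside a hardened one; the user records, tokens and limits are constructed for the example.

```python
"""Added example (not McAfee's code): a toy in-memory "user profile" API
showing three API weakness classes, vulnerable and hardened.
All data, tokens and limits below are constructed for the example."""
import time

# Constructed sample data: profile records as an API backend might hold them.
USERS = {
    101: {"id": 101, "name": "alice", "email": "alice@example.test",
          "ssn": "CONSTRUCTED-SSN-1", "api_key": "CONSTRUCTED-KEY-1"},
    102: {"id": 102, "name": "bob", "email": "bob@example.test",
          "ssn": "CONSTRUCTED-SSN-2", "api_key": "CONSTRUCTED-KEY-2"},
}
# Bearer token -> authenticated user id (constructed).
TOKENS = {"tok-alice": 101, "tok-bob": 102}


def vulnerable_get_profile(token, user_id):
    """Authenticates the caller but then:
    - never checks that the caller owns `user_id` (broken object-level authorization)
    - returns the whole record, secrets included (excessive data exposure)
    - applies no rate limit, so ids can be walked through freely."""
    if token not in TOKENS:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


# --- hardened version -----------------------------------------------------
PUBLIC_FIELDS = ("id", "name")   # response allowlist; secrets never leave the backend
RATE_LIMIT = 5                   # requests ...
RATE_WINDOW = 60.0               # ... per window, per token (constructed values)
_buckets = {}                    # token -> list of recent request timestamps


def allow_request(token, now=None):
    """Sliding-window rate limiter keyed on the caller's token.
    Returns False once the caller has made RATE_LIMIT calls within RATE_WINDOW seconds."""
    now = time.monotonic() if now is None else now
    recent = [t for t in _buckets.get(token, []) if now - t < RATE_WINDOW]
    if len(recent) >= RATE_LIMIT:
        _buckets[token] = recent
        return False
    recent.append(now)
    _buckets[token] = recent
    return True


def hardened_get_profile(token, user_id, now=None):
    """Same endpoint with authentication, rate limiting, object-level
    authorization and a response field allowlist applied in that order."""
    caller = TOKENS.get(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if not allow_request(token, now):
        return 429, {"error": "rate limited"}
    if caller != user_id:
        # Authorization failure: answer 404 so the caller cannot confirm
        # that other ids exist.
        return 404, {"error": "not found"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


def reset_rate_limits():
    """Clear limiter state (useful between runs)."""
    _buckets.clear()
```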

DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to ‘Shift Left’

By Sekhar Sarukkai

DevOps teams can continuously roll out micro-services and interacting, reusable components as applications. As a result, the number of organizations prioritizing the adoption of container technologies will continue to increase in 2020. Gartner predicts that “by 2022, more than 75 percent of global organizations will be running containerized applications in production – a significant increase from fewer than 30 percent today.” Container technologies will help organizations modernize legacy applications and create new cloud-native applications that are scalable and agile.

Containerized applications are built by assembling reusable components on software defined Infrastructure-as-Code (IaC) which is deployed into Cloud environments. Continuous Integration / Continuous Deployment (CI/CD) tools automate the build and deploy process of these applications and IaC, creating a challenge for pre-emptive and continuous detection of application vulnerabilities and IaC configuration errors. To adjust to the rise in containerized applications operating in a CI/CD model, security teams will need to conduct their risk assessment at the time of code build, before deployment. This effectively shifts security “left” in the deployment lifecycle and integrates security into the DevOps process, a model frequently referred to as DevSecOps.

Additionally, threats to containerized applications are introduced not only by IaC misconfigurations or application vulnerabilities, but also by abused network privileges which allow lateral movement in an attack. To address these run-time threats, organizations are increasingly turning to cloud-native security tools developed specifically for container environments. Cloud Access Security Brokers (CASB) are used to conduct configuration and vulnerability scanning, while Cloud Workload Protection Platforms (CWPP) work as traffic enforcers for network micro-segmentation based on the identity of the application, regardless of its IP. This approach to application identity-based enforcement will push organizations away from the five-tuple approach to network security, which is increasingly irrelevant in the context of ephemeral container deployments.

When CASB and CWPP solutions integrate with CI/CD tools, security teams can meet the speed of DevOps, shifting security “left” and creating a DevSecOps practice within their organization. Governance, compliance, and overall security of cloud environments will improve as organizations accelerate their transition to DevSecOps with these cloud-native security tools.
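To make the build-time risk assessment concrete, here is an added example (not McAfee's or any vendor's tooling): a small Python check that a CI/CD job could run over a Kubernetes Pod manifest before deployment, failing the build on high-severity IaC misconfigurations. The manifest and the rule set are constructed for the example and cover only a handful of common hardening rules.

```python
"""Added example (not McAfee's code): a build-time IaC check for a CI/CD
pipeline, scanning a Kubernetes Pod manifest before it is deployed.
The manifest and the rules below are constructed for the example."""
import json

# Constructed sample manifest, as a CI job would read it from the repo (JSON
# here to avoid a YAML dependency; parsing YAML yields the same dict).
SAMPLE_MANIFEST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "billing-api"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {
        "name": "api",
        "image": "registry.example.test/billing-api:latest",
        "securityContext": {"privileged": true},
        "ports": [{"containerPort": 8080}]
      },
      {
        "name": "sidecar",
        "image": "registry.example.test/log-shipper:1.4.2",
        "securityContext": {"runAsNonRoot": true,
                            "allowPrivilegeEscalation": false},
        "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}
      }
    ]
  }
}
""")


def check_pod(manifest):
    """Return a list of (severity, container, message) findings for a Pod spec."""
    findings = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(("HIGH", "-", "hostNetwork shares the node network namespace"))
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(("HIGH", name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("MEDIUM", name, "allowPrivilegeEscalation not set to false"))
        if not sc.get("runAsNonRoot"):
            findings.append(("MEDIUM", name, "runAsNonRoot not set"))
        # Unpinned images (no tag, or the mutable 'latest' tag) defeat reproducible builds.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(("LOW", name, "image is not pinned to an immutable tag"))
        if not (c.get("resources") or {}).get("limits"):
            findings.append(("LOW", name, "no resource limits (noisy-neighbour / DoS risk)"))
    return findings


def gate(findings, fail_on=("HIGH",)):
    """CI gate: True means the build may proceed to deployment."""
    return not any(sev in fail_on for sev, _, _ in findings)


if __name__ == "__main__":
    found = check_pod(SAMPLE_MANIFEST)
    for sev, cont, msg in found:
        print(f"[{sev}] {cont}: {msg}")
    raise SystemExit(0 if gate(found) else 1)
```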

It’s About Time: Cybersecurity Insights, Visibility, and Prioritization

As McAfee Chief Executive Officer Chris Young said in his 2019 MPOWER Cybersecurity Summit keynote address, time is the most valuable resource that we all share. But time isn’t always on our side – especially when it comes to cybersecurity.

“Time is the one constant that we cannot change. It’s the one constraint that we cannot ignore. Every second counts,” Young said. “… Our adversaries are using time to their advantage. It’s the single greatest weapon they have. It’s taken over the language of our industry. Persistence. Dwell time. Used to describe the time the work that our adversaries do as they run up the clock until they try to exfiltrate our most sensitive information. Versus ransomware, which applies time pressure to run down the clock. If you don’t pay the ransom you’ll lose your data forever. Zero-day attacks. Mean time to detect. Mean time to respond. These are just a few of the many, many examples of the way time is woven into the fabric of our industry.”

Time is a major challenge for organizations attempting to keep pace with cyber threats that are rapidly increasing in volume and complexity. Elevated efficiency is cybersecurity’s counterpunch against agile and elusive adversaries weaponizing time. Organizations that constantly find themselves in reactive mode struggle to maintain staff efficiency—but time and resources can be saved by using improved visibility and prioritization to get ahead of the threat curve.

The findings of an ESG paper commissioned by McAfee concurred: “Organizations want more visibility into cyber-risks so they can tailor and prioritize their threat response and risk remediation actions in alignment with threats that may hit them,” said Jon Oltsik, ESG fellow. “Many firms want to be more proactive but do not have the resources and talent to execute.”

Better cybersecurity intelligence and insights can enable organizations to assume a more proactive cybersecurity program without dramatically upgrading resources and talent.

Better Visibility Through Next Generation Open Architecture

Modern adversaries are using next-generation tools, tactics and techniques to evade traditional reactive security systems. The next generation of open cyberthreat identification, investigation, and response capabilities paired with human and artificial intelligence can enable organizations to answer key questions about how to respond to threats. Open architecture can enable security teams to add their own expertise and analytics, empowering insight into the high-impact threats that matter. Security analysts will need the right technology to do the analysis, a combination of human expertise and the most advanced artificial intelligence and machine-learning capabilities that provide insight as to which actions to take.

The diversity of the raw materials an organization uses matters. If you only have one type of sensor, such as endpoint, you’re limited in what you can see. Gaining insight requires the ability to look at a wide range of capabilities from traditional on-premise environments to the cloud. Sensors should cover on-premise, perimeter, network, endpoint, and cloud environments. From the data gathered by these sensors, security teams can then extract context, detecting the characteristics, structure, and behavior of suspicious activity. Efficiencies are empowered through diverse telemetry at scale.

Prioritization: Decoding the DNA of Cyber Threats

“We and the rest of the cybersecurity industry have to move beyond the hash,” said Steve Grobman, senior vice president and chief technology officer. “Features are a lot like markers in DNA and biology. By understanding the markers and characteristics, we can understand the structure, the behavior. We can understand what a threat is even if we’ve never seen it before. We can basically see the characteristics of a threat we’ve never seen before and have a very good understanding of what it actually is.”

Most security teams are constrained by the available data and by traditional indicators of compromise such as hashes and IP addresses. An open architecture consisting of a variety of sensors provides the capability to gather more and richer information on a threat’s DNA.

The goal goes beyond a simple patch or remedy. It is about being better able to understand the unknown through improved data and intelligence, and about dealing more efficiently with the things that matter: the threats that are inherently difficult to detect, and the threats that are engineered to target you.

By gaining this understanding, you’ll be more able to answer strategic questions such as:

  • Am I protected from this threat?
  • What do I need on my platform in order to defend against this threat?
  • What is the technology?
  • What is the content?
  • What is the configuration I need to defend myself?
  • Was I protected when this threat impacted my environment on that very first day or the day that threat emerged?
  • What did I need in order to have zero-day protection?
  • Did I have the right Real Protect model?

Intelligence that helps answer these questions can provide insight into not only how a threat fared against one organization’s security but how a security plan can proactively prepare for next-generation threats.

Anticipating Next-Generation Threats

Understanding threats is not just about protection but also anticipation, both of threats in your environment and on a global scale. Improved insights can leave organizations with a complete view of how a threat is impacting their environment.

Decoding the DNA of threats through an expanded variety of sensors can help organizations recognize and anticipate the next generation of threats:

  • Using a machine-learning algorithm that recognizes potentially malicious activity, extracts its characteristics, and recognizes its similarities to threats we’ve seen before.
  • Finding outliers, which allows us to find things that have uncommon characteristics.
  • Finding things that appear to be engineered for your environment. If something appears only in your environment and has characteristics that look different from anything we’ve ever seen before, that tells us you really need to pop it to the top of your stack of investigation priorities, because it could be targeting you.
  • Identifying targeted attacks by mapping threats tied to specific industrial sectors and being able to cluster the highest level of intensity by sector.
  • Separating the noise from the signal.
  • Triaging the priority and raising the urgency on threats critical to your organization.

Gaining cybersecurity efficiency via visibility and prioritization isn’t only about gathering richer data. It’s also about having the right technology to do the analysis. It’s not just about being able to identify the things that matter, it’s about being able to take action with your current security staff. It’s about saving time against an adversary using time as a weapon.

Read more on how the McAfee MVISION Insights platform’s integration into the McAfee architecture provides better intelligence capable of empowering better insights.

Source: https://www.mcafee.com/blogs/enterprise/its-about-time-cybersecurity-insights-visibility-and-prioritization/

McAfee Cloud Workload Security

As corporate data centers evolve, more workloads are migrated to cloud environments every day. Most organizations have a hybrid environment with a mixture of on-premises and cloud workloads, including containers, which are constantly in flux. This introduces a security challenge as cloud environments (private and public) require new approaches and tools for protection. Organizations need central visibility of all cloud workloads with complete defense against the risk of misconfiguration, malware, and data breaches.

McAfee® Cloud Workload Security (McAfee® CWS) automates the discovery and defense of elastic workloads and containers to eliminate blind spots, deliver advanced threat defense, and simplify multicloud management. McAfee provides protection that makes it possible for a single, automated policy to effectively secure your workloads as they transition through your virtual private, public, and multicloud environments, enabling operational excellence for your cybersecurity teams.

Modern Workload Security: Use Cases

Automated discovery

Unmanaged workload instances and Docker containers create gaps in security management and can give attackers the foothold they need to infiltrate your organization. McAfee CWS discovers elastic workload instances and Docker containers across Amazon Web Services (AWS), Microsoft Azure, OpenStack, and VMware environments. It also continuously monitors for new instances. You gain a centralized and complete view across environments and eliminate operational and security blind spots that lead to risk exposure.

Gaining insights into network traffic

By utilizing native network traffic provided from the cloud workloads, McAfee CWS is able to augment and apply intelligence from McAfee® Global Threat Intelligence (McAfee® GTI) data feeds. The enriched information is able to display properties such as risk score, geo-location, and other important network information. This information can be used to create automated remediation actions to protect workloads.

Integration into deployment frameworks

McAfee CWS creates deployment scripts to allow the automatic deployment and management of the McAfee® agent on cloud workloads. These scripts allow integration into tools such as Chef, Puppet, and other DevOps frameworks for deployment of the McAfee agent to workloads running at cloud providers such as AWS and Microsoft Azure.

Consolidate events

McAfee CWS allows organizations to use a single interface to manage numerous countermeasure technologies for both on-premises and cloud environments. This also includes integration into additional technologies, like AWS GuardDuty, McAfee® Policy Auditor, and McAfee® Network Security Platform.

  • Administrators can leverage the continuous monitoring and unauthorized behaviors identified by AWS GuardDuty, providing yet another level of threat visibility. This integration allows McAfee CWS customers to view GuardDuty events, which include network connections, port probes, and DNS requests for EC2 instances, directly within the McAfee CWS console.
  • McAfee Policy Auditor performs agent-based checks against known or user-defined configuration audits for compliance such as Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), Center for Internet Security Benchmark (CIS Benchmark), or other industry standards. McAfee CWS reports any failed audits for instant visibility into misconfiguration for workloads in the cloud.
  • McAfee Network Security Platform is another cloud security platform that performs network inspection for traffic in hybrid as well as AWS and Microsoft Azure environments. It performs deeper packet-level inspections of network traffic, and it reports any discrepancies or alerts through McAfee CWS. This provides single-pane visibility across multicloud environments for remediation.

Enforcement of network security group policies

McAfee CWS permits users and administrators to create baseline security group policies and audit the policies that are running on the workloads against these baselines. Any deviations or changes from the baseline can create an alert in the McAfee CWS console for remediation. Administrators also can manually configure native network security groups from McAfee CWS, which enables them to directly control cloud-native security group policies.
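The baseline audit described above, as an added Python example that is not McAfee CWS code: the security-group rules observed on a workload are normalised and diffed against an approved baseline, and every deviation becomes an alert. The workload name, rules, baseline and sensitive-port list are all constructed for the example.

```python
"""Added example (not McAfee's code): auditing a workload's running cloud
security-group rules against an approved baseline and alerting on drift.
All rules, the baseline and the port list below are constructed."""
from collections import namedtuple

# A rule is normalised to one hashable tuple so rule sets can be diffed directly.
Rule = namedtuple("Rule", "direction proto port cidr")

# Constructed baseline approved for the "web-tier" workload: HTTPS from anywhere,
# SSH only from the corporate admin range.
BASELINE = {
    "web-tier": {
        Rule("ingress", "tcp", 443, "0.0.0.0/0"),
        Rule("ingress", "tcp", 22, "10.20.0.0/24"),
    }
}

# Constructed snapshot of what is actually attached to the instance right now,
# in the loose dict form a cloud API or IaC state file might return.
OBSERVED = {
    "web-tier": [
        {"direction": "ingress", "protocol": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "tcp", "port": 3389, "cidr": "0.0.0.0/0"},
    ]
}

# Ports that must never be reachable from the whole internet (constructed list).
SENSITIVE_PORTS = {22, 3389, 5432, 3306}


def normalise(raw):
    """Turn one raw rule dict into a Rule; protocol names are lower-cased and
    ports cast to int so 'TCP'/'443' compare equal to 'tcp'/443."""
    return Rule(raw["direction"], raw["protocol"].lower(), int(raw["port"]), raw["cidr"])


def audit(workload, observed_rules, baseline=BASELINE):
    """Compare running rules with the baseline. Returns a list of alert tuples
    (severity, kind, rule) where kind is 'added' (present but not approved) or
    'missing' (approved but absent). A world-open sensitive port is CRITICAL."""
    running = {normalise(r) for r in observed_rules}
    approved = baseline.get(workload, set())
    alerts = []
    for rule in sorted(running - approved):
        sev = "HIGH"
        if rule.cidr == "0.0.0.0/0" and rule.port in SENSITIVE_PORTS:
            sev = "CRITICAL"
        alerts.append((sev, "added", rule))
    for rule in sorted(approved - running):
        alerts.append(("MEDIUM", "missing", rule))
    return alerts


if __name__ == "__main__":
    for sev, kind, rule in audit("web-tier", OBSERVED["web-tier"]):
        print(f"{sev:8} {kind:7} {rule.direction}/{rule.proto}/{rule.port} from {rule.cidr}")
```

In the constructed snapshot the audit reports the world-open RDP port as CRITICAL and the dropped admin-range SSH rule as MEDIUM drift.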

What Sets McAfee Cloud Workload Security Apart: Key Features and Technologies

Cloud-native build support

Using McAfee CWS, customers can consolidate management of multiple public and private clouds in a single management console, including AWS EC2, Microsoft Azure Virtual Machines, OpenStack, and VMware vCenter. New cloud-native build support for Amazon Elastic Container Service for Kubernetes (Amazon EKS) and Microsoft Azure Kubernetes Service (AKS) lets McAfee CWS import those environments and allows customers to run in the cloud.

Simple, centralized management

A single console provides consistent security policy and centralized management in multicloud environments across servers, virtual servers, and cloud workloads. Administrators can also create multiple role-based permissions in McAfee® ePolicy Orchestrator® (McAfee ePO™) software, enabling them to define user roles more specifically and appropriately.

Network visualization with microsegmentation

Cloud-native network visualization, prioritized risk alerting, and micro-segmentation capabilities deliver awareness and control to prevent lateral attack progression within virtualized environments and from external malicious sources. Single-click shutdown or quarantine capability helps alleviate the potential for configuration errors and increases the efficiency of remediation.

Superior virtualization security

McAfee CWS suite protects your private cloud virtual machines from malware using McAfee® Management for Optimized Virtual Environments AntiVirus (McAfee® MOVE AntiVirus). And it does this without straining underlying resources or requiring additional operating costs. McAfee MOVE AntiVirus allows organizations to offload security to dedicated virtual machines for optimized scanning of their virtualized environment.

Users gain anti-malware protection via McAfee® Endpoint Security for Servers. This solution can intelligently schedule resource-intensive tasks, such as on-demand scanning, to avoid impact to critical business processes.

Tag and automate workload security

Assign the right policies to all workloads automatically with the ability to import AWS and Microsoft Azure tag information into McAfee ePO software and assign policies based on those tags. Existing AWS and Microsoft Azure tags synchronize with McAfee ePO software tags so they’re automatically managed.

Auto-remediation

The user defines McAfee ePO software policies. If McAfee CWS finds a system that is not protected by the McAfee ePO software security policies, and that system is found to contain malware or a virus, it will automatically be quarantined.

Adaptive threat protection

McAfee CWS integrates comprehensive countermeasures, including machine learning, application containment, virtual machine-optimized anti-malware, whitelisting, file integrity monitoring, and micro-segmentation that protect your workloads from threats like ransomware and targeted attacks. McAfee® Advanced Threat Protection defeats sophisticated attacks that have never been encountered before by applying machine learning techniques to convict malicious payloads based on their code attributes and behavior.

Application control

Application whitelisting prevents both known and unknown attacks by allowing only trusted applications to run while blocking any unauthorized payloads. McAfee® Application Control provides dynamic protection based on local and global threat intelligence, as well as the ability to keep systems up to date, without disabling security features.

File integrity monitoring (FIM)

McAfee® File Integrity Monitoring continuously monitors to ensure your system files and directories have not been compromised by malware, hackers, or malicious insiders. Comprehensive audit details provide information about how files on server workloads are changing and alert you to the presence of an active attack.

McAfee CWS ensures that you maintain the highest quality of security while taking advantage of the cloud. It covers multiple protection technologies, simplifies security management, and prevents cyberthreats from impacting your business—so you can focus on growing it. Below is a feature comparison of the available package options.