You know what is worse than all these HUGE Credit Card breaches? The fact that it is ridiculously easy to detect! All BackOff malware uses the %AppData% variable directory. Translated - C:\Users\
If you are not watching for NEW directories being created and/or executables being dropped here (like CryptoLocker did), then your doing SecOps all wrong. This is one of the Top 5 locations you should monitor for malware. Enabling auditing on this directory alone would have caught these HUGE breaches.
These failures in SecOps are partly our own InfoSec industries fault. InfoSec Cons do not prioritize talks for defense which 90% of us attending do, nor demand defensive content, nor set aside 10-25% for defensive talks to teach our industry stuff like I stated above. #InfoSecConFailure
Please ask and demand that your InfoSec Cons set aside more time to REAL Defense in their talk selection and promote the Con is and wants defensive talks to help our own industry catch up. Because we are WAY behind and falling further back each breach that happens.
The image below is how I felt at Vegas Con week... All focused at breaking the gate, not defending the obvious gaps.
Dan Geer at the BlackHat Keynote was dead on when he said if InfoSec were a soccer game it would be 464 to 452, all offense, no defense.
Help our industry by not attending exploitation, hackery and offensive talks if your job is to defend your company. We need to evolve quickly before it is too late for us and our companies.
And yes, I have submitted 2 talks to multiple Cons on the subject of logs and malware and turned down. There were 3 Logging vendors at BlackHat, ZERO talks on logging for APT/PoS type attacks... Sad... VERY sad.
Under the current black cloud we are all under, you would think Cons would be begging for defensive content.
Ohh... And the other 4 of the Top 5 locations to monitor...
3. C:\Windows - Explorer injection
4. C:\Windows\System32 - NEW dropped files
5. C:\Windows\System32\WBEM - #1 on my list
If you practiced The Malware Management Framework then this information would be obvious. Read the Kaspersky report on BackOff that proves my point.
And yes, I monitor all the above and MUCH MUCH more and share in the presentations I give.
Kaspersky/Securelist Article on BackOff malware
#InfoSec #HackerHurricane #EducationOpportunity