The actor behind the sophisticated cyberespionage tool dubbed “Regin” has not given up on its operations after its activities were exposed last year by security firms. The malware, which has been around since at least 2008, has been used by a threat group to target private individuals and organizations in sectors such as hospitality, telecoms, energy, research, and aviation.

A report published by Symantec in November 2014 revealed that most Regin infections had been spotted in Russia (28%) and Saudi Arabia (24%), but the malware had also been seen in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

News website The Intercept linked the platform to US and British intelligence agencies. The malware, apparently referenced in documents leaked by Edward Snowden, is said to have been used in attacks against government agencies in the EU and the Belgian telecoms company Belgacom.

Regin, considered one of the most sophisticated espionage tools discovered to date, has a six-stage architecture. Attacks start with a dropper that installs the malware onto the targeted machine. In the first stages, drivers are loaded and the malware’s internal services are configured, while in the last stage the main payloads are deployed. The platform has a modular structure that allows its operators to add and remove features depending on the targeted entity.

Symantec has kept a close eye on the threat and today revealed that it has uncovered 49 new modules, which brings the total number to 75. However, experts have pointed out that other such components likely exist, based on references found in the analyzed modules.

An updated version of the security firm’s original report reveals that the newly discovered modules can be used for logging, keylogging, impersonation, file system forensics and monitoring, network packet capturing, hooking, system and network information harvesting, credentials theft, email reading and writing, and many other functions.
According to Symantec, Regin is backed by an extensive command and control (C&C) infrastructure that involves peer-to-peer (P2P) communications between infected computers. “Regin’s P2P communications capability sees each Regin infection assigned a virtual IP address, forming a virtual private network (VPN) on top of the physical network of the infected computer,” Symantec explained in a blog post. “This P2P capability allows the attackers to maintain deep access to critical assets within compromised organizations and mask core infrastructure belonging to the group. Traffic between nodes can be configured to match expected protocols based on where the nodes are placed on a network, adding a further degree of stealth to communications.”

Communication between the various Regin modules is powered by a custom-built remote procedure call (RPC) mechanism that enables the attackers to remotely install, update, and configure modules.

“Despite the threat’s exposure last year, it is unlikely that the group behind this malware has ceased operations,” Symantec noted. “Its track record and available resources mean it is probable that the group will re-equip itself with a new threat or upgrade Regin in a bid to evade detection. The latter is the most likely course of action, given the time it would take to develop an equally capable malware framework from scratch.”

Researchers believe Regin is far more sophisticated than other malware and it might be used as a source of inspiration by less advanced threat groups looking to improve their arsenal.

Digital rights management might be coming back to the enterprise, experts say, as long as usability issues don't get in the way.

You might remember the technology from a decade or so ago. Companies were worried about employees accidentally sending sensitive files to the wrong recipients -- or to the right recipients, who then shared them with others without permission.

But it turned out that enterprises had much bigger security issues to worry about. Employees or partners accidentally sending a document to the wrong person accounted for less than 1 percent of all security incidents, according to the most recent Verizon Data Breach Investigations Report.

Partners deliberately stealing data accounted for about half of 1 percent of incidents.

Meanwhile, according to a recent report from Frost & Sullivan, eDRM systems have historically been siloed by the limited set of file formats each could handle, difficult to use, and expensive to deploy and customize.

But with renewed interest in cyber security, increased compliance requirements and significant advances in usability and pricing models, enterprise DRM has a new opportunity to make its mark.

"I am seeing growth in this area," said David Monahan, research director at Enterprise Management Associates. "Since the Snowden releases, there has been a significant increase in the desire and use of encryption and other services to protect data by various means."

According to Monahan, vendors in this area are reporting significant double-digit growth, with some seeing 50 percent to 100 percent and higher revenue growth.

Eric Ogren, founder and principal analyst at Ogren Group, also said that he's seen growth in this area.

"I am seeing upticks in growth in this category, mostly driven by the need for employees to easily share sensitive information," he said. "Files are always distributed outside the range of corporate security, typically up and down the supply chain. So this trend extends file security beyond the walls of the enterprise."

According to Frost & Sullivan, the biggest adoption of this technology is in the financial services industry, in the government sector and in healthcare.

The big, established players, like IBM, Microsoft, Citrix and Box, have, or are working on, enterprise-level security for their file sharing platforms.

And there are dedicated vendors as well, such as Vaultize, WatchDox, Accellion, Fasoo, Syncplicity, Seclore and Egnyte.

One of the newest vendors in this space is FinalCode, which makes a product that encrypts and locks down files so that recipients can be prevented from printing, sharing or saving local copies while still allowing them to view the files, or even edit them, using standard business applications like Microsoft Word.

"Not only is the encrypted file only available to authorized persons, but usage can be tracked," said Hiroshi Wada, IT manager of corporate planning, Pioneer Service Network, a Japanese car and home electronics services company. "More so, as a file is taken, it can be deleted remotely."

For example, FinalCode can be used Dropbox-style, where employees drop files into a network folder. FinalCode can be deployed to monitor the folder and automatically secure any files dropped into it. FinalCode can also be used in combination with existing file-sharing infrastructure, including that of Box, Dropbox, EMC, Oracle, and Microsoft.

"It eliminates the setup of secure file transfers, credentials, and other kludgy or complicated technology," said a CISO at a Boston-based financial firm who did not want to be quoted by name.

For example, he said, executives can drop in legal documents that need to be shared with outside counsel.

Another use of FinalCode is integration with data loss prevention software -- an outgoing document containing sensitive information would be automatically encrypted and secured without any additional action required on the employee's part.

"We want to keep our confidential data confidential but we don't want to kludge up the workflow process," he said.

The company has been testing out FinalCode for the past few weeks, and will be rolling it out to the highest-risk users first, then in a phased approach to everyone else at the company.

How it works

Different vendors approach the problem in different ways. Some allow browser-based access to the shared documents, for example.

FinalCode does not. It requires first-time recipients to install the FinalCode application, which then applies its encryption and usage controls to the most common business document types -- Office documents, PDFs, video, audio and image files, and some CAD documents.

FinalCode can be used to, say, allow recipients to edit documents but not to save local copies, make printouts, or take screenshots.

The full client application is available for Windows, and a limited client is available for iOS and Android mobile devices that allows viewing but not editing.

The company plans to release a Macintosh version as well.

There are no plans for browser-based access, however.

"In a browser-based application, people can copy and paste data, take screenshots, and forward the information," said FinalCode COO Scott Gordon. "The browser has limited security controls."

Another restriction is that the documents can only be accessed while the recipient is online. This could be problematic for people working outside the office, or while traveling.

"We're working on a way to open the files if you're in an airplane," he said. "It's on the road map, but not in the product right now."
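The mechanics the "How it works" section describes (a file that only authorized recipients can open, per-recipient permissions such as view-but-not-print, usage tracking, remote deletion, and the online-only restriction) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not FinalCode's code or design: each file is sealed under its own content key, a policy server holds that key with a per-recipient permission set, the recipient's client has to ask the server for the key on every open (so no connectivity means no access), every request is logged, and revoking the file on the server leaves every existing copy unreadable. The hashlib keystream plus HMAC cipher is a stand-in so the example runs on the standard library alone; the file ids, addresses and document text are constructed sample values.

```python
"""Constructed model of a file-level rights management (eDRM) flow.

Not FinalCode's code: a plain illustration of the behaviour the article describes.
The cipher (SHA-256 keystream + HMAC tag) is a dependency-free stand-in, not a
recommendation for real deployments.
"""
import hashlib
import hmac
import secrets

PERMISSIONS = {"view", "edit", "print", "save_local", "screenshot"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from SHA-256 over (key, nonce, counter)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(content_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC the document under its per-file content key."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(content_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(content_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unseal(content_key: bytes, blob: dict) -> bytes:
    """Check the tag before decrypting; a wrong key or an edited file is rejected."""
    expected = hmac.new(content_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed: wrong key or tampered file")
    ks = _keystream(content_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


class PolicyServer:
    """Holds content keys and ACLs; the only path to a key is a logged, checked request."""

    def __init__(self) -> None:
        self._keys: dict = {}   # file_id -> content key
        self._acl: dict = {}    # file_id -> {recipient: set of permissions}
        self.audit: list = []   # usage tracking: (file_id, recipient, action, granted)

    def register(self, file_id: str, content_key: bytes, acl: dict) -> None:
        for perms in acl.values():
            if not set(perms) <= PERMISSIONS:
                raise ValueError(f"unknown permission in {perms}")
        self._keys[file_id] = content_key
        self._acl[file_id] = {r: set(p) for r, p in acl.items()}

    def request_key(self, file_id: str, recipient: str, action: str) -> bytes:
        perms = self._acl.get(file_id, {}).get(recipient, set())
        granted = file_id in self._keys and action in perms
        self.audit.append((file_id, recipient, action, granted))  # denials are logged too
        if not granted:
            raise PermissionError(f"{recipient} may not {action} {file_id}")
        return self._keys[file_id]

    def revoke(self, file_id: str) -> None:
        """Remote delete: forget the key, so every copy of the file is now opaque."""
        self._keys.pop(file_id, None)
        self._acl.pop(file_id, None)


def protect_file(server: PolicyServer, file_id: str, plaintext: bytes, acl: dict) -> dict:
    """Sender side: fresh content key, register the policy, return the sealed blob to share."""
    content_key = secrets.token_bytes(32)
    server.register(file_id, content_key, acl)
    return {"file_id": file_id, **seal(content_key, plaintext)}


def open_file(server, blob: dict, recipient: str, action: str = "view") -> bytes:
    """Recipient side: unreachable server means no key, which is the online-only rule."""
    if server is None:
        raise ConnectionError("policy server unreachable: file cannot be opened offline")
    return unseal(server.request_key(blob["file_id"], recipient, action), blob)


def demo() -> dict:
    """Share a document, exercise allowed and denied actions, then revoke it."""
    server = PolicyServer()
    doc = b"Draft term sheet - constructed sample content"  # constructed sample
    blob = protect_file(server, "termsheet-001", doc, {"counsel@example.com": {"view", "edit"}})
    out = {"view_ok": open_file(server, blob, "counsel@example.com") == doc}
    for label, recipient, action in (("print_denied", "counsel@example.com", "print"),
                                     ("stranger_denied", "stranger@example.net", "view")):
        try:
            open_file(server, blob, recipient, action)
            out[label] = False
        except PermissionError:
            out[label] = True
    server.revoke("termsheet-001")
    try:
        open_file(server, blob, "counsel@example.com")
        out["revoked"] = False
    except PermissionError:
        out["revoked"] = True
    out["audit_entries"] = len(server.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the enforcement lives at the key-release step, not in the file: a copied or forwarded blob is useless without a successful, logged policy check, and revocation does not have to reach the recipient's machine at all. The client-side restrictions the article mentions (no printing, no screenshots) are outside this model, since they depend on the installed application controlling the rendering surface, which is exactly why the vendor quoted above avoids the browser.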

When it comes to usability and security, he said, there will always be some trade-offs.

"There's no such thing as complete frictionless security," he said. "Security always comes with a level of friction. We're trying to balance user experience and control."

A high degree of transparency is required to gain wide acceptance, said Ogren Group's Ogren.

"Users have to be able to use any document creation tool they want, any storage capability they want, and any distribution mechanism they want," he said -- requirements that would be hard for any security vendor to meet.

"Inconvenienced users will revolt, throw out the product, and disparage IT," he said.

But if a vendor is able to overcome the usability obstacles, the business benefits are compelling, he added.

"The business can send out sensitive or regulated information without having to sweat disclosure issues from the endpoint," he said. "The files can even be automatically deleted when they become superseded or otherwise obsolete."

The crucial parts are user friction at both the sender and the recipient end, agreed Enterprise Management Associates' Monahan, who will be publishing a study this fall about interest in enterprise digital rights management.

"People indicated that they are happy to use security if it doesn't cause a problem with the parties they are trying to share it with, as that impacts their business revenues," he said. It also can't impact internal users because that could hurt productivity.

"If security gets in the way, people will bypass it to do what they think they need to," he said. "A solution that embeds itself into the existing technology, processes and workflows is crucial for acceptance."

In the study, based on an enterprise survey about file collaboration security, 75 percent of respondents expressed a high or very high level of concern about the risk of data leakage of sensitive files being shared, and half said that there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information in their organization.

"Companies like FinalCode that protect data at the file and operating system level are in a good place right now," Monahan said. "With the recent impacts on Sony, there is a resurgence of attention on protecting internal data. This is going to keep expanding. The crucial point is the user friction at both ends. That is why many previous data protection solutions have not gotten popular support and are only used by those organizations requiring the utmost in protection."

Stolen Laptop Issues

As the CTO of a data protection and encryption company, I hear many a tale of woe as other CTOs and CEOs confess to me the stories of how various laptops within their companies have gone astray and the destruction these lost laptops have caused in their wake.

Social Networking

Once upon a time, instant messaging was a consumer technology. That consumer toy worked its way into the corporate network and was eventually not just accepted, but embraced and leveraged as a valuable tool. Social networking is on that same path, but still has some security growing pains to go through on the way.

Photocopier Secrets

At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.

Nearly every digital copier built since 2002 contains a hard drive