Holiday, fishing, and phishing

Mid-summer is near, and so is summer vacation, especially for Finns. Time to travel to the summer cottage to relax and spend time fishing. Lakes cover roughly 25% of Finland, which is why Finland is also known as Lakeland. Lakeland has 187,888 lakes, if we define a lake as a body of standing water larger than 500 square metres. A lot of lakes, with plenty of fish.

Unfortunately, as we have seen during past summers, vacation time also lures malicious actors to phishing waters. I know we all know this. Yet every summer several employees of several companies get victimized. Therefore it is vital to remind employees of the danger, as awareness is the key to avoiding a successful attack caused by human error.

It is a bit late to check whether everything that can be done has been done, but for the future here is my shortlist, especially for companies using O365, of what should at least be done to decrease the odds of employees being victimized:

– Identity protection using multifactor authentication and conditional access is in place

– SPF, DKIM, and DMARC are configured

– O365 ATP malware, spam, and phishing detection and blocking capabilities are enabled

– The company's domain and key users are protected against impersonation attacks

– Monitoring of alerts and incidents is done using up-to-date playbooks

– Make sure every employee is aware of the increased probability of targeted phishing attacks during vacation time, and that every employee knows what to do with suspicious emails.
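As an added example (not code from the original post), the technical items of this checklist can be applied in an Exchange Online PowerShell session as follows. The block assumes the ExchangeOnlineManagement module, Microsoft Defender for Office 365 licensing (the product the post calls O365 ATP), and the placeholder domain contoso.com and mailbox addresses; multifactor authentication and Conditional Access are configured in Azure AD and are not shown here.

```powershell
# Added example, not part of the original post. Placeholders: contoso.com and the
# admin/CEO/CFO addresses. Requires the ExchangeOnlineManagement module and a role
# that can manage threat policies (e.g. Security Administrator).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$domain = "contoso.com"

# --- DKIM signing for outbound mail (SPF and DMARC are DNS records, handled separately) ---
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if ($null -eq $dkim) {
    # Creates the selector1/selector2 CNAME targets that must be published in DNS
    New-DkimSigningConfig -DomainName $domain -Enabled $true
} elseif (-not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}

# --- Impersonation protection for the domain and for key users (CEO, CFO, payment staff) ---
# Protected users are given as "DisplayName;smtp address" pairs.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @($domain) `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Chief Executive;ceo@contoso.com", "Chief Financial Officer;cfo@contoso.com") `
    -TargetedUserProtectionAction Quarantine `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2     # 1 = standard ... 4 = most aggressive

# --- Safe Links: scan URLs at click time and keep click records for later investigation ---
New-SafeLinksPolicy -Name "Corp Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Corp Safe Links" -SafeLinksPolicy "Corp Safe Links" -RecipientDomainIs $domain

# --- Safe Attachments: detonate attachments and block on a malicious verdict ---
New-SafeAttachmentPolicy -Name "Corp Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Corp Safe Attachments" -SafeAttachmentPolicy "Corp Safe Attachments" -RecipientDomainIs $domain

# --- Quick verification of the result ---
Get-DkimSigningConfig | Select-Object Domain, Enabled
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect, EnableMailboxIntelligenceProtection
Get-SafeLinksPolicy | Select-Object Name, TrackClicks, AllowClickThrough
```

The `New-*` cmdlets fail if a policy with the same name already exists; in a tenant that already has custom policies, use the matching `Set-*` cmdlet instead. Quarantining impersonation hits rather than moving them to Junk keeps a lookalike of the CFO out of the accounts payable mailbox entirely, which is the scenario the holiday-season template below warns about.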

It is never too late to check the actual cyber security posture of your company and make the small adjustments that are needed. If nothing else can be done, at least make sure the last item on my checklist is done.

For your convenience, below is a short message (in English and in Finnish) that you may use as a template to increase awareness of phishing attacks within your company.

Template in English:

“The holiday season is attracting malicious actors and criminals to create and send phishing messages, especially to those parts of organizations that handle corporate payment processes. According to the Finnish police, since the autumn of 2018 companies in Finland have lost millions of euros as victims of phishing crimes. In some criminal cases, banks were able to stop remittances before the money fell into the hands of criminals, but not always. [local information for your country is the best example here]

In phishing messages, the attacker attempts to deceive the victim, with the goal of obtaining the victim’s username and password. This is typically done via email, with a deceptively genuine-looking link or call to action to go to a website managed by the attacker. This site has a login window that allows the attacker to obtain the victim’s username and password.

If you notice strange emails or phone calls, we encourage each of our employees to do the following [the company’s own instructions here].”

Template in Finnish (English translation):

“The holiday season tempts hostile parties to create and send phishing messages, especially to those parts of organizations that handle companies’ payment processes. According to the police, since autumn 2018 Finnish companies have lost millions of euros as victims of phishing crimes. In some criminal cases banks have managed to stop the money transfers before the money ended up in the hands of criminals, but not always.

In phishing messages, the attacker aims to mislead the victim, with the goal of getting hold of the victim’s username and password, typically via an email containing a deceptively genuine-looking link or a call to action to go to a website administered by the attacker. This site has a login window, through which the attacker can obtain the victim’s username and password.

If you notice strange email messages or phone calls, we urge every one of our employees to act as follows [the company’s own instructions here].”

Senior Consultant, ICT & Cyber Security. Marko has been working in the field of IT in several national and international companies for over 20 years in several roles. Currently he is also a researcher at Tampere University, Social Sciences, writing his doctoral dissertation on cybercrime and cybercrime victimization from a social psychological viewpoint. Marko has worked for over 20 years in various expert and consulting roles, has been responsible for service business and has worked as a trainer.

Coronavirus and Crime: Where are we now?

In mid-March, merely a few months ago, I wrote a blog post on how the changes in our daily routines during the COVID-19 pandemic would attract the attention of malicious and criminal actors. At that time we had already seen COVID-19 related phishing and other dubious emails from offenders and ill-doers. Now that a few months have passed, it has become quite clear that the prolonged situation is attracting more and more criminals to take advantage of it.

We have also noticed the change in our security workshops with our customers. For most of our customers, the majority of COVID-19 related phishing and malware email attacks are being stopped by O365 ATP, but as always a small number of these attack emails find their way through all the filters and end up in recipients’ inboxes. It is these emails we should be worried about, especially from the point of view of what the recipient did with the malicious email they received.

The fact that a recipient received a malicious email does not necessarily mean the recipient lost their credentials to attackers or that their computer is now full of malware. It only tells us that the email was delivered.

Follow the use of the URL

To understand what happened after delivery, organizations need a whole new set of security tools. O365 ATP Safe Links and Safe Attachments add an extra layer of protection before the email, or the attachment in it, is delivered to a recipient.

If the email evades the extra detection layer and gets delivered to a recipient, the Safe Links functionality gives the organization’s security experts an enhanced view of what the recipients did with the email: did they delete it, or did they click the link in it? If they clicked, the security experts can now concentrate on those emails and recipients to avoid further problems, such as recipients losing their credentials to malicious actors.
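As an added example (not code from the original post), this is how the Safe Links click records described above can be turned into a prioritised list of recipients for the security team. It assumes an existing `Connect-ExchangeOnline` session and the default output columns of `Get-SafeLinksDetailReport` (ClickTime, RecipientAddress, Url, Action) and its action values as I recall them; verify both with `Get-Help` in your tenant.

```powershell
# Added example, not part of the original post. Assumes a connected Exchange Online
# session; column and action names are assumptions to check against Get-Help.
$end   = Get-Date
$start = $end.AddDays(-7)

# Every Safe Links click event in the window (5000 rows is the page limit per call)
$clicks = Get-SafeLinksDetailReport -StartDate $start -EndDate $end -PageSize 5000

# Clicks that went through while the URL was still being scanned, or after it had
# already been blocked, are the ones where a password may actually have been typed in.
$risky = $clicks | Where-Object { $_.Action -in @("ClickedDuringScan", "ClickedEvenBlocked") }

# Rank recipients so the response team handles the most exposed mailboxes first
$byRecipient = $risky | Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object @{ n = "Recipient"; e = { $_.Name } }, Count,
                  @{ n = "Urls"; e = { ($_.Group.Url | Select-Object -Unique) -join "; " } }
$byRecipient | Format-Table -AutoSize

# A message that was delivered and simply deleted never appears here: no click, no record.
```

The ranking is only a starting point; the follow-up for each listed mailbox (password reset, session revocation, mailbox rule review) belongs in the incident playbook the checklist above refers to.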

Monitoring and governing enormous amounts of email, and acting only upon the ones that need security experts’ attention, is undoable without the right security and monitoring tools, not to mention the right kind of training for an organization’s security experts and employees.

This is where Sulava can help you. We can deliver online training to both experts and employees, and we can help implement O365 ATP with all of its options in use. We can also help you understand the current risks to your cloud environment by delivering our Security Workshop.

Do not hesitate to contact us. We can have a short discussion about your situation, e.g. on Teams or by phone, after which we will propose an appropriate approach to your problem and help you secure your O365 email.

For further reading:

Open-sourcing new COVID-19 threat intelligence – Microsoft 14.5.2020

Marko Mikkola


Protect your users from phishing when working from home with Microsoft 365

“Hard times arouse an instinctive desire for authenticity”, Coco Chanel once said. Unfortunately, tragedies like COVID-19 are always exploited by malicious actors. As Microsoft recently shared, themed phishing attacks are on the rise. Microsoft 365 organizations need to ensure the authenticity of their e-mails.

Protecting users from phishing still relies on two main topics: anti-spoofing and anti-phishing. To prevent spoofing, we need to make sure that a forged sender address cannot be used. The current framework for this is DMARC, which ties SPF and DKIM checks together with verification of the From field. This needs to be combined with the Anti-Phishing Policies in your Microsoft 365 tenant.

The best part of DMARC is, in my opinion, the aggregate reporting functionality. With our customers we use DMARCIAN for aggregate reporting of e-mail authentication, to identify legitimate but unprotected sending systems and to gain visibility into spoofing attempts. Whether you are currently using DMARC or not, major vendors such as Microsoft and Google already apply implicit DMARC checks to your e-mails, so you had better take control of it straight away.
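As an added example (not code from the original post, and not DMARCIAN's own tooling), the block below does two things the paragraph describes: it reads a domain's published DMARC record and flags a policy that gives no enforcement or no reporting, and it summarises an aggregate (RUA) report to find sending sources that fail authentication. It assumes Windows PowerShell with the DnsClient module for the lookup; the XML report embedded in the block is constructed sample data in the RFC 7489 Appendix C format, not a real report, and contoso.com and the addresses in it are placeholders (the IPs are from the documentation ranges).

```powershell
# Added example, not part of the original post. The DNS lookup needs network access;
# the report parsing runs offline on the constructed sample below.

function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join "") -like "v=DMARC1*" }
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Published = $false; Policy = $null; Reporting = $false; Weak = $true }
    }
    # Split "v=DMARC1; p=quarantine; rua=mailto:..." into a tag table
    $tags = @{}
    foreach ($pair in (($txt.Strings -join "") -split ";")) {
        if ($pair -match "^\s*(\w+)\s*=\s*(.+?)\s*$") { $tags[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Domain    = $Domain
        Published = $true
        Policy    = $tags["p"]
        Reporting = [bool]$tags["rua"]
        # p=none means receivers take no action on failures; no rua means you never see them
        Weak      = ($tags["p"] -eq "none" -or -not $tags["rua"])
    }
}

# Constructed sample aggregate report (RFC 7489 Appendix C schema, trimmed to the essentials)
[xml]$sampleReport = @"
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>contoso.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
  </record>
</feedback>
"@

function Get-DmarcReportSummary {
    param([Parameter(Mandatory)][xml]$Report)
    foreach ($r in $Report.feedback.record) {
        $pe = $r.row.policy_evaluated
        [pscustomobject]@{
            SourceIp    = $r.row.source_ip
            Messages    = [int]$r.row["count"].InnerText   # indexer avoids PowerShell's own .Count
            Dkim        = $pe.dkim
            Spf         = $pe.spf
            Disposition = $pe.disposition
            # Both failing: either a spoofing attempt or a legitimate system nobody added to SPF/DKIM.
            # Only the owner of the source can tell which, so each such row needs a look.
            Investigate = ($pe.dkim -eq "fail" -and $pe.spf -eq "fail")
        }
    }
}

Get-DmarcPolicy -Domain "contoso.com" | Format-List
Get-DmarcReportSummary -Report $sampleReport | Format-Table -AutoSize
```

For a real deployment the `$sampleReport` literal is replaced by reports fetched from the rua mailbox (they arrive zipped or gzipped as attachments), and the rows flagged `Investigate` are the list to walk through before moving the policy from `p=none` to `p=quarantine` or `p=reject`.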

For phishing, the main prevention technology is Office 365 Advanced Threat Protection. It gives you real-time tools to prevent users from accessing phishing links, to investigate phishing campaigns and to clean up the damage. In a multi-layer defense strategy, deploying Azure AD Conditional Access with multi-factor authentication and a block on legacy authentication is essential for mitigating the consequences of successful phishing.

The last line of defense is always the end users. They need constant security awareness to be able to distinguish fraud attempts, and the courage to contact support in case of any doubt about the authenticity of an e-mail. Just like Coco!


Watch the webinar!

Want to know more about how to protect your users from phishing? See a recording from our webinar!



Coronavirus and Crime: How To Reduce Odds of Victimization?

Coronavirus COVID-19 has caused tremendous problems worldwide. The whole world is paying attention to how the virus is progressing from one country to another and from one person to another, hoping and fighting for it to fade away.

COVID-19 and the changes in our daily routines have also caught the attention of fraudulent, malicious and criminal actors. So far we have already seen COVID-19 related emails containing viruses, dubious emails requesting charitable donations, and COVID-19 themed phishing emails. In Finland, perpetrators managed to cheat an elderly person, who lost their bank card and PIN code to the criminals. The perpetrators were disguised as maintenance workers installing new air filters supposedly capable of stopping the coronavirus.

Even though most crimes, offline or online, are opportunistic by nature, the changed situation is creating new opportunities, especially for criminals committing online crime.

Existing security solutions are capable of stopping most emails containing malicious attachments, phishing emails and other types of fraudulent messages, but not all of them. The rest will be found in recipients’ inboxes. Now it is all about the recipient’s ability to notice which emails are valid and which are to be reported at once to the IT security department before the message is deleted permanently from the inbox.

What to do? A Few Easy-to-Follow Ideas

Personally, I urge every company to contact all their employees and share this message. Yes, you may freely distribute this blog text within your organization or use it as the basis of your own awareness message.

  • Keep your employees informed on evolving threats and prevention strategies
  • Also, for those monitoring IT security, I would recommend paying special attention to users’ email flow and not relying just on alerts coming from security solutions.
  • Are you seeing an abnormal amount of email coming in?
  • Are you receiving more reports from employees than normal about fraudulent emails?
  • Has the number of alerts risen from what can be considered the normal level?

Now that more people than ever are working from home, you need to pay attention to where your people are logging into your services from, especially if you don’t have Conditional Access and multi-factor authentication in use for employees. If you need further help, we are here for you. Stay safe!


Corporate VPN using Microsoft offerings

Cloud technologies, like Office 365 for example, are great for many reasons. One of them is that they enable people to work from basically anywhere: office, home, airport, hotel, café and so on. But if an organization still has some legacy apps that cannot be moved to the cloud, or securely published to the Internet to allow their use from anywhere, there is still a need to securely connect to those applications inside the corporate network.

In these cases there are several ways to provide secure access to those applications. Using Microsoft solutions, this access can be provided to remote users with different features. One would be to use Remote Desktop Services servers in the on-premises network to provide virtual desktops and applications to users. Another, quite new, would be to use the Windows Virtual Desktop service in the cloud to provide those virtual desktop machines. While these features are great and (especially in the case of Windows Virtual Desktop) offer a number of cool possibilities, there is also an older and familiar technology, called VPN or Virtual Private Network, that can be set up securely and inexpensively using pure Microsoft technologies and making use of existing hardware and licenses.

Using Windows Server as a VPN server makes it easy to set up and configure a VPN in a matter of hours with existing hardware, software and licenses. If Windows Server is used as the VPN server, the only licenses needed are the license for the actual VPN server(s) (a Windows Server license) and Windows Server client access licenses, which we probably already have if we use Windows Servers for any other workload, such as file servers or Active Directory. On the client side, in most cases all the software needed is already included in the client OS, so no additional software needs to be installed; only configuration needs to be done on the client side. This can be done manually, or by deploying the configuration, as is or using a script, with Group Policy, SCCM, Intune or some other system used to manage the end-user devices.

The VPN solution built on top of Windows Server offers a range of choices in VPN protocols, authentication protocols, and encryption method and strength. The VPN protocol can be SSTP (SSL), IKEv2, L2TP or PPTP, or any combination of these. Authentication can be done with a username and password, or with user or machine certificates, using a number of authentication protocols such as PEAP or EAP, or the older (and not necessarily so secure) MS-CHAPv2 or PAP. Again, any combination can be configured to support a wide variety of end-user devices, not just Windows 10 machines. The user accounts can be in Active Directory or, if RADIUS is used for authentication, in basically any directory service that supports RADIUS authentication.

For encryption of the data transferred over the VPN, we can use 128- or 256-bit AES or, if needed for compatibility, DES/3DES. Even the VPN server itself does not have to be state-of-the-art hardware; either a physical server or a VM can be used. The number of CPU cores and the amount of RAM needed depend more on the required throughput than on the actual number of concurrent users, but even a VM with 2-4 somewhat older AMD or Intel CPU cores and 2-4 GB of RAM can easily handle hundreds of megabits of traffic. Of course, if a higher level of throughput is required, the server can have more cores and RAM, or you can deploy several servers that work as a cluster and also achieve high availability and fault tolerance for the system.

The high-level setup would consist of following tasks:

  • Set up a Windows Server, either a hardware server or a VM
  • Install the Remote Access role on the server
  • Configure Routing and Remote Access for VPN use
  • Configure the required VPN protocols
  • Configure authentication settings
  • Configure network settings for VPN connections
  • Specify and configure a public DNS name to be used
  • Obtain a certificate for the system (if needed)
  • Install and configure the certificate (if needed)
  • Configure user accounts to be able to use the VPN
  • Configure client device settings, as a deployable package or script, or as documentation that end users can easily follow to configure the VPN on their own machines.
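As an added example (not code from the original post), the procedure above carried out in PowerShell for an IKEv2/SSTP server and a matching client connection. It assumes an elevated session on a Windows Server with the RemoteAccess and ActiveDirectory modules, a certificate for the placeholder name vpn.contoso.com already in the machine store, and the built-in VpnClient module on a Windows 10/11 client; the address pool, user name and `netsh ras` syntax are as I recall them and should be checked against your RRAS version. Of the protocol choices the text lists, only IKEv2 and SSTP are enabled here and PAP/MS-CHAPv2 are left off: PAP sends the password in the clear and MS-CHAPv2 can be broken offline, which is why PPTP is not configured either.

```powershell
# Added example, not part of the original post. Placeholders: vpn.contoso.com,
# the 10.10.20.0/24 pool and the user jdoe. Run the server part elevated on the RRAS host.

# ---------- Server side ----------
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn            # RRAS in VPN-only mode (no DirectAccess)

# Certificate used for SSTP and for IKEv2 server authentication; must already be installed
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=vpn.contoso.com*" } | Select-Object -First 1
Set-RemoteAccess -SslCertificate $cert

# Accept only EAP (user) or certificate (device) authentication; PAP and MS-CHAPv2 stay off
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, Certificate -PassThru

# Strong IKEv2/IPsec proposal: AES-256, SHA-256, DH and PFS on ECP384
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -DHGroup ECP384 -PfsGroup ECP384 -PassThru

# Static address pool for VPN clients (assumed netsh syntax; DHCP relay is the alternative)
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.10.20.1 to=10.10.20.254

Restart-Service RemoteAccess

# Allow an AD user to dial in (an NPS network policy is the scalable way to do this for groups)
Set-ADUser -Identity "jdoe" -Replace @{ msNPAllowDialin = $true }

# ---------- Client side (Windows 10/11, run as the user) ----------
Add-VpnConnection -Name "Contoso VPN" -ServerAddress "vpn.contoso.com" `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Maximum `
    -RememberCredential -Force

# Pin the client to the same IPsec proposal so nothing weaker can be negotiated
Set-VpnConnectionIPsecConfiguration -ConnectionName "Contoso VPN" `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -DHGroup ECP384 -PfsGroup ECP384 -Force

rasdial "Contoso VPN"    # or connect from the network flyout
```

The client part is what you would wrap into the deployable package or script mentioned in the last step (Intune, SCCM or a Group Policy startup script), and `Add-VpnConnection -AllUserConnection` makes the profile visible to every user of the device. No split tunnelling is configured, so all client traffic goes through the corporate network while the VPN is up; add routes with `Add-VpnConnectionRoute` and `-SplitTunneling` only if that is a deliberate decision.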

Step-by-step documentation for all these steps can be found in Microsoft’s documentation or in several good blog articles on the Internet. If needed (either right away or as a later evolution of the environment), additional features can be configured. Some of these features include:

  • Automatic single sign-on (SSO)
  • Always On functionality, which automatically opens the VPN connection when needed, when specified applications are used, or every time the device has a network connection
  • MFA
  • Device compliance check
  • Etc.

All in all, using Windows Server as the VPN solution in your network can give you a low-cost (as few or no additional licenses are needed), highly secure and easy-to-deploy VPN solution.

Heikki Bergius

Heikki Bergius has worked for over 25 years in various IT training and consulting roles. During his career he has gained broad expertise and experience in many Microsoft and other technologies. Today his areas of specialization include Azure IaaS technologies, Azure hybrid solutions, System Center products, Windows servers, and various kinds of automation and troubleshooting.


How does the cloud-native Azure Sentinel SIEM work?

As cloud services become more commonplace, there’s an increasing need for data security in the cloud. Complex hybrid environments often provide organisations with more adaptable solutions, yet they also pose a challenge with regard to data security and its maintenance in a complex environment.

When servers are running both locally and in the cloud in multiple server rooms, it can be difficult to obtain a centralised overview. And if you include all of the firewalls and alert tools, you’re already looking at quite a laborious list of things to monitor. This is why Microsoft has introduced its own SIEM – a cloud-native solution that can be easily integrated into both local and cloud environments. Azure Sentinel monitors disturbances in both Microsoft’s own tools and third-party software, and also allows for centralised monitoring when necessary.

Sentinel is a response to the huge demand for a cloud-native SIEM. As a public cloud platform, Azure brings substantial advantages to Sentinel’s functionality that provide unprecedented agility and scalability. Notably, the service is quick to set up thanks to pre-built data connectors and Log Analytics, which is the driving force behind Sentinel. Technical deployment is extremely rapid, as the required resources can be created in Azure and Sentinel provides user-friendly interfaces. With only a few clicks, you can obtain logs of anything from users’ login credentials to server security events.

The power of queries

After Sentinel has been deployed, you can set up KQL analytics rules to automatically seek out anomalies in logged data. Sentinel provides a considerable number of predefined rules, but it is possible – and even recommended – to create your own query rules. This will not only enable you to respond effectively to new threats on the fly, but also to adapt Sentinel to suit your needs. Query rules can, for example, detect anomalies in users’ login credentials or alert you to suspicious email forwarding rules.

In addition to automatic analytics, Sentinel also includes a “threat hunting” feature that enables you to run the same queries in real time at the press of a button. This enables effective troubleshooting and reactive investigation whenever it is required. Active threat hunting plays a major role in modern data security. It is therefore one of Sentinel’s core functionalities and has been made as easily accessible as possible.
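As an added example (not code from the original post), here is one of the detections mentioned above, suspicious email forwarding rules, written as a KQL query that is first run ad hoc as a hunt and then saved as a scheduled analytics rule. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules, the Office 365 data connector feeding the OfficeActivity table, and placeholder resource names; the `New-AzSentinelAlertRule` parameter names follow Az.SecurityInsights 3.x as I recall them, so check `Get-Help New-AzSentinelAlertRule` in your environment.

```powershell
# Added example, not part of the original post. Placeholders: rg-sentinel and law-sentinel.
Connect-AzAccount
$rg = "rg-sentinel"; $ws = "law-sentinel"

# KQL: inbox rules or mailbox settings that forward or redirect mail. Attackers who have
# phished a mailbox often add one of these to keep receiving copies after the password is reset.
$query = @'
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                            "ForwardingSmtpAddress", "DeliverToMailboxAndForward")
| project TimeGenerated, UserId, ClientIP, Operation, Parameters
'@

# 1. Hunt first: run the query once over the last 7 days and look at what comes back
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId
$hunt = Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $query -Timespan (New-TimeSpan -Days 7)
$hunt.Results | Format-Table TimeGenerated, UserId, ClientIP, Operation -AutoSize

# 2. Then schedule it: every hour over the last hour, any row at all raises an incident
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws -Scheduled `
    -DisplayName "Mailbox forwarding rule created or changed" `
    -Description "An inbox rule or mailbox setting now forwards or redirects mail" `
    -Query $query `
    -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) `
    -Severity Medium -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -Tactic Persistence, Collection -Enabled
```

Running the hunt before scheduling the rule is deliberate: it shows how many legitimate forwarding rules (helpdesk mailboxes, shared inboxes) exist, and those get an exclusion in the `where` clause before the rule starts creating incidents.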

What are cloud-native SIEMs made of?

On a technical level, Sentinel is based on two Azure resources: Sentinel itself and the background service Log Analytics. The Log Analytics Workspace acts as a storage space and management platform for logged data. Sentinel is provisioned on top of it, and is responsible for receiving and analysing data and saving it in Log Analytics. These two resources make Sentinel transparent and cost-effective to manage.

When deploying Sentinel, it’s a good idea to carefully plan what log data you intend to collect and how you want to process it. Do you need to store data for legal reasons or do you need to analyse and investigate certain events? How long do you need to store each type of log data and how will it be stored?

As a SIEM, Sentinel is able to collect data, detect disturbances, and investigate the cause of a disturbance. From the outset, Sentinel has always sought to provide an automatic option that will make maintenance and threat response as easy as possible.

It’s easy to send an automatic message to a Teams channel whenever a new incident is detected, but other measures are also available, such as closing a compromised user account or shutting down a virtual machine. Naturally, it’s not compulsory to take advantage of every phase. However, when drawing up your deployment specifications, it’s recommended that you analyse the needs you are trying to address with the SIEM and identify the opportunities afforded by its logged data.

“But how much will it cost?”

So how much does it cost to use Sentinel? This is naturally a question that occurs to everyone who’s interested in the service, and is also one of the most common questions I encounter. The cost of using Sentinel is not that straightforward to determine, so I’ll open things up a little for you. In principle, the costs are billed using a “Pay-As-You-Go” model, that is, entirely based on actual usage.

Costs are calculated per gigabyte of incoming data and per gigabyte of data stored. As the service consists of two resources – Sentinel itself and the background function Log Analytics – you will have to calculate the cost for using both of them to get the total price. This may sound complicated, but the final price can be calculated very quickly and accurately as long as you can estimate the volume of data that needs to be logged.

In order to optimise costs, it’s important to accurately specify which data sources are to be used with the SIEM rather than simply including all possible data right away. Logs from firewalls or servers typically generate large volumes of data. However, if you’re monitoring users’ login credentials or data generated by Office, this will typically result in very low bit volumes and therefore low costs. For SMEs, it’s not at all unusual for the costs of using Sentinel to be in the range of only a couple of dozen euros per month. It’s also worth noting that all of the data fed into Sentinel can always be stored free for a period of ninety days.

If you want to estimate the cost of using Sentinel for yourself, you can easily find the per-gigabyte price on the Microsoft website:

If you like the sound of Sentinel, I heartily recommend getting better acquainted with this solution. As the technical environment is quick and easy to set up, it’s easy to organise a several-month demo at little cost. Likewise, Sentinel can also be deactivated as quickly as it can be deployed.

At Sulava, we’ve already implemented several Sentinel deployments and we’re happy to help you with any questions you may have about the solution itself or setting up the technical environment. So don’t hesitate to contact us and start harnessing cloud security in your environment!

Consultant. I’m particularly interested in implementing cloud-native infrastructure solutions in Microsoft Azure. Cloud-native services provide a practical way of scaling and administering solutions, making things easier for both customers and service providers.