Saturday, 11/03/2018 11:12:25 AM
Hackers are increasingly destroying logs to hide attacks

https://www.zdnet.com/article/hackers-are-increasingly-destroying-logs-to-hide-attacks/

According to a new report, 72 percent of incident response specialists have come across hacks where attackers have destroyed logs to hide their tracks.

Hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks, according to a report released this week and containing information from 113 investigations performed by 37 Carbon Black incident response (IR) affiliate partners from across the globe.

According to the report, "politically motivated cyberattacks from nation-state actors have contributed to an ominous increase in destructive attacks: attacks that are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization's operations."

Carbon Black said that hacker groups are getting better at what the company calls "counter-incident response."

They said that hackers attempted counter-incident response in 51 percent of all incidents the company and its partners investigated in the last 90 days.

"We've seen a lot of destruction of log data, very meticulous clean-up of antivirus logs, security logs, and denying IR teams the access to data they need to investigate," an IR professional said.

In fact, according to the Carbon Black report, 72 percent of all its partner IR professionals saw counter-IR operations in the form of destruction of logs, which appears to have become a standard tactic in the arsenal of most hackers.

But in some cases, hackers took log destruction and other counter-incident response operations to a new level, and their actions resulted in more lasting damage.

"Our respondents said victims experienced such attacks 32% of the time," Carbon Black said in its report.

"We've seen a lot of destructive actions from Iran and North Korea lately, where they've effectively wiped machines they suspect of being forensically analyzed," an IR professional said.

"Attackers want to cover their tracks because they're feeling the pressure from law enforcement," another IR professional said.

But Carbon Black also points out that the cyber-security industry, as a whole, has also gotten much better at incident response, hence attackers' increased focus on removing logs and even wiping systems, just to be on the safe side.

Other key findings:

The same Carbon Black report also touches on many other interesting topics, such as the use of legitimate tools for lateral movements inside compromised networks, the concept of "island hopping," and the increased focus on IoT devices as entry points into homes and companies. The summarized key findings are available below:
• China and Russia are responsible for nearly half of all cyberattacks. Of 113 investigations conducted by Carbon Black IR partners in the third quarter, 47 stemmed from those two countries alone, while Iran, North Korea, and Brazil were also the origin of a considerable amount of recent attacks.
• Half of today's attacks leverage "island hopping," whereby attackers target organizations with the intention of accessing an affiliate's network.
• An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can be a point of entry to organizations' primary networks, allowing island hopping.
• Around 54 percent of IR firms said they saw attacks on IoT consumer devices.
• Around 30 percent of respondents also saw victims' websites converted into a watering hole.
• An alarming 41 percent of respondents encountered instances where network-based protections were circumvented.
• PowerShell was the primary tool used for lateral movements inside a network by attackers, found in 89 percent of incidents, followed by WMI (Windows Management Instrumentation).
• Around 27 percent of respondents chose a shortage of skilled security experts as the top barrier to incident response.
• The industry most frequently targeted by cyberattacks was the financial sector, followed by healthcare, retail, and manufacturing.
• Two-thirds of IR professionals believe cyberattacks will influence the upcoming US elections.
=================================================================
Incident response specialists wouldn't have to investigate/worry about logs (removed by the hacker) if their companies were using Wave ERAS and/or Wave VSC 2.0 since the hacker wouldn't be allowed on the network in the first place! This could save companies a lot of unproductivity and damage to their computer infrastructure as well as their reputation. Lateral movements inside the network could be prevented by Wave VSC 2.0 and the TPM!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Secure device & user authentication

Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.

Here’s how it works:

Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication

Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.

Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.

With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.

Token-free, password-free user authentication

We know you’ve dreamt about shredding your list of passwords. Go on and do it.

Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
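The article quoted above reports that attackers clear security and antivirus logs and wipe machines to frustrate incident responders, but does not show what a defender can do about it. The script below is an added example, not part of the forum post, the ZDNet article, or any Carbon Black or Wave product; it assumes logs are forwarded off the endpoint as JSON lines (host, channel, event_id, timestamp) so that a copy survives whatever happens on the machine. It uses two real Windows event IDs, 1102 (Security audit log cleared) and 104 (System log cleared), and treats a host that goes silent as a second signal, since a wiped machine or a killed forwarder produces no event at all. The sample records are constructed for the demonstration.

```python
"""Spot log destruction (counter-incident response) in forwarded Windows events.

Added example; not code from the forum post, the ZDNet article, Carbon Black
or Wave. Assumes a log forwarder ships one JSON record per line with the
fields ts (ISO-8601), host, channel, event_id and user. Sample data below is
constructed.
"""
import json
from datetime import datetime, timedelta

# Real Windows event IDs written when an event log is cleared.
LOG_CLEARED_EVENTS = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "System event log was cleared",
}

# A host that stops sending for longer than this is flagged. Clearing a log
# still emits 1102/104; wiping the box or killing the forwarder emits nothing,
# so the silence itself is the indicator.
MAX_SILENCE = timedelta(minutes=30)

# Constructed sample batch: ws-17 clears its Security log, srv-db1 clears its
# System log and then goes quiet, fs-02 goes quiet without any cleared-log event.
SAMPLE_RECORDS = """\
{"ts": "2018-11-01T09:00:00", "host": "ws-17", "channel": "Security", "event_id": 4624, "user": "alice"}
{"ts": "2018-11-01T09:05:00", "host": "ws-17", "channel": "Security", "event_id": 4688, "user": "alice"}
{"ts": "2018-11-01T09:06:00", "host": "ws-17", "channel": "Security", "event_id": 1102, "user": "alice"}
{"ts": "2018-11-01T09:00:00", "host": "srv-db1", "channel": "System", "event_id": 7036, "user": "SYSTEM"}
{"ts": "2018-11-01T09:01:00", "host": "srv-db1", "channel": "System", "event_id": 104, "user": "SYSTEM"}
{"ts": "2018-11-01T09:00:00", "host": "fs-02", "channel": "Security", "event_id": 4624, "user": "bob"}
{"ts": "2018-11-01T11:00:00", "host": "ws-17", "channel": "Security", "event_id": 4624, "user": "alice"}
"""


def parse_records(text):
    """Parse JSON-lines records, converting the ts field to a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_log_clearing(records):
    """Return one alert per record that documents an event log being cleared."""
    alerts = []
    for rec in records:
        reason = LOG_CLEARED_EVENTS.get((rec["channel"], rec["event_id"]))
        if reason is not None:
            alerts.append({"host": rec["host"], "ts": rec["ts"],
                           "user": rec["user"], "reason": reason})
    return alerts


def find_silent_hosts(records, now=None, max_silence=MAX_SILENCE):
    """Return hosts whose newest record is older than max_silence.

    `now` defaults to the newest timestamp in the batch, so the check works
    on an archived batch as well as on a live feed.
    """
    last_seen = {}
    for rec in records:
        if rec["host"] not in last_seen or rec["ts"] > last_seen[rec["host"]]:
            last_seen[rec["host"]] = rec["ts"]
    if not last_seen:
        return []
    if now is None:
        now = max(last_seen.values())
    return sorted(host for host, ts in last_seen.items() if now - ts > max_silence)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for alert in find_log_clearing(recs):
        print(f"{alert['ts']} {alert['host']}: {alert['reason']} (by {alert['user']})")
    print("hosts gone silent:", find_silent_hosts(recs))
```

Run against the sample batch it reports the cleared Security log on ws-17 and the cleared System log on srv-db1, and lists fs-02 and srv-db1 as silent. The point of the design is that both checks run on the forwarded copy, which the attacker's cleanup on the endpoint cannot reach.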