Skip to content

Intro to Windows (Win32) API

Since I talked about how to enumerate Windows-based systems – a step you will have during an engagement, it is only natural to expand more on the topic (Windows, not enumeration, at least for now).

You might have successfully enumerated, exploited, established persistence, and maybe even exfiltrated data… but there’s much more to it, and a lot of stuff comes into play. In the upcoming articles, I will cherry-pick the stuff that is most interesting to me, but I will also try to provide you with a general overview so that you can more easily structure and map out the stuff I’ve been talking about.

This one is geared more towards red team type of activity, as the knowledge of the Windows API can be leveraged when you care about evasion e.g., as a red teamer (of course, it’s not only about evasion…); something a pentester usually doesn’t have to worry about. Just keep that distinction in the back of your mind.

However, in the case of red team engagements, since the emulation of an adversary is essential, you will see stuff that usually doesn’t get included in your pentests or vulnerability assessments. Phishing is permitted (out of scope in most of the pentests) and is usually something red teams will opt for (gotta keep that stuff realistic, right?); evasion is also vital since an adversary will try to stay on your corporate network as long as it is possible for them. It’s also kinda in the name; you are in the role of the red team, and the evasion pertains to throwing the blue team off your tracks. This is quite different and very interesting for us here, as it opens a plethora of new options you will think about and probably use during the engagement.

Terms like living off the land, phishing, bypassing UAC, bypassing AVs, C2, etc. all come into play! And more. Much more. This is terrifyingly fun, and even though the Windows API might not be the most attractive topic of the bunch here, its important to have a firm grasp on the stuff you’re abusing, and I wanted to give you just a brief overview of how one would abuse the system calls for their nefarious purpose.

Red teams will regularly abuse the Windows API to hide and evade the blue team, in the same way, they’ll use shellcode to evade AVs, or use the LOL (living off the land) methodology, and much more (evade runtime detection, logging and monitoring, generally employing tool agnostic approach in this endeavor).

Okay! So that’s a bit more of an intro, but I wanted to level with you here and set some expectations while also (hopefully) making the upcoming articles (as well as this one and the previous one) more sensible in the grand scheme of things.

The Windows (Win32) API

The first distinction to be aware of here is that Windows has two main modes through which it accesses hardware, the kernel, and the user mode. This goes back to the release of the Win32 API which is a library that’s used to interface between the user applications and the kernel.

The API here calls the interfaces and sends the info to the system which is then processed in the kernel mode. These two modes are essential because they determine how much access a driver or an application gets – kernel, memory, or hardware access. Also, note that with some languages and their interaction with the Win32 API, the application can go through the runtime first before going through the API.

The Win32 API breakdown can be briefly described as follows:

  • In/out parameters – these are the values that call structures define

  • API calls -this is the API called that’s used, with addresses to functions that are coming from the pointers

  • Call structures – this is what defines the API call and its parameters

  • DLLs – these are the DLLs for the Win32 API, we have core DLLs – KERNEL32, USER32, ADVAPI32, and other DLLs that are a part of the API like NTDLL, COM, NETAPI32, etc.

  • Headers – these are the libraries that get imported at runtime, they are defined through the header files or imports, function addresses are obtained through pointers

Since every API call of the Win32 library lives in memory and requires a pointer to a memory address the way you get those pointers for the needed functions is obscured because of the Address Space Layout Randomization – ASLR implementations. This is for security reasons as you guessed it. 

If an attacker can discover where a DLL is loaded in any process, the attacker knows where it is loaded in all processes. Which is a quote from Mandiant’s blog post about the ASLR. From the same blog post – A low-privileged account can be used to overcome ASLR as the first step of a privilege escalation exploit.

This is also why Microsoft implemented the Windows Header File.

From Wikipedia:

windows.h is a Windows-specific header file for the C and C++ programming languages which contains declarations for all of the functions in the Windows API, all the common macros used by Windows programmers, and all the data types used by the various functions and subsystems. It defines a very large number of Windows specific functions that can be used in C.

Basically, any Win32 function can be called once you’ve included the windows.h or the Windows Header File.

Another important implementation is the P/Invoke, which allows you to access structs, callbacks, and functions in unmanaged libraries from your managed code. Most of the P/Invoke API is contained in two namespaces: System and System.Runtime.InteropServices. Using these two namespaces gives you the tools to describe how you want to communicate with the native component.

What P/Invoke does is give you a way to do the complete process of calling the Win32 API. You can then invoke the function as a managed method you created even though you’re calling an unmanaged function.

The structure of the API calls is well documented by Microsoft but you can also check out the pinvoke.net: the interop wiki! for more information.

Every API call has a pre-defined structure for its input/output parameters. For example the VirtualProtect function – memoryapi.h it looks something like this:

BOOL VirtualProtect(
 
  [in] LPVOID lpAddress,
 
  [in] SIZE_T dwSize,
 
  [in] DWORD flNewProtect,
 
  [out] PDWORD lpflOldProtect
);

For the parameters expected i/o and accepted values, Microsoft has the explanation within the docs.

Lastly, I will list some API calls that are known for their possible malicious use. Also, MalAPI.io tries to document these, so it might be worth checking out.

VirtualProtect – Changes the protection on a region of committed pages in the virtual address space of the calling process.

GetProcAddress – Retrieves the address of an exported function (also known as a procedure) or variable from the specified dynamic-link library (DLL).

GetComputerNameA – Retrieves the NetBIOS name of the local computer. This name is established at system startup, when the system reads it from the registry.

GetModuleFileNameA – Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process.

GetAdaptersInfo – The GetAdaptersInfo function retrieves adapter information for the local computer.

RegisterHotKey – Defines a system-wide hot key. Also, MalAPI says: RegisterHotKey is used to create a system wide hotkey. This function is commonly used by spyware or keyloggers to recieve a notification when a certain combination of keys are pressed.

Conclusion (for now)

I’ve just given a very brief overview here since the whole of the Win32 API is much larger. But for our purpose here, it should suffice. The main point I wanted to get across is for you to realize the potential options you might have with this and be aware of how some threat actors might leverage those system functions that are basically inseparable from the system itself.

A fun practice might be to check out what MITRE ATT&CK has documented on Native APIs and check out the Windows API calls known to be used for malicious purposes.

Cover image by Clint Adair

#win32 #API #windows

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

SafeDNS is a NAPPA Award winner

NAPPAA, which for over 32 years has been ensuring that parents purchase the highest quality products that help them connect and enjoy time with their families, highlighted SafeDNS as the best in the industry.

“This site offers many choices and can be set up on every device or just the child’s device. There are so many ways to use this program and what I really like is that it can be used to protect the elderly from becoming victims of fraud.”

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

GREYCORTEX Mendel 3.9.1. Now Available

September 20, 2022 – We have released GREYCORTEX Mendel 3.9.1 which brings minor improvements and bug fixes.

Enhancements

Event visibility level store its configuration on the user level (keep the last state before logout)

Improved performance and reliability for Failsafe mode

Improved subnet filtering by substring search in filter

Fixed issues with

  • Performance in the network capture module
  • Invalid license during Sensor&Collector upgrade
  • Default firewall configuration for an asset discovery tool
  • Checkpoint firewall rule policies
  • Detecting TOR traffic by IDS signatures
  • Resizing LVM storage on AWS
  • Two or more DNS servers on the management interface
  • Empty subnet graph for subnets filtered by tag(s)
  • User permissions
  • SSL configuration for Fortigate firewall plugin
  • Invalid CSV header in subnet import
  • Malformed input for network parsers
     

State of the Union’s Infrastructure Security According to CISA

On the heels of a few high-profile cybersecurity breaches in the civilian sector, comes a poignant operational technology/industrial control systems advisory published jointly by CISA and the NSA. Contrasting with the bland title of “Control System Defense: Know the Opponent,” you get the sense that CISA has gotten tired of ringing the control system cybersecurity bell since at least 2009. Though, according to Tom Temin of the Federal News Network, protecting the software we rely upon has been on politician’s minds since the 90’s.

OT/ICS assets that control critical infrastructure from nuclear power plants to the water processing to the air conditioning in government facilities have always been targets. With the merging of IT and OT/ICS over at least the past decade and a half, the attack surfaces of these critical systems have increased exponentially.

It’s also critical that these systems keep running “despite the fact that many systems are decades old and use insecure protocols and architectures” requiring nonstandard interface and protocol support, while the vendors that made the equipment could no longer exist.

It isn’t any secret that much of the United States’ critical-for-society-to-function infrastructure is out of date. Nor is it a secret that well-funded malicious actors are more than capable when it comes to disrupting critical sectors. We’ve seen the Russian attack on Ukraine’s electric grid and the 2017 NotPetya attack on Maersk that resulted in Los Angeles’ busiest port shutting down for two weeks.

Furthermore, design and device information are publicly available or easily attained through job listings and interviews that specify certifications and equipment knowledge. Open Source operational intelligence (OSINT) also makes it simple to track down emails, names, software in use, or remote access points. Shodan is a fun tool.

Thankfully, CISA’s advisory doesn’t just point at the problem and say “hey, doesn’t that look terrible?” It also lays out the tactics, techniques, and procedures that many cyber actors use along with mitigations. If anyone remembers David Bianco’s Pyramid of Pain,  he explains that one of the most effective ways to thwart attackers is to disrupt their gameplan. Make their tools and information useless so they’re back to square one.

But what’s the use of an advisory, if the recommended strategies therein aren’t enforced? Well, according to a Federal News Network article, Eric Goldstein, the Executive Assistant Director for Cybersecurity for CISA, stated that CISA has plans to “release performance goals starting in October that will address individual risks of the various sectors.” It seems that there might be some muscle to back up the advisory.

#CISA #ICS

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

CISAnalysis – September 23, 2022

And that’s a wrap for another week in cybersec! Phew! How did we make it through this one….first the Uber hack, then the Rockstar Games hack and now two vulns added to the ‘log amidst all the Mudge/Musk drama at Twitter! Another popcorn here! 🍿

Zoho RCE

First up is a remote code execution vulnerability in ManageEnginePAM360, Password Manager Pro, and Access Manager Plus. An attacker can obtain system level privileges with a successful exploit. You know what that means? Dun, dun, dunnnnnn 💀

As we know from last week’s additions, this vulnerability poses a significant amount of risk, given the nature of the resources available to system users. The vulnerability is currently being exploited in the wild and there is PoC publicly available. Zoho is one of the largest technology companies in the world with over 80 million users, so security engineers should not throw caution to the wind if they have products with the affected versions. The fix was released back in June, so it’s likely this has already been exploited. As is typical, the recommended action forward is to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus stat.

Sophos code injection

The other vuln is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. Although this is basic perimeter defense, the fact that remote code execution is possible means you can Frankenstein the situation from afar. Who wouldn’t want to execute random scripts from the comfort of their basement? Hotfixes have been published for version v19.0 MR1 and older. If you’re not rocking those, make sure you are not exposed to the WAN and get that VPN up and running before sunset.

#cisa #cisanalysis #zoho #sophos #rce #vulnerabilities

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Unearthing Meta’s Quarterly Adversarial Threat Report (Q2 2022)

Summary 

  • The report offers a comprehensive view of Meta’s risks across multiple policy violations like Coordinated Inauthentic Behavior (CIB), inauthentic behavior, cyber espionage, and other emerging threats, like mass reporting.

  • The report discusses various actions Meta’s security team took against two ongoing cyber espionage operations in South Asia.

  • As part of its campaign against new and emerging threats, the report discusses how Meta removed a mass reporting network in Indonesia, a brigading network in India, and coordinated violating networks (CVNs) in Greece, India, and South Africa.

  • Under its Inauthentic Behavior policy targeting artificially inflating distribution, the report says Meta took down numerous accounts, Pages, and Groups worldwide.

  • The report also discusses how Meta removed three networks engaged in CIB operations in Israel, Malaysia, and Russia.

Introduction

All of us are active Social Media users, which is exerting a greater influence on our lives in today’s technological age. But as the number of active users increases, so does the sophistication of threat actors, who continue to devise newer ways to compromise accounts, steal credentials, dictate their agenda, etc. For example, there are groups of people trying to flood comment streams and attack the post owner and other users to push forward their agenda and intimidate users with dissenting views. The evolving threat landscape compels social media giants like Meta to define robust security policies and take proactive steps to protect their communities. The Quarterly Adversarial Threat Report Q2 dives deeper into Meta’s actions against malicious activities.

Cyber Espionage Networks

Cyber espionage actors target internet users to collect intelligence, manipulate them to reveal sensitive information and compromise their accounts and devices. Some of them deploy advanced malware that incorporates exploits, while others use basic low-cost tools that require lesser technical expertise to deploy. Thus Meta believes, as per the report, it democratizes access to surveillance and hacking capabilities since the barrier to threat actors’ entry becomes lower. Furthermore, it allows the threat groups to gain plausible deniability and hide in the “noise” when security researchers scrutinize them.

Steps Meta Took:

Meta took down accounts, notified users targeted by malicious groups, and blocked the groups’ domain infrastructure from getting shared on Meta’s services. Furthermore, they shared findings with security researchers and industry peers to help them stay vigilant about the activity. 

Bitter APT (Advanced Persistent Threat) Group

Meta took action against a hacker group called Bitter APT, which operated from South Asia and targeted users in New Zealand, the United Kingdom, India, and Pakistan. While the group’s activity was low in operational security and sophistication, it was well-resourced and persistent. Bitter deployed various malicious tactics to target users with social engineering and injected malware into their devices. They used a mix of malicious domains, link-shortening services, third-party hosting providers, and compromised websites to distribute their malware. Security researchers at Meta discovered that their platform was used as an element of a wider cross-platform cyber espionage campaign. They found the following noteworthy TTPs (tactics, techniques, and procedures) used by the threat actors:

  1. Social engineering: Bitter threat actors created fictitious personas and posed as young women, activists, or journalists across the internet. They tried to build trust with users to trick them into visiting malicious links or downloading malware.

  1. iOS application: Meta’s recent investigation discovered Bitter deploying an iOS chat application for users, who could download it through Apple’s Testflight service for developers, ensuring that it will help beta-test their new applications.

  1. Android malware: The researchers discovered Bitter using a custom Android malware family they named Dracarys. It used accessibility services, the Android operating system feature, to assist users with disabilities, allowing them to automatically click and grant the application certain permissions.

  1. Adversarial adaptation: This Bitter group aggressively responded to Meta’s detection and blocking of its domain infrastructure and activity.

APT36

Meta discovered another threat group whose activity was low in sophistication, but it persistently targeted many services over the internet – from social media and email providers to file-hosting services. APT36 deployed various malicious tactics to target users with social engineering and injected malware into their devices. They used malicious and camouflaged links and fake Android and Windows-run apps to distribute their malware. Meta’s security team took action against the APT36 threat actors active in Afghanistan, Pakistan, UAE, India, and Saudi Arabia. They targeted government officials, military personnel, students, and employees of non-profit and human rights organizations. Furthermore, the report suggests that Meta’s investigation linked the activity to state-linked actors in Pakistan. They discovered the following noteworthy TTPs used by the threat actors:

  1. Social engineering: APT36 threat actors created fictitious personas and posed as recruiters for fake and legitimate organizations, military personnel, or women looking for romantic connections. 

  2. Real and spoofed websites: The report suggests that the APT36 threat actors used various tactics, including using custom infrastructure to inject their malware. Some domains masqueraded as generic app stores or photo-sharing websites, while others were spoofed domains of applications like Microsoft’s OneDrive, Google Play Store, and Google Drive.

  3. Camouflaged links: The group utilized link-shortening services and disguised malicious URLs. Furthermore, they used preview sites and social cards (the online marketing tools to customize the displayed image when a particular URL gets shared on social media) to mask the ownership and redirection of domains APT36 controlled.

  4. Android malware: APT36 did not directly share malware on Meta platforms but used the above tactics to share links to spoofed websites.

The “Emerging Harms” Networks

The report states that Meta’s threat disruption began by tackling inauthentic operations where users hide who’s behind them and advanced to authentic actors engaging in harmful and adversarial behaviors on its platform. This section of Meta’s report discusses how it is taking proactive steps to stay ahead in this adversarial space. 

Steps Meta Took:

Meta deployed control levers to enforce against networks having broadly varying aims and behaviors like:

  1. Groups that coordinated women’s harassment

  2. Decentralized movements that collaborate a call for violence against government officials and medical professionals

  3. An anti-immigrant group inciting harassment and hate

  4. An activity cluster focused primarily on spreading misinformation

Mass Reporting

Under its Inauthentic Behavior policies, Meta removes activity when it finds adversarial networks coordinating an abuse against its reporting systems to get content or accounts incorrectly taken down from the platform. Threat actors do it intentionally to silence others. In Q2 of 2022, the report states that Meta removed a network of 2,800 accounts, Pages, and Groups in Indonesia. They coordinated to report users for violations like impersonation, terrorism, hate speech, and bullying to get them wrongfully removed from Facebook. Meta researchers found that the reports mainly focused on Indonesian users, particularly the Wahhabi Muslim community. Factors considered while investigating Mass Reporting:

  1. Coordination Signals

  2. High Report volume

  3. Misleading and abusive nature of reports.

Brigading

Under its Bullying and Harassment policies, Meta removes activity when it discovers adversarial networks engaging in repetitive behavior, for mass-commenting on their target’s posts or sending them direct messages. The report suggests that the behavior intends to harass, overwhelm or silence the target. 

In Q2 of 2022, Meta took down a brigading network of 300 Facebook and Instagram accounts in India that collaborated to mass-harass people, including actors, activists, comedians, and other influencers. The network actively posted across the internet, including Instagram, Facebook, Twitter, YouTube, and Telegram. Factors considered while investigating Brigading:

  1. Repetitive targeting to silence or harass people, with unsolicited comments or messages

  2. Coordination Signals

  3. A high volume of activity

  4. Efforts to evade enforcement

Coordinated Violating Networks

Meta’s Account Integrity policies remove coordinated violating networks (CVNs) when it finds people (with authentic or fake accounts) coordinating to violate or evade its Community Standards. Hence, Meta removed two clusters of Pages and accounts on Facebook and Instagram in Greece that collaborated to repeatedly violate its policies against hate speech, misinformation, and incitement to overthrow the government violently. Factors considered while investigating Coordinated Violating Networks.

  1. Coordination signals showed an organized group directly working under centralized directions.

  2. Systematic violation of Meta’s community standards.

  3. Efforts to evade enforcement

Inauthentic Behavior

Meta defines Inauthentic behavior (IB) in its Community Standards as something that misleads the platform and the users about the popularity of the content, the people’s identity behind it, or the purpose of a community (i.e., Events, Groups, Pages). The report suggests that the behavior is centered around increasing and amplifying content distribution and is mostly (not exclusively) financially motivated. IB operators mainly focus on the quantity and not the quality of engagement. For example, they use many low-sophistication fake accounts for mass-posting or liking their content — commercial, social or political. 

Steps Meta Took:

In focus: Philippines

  1. Manual investigations and disruptions:

Ahead of the Philippines election, Meta’s investigative teams took down over 10,000 accounts for violating its IB policy. The accounts used IB tactics to increase the distribution of content like election-related posts, including others using politics as a spam lure when people showed interest in following these topics. The report states that Meta used threat intelligence and continued working on identifying repetitive behavior patterns showing characteristics of IB clusters in the region.

  1. Automated detection at scale:

Working on the actionable insights, Meta automated the detection of IB patterns and complemented the manual investigations. Consequently, the security teams consulted experts to identify numerous IB clusters in the Philippines and enforced quick action against 15,000 accounts. Meta researchers concluded that most IB clusters were not more than six months old when they got disabled. 

  1. Automated enforcement:

Complimenting automated detection and manual disruptions, Meta focused on automating enforcement against these IB patterns, relying on its rigorous election preparation in the Philippines. Hence, the security teams could tackle specific repetitive and high-confidence inauthentic behavior (IB) in the Philippines and worldwide.

Coordinated Inauthentic Behavior (CIB)

Meta views CIB as a coordinated effort to manipulate the public discourse for a strategic goal, having fake accounts at the center of the operation. The report says that in these cases, people coordinate and use fake accounts to mislead others about what they do and who they are. 

Steps Meta Took:

Meta’s security team investigated and removed the CIB operations by focusing on behavior rather than content. According to the report,  it did not matter who was behind them, what they posted, or whether they were foreign or domestic. 

Malaysia

Meta removed 596 Facebook accounts, 72 Instagram accounts, 180 Pages, and 11 Groups for violating their policy on coordinated inauthentic behavior. The network originated in Malaysia, targeting its domestic audiences.

Israel

Meta removed 259 Facebook accounts, 107 Instagram accounts, 42 Pages, and 9 Groups for violating its policy on coordinated inauthentic behavior. The network originated in Israel, targeting Nigeria, Angola, and the Gaza region in Palestine.

Russia

The report has a detailed sub-section on how the security researchers investigated the CIB in Russia. Meta took down an Instagram account network operated by a troll farm in Russia’s St. Petersburg that targeted global public discourse regarding the Ukraine war. The report underlines that the campaign was a poorly executed attempt and that threat actors publicly coordinated through a Telegram channel. They wanted to create a grassroots online support perception for Russia’s invasion and used fake accounts to upload pro-Russia comments on influencers and media content. The researchers linked the activity to a self-proclaimed entity, “Cyber Front Z,” and individuals associated with the Internet Research Agency (IRA). Meta has banned Cyber Front Z from its platforms. 

Conclusion

The Meta Quarterly Adversarial Threat Report Q2 offers insight into the risks Meta sees globally and across multiple policy violations. It covers Meta’s expanded threat reporting areas like cyber espionage, inauthentic amplification, mass reporting, brigading, and other malicious behaviors. Furthermore, It alerts people who Meta believes were targeted by these campaigns. Thus, it is a reliable guide for tech companies, governments, law enforcement, and security researchers in helping them understand the social media threat landscape and preventive measures that can be taken to limit the damage caused by malicious actors.

Reference

Ben Nimmo, David Agranovich, Margarita Franklin, Mike Dvilyanski, Nathaniel Gleicher. (2022, September 8). Quarterly Adversarial Threat Report. About.fb.com. Retrieved September 8, 2022, from  

https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf

Photo by Dima Solomin on Unsplash

#meta #facebook #adversary #CIB #threats #security #espionage

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

How Keepit puts User Experience first

Keepit is known for delivering a certain quality of User Experience (UX), which is reflected in customer feedback examples, such as: 

Keepit’s user-friendliness is a financial win-win’ and ‘I like to call Keepit a Steady Eddie. I know it’s working; I know it’s running, and I don’t have to sweat it.’.

Behind Keepit’s simple design and ease of use lies a deliberate approach, rooted in the idea that our whole system, from the deepest backend layers to the user interface, is built to support a solid User Experience.

However, in the software field, UX has been interpreted in various ways and caused confusion in how it differs from User Interface Design. So, what is UX to Keepit? And how does Keepit go about all this in practicality?

Foundation

UX goes beyond the immediate visual impression and beyond isolated interactions within the product. It is a silent ambassador that ensures a seamless experience throughout any touchpoint. A journey sprinkled with an undefined X factor that leaves our user with instant recognition without the need for explanation -a quality that flows through every vein of Keepit.

An experience starts before the product is even used by our customers. As Don Norman, the inventor of UX, puts it, ‘No product is an island […] It is a cohesive, integrated set of experiences […] Make them all work together seamlessly.’

Leveled circulation

On both conscious and unconscious levels, a human experience is perceived and processed as a sum of different events. The more you know about people, the better experience you will be able to design. To translate such a complex sum into a consistent Keepit experience, we use our Design System as a single documented source.

Here all Keepers will find Design Principles, components, guidelines, patterns, and themes. However, the UX circulates on more levels. To grasp this in a software context, mapping out different levels of the experience can help.

Interaction level

On this level, we work with both look and feel when interacting with the product, from visual design to Information Architecture to navigation. The focus is to design the experience of a certain interaction that a user has with Keepit to perform a task, such as restoring data in Keepit’s application.

However, a user interaction can also exist outside the product interface. One example is receiving support. Each of these interactions are single strokes of experiences that play a role in the relationship with our customer.

On the interaction level, our Design Principles, guidelines, and patterns play a central role. We operationalize this with a pyramid logic in layers, with a theme on the top level and dos and don’ts on the bottom level. Here is an example:

Design Principle: Keepit Sets Me Free

  • What users should feel: In every interaction, I as a user should feel the freedom of being in control. This means being offered the most relevant choices at the right time. The choices should lower my cognitive load so that I feel enabled to effortlessly succeed at my tasks.
  • Examples of what users should think: ‘I control the situation’ – ‘This is unbelievably easy’- ‘Keepit makes me better at my job’- ‘I get what I need when I need it’
  • Examples of what users should see: Recognizable patterns – An easy first entry to the system – Understandable language
  • What designers should do: Always give feedback – Build a strong visual hierarchy – Know and understand the user – Always remember what problem we are solving for the user
  • What designers should not do: Don’t make the user wait, don’t speak in system language, don’t overload the user with information

Journey level

Zooming into the journey level, we recognize that putting UX first is not isolated in the product interaction itself. The key word here is ‘journey’. Mapping out journeys enables us to discover user needs and pain points, in the quest of providing seamless and consistent experiences across Keepit’s channels.

There are methods to identify key needs and transform them into design challenges. Apart from organized methods, such as usability tests, analytics, and organized customer interviews, there are also more organic user dialogues. From support, through live events, from sales, and so on. In all these touchpoints there are chances to identify key user needs and discover how the Keepit product can solve real user problems.

The key point here is to identify where the needs and pain points are rooted; define the root problem and translate this into design challenges. Further down the road, when ideating on design solutions, the user experience should be consistent in every chosen design solution. Again, this is where the User Experience pyramid, with its design principles at the top, plays its role as a foundation for the other experience levels.

A level connecting the dots

This means that UX is related to the spirit of Keepit, across the whole company. Throughout the different areas of expertise of Keepit, UX connects the dots and remembers to keep the users’ needs at the core of what we do: to deliver simple and safe backup solutions that can set our customers free from the worries of losing data. Keepit’s UX delivers this X factor in its tone of voice, the product’s look and feel, user touchpoints, and customer dialogues.

Keepit’s UX goal is to deliver a consistent heartbeat of look and feel throughout the user journey, anytime, anywhere – pumping it through Keepit’s veins.

UX metrics

As designers, we recognize the challenge in measuring UX, since we are dealing with human behavior and attitude. Here we use deliberate approaches such as confirmation bias. When working on improvements to Keepit’s UX, our main goal is to gather insight, combined with quantitative results.

We want to understand the context and situation that the user is in when encountering Keepit, as well as how this context affects the user.

We also want to know what works, what doesn’t, and why. These insights are gathered through activities such as user interviews and observations. The outcome should be an understanding of user values, supported by quantitative data on average numbers or rates. Additionally, usability metrics give value to the work of measuring. Our different approaches have the common mission of delivering an excellent User Experience, based on data-informed decisions.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Enhancing OT Security Without Disrupting Operations

What is Operational Technology?

Cybersecurity has come a long way in the recent past. Its importance is felt in all aspects of modern life, both personal and industrial. The current digital and network advancements are steadily pushing Information Technology (IT) and Operational Technology (OT) towards integration. While IT systems interact with each other for data-centric computing, OT systems involve hardware and software that monitors or controls physical devices and processes to detect or cause changes in an industrial environment or enterprise.   

OT plays a significant role in Industrial Control Systems (ICS) and encompasses a wide variety of programmable systems such as Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control Systems (DCS). These are found in many aspects of the environments we interact with daily, which makes keeping these systems secure a top priority.  

Industrial systems traditionally have relied on human monitoring and management through proprietary control protocols and software. Today, however, more industrial systems are automating these processes in a bid to boost efficiency and deliver better and smarter analytics through the convergence of OT and IT systems. This fills in the  gap that previously that isolated OT from IT. This bridge ensures that the information passed down to the people, sensors, devices, and machines is accurate and on time.  

How IoT Adoption Affects OT Systems

Anyone who has been around long enough to see how the internet and modern technology have changed the world can attest to its benefits. The shift to making most aspects of human life ‘smart’ has had both positive and negative effects. In a bid to make OT systems more efficient and reliable, most people have adopted integrated enterprise software and analytic data services. This makes processes and systems such as cooling efficient and also monitoring devices easy and more cost-effective. 

This action comes with one main downside; an increase in security risks. The connection of these systems leaves industrial networks and components vulnerable to OT security deficiencies such as lack of encryption, buffer overflow, backdoors and other tailored attacks on physical components. 

The digital attack surface also grows massively. For instance, in a configuration where things go through a switch, it would be difficult to monitor the traffic or detect changes. This makes the network vulnerable to targeted attacks. Some economies or communities could face utter devastation should their industrial systems be attacked due to the high cost of some of the industrial equipment.  

On the brighter side, industrial networks can be protected without risking non-compliance or disruption of operations. While IT security deals with data flow and its protection, OT security is focused on the safety and efficiency of industrial operations. By implementing proper security strategies and policies that ensure the visibility of all network control traffic, you can effectively reduce security risks and protect operations. 

Modern OT Security Approaches

The integration of OT and IT systems has led to the development of OT security. This is done in a bid to protect lives and assets and ensure that there is no operating downtime leading to production losses. The common standards and practices for secure OT systems are detailed by bodies such as The National Institute of Standards and Technology and the UK’s National Cyber Security Center. Their reports have detailed information on OT risk management, vulnerabilities, recommended practices and guidelines. These form the framework for different ways to secure OT systems.

When protecting OT systems, one must first understand the vulnerabilities that they face. Now that OT, IT, and IoT systems have become part of an indistinguishable system, any margins of error could mean a collapse in the whole network. Some of the ways OT networks are compromised by malignant elements include:   

  • Unauthorized Changes: This could consist of disabling safety sensors and alarms. This also increases the risk of bad actors inputting instructions that could lead to downtime. 
  • Interference With Critical Infrastructure: Access to sites and operational systems should only be granted to authorized personnel. Interference of control units and equipment protection systems could lead to irreparable damage, 
  • Manipulation or Modification of Sent Information: Hackers use this technique to disguise unauthorized changes and breaches as they penetrate the system. 

It is always essential to understand that attacks could come from within. It could be rogue employees with infected USBs or even poor coding. This means that industrial security has to be both preventive and offensive. Apart from the conventional security protocols, OT protection must be based on a fully visible IT/OT infrastructure. This means employing monitoring and analysis tools that can detect even the most minute anomalies.  

Best Practices for OT Security

An efficient OT security plan should incorporate three main levels of protection and include the following practices: 

Using Next-Generation Firewalls (NGFW) in OT Networks

Traditional firewalls had their drawbacks in terms of network speed, awareness limitations and their inability to adapt to new threats. Next-Generation Firewalls (NGFWs), on the other hand, offer the best security against threats by giving you complete control of the industrial systems. These firewalls are made to meet any configuration in the ICS for maximum visibility and monitoring. Organized architecture in terms of control ensures efficient and uninterrupted workflow.  

Having Efficient System Restore Plans

Should there be any breaches or failures of certain components within the OT network, there should be protocols to restore functionality without delaying operations. The SRP should take the least amount of time. Moreover, despite the conditions or challenges faced, the industrial environment should be designed in a way that ensures operations can continue running, awaiting restoration. This means enabling the workforce access to manual control and emergency operations.  

Risk-Based Vulnerability Management

The RBVM system provides comprehensive information on possible threats and the extent of their effects. In collaboration with network analytics such as mapping constant monitoring, it is possible to anticipate the risks that the threats pose and prepare the security team with efficient responses or possible SRP.  

These layers of protection also need to be coupled with other general security practices. For instance, access to OT network devices and systems should be restricted to unauthorized parties. This can be achieved by separating the cooperate network from the OT network. On the other hand, remote access solutions should be available.  

Remote access is a contentious security measure. One of the channels used by bad actors is the backdoors that remote access leaves. To counter this vulnerability, remote access sessions can be restricted and monitored by time and user activity. When it comes to safeguarding data, the best solution is encryption. Backups and restore points also need to be in place. Using these tools and security protocols means that the OT network remains secure while the industrial environment remains fully operational. 

What the Future Holds for OT Security

The best part of technology is its nature and tendency to evolve. This means that cybersecurity will only get better. At the moment, OT security faces a couple of minor setbacks primarily due to its nature. A fact that is evident in the design of these systems. Since they are meant to run for years, the focus is placed more on their reliability rather than security. As more OT systems are connected to a network, their lack of initial security and use of legacy protocols poses significant risks.  

As mentioned, however, the beauty of technology is adaptation. To maneuver these challenges, businesses are adding newer devices to their OT enterprises and taking OT cybersecurity seriously. It is clear that the future of OT security is bright due to the growing investment in OT security. Professionals in this sector are increasing in number every day after its necessity was realized.  

Cloud technology has also improved the industrial environment by connecting workplaces. This game-changer is poised to boost production and ensure efficiency while still maintaining low production costs. 

Controversial as it may sound, even hacking and other unauthorized breaches help increase OT security. This inverse effect is due to the fact that by revealing the gaps and vulnerabilities in the system, light is shed on the areas that require patching or even upgrading.

Final Thoughts on OT Security

In conclusion, every party involved in this industry must acknowledge the need for upgraded and efficient OT security solutions. There is a need to pool resources and specialize in OT Cybersecurity if its development is to be sustainable and future-proof.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。