COVID vaccine trials

Grappling with COVID-Themed Cyber Attacks: Pharmaceutical Sector

 

The pharmaceutical industry has been in the crosshairs of cyber attacks, more frequently than ever, in the last few years. The industry appeals to cybercrooks, who are motivated by financial gains, as they generate and manage some of the most sensitive data. State-sponsored actors, with the support of governments and with the intention of settling scores with other countries, target their healthcare industries. In the event of a full-scale cyberattack, the pharmaceutical sector could incur huge losses, both financially and in terms of its invaluable data. The data, which includes Intellectual Property (IP) of patients, is then invariably sold on the dark web or held “hostage” for ransom. 

As a result, the affected organization sustains:

  • Legal penalties, 
  • Fines, 
  • Damage to business, brand reputation,
  • Lack of confidence in customers,
  • Declining revenue,
  • Network, utility outages,
  • Risk of supply chain disruption.

Recent COVID- Themed Cyber Attacks Based on the Region

India and APAC

Indian pharmaceutical giant Lupin confirmed a security incident that impacted its IT systems in November 2020 after a similar ransomware attack targeted Dr. Reddy’s Laboratories. The recent surge in cyber attacks in the Indian pharmaceutical sector is also because they are in the process of delivering affordable medicine on a large scale, owing to COVID-19. 

Interestingly enough, the ransomware attack that hit Dr. Reddy’s was soon after the company had received DCGI’s (Drug Control General of India) approval to conduct clinical trials of the Russian Sputnik-V vaccine. The personal information of individuals who participate in clinical trials are also at a risk of data exposure. Such attacks aim to derail the race towards a successful vaccine in India as well as other countries. The surge in cyber attacks against pharmaceutical companies in the APAC (Asia-Pacific) region has cost the industry close to $23 Million. 

Europe

From a global perspective as well, cyber crimes are increasingly targeting pharmaceutical companies. Recently, several European pharmaceuticals such as Swiss giant Roche, were attacked by a hacking group dubbed Blackfly. The activities of this group was traced back to China and it points to the conclusion that these attacks were state-sponsored. Blackfly, also known as the Winnti Group, deploys Winnti malware in all of their attacks, a malware known for its supply chain attacks. European manufacturers BASF and Henkel were also victims of the same ransomware group. 

Moreover, drug regulators like EMA (European Medicines Agency) have also not been spared from cyber attacks. The EU Drug regulator EMA confirmed that it was hit by a cyber attack and that the actors managed to access documents related to a COVID-19 vaccine. German biotechnology company BioNTech is in the process of developing a vaccine to treat COVID-19 along with strategic partner Pfizer. The duo suffered a cyber attack earlier this month and confirmed that its regulatory submission was accessed. 

Although EMA didn’t agree to the nature of the attack, it stated that few documents related to the regulatory submission by Pfizer and BioNtech vaccine candidates, stored on the EMA server, have been viewed. The timing of these attacks was impeccable, as EMA was working on getting the approval for 2 COVID-19 vaccines and it could have had devastating effects on the entire process. 

America 

The US drug regulatory authority FDA (Food and Drug Administration), however, outsmarted threat actors looking to steal data from them and had COVID-19 related sensitive documents delivered to them physically through FBI agents. 

Experts across the globe have traced most COVID-related attacks on pharmaceuticals back to China, North Korea, and Russia. And although the victims of these attacks have not been named, we can confirm that at least some of these companies were infiltrated successfully. 

Countries like India, UK, US, Canada, France and South Korea are all at different stages of clinical trials and development of COVID-19 vaccine; and they have all been targeted by threat groups during this global health crisis. Reports have attributed the attacks to Russia-based threat group Strontium and North Korean threat actors Zinc and Cerium. Some of the methods believed to be part of their tactics are password spray and brute force attacks (by Strontium) to steal login credentials and spear-phishing, fake job offers (by Zinc). In one of the recent examples of phishing attacks, the operators behind Cerium sent spear-phishing emails masquerading as World Health Organization (WHO) officials. 

The Way Out 

Businesses should identify their most important digital assets as well as critical assets that facilitate smooth business operations and product development. This includes identifying critical data, its location, who has access to them, the network on which their mission-critical data resides, what are the attractive propositions for threat actors. Once the critical assets are identified, organizations should segregate and protect their assets. 

They should also allocate budget for a well-rounded security system which covers intrusion detection systems and threat intelligence software. This in turn keeps them updated regarding the status of their assets. With the help of a SaaS-based vulnerability alerting platform such as CloudSEK’s XVigil, your organization is equipped to protect their data, brand, and internet exposed infrastructure, against imminent cyber threats and breaches.

Analysing Third-Party App Stores for Modded APKs Through Signature Verification

 

Even after the ban of major Chinese apps like PUBG, they were available for download on third party app stores. Similarly, modified versions of apps such as Spotify and Hotstar, that offer access to premium services without intrusive advertisements, for free, are also popular on the third party app stores. Although such apps may look quite similar to their original versions, they are not developed by the same manufacturer. Users resort to third party app stores when certain apps are not available on official stores like Google Play store and Apple App Store, or if they are too expensive, or simply because they contain too many ads. Third party-app stores are popular among users due to the following features as well:

  • Provide access to the older versions of the app
  • Free games and applications as opposed to their expensive equivalent
  • Apps available in multiple languages
  • Downloads incentivized with perks such as virtual currency and other rewards
  • Access to beta versions of apps
  • Free-trial period for apps

 

High-Risk Modded APKs

Modded APKs are basically modified versions of genuine Android packages (APKs) that contain additional features, unlimited in-game currency, keys, or passes, etc. Such APKs may even contain backdoors that potentially compromise the device and its users. 

 

  • Hidden dangers in Spotify adfree apps

The third-party iOS app store TutuApp offers pirated versions of games/ apps, unauthorized games, as well as ad-free versions of applications like Spotify. In the particular case of Spotify, independent developers repackaged the original iOS app with a built-in ad blocker. Such applications request for independent permissions that allow threat actors to access different parts of a phone. 

TutuApp leverages Apple’s enterprise certificate program that allows other organizations to build and deploy in-house, proprietary apps for their employees. This is also another way to evade Apple’s screening process.

 

 

  • Suspicious Pokemon Go apps

Several applications associated with Pokemon Go have been repackaged and released into the wild, targeting both Android and iOS users. Here are the various categories these apps belong to:

  1. Repackaged versions of Pokemon Go, infected with Trojan (Android). For instance the Pokemon Go app injected with a RAT dubbed SandroRat.
  2. Repackaged versions of Pokemon Go, infected with adware (Android). 
  3. Malicious apps that masquerade as the Pokemon Go app, to carry out odd, unexpected activities such as enrolling oneself as the device admin (Android).
  4. Repackaged, modded versions of Pokemon Go that bypass in-app billing, spoof locations, etc. or disable jailbreak detection (Android and iOS).

Some of these apps are inherently malicious, made to target its users. While others have been tampered with and provide users with an advantage.

 

CloudSEK’s Analysis of Over 50 Third-Party Stores

For the purpose of an ongoing research, CloudSEK conducted an analysis on more than 50 third-party app stores. The main purpose of this study was to check the credibility of these stores and to detect whether the apps available on such stores contained any modded code that varied from the one in the official APK. In order to achieve this, the APKs of similar apps, belonging to the same version were downloaded from the official app store as well as the third-party app store. Then, we conducted signature verification on all third-party apps. 

 

The Process of Signature Verification 

By default, the Android OS requires all applications to be signed, to be installed. This signature allows you to identify the author of an application (which can be used to verify its legitimacy), as well as establish trust relationships between applications that share the same signature. Even though there are multiple versions of the APK Signature Scheme (V1 – V4), every application currently includes signature version V1 (dubbed JAR signature) to maintain backward compatibility.

 

Signature Verification Scheme V1

  1. Each APK contains a signature file in its META-INF/ folder.
  2. META-INF/<signer>.(RSA|DSA|EC) is the signature used to sign every file in the APK.
  3. The different RSA|DSA|EC options are for different crypto signatures, one META-INF folder might contain only one of these signatures.
  4. META-INF/ MANIFEST.MF contains a digest of signature for each file.

 

How does the verification process work?

  1. The process starts by searching for the signature file in the APK ZIP file within the META-INF folder.
  2. The OpenSSL is then used to extract the signature.
  3. Finally, the signatures are compared with that of the official APK and the results are returned.

 

Results of the Analysis

We verified around 990 third-party apps using the signature verification process. Some of the third party app stores that were analysed were allfreeapk, apkpure, apksfull, apktada.

We detected a total of 10 third-party apps that were modified or for which the signatures did not match and that contained a different code that’s different from the original APK. These are some of the apps that contained modded APKs:

 

App Store Name
Package Name
App Name
Oceanofapk
  1. com.picsart.studio
  2. com.spotify.music
  3. com.gaana
  1. Picsart Photo Editor
  2. Spotify
  3. Gaana
Aptoide com.truecaller Truecaller
Apk20 com.pinterest Pinterest

 

Analysis of the Modded APK

  • Picsart Photo Editor 

Package name
com.picsart.studio
Store Name
Oceanofapk
Version
PicsArt_v15.1.5

 

Vulnerabilities found 
  1. Android Fleeceware (PUA)

Apps that cajole users into buying a free trial of their services, and charges them exorbitant subscription fees once the trial period ends. Such fleeceware apps do not function unless provided with the users’ payment details. If users fall for this trick and supply their details, the app uses these details to debit the subscription fees after the trial period is over, without the consent of the user.

  1. Heur/HTML RefreshScript 

Heur/HTML.Malware is malware that is detected using a heuristic detection routine which is designed to find common malware scripts in HTML files. 

 

  • Spotify

Package name
com.picsart.studio
Store Name
Oceanofapk
Version
spotify-premium-8.5.80.1037

 

Vulnerabilities found
  1. Ewind Trojan 

The Ewind Trojan is essentially an adware that monetizes applications by displaying unwanted advertisements on the victim’s device. Adware also gathers device data and is also capable of forwarding messages to the attacker.  The adware Trojan could in fact even allow full remote access to the infected device.

  1. Riskware/Jiagu!Android

Riskware constitutes apps that are not inherently classified as malware. However, it may utilize system resources in an unexpected or annoying manner, and/ or may pose a security risk to the victim device. 

 

Users will notice screens similar to this one on their affected device
Users will notice screens similar to this one on their affected device

 

How do attackers modify official apps?

Apart from the prominent examples that we have shared above, there are quite a large number of modified apps lurking in third-party stores. And it’s only a matter of time before the next victim falls prey to one of these thousands of malicious apps. Let’s have a look at some of the methods by which attackers manage to modify official applications. 

  • Add a Debugging Flag in a Configuration File

The attacker adds “debug=true” to a .properties file in a local app, manually. The application then returns log files that are quite descriptive, upon its launch. These log files provide attackers with access to the backend systems. Which in turn enables the attacker to search for vulnerabilities within the system, so as to exploit them.

  • Code Manipulation

The attacker adds conditional jumps within the code which allows them to bypass the process of detecting a successful in-app purchase. This helps them obtain as many game artifacts and abilities as possible, without having to pay for them. The attacker may also inject spyware into the app to steal the identity of their victims. 

  • Unauthorized Access to Administrative Endpoint

An attacker could gain access to the administrative endpoint that the developers leave exposed during the process of endpoint testing. The attacker could perform string analysis of the binary to find out the hardcoded URL to the administrative REST endpoint. Followed by which the attacker could use ‘cURL’ to execute back-end administrative functions.

  • Usability Requirements

Usability requirements specify that the mobile app passwords can only be 4 digits long. Server code stores a hashed version of the password. As the password is very short, an attacker will be able to deduce the original password using rainbow hash tables. If the attacker manages to compromise the password file on the server, it could expose the user’s password.

  • Certificate inspection 

A secure channel is established when the app and the endpoint connects through a TLS handshake. If the app accepts the certificate offered by the server without inspecting it, it could disrupt the mutual authentication protocol between the endpoint and the app allowing man-in-the-middle (MiTM) attacks.

Third-party applications may thus seem innocent, but could in fact be nefarious and have grave implications on its users. However, third-party apps that are malicious can be identified with processes like signature verification. Users have to avoid or observe caution before installing apps that are not from the official app stores.

Browser extensions

How Browser Extensions can Exploit User Activities for Malicious Operations

 

What are browser extensions?

Browser extensions are mini-applications that add more features and functionalities to the browser. Some of the most common extensions are ad blockers, password managers, grammar check extensions, screenshot creators, and translators. They allow users to integrate their browsers with their preferred services. 

Upon installation, extensions require permissions such as access to read, edit, and alter data on the websites that the user visits. Permissions that allow extensions to read the user’s browsing history or modify the data that the user copies and pastes is a surefire way to enable the extension to monitor all your activities. However, for well-functioning browser extensions users usually grant such permissions or overlook the extension’s default settings.

Browser extensions Permissions

Most browser extensions offer features that interact with the current web page, such as  password managers that fill in passwords for different websites, or dictionary extensions that provide instant definitions for words. For the same reason, users do not concern themselves with permissions. 

Some extensions require broader permissions. For example, the Web Developer extension for Chrome requires the permission to read and change users’ data on the websites they visit and their browsing history, modify the data that users copy and paste, and change user settings that control the website’s access to features such as cookies, Javascript, plugins, geolocation, microphone, camera, etc.

Browser Extensions Web Developer

If an extension is allowed to access all the web pages that the user visits, the user could be opening the door to malicious attacks. It could function as a keylogger and capture sensitive information, insert advertisements, redirect the search traffic to malicious sites, etc. This doesn’t mean that every extension is malicious, but they can surely be dangerous.

Browser extensions that work statically and don’t connect to external servers are generally safe. Extensions that require a connection to the server to retrieve data are more sensitive because cybercriminals may capitalize on this feature; they can hijack the server or the domain name to further their malicious scheme.

Few extensions may display ads:

Browser Extensions Ads
Extensions are part of a long-running ad-fraud and malvertising network. When Chrome’s add-ons were first announced in 2009, initially most extensions focused only on certain areas, but primarily they were used to block ads. However, currently, those same extensions display advertisements.


Is it safe to let your browser manage passwords?

Internet usage has skyrocketed over the last decade, and today an average user spends 6.5 hours online, on a daily basis. Online services such as  email, social media, online stores, and streaming services are the most popular platforms users spend their time on. However, for convenience, most users save their passwords on browsers to enter the password for that site upon login, automatically. Trying to memorize multiple passwords can be tricky. Therefore, more and more browsers ask users whether they would like the browser to save their credentials. If users enable this option, their passwords are saved and synchronised locally and on other devices that the user has used to login.


Your secure extensions can transform into malware  

In some cases, popular browser extensions that are trusted to be secure are sold to shady organizations or even hijacked. Malicious groups who take charge of such extensions set up updates that can turn seemingly harmless extensions into malware. The compromised extensions connect the browser to a command and control architecture, to exfiltrate sensitive data of unaware users, and expose them to further risks.

 

Underground marketplaces that sell fingerprints

The unauthorized data collected may include sensitive information like login credentials to the user’s online payment portal accounts, e-banking services, file-sharing or social networking websites. It may also steal cookies associated with these accounts, browser user-agent details, and other browser and PC details.

Cybercriminals, very recently, realized the value of unique fingerprints of users, where these digital identities are being sold on underground marketplaces such as the Genesis Store and Russian Market.

Genesis Store operators have developed a .crx plugin for Chromium- based browsers to make it easier to use stolen identities, in any way they want. The plugin installs stolen digital profiles into the cybercriminal’s browser, allowing the actor to activate a doppelgänger of the victim. Then, the attacker only needs to connect to a proxy server with an IP address from the victim’s location to bypass the anti-fraud system’s verification mechanisms, pretending to be a legitimate user.

A snapshot of available Genesis bots:

Genesis Bots


Conclusion

  • Fewer the extensions on your browser, the better. Do not install extensions that raise even the slightest suspicion in your mind. Fewer extensions would only help your browser to be faster. Extensions not only affect your computer’s performance but it can also be a potential attack vector. 
  • Install extensions only from official Web stores. The extensions available in such stores undergo security tests, with security specialists filtering out those that are malicious from head to toe. Even though this does not guarantee safe browsing experience, they are better than the extensions from external sources. 
  • Observe the permissions that extensions require. If an extension that is already installed on your computer requests a new permission, it could be a red flag. There is always the possibility that the extension might’ve been hijacked or sold.
  • Before installing any extension, it’s always a good idea to go through the permissions they require and make sure that they are appropriate for the functionality offered by the extension. If the permissions requested do not seem logical in correspondence to the extension’s functions, it’s probably better not to install that extension at all.

Contemporary Single-Page Applications and Frontend Security

 

The past decade witnessed a meteoric rise in the number of applications adopting the Single-Page Application (SPA) model. Such applications are designed in such a way that the content on every new page within the application appears on a single web page, without having to load new HTML pages. Single-Page Applications leverage JavaScript capabilities to manipulate Document Object Model (DOM) elements, allowing to update all the content on the same page. 

A more traditional web page architecture loads different pages as the user attempts to open a new web page. In this case, each HTML page is usually linked to other pages. Upon each page load, the browser fetches and displays a fresh page.

Whereas, Single-Page Applications are enabled by JavaScript frameworks such as React, Angular, and VueJS. These frameworks help to conceal the complex functions that SPAs perform. They also provide additional benefits such as modular reusable components, state management, etc. Such modern frameworks help SPAs execute web pages effortlessly, as compared to multi-page applications that use Vanilla JavaScript. Using plain JavaScript makes it difficult to keep the UI updated with dynamic state changes. 

The emergence of such frameworks causes changes in the security implications it may have on the frontend. Therefore, it is necessary to understand their internal machinery while disassembling client-side code and how modern frameworks change the attack vectors. 

 

Build Process

As is customary, a developer creates a web page by defining the page structure in an HTML file and its styling in a CSS file. Then, it is linked in HTML using tags such as <style> or <link>, by embedding JavaScript code with <script> tags. However, building Single-Page Applications is more complicated than this. 

Frameworks such as React and Vuejs provide a virtual DOM, which allows you to steer clear of raw HTML. A virtual DOM, unlike a normal DOM, is a concept in which the representation of the UI is stored in memory, instead of rendering it on the browser with every change. This allows faster changes to DOM. The code is also written in modular JavaScript files which is then processed in the build process.

Here’s a diagram overviewing the build process:

 

Single-page application build process

 

Transpiling

JavaScript is a dialect of ECMAScript and it isn’t a fixed standard; new features are added to ECMAScript with newer standards, every few years. While newer standards are released frequently, no browser JavaScript engine (Chromium V8, Safari Javascript Core, Firefox SpiderMonkey) fully implements all the ECMA specifications, each having certain differences in features they support. Also your code needs to be compatible with older browsers released to support older specifications alone.

Transpiling enables you to write modern code which is then converted to standards and features that are supported everywhere, for e.g. ES6 -> ES5. You might use const, let to define your variables but the transpiler helps to convert it to var, internally.

Transpiling is also used to convert code in JavaScript dialects such as Typescript and Coffeescript to plain JavaScript. Each dialect contains its own transpiler such as tsc for Typescript. Babel is the most prevalent transpiler.

 

Bundling

A typical modern app contains hundreds of external dependencies when you look at it recursively and it isn’t practical to load each of those separately in a script tag.

Through the process of bundling, you can take each import or require statement, find the source files and bundle them all into one single JavaScript file, applying appropriate scoping.

With the help of this process, all of the code that makes the application work is bundled together; the business logic code as well as the boiler-plate code are bundled together.

 

Minification/ Obfuscation

The final JavaScript output usually can be very large due to extra spaces or unnecessary, redundant data. Therefore, the final step in the build process is to minify the code. During the process of minification, comments/ whitespaces are removed, identifiers are renamed to shorter variants, and certain routines are simplified. This process then leads to obfuscation, wherein the final code is unreadable and differs highly from the source code.

Bundling and minification is usually done using Webpack.

 

Single-page application: Original code - easy to read
Original code – easy to read

 

Single-page application: Transpiled, Bundled, Minified final output - unreadable
Transpiled, Bundled, Minified final output – unreadable

 

Reverse engineering code

Once the code has been minified in the build process, security researchers will have to de-minify it to study the app. As most of the information such as variable names are lost during the process of minification, there isn’t a straightforward way to do this. However, there are certain tools to aid you in the process such as jsnice.org

jsnice

This tool uses machine learning to restore minified variable, function names and infer type information. It also formats the code and adds comments.

After this step, you are still left with a bundled code, but the main logic would be readable.

To debundle it into modules, we need to know how Webpack or any other bundler works.

 

Debundling

A bundler starts with an entry point file – the root of your application logic – and traces import and require statements. It then builds a dependency graph, module A requires B which requires C and D, and so on. 

If you look through the Webpack chunks after they have been passed through jsnice, you’ll find a lot of calls to “__webpack_require__(<number>).”

__webpack_require__” is similar to the require JavaScript syntax in functionality, except it contains the logic to load modules from the chunks.

The only way to unbundle a bundle is to construct the abstract syntax tree (AST) manually, as there have been attempts to debundle that aren’t maintained anymore.

You could use these resources to study in depth how a bundle file works and to know the internals of Webpack. In this video, Webpack founder Tobias Koppers shows us how bundling is done manually.

 

Security Tip

Single-page application security

How do these frameworks change attack vectors?

Reduced XSS

React does not render dynamic HTML; it sanitizes content coming from all variables, even if they do not contain dynamic content. Here XSS is all but eradicated unless the developer uses an unsafe function such as dangerouslySetInnerHTML.

In that case, even if you find data reflection you would not be able to insert HTML.

 

CSP-Bypasses

You could use certain gadgets available in Angular to bypass Content Security Policy (CSP) in certain cases.

<img src=”/” ng-on-error=”$event.srcElement.ownerDocument.defaultView.alert($event.srcElement.ownerDocument.domain)”

  />

Here, if CSP is blocking inline scripts but the page is using Angular, you could use the ng-on-error attribute to get Angular to execute the JavaScript. These types of gadgets are often patched but discovered regularly in Vuejs and Angularjs. 

 

Why programming skills are essential for pen-testers

Why programming skills are essential for penetration testers

 

Some security professionals across the world would say that one does not need to learn coding to hunt for bugs in web applications. In fact, some experienced security professionals would go even further to suggest that entry-level positions in cybersecurity and hacking does not require extensive knowledge of programming.

Although this holds true to some extent, a career in hacking and pen-testing web applications demands in-depth knowledge in programming.

 

Where do many researchers go wrong?

In case of Cross-Site Scripting (XSS) attacks, for instance, researchers report the bugs by triggering an alert. This clearly does not call for advanced understanding of programming. 

But they may lack the skills to exploit the same bug to create a javascript code so as to steal cookies or leverage the XSS bug to carry out other malicious activities. 

Inspired by such bounty hunters, beginners in the field assume that all they have to do is fire up Burp Intruder, add a list of payloads, and prompt an alert on the browser to earn a quick buck. 

 

Why do you need to learn programming in security testing?

Understanding the application:

Awareness and proficiency in programming can help a researcher understand an application’s infrastructure and the implementation of its many functionalities. Once you are familiar with the workings and technicalities of web applications, even entry-level programmers can certainly outsmart amateur coding enthusiasts. 

 

Attack automation:

Hackers use tools such as Nmap, Metasploit, Amass, etc. to automate enumeration and exploitation processes. Automation of enumeration attacks saves them a lot of time and effort. By learning how to code, you are also opening yourself up to vast knowledge, which can guide a beginner to build such tools on their own. Apart from that, while pen-testing, a programmer at some point will have to write a code that can exploit a vulnerability; for instance, when you have to pass the current timestamp along with a request, you need to automate it using coding. This requires that you are well versed with programming.

 

Conclusion

Programming is said to be the future of innovations, and a necessary skill to master. Therefore, a security professional should undergo training and have adequate knowledge regarding programming. Anyone pursuing a career in penetration testing should consider programming as an essential part of their occupation. It does not merely set you apart from peers, but also gives you a competitive advantage over them. 

 

Happy Automation! 

What makes web applications an easy target for hackers?

 

Web applications form a major part of an organization’s attack surface and according to Verizon’s 2020 Data Breach Investigation Report, web applications are the single most significant cause for data breaches. Web application attacks account for 43% of all successful data breaches. 

These websites contain several vulnerabilities such as Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), Server Side Template Injection (SSTI), and more. Some of these vulnerabilities allow intrusion of corporate networks. These vulnerabilities are the result of mistakes that programmers make. Developers trust and hope that their applications will end up in the right hands, which often turns out to be the biggest mistake they ever made. 

In this multi-part series about web apps, we explore the common mistakes and threats affecting web applications, as well as point out factors regarding applications that appeal to threat actors. The first part of this multi-part series focuses on web app user input and the pitfalls of not validating or sanitizing it. The article also sheds a light on the steps one can take to prevent application attacks and reduce vulnerabilities.

 

Rule #1: Never trust user input

While developing an application, web programmers should refrain from accepting data from users and in fact should presume all data is bad until proven otherwise. This is how threat actors leverage different vulnerabilities:  

 

Remote Code Execution

In an instance where the Image File Upload functionality of an application uploads the filename and contents onto a server, the server processes it further. However, if the application doesn’t validate user inputs, it permits the attacker to upload the server side language extension file, such as the .php file. This further allows the attacker to execute OS commands on the server.

 

Local File Inclusion 

Similarly, when web applications are coded poorly, hackers can inject local files into the include statements. For instance, an attacker can exploit the Local File Inclusion vulnerability by changing the path of a PDF file with that of another sensitive file such as passwd. If the application doesn’t validate the input, the attacker can simply read internal server files.

 

Example

Test URL: https://vulnerable.site/somefile.php?file=validpdffile.pdf

To 

Attacking URL: https://vulnerable.site/somefile.php?file=../etc/passwd

 

Server Side Request Forgery

In an attack that exploits this vulnerability hackers gain partial or complete access to the requests sent by the application, to abuse a functionality. This allows them to make the server-side application to configure HTTP requests that lead to malicious domains of the attacker’s choice. If the website does not validate the user input, the hacker can access internal server files and more.

 

Example

Test URL: https://vulneralbe.site/somefile.php?filetocall=https://external.site/somefile.js

To

Attacking URL: https://vulneralbe.site/somefile.php?filetocall=file:///etc/passwd

 

SQL Injection

This vulnerability allows hackers to insert or inject a query into an entry field, so as to execute malicious SQL statements. This enables actors to retrieve sensitive data from the database evading any security measures.

 

Example

Test URL:https://targetsite.com/somefile.php?id=2

However, if the web application does not validate the user input, the attacker can submit something like this:

Attacking URL: https://targetsite.com/somefile.php?id=’ OR ‘1’=’1’–+

From the above instances and scenarios it is clear that if the user input is not properly validated or sanitized, most web app vulnerabilities can be exploited, eventually leading to breaches and data loss.

 

How can you reduce vulnerabilities and prevent attacks

Let us look at the issue at hand before we suggest a solution. The following instance summarizes the problem:

This is a test application that accepts the user input and returns results based on it.

Web App normal search

An average user looks up topics such as Python or JAVA, while hackers with a malicious intent would submit something like this:

Web App unvalidated

There are a number of symbols we can inject, such as a single quote(‘), double quotes (“), open, closed angle brackets (<>), equals to (=), and open, closed brackets [()], and if the web application accepts these without validating them, attackers can used this as a weapon to steal session cookies of other people, by using advanced XSS payloads (Cross-Site scripting payloads).

Now, let’s try to understand the logic of the code:

Web App coding gone bad

The GET variable named $_GET[‘vulnparam’] at the TOP accepts the user input, which then allows the webapp to proceed with that variable name $vulparam. As you may have noticed, the user input variable $_GET[‘vulnparam’] is not validated. The web application is using it as it is.

The right way to code

In order to validate the user input first, we use the htmlentities() function that converts characters and symbols to HTML entities. This helps to prevent Cross-site Scripting (XSS) attacks and the web app proceeds further with the encoded user input.

 

Summary

Almost every OWASP Web Vulnerability is exploited in real world websites as web applications fail to properly validate user input, before processing it. Therefore, it is important that app developers and security testers regularly collaborate with each other. Once the programmer has built a particular feature or an app, security testers can test it before deploying them on the prod servers. Ultimately, this will save them a lot of time and prevent any data loss that could have resulted from exploitation. 

Cyber Trivia - Cybersecurity Quiz CloudSEK

[Quiz] Weekly Cyber Trivia Quiz Contest #4

Cyber Trivia Quiz is here!

Find out if you’re up-to-date on your cybersecurity news from across the world.

If you’re behind on the news, fret not. We’ve sprinkled in some hints to help you along.

We will select 3 people in random who submitted the quiz and got all 10 questions right.
Prize: Amazon Vouchers worth 100 INR to each winner.

Get cracking! #CyberTrivia

Why you should be worried about a cyber pandemic that could take over the cyberspace

 

Companies of all sizes and sectors fall prey to data breaches and ransomware attacks. Security incident(s) that result in data leakage can stain the reputation of the concerned organization, let alone the legal battle that follows. Enterprises spend millions of money on security products to attain a comprehensive security posture, yet attackers are able to  compromise networks and exfiltrate data. Threat actors as well as state sponsored actors craft sophisticated attack vectors that are undetectable and develop zero-day exploits for applications used by victim organizations. 

Quite often, the RaaS [Ransomware as a Service] model for ransomware developers are advertised on underground hacker forums. Today, anyone can make use of the RaaS platform and become a ransomware operator. Companies pay the ransom amount, when it becomes the only viable option. This emboldens threat actors to carry out more campaigns against organizations.

State sponsored APTs are more dangerous since they are backed by nation states. Their funding never runs dry, which in turn enables them to develop complex infrastructure. Target objective is another factor that makes APTs stand out, since geopolitical factors are their primary motivation and not financial factors.

Ransomware rate

Threat Landscape

Recent trends in the cyber threat intelligence landscape involves ransomware and banking trojans. Multistage complex malware downloaders can also be found in the wild. They facilitate further dissemination of ransomware and other spyware/ trojans. Certain ransomware groups also engage in looting cryptocurrency by compromising crypto exchanges.

 

Ransomware

Ryuk

Ryuk has been spotted in various attacks targeting enterprise organizations worldwide, demanding ransom payments ranging from 15 to 50 Bitcoins (BTC); which translates to between US$97,000 and $320,000 at the time of valuation. 

 

Fig1. Popular attack vectors
Fig1. Popular attack vectors

 

Ransomware targets Windows

REvil/ Sodinokibi

REvil/ Sodinokibi ransomware was first detected in 2019, targeting the health and IT sectors. Later, it began auctioning off sensitive data over the dark web, stolen from companies using its malicious code. As part of their tactics, this ransomware group threatens to release their victims’ data, unless their ransom demands are met.

 

Dharma/ CrySiS

Dharma ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016 and the threat actors behind the ransomware continue to release new variants which are not decryptable.

 

STOP/ djvu

Djvu is a high-risk virus that belongs to the STOP malware family. Firstly discovered by Michael Gillespie, this virus is categorized as ransomware and is designed to lock (encrypt) files using a cryptography algorithm. 

 

Ransomware strains reported

Fig2. Ransomware strains Q1 2020 (incl. STOP)
Fig2. Ransomware strains Q1 2020 (incl. STOP)

Cooperation between ransomware families has also been noticed to increase lately, enforcing more efficiency in operating Ransomware as a Service [RaaS] offerings.

Fig3. Ransomware strains Q1 2020 (excl. STOP)
Fig3. Ransomware strains Q1 2020 (excl. STOP)

STOP, Dharma, Phobos, and REvil have had major roles to play in the RaaS sector. They are very active, even today, carrying out their campaigns, especially Dharma and REvil.

Phishing and ransomware

Malware attacks vs. Malware-free attacks

Malware attacks are simple use cases where a malicious file is written to disk. This can be easily detected and blocked by Endpoint Detection and Response (EDR). Malware-free attacks are more in-memory code execution and credential spraying attacks that require more sophisticated detection mechanisms. We have seen an increase in malware-free attacks as part of campaigns since 2019. They successfully evade security measures and defenses set up by the enterprises.

 

Cost of a Ransomware Attack

The total cost of a ransomware attack includes the ransom amount (if paid), costs for network remediation, lost revenue, and the cost of a potential damage to the reputation of the brand. Recent trends in attacks indicate that more businesses are targeted and threatened to release data, for a ransom. 

It seems that ransomware groups have evaluated the long-term impacts of their attack on the brand image, trust, and reputation of organizations that refuse to pay up. Ryuk ransomware is largely responsible for the massive surge in ransomware demands. Ransomware operators demand an average of $288,000 for the release of systems.

Ransomware affectes business

Fig4. Largest amount of ransom reported in 2019
Fig4. Largest amount of ransom reported in 2019

 

Fig5. Largest avg. ransom pay-offs 2020
Fig5. Largest avg. ransom pay-offs in 2020

 

Ransomware statistics for 2020

Taking into account the current trend and statistics, ransomware + downtime costs for the top five countries for 2020 are estimated to be:

  • Italy: $1.1 billion – $4.3 billion
  • Germany: $1 billion – $4 billion
  • Spain: $830 million – $3.3 billion
  • UK: $469 million – $1.9 billion
  • France: $121 million – $485 million

 

Hidden Costs of ransomware

  • Downtime of Information systems
  • Loss of Reputation
  • Penalties/Fines[Compliance]
  • Legal Action from user

Avg. ransom payment

 

Cyber security during COVID-19

“WHO reports fivefold increase in cyber attacks, urges vigilance”

Threat actors have exploited COVID-19 extensively to carry out phishing attacks, masquerading as WHO and similar agencies, to deliver malware-laced emails. COVID-19-related phishing attacks went up by 667%, scams increased by 400% over the month of March 2020, making Coronavirus the largest-ever security threat. To make things worse, social distancing guidelines observed across countries forced organizations to work from remote locations, putting the security of such organizations at risk. Remote work exposed user endpoints to external threats and had the following impacts:

  • Increased security risk from remote working/ learning
  • Potential delay in cyber-attack detection and response
  • Business Continuity Plans (BCP) to feature global pandemics

 

Effective Threat Intelligence

For an average company earning $10K/ hour, operating 8 hours a day, and 5 days a week, the downtime cost is estimated at $1,760,000 each month. Estimated average downtime is 1-2 hours. Cost of 1.6 hours average downtime/ week for a Fortune 500 company is approximately $46M per year. 

A Distributed Denial of Service [DDoS] attack that temporarily disrupts the activities of a website, can last for a few days or even longer. According to the IDG DDoS report, 36% of companies that have experienced more than five DDoS attacks, suffer an average downtime of 7-12 hours.

An experienced Cyber Threat Intelligence (CTI) team gathers information from different sources and converts it into intelligence to safeguard client corporations. If an effective CTI is not part of a company’s mature security model they can fall prey to any attack at any time.

A CTI team can actively monitor and create actionable intelligence on the following areas of your business:

  • Supply chain 
  • Dark web monitoring for data leaks 
  • Zero-days
  • New emerging attack vectors

Threat intelligence must be actionable. Threat Intelligence provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) to the security team, especially to the Security Operation Center (SOC) team, for proactive/ reactive measures to counter cyber threats.

 

Indicators of Compromise

These are some of the common Indicators of Compromise:

  • IP addresses, URLs and Domain names used by malware
  • Email addresses, email subject, links and attachments used by malware  
  • Registry keys, filenames and file hashes and DLLs of malware 
Examples
  • hxxp://45.142.213.230/bssd [sectopRAT Trojan]
  • hxxp://45.142.213.230/blad [SectopRAT Trojan]
  • [email protected] [djvu ransomware]
  • [email protected]     [djvu ransomware]
  • ef95c48e750c1a3b1af8f5446fa04f54 [maze]
  • f04d404d84be66e64a584d425844b926 [maze]

 

Tactics, Techniques, Procedures/ TTPs

TTPs define the behaviour of a threat actor or group and explain how the actor carries out an attack against the network and makes a lateral movement within the intranet. 

MITRE ATT&CK is the most widely used, open-source threat intelligence framework to understand adversary tactics and techniques. There are 11 tactics and 291 techniques listed in this framework.

 

Example of Tactic and Technique

 

Tactic 
Techniques
Initial Access T1193: Spear Phishing Attachment
Execution T1059: Command-Line Interface

T1086: PowerShell

T1085: Rundll32

T1064: Scripting

T1204: User Execution

T1028: Windows Remote Management

 

The efficacy of a CTI team to predict the possibility of an occurrence and ensure effective implementation of mitigation measures is essential to the survival of any organisation in their current realm of operations.

 

Conclusion

To further their nefarious intentions, threat actors arm themselves with sophisticated tools and advanced capabilities. It is quite difficult for the law enforcement as well as cyber security practitioners to keep pace with these actors. An effective CTI system can help organizations contain the attack within the network, reduce associated costs, and minimize data loss. Investing in a strong CTI system will allow security operation centers to predict and mitigate attacks proactively. However, a CTI system is only as strong as its weakest link: humans. Human errors can cause even the most impenetrable, robust security system to fail. A good security system monitors information systems and applications and conducts regular vulnerability assessments and pentesting. But, a comprehensive security system prioritizes employee/ user training and updation on cyber hygiene and best practices.

Worst cybersecurity strategies and how we can overcome them

 

Towards the end of March 2020, almost all businesses across the globe had enforced remote work policy. And as governments are easing the social distancing rules and restrictions, some organizations have gradually reopened over the last few weeks. However, the pandemic has clearly had an adverse impact on small businesses and large corporations alike, and business leaders are not aiming for a quick comeback. Whether they have decided to resume work from the office or extend the remote work policy to 2021, companies in various sectors are strategizing for a transformation in the way they work and communicate. 

Cybersecurity witnessed a dramatic change during the last couple of months and unsecure remote workforces have forced organizations to recognize the importance of cybersecurity preparedness. Cyber attacks have increased multifold since the Coronavirus outbreak where cyber criminals preyed on an unready, unaware workforce. There has been a spike in the number of phishing attacks and malware, ransomware campaigns. So, as more organizations plan their comeback, hopefully every company’s plan and strategy prioritizes information security. It is also important that organizations steer clear of any security blunders that could cost them their reputation and financial standing. 

In this article we list some of the worst cybersecurity practices and strategies that could be detrimental to your organization, and compare them with alternate solutions and best practices.

 

Achieving 100% security vs. Minimizing risks

Although 100% security might sound like the perfect answer to emerging threats, it is likely that an entirely secure system is possible only when it is disabled. So the best alternate solution is to identify technological and financial resources your organization can spare, and minimize the risk of incidents that may occur. Simply being aware of this can help you build a better strategy of detecting the threat, establishing a mechanism to respond to the threat or prevent it, thereby minimizing the impact of the threat. It is also essential to understand the various attack vectors that actors use to infiltrate your organization, and to allocate available resources to address all these threats.

 

Lax with security updates vs. Regular software fixes

Security vulnerabilities are found on a daily basis and developers release patches frequently. However, businesses that have integrated such software usually fail to apply these patches and update the software. This could be because of stretched resources or lack of awareness. Harmful software vulnerabilities can create a security weakness/ holes which allows attackers to exploit and infect your systems, gaining access to your sensitive, personal information. The solution to this is a dedicated IT team to ensure that network and software are updated regularly. 

 

Pursue attackers vs. Prevent attacks

Attackers, these days, are pretty sophisticated and are quick to come up with new technologies that enable them to hack into your systems. Staying ahead of these actors is critical to save your organization from the humiliation and loss the attacks could cost you. This is why it is important to take proactive measures to prevent attacks and outrun cyber criminals, instead of pursuing them. Organizations should also be aware of the implications of a possible attack and should be able to defend their valuable assets. 

An assessment of the following attack vectors and technologies that could assist you in avoiding attacks altogether. Employees form a major part of the threat vector, thus making it important to keep them aligned with the organization’s cybersecurity practices.

  • Security vulnerabilities
  • Firewall settings
  • Anti-malware and anti ransomware technologies
  • Data egress points
  • Creating awareness among employees 
  • Training them to combat social engineering tactics
  • Practice good internet hygiene

 

Weak passwords vs. Password management programmes

Despite the increasing number of cyber attacks most users tend to fall back on weak or easy passwords, sometimes reusing the same passwords for multiple accounts. An online security survey by Google indicates that 52% respondents reuse the same passwords for several accounts. The Ponemon research, “The 2019 State of Password and Authentication Security Behaviors Report,” reports that 69% respondents have shared their credentials among colleagues. Also, 57% respondents have not changed their passwords even after enduring phishing attacks. Which also means that they have not considered alternate solutions such as Password Manager. 53% respondents mentioned that they rely on memory to manage their credentials. 

Password Managers assists users in memorizing passwords of all their accounts, for which the users simply have to remember the master password of the Password Manager. Password management programmes will also generate random, strong passwords when you create a new account. Organizations should also make sure that the access to company-related documents and software is limited. Password Managers also support two factor authentication methods, which adds an extra layer of security. 

 

Assume you’re not a desirable target vs. Prepare for the worst

Although it is true that cyber criminals target popular brands and companies, companies that are part of any industry are vulnerable to cyber attacks regardless of its size. In fact, small businesses are soft targets, considering the lack of resources allocated to protect their systems. Data breach of any scale is significant and the ramifications can be devastating. Privacy, data breaches can cost you more than a financial loss, it can tarnish your reputation and leave yourself wide open to lawsuits and legal action. 

Therefore, it is important for organizations to gear up against emerging cyber threats. Companies should resort to cyber threat monitoring solutions such as CloudSEK’s XVigil, to detect and prevent undesirable actors trying to target your security posture.

 

Using public Wi-Fi and unknown devices vs. Network Security

Unauthorized access to your computer network can lead to several forms of attacks such as Man-in-the-middle attacks, malware delivery, snooping, sniffing, breaches, etc. A major concern regarding public as well as home Wi-Fi is unencrypted networks which exposes your online activities to hackers. Similar is the case with unknown devices and unsolicited software. The use of such devices and software opens the door to malicious actors looking to abuse your systems. 

Establish a secure network and secure communications (SSL connections) over the network, and also make sure to log out of all your accounts once you’re done using them. While on a public network avoid accessing any sensitive information, including PII, addresses, banking information, etc. 

 

Coronavirus has brought about an extensive change in the workplace and in the way we work. Technology will surely have a significant role to play in all of it. Meetings, conferences and collaborations are increasingly conducted over the internet, adapting to a more decentralized organizational structure. These changes can also contribute to an undesirable impact on cybersecurity. When organizations are busy building contingency plans to accommodate COVID-19 into the way they work, we hope their plans won’t fall short of cybersecurity strategies.

How to build a secure AWS infrastructure

 

Every day more businesses migrate from their traditional IT infrastructure, while the pandemic has only accelerated the adoption of cloud technologies among remote workforces. Cloud services such as Amazon Web Services (AWS) have been widely accepted as a channel for cloud computing and delivering software and applications to a global marketplace, cost effectively and securely. However, cloud consumers tend to wash their hands of the responsibility towards securing their cloud infrastructure. 

Cloud service providers and consumers share the responsibility of ensuring a safe and secure experience on the cloud. While service providers are liable for the underlying infrastructure that enables cloud, users are responsible for the data that goes on the cloud and who has access to it. 

AWS cloud service

The AWS Well-Architected Framework is a guide/ whitepaper issued by Amazon on AWS key concepts, design principles, and architectural best practices. Security is one of the five pillars that this Framework is based on, upholding the fact that protecting your data and improving security is crucial for AWS users. This blog intends to summarize the whitepaper on the security pillar and discuss:

  • Design principles for AWS
  • Few use case scenarios, and 
  • Recommend ways to implement a securely designed AWS infrastructure. 

 

AWS provides a variety of cloud services, for computation, storage, database management, etc. A good architecture commonly focuses on the efficient methods for reaching peak performance, scalable design, and cost saving techniques. But other cloud infrastructure design aspects are given more importance, quite often, compared to the security dimension.

The security of the cloud infrastructure can be divided into five phases:

  1. Identity verification and access management with respect to AWS resources.
  2. Attack detection, identification of potential threats and misconfigurations.
  3. Controlling access via defining trust boundaries, applying best practices in operation.
  4. Classifying all data, protecting data at all states: rest and transit.
  5. Incident response: Pre-defined mechanisms to respond and mitigate any surfacing security incident.

 

The Shared Responsibility Model

As I mentioned earlier, it is the collective responsibility of the user and the AWS service provider to secure the cloud infrastructure. It is important to keep this in mind while we explore the different implementation details and design principles. 

AWS provides plenty of monitoring, protection and threat identification tools to reduce the operational burden of its users, and it is very important to understand and choose an appropriate service to achieve a well secured environment.

AWS offers multiple services of different nature and use cases such as EC2 and Lambda. Each of these cloud services have varying levels of abstraction that enable users to focus on the problem to be solved instead of its operation. The share of each party’s responsibilities similarly vary based on the level of abstraction. With higher levels of abstraction, the share of responsibility to provide security in the cloud shifts further to the service providers (with some exceptions).

AWS - Shared Responsibility Model
AWS – Shared Responsibility Model

 

Management and Separation of User Accounts to Organise Workload

Based on the nature of processes that are run on AWS, and the sensitivity of the data that is processed, workloads can change. They must be separated by a logical boundary and organised into multiple user accounts to make sure that different environments are isolated. For instance, the production environment commonly has stricter policies, more compliance requirements, and must be isolated for the development and test environments.

It is important to note that the AWS root user account must not be used for common operations. And using AWS Organizations one could simplify things and create multiple users under the same organisation, with different access policies and roles. Also, it is ideal to enable Multi-Factor Authentication, especially on the root account.

 

Managing Identity and Permissions

AWS Resources can be accessed by humans (such as developers or app users) or machines (such as EC2 instance or Lambda functions). Setting up and managing an access control mechanism based on the identity of the requester is very important, as these individuals seeking access could be an external or internal part of the organization. 

Each account should be granted access to different resources and actions using IAM (Identity and Access Management) roles, with policies defining the access control rules. Based on the identity of the user account and the IAM attached, certain critical functionalities can be disabled. For example, denying certain changes from all the user accounts, with exceptions for the Admin. Or preventing all users from deleting Amazon VPC flow logs.

For each identity added on AWS Organisation, they should be given access to only a set of functions that are necessary to fulfil the required tasks. This will limit unintended access to functionalities. And unexpected behaviours arising from any identity will only have a small impact. 

 

Leveraging AWS Services to Monitor and Detect for Security Issues

Regular collection and analysis of logs generated from each workload component is very important to detect any unexpected behaviour, misconfiguration or a potential threat. However, collection and analysis of logs is not quite enough. The volume of incoming logs can be huge, and an alerting and reporting flow should be set up along with an integrated ticketing system. AWS provides services such as these to ensure automated and easy processes:

  • CloudTrail: Provides the event history of the AWS account activity which includes all AWS services, Management console, SDKs, CLIs, etc.
  • Config: Enables automated assessment, auditing, and evaluation of the configuration of each AWS resource.
  • GuardDuty: Continuous security monitoring service that flags malicious activity surfacing within AWS environments by analysing log data and searching for patterns that may indicate any sort of privilege escalation, exposed credentials, established connections to malicious IPs, or domains.
  • Security Hub: Presents a comprehensive view of the security status of AWS infrastructure by enabling aggregation, prioritization, deduplication of security alerts from multiple AWS services and even third party products.

 

Protecting the Infrastructure: Networks and Compute

Obsolete software programmes and outdated dependencies are not unusual and it is essential to patch all systems in the infrastructure. This can be done manually by system administrators, but it is better to use the AWS Systems Manager Patch Manager which basically automates the process of applying patches to the OS, applications and code dependencies.

It is crucial to set up AWS security groups in the right way, mainly during the phase when the infrastructure is growing at a fast rate. Things often go wrong when unorganized, messy security groups are added to the infrastructure. Creation of security groups and assignment of them should be dealt with caution, as even a slight overlook can result in the exposure of critical assets and data stores, on the internet. Security groups should clearly define ingress and egress traffic rules, which can be set under the Outbound traffic settings. 

If some assets are required to be exposed on the internet, make sure your network is protected against DDoS attacks. AWS services such as Cloudfront, WAF, and Shield help to enable DDoS protection at multiple layers. 

 

Protecting the Data

The classification of all data stored at multiple locations inside the infrastructure is essential. Unless it is clear which data is most critical and which ones can be directly exposed on the internet, setting up protection mechanisms can be a bit of a task. Data resting inside all the different data stores must be classified in terms of sensitivity and criticality. If the data is sensitive enough to prevent direct access from users, policies and mechanisms for ‘action at a distance’ shall be put in place. 

AWS provides multiple data storage services, the most common ones being S3 and EBS disks. Application data can usually be found lying around inside data stores self hosted on EBS volumes. Also, all sensitive data that goes into S3 buckets should be properly encrypted prior to that. In fact, it would be better to enable encryption by default on these.

Protecting in transit data is also equally important, and to do that, secure connections are required, which can be obtained using TLS encryptions. Making sure that data is transferred over secure channels should be enough. AWS Certificate Manager is a good tool to manage SSL/ TLS certificates.

 

Preparing and Responding to Security Incidents the Right Way

Once all the automation has been set up, and security controls are put in place, designing incident response plans and playbooks becomes easier. A good plan must cover the response, communication, and recovery steps following any security incident. This is where the logs, snapshots and backups, GuardDuty findings play a critical role. They make the task relatively more efficient. Overall, the aim should be to prepare for an incident before it happens and to iterate and train the entire team to thoroughly follow the incident response plan.