Security Design Considerations

Security is a high priority for customers in a multi-tenant environment. While virtual infrastructures are relatively secure in their basic installation, additional changes are required to adhere to certain security audit requirements. This section provides an overview of some of the security measures considered within the reference design, as they are subject to the wider security protocols required in an offering for managed services.

Hypervisor Hardening

VMware ESXi 5 is a small-footprint version of VMware’s hypervisor. This minimal footprint also reduces the attack surface. ESXi implements support for Intel TXT. The capability is managed and controlled by xStream software for trusted compute pools, providing visibility to the integrity of the platform and enforcement of trust policies for deployment and migration of virtual machines. The ESXi installation comes with a number of additional security features:

  • • LDAP integration
  • • Management interface firewall
  • • Lockdown mode
  • • Logging

These features have to be enabled corrected to ensure hardening. With the high priority attached to security in the multi-tenant paradigm being used in the cloud platform, using ESXi 5.x is recommended. In addition to this, basic security measures such as setting a strong root password should be used and compliance requirements that are necessary for compliance with the security standards selected for the platform are checked.

Firewalls and Network separation

To provide end-to-end separation of client data, it is important to ensure that no element in the infrastructure allows data to comingle or be accessed by another client. This is especially true of the networking design and infrastructure.

In order to achieve this, the reference design prescribes the infrastructure to be entirely separate from the customer VPN landing zone, through to the individual virtual machines and at all points in between. To achieve this, the reference design uses of the following technologies:

  • • VLAN
  • • Virtual switches
  • • Virtual appliances
  • • Firewalls and routing infrastructure

Every cloud customer is assigned one or more individual VLAN, as needed. Customer network traffic remains isolated from each other within a VLAN. The switch to which a VLAN is attached is also assigned the same VLAN tag. The only way for machines in VLAN A to talk to machines in VLAN B (and vice versa) is for the router to be configured to allow that conversation to occur. To ensure that the switch configuration is unified across all hosts in a cluster, the reference design uses distributed virtual switches. These ensure that the switch configuration associated VLAN tagged switch port groups are the same across all attached hosts, thereby limiting the chances of a misconfiguration of VLAN tagging on the virtual switch.

In addition to the VLAN tagging, the reference design also makes use of other traditional networking separation and security tools. A key technology is firewalling. Both virtual and physical firewalls are needed to ensure separations throughout the environment, from access to the physical network, including DMZ separation using physical firewall devices, and virtual firewalls to ensure visibility and separation across virtual machines.

Firewalls are required to scale to the highest VPN session counts, throughput, and connection speed and capacity to meet the needs of the most demanding customers. Offering protocol-agnostic client and clientless access for a broad spectrum of desktop and mobile platforms, the firewall device delivers a versatile, always-on remote access integrated with IPS and Web security for secure mobility and enhanced productivity.

The reference design ensures that throughout the network, be it virtual or physical, industry standard separation is enabled, and further guaranteed and improved by the inclusion of specific industry leading technologies that ensure even greater levels of granularity and visibility within the system.

Management Network Firewalling

For additional security, putting the hosts and management servers behind firewalls provides additional security and separation of the management services. Ports will be required to be opened for VMware virtual infrastructure to work.

Virtual Networking

VMware virtual infrastructure implements a virtual networking component that allows for virtual switches and port groups to be created at the software layer and operate as if they were physical infrastructure. There are certain features and ways to configure the networking to improve network segregation and prevent possible network vulnerabilities.

These are:

  • • Use VLAN tagging
  • • Disable MAC address changes
  • • Disable forged transmits
  • • Disable promiscuous mode
  • • Prevent and monitor for spoofing

Note that some of the features need to be enabled for certain customers— for example, for internal IDS scans—but should only be changed explicitly from defaults on an individual basis. As mentioned earlier, all customers will be assigned their own VLAN, and this will remain enabled. As a recommended practice, the reference design calls for use of different vSwitches to physically separate network traffic, disable forged transmits, and segregate management network traffic from virtual machine traffic.

Anti-Virus Software

Anti-virus and anti-malware software is always a consideration by any company when security is in question. For the management layer, anti-virus software is recommended on the virtual machine manager server and any other appropriate virtual machines. The definition of anti-virus policies and the deployment of anti-virus agents by a service provider to the tenant’s virtual machines fall outside the scope of this reference design. Tenant segregation and the use of security devices such as firewalls and IPSs—and, if selected, technologies such as virtual firewalls—will ensure that any viruses on a tenant’s virtual machines will not spread to other tenants. It is recommended that approved anti-virus software be installed on management layer virtual machines. Unless specified by the service provider, the tenant is generally responsible for installation of anti-virus software on production virtual machines.

Cloud Management Security

The cloud management layer provides the basis for all management functions surrounding the reference design. It ties into all the other technologies previously listed and provides some additional functionality to assist in the creation of a secure and auditable cloud environment. The security elements required by a cloud management portal are as follows:

  • • PCI/ISO/FedRAMP/NIST 800-53 associated security controls
  • • Governance, risk, and compliance (GRC)
  • • Trusted execution platform

Trusted execution platform is the one element that we have covered in depth in the earlier chapters, so we will not cover that here. Let’s cover the other two elements briefly in the next two sections.

Security Controls

The security controls implemented in the reference design are based on NIST 800-53/FedRAMP, GLB, iTAR/EAR, applicable security controls to measure and secure connectivity between data centres.

What is Cyber Warfare?

Definition for Cyber Warfare

A definition of Cyber Warfare is not easy. In fact definitions for Cyber or Warfare are both under debate. We will start with a simple definition of Cyber or Cyberspace. For the purpose of this chapter, we will frame the definition in the context of military environment. DoD defines cyberspace as the “notional environment in which digitized information is communicated over computer networks”. There is no official definition for just “cyber.” When you hear it by itself it could mean cybersecurity, computer network operations, electronic warfare or anything to do with the network. It is important to agree on what it means, for this book it will generally refer to cyberspace and be discussed in terms of computer network operations (attack, defend, and exploit).

The National Military Strategy for Cyberspace Operations defines cyberspace as the “domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures”. DoD (Joint Publication 3.0 Joint Operations 17 September 2006 Incorporating Change 2, 22 March 2010) defines cyberspace as a “global domain within the information environment. It consists of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” Within cyberspace, electronics and the electromagnetic spectrum are used to store, modify, and exchange data via networked systems. Cyberspace operations employ cyberspace capabilities primarily to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid (GIG).

United Nations (UN) defines cyber as “the global system of systems of Internetted computers, communications infrastructures, online conferencing entities, databases and information utilities generally known as the Net.” This mostly means the Internet; but the term may also be used to refer to the specific, bounded electronic information environment of a corporation or of a military, government, or other organization.

For a definition of warfarewe cannot turn to an authoritative source. TheUNdoes not have a definition, so we will default to the two historical standards for military doctrine: On War, the exhaustive work documenting tactics during the Napoleonic War period in 1873 and The Art of War a more condensed version of how to conduct warfare composed in sixth century BC. Are these definitions applicable to what is happening on the Internet today? Can these historical concepts be applied to the virtual world? Is the military perspective the right one to look at this problem through? The answer to all questions is a declarative: YES. That is where this book becomes applicable: to help solidify what cyber warfare means. First there is no governing body to determine what definition we should use, so the definition is normally based on the perspective of the person speaking. Governments, finance companies, Internet providers, international corporations, organizations with a specific cause, and lawyers all give us a different answer. As for historical concepts, there are many that are based on geography which no longer apply, but most principles and practices can be modified to be useful when it comes to the new World Wide Web’s Wild West. Finally, we think if we are going to use the term warfare we should use the military perspective but throughout this book we will take the time to explore the other options because our systems are connected to the same battlefield on which the nation states are fighting!

What Does Cyber Mean

The word cyber is generally believed to originate from the Greek verb κυβερεω (kybereo)—to steer, to guide, to control. At the end of the 1940s Norbert Wiener (1894–1964), an American mathematician, began to use the word cybernetics to describe computerized control systems. According to Wiener, cybernetics deals with sciences that address the control of machines and living organisms through communication and feedback. Pursuant to the cybernetic paradigm, information sharing and manipulation are used in controlling biological, physical and chemical systems. Cybernetics only applies to machine-like systems in which the functioning of the system and the end result can be mathematically modelled and determined, or at least predicted. The cybernetic system is a closed system, exchanging neither energy nor matter with its environment. (Porter 1969; Ståhle 2004) The prefix cyber is often seen in conjunction with computers and robots. William Gibson, a science-fiction novelist, coined the term cyberspace in his novel Neuromancer (Gibson 1984). Science-fiction literature and movies portray the Gibsonian cyberspace, or matrix, as a global, computerised information network in which the data are coded in a three-dimensional, multi-coloured form. Users enter cyberspace via a computer interface, whereafter they can ‘fly’ through cyberspace as avatars or explore urban areas by entering the buildings depicted by the data. Cyber, as a concept, can be perceived through the following conceptual model (Kuusisto 2012):

  • Cyber world: the presence of human post-modern existence on earth.
  • Cyber space: a dynamic artificial state formed by bits
  • Cyber domain: a precisely delineated domain controlled by somebody,
  • Cyber ecosystem: systems of a cyber-community and its environment
  • Cyber environment: constructed surroundings that provide the setting for human cyber activity and where the people, institutions and physical systems with whom they interact,
  • Cyber culture: the entirety of the mental and physical cyberspace-related achievements of a community or of all of humankind.

Many countries are defining what they mean by cyber world or cyber security in their national strategy documents. The common theme from all of these varying definitions, however, is that cyber security is fundamental to both protecting government secrets and enabling national defence, in addition to protecting the critical infrastructures that permeate and drive the 21st century global economy.

Global Threat Summary report Second Week December 2017

Here is the Second Week December 2017 Global Threat Summary reports which provides an overview of the current threat landscape from around the world.  The report includes a summary of the threats we’ve recently profiled, including:

  • Doppelganging process helps malware go undetected on Windows
  • Microsoft issues out of band patch for Security program flaw
  • TurkHackTeam Hacks And Defaces EU And UN Targets

The Global Threat Summary is designed to provide organizations with an overview of the current threat landscape from across the world. It combines assessment of the strategic picture with a thought leadership approach and is also a collated summary of all the threats that we have profiled each week. The report should be received at a high level within organizations to give an overview of risk and summary of trends.

1. Strategic insight

This section includes a review of significant reports that have been published and provides a strategic viewpoint on identified or high profile trends.

1.1 The Reality of Contemporary Cybercriminal Groups

MalwareByte’s The New Mafia: Gangs and Vigilantes report illustrates one perception of the strategic state of contemporary cybercrime. Dividing the threat landscape into four crude groups, MalwareBytes seeks to influence CEOs and C-Grades understanding of the different business risks posed by cybercriminal groups. In a more academic-styled report, MalwareBytes strikes a tone much supported in industry, namely that as cybercrime becomes more sophisticated, more businesses are vulnerable.

Strategic assessment:

MalwareBytes’ report makes cybercrime a business leader’s priority through exposing a wide contrast between business leaders and “technologists” recognition of the threat landscape. MalwareBtyes purports this contrasts to have been created by a shared idea that cybercrime is considered the domain of CIOs and IT departments. Dubbed as a flawed approach by the report, “the extent of cybercrime and the depth of the strategies needed to combat must be central to general business strategy – thus, it must become the domain of chief executives”.

This false belief has converged with intensifying and increasingly frequent cybercrime activity. As the report notes, ‘in the first 10 months of 2017, the number of attacks had already surpassed the total for all of 2016. The average number of monthly attacks has also increased by 23% in 2017. 2016 itself saw a spectacular rise in business-targeted cybercrime, with a 96% increase in attacks compared to the previous year”.

Therefore, the acknowledgement of divisions of cybercrime is a useful handrail to help identify and recognize part of the contemporary cyber threat landscape at a strategic level. The supposedly “new syndicates of cybercrime” are: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. These generalized divisions are not as “new” as the report suggests but remains a useful framework to unpack the complexities of malicious actors. In analysis, the divisions are academic only, with current actors not fitting so neatly into such partitions.

MalwareBytes characterize the groups by: the presence of an organizational structure akin to crime families, the sophistication of hacking, the emergence of a highly professional service economy for cybercrime and the co-option of these services by ideological groups and nation-states.

Ideological groups, often referred to as hacktivists outside the report, are categorized by their motivation in perceived moral and ethical duty. Interestingly, MalwareBytes view these groups as attempting to use the threat of classified leaks to coerce governments and individuals to act in their favour. However, WikiLeaks aside, ideologically-motivated groups target a more diverse set of entities than just governments. For example, mid-2017 witnessed cyber divestment campaigns targeted against private businesses as part of anti-fracking demonstrations in Lancashire, UK.

The state-sponsored hackers were also slightly mis-defined in the report, given as “beyond the international espionage that typically comes to mind with state-sponsored activity, these hackers are increasingly interested in corporate theft and sabotage”. However, this definition is hard to substantiate when contrasted against the current APT-Cybercriminal relationship.

Historically, excluding cyberespionage as a motivation, the division between high-end cybercriminal actors and state-orchestrated groups, or APTs, is trivial as the groups are not mutually exclusive and often share individual actors. It is important to note, that groups that fall under this category, due to their geopolitical motivations, target private enterprise. For example, the Lazarus group targeting of Bangladesh banks or APT10’s CloudHopper operation. Although simple categorizations help understand the picture, it is important to understand that such divisions are a slightly distorted reality.


2. Threat Reporting

This section provides a summary of the threats that Security Threat Intelligence has profiled over the past week. These are categorized based on modules included in Threat Reporting which is covered in Section 2 whilst Section 3 covers Cybercrime and Hacktivism.

2.1 Malware analysis

Doppelganging process helps malware go undetected on Windows systems Threat 4a L M H
Target: Windows users (currently just a PoC) Attack Vector: RCE
Summary: A new malware evasion technique has been discovered and unveiled at the Black Hat Europe 2017 security conference in London. The technique, called Process Doppelganging, exploits a built-in Windows NTFS transaction function, allowing malware to be bundled into a Windows system undetected.

The process bears many similarities to Process Hollowing, a similar technique, which also replaced the memory of a legitimate process with malicious code. It deceives process monitoring tools and antivirus by replacing code in the original process.

Process Doppelganging differentiates itself though its exploitation of the Windows built-in function of NTFS Transactions. Firstly, Doppelganging utilises the NTFS transactions to make changes to an executable file, which is then executed but not committed to disk. This ensures the malware remains invisible to security products. Secondly, the undocumented implementation details of the process loading mechanism, which attackers must obtain. Details are used to load the executable file that has been modified using NTFS transactions and the changes are rolled back. As such, this creates a process from the modified file, without triggering any security processes.

Risk Assessment Summary:

The threat is assessed as 4a LOW. This is a Proof of Concept (PoC) and has not been seen in the wild. In order for an attacker to successfully exploit this flaw, they will need prior access to a machine.

If it can be achieved, it is very effective, however, the attacker needs a high level of knowledge on Windows systems and components to exploit this flaw. The flaw is not yet publicly disclosed. In a successful attack, any type of malware can be placed on the system, heightening the risk. However, it should be noted that once malware is placed on the system, it is no longer hidden. When the next scheduled security scan of the system runs, the malware will be discovered and most likely removed. Some systems also have real-time monitoring, scanning new files which are dropped on the system. While the malware may be able to get onto the system undetected, once it is there it will not be so easily hidden.

Napoleon Extension Added to Blind Ransomware Threat 4a L M H
Target: Standard users (none specific) Attack Vector: Compromised IIS server
Summary: A new variant of the “Blind” ransomware, named “Napoleon”, has emerged. As the predecessor to Napoleon, the original Blind ransomware was initially discovered in December 2017. When executed, it scans all available drives on a targeted user’s system, determines which files can be encrypted and then proceeds with the encryption of the targeted files with the .blind extension. Recently, however, an altered version of Blind has been spotted with the extension .napoleon. Attackers deploy the malware in a fairly uncommon way, by manually dropping it onto the targeted machine via a compromised Internet Information Services (IIS) web-server. After Napoleon is dropped, it will look through files on the system and add the .napoleon extension to every file it can encrypt. After the encryption is complete, a ransom note is left in HTA format. Unlike Blind, Napoleon is not currently removable without the attacker’s private key.
Risk Assessment Summary:

The threat is assessed as 4c LOW. As with most ransomware, the threat is the associated cost of losing access to files on the targeted system, with decryption highly unlikely. However, considering it must be manually deployed on a machine via an already compromised IIS server and is not expected to be wide-reaching, the likelihood of an average user being infected is low. Furthermore, actors employing Napoleon are currently using an emails address to collect payment for the campaign, suggesting it is not meant to be widespread.

2.2 Vulnerability reporting


Global Threat Summary report First Week December 2017

Here is the Global Threat Summary reports First Week December 2017 which provides an overview of the current threat landscape from around the world.  The report includes a summary of the threats we’ve recently profiled, including:

  • Q3 2017 Akamai State of The Internet report
  • Bitcoin’s exponential value brings increased threats to cryptocurrency
  • Kaspersky boycott crosses into Britain

The Global Threat Summary is designed to provide organizations with an overview of the current threat landscape from across the world. It combines assessment of the strategic picture with a thought leadership approach and is also a collated summary of all the threats that we have profiled each week. The report should be received at a high level within organizations to give an overview of risk and summary of trends.

1. Strategic insight

This section includes a review of significant reports that have been published and provides a strategic viewpoint on identified or high profile trends.

1.1 Q3 2017 Akamai State of The Internet report

Akamai’s State of the Internet Q3 2017 report highlights useful quarterly statistics on threat vector trends. Akamai used data obtained globally from its infrastructure and DDoS solution to detail the current level of network-based attacks. Overall, more attacks were detected, which is expected due to rising technological skill sets, tool availability and sophistication. However, the geographical nature of these threats, as discussed in the report, opens questions about the perceptions of “less risky” cyber security regions.

Strategic assessment:

Comparing Q3 2016 and Q3 2017, several key trends have emerged:

• Web application attacks have increased by 69%

• Attacks sourcing from the US increased by 217% (Q3 2017 Top Source Country)

• The US also bears the brunt of targeting – 11 times as many registered attacks as the second most targeted, Brazil.

Overall, they show that US IP addresses are most likely to be the source of an attack. According to Akamai, 39% of all recorded attacks were attributed to US IP addresses, trumping Russia with 7%. Geographical-based blocking or rule sets may need refining to account for this finding. This is especially prudent for US domestic markets as the report also details a much higher risk of attack. Netherlands, Ukraine and Brazil accounted for 6% each.

The report also detailed that the emerging market for DDoS activity is Germany with “22% (58,746) of the unique IP addresses used in volumetric DDoS attacks” traced to the country. The report does not say what is driving this increase in unique IPs but, on a strategic level, it suggests that Germany’s technology infrastructure is perhaps neglecting cybersecurity.

The report found 86% of DDoS attacks targeted gaming customers. Indeed, the statistic may be viewed as more of a reflection on Akamai’s customer base which has over-represented the gaming industry. The culture around the gaming industry means the sector is more susceptible to DDoS targeting, as the threat vector is used a means of score-settling. However, every sector should still plan and mitigate for a DDoS activity.

2. Threat Reporting

This section provides a summary of the threats that Security Threat Intelligence has profiled over the past week. These are categorised based on modules included in Threat Reporting which is covered in Section 2 whilst Section 3 covers Cybercrime and Hacktivism.

2.1 Malware analysis

Bitcoin’s exponential value brings increased threats to cryptocurrency


Threat L 3e


Target: Web users Attack Vector: JavaScript
Summary: In the cybersphere, Bitcoin has featured a great deal in reporting due to its incredible year of trading. Introduced in 2009, 2017 has seen it the value greatly increase, with stock rising from $1000 dollars at the start of the year to over $11,000 in November. Investors are willing to pay increasing amounts for the asset due to a fear of missing out on potential profit, similar to the dot-com bubble. In addition, the currency is being used at a growing rate with speculation that it may gain a foothold in the mainstream financial industry. At the moment it cannot be used to pay bills, taxes or settle debts. However, it can be used for a range of online activities, purchasing items on the dark web for example, as well as many everyday activities such as music downloads or gift cards. The digital currency, existing online, is a virtual token and there is no middleman in a transaction. This peer-to-peer characteristic is something that attracts many to the cryptocurrency market.

The rise of Bitcoin has inevitably also brought about a new wave of threat actors across the cryptocurrency spectrum attempting to reap the rewards of the rising stock through the illegal means of spreading malware. In order to obtain cryptocurrency, without actually buying it, they have to be “mined” using a high volume of computer power and resources. It involves solving large amounts of algorithms and, if successful, a user can gain currency. Due to the scale of processing power required, some miners work with several machines together to acquire currency.

This has also resulted in a shortage of affordable graphics cards, with the price of the stock rising far above RRP prices as they are extremely effective for crypto mining. While they have seen a rise in demand for many years, more recently their value has increased exponentially. This is due to certain types of mining cannot be carried out with specialized application-specific integrated chip (ASIC) mining hardware, leaving graphics cards, particularly AMD, as the only viable solution. The demand is so great that Nvidia has announced plans to release graphics cards specially designed for crypto mining.

A result of the increase in the value of cryptocurrency is threat actors infecting websites with coin mining code, designed to run in the background of the machine of any visitor to a targeted website. Once this is done, the threat actor can have hundreds, even thousands, of unsuspecting users helping mine for cryptocurrency on their behalf.

However, Bitcoin is notoriously difficult to mine and requires significant processing power, Other cryptocurrencies have been put at risk instead, with threat actors using victim’s machines to help them in their mining activities.

Risk Assessment Summary: It should be noted that this attack vector offers scope for a user to have their machine used for activities they are unaware of and undertaken without their permission. Additionally, this activity utilises RAM and CPU of the victims power without permission. Although coin-mining does not perform any malicious activity, it does expend a user’s CPU power and RAM without their permission. There are certain websites (detailed in this report) that have this code injected into their site and this is certainly increasing. Therefore a risk exists here but it is still reasonably low due to mitigations which can be put in place.

3. Cybercrime and hacktivism

3.1 Global geo-political threat analysis

Kaspersky boycott crosses into Britain Threat L 3e


Target: Businesses using Kaspersky products Attack Vector: Supply-chain
Summary: Since 2015, Russian Anti-Virus software company Kaspersky Lab has allegedly been working with the Russian government to aid interference into the 2016 US Election and pass Intel from the United States government to Moscow. Many professionals within the security industry believe it is probable that Kaspersky software; installed on the machines of NSA employees, helped obtain intelligence for the Russian government. When Israeli hackers breached Kaspersky systems, they uncovered stolen tools belonging to the NSA.

The resulting actions by US Homeland Security caused them to remove all Kaspersky products from all branches of the US Government, damaging the Russian antivirus providers’ market share, along with their reputation. This drastic decision lead to many other Kaspersky customers reviewing their partnership. In December 2017, Kaspersky has begun to lose business on this side of the Atlantic. The UK National Cyber Security Centre advised all government departments against using Kaspersky software for systems related to national security. Following this, all anti-virus products from Russia were effectively banned.

In addition, Barclays, who offer Kaspersky products to over 2 million customers, halted their distribution of Kaspersky as a free product and notified 290,000 customers who had taken up the offer.

Risk Assessment Summary: It appears the Russian government has already gained access into the NSA they may also be exploring access into other organisations. As the NSA, UK Government and Barclays have all taken steps to limit Kaspersky’s presence in their businesses, this indicates it is considered a tangible threat. Although highly likely, it is not confirmed that the attack vector is via Kaspersky. Since the NSA discovery, Russian government operations have been brought into the spotlight. This mitigates the threat to some degree and affords businesses the opportunity to review their vendors, limiting their attack vectors.