Blog

With the escalating cyber threats that affect the U.S. Government, the U.S. Department of Commerce issued a Defense Federal Acquisition Regulation Supplement (DFARS) to safeguard the U.S. Department of Defense’s (DoD) unclassified information. The regulation now requires all aerospace and defense companies to be compliant.

Roadmap to DFARS Compliance

In order to be considered DFARS compliant, organizations need to pass a readiness assessment according to the NIST SP 800-171 guidelines.

On average, it will take an organization about six to ten months to become compliant, depending on the organization’s current security status and the available resources they have at their disposal.

Planning is the key to ensure success in your DFARS compliance expedition. It is essential to treat this as a major project, with the mindset of having the needed resources and funding set ahead of time. Many companies hire specialists and consultants and this can really expedite the process, plus it can help an organization to avoid common errors.

Let’s look at an action plan or roadmap to guarantee your cloud environment is safe and compliant according to the DFARS mandate.

Step 1: Calculate Your Organization’s Applicability

Key Question: How can your organization stay relevant?

Using the controls listed in NIST SP 800-171, document the gaps between your current position and the expected end goal.

To ensure your organization is applicable, check off these essentials for Step 1:

• Review all contracts to pinpoint important DFARS clauses and provisions.
• Review DFARS to determine the type of CDI or CUI (see Clause 252.204-7012) that applies.
• Check your applicability with the Contracting Officer as needed.
• Define what systems, processes, programs, applications, hardware, software, people, etc. fall under the scope of your NIST 800-171 compliance.

Step 2: Build a Remedial Plan to Safeguard against Non-Compliance

Key Question: What is your current Security Status?

In order to stay NIST SP 800-171 compliant, make sure you can put a check next to these measures:

• Conduct a control gap analysis against NIST SP 800-171.
• Develop solutions for the identified defects that you find.
• Meet with your subcontractors and other business partners to make sure you are both on track and in step for compliance.

Step 3: Implement Your Remediation Plan to Ensure Compliance

Key Question: Have you developed a plan of action to track your progress?

Developing a system security plan will give you the peace of mind in knowing that you are going to be compliant. You won’t have to worry about fines and penalties.

• Develop or revise controls as needed to remedy the control gaps with NIST SP 800-171.
• Organize your validation testing after remediation is completed to confirm controls are designed and operating effectively (You then need to make sure you have the agreement of your Contracting Officer).

Step 4: Continuously Monitor and Follow-Up

Key Question: How do you maintain constant monitoring to ensure compliance?

Establishing a plan to effectively monitor your compliance can be achieved by doing the following:

• Use tools, templates, reports, and metrics to develop an ever-flowing monitoring program.
• For accountability, organize monitoring activities and provide status updates to significant investors on your performance and progress.

Conclusion:

To Be DFARS Compliant, it is important to remember to set controls in place for current systems and data, while remembering the need to cover new systems and data as they are created. If you fail to keep this in mind, you will assuredly find yourself falling short of compliance.

There is a propensity within organizations to place an emphasis on the controls during the implementation phase, but once the system is up and running, they tend to take their foot off the gas and eyes off the road. Sustaining constant compliance is a never-ending process. You must continuously make sure that new data and systems are effectively classified and that the correct controls are applied. Once DFARS is running and business returns to normal, a high level of attentiveness must be maintained to guarantee the safety and compliance of your organization.

The acquisition of user IDs has become much easier for cybercriminals in the globalization era. A variety of methods can be used to steal passwords, including spyware, keyloggers, and phishing attacks. This can lead to the total loss of essential data held in company or private databases. Most of the methods used by these cyber criminals involve the use of malware that has been designed to steal user credentials. Based on the objectives of a particular cybercriminal, a variety of malware methods are applied to fulfill those goals.

A significant proportion of methods used to steal user credentials consider the use of malware. Additionally, phishing attacks use malicious attacks through communication channels such as emails where malware-loaded websites are disguised as genuine ones to trap unsuspecting users. Other types of attacks include spyware and keylogging which, for a variety of incidences, has been observed to continually grow in both complexity and frequency of attacks.

Signs of a Malware Infected PC

One of the diagnosis methods of identifying whether a computer is infected with a virus is through the observation of random pop-ups and significantly increased booting time. Instances like these are associated with spyware configured to steal essential data from users without them noticing.

The objective of using spyware on user PCs is to ensure that information stored in browsers and other sensitive areas is well camouflaged. This includes communication channels such as email. Cyber crooks will attempt to acquire your passwords without you noticing that anything is wrong. Though this seems like a flawed technique that wouldn’t work all the time, the truth is that it works exceptionally well. For instance, 158 million social security numbers were stolen in 2017. That doesn’t include all the other types of records and data stolen from individuals and companies.

Malware Injection Technique

For reliable security dodging methods, process injection is a method of integrating malware and lifeless adversary strategy in trade-crafting accounting for the integration of custom codes within the address bars of other processes. The variety of injection techniques includes the following methods.

Portable Executable Injection

Shellcodes and Create Remote Threads are among strategies used in malware injection where malicious codes are copied into accessible active processes commanding them to execute as the originals. Through this strategy of attack, the malware does not require writing malicious code on a disk. Instead, it does so by calling Write Process Memory on the host procedure. The impact of this procedure is that the injected code copies its PE to another process with an unidentifiable base address commanding it to re-compute the original addresses of its PE.

Process Hollowing

Process hollowing is a technique that malware applies to take into account the mapping or hollowing out of the primary code from within the memory of the target’s procedure while overwriting the memory target process with an executable malicious code. The function of the malware is to create a new process designed to host the malicious code presenting it in a hanging form awaiting for the Resume Thread Function to be called in order to execute.

This process leads to the switching of the original file contents with the malicious payload. Processes used for mapping the memory include two API examples, the ZwUnmap and the NtUnmap Views of Section. In order to succeed in assigning new memory for the malware, this procedure takes advantage of the malware’s unmapping of the memory and proceeds to execute the loader, VirtualAllocEx that facilitates the application of the malware to the Write Process Memory on the identified vulnerable target.

Classic DLL Injection Through Create Remote Thread And Load Library

This technique is among the most popular method used in malware injection into other processes. By commanding the implicit address space to process the malware code using the dynamic-bond library, the approach facilitates the creation of Remote Threads in the target process through process loading.

The primary objective of the malware is to target a process for injection. This procedure is generally performed through a search of the processes to call a trio of APIs that include CreateToolHelp32Snapshot, Process32 1st, and 2nd. The specific functions of each of these APIs include the cataloging of heaps and returning a snapshot, retrieval of the first process, and the iteration through the previous two processes respectively. After successfully allocating the target process, the malware is able to execute through Open Process calling.

Conclusion

This article reported on a number of techniques used by malware attackers in concealing unauthenticated activities in other processes. Two procedures are observed to facilitate the functionality of malware and include open injection of a shellcode on another processor or the command of other processes to load malicious libraries on behalf of the malware. Cyber thieves are constantly updating their attack procedures to stay one step ahead of IT professionals. That makes locating and eliminating malware threats a full-time job.