Category Archives: Cybersecurity

The groundbreaking StormWall DDoS Sensor Appliance will be available on September 1, 2021

The information security solutions developer StormWall is releasing the StormWall Sensor Appliance, which protects businesses from DDoS attacks of any scale. The solution will be available from September 1, 2021 to all StormWall customers who use the Network Protection service. StormWall Sensor Appliance is an innovative product that increases the transparency of the edge infrastructure and detects DDoS attacks regardless of whether DDoS protection is active. The solution will be useful, first of all, to ISPs, hosting providers, and cloud providers. It allows them to ensure the maximum quality of service for users while optimizing the cost of DDoS protection.

Before releasing the sensor to the market, StormWall conducted successful beta testing of the product with a number of its major customers. The sensor will be available on a monthly subscription, with the cost depending on the total bandwidth of the analyzed traffic. The subscription will include updates and support, and the cost of using the sensor will be several times lower than the cost of the DDoS protection itself. The solution is installed from an ISO image on the client’s infrastructure; even a small virtual machine is sufficient.

The new sensor is part of a larger development by the company, a hardware solution for filtering DDoS attacks, reduced here to the functionality of a DDoS sensor that automatically activates cloud protection. StormWall Sensor Appliance has several advantages that will be useful to many companies: the sensor analyzes traffic both in real time and over a historical window, automatically detects DDoS attacks, and provides detailed statistics for each attack along with a sample of the attacking traffic. Attack detection thresholds can be adjusted both manually and through automated, intelligent tuning based on historical data, individually for different groups of hosts in the network.

The StormWall Sensor Appliance can make decisions based on traffic flows exported over the NetFlow and sFlow protocols, as well as on a SPAN copy of the traffic (including sampled SPAN). The sensor integrates easily with the network infrastructure via BGP, and integration via BGP Communities and BGP FlowSpec is also supported. In addition, the sensor exposes an API for integration with existing automation systems.

“As part of the business development strategy, StormWall continues to expand its line of innovative products and services. We are proud to launch a new useful product on the market. The appearance of such a tool will allow companies that manage their network to make their protection against DDoS attacks as effective as possible, while the solution will be offered at an affordable price,” said Ramil Khantimirov, CEO and co-founder of StormWall.

Check Point Software’s Mid-Year Security Report Reveals a 29% Increase in Cyber-attacks Against Organizations Globally

‘Cyber Attack Trends: 2021 Mid-Year Report’ uncovers how cyber criminals have continued to exploit the Covid-19 pandemic and highlights a dramatic 93% increase in the number of ransomware attacks globally

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has released its ‘Cyber Attack Trends: 2021 Mid-Year Report’, which shows how cyber criminals have continued to exploit the global shift to hybrid working and target organizations across all sectors, including government, healthcare and critical infrastructure.

Organizations have experienced a 29% increase in cyber-attacks globally. The EMEA region showed the highest growth at 36%, followed by the Americas with an increase of 34%, and APAC with a 13% growth in attacks. This year has also seen a new ‘Triple Extortion’ ransomware technique emerge. While there have been successful international operations targeting cyber-crime, such as the take-down of the notorious Emotet botnet, threat actors launched sophisticated attacks which exploited organizations’ supply chains to cause widespread disruption.

Key trends revealed in the report include:

  • Global increase in cyber-attacks: In 2021, US organizations saw an average of 443 weekly attacks, marking a 17% increase compared to earlier this year. In EMEA, the weekly average of attacks per organization was 777, a 36% increase. APAC organizations saw 1338 weekly attacks, a 13% increase. Specifically within Europe there was an increase of 27% while Latin America saw an increase of 19%.
  • The rise of ransomware attacks and ‘Triple Extortion’: Globally, the number of ransomware attacks on organizations increased by 93% in H1 2021, compared to the same period last year. Increasingly, in addition to stealing sensitive data from organizations and threatening to release it publicly unless a payment is made, attackers are now targeting organizations’ customers and/or business partners and demanding ransom from them too.
  • Supply chain attacks step up: The well-known SolarWinds supply chain attack stands out in 2021 due to its scale and influence, but other sophisticated supply chain attacks have occurred such as Codecov in April, and most recently Kaseya.
  • The race to become Emotet’s successor: Following the botnet’s takedown in January, other malware families are quickly gaining popularity, namely Trickbot, Dridex, Qbot and IcedID.
  • Predictions for H2 2021: Ransomware will grow, despite law enforcement stepping up. Increased use of penetration tools gives live hackers the ability to customize attacks on the fly, and a trend towards collateral damage well beyond the initial target victim calls for a collateral damage strategy.

“In the first half of 2021, cyber criminals have continued to adapt their working practices in order to exploit the shift to hybrid working, targeting organizations’ supply chains and network links to partners in order to achieve maximum disruption,” said Maya Horowitz, VP Research at Check Point Software. “This year cyber-attacks have continued to break records and we have even seen a huge increase in the number of ransomware attacks, with high-profile incidents such as SolarWinds, Colonial Pipeline, JBS or Kaseya. Looking ahead, organizations should be aware of the risks and ensure that they have the appropriate solutions in place to prevent, without disrupting the normal business flow, the majority of attacks including the most advanced ones.”

Top predictions for H2 highlighted in the report include:

The war on ransomware will intensify – Ransomware attacks will continue to proliferate despite increased investment from governments and law enforcement, especially as the Biden Administration makes this a priority. With such investment and ever more advanced tools, the authorities will enjoy some successes, but threat actors will evolve, and new groups will emerge in the ransomware arms race.

Man-in-the-Middle becomes the hacker in the network – Over the past two years, we have seen an acceleration in the use of penetration tools, such as Cobalt Strike and Bloodhound. These tools don’t just pose a real challenge from a detection point of view, they also grant live hackers access to compromised networks, allowing them to scan and scroll at will and customize attacks on the fly. Security professionals will need a whole new set of skills to detect this form of attack and prevent it from happening in the future.

Collateral Damage beyond the initial target – The growing trends of triple extortion, supply chain attacks and even just remote cyber-attacks may affect businesses more than ever. The triple extortion trend in ransomware now includes not only the original target organization, but also its customers, partners and vendors. This multiplies the actual victims of each attack and requires a special security strategy.

The ‘Cyber Attack Trends: 2021 Mid-Year Report’ gives a detailed overview of the cyber-threat landscape. These findings are based on data drawn from Check Point Software’s ThreatCloud Intelligence between January and June 2021, highlighting the key tactics cyber-criminals are using to attack businesses. A full copy of the report is available here.

What Makes a Security Analyst Successful? Investigative Thinking

Written by Anthony Perridge VP International at ThreatQuotient

The new SANS 2021 Report: Top Skills Analysts Need to Master analyses the need for organisations to invest in improving their security operations and identifies the skills analysts must master to support this initiative. Characterising an analyst as essentially an investigator, the SANS report breaks the investigative process down into two primary areas: Investigative Tasks and Investigative Thinking.

One of the most important sources of intelligence to also bring into the process is human intelligence that comes from critical thinking. After all, what better way is there for organisations to validate data and findings and then determine the right action to take within their own environment than through their own people? As the SANS report points out, empowering humans so they have more time to engage in investigative or critical thinking is vital to effective and efficient detection and response. According to SANS, best practices for critical thinking include:

  • Asking questions to gather additional context and scope when facing a situation of uncertainty during an investigation.
  • Reasoning backward by using tools like MITRE ATT&CK to hypothesise what must have happened to arrive at the alert that is displaying on a security console.
  • Considering multiple plausible pathways instead of thinking linearly to detect and respond to new threats.
  • Remaining curious, flexible and agile within a highly dynamic environment such as a security operations centre (SOC).

This is where collaboration comes in, both passive and active collaboration. A security operation platform like the ThreatQ Platform serves as a central repository that includes internal threat and event data, augmented and enriched with global threat data. This central repository is at the heart of passive collaboration, or information sharing. When individual team members and different security teams can access the central repository for the intelligence they need to do their jobs as part of their workflow, passive collaboration just happens. As they use the repository and update it with observations, learnings and documentation of investigations, they get consistent threat intelligence. The repository can serve as a centralised memory to facilitate future investigations. Everyone can operate from a single source of truth, instantaneously sharing knowledge and using their tools of choice to improve security posture and the investigation process.

Active collaboration involves engaging with another person to accomplish a shared goal through tasking and coordination. It is what typically comes to mind when we think of collaboration, but traditional, siloed environments have made this extremely difficult and time-consuming for security professionals to do. The challenge is that most security operations or investigations are rife with chaos as teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people or teams working on independent tasks, key commonalities are missed so investigations take longer, hit a dead-end, or key information just falls through the cracks.

Likewise, a cybersecurity situation room fuses together threat data, evidence and users to break down these barriers. All team members involved in the investigation process can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work, and they can share and benefit from the human intelligence they each bring to the table. Validating data and sharing their collective insights and understanding fosters critical thinking that drives successful investigations.

Furthermore, managers of all the security teams can use ThreatQ Investigations to see the analysis unfolding, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results. Embedding collaboration into the investigation process ensures that teams work together to take the right actions faster.

At ThreatQuotient, we have always believed that to accelerate and improve security operations we must empower the human element with tools that enable them to identify the right data, share information and actively collaborate efficiently and effectively. That is why the ThreatQ Platform and ThreatQ Investigations are exactly what organisations need to help security analysts excel in the role of investigator. If you are interested, why not download the SANS 2021 Report: Top Skills Analysts Need to Master for more details on the skills required.


ThreatQuotient Named 2021 TAG Cyber Distinguished Vendor

ThreatQuotient™, a leading security operations platform innovator, today announced the company has been recognised as a Distinguished Vendor by TAG Cyber in their Security Quarterly report for Q3 2021. TAG Cyber selected ThreatQuotient as one of only a handful of industry-leading cyber security solution providers to be featured in the report, which offers expert guidance, research and analysis, and education across the entire cyber security ecosystem.

In 2021, the frequency and scale of cyberattacks have increased and affected businesses and critical infrastructure ranging from hospitals to power plants. Amid the growing intensity and risks associated with these threats, enterprises, governments, and individuals need more research and resources to protect against the damage cyber attacks can inflict on vital systems. To address security personnel shortages and an industry need for more curated and data-driven threat intelligence, ThreatQuotient recently announced two new capabilities built into the ThreatQ platform, ThreatQ TDR Orchestrator and ThreatQ Data Exchange.

“Existing approaches to security automation work for repetitive tasks, but to actually support detection and response needs, the focus of automation should be on the data and not the processes. ThreatQuotient is helping organisations focus on what is learned from their data, resulting in stronger detection and response,” said Leon Ward, VP Product Management, ThreatQuotient. “ThreatQuotient is building on this approach to improve overall security operations, as well as strengthen industry threat intelligence sharing. We are pleased to be included in TAG Cyber’s report as a distinguished vendor, and we appreciate their work to further educate the market on timely threats and leading solutions.”

Katie Teitler, VP of Research and Advisory at TAG Cyber, added, “We are thrilled to feature ThreatQuotient in this publication. Given the rise of ransomware, phishing and other attacks this year, their insights on achieving efficiency in security operations and curating data for effective automation to defend against attackers are of great interest and importance to IT and security professionals right now.”

TAG Cyber’s Q3 2021 Security Quarterly report, which includes an interview with Ward, can be downloaded for free here. For more information about ThreatQuotient’s award-winning solutions, please visit www.threatq.com.


About ThreatQuotient

ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations with a platform that accelerates and simplifies investigations and collaboration within and across teams and tools. Integrating an organisation’s existing processes and technologies into a unified workspace, ThreatQuotient’s solutions reduce noise, highlight top priority threats and automate processes to provide greater focus and decision support while maximising limited resources. ThreatQuotient’s threat-centric approach supports multiple use cases including incident response, threat hunting, spear phishing, alert triage and vulnerability management, and also serves as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe and APAC. For more information, visit www.threatquotient.com.


About TAG Cyber

TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalised content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective. For more information, visit https://www.tag-cyber.com/.

Clearvision Launches Experts on Demand Subscription Service

Experts on Demand gives customers the ability to plug skills gaps, focus on their business priorities and tap into guidance, advice and support as and when needed.

Clearvision, an ISO27001 and Cyber Essentials-certified software services company, today announced the launch of its Experts on Demand Atlassian Subscription Service.

Experts on Demand is a monthly subscription-based Atlassian consultancy service designed to provide teams with coaching, mentoring, and advice. Working on a credit basis, with each credit granting access to a solution expert for up to half a day, this unique service means that organisations can now access Atlassian experts and consultancy services on an ad-hoc basis.

The service offers a range of consultancy services such as one-to-one coaching and mentoring, optimisation and configuration, health checks and problem-solving, process improvements, consultant-led training sessions and Q&A sessions with an expert.

The new offering also includes consultancy services such as solution design for digital transformation programmes, Agile/SAFe best practices, ITIL/ITSM/eSM best practices, continuous improvement, as well as prototyping and managed adoption.

“We launched this service in response to increasing customer demand and, in a matter of weeks, we already have a number of beta customers benefiting from it,” says Gary Blower, Solutions Architect, Clearvision.

“Knowing that it will typically be the small-to-mid sized organisations that will utilise the service most frequently, we based it on a subscription model as the cost per hour or day is lower. This enables customers to plan more effectively, as each credit grants access to a solution expert for up to half a day. Additionally, organisations can budget for this rather than having unexpected costs at the end of the month; our fixed-cost price puts them in control, and they aren’t hit with any nasty surprises,” Blower adds.

Experts on Demand is available in three packages: Starter, Annual, and Enterprise.

  • The Starter package is for small/medium teams looking to expand their Atlassian usage with minimal commitment and investment. It includes one credit per month for six months.
  • The Annual option is for teams with well-defined needs and objectives looking to benefit from the knowledge and availability of an Atlassian expert. It includes two credits per month on an annual basis.
  • The Enterprise package is for large teams with strategic requirements in need of bespoke solutions without limitations or constraints. It includes unlimited monthly credits on an annual basis.

In the current economic climate, IT programmers and software developers were among the many ‘hard-to-fill’ and skills-shortage vacancies in 2020. As businesses look to digitally transform, demand for skilled IT professionals and developers continues to outstrip supply. In fact, a recent article from Deloitte suggests that less than half of executives believe they have the skills to compete and lead within the digital economy.

Experts on Demand will help to fill that gap and ensure that organisations have the specialist skills, knowledge, support and expertise that they need in order to compete and remain relevant – both now and in the future.

For more information on Clearvision, visit www.clearvision-cm.com.

Ransomware Resurgence: Is your Organization Prepared?

Written by Rick McElroy, Principal Cybersecurity Strategist, VMware

Ransomware made mainstream news when cybercriminal group DarkSide launched an attack on U.S. fuel company Colonial Pipeline, which carries nearly half the fuel consumed along the U.S. East Coast. The disruption of critical infrastructure and the impact on our daily lives was a sobering reminder of the havoc that a successful cyberattack can wreak.

While its scale and impact grabbed headlines, this attack is only symptomatic of a dramatic resurgence in ransomware campaigns over the past year. Alongside an increase in the number of attacks, VMware found ransomware groups are becoming even more organized and sophisticated, while the rise in ransomware-as-a-service is enabling a much broader cybercriminal base to execute attacks using existing tools.

Understandably, this adds to the pressure already felt by CISOs, who are defending a more distributed environment than ever before.


Ransomware is a leading cause of security breaches worldwide

VMware surveyed 3,542 CISOs across 14 countries for its recently published Global Security Insights report and found ransomware attacks were the dominant cause of breaches for organizations. The average number of ransomware attacks organizations experienced has doubled over the past year. Additionally, the VMware Threat Analysis Unit identified a 900% increase in ransomware over the first half of 2020.

Malicious actors have spent the pandemic capitalizing on the rapid adoption of an anywhere workforce and the use of personal devices and networks by remote workers. Attackers now have an unprecedented opportunity to launch social engineering attacks, such as phishing, on unsuspecting employees.

No industry was off limits to attackers, either. The healthcare sector – already in the grip of pandemic response – was disproportionately targeted with ransomware in 2020. One in five breaches reported by the healthcare CISOs we surveyed was caused by ransomware. In the same way that DarkSide targeted critical national infrastructure, ransomware groups have looked to cash in on the healthcare sector, an industry more likely to pay because of the critical nature of its business.


Double extortion tactics pile pressure on victims

New tactics are making ransomware a much more nuanced threat, too. Instead of locking up systems immediately, attackers are aiming to infiltrate systems undetected and establish persistence on the target network, moving laterally and extracting data that can be monetized even if no ransom is ultimately paid. A system encryption and ransom demand will not be made until the perpetrator has covered their tracks and established a route back into the target network.

This gives cybercriminals greater hold over victims. As well as needing to decrypt their systems, organizations also face the possibility that critical assets such as customer data or trade secrets will be released for sale to the dark web and the breach will be made public. The reputational and regulatory risk tied to ransomware means the pressure to pay ransoms is often significant. However, unless the attacker’s presence in an organization’s network is fully removed, they are likely to return for another strike on a target that has shown willingness to pay.

The cybercriminal community has capitalized on the growing profitability of this approach, with nearly 40% of security professionals saying double-extortion ransomware was the most observed new ransomware attack technique in 2020.


Strengthening defenses against ransomware

As businesses adapt to supporting the anywhere workforce and malicious actors continue to target the expanded threat landscape, CISOs have a once-in-a-generation opportunity to strengthen defenses against ransomware and protect their organization by:

Delivering security as a distributed service: To protect the anywhere workforce, regardless of the devices and networks workers are using, deliver endpoint and network controls as a distributed service that follows the assets being protected throughout the environment.

Prioritizing visibility: Better visibility over endpoints and workloads delivers contextual insight and situational intelligence to help defenders prioritize and remediate risk with confidence.

Conducting regular threat hunting: The first step of a multistage ransomware campaign is gaining undetected access to networks. Regular threat hunting can detect silent incursions and the presence of adversaries in the environment by spotting anomalous behavior.

Keeping monitoring “quiet” to avoid counter-incident response: Assume the adversary has multiple means of gaining access to the environment. Watch and wait before taking action – don’t start blocking malware or terminating C2 systems until you are sure you understand all possible avenues of re-entry.

Engaging with an incident response partner: It is not a matter of if, but when organizations will be targeted, so it is essential to be prepared. Engage with an IR partner to devise a response plan and retain them to put it into action when needed. This should include post-incident remediation and analysis to root out any remaining adversary presence and avoid repeat attacks.

As organizations rethink their approach to security, defending against ransomware should be a top priority as the impact and scope of attacks increases. The anywhere workforce must be supported by a security strategy that surrounds and protects employees to let them work safely and productively without putting the infrastructure, reputation, and competitive position of the business at risk.

IoT security risks are real – this is how you mitigate them

Written by Martin Giess, CTO & co-founder at EMnify

IoT hacks are sadly becoming an increasingly regular occurrence as the world becomes more digitized and an ever greater number of devices are being connected to the Internet. The threat of security breaches and intrusions makes IoT security imperative for companies and consumers alike.

Hacks, breaches and intrusions targeting smart device networks are becoming increasingly frequent. The recent cyber-attack on the Colonial Pipeline, the American oil pipeline system integral to the energy security of the Southeastern United States, is only the latest occurrence of a criminal cyber breach of Internet of Things (IoT) enabled smart infrastructure.

The Colonial Pipeline hack had a devastating impact on commercial activity in several states, with many petrol stations being without fuel for several days. This was a criminal attack by a cyber racket that held the computerized equipment managing the pipeline for ransom. Whether it is done by a criminal organisation, a hostile nation state or an individual with bad intentions: hacks of IoT are a looming threat that will only become more prevalent in the future as more and more devices become smart.

Essentially any Internet-connected device is vulnerable to being hacked and misused. In the age of the Internet of Things, that means that malicious actors could potentially exploit vulnerabilities in billions of connected devices to access confidential data, spread malware or ransomware, assimilate devices into a botnet, shut down utilities and other pieces of infrastructure, or even cause tangible physical harm.

What companies need to understand is that cybersecurity threats are continually evolving and that their cyber defenses need to keep up with them. If companies are serious about protecting their organizational assets and their end users – and they should be – they should particularly do the following:

  • Gain a greater understanding as to how their IoT applications could be vulnerable to hacking attempts
  • Do an in-depth analysis of past IoT security breaches, hacking attempts and failures and incorporate the lessons learned into their security strategy; and
  • Incorporate the solutions and strategies that make their applications more secure into the design and use protocols of new devices


Check the security of IoT applications against potential hacking attempts

It starts with weak authentication

Perhaps the most common problem in cybersecurity – and the one that can most easily be mitigated by common sense – is the general human tendency toward laziness: people just use passwords that are too simple, like “123”, “ABC” or a combination of alphanumeric characters that is comparatively easy to “guess” or arrive at in a brute force attack. In essence, passwords are the first line of defense against malicious attackers trying to breach your network. But if an employee’s password isn’t strong enough, your devices and network aren’t secure. More worrisome is that in some cases passwords may even be publicly accessible or stored in an application’s source code. As such, the first rule of proper “cybersecurity hygiene” has to be strong passwords that brute force attacks cannot simply guess.


A lack of encryption during data transmission can be costly

Ancillary to the above point, another substantial threat to the security of your IoT networks is a lack of encryption used for regular transmissions among devices. Many IoT devices that do not necessarily store sensitive data – such as thermostats – do not encrypt the data they send to other devices. Yet if someone manages to compromise the network, they could thereby still intercept credentials and other important information transmitted to and from that device.


Low processing power obstructs timely security updates

Many IoT applications are engineered in such a way that they use data economically, so that costs are reduced and battery life can be extended. However, this makes it difficult to send over-the-air (OTA) updates to these devices to update their security settings. As such, this leaves them vulnerable to hacking.

Other common issues are legacy assets that weren’t originally designed for cloud connectivity, shared network access where a multitude of devices with different security settings use the same network, inconsistent security standards stemming from the historical lack of common standards, as well as missing firmware updates.


An analysis of past security breaches can provide you with valuable insights

While technology has evolved and every year a myriad of different attack vectors and zero-day exploits come to light, analysing past security breaches can help you predict the behaviour and motivations of malicious actors. The aforementioned cyber attack on the Colonial Pipeline, for example, was about extorting a ransom payment.

Similarly, the 2016 Mirai botnet case became famous – or rather infamous – because the malware managed to assimilate over 145,607 video recorders and IP cameras into its botnet in order to wreak havoc. The botnet was created by a single hacker – a college student – and came about through the aggregation of unsecured IoT devices. In several attacks, the botnet first crashed Minecraft servers, but then quickly went on to launch attacks on French web hosting service OVH, as well as the websites of Netflix, Twitter, Reddit, The Guardian, and CNN. Yet more worrisome is that the malware’s code is apparently still out on the Internet and successors of Mirai have been created to do a host of nefarious things, like hijacking cryptocurrency mining operations.

Yet more worrisome was the 2017 announcement by the US Food and Drug Administration (FDA) that more than 465,000 implantable pacemaker devices by manufacturer St. Jude Medical were vulnerable to hacking. While there were no known hacks, and St. Jude Medical was quick to patch the devices’ security flaws, it was a disturbing revelation with potentially fatal implications. Had a hacker gained control of these pacemakers, they could literally have killed people by depleting the battery or altering the bearer’s heart rate.


Familiarize yourself with the strategies and solutions that secure your applications

So what can companies do to keep their IoT devices secure? Well, companies should take their cues from previous incidents and incorporate the solutions that secure their applications into the design and use protocols of new devices right from the start.

For one thing, companies should make the best use of physical security – fences, doors, shutters – to keep their devices secure. Another issue, specific to cellular IoT devices, is that a lot of the critical information is stored on the SIM card. Most SIM form factors are removable, which makes this data more vulnerable. Using an eSIM is the better option, as the eSIM is soldered directly onto the circuit board and is thus much harder to physically access.

Likewise, it pays for companies to build remote access security into their products, locking SIM functionality to specific devices and giving them the ability to remotely disable connections if there is a physical security breach.

Similarly, being aware of the risks inherent in public networks, companies should consider building private networks on top of existing security mechanisms to ensure that data never crosses the public Internet.

Furthermore, it is recommended to include abnormality detection and IMEI locks, to encrypt all data transfers, to have a network-based firewall, and to define limited connectivity profiles for all devices.


Securing devices takes effort from both manufacturers and users

Ensuring IoT security requires manufacturers and users to make a conscious and constant effort. An important part of IoT security is building up a separate, controllable environment that is not integrated into a customer’s incumbent networks (e.g. Wi-Fi or Ethernet), since those environments may already have security flaws such as weak Wi-Fi passwords or outdated operating systems, which would in turn compromise the security of the new IoT network. Companies can get around this issue by using a cellular IoT network, because with a cellular network all devices are in a separate network that can be controlled.

Besides this, managed security services such as a network firewall or a virtual private network (VPN) can be used to protect against malicious data filtering.

Furthermore, using a Secure Access Service Edge (SASE) is an effective way of controlling all data connections to an intranet, a SaaS cloud and remote workers. With SASE, the software-defined networking keeps a company’s data local – something that neatly complements equipment like data access brokers, network firewalls and VPNs.

In summary, it boils down to having standardized managed security services, like firmware updates, firewalls, etc., in place that provide comprehensive security and take the pain of securing the devices away from the device manufacturers. Customers are naturally more aware of their security requirements than the device manufacturers themselves, and so they should implement as many of the industry best practices as possible. The threat of security breaches is ever evolving and companies need to keep up to date.


About the author

Martin Giess is CTO and co-founder at EMnify, a leading cloud communication platform provider for IoT. In his role, he oversees the technical execution of EMnify’s product vision. Martin brings 20 years of experience as a technology expert in agile development of innovative telecom services. Before founding EMnify, he held technical VP positions at Syniverse and MACH.

eCrime industrialisation – how ransomware groups are lowering the bar of entry and maximising profitability

Written by VMware Security Business Unit

Wherever there is disruption, cyber criminals see opportunity. Alongside the devastating health and economic impacts of the global coronavirus pandemic, we have also seen a huge escalation in ransomware attacks as people shifted to working from home. VMware threat researchers have recorded a 900% year on year increase in ransomware attacks in the first half of 2020.

Attacks are not only more frequent, they are also more sophisticated, as adversaries strive to maximise the revenue potential from each hit. As modular and more extensive malware has become ubiquitous, adversaries are diversifying and adopting more strategic and multi-stage tactics. They’ve identified factors such as high financial and regulatory penalties and reputational damage that offer more leverage to extort money from victims. As a result, it is now easier than ever for criminals with minimal skill to execute highly impactful attacks.

Destructive attacks and the sale of direct access into corporate networks are also rising trends and the lucrative payoff potential from all these is changing how adversaries approach their craft; a typical ransomware attack today is designed to do a lot more than simply encrypt data.


Shift from spray and pray to cultivate and curate – rise of the hands-on ransomware attack

In the past, a ransomware attack typically originated in a phishing email: the victim unwittingly opened an infected document or clicked a link that executed actions to immediately encrypt the environment and demand a ransom. Adversaries launched high-volume attack campaigns on the assumption that some would make it through defences and pay-day would follow.

The current approach is much more hands-on-keyboard, with the attacker actively involved in orchestrating targeted attacks that will deliver multiple opportunities to monetise the results. In the attacks we’re seeing today, the eventual encryption and ransom demand comes a long way down the line; victims should assume that attackers have been inside their network for a significant period, have mapped out their infrastructure, and have already exfiltrated their most sensitive assets. The new evolution of ransomware attacks involves:


Research phase: the adversary gathers intelligence about your organisation through open source intelligence gathering (OSINT) – everything from social media and geographical footprint to publicly exposed IP addresses found on Shodan – paying special attention to an organisation’s employees. All of this helps to establish an attack plan, most commonly targeted towards unsecured edge devices, with Microsoft’s Remote Desktop Protocol (RDP) being by far and away the most commonly leveraged.


Reconnaissance: Adversaries scan your organisation from the internet, looking at edge devices that could be a potential entry point, extrapolating what the rest of your environment might look like and what resources are worth targeting. They might identify home users with publicly exposed devices and target them with a phishing email, but more typically we see adversaries go after poorly configured edge devices, such as a Windows server with Remote Desktop Protocol exposed and no multifactor authentication in place as an ideal access vector.


Access and consolidation: on entry the attacker conducts initial post-exploitation reconnaissance to gain access to a credential and elevate their privileges so they can pivot from the Demilitarised Zone into the internal systems and map out the internal infrastructure. At this point most ransomware groups we’ve been following will try to back-door additional systems with redundant access to a secondary command and control server, with the additional goal of infecting the back-up server and even getting their payloads deployed within the backups themselves. They probably won’t use this – it’s insurance in case their initial route gets cut off – but from a victim’s perspective this is something you need to look out for in incident response.


Slow and steady data exfiltration: to avoid triggering the controls companies have in place to prevent large-scale data exfiltration, attackers will look for a discreet way to get the data out of the organisation. This might be through a user within the environment, moving files slowly or covertly to a compromised user and offloading the files to another server – such as a compromised webserver – which serves as a collection point for the stolen data. Or they might move the data out slowly through protocols such as DNS.

By now the attacker has achieved the first part of their goal. They have stolen data that they can monetise directly, and they have persistence on the victim’s systems. The victim is still unaware and now the attacker starts to plan for the next stage of their attack.


Extortion – reputations and data held to ransom

This is where we are seeing the convergence of data theft and ransomware. Once attackers launch the encryption phase of the attack, they lock up the victim’s data and demand payment in a traditional ransomware style.

Businesses with good data back-ups and recovery capabilities might be tempted to call the attacker’s bluff – until the extortion starts. Attackers threaten to release parts of the stolen data on the web to publicise the exploit if payment is not forthcoming. So even if the business can recover its data, its reputation and company secrets are still on the line.

The Maze Cartel is an arch-exponent of this technique. When victims don’t pay, they publish stolen data on their website. It is bold and shows the capabilities and power these groups exercise. We’re also seeing these groups collaborating and sharing infrastructure and code, which is making attacks harder to attribute and increasing their overall capabilities.

If the victim bows to pressure and pays the ransom their data has still been breached and is for sale on the dark web, adding another revenue stream for the attacker. Of equal concern should be the fact that the adversary still has a redundant command and control access that they can sell or use to conduct further attacks.


How to combat evolving ransomware attacks

You have to treat ransomware like you would any other breach – this is someone who is in your environment, and they have access to a lot of sensitive data. You need to conduct full incident response and recovery following each of these attacks, looking especially for signs of residual access to your environment following ransomware data theft.

To protect networks, defenders need to deploy endpoint protection, making sure they are blocking ransomware and have layered visibility of what is happening within the network. Understand the details of what your processes are doing and segment your networks effectively so that the scenario described above is not easy for an attacker to achieve.

Watch for evidence of initial access reconnaissance activity, configure alerts for large-scale data exfiltration, look for redundant command and control access and bear in mind that attackers are playing the long game. They are aiming to retain their foothold in the environment for as long as possible, so you might be looking for something that activates on a weekly or even monthly cycle, so is easy to miss. If you have suffered an attack, you should hire an incident response firm to look for these hard-to-find indications that your network is still being curated for future attacks.
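The slow, low-volume DNS exfiltration described in the attack walkthrough above is designed to stay under a bulk-transfer alarm, so the alert for large-scale exfiltration recommended here has to look at cumulative volume over a long window rather than at any single hour. The check below is an added example, not VMware tooling, and it makes that point on constructed resolver log lines: the log format, the thresholds, the client addresses and the domain drop-demo.test are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines (not from the article): "<UTC time> <client> <query name>".
# Client 10.0.1.15 drips hex-encoded chunks to one domain over five days, each far below
# any per-hour volume alarm, mixed in with ordinary lookups from two clients.
SAMPLE_LOG = """\
2020-06-01T09:00:12Z 10.0.1.15 www.example.com
2020-06-01T09:03:40Z 10.0.1.15 4d5a9f0e3c7b1268a0f9e3d5c7b14826.drop-demo.test
2020-06-01T14:21:05Z 10.0.1.15 7e2c9a04f6b1d5833b8f1a5e0c92d647.drop-demo.test
2020-06-02T08:47:51Z 10.0.1.15 c5f03e8a97b1d6246d2a4c0f15e9b378.drop-demo.test
2020-06-02T17:02:19Z 10.0.1.15 mail.example.com
2020-06-03T11:15:33Z 10.0.1.15 19b4e7a2f05c8d36e8c17f3a6b0295d4.drop-demo.test
2020-06-04T10:05:02Z 10.0.1.15 f3a61b0e2c9d75840b5e8f2a4d9c1763.drop-demo.test
2020-06-05T09:58:44Z 10.0.1.15 d0c4a8f3b2e679159e1f7c3b5a8d2046.drop-demo.test
2020-06-05T10:00:01Z 10.0.1.22 southwest-regional-office-printer.example.com
2020-06-05T10:00:07Z 10.0.1.22 cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def looks_encoded(label, min_len=20, min_digit_ratio=0.3):
    """Crude test for a label carrying encoded data rather than a host name: long and
    digit-heavy the way hex or base32 chunks are and words (even long ones) are not."""
    if len(label) < min_len:
        return False
    return sum(ch.isdigit() for ch in label) / len(label) >= min_digit_ratio

def registered_domain(qname):
    """Last two labels; enough for the sample (use a public-suffix list in practice)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, window_limit=150, burst_limit=200):
    """Aggregate encoded-looking queries per (client, domain) over the whole log and flag
    pairs whose cumulative payload exceeds window_limit; max_hour_chars shows whether a
    per-hour bulk-exfiltration alarm set at burst_limit would ever have fired."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        label = qname.split(".")[0]
        if not looks_encoded(label):
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        s = stats.setdefault((client, registered_domain(qname)),
                             {"chunks": 0, "chars": 0, "per_hour": defaultdict(int), "seen": []})
        s["chunks"] += 1
        s["chars"] += len(label)
        s["per_hour"][when.replace(minute=0, second=0)] += len(label)
        s["seen"].append(when)
    findings = []
    for (client, domain), s in stats.items():
        if s["chars"] < window_limit:
            continue
        max_hour = max(s["per_hour"].values())
        findings.append({
            "client": client, "domain": domain, "chunks": s["chunks"],
            "payload_chars": s["chars"], "max_hour_chars": max_hour,
            "burst_alarm_would_fire": max_hour >= burst_limit,
            "days_active": (max(s["seen"]) - min(s["seen"])).days + 1,
        })
    return findings
```

On the sample, the single finding shows 192 payload characters spread over five days with a per-hour peak of 32, so a burst alarm at 200 never fires while the windowed total does; in production the same aggregation should run over weeks, since the text notes that residual activity may only recur on a weekly or monthly cycle.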

It’s important to understand that this new approach is bespoke work. It’s targeted and long-term tradecraft and the pay-off is higher as a result; attackers will use every means at their disposal to get the most return on their efforts and grow their profits in the current highly disrupted environment.

ThreatQuotient Advances Industry Threat Intelligence Sharing With Stronger Data Curation Capabilities

ThreatQ Data Exchange allows analysts to easily share curated threat intelligence within and between related organisations

ThreatQuotient™, a leading security operations platform innovator, is addressing an industry need for more curated and data-driven threat intelligence with the availability of ThreatQ Data Exchange. Built on the foundation of ThreatQuotient’s flexible data model and support for open intelligence sharing standards, ThreatQ Data Exchange makes it simple to set up bidirectional sharing of any and all intelligence data within the ThreatQ platform and scale sharing across multiple teams and organisations of all sizes.

ThreatQ Data Exchange provides the ability to granularly define data collections for sharing, and to easily connect and monitor a network of external systems with which to share data. Data collections are built using the existing Threat Library™ user interface; they let users define the groupings of data they want to share, can incorporate any data available in the Threat Library, and are not limited to specific object types or attribute types. These data collections can be used for single connection feeds, reused for feeds to multiple external systems, and also used for internal analysis within the Threat Library and Custom Dashboards.

“An analyst’s ability to efficiently share focused, curated threat intelligence has a significant impact on the success of their organisation’s overall security operations. ThreatQ Data Exchange is a powerful new component of the ThreatQ platform and is critical for achieving more control over the collection and dissemination of threat data,” said David Krasik, Director of Product Management, ThreatQuotient. “ThreatQ Data Exchange allows our customers to create custom data feeds with their aggregated data to share within and external to their organisation. By providing the flexibility to share specific threat data without limitation or worry of exposing data that organisations prefer not to share, ThreatQuotient enables a collective understanding of threats and fosters a safer way to collaborate and share intelligence.”

Any multi-tiered threat intelligence sharing network where control and monitoring must be available to a global administrator will gain a faster and easier way to operationalise threat intelligence by using ThreatQ Data Exchange. For example: larger government entities with distinct intel teams and missions who continuously collaborate and share relevant intel; MSSPs that provide multi-sector or geo coverage to end customers; and large or medium-sized commercial organisations with a global presence or segmented business units. Individual teams can operate according to their specific requirements and missions, and collaborate with partners without limiting the breadth of data they want to share or leaking data they want to keep private.

A principal cyber security analyst within the U.S. Department of Defense (DOD) shares, “ThreatQ has enabled us to organise our Cyber Threat Intelligence into a structured database that lets us use it in ways we previously could not. The consolidation and sharing of information related to each piece of intelligence and the automated ingest of many intelligence feeds has also increased the speed at which awareness is achieved throughout the organisation. We continue to pursue new ways to further push the automation and integration of ThreatQ into other security products to further utilise the intelligence we obtain through ThreatQ.”

Today, the DOD is leveraging the ThreatQ platform to support the warfighter in tackling the vast amounts of data they have access to, understanding relevance and priority, and effectively and efficiently taking action. With ThreatQ Data Exchange, those services can share curated, vetted threat intelligence with their peers across the DOD. Because the exchange is bi-directional and point-to-point, any one of the participating partners has the ability to identify and share threat intelligence in the form of Indicators of compromise and known related indicators to the central aggregation point for distribution to the other partners. The ability to share curated threat intelligence with security counterparts creates a force multiplier for all participants. To learn more about how the U.S. Department of Defense (DOD) is leveraging ThreatQ Data Exchange, please click here.

ThreatQ Data Exchange is now available for users of the ThreatQ platform. To learn more about ThreatQuotient’s award-winning solutions and market-leading capabilities, please visit www.threatquotient.com.


About ThreatQuotient

ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations with a platform that accelerates and simplifies investigations and collaboration within and across teams and tools. Integrating an organisation’s existing processes and technologies into a unified workspace, ThreatQuotient’s solutions reduce noise, highlight top priority threats and automate processes to provide greater focus and decision support while maximising limited resources. ThreatQuotient’s threat-centric approach supports multiple use cases including incident response, threat hunting, spear phishing, alert triage and vulnerability management, and also serves as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, APAC and MENA. For more information, visit https://threatquotient.com.

The Institute of Directors and Gemserv join forces to upskill a generation of directors in cyber security

Gemserv Ltd, an expert provider of professional services, and The Institute of Directors (IoD) are developing an innovative programme that will provide cutting-edge cyber security training for all IoD members, fellows and Chartered Directors to support them in addressing cyber risk in today’s evolving threat landscape.

The IoD has supported directors, boards and their organisations worldwide for over 100 years, which strengthens Gemserv’s established role of providing cyber security services to these markets.

Senior executives are ultimately responsible for their organisation’s data, and the impact of poor cyber security can be damaging to an organisation’s reputation and systems. A recent IoD survey reinforced this and revealed that 30% of businesses are more vulnerable to cybercrime since the pandemic. Gemserv and the IoD are co-creating an innovative programme of training that will provide an exceptional learning experience.

Through a series of two-hour professional development workshops, attendees worldwide will develop the knowledge and skills to better understand cyber security at board level and how it applies to their organisations. Using case studies with real-world examples, Gemserv’s specialist cyber consultants will provide advanced training methods, including scenario-based education and threat analytics which participants will be able to immediately apply in the context of their role and board.

Jon Geldart, IoD Director General said:

“It has never been more crucial for directors to ensure sufficient company-wide cyber security protocols.

We are delighted to be working with Gemserv on this innovative workshop, ensuring that our members continue to have access to the very best professional development programmes.”

Mandeep Thandi, Gemserv’s Director of Cyber & Digital, said:

“We know how important security of data is for organisations and their customers. This is a great opportunity for Gemserv’s cyber team and the IoD to partner and combine our expertise to offer strategic cyber security training, ultimately supporting organisations to improve their security posture.”