Category Archives: Cybersecurity

Leveraging MISP and TheHive When You Create Your CTI Practice

Written by Anthony Perridge, VP International at ThreatQuotient 

Many CISOs I speak with across Europe tell me their cybersecurity teams rely on two primary open-source platforms within their security operations (SecOps). The first is the Malware Information Sharing Platform (MISP), which allows the storing and sharing of indicators of compromise (IoCs) with other MISP users. The second is TheHive, designed for security incident response (IR). The two solutions are tightly integrated so that SOCs, CERTs and any security practitioner can act more quickly when incidents happen.

For organisations with limited resources, or those just beginning to build a SecOps practice, MISP and TheHive are easy-to-use tools that help your teams react to malicious threats. The next step, to proactively mitigate risk from the full breadth of threats your organisation is facing, is to leverage MISP and TheHive to create a cyber threat intelligence (CTI) practice. To do this, you need to consider a third platform that integrates with these two solutions and provides five essential capabilities for a CTI practice, so your teams can get ahead of threats.

Aggregate all the data you need. To gain a comprehensive understanding of the threats you are facing, you need to gather internal data from across the entire ecosystem – the telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. With the right internal threat and event data aggregated in a platform that serves as a central repository, you then need to augment and enrich it with external threat data from the multiple sources you subscribe to – open source (MISP and others), commercial, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Out-of-the-box connectors make this easy. But you also need custom connectors that can be written and deployed within hours to ingest data from new sources of threat data as new crises and outbreaks occur, for example the SolarWinds Orion security breach. With the ability to organise and structure relationships across the entire pyramid of pain – starting at the bottom with basic indicators and moving up to include malware families and campaigns, adversaries, and tactics, techniques and procedures (TTPs) – the value security teams can derive from threat intelligence to understand the adversary increases dramatically.

Make threat data usable for analysis and action. With all your threat data in one manageable location, you now need to understand where to focus your resources to mitigate risk. To start, the platform must be able to automatically deduplicate and normalise the data so that it is in a uniform format for analysis and action. Because these threat feeds will inevitably contain some data that isn’t relevant to your organisation, you also need the ability to score and prioritise threat data based on your own definition of priority, to automatically filter out noise. Expiration strategies that account for the different life cycles of different pieces of intelligence ensure threat intelligence remains accurate and timely. This allows you to focus on what matters to your organisation and send relevant threat intelligence directly to your sensor grid (firewalls, IPS/IDS, routers, endpoint, and web and email security) to harden security controls for a better defensive posture.

Build organisational memory. This central repository is really a structured library that also serves as organisational memory for learning and improvement. As new data and lessons are added to the library, from the MISP community, TheHive, your internal tools, your analysts and other trusted sources, intelligence is automatically re-evaluated and re-prioritised. The CTI program continues to improve by maintaining trusted and timely information, and the library helps accelerate actions. For example, an analyst who is new to a specific threat or campaign can benefit from this shared knowledge and from prior techniques that have worked, to accelerate their analysis, decision-making and actions.

Support additional use cases. Because threat intelligence is the lifeblood of security operations, beyond the obvious use case of threat intelligence management, a CTI program allows you to address other top use cases. Integrating with TheHive you can support incident response, but you can also integrate with an ecosystem of tools to support other use cases, including spear phishing, threat hunting, alert triage and vulnerability management. In each of these use cases, context is critical to understanding the who, what, where, when, why and how of an attack. With the ability to analyse multi-source threat intelligence and determine relevance and priority, you can decide on the right actions to take, and take them faster.

Enhanced reporting. Within the platform, real-time dashboards provide the data, metrics and status updates that are important for each specific stakeholder to monitor. You can provide regular reports to executive leadership with the KPIs that matter to them. You also have immediate access to relevant intelligence organised in one location for ad hoc reporting on the latest threat. When an attack happens, you can be ready with information about who is attacking you, what you know, and the steps you are taking to mitigate damage.
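The "make threat data usable" capability above (normalise, deduplicate, score, expire, filter) is easiest to see in a small worked example. The Go program below is an added illustration, not code from the article or from ThreatQuotient, MISP or TheHive: it takes a constructed batch of indicators in a simplified MISP-like shape, canonicalises their values, scores them from an assumed per-source confidence and tag weighting, expires them per indicator type, collapses duplicates and ranks what survives. The source names, weights, lifetimes and sample values are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Indicator is a minimal IoC record of the kind a MISP feed or an internal
// sensor might deliver (a constructed shape for this example, not MISP's schema).
type Indicator struct {
	Type   string // "domain", "ip-dst", "md5", ...
	Value  string
	Source string
	Tags   []string
	Seen   time.Time // last time the source observed it
	Score  int       // 0-100, filled in by scoreIndicator
}

// Per-source confidence and per-type lifetime are assumptions an organisation
// would tune; the values here are made up for the example.
var sourceConfidence = map[string]int{
	"internal-ids": 80,
	"misp-circl":   60,
	"osint-blog":   30,
}

var maxAge = map[string]time.Duration{
	"ip-dst": 7 * 24 * time.Hour,   // addresses churn quickly
	"domain": 30 * 24 * time.Hour,
	"md5":    365 * 24 * time.Hour, // a file hash stays meaningful for a long time
}

// normalizeValue gives one canonical form so the same IoC reported with
// different casing or defanging collapses to a single record.
func normalizeValue(typ, v string) string {
	v = strings.TrimSpace(v)
	for _, r := range [][2]string{{"[.]", "."}, {"(.)", "."}, {"hxxp", "http"}} {
		v = strings.ReplaceAll(v, r[0], r[1])
	}
	switch typ {
	case "domain":
		v = strings.TrimSuffix(strings.ToLower(v), ".")
	case "md5", "sha1", "sha256":
		v = strings.ToLower(v)
	}
	return v
}

// scoreIndicator turns source confidence and tags into a 0-100 priority.
func scoreIndicator(in Indicator) int {
	score := sourceConfidence[in.Source] // an unknown source scores 0
	for _, t := range in.Tags {
		switch t {
		case "tlp:red", "targeted":
			score += 20
		case "false-positive":
			return 0
		}
	}
	if score > 100 {
		score = 100
	}
	return score
}

// isExpired applies the per-type lifecycle; unknown types get 30 days.
func isExpired(in Indicator, now time.Time) bool {
	age, ok := maxAge[in.Type]
	if !ok {
		age = 30 * 24 * time.Hour
	}
	return now.Sub(in.Seen) > age
}

// Curate normalises, scores, expires, deduplicates and ranks a batch. Among
// duplicates the highest score wins; ties go to the most recently seen copy.
func Curate(raw []Indicator, now time.Time, minScore int) []Indicator {
	best := map[string]Indicator{}
	for _, in := range raw {
		in.Value = normalizeValue(in.Type, in.Value)
		in.Score = scoreIndicator(in)
		if isExpired(in, now) || in.Score < minScore {
			continue
		}
		key := in.Type + "|" + in.Value
		cur, seen := best[key]
		if !seen || in.Score > cur.Score || (in.Score == cur.Score && in.Seen.After(cur.Seen)) {
			best[key] = in
		}
	}
	out := make([]Indicator, 0, len(best))
	for _, in := range best {
		out = append(out, in)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// SampleFeed is a constructed batch mixing duplicates, stale and noisy records.
func SampleFeed(now time.Time) []Indicator {
	day := 24 * time.Hour
	return []Indicator{
		{Type: "domain", Value: "Evil[.]Example[.]com", Source: "misp-circl", Tags: []string{"tlp:amber"}, Seen: now.Add(-2 * day)},
		{Type: "domain", Value: "evil.example.com", Source: "osint-blog", Seen: now.Add(-1 * day)},
		{Type: "ip-dst", Value: "203.0.113.5", Source: "internal-ids", Seen: now.Add(-10 * day)},
		{Type: "md5", Value: "D41D8CD98F00B204E9800998ECF8427E", Source: "internal-ids", Tags: []string{"targeted"}, Seen: now.Add(-100 * day)},
		{Type: "ip-dst", Value: "198.51.100.7", Source: "osint-blog", Tags: []string{"false-positive"}, Seen: now.Add(-1 * day)},
	}
}

func main() {
	now := time.Now()
	for _, in := range Curate(SampleFeed(now), now, 40) {
		fmt.Printf("%3d %-7s %s (%s)\n", in.Score, in.Type, in.Value, in.Source)
	}
}
```

Of the five constructed records, only two reach the sensor grid: the defanged domain (collapsed with its lower-confidence duplicate) and the targeted file hash. The stale address is expired by the per-type lifetime, and the record tagged as a false positive is scored to zero and filtered out, which is the kind of noise reduction the paragraph describes.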

MISP is a great source for information sharing. And connecting with TheHive accelerates incident response which is a priority for many organisations. Leveraging the two solutions to create a CTI program takes your SecOps to the next level. With a platform that works with both and is purpose-built for threat-centric security operations, your security teams aren’t just reacting to threats but proactively mitigating risk and even anticipating and preventing attacks.  

Hacker and online security concerns rise, following COVID-spurred digital transformations

With online services growing at an exponential rate, each requiring us to change our passwords every 6 months, Nicole Lin, Managing Director of Synology UK, explores how we should approach identity authentication and password management from individual and business perspectives in the long run.

Before 2020, remote working was a perk for employees, even a bandwagon some jumped on because it was how the future was supposed to look. One pandemic and global lockdown later, the entire world was scrambling to get to grips with Zoom meetings, cloud storage and VPNs, while fast-tracking long overdue IT skills updates.

In this global rush to working remotely, handling security, particularly in the cloud, has been the sword on which many an IT admin has fallen. Smart security providers have sensed an opportunity to market sophisticated tools to protect your network infrastructure. And let us be clear: these tools serve a vital purpose. Should we not have advanced security gateways, for example, which inspect every packet entering your network and flag any potential threat? Of course we should! Should we not use advanced antivirus tools powered by AI and leveraging global databases to stay ahead of hackers and to stay protected from the latest forms of ransomware? Who would object?

Now, with that disclaimer in mind, let’s address the elephant in the room, namely that these sophisticated tools are like a castle built on shaky foundations if IT admins leave the humans in the organisation to their own devices when it comes to security. Verizon’s Data Breach Investigations Report puts things into perspective: 61% of breaches involve credentials. So where have things gone wrong?

Let us put ourselves in the shoes of a hacker. What will require the least amount of effort to breach an organisation’s security? Rather than spending hours identifying a system’s vulnerability to hit a target with ransomware, “guessing” a password is just as easy and allows entry without creating a fuss, potentially remaining undetected until it’s too late.

It is important to consider all aspects around passwords. We are told, reminded, encouraged to make passwords complicated. “123456”, anything containing your date of birth, names etc… are too obvious and constitute a risk. Increasing the complexity by making it longer, including special characters, is the logical solution. However, unless one has an eidetic memory, the temptation is great to re-use the same password for Gmail, Windows, Salesforce, Twitter and once one account is cracked, your whole privacy is at risk.

Add to that the massive growth in computing capabilities, which means even entry-level laptops can now be used to carry out brute-force attacks.

Making matters worse, password-reset functions can be easily hijacked: “What was your mother’s maiden name?” may have been relevant in 1990, but with most of us posting our lives on social media, this can ever so easily be discovered by unscrupulous hackers.

This shows us one thing: passwords have served us well, but an arms race with hackers is not going to end well for corporations and honest netizens without a change of strategy. Preferably one that does not involve retreating from the web back to a bygone age of letters and carrier pigeons.

Password + 2FA for optimised protections

So, from an individual’s perspective, how can password complexity be enhanced when there is a growing number to remember as we use ever more online services? Password vaults are a first step, centralising all passwords, and they also allow you to generate strong, secure passphrases. But the more cynical of us will simply see this centralisation as a single point of failure: gain access to the vault, and every single account is then compromised.

This needs to be combined with consistent use of multi-factor authentication methods. The concept is quite simple: unauthorised logins are prevented by adding an extra layer of checks to ensure you are the right person. If we consider your password as “something you know”, then an extra layer will be something you have. This is typically another device such as your phone, to which a one-time passcode is sent, which you need to enter within a short period of time to confirm you are not a hacker who has stolen the original password. Security can be pushed even further with “something you are”, in the form of a biometric identifier. In everyday life, smartphone fingerprint recognition is the most common example.

Moving beyond passwords

With two-factor authentication increasingly common in the tech industry, from Gmail to Amazon accounts, one would think hackers would soon be running out of options. Well, humans are remarkably creative, and to impersonate you and “something you have”, hackers have turned to what you may have heard of as “SIM swapping”: here a hacker fools your mobile provider into switching your SIM card information to a different phone – a process normally reserved for customers who have just lost their phones – and the hacker is then able to receive your verification code.

However, a more fundamental flaw with passwords, even with 2FA methods, is that, no matter how vigilant we are as users, trust is a fundamental part of the equation. It is often assumed, for example, that the company hosting the website or service will follow strict security practices to keep the stored passwords safe. And no company is safe, particularly as we know big names like Dropbox or Facebook have had customer credentials leaked due to poor practices.

Since passwords will always present a certain level of vulnerability, the logical conclusion is to move beyond them. This is what came out of a meeting between PayPal and Validity Sensors back in 2009: when discussing the use of biometrics for identifying online users, it became clear that the first bricks of an industry standard would be needed. This would soon become the FIDO Alliance, for Fast IDentity Online.

The concept is simple enough: contrary to passwords, where authentication is initiated by the user who sends information to the website’s servers, the FIDO approach is device-centric, with no personal or biometric information ever leaving the user’s device. This is achieved by using a public-key cryptography model. When registering with a website, a public key is provided rather than a password. Later, when the user wishes to log in, the website’s server initiates a challenge to the user’s device, which can only be solved using the private key that was kept on the device. Security is further enhanced by ensuring that the public/private key pair is issued for the website in question. Importantly, this removes the threat of phishing scams where a fake website, visually similar to a mainstream one, is used to collect a customer’s credentials without their knowledge.
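The challenge-response exchange described above, as an added example that is not part of the article or of the FIDO specifications: a Go model of an authenticator that keeps a separate Ed25519 key pair per website origin, a relying party that stores only public keys, and the two failure cases a defender cares about, a look-alike origin that gets no signature at all, and a replayed signature that does not verify against a fresh challenge. The origins, credential ids and the signed-message layout are simplifications chosen for this example (real WebAuthn signs authenticator data plus a client-data hash; here the origin and the challenge are hashed together).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is what the authenticator keeps per site: a key pair that is
// only ever used for the origin it was created for.
type credential struct {
	id   string
	priv ed25519.PrivateKey
}

// Authenticator models the user's device (phone, security key). Private keys
// never leave it; only signatures do.
type Authenticator struct {
	creds map[string]credential // keyed by origin
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]credential{}}
}

// Register creates a fresh key pair bound to origin and hands back only the
// public half plus a credential id for the site to store.
func (a *Authenticator) Register(origin string) (string, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(idBytes)
	a.creds[origin] = credential{id: id, priv: priv}
	return id, pub, nil
}

// Assert answers a login challenge. origin is the site the browser is actually
// talking to; if no credential was registered for it (a look-alike phishing
// page, for instance) the device has nothing to sign with.
func (a *Authenticator) Assert(origin string, challenge []byte) (string, []byte, error) {
	c, ok := a.creds[origin]
	if !ok {
		return "", nil, errors.New("no credential registered for origin " + origin)
	}
	return c.id, ed25519.Sign(c.priv, signedMessage(origin, challenge)), nil
}

// signedMessage binds the origin into what gets signed (a simplified stand-in
// for WebAuthn's client-data hash), so a signature for one site is useless at another.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the website. It stores public keys only, so a breach of
// its database yields nothing comparable to a password dump.
type RelyingParty struct {
	Origin string
	keys   map[string]ed25519.PublicKey // keyed by credential id
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(credID string, pub ed25519.PublicKey) { rp.keys[credID] = pub }

// NewChallenge issues fresh random bytes; a signature over an old challenge
// cannot be replayed against a new one.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify checks the signature against the challenge the server issued and the
// server's own origin, never an origin value supplied by the client.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.keys[credID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.Origin, challenge), sig)
}

func main() {
	device := NewAuthenticator()
	bank := NewRelyingParty("https://bank.example") // constructed origin
	id, pub, _ := device.Register(bank.Origin)
	bank.Enroll(id, pub)

	ch, _ := bank.NewChallenge()
	id, sig, _ := device.Assert(bank.Origin, ch)
	fmt.Println("genuine login verifies:", bank.Verify(id, ch, sig))

	// A look-alike site relays the bank's challenge, but the device has no key for it.
	_, _, err := device.Assert("https://bank-login.example", ch)
	fmt.Println("phishing origin:", err)

	// Replaying the earlier signature against a new challenge fails.
	ch2, _ := bank.NewChallenge()
	fmt.Println("replayed signature verifies:", bank.Verify(id, ch2, sig))
}
```

The two properties the article credits to FIDO fall out of the structure rather than of user vigilance: the phishing page never receives a signature because the device has no credential for its origin, and even a signature obtained elsewhere would not verify, because the relying party hashes its own origin into the message it checks.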

Last thoughts.

The staggering growth seen since last year in the use of malware, up by 358%, as well as ransomware, up by 435%, shows how essential it is to spread best practices around online security, whether by standardising extra password complexity and two-factor authentication, or through a more fundamental shift in attitudes with the adoption of public-key authentication methods. To accompany this shift in attitudes, websites and platforms, as well as manufacturers of servers, must make these safer authentication methods available.

Cabinet Office boosts cyber spending by 500% amidst Whitehall CCTV security fears

Michael Gove’s department splashes out over £300,000 on training courses including ethical hacking, digital forensics and cyber skills

The Cabinet Office has splashed £274,142.85 on cyber security training for staff in the most recent financial year (FY 20-21) – a 483 per cent increase on the £47,018 in the previous year (FY 19-20), according to official figures. The total spend over the two year period was £321,161.66.

The data, obtained by the Parliament Street think tank using Freedom of Information (FOI) legislation, is revealed amidst a series of security issues plaguing Whitehall, including CCTV of former Health Secretary Matt Hancock and his mistress in a passionate clinch being leaked by an unknown whistleblower.

The Cabinet Office, which is run by Michael Gove MP, and his close team of special advisers, is responsible for supporting the Prime Minister and Cabinet of the UK.

The full FOI response included a complete breakdown of the courses attended by Cabinet Office staff and revealed that 428 separate cyber training courses were booked in FY 20-21, compared to just 35 in FY 19-20.

By far the most popular course, which received 332 bookings, was for NCSP Foundation e-Learning – this course provides introductory level training on how to prevent, detect and respond to cyber-attacks.

The second most popular course was for a Foundation Certificate in Cyber Security, attended by 33 staffers in FY 20-21. 33 employees also attended this course in FY 19-20.

Some other cyber training courses attended in FY 20-21 included training in ‘the art of hacking’, attended by 12; ‘digital forensics fundamentals’, attended by two; ‘ethical hacking’, attended by one. Also, four staffers underwent training to become a certified Lead Auditor, and one joined a ‘CyberSec First Responder’ course.

Cyber expert Andy Harcup, senior director at Gigamon, said: 

“The Cabinet Office is tasked with managing some of the most sensitive data imaginable, so increasing cyber training and resources is a wise move, particularly with hackers relentlessly targeting government departments. However, far too many public sector organisations continue to operate without full visibility into network traffic, making it harder to spot hostile threats and take action before the damage is done. Large organisations with overstretched IT teams require complete visibility in order to manage complex cloud environments as well as identifying security threats to keep critical data safe, so taking action in this area must be a top priority.”

Security specialist Edward Blake, Area Vice President EMEA, Absolute Software said: “It’s encouraging to see the government levelling up its cyber defences, particularly at a time when recent CCTV leaks are raising fresh questions about security standards across Whitehall. In addition to training staff with the latest cyber skills, it’s also critical to ensure government devices containing confidential data like laptops are properly protected, so they can be tracked, wiped or frozen in the event of loss or theft. Additionally, staff should be urged to report incidents of data loss or suspected hacking with immediate effect so action can be taken to recover or remedy the situation.”


About the Parliament Street think tank

Founded in 2011, the Parliament Street think tank produces policy papers and research into how technology can improve public services.

http://www.parliamentstreet.org/

2021 Cybercrime and Protecting your Data

Written by Sarah Doherty, Product Marketing Manager, iland

2020 was a difficult year all around. Many organisations are still adjusting to the new landscape while trying to plan for the future. Cybercrime was at its peak in 2020, with global costs climbing as high as $1 trillion, according to CSIS research. Unfortunately, with the pandemic dragging on and an extremely drained remote workforce that still needs to be secured, there is every chance that cybercrime will be an even bigger headache in the months ahead.

Numerous aspects are aligning to create even more dangerous situations. Organisations that fail to identify and address these impending hazards will be at risk from increased cyber-attacks and data breaches. But these types of imminent disaster can be averted with the right plans. By aligning security efforts with business goals, redesigning infrastructure, and looking at new technologies, organisations can build resilience while setting themselves up for future success.


Cyber-criminals are Prospering

With the pandemic triggering a swift acceleration of working from home, the potential of attacks for cyber-criminals has grown immensely. People are working in less secure environments, they are more distracted, and the pandemic has provided cover for an increasing number of scams. The possibility of the vaccine is certain to be exploited by ruthless attackers and the likelihood of an economic downturn will create larger numbers of these criminals.

It has never been easier for an aspiring criminal to purchase ransomware complete with technical support. Today’s cyber-criminals are not what they used to be: in reality, organisations are under attack from disciplined, professional, determined factions employing increasingly sophisticated strategies.

Insider Threats are on the Rise

Social engineering tactics have made it that much more difficult for weary and overstressed remote workers. Malicious insider threats continue to be a concern, but carelessness and simple human error can cause just as much damage to the data of any organisation. With the increase in remote working, the line between work and home has become increasingly blurred during the pandemic. This pressure adds to the already fragile state of many employees, which can then lead to mistakes. For example, sending an email to the wrong person, attaching the wrong file, or falling victim to what seems to be a reasonable request that then turns out to be a scam are all potential risks.

It is critical to be prepared for this developing threat and organisations must continue to support remote workers, encourage a healthy separation between work and home life, and set clear policies on how social media and different kinds of technologies can be used. Continuous education and rigorous security awareness training are vital.


Be Aware at all Times

Third-party cloud providers and the use of personal devices can create unforeseen difficulties for security professionals. As organisations design a new architecture, it is crucial to be aware of what’s going on across the extended network. It’s key to review potential points of failure and build that into not just resilience planning, but also risk assessments.


Be Prepared and Plan Ahead

Securing the integrity of assets throughout an organisation isn’t just about properly configuring and integrating the right technologies; it’s also about supporting your greatest asset, your people. A focus on collaboration will earn rewards across your organisation, and alignment between business and security is an important aspect of success. Build awareness internally, work collaboratively with your partners, and don’t be afraid to work with their teams, who should have years of experience and expertise to share with you and your teams.

Look to the future and prepare response plans that clearly define the various roles that will be needed from all business teams. Working together within the organisation and with your technology partners can aid in your ability to effectively respond to any new threats while also maintaining a high level of service. Creating business resilience while maintaining business goals will continue to help build confidence among customers and employees.


A new incarnation of the Layer7 botnet attacks online games

StormWall experts revealed that at the beginning of Q2 2021 the number of powerful DDoS attacks on online games increased 30-fold. The maximum power of the attacks currently reaches 1 Tbit/s. According to StormWall experts, the DDoS attacks were carried out using a new incarnation of the well-known Layer7 botnet, consisting of 25,000 infected IoT devices. The main targets of the cybercriminals were game servers, since they are the easiest to monetise with DDoS attacks: hackers can quickly cause large losses and quickly extract money through blackmail.

The most powerful DDoS attacks were recorded over UDP. According to the StormWall situational center, the Layer7 botnet can launch powerful, but at the same time fairly primitive attacks. An attacker can only change the length of a packet and fill it with random data; no means of bypassing protection or adapting it to a specific application is provided. However, there is a ready-made protection profile for TeamSpeak3, a popular voice service among gamers.

The new version of the botnet can be bought from cybercriminals for as little as $250 per week and provides access to attacks of up to 1 Tbps. Before purchase, a free test of the attack is offered. There’s also Telegram support for customers.

“New technologies are helping to improve the world, but new cybersecurity threats usually arise with them. Hackers are using new technologies to create more powerful botnets, and the Internet of Things is a charming target for them. IoT devices allow the creation of incredibly powerful botnets. Most IoT devices are practically not protected from hacker attacks and contain serious vulnerabilities. Using a tremendous abundance of unprotected IoT devices, attackers can create powerful botnets and launch massive DDoS attacks.” – Ramil Khantimirov, CEO and co-founder of StormWall.


West Midlands Cyber Resilience Centre announces collaboration with the Federation of Small Businesses (FSB)

The West Midlands Cyber Resilience Centre (WMCRC) is delighted to announce it has joined forces with the Federation of Small Businesses (FSB) in the West Midlands.

The collaboration will see the two organisations working together to help encourage small to medium-sized businesses across the region to be more cyber secure.

The WMCRC brings together the expertise from law enforcement, private sector and academia to offer guidance to organisations across Herefordshire, Shropshire, Telford & Wrekin, Worcestershire, Staffordshire, West Midlands, West Mercia and Warwickshire, in protecting themselves against cybercrime.

It is part of a network of centres being established across the country and provides businesses and organisations with an affordable way to access cyber security services and consultancy to safeguard themselves from cyber-attacks.

Commenting on the relationship, Director of the West Midlands Cyber Resilience Centre, Alison Hurst, said: “We are delighted to have the opportunity to work with the FSB. The organisation and its network will be crucial in assisting us to extend our reach in order to help support businesses across the region.

“The FSB is a resource that helps many small businesses achieve their ambition and we aim to support this further by working in collaboration to maximise the cyber resilience of micro businesses and SMEs within the West Midlands.”

The FSB is the UK’s largest business group with 160,000 members across the country, made up of small business owners and the self-employed. The not-for-profit organisation offers a range of business services including legal protection, health and safety advice, employment protection, insurance services and crisis management. It also provides a variety of networking events and opportunities for its members as well as being a powerful government lobbyist, continually campaigning for better conditions and resources for small firms and individuals.

Hollie Whittles, West Midlands Chair of the Federation of Small Businesses, and an owner of two Telford-based SMEs herself, commented: “Crime against business hurts the wider economy, including in particular small businesses, of which there are 5.9 million in the UK and around 400,000 in the Midlands. They are almost always less able to invest in the cost of the latest IT equipment and security software so can be particularly susceptible to cybercrime.

“This situation is exacerbated by local and national Government-mandated requirements – such as ‘Making Tax Digital’ – which require small businesses to increasingly share their technical and financial data online. In 2019, FSB launched ‘Calling Time on Business Crime’, which highlighted many of the threats facing small businesses.

“We are delighted to see new impetus being given to addressing these issues, so look forward to working closely with the West Midlands Cyber Resilience Centre to raise awareness of the latest threats – and the latest measures that can be taken to counter them.”

The WMCRC offers a range of membership options depending on what level of support businesses need. Core membership is free and provides businesses with access to a range of resources and tools to help them identify risks and vulnerabilities, as well as providing guidance on the steps they can take to increase their levels of protection.

Businesses can find out more information about the WMCRC, how to get involved and how to sign up to receive e-news at www.wmcrc.co.uk. To keep updated with all the latest WMCRC developments on social media, follow @WestMidlandsCRC on Twitter or on LinkedIn.

As new survey reveals high risk of security breaches, how can you protect your business from a disgruntled ex-employee?

As high-profile ex-employee Dominic Cummings wages a very public war with his former boss, a new study has revealed that employers in the UK are exposing themselves to unnecessary security risks from ex-staff members.

According to the survey by Digital ID, the UK’s leading access control and security provider, just over a third (34%) of the employers surveyed (mainly SMEs) admitted to never changing sensitive login and password details, including those for emails, cloud systems, building entry access codes and social media accounts. A further 23% said they only changed them once a year, even if there was a high turnover of staff.

A worrying statistic given that 1 in 5 of the past employees surveyed admitted to having tried to access old accounts to see if they could.

Only 45% of the employers interviewed said they had procedures in place to ensure all equipment, including staff ID badges, was returned when a person left the company.

And a quarter of the employees surveyed admitted to taking sensitive information like contact details, dates, price lists and plans for new products with them when they left a job.

“Our research indicates that lots of companies are leaving themselves wide open to all kinds of security breaches,” said Adam Bennett of Digital ID, the company behind the research.

“The UK has watched on aghast at Boris Johnson’s former aide Dominic Cummings’ attempts to take down his ex-boss. And celebrated in equal measure when a former HSBC cleaner posted a resignation letter shaming her boss for unfair treatment on social media, only for it to go viral.

“What these situations illustrate is that for many businesses, especially SMEs with inadequate security systems and HR procedures in place, ex-employees can pose a very real threat. Especially if they leave on bad terms.

“Nobody likes to think that a relationship will turn sour when they start out, but a quick internet search will reveal plenty of cases of rogue employees causing all kinds of havoc. And in the age of social media, crises can very quickly escalate. In many instances, it’s completely avoidable with the introduction of some simple security procedures.”

How to protect a business from an ex-employee

According to Digital ID, cyber security, access control, staff ID and visitor ID cards are the main security processes SMEs should review.

Adam Bennett shares some steps that employers can take to protect themselves.

  • Start as you mean to go on – “Protection against an ex-employee actually starts from the moment you hire them. Contracts should be watertight with a confidentiality clause included. It’s wise to get proper legal advice on contracts of employment ahead of anything being signed.”

  • Get password savvy – “It’s really surprising how many companies have never changed their passwords and passcodes. We’d recommend this is done quarterly and at the very earliest convenience after a staff member leaves. It can be a pain, especially if there is a high staff turnover, but it certainly needs to be done more than once a year, otherwise companies are leaving themselves open to security breaches.”

  • Shut down access – “When an employee leaves the company, no matter how amicable, access control cards and credentials should be blocked immediately. Sounds like common sense, but again you’d be surprised how many employers don’t take this very simple action. Access cards can be set by a system administrator to work up until the employee’s last day, and this can be done way ahead of them actually leaving. It ensures there will be no issues once the employee has left.”

  • Keep track of tech – “Tag and track staff equipment using systems such as MyTAG, which allows companies to monitor and track assets such as computer equipment and other expensive items. It’s great for protection and lets you know who is accountable for what at all times. So, for example, a disgruntled staff member who has “forgotten” about that really expensive piece of equipment can easily be tracked.”

  • Allow them to air their views – “There is of course an HR side to managing an employee leaving. If somebody has a vendetta, it’s usually because they weren’t given adequate opportunity to air grievances during their employment. An exit interview is a formal way for them to ‘let off steam’ but in a professional setting. Any issues should then be dealt with appropriately. It’s wise for senior staff to also be trained in conflict resolution. Very often when employees leave on bad terms the issue could have been settled in a more positive way earlier in the chain of events.”

  • Keep tabs on your online presence – “Finally, no matter how well managed their exit, some employees simply want revenge, and it’s not unusual for that to take place publicly on social media channels or forums. Having proper monitoring in place to watch out for mentions of your company name will help you to manage your reputation and deal with defamation in a timely manner.”


Scammers Access 50% of Compromised Accounts Within 12 Hours According to New Research

Email Security Company Agari Identifies How Cybercriminals Use Compromised Accounts with New Insight Into Credential Phishing Scams

Agari by HelpSystems, the market share leader in phishing defense for the enterprise, unveiled today the results of an investigation into the anatomy of compromised email accounts. The threat intelligence brief, titled Anatomy of a Compromised Account, is the first research of its kind, showcasing how threat actors use credential phishing sites to gather passwords, and what they do with them post-compromise.

The Agari Cyber Intelligence Division (ACID) completed a six-month investigation by seeding more than 8,000 phishing sites mimicking Microsoft Account, Microsoft Office 365, and Adobe Document Cloud login screens. After successfully submitting credentials, the team linked individual phishing attacks to specific actors and their post-compromise actions in order to better understand the lifecycle of the compromised account.

Specific stats uncovered in the extensive research include:

  • 91% of all accounts were manually accessed by threat actors within the first week

  • Half of compromised accounts were accessed within the first 12 hours

  • 23% of phishing sites used automated account validation techniques

  • Threat actors were located in 44 countries worldwide, with 47% in Nigeria

According to Agari, once attackers gained access to the compromised accounts, it became apparent that they wanted to identify high-value targets who have access to a company’s financial information or payment system so that they could send vendor email compromise scams more effectively. The accounts were also used for other purposes, including sending malicious emails and using the accounts to register for additional software from which to run their scams.

“Business email compromise or BEC remains the most prevalent threat in email security, and when cybercriminals gain access to legitimate email accounts, the problem is magnified,” states Patrick Peterson, founder of Agari and executive strategy director at HelpSystems. “This research provides key insights into how cybercriminals use these accounts, and underscores the importance of securing your email environment against credential phishing attacks from the beginning.”

In one instance, a threat actor used their compromised account to upload two financial documents to the associated OneDrive account—a rental balance sheet and wire instructions for their bank account. Based on the content of these documents, it is likely that they were intended to be used as part of a BEC attack, presumably one impersonating the real estate investment trust and targeting the senior living community operator, trying to trick them into paying more than $200,000 in outstanding rent.

In another example, cybercriminals targeted employees at real estate or title companies in the U.S. with an email that appeared to come from a U.S.-based financial services company that offers title insurance for real estate transactions. When targets opened the email, they were encouraged to view a secure message, which sent them to a webpage mimicking the company’s actual homepage. From there, they were encouraged to view additional documents and enter their account information—leading to the compromise. This shows the self-fulfilling growth cycle where credential phishing attacks lead to compromised accounts, which lead to more credential phishing attacks and more compromised accounts, and so on.

“Without measures in place to protect against BEC and account takeover-based attacks, the problem will only continue,” said Peterson. “The insight uncovered by the ACID team is a sobering reminder of the scale of the issue—compromised accounts lead to more compromised accounts, and only by preventing the first compromise can we suppress BEC at an early stage.”

To view a complete copy of the research findings, download the threat intelligence brief.

The Remote Workforce has led to a rise in cyberthreats according to VMware Global Security Insights Report

At Security Connect 2021, VMware revealed the findings from the fourth instalment of the Global Security Insights Report, based on an online survey of 3,542 CIOs, CTOs and CISOs in December 2020 from across the globe. The report explores the impact of cyberattacks and breaches on organisations and highlights the opportunity for security leaders to rethink and transform cybersecurity strategies.

The report shows that the pandemic and shift to anywhere work have undoubtedly changed the threat landscape requiring security teams to transform their cybersecurity strategies and stay one step ahead of attackers. Key focus areas for the coming year must include improving visibility into all endpoints and workloads, responding to the resurgence of ransomware, delivering security as a distributed service, and adopting an intrinsic approach to cloud-first security.

Rick McElroy, Principal Cybersecurity Strategist at VMware said: “Legacy security systems are no longer sufficient. Organisations need protection that extends beyond endpoints to workloads to better secure data and applications. As attacker sophistication and security threats become more prevalent, we must empower defenders to detect and stop attacks, as well as implement security stacks built for a cloud-first world.”

The report’s key findings include:

Accelerated digital transformation has caused security teams to face evolving threats as cybercriminals seize the opportunity to execute targeted attacks exploiting fast-tracked innovation and the anywhere workforce. Close to 80% of organisations surveyed experienced cyberattacks due to more employees working from home, highlighting the vulnerabilities in legacy security technology and postures.

A lack of urgency despite a surge in material breaches. 81% of respondents have suffered a breach in the last twelve months, with 4 out of 5 breaches (82%) considered material. Yet security professionals have underestimated the likelihood of a material breach. Only 56% say they fear a material breach in the next year, and just over one-third (41%) have updated their security policy and approach to mitigate the risk.

Resurgence of ransomware and remote work creates an unpredictable attack surface. 76% of respondents said attack volumes had increased – with the majority pointing to employees working from home as the cause – and 79% said attacks had become more sophisticated. Cloud-based attacks were the most frequently experienced attack type in the past year, whereas the leading breach causes were third-party apps (14%) and ransomware (14%).

Cloud-first security strategies are now universal. 98% of respondents already use or plan to use a cloud-first security strategy. But the move to cloud has expanded the threat surface. Nearly two thirds (61%) agree they need to view security differently now that the attack surface has expanded. 43% of respondents said they plan to build more security into their infrastructure and apps and reduce the number of point solutions.

Applications and workloads are top CISO concerns. Applications and workloads are viewed as the most vulnerable points on the data journey. 63% of respondents agree they need better visibility over data and apps in order to pre-empt attacks. 60% of respondents also shared that their senior leadership team feel increasingly worried about bringing new applications to market because of the growing threat and damage of cyberattacks.

Security concerns are holding back adoption of AI. The next frontier for business innovation may be artificial intelligence, but more than half of respondents (56%) say that security concerns are holding them back from embracing AI and machine learning.

For a clearer picture on the evolving threat landscape as well as actionable guidance and recommendations for this year and beyond, download the full report here.


James Costanzo: How secure is your data pipeline?

Written by James Costanzo, Content Strategist at iland

As you may have heard, the latest high-profile case of cybercrime hit the headlines recently — and the results have not been pretty.

On Friday, May 7, Colonial Pipeline Co., which operates the 5,500-mile network of pipes responsible for roughly 45 percent of the gasoline and diesel fuel consumed on the East Coast, was forced to close following a ransomware attack. It took five days for the company to begin restarting operations, and even then, fully restoring the flow of fuel will not be immediate.

The impact has been felt nationwide, with frenzied runs on fuel resulting in long lines and shortages up and down the East Coast, surging gas prices, and volatility across the energy market. It even prompted an emergency response from the Biden administration, which addressed the growing threat of ransomware by name.

While the specifics of the attack, and the true extent of its damage, are still being sorted out, we can say this for certain: it succeeded in putting a worldwide spotlight on cybercrime, exposing everyone, not just those in IT, to our vulnerability when it comes to threats like ransomware.

(Cyber)crime Wave

If it feels like cybercrime is becoming more and more prevalent, that’s because it is. Beyond highly publicized examples, like the attacks on Colonial Pipeline and SolarWinds, a simple Google search reveals just how widespread the problem has become.

In part because of the COVID-19 pandemic and sudden increase in remote work, 2020 was a cybercrime record breaker. According to Forbes, we’ve never seen the sheer numbers of attacks on companies, government, and individuals or had more data lost in breaches than in the last year. The numbers paint a bleak picture.

Malware increased by 358 percent in 2020. Not to be outdone, ransomware kept pace as the fastest growing type of cybercrime. One in five Americans have been the victim of ransomware with one new victim being added to their ranks every 10 seconds. Making matters worse, the average cost of a data breach rose to $3.86 million. Meanwhile, 80 percent of senior IT and IT security leaders believe their organisations lack sufficient protection against cyberattacks. All totalled, cybercrime is expected to cost the world approximately $10.5 trillion annually by 2025.


Shall we continue?

In the wake of the Colonial Pipeline attack, a top Biden administration cybersecurity official warned against the now-obvious — that cyberattacks were “growing more sophisticated, frequent, and aggressive.” We’ve been saying that very thing at iland for quite some time. The good news is, we also know how to help.


Securing Your Data Pipeline

Given the circumstances, it’s a tad ironic that fuel has often been used as an analogy for data — in that both use pipelines. Today, we use a vast network of digital pipelines for our data, but many companies do so without the proper protections in place. The increase in cybercrime frequency, sophistication, and impact means security needs to be top of mind for all your workloads and data.