
Continuous Threat Exposure Management: A Proactive Cybersecurity Approach


Continuous Threat Exposure Management (CTEM) represents a significant shift in cybersecurity strategy, moving beyond the limitations of traditional vulnerability management. In an era where data breaches and ransomware attacks remain prevalent despite substantial cybersecurity investments, CTEM offers a comprehensive approach to proactively identify, prioritize, and mitigate risks while ensuring alignment with business goals and compliance requirements. 

Introduced by Gartner in July 2022, CTEM is a continuous program that evaluates the accessibility, exposure, and exploitability of an organization’s digital and physical assets. Unlike reactive vulnerability management, which focuses on patching known vulnerabilities, CTEM addresses potential threats before they escalate into major security incidents. It employs various tools, such as Penetration Testing as a Service (PTaaS), attack surface management (ASM), automated pen-testing, and red-teaming, to maintain a proactive defense posture. 

At the core of CTEM is its iterative approach, emphasizing integration, continuous improvement, and communication between security personnel and executives. This alignment ensures that threat mitigation strategies support organizational goals, thereby enhancing the effectiveness of security programs and fostering a culture of cybersecurity awareness across the organization. The CTEM process, as defined by Gartner, involves several stages: scoping, discovery, prioritization, validation, and mobilization. Scoping identifies the organization’s total attack surface, including internal and external vulnerabilities. 

Discovery uses ASM tools to detect potential threats and vulnerabilities, while prioritization focuses on assessing risks based on their likelihood of exploitation and potential impact. Validation confirms the existence and severity of identified threats through techniques like red-teaming and automated breach-and-attack simulations. Mobilization then implements remediation measures for validated high-priority threats, ensuring that they are aligned with business objectives and effectively communicated across departments. 

Exposure management, a critical aspect of CTEM, involves determining the attack surface, assessing exploitability, and validating threats in a continuous cycle, thereby minimizing vulnerabilities and enhancing security resilience. CTEM and exposure management are crucial for fostering a proactive security culture and addressing cybersecurity challenges before they escalate. By leveraging existing security tools and processes, organizations can integrate CTEM into their operations more efficiently, optimizing resource usage and complying with regulatory requirements. CTEM focuses on outcome-driven, business-aligned metrics that facilitate informed decision-making at the executive level. 

It recognizes that while complete risk elimination is impossible, strategic risk reduction aligned with organizational objectives is essential. By prioritizing vulnerabilities based on their impact and feasibility, CTEM enables organizations to navigate the complex cybersecurity landscape effectively. CTEM offers a pragmatic and systematic framework to continuously refine priorities and mitigate threats. By adopting CTEM, organizations can proactively protect their assets, improve resilience against evolving cyber threats, and ensure that their security initiatives align with broader business imperatives.

Here's Why Ransomware Actors Have an Upper Hand Against Organisations


Successful ransomware assaults are increasing, not necessarily because the attacks are more sophisticated in design, but because attackers have found that many of the world's largest companies lack adequate resilience to basic safety measures. Despite huge efforts in cybersecurity from both the private and public sectors, many organisations remain vulnerable to ransomware attacks.

Richard Caralli, senior cybersecurity advisor at Axio, has over 40 years of experience as a practitioner, researcher, and leader in the audit and cybersecurity fields. Based on that experience, he believes there are two primary reasons for the lack of ransomware resilience that exposes numerous organisations to otherwise preventable flaws in their ransomware defences: 

  • Recent noteworthy intrusions, such as those on gaming companies, consumer goods manufacturers, and healthcare providers, highlight the fact that some organisations may not have implemented basic safety standards. 
  • Organisations that have put in place foundational practices may not have done enough to confirm and validate those practices' performance over time, which causes expensive investments to lose their efficacy more quickly. 

Given this, organisations can take three simple activities to boost fundamental resilience to ransomware: 

Recommit to core practices

According to Verizon's "2023 Data Breach Investigations Report," 61% of all incidents used user credentials. Two-factor authentication (2FA) is currently regarded as an essential control for access management. However, a failure to apply this additional layer of security is at the heart of UnitedHealth Group/Change Healthcare's ongoing ransomware nightmare. This intrusion affects not only patients, but also service providers and professionals, who face severe barriers to obtaining treatment authorisations and payments. An entire sector is under attack as a result of a major healthcare provider's failure to adopt this foundational control.

Ensure fundamental procedures are institutionalised

There is a "set and forget" approach that handles cybersecurity during the installation stage but fails to ensure that procedures, controls, and countermeasures are long-lasting throughout the infrastructure's life, particularly when these infrastructures expand and adapt to organisational change. 

For example, cybersecurity procedures that are not actively adopted with characteristics that enable institutionalisation and durability are at risk of failing to withstand developing ransomware attack vectors. But what exactly does institutionalisation mean? Higher maturity behaviours include documenting the practice, resourcing it with sufficiently skilled and accountable people, tools, and funding, supporting its enforcement through policy, and measuring its effectiveness over time. 

Implementing the basics 

The challenges of implementing and maintaining essential cybersecurity measures are numerous. Doing so requires a commitment to constant attention, active management, and a thorough understanding of emerging hazards. However, by confronting these obstacles and ensuring that cybersecurity procedures are rigorously established, measured, and maintained, organisations can better protect themselves against the ever-present threat of ransomware attacks. 

Focussing on the basics first — such as implementing foundational controls like 2FA, developing maintenance skills to integrate IT and security efforts, and adopting performance management practices — can lead to significant improvements in cybersecurity, providing robust protection with less investment.

Here's What Businesses Can Learn From a $2 Million Ransomware Attack SEC Settlement


Business leaders and security teams can learn a lot from the recent $2.1 million settlement reached between the Securities and Exchange Commission and R.R. Donnelley & Sons Co. regarding a ransomware assault. The settlement brought RRD's negligence to light and emphasises how crucial it is for publicly listed firms to have robust safety policies and procedures in place. 

Here are key takeaways that private and public organisations can use to improve their cybersecurity posture and comply with SEC standards. 

RRD ransomware attack overview 

RRD is a publicly listed international provider of marketing and corporate communication services. The organisation used a third-party managed security services provider (MSSP) to safeguard and monitor their infrastructure. In late November 2021, RRD's intrusion prevention systems identified odd behaviour and sent notifications to both RRD and their MSSP supplier. Following assessment of these signals, the MSSP opted to escalate three issues to RRD's security personnel. 

  • Similar behaviours were observed on multiple computers throughout the RRD network, indicating that a threat actor was either making lateral movements or had compromised multiple endpoints.
  • Activities had some connection to a larger phishing campaign. 
  • It was revealed by open-source intelligence that the malware could allow arbitrary code to be executed remotely. 

Unfortunately, RRD decided not to remove the compromised devices from the network and did not carry out its own investigation to prevent further compromise until nearly a month later. Between November and December, the MSSP identified at least 20 more security alerts connected to the same incident, including malware execution on the domain controller, but failed to escalate them to RRD. 

The attacker then installed encryption software on RRD machines and stole 70 gigabytes of data, including financial and personal data from 29 of RRD's 22,000 clients. RRD eventually launched its ransomware response actions on December 23, 2021, and filed their 8-K on December 27, 2021. 
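The three escalation criteria in the overview above (the same behaviour on multiple hosts, a link to a phishing campaign, malware capable of remote code execution) plus the domain-controller alert that was never escalated can be encoded as a triage rule. This is an added illustration, not code from the original post or from RRD or its MSSP; the alert records, hostnames, signature names and the `dc-` naming convention are constructed assumptions.

```python
"""Alert triage that escalates on the criteria described in the RRD post.

Added example, not from the original post. All alert data below is constructed.
Each alert is (alert_id, host, signature, tags).
"""
from collections import defaultdict

# Constructed MSSP alert feed for one incident window
ALERTS = [
    (1, "ws-101", "trojan.loader", {"phishing-campaign"}),
    (2, "ws-117", "trojan.loader", set()),
    (3, "ws-142", "trojan.loader", set()),
    (4, "dc-01", "malware-execution", set()),
    (5, "ws-150", "adware.generic", set()),
]

# Assumption: domain controllers follow a "dc-" naming convention
CRITICAL_HOSTS = {"dc-01"}
# Signatures that open-source intelligence says permit remote code execution (constructed)
RCE_CAPABLE = {"trojan.loader", "malware-execution"}
# Same signature on this many hosts suggests lateral movement or multiple compromised endpoints
MULTI_HOST_THRESHOLD = 2


def triage(alerts, critical_hosts=CRITICAL_HOSTS, rce_capable=RCE_CAPABLE):
    """Return {alert_id: [reasons]} for every alert that must be escalated.

    An alert with no reasons is left for routine review; an alert with any
    reason goes to the customer's security team without waiting for more signals.
    """
    hosts_by_sig = defaultdict(set)
    for _, host, sig, _ in alerts:
        hosts_by_sig[sig].add(host)

    decisions = {}
    for alert_id, host, sig, tags in alerts:
        reasons = []
        if len(hosts_by_sig[sig]) >= MULTI_HOST_THRESHOLD:
            reasons.append(
                f"same behaviour on {len(hosts_by_sig[sig])} hosts (possible lateral movement)"
            )
        if "phishing-campaign" in tags:
            reasons.append("linked to a phishing campaign")
        if sig in rce_capable:
            reasons.append("malware capable of remote code execution")
        if host in critical_hosts:
            reasons.append("activity on a domain controller")
        if reasons:
            decisions[alert_id] = reasons
    return decisions


def unescalated(alerts, decisions):
    """Alert ids that were not escalated, for the periodic review the post recommends."""
    return sorted(alert_id for alert_id, *_ in alerts if alert_id not in decisions)


if __name__ == "__main__":
    result = triage(ALERTS)
    for alert_id, reasons in sorted(result.items()):
        print(f"escalate alert {alert_id}: " + "; ".join(reasons))
    print("left for review:", unescalated(ALERTS, result))
```

The rule deliberately escalates on any single criterion: the post's lesson is that the domain-controller alert alone should have reached RRD's decision makers.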

Overview of SEC's findings and judgement 

The SEC's filing cites RRD's incompetence in the following areas: 

  • RRD's policies and controls were not intended to ensure that all relevant information about security alerts and incidents were reported to RRD's disclosure decision makers on a timely basis. 
  • RRD failed to offer guidance to its internal and external people on reporting safety incidents and responding to them.
  • Even though RRD got alerts and escalations from its systems and service provider about three weeks before the encryption, it failed to analyse them and take appropriate investigative and remedial action. 

Based on these findings, the SEC claimed that RRD violated the disclosure controls and procedures requirements of Exchange Act Rule 13a-15(a) and the internal accounting controls provisions of Exchange Act Section 13(b)(2)(B). The SEC assessed a $2.125 million penalty on RRD. 

Key takeaways for security teams

The RRD verdict highlights the SEC's tightening grasp on cybersecurity controls and laws. Here are some significant takeaways for security teams in publicly listed companies: 

Ensure close oversight of service providers: In your contracts and meetings with MSSPs, be clear about security requirements and adherence to security processes. Streamline the process for escalating notifications. All such contracts, protocols, and processes must be evaluated annually or on a regular basis to ensure that there are no gaps. 

Implement effective disclosure processes: RRD was fortunate that the new SEC disclosure standards were not in existence when this incident occurred. If those rules had been in effect, it might have faced far more severe fines. The present disclosure requirements compel organisations to file a disclosure (Form 8-K) within four days of the material determination of an incident. As a result, it is vital that organisations adopt rigorous disclosure procedures. 

Train your staff: There is a direct correlation between phishing and ransomware. Phishing emails are often successful because busy users are distracted by various jobs and communication channels, making them less vigilant in identifying phishing efforts. The Conti ransomware group, suspected to be responsible for the RRD attack, is known to use normal phishing tactics as an entry point. 

Phishing is clearly the result of poor security awareness, judgement, and consciousness among users. Organisations that use phishing simulation exercises and gamification can significantly reduce phishing attacks. Employees should also receive training on security escalation and incident response procedures.

The settlement between the SEC and RRD is a big wake-up call for organisations that have failed to prioritise cybersecurity enforcement and regulatory compliance. It is critical for organisations to actively supervise security providers, periodically train personnel on security awareness practices, update escalation and incident management policies, and prioritise security alerts and notifications. By implementing these key best practices, businesses can assure compliance with the most recent SEC standards while also improving their overall security posture.

Researchers Demonstrate How Attackers Can Exploit Microsoft Copilot


Security researcher Michael Bargury revealed serious flaws in Microsoft Copilot during the recent Black Hat USA conference, demonstrating how hackers might be able to use this AI-powered tool for malicious purposes. This revelation highlights the urgent need for organisations to rethink their security procedures when implementing AI technology such as Microsoft Copilot. 

Bargury's presentation highlighted numerous ways in which hackers could use Microsoft Copilot to carry out cyberattacks. One of the most significant findings was the use of Copilot plugins to install backdoors in other users' interactions, allowing data theft and AI-driven social engineering attacks.

Hackers can use Copilot's capabilities to discreetly search for and retrieve sensitive data, bypassing standard security measures that focus on file and data protection. This is accomplished by modifying Copilot's behaviour using prompt injections, which alter the AI's responses to fit the hacker's goals. 

One of the most concerning parts of this issue is its ability to enable AI-powered social engineering attacks. Hackers can utilise Copilot to generate convincing phishing emails or change discussions to trick victims into disclosing sensitive information. This capability emphasises the importance of robust safety protocols in combating cybercriminals' sophisticated techniques.

To demonstrate these flaws, Bargury created a red-teaming program called "LOLCopilot." This tool allows ethical hackers to simulate attacks and better understand the possible vulnerabilities posed by Copilot. LOLCopilot runs on any Microsoft 365 Copilot-enabled tenant with default configurations, allowing ethical hackers to investigate how Copilot might be abused for data exfiltration and phishing attacks while leaving no traces in system logs. 

The demonstration at Black Hat showed that Microsoft Copilot's default security settings are insufficient to avoid such vulnerabilities. The tool's ability to access and handle enormous amounts of data carries significant risk, especially if permissions are not properly updated. To mitigate these threats, organisations should establish robust security policies such as frequent security assessments, multi-factor authentication, and strict role-based access limits.

Furthermore, organisations must educate their staff on the risks associated with AI tools such as Copilot and have extensive incident response policies. Companies can better protect themselves from the misuse of AI technologies by strengthening security procedures and developing a safety-conscious culture.

Generative AI is Closing The Tech Gap Between Security Teams And Threat Actors


With over 17 billion records breached in 2023, data breaches have reached an all-time high. Businesses are more vulnerable than ever before due to increased ransomware attacks, third-party hacks, and the increasing sophistication of threat actors. 

Still, many security teams are ill-equipped, particularly given that new data from our team shows 55% of IT security leaders believe modern cybercriminals are more advanced than their internal teams. The perpetrators are raising their game as they adopt and weaponize the new generation of emerging artificial intelligence (AI) technology, while companies continue to slip behind. Security teams require the necessary technology and tools to overcome common obstacles and avoid falling victim to these malicious actors. 

It takes minutes, not days, for an attacker to exploit a vulnerability. Cybersecurity Ventures predicts that by 2031, a ransomware assault will occur every two seconds. The most powerful new instrument for fuelling attacks is generative AI (GenAI). 

It enables hackers to find gaps, automate attacks, and even mimic company employees to steal credentials and system access. According to the findings, the most concerning use cases for security teams include GenAI model prompt hacking (46%), LLM data poisoning (38%), RaaS (37%), API breaches (24%), and GenAI phishing. 

Ultimately, GenAI and other smart technologies are catching security personnel off guard. Researchers discovered that 35% feel the technology used in hacks is more sophisticated than what their team has access to. In fact, 53% of organisations fear that new AI tactics utilised by criminals are opening up new assault spots for which they are unprepared. Better technology will always win.

As attack methods evolve, it is logical to expect additional breaches, ransomware installations, and stolen data. According to 49% of security leaders, the frequency of cyberattacks has increased over the last year, while 43% think the severity of cyberattacks has increased. It's time for security teams to enhance their technology in order to catch up and move ahead, especially while other well-known industry pain points linger. 

While the digital divide may be growing due to new criminal usage of AI, long-standing industry issues are making matters worse. Despite the steady growth of the cybersecurity industry, there are still an estimated 4 million security experts needed to fill open positions globally. One analyst now performs the duties of several. Lack of technology causes manual labour, mistakes, and exhaustion for understaffed security teams. Surprisingly, despite the ongoing cybersecurity talent need, our team found that only 10% of businesses have boosted cyber hiring in the last 12 months.

Here's How to Safeguard Your Smart Home Connected Devices


In a time where digital devices influence our daily lives, it is normal for households to have multiple smart home devices. Statistics show that each person owns at least three devices, with North Americans owning an average of nine. It is critical to understand that having a large number of devices and users on a single network could present serious issues. If a single device becomes infected, the entire network can be compromised. Certain measures must be taken to limit the implications and reduce the likelihood of cyberattacks. 

Here are three essential cybersecurity tips for securing smart home devices and safeguarding your network. 

Update software: It's critical for security that you keep the firmware and software on your smart devices updated. Updates are released by manufacturers to address vulnerabilities, fix issues, and occasionally add new features. If you don't update your devices, hackers may be able to take advantage of known vulnerabilities on them. 

Automatic update features are available on many devices; if they are, you should activate them. Without the need for human interaction, automatic updates make sure that your devices get the most recent security fixes as soon as they are made available. Updates can also improve your devices' general operation and performance, making them more dependable, efficient, and safe. 

Change default password: Devices from manufacturers typically come with default credentials that are public knowledge and easy to get hold of. Because these default passwords—like "admin" or "password123"—are often weak and predictable, brute-force assaults target them frequently. Thus, the first step in securing your smart gadgets is to change them. 

A password manager may be useful for generating and storing complex passwords, making sure that each device has a unique password. Furthermore, ensure that you periodically update your passwords and avoid reusing old ones. 

Monitor devices: Regular monitoring of your connected smart devices is critical for detecting any strange or unauthorised behaviour early. Use network monitoring software to keep track of any devices that are linked to your home network. Applications such as Fing or built-in router tools can give you insight into your network. 

Make sure you set up alerts for new device connections and suspicious activity. Many modern routers include this feature, which notifies you of any new devices joining your network. This allows you to quickly discover and address any unwanted connections.
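For readers whose router lacks a new-device alert, the same check can be scripted from a Linux host on the home LAN by comparing the neighbour table against a list of known devices. This is an added example, not code from the original post, from Fing or from any router vendor; the `ip neigh` output and the known-device inventory are constructed, and `snapshot()` assumes the `ip` tool is available.

```python
"""Flag devices on the home LAN that are not in the known-device inventory.

Added example, not from the original post. The neighbour-table text and the
inventory below are constructed; snapshot() reads the live table on Linux.
"""
import re
import subprocess

# Constructed `ip neigh` output as captured on a Linux host on the home network
NEIGH_OUTPUT = """\
192.168.1.1 dev wlan0 lladdr 3c:84:6a:11:22:33 REACHABLE
192.168.1.20 dev wlan0 lladdr a4:cf:12:aa:bb:cc STALE
192.168.1.37 dev wlan0 lladdr d8:3a:dd:01:02:03 REACHABLE
192.168.1.52 dev wlan0 FAILED
fe80::1 dev wlan0 lladdr 3c:84:6a:11:22:33 router REACHABLE
"""

# Constructed inventory: MAC address -> friendly name
KNOWN_DEVICES = {
    "3c:84:6a:11:22:33": "router",
    "a4:cf:12:aa:bb:cc": "living-room thermostat",
}

# Only entries with a resolved link-layer address (lladdr) and a live state count;
# FAILED/INCOMPLETE entries carry no MAC and are skipped.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) "
    r".*?(?P<state>REACHABLE|STALE|DELAY|PROBE|PERMANENT)\s*$"
)


def parse_neigh(text):
    """Return {mac: set(ips)} for every resolved neighbour-table entry."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seen.setdefault(m["mac"].lower(), set()).add(m["ip"])
    return seen


def new_devices(text, known=KNOWN_DEVICES):
    """MACs present on the LAN but absent from the inventory, with their IPs."""
    seen = parse_neigh(text)
    return {mac: sorted(ips) for mac, ips in seen.items() if mac not in known}


def alert_lines(text, known=KNOWN_DEVICES):
    """Human-readable alert per unknown device, suitable for a cron-driven notification."""
    return [
        f"NEW DEVICE {mac} at {', '.join(ips)}"
        for mac, ips in sorted(new_devices(text, known).items())
    ]


def snapshot():
    """Read the live neighbour table (Linux only, assumes the `ip` tool is installed)."""
    return subprocess.run(["ip", "neigh"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for line in alert_lines(NEIGH_OUTPUT):
        print(line)
```

Run it from cron with `snapshot()` in place of the constructed text and add each newly approved device to the inventory so the alert fires only once.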

New EDR Bypass Tool Advertised by FIN7 Hacking Group


SentinelOne researchers warn that the financially motivated group FIN7 is utilising various pseudonyms to promote a security evasion tool on several criminal underground forums. FIN7 created a tool called AvNeutralizer (also known as AuKill) that can circumvent safety measures. The researchers discovered that the tool was employed by multiple ransomware operations, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. 

The researchers identified a new version of AvNeutralizer that uses a novel way to interfere with and bypass security mechanisms, exploiting the Windows driver ProcLaunchMon.sys. 

“New evidence shows FIN7 is using multiple pseudonyms to mask the group’s true identity and sustain its criminal operations in the underground market,” the researchers explained. “FIN7’s campaigns demonstrate the group’s adoption of automated SQL injection attacks for exploiting public-facing applications.” 

Last year in November, SentinelOne reported a potential link between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group. 

The cybersecurity firm's analysis revealed that the "AvNeutralizer" tool (also known as AuKill) targeted several endpoint security solutions and was utilised exclusively by one group for six months. This supported the hypothesis that the FIN7 group and the Black Basta gang had a close relationship.

Starting in January 2023, the experts detected the deployment of upgraded versions of AvNeutralizer by multiple ransomware gangs, implying that the programme was made available to multiple threat actors through underground forums. The researchers discovered numerous adverts on underground forums encouraging the sale of AvNeutralizer.

On May 19, 2022, a user named "goodsoft" advertised an AV killing tool for $4,000 on the exploit[.]in forum. Later, on June 14th, 2022, a person named "lefroggy" placed a similar ad on the xss[.]is forum for $15,000. A week later, on June 21st, a user known as "killerAV" advertised the tool on the RAMP forum for $8,000. 

SentinelOne researchers focused on the tool's innovative technique for disabling endpoint security solutions. The unpacked AvNeutralizer payload employs ten approaches to defeat endpoint security products. While multiple strategies have been reported previously, such as removing PPL protection using the RTCore64.sys driver and the Restart Manager API, a recently discovered technique utilises a Windows built-in driver capability that was previously unknown in the wild. 

“Our investigation into FIN7’s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks,” the researchers concluded. “Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.”

Phishing Kit FishXProxy Equips Online Criminals for Success


Phishing campaigns have always been a threat, but a new toolkit called FishXProxy is making it alarmingly easy for even inexperienced cybercriminals to carry out sophisticated scams. 

SlashNext Email Security researchers have disclosed exclusive details about FishXProxy, a new phishing kit that was found on the Dark Web, in their most recent report. With its advanced features like antibot setups, Cloudflare Turnstile integration, an integrated redirector, and page expiration settings, FishXProxy is an end-to-end solution that lowers the bar for cybercriminals. 

The kit is advertised as "The Ultimate Powerful Phishing Toolkit," since it can simply neutralise technical hurdles associated with phishing campaigns, allowing cybercriminals to launch attacks that bypass security defences and go undetected. FishXProxy is especially damaging because it makes phishing possible for individuals with limited technology expertise. It is a comprehensive solution for creating and managing phishing sites in order to avoid detection and increase the success rate of credential theft attempts. 

“FishXProxy equips cybercriminals with a formidable arsenal for multi-layered email phishing attacks…Even if one attack fails, cross-project tracking allows attackers to persistently target victims across multiple campaigns,” SlashNext’s researchers stated in their report. 

Using this kit, phishing emails with unique links and dynamic attachments can avoid security checks. Advanced anti-bot technology screens out automated scanners while letting potential victims through. Worse, FishXProxy includes traffic management features that mask the true destination of links and distribute traffic across multiple pages. Short-lived scams can also be made to expire after a certain amount of time, putting pressure on victims to act fast. A cookie system enables attackers to identify and target users across many campaigns, personalising schemes and creating profiles of subsequent victims. 

Mr Mika Aalto, Co-Founder and CEO of Hoxhunt, a Helsinki-based Human Risk Management Platform, commented on the recent trend, stating that phishing kits make it easy for even less competent and resource-limited criminals to carry out advanced phishing attacks. 

“Phishing kits are lowering the barrier of entry to advanced cybercrime even for low-resourced and not clever criminals. As more phishing attacks consequently bypass filters, we need to make sure our people are equipped with the skills and tools to keep themselves and their colleagues safe,” Aalto noted. 

To mitigate this threat, organisations require modern security solutions that can detect threats through numerous channels. Employees should also be trained on the most recent phishing techniques, and strong authentication protocols should be established.