Meet the anti-antitrust startup club

When Congress called in tech CEOs to testify a few weeks ago, it felt like a defining moment. Hundreds of startups have become unicorns, with the largest worth more than $1 trillion (or perhaps $2 trillion). Indeed, modern tech companies have become so entrenched, Facebook is the only one of the Big Five American tech shops worth less than 13 figures.

The titanic valuations of many companies are predicated on current performance, cash on hand and lofty expectations for future growth. The pandemic has done little to stem Big Tech’s forward march and many startups have seen growth rates accelerate as other sectors rushed to support a suddenly remote workforce.

But inside tech’s current moment in the sun is a concern that Congress worked to highlight: Are these firms behaving anti-competitively?

By now you’ve heard the arguments concerning why Big Tech may be too big, but there’s a neat second story that we, the Equity crew, have been chatting about: Some startups are racing into the big kill zone.

They have to be a bit foolhardy to take on Google Gmail and Search, Amazon’s e-commerce platform or Apple’s App Store. Yet, there are startups targeting all of these categories and more, some flush with VC funding from investors who are eager to take a swing at tech’s biggest players.

If the little companies manage to carve material market share for themselves, arguments that Big Tech was just too big to kill — let alone fail — will dissolve. But today, their incumbency is a reality and these startups are merely bold.

Still, when we look at the work being done, there are enough companies staring down the most valuable companies in American history (on an unadjusted basis) that we had to shout them out. Say hello to the “anti-antitrust club.”

Hey and Superhuman are coming after Gmail

Gmail has been the undisputed leader in consumer email for years (if not enterprise email, where Microsoft has massive inroads due to Exchange and Outlook). Startups have contested that market, including Mailbox, which sold to Dropbox for about $100 million back in 2013, but whenever a new feature came along that might entice users, Gmail managed to suck it up into its app.

Sutter Hill strikes ice-cold, $2.5B pre-market return with Snowflake’s IPO filing

Today is the day for huge VC returns.

We talked a bit about Sequoia’s coming huge win with the IPO of game engine Unity this morning. Now, Sequoia might actually have the second largest return among companies filing to go public with the SEC today.

Snowflake filed its S-1 this afternoon, and it looks like Sutter Hill is going to make bank. The long-time VC firm, which invests heavily in the enterprise space and generally keeps a lower media profile, is the big winner across the board here, coming out with an aggregate 20.3% stake in the data management platform, which was last privately valued at $12.4 billion earlier this year. At its last valuation, Sutter Hill’s full stake is worth $2.5 billion. My colleagues Ron Miller and Alex Wilhelm looked a bit at the financials of the IPO filing.

Sutter Hill has been intimately connected to Snowflake’s early build-out and success, providing a $5 million Series A funding back in 2012, the year of the company’s founding, according to Crunchbase.

Now, there are some caveats on that number. Sutter Hill Ventures (aka “the fund”) owns roughly 55% of the firm’s total stake, with the balance owned by other entities owned by the firm’s management committee members. Michael Speiser, the firm’s partner who sits on Snowflake’s board, owns slightly more than 10% of Sutter Hill’s stake directly himself according to the SEC filing.

In addition to Sutter Hill, Sequoia also got a large slice of the data computing company: its growth fund is listed as having an 8.4% stake in the coming IPO. That makes for two Sequoia Growth IPOs today — a nice way to start the week this Monday afternoon.

Finally, Altimeter Capital, which did the Series C, owns 14.8%; ICONIQ owns 13.8%; and Redpoint, which did the Series B, owns 9.0%.

To see the breakdown in returns, let’s start by taking a look at the company’s share price and carrying values for each of its rounds of capital:

On top of that, what’s interesting is that Snowflake broke down the share purchases by firm for the last four rounds (D through G-1) the company fundraised:

That level of detail actually allows us to grossly compare the multiples on invested capital for these firms.

Sutter Hill, despite owning large sections of the company early on, continued to buy up shares all the way through the Series G, investing an additional $140 million in the later-stage rounds of the company. Adding in the entirety of its $5 million Series A round and a bit from the Series B assuming pro rata, the firm is looking on the order of a 16x return (assuming the IPO price is at least as good as the last round price).

Outside Sutter Hill, Redpoint has the best multiple return profile, given that it only invested $60 million in these later-stage rounds while still maintaining a 9.0% ownership stake. Both Sutter Hill and Redpoint purchased roughly 20% of their overall stakes in these later-stage rounds. Doing some rough calculating, Redpoint is looking at a return of about 12-13x.

Sequoia’s multiple on investment is capped a bit given that it only invested in the most recent funding rounds. Its 8.4% stake was purchased for nearly $272 million, all of which came in these late-stage rounds. At Snowflake’s last round valuation of $12.4 billion, Sequoia’s stake is valued at $1.04 billion — a return of slightly less than 4x. That’s very good for mezzanine capital, but nothing like the multiple that Sutter Hill or Redpoint got for investing early.

Doing the same back-of-the-envelope math and Altimeter is looking at a better than 6x return, and ICONIQ got 7x. As before, if the stock zooms up, those returns will look all the better (and of course, if the stock crashes, well…)

One final note: The pattern for these last four funding rounds is unusual for venture capital: Snowflake appears to have “spread the love around,” having multiple firms build up stakes in the startup over several rounds rather than having one definitive lead.

Palo Alto Networks to buy digital forensics consulting firm for $265M

It’s been quite a day in the tech world, with a bushel of S-1s being filed to go public. Not to be left out, the ever-acquisitive Palo Alto Networks announced its intent to acquire The Crypsis Group, an incident response, risk management and digital forensics consulting firm, for a crisp $265 million.

Nikesh Arora, chairman and CEO at Palo Alto Networks, sees a company that builds on the foundation of services the cybersecurity giant already provides, giving customers a set of services to lean on when a breach happens.

“By joining forces, we will be able to help customers not only predict and prevent cyberattacks but also mitigate the impact of any breach they may face,” he said. While the kinds of tools that Palo Alto provides are designed to prevent attacks, the fact is no set of tools is foolproof, and it’s always going to be a cat and mouse game between companies like Palo Alto and the attackers trying to breach their defenses.

Crypsis can help figure out how a breach happened and ways to close up the cracks in the foundation to prevent access through that particular weak point in the future. “We have dedicated ourselves to creating a more secure world through the fight against cybercrime. Together with Palo Alto Networks, we will be able to help businesses and governments better respond to threat actors on a global scale,” Bret Padres, CEO of The Crypsis Group said in a statement.

When the deal closes, and The Crypsis Group is in the fold, Palo Alto will gain more than 150 highly trained consultants, who have been handling approximately 1,300 incidents a year. This gives Palo Alto some serious consulting firepower to deal with those times when attackers get through their defenses.

The Crypsis Group has up until now been part of a larger security consultancy called ZP Group. The deal is expected to close in the fiscal first quarter of 2021, which just started when Q4 2020 closed today. Per usual, the acquisition will be subject to regulatory scrutiny, as Palo Alto is a public company.

The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good

This week there were some significant updates surrounding the ongoing effort between Binance and the Ukraine Cyber Police. On August 18, new details were released, in a joint press release, from the collaborators. Through their combined efforts, dubbed “Bulletproof Exchanger”, law enforcement were able to track and ultimately arrest multiple individuals involved with malicious cryptocurrency exchanges, and the laundering of approximately $42 million in illicit funds. The individuals concerned were heavily involved in launching multiple malicious cryptocurrency exchanges, as well as advertising their services in various dark corners of the internet. The cybercriminals directly assisted ransomware groups and other fraudsters with masking and obfuscating transactions, allowing them to convert their tainted profits into usable currency.

Through the “Bulletproof Exchanger” program, Binance has been able to identify and track data and behaviors that are indicative of these criminal activities (malicious exchanges, transaction cleaning). This effort allowed Binance to build a dynamic database of indicators specific to these actors and their activities. Artifacts such as user traits, DNS events, and blockchain analytical data have all become powerful tools that can be used to counter this sort of criminal activity.

This case marks the first true victory for the “Bulletproof Exchanger” effort. Binance has indicated that they intend to continue to operate and expand the project, stating “Fighting money laundering, ransomware, and other malicious activity is of critical importance to the well-being of the community and industry growth.” At SentinelOne, we could not agree more and applaud and support this ongoing effort.

The Bad

This week, CISA (Cybersecurity and Infrastructure Security Agency) released an updated malware analysis report on the North Korean-backed remote access trojan (RAT) BLINDINGCAN. Malware Analysis Report AR20-232A describes details around the RAT, which is being used to target high-value government contractors and related entities, notably including those in the defense and energy industries.

The malware is attributed to the North Korean-backed threat actor known variously as Hidden Cobra / Lazarus / APT38. The malware analysis report focuses on malicious documents and DLLs associated with the BLINDINGCAN RAT. The documents are Microsoft Word documents which, upon opening, attempt to connect to an external server to download additional payloads. Both 32- and 64-bit versions of the payloads exist. The documents also initiate keylogging routines and attempt to gather basic system information.

Of note, this is the 12th alert issued by CISA this year. SentinelOne Endpoint Protection is capable of preventing / detecting malicious behavior associated with BLINDINGCAN and artifacts cited in AR20-232A.

The Ugly

The week would not be complete without mention of another high-value ransomware target. Unfortunately, our highlight this week revolves around Carnival cruise lines. In a recent SEC 8-K filing, Carnival disclosed very limited details around the attack. Carnival also released a joint press release with Carnival plc concerning the ransomware incident, with data nearly identical to that stated in the SEC filing.

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files.”

Promptly upon its detection of the security event, the company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals. While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address the situation and reinforce the security of its information technology systems.

Details around the family of ransomware, or any sort of attribution for that matter, have yet to be publicly disclosed. This attack highlights a few interesting things. First of all, as we know, highly-motivated ransomware operators are still very active and will target their resources wherever they see the most potential for profit and/or disruption.

The other, lesser-known, bit here is that remediation becomes a huge hurdle for these types of attacks. The topology of a network like Carnival’s differs quite a bit from that of land-based entities. Having to rely on slower or more segmented networks (as they do with the cruise ships out at sea) can greatly complicate the process of remediation. How do you approach remediation when you can only connect to the ships’ systems during limited times each day? How do you approach remediation when your bandwidth is severely limited? This should serve as a reminder that prevention is absolutely critical. This is especially true in a time where ransomware authors are more innovative, aggressive and greedier than ever.


As the pandemic creates supply chain chaos, Craft raises $10M to apply some intelligence

During the COVID-19 pandemic, supply chains have suddenly become hot. Who knew that would ever happen? The race to secure PPE, ventilators and minor things like food was and still is an enormous issue. But perhaps, predictably, the world of “supply chain software” could use some updating. Most of the platforms are deployed “empty” and require the client to populate them with their own data, or “bring their own data.” The UIs can be outdated and still have to be juggled with manual and offline workflows. So startups working in this space are now attracting some timely attention.

Thus, Craft, the enterprise intelligence company, today announces it has closed a $10 million Series A financing round to build what it characterizes as a “supply chain intelligence platform.” With the new funding, Craft will expand its offices in San Francisco, London and Minsk, and grow remote teams across engineering, sales, marketing and operations in North America and Europe.

It competes with some large incumbents, such as Dun & Bradstreet, Bureau van Dijk and Thomson Reuters. These are traditional data providers focused primarily on providing financial data about public companies, rather than real-time data from sources such as operating metrics, human capital and risk metrics.

The idea is to allow companies to monitor and optimize their supply chain and enterprise systems. The financing was led by High Alpha Capital, alongside Greycroft. Craft also has some high-flying angel investors, including Sam Palmisano, chairman of the Center for Global Enterprise and former CEO and chairman of IBM; Jim Moffatt, former CEO of Deloitte Consulting; Frederic Kerrest, executive vice chairman, COO and co-founder of Okta; and Uncork Capital, which previously led Craft’s seed financing. High Alpha partner Kristian Andersen is joining Craft’s board of directors.

The problem Craft is attacking is a lack of visibility into complex global supply chains. For obvious reasons, COVID-19 disrupted global supply chains, which tended to reveal a lot of risks, structural weaknesses across industries and a lack of intelligence about how it’s all holding together. Craft’s solution is a proprietary data platform, API and portal that integrates into existing enterprise workflows.

While many business intelligence products require clients to bring their own data, Craft’s data platform comes pre-deployed with data from thousands of financial and alternative sources, such as 300+ data points that are refreshed using both Machine Learning and human validation. Its open-to-the-web company profiles appear in 50 million search results, for instance.

Ilya Levtov, co-founder and CEO of Craft, said in a statement: “Today, we are focused on providing powerful tracking and visibility to enterprise supply chains, while our ultimate vision is to build the intelligence layer of the enterprise technology stack.”

Kristian Andersen, partner with High Alpha commented: “We have a deep conviction that supply chain management remains an underinvested and under-innovated category in enterprise software.”

In the first half of 2020, Craft claims its revenues have grown nearly threefold, with Fortune 100 companies, government and military agencies, and SMEs among its clients.

Box CEO Aaron Levie says thrifty founders have more control

Once upon a time, Box’s Aaron Levie was just a guy with an idea for a company: 15 years ago as a USC student, he conceived of a way to simply store and share files online.

It may be hard to recall, but back then, the world was awash with thumb drives and moving files manually, but Levie saw an opportunity to change that.

Today, his company helps enterprise customers collaborate and manage content in the cloud, but when Levie appeared on an episode of Extra Crunch Live at the end of May, my colleague Jon Shieber and I asked him if he had any advice for startups. While he was careful to point out that there is no “one size fits all” advice, he did make one thing clear:

“I would highly recommend to any company of any size that you have as much control of your destiny as possible. So put yourself in a position where you spend as little amount of dollars as you can from a burn standpoint and get as close to revenue being equal to your expenses as you can possibly get to,” he advised.

Don’t let current conditions scare you

Levie also advised founders not to be frightened off by current conditions, whether that’s the pandemic or the recession. Instead, he said if you have an idea, seize the moment and build it, regardless of the economy or the state of the world. If, like Levie, you are in it for the long haul, this too will pass, and if your idea is good enough, it will survive and even thrive as you move through your startup growth cycle.

FBI, CISA Echo Warnings on ‘Vishing’ Threat

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification,” the alert reads. “In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting — with the end goal of monetizing the access.”

As noted in Wednesday’s story, the agencies said the phishing sites set up by the attackers tend to include hyphens, the target company’s name, and certain words — such as “support,” “ticket,” and “employee.” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk.

The joint FBI/CISA alert (PDF) says the vishing gang also compiles dossiers on employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. From the alert:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

The alert notes that in some cases the unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, the attackers were able to intercept the one-time codes by targeting the employee with SIM swapping, which involves social engineering people at mobile phone companies into giving them control of the target’s phone number.

The agencies said crooks use the vished VPN credentials to mine the victim company databases for their customers’ personal information to leverage in other attacks.

“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the alert reads. “The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”

The advisory includes a number of suggestions that companies can implement to help mitigate the threat from these vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify web links do not have misspellings or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
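One way a defender could act on the alert’s description of the phishing domains (hyphens, the target company’s name, and words such as “support,” “ticket,” and “employee”) together with its domain-monitoring recommendation is to score each newly observed domain against that pattern. The Python below is an added example, not code from the alert or from KrebsOnSecurity; the brand name, the corporate allow-list, the extra keywords beyond the alert’s three and the sample domain feed are all constructed for the demonstration.

```python
"""Heuristic screening of newly observed domain names for the vishing
lookalike pattern described in the FBI/CISA alert.

Added illustration, not code from the alert or any vendor. The brand
name, the allow-list and the sample domain feed are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The alert names "support", "ticket" and "employee"; "helpdesk", "vpn" and
# "login" are an assumed extension based on the help-desk/VPN pretext.
VISHING_KEYWORDS = ("support", "ticket", "employee", "helpdesk", "vpn", "login")

W_BRAND, W_HYPHEN, W_KEYWORD = 3, 1, 2   # assumed weights for the demo
FLAG_THRESHOLD = 4                       # brand alone or keyword+hyphen+... flags


@dataclass
class Finding:
    domain: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)


def registrable_domain(fqdn: str) -> str:
    """Last two labels of the name. Adequate for the .com/.net/.org names in
    this demo; a production monitor should use the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_domain(fqdn: str, brand: str, legit_domains: set[str]) -> Finding:
    """Score one observed domain against the alert's lookalike pattern."""
    fqdn = fqdn.lower().rstrip(".")
    brand = brand.lower()
    finding = Finding(fqdn)
    reg = registrable_domain(fqdn)
    if reg in legit_domains:
        return finding  # our own infrastructure: nothing to flag
    reg_label = reg.split(".")[0]

    # Brand name squatted in the registrable label, or abused as a subdomain
    # of someone else's domain (e.g. vpn-brand.com.attacker.net).
    if brand in reg_label.replace("-", ""):
        finding.add(W_BRAND, f"brand '{brand}' in registrable label of non-corporate domain")
    elif brand in fqdn.replace("-", ""):
        finding.add(W_BRAND, f"brand '{brand}' used as a subdomain of {reg}")

    if "-" in reg_label:
        finding.add(W_HYPHEN, "hyphenated registrable label")

    # Check each hyphen/digit-separated token with the brand removed, so that
    # "brandsupport" and "brand-support" both count as a keyword hit.
    tokens = [t.replace(brand, "") for t in re.split(r"[-\d]+", reg_label)]
    for kw in VISHING_KEYWORDS:
        if any(kw in t for t in tokens):
            finding.add(W_KEYWORD, f"keyword '{kw}'")
    return finding


def screen_feed(domains, brand: str, legit_domains: set[str]) -> list[Finding]:
    """Return findings at or above FLAG_THRESHOLD, highest score first."""
    found = [score_domain(d, brand, legit_domains) for d in domains]
    flagged = [f for f in found if f.score >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda f: (-f.score, f.domain))


# Constructed sample: one day's new-domain feed for the fictional "examplecorp".
LEGIT = {"examplecorp.com"}
SAMPLE_FEED = [
    "examplecorp-support-ticket.com",
    "examplecorpsupport.net",
    "vpn.examplecorp.com",                  # genuine corporate host
    "examplecorp-employee.net",
    "vpn-examplecorp.com.login-portal.net", # brand hidden in a subdomain
    "weather-ticket.org",                   # keyword but no brand: stays below threshold
    "news.example.org",
]

if __name__ == "__main__":
    for f in screen_feed(SAMPLE_FEED, "examplecorp", LEGIT):
        print(f"{f.score:2d}  {f.domain}  <- {'; '.join(f.reasons)}")
```

The threshold is deliberately set so that a single generic keyword plus a hyphen does not fire on its own; hits should still be reviewed by a person before any takedown request.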

Defending macOS Against Sophisticated Attacks

Recently, SentinelOne researcher Phil Stokes joined Dave Bittner from CyberWire to discuss macOS security for Recorded Future’s Inside Threat Intelligence podcast. Phil discusses his journey into macOS Security and the recent release of SentinelOne’s free eBook for enterprise macOS Threat Hunting and Incident Response.

Listen to (or read) the full interview below, and get the SentinelOne macOS Threat Hunting and Incident Response eBook here!

170 Defending MacOS Against Sophisticated Attacks was automatically transcribed by Sonix. This transcript may contain errors.

This is Recorded Future’s Inside Threat Intelligence for Cyber Security.

Dave Bittner:
Hello, everyone, and welcome to Episode 170 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Our guest today is Phil Stokes. He’s a security researcher at SentinelOne, where he specializes in the analysis of attacks against macOS. In our conversation, Phil Stokes shares his professional journey, how he came to focus on the Mac platform, as well as insights on the state of security on Apple’s desktop operating systems. He tracks the growing sophistication of those seeking to attack macOS and provides tips for security professionals looking to bolster their defenses. Stay with us.

Phil Stokes:
I’ve come from a kind of unusual background, I guess, for somebody in cybersecurity, in the sense that I started I mean, I’ve been involved with the Mac platform for something like 15 years or more, but I didn’t really start getting into it in a kind of technical way until about 10 or 11 years ago. And I just started out on Apple’s support forums, troubleshooting, you know, sort of volunteering, troubleshooting advice to people. And after a while, that led me to most of the problems that were coming up back then were or it started to be when we started to see security issues coming up, like adware and things like that. And that sort of in a roundabout way led me to develop my own software to basically deal with all these issues instead of answering people’s questions all the time.
And so for about five or six years, I was developing my own software and doing that. And then about two years ago, I joined SentinelOne.
Basically, they were looking for somebody who had a background in macOS security issues to sort of help with research and somebody who kind of knew the threatscape and had sort of seen it evolve. So that’s kind of how I got to today.

Dave Bittner:
Where do we find ourselves today when it comes to macOS and sort of the state of things when it comes to security? What’s your estimation of where we are?

Phil Stokes:
Generally, the Mac is a safe platform. I don’t think there’s a big argument about that. But I think that the issue really is that there is a malware problem on macOS, which never existed maybe five or six years ago. And it’s actually even escalated again in the last couple of years, I think. And I think part of that is to do with the fact that Macs are now far more often found in business environments where, as you know, they probably weren’t going back those five or six years. They weren’t really a popular business machine. And I think it’s also that, just to use a sort of vague general term, threat actors have realised there is money to be made from Mac users. I think, you know, possibly it comes with the, you know, the development of the iPhone from 2007. But the fact that people now have their Macs connected to so many other devices, they are a rich hunting ground for people who want to gather data, serve adware, and we also have some more targeted actors as well with the business environment. So, I think the situation today really is that there are a lot more threats for Macs than there’s ever been before, but I think there’s also not a great awareness of it. If you compare that to, say, Windows, you can ask even the most basic Windows user and they probably know what an AV is or probably know that they need to have Windows Defender turned on or something like that. But with Mac users, I don’t generally get that sense of awareness. You know, there’s this sort of general feeling that, oh, well, it’s a Mac. You know, it’s safe by design. You know, I think that’s something that people really need to have a second think about with the kind of threats that we see these days.

Dave Bittner:
It’s my perception from the folks that I’ve talked to that the majority of the malware hitting Mac users seems to be adware, you know, people. It’s that classic, you know, update your copy of Flash and then something gets installed that shows ads. Is that an accurate perception on my part?

Phil Stokes:
I would say so. I think I wouldn’t like to give figures because I don’t really have the data to back it up. But, you know, sort of off the top of my head, I would say probably 70, 80, maybe even 90 percent of the stuff I actually see on a day to day basis is going to be adware.
And its kind of cousin, which is the stuff we call bundleware, you know, all the kind of potentially unwanted software that gets installed alongside, you know, it says download some software manager and you get like 10 things like MacKeeper and, you know, all these sort of utilities that are not really offering any value that often get installed through hidden or very, very difficult to see checkboxes and things like that. Crypto miners are also a thing. We’ve had LoudMiner and BirdMiner in the last couple of years, so in terms of detections, we see those on the rise quite a lot, and to a much lesser extent, there’s bits of sort of spyware and data stealing stuff. And of course, the things that get the headlines every now and again are, you know, the things like Lazarus or APTs, you know, very, very targeted things that are going after specific users. So, yeah, I mean, I think that’s a fairly accurate way to think about it. In terms of the general user, I think the most threats that they’re looking at are adware and bundleware. The other problem that I see developing is when we look at these adware and bundleware actors, and there’s an actor in the media generally called Shlayer, which has been kind of pretty proactive in the last 18 months or so.
What you see is a lot of interaction between themselves and a lot of swapping. So you get adware that’s also installing bundleware and you get bundleware downloads that are serving up adware. And it’s kind of difficult, actually, a lot of the time to pull apart the different players, you know, all these sort of pay-per-install kind of things. Some of them are self-serving adware and some of them are serving genuine malware. So it seems as if there is, you know, a lot of sort of interaction with these guys in terms of helping each other out to, you know, serve this. I mean, I just call the whole lot malware, basically. It’s something that the user doesn’t want and doesn’t know and is not in their interests. And as you know, as far as I’m concerned, you might as well call it all malware. The number of these things is what’s really quite shocking when you look at just how much more of this is occurring. It is more this year than it was last year, you know, almost exponentially. And there seem to be more players as well.

Dave Bittner:
Well, so you and your team recently published an ebook, and among the things you focused on were incident response and threat hunting on macOS. Can you take us through, share with us some of the insights that are in that e-book when it comes to those topics?

Phil Stokes:
Our idea with the e-book was really, in a sense, that, you know, we deal with a lot of SOC teams, security operations centers, that are very familiar with Windows. And I know that, you know, they know their way around all the Windows devices, but maybe they’ve got, you know, a very small percentage of Macs in their fleet. And this is not necessarily a topic that they’re very familiar with. So what we wanted to do was basically produce a book that would guide them through, you know, how do you triage a Mac device that comes into, you know, the IT team or the SOC team, and it looks like it’s either had malware on it or could have malware on it or, you know, been behaving in some way that’s suspicious. So basically, the idea is to try to educate people who are not familiar with Macs about all the different places and the different ways that malware can get itself inside a Mac device. So we talk particularly about persistence agents in the ebook. That’s, for me, when I’m triaging a machine, the first thing I want to look at is what is the persistence mechanism? Because 99 percent of all malware is going to have some way that it wants to stay on the system. So we talk about all the different persistence mechanisms that are possible on a Mac. So there’s kind of a whole chapter on that. And then we talk about how to actually look at a Mac and determine whether it’s been manipulated in some way.

So that might be, of course, looking at running processes that are actually live at the time, but also looking at historical things. How do you investigate the file system on a Mac? It’s not the same as on a Windows device, obviously. How do you check what the network configuration is and has it been manipulated in any way? And Macs, ah, I mean, Macs are special in one very specific way that’s different from all other computing devices, in the sense that the hardware and software is all built by the same people. So there is this huge integration that you don’t see on Windows devices, you don’t see on Linux devices. And for that reason, there are lots of things hidden away that the operating system knows that you can find out about the history. And many people don’t know about these things. Lots of hidden SQLite databases, lots of little obscure utilities that only exist on macOS, even though Mac is a Unix based system or Unix type system, with lots of command-line utilities that you won’t find on a Linux or Unix based system. So, you know, we try to talk through all these various different tools and databases that are useful if you want to basically find out what’s happened on the system and where can I find evidence that the system has been manipulated.

Dave Bittner:
So what are your recommendations for folks who are out there and have, you know, a fleet of machines that they’re charged with looking after? Perhaps they have a handful of Macs, perhaps they have a lot of Macs. Any suggestions or words of wisdom?

Phil Stokes:
Sure. Well, I think, you know, the main thing that you need, especially if you’re talking about, you know, a business, enterprise situation, the main thing that you need is visibility, because the one thing that you don’t get, I don’t know Windows, I don’t know if it’s true there, the one thing that you don’t get on a Mac is any way to be able to tell what’s going on in an easy way. For example, I mean, if you thought you had malware, or I often have this conversation with people where they just say, oh, you know, my Mac’s great, it never gets any infections. And I say, so how do you know? How would you check? What tool would you use that could give you that confidence? And normally, you know, if people know anything about the Mac, the only thing they’ll know is like, well, I can open up Activity Monitor. And I’m like, yeah, but, you know, there’s crypto miners that go to sleep when you open up Activity Monitor; for macOS, you know, they’re programmed to do exactly that. So, you know, this is, I mean, Apple have their own sort of built-in security tools, OK? But they leave a lot of gaps. And one of the main things that they don’t have is, if you’re in IT, if you’re an admin, they don’t offer you any visibility into what’s going on.

So I think you need some kind of software that’s going to be able to give you that visibility, that you’re going to be able to easily look at. How is this machine different today than it was yesterday? What’s happened on this machine? If you find, you know, some suspicious launch agent or something, where did it come from? How do I see what it’s connected to? So, you know, my main advice is that, I mean, there’s lots of solutions out there that can do this. And this is one of the things that, as I said earlier, I originally started out as a software developer, and this is one of the things that I developed. But the point is to ask yourself the question and then go find out the answer. How would I find out if my Mac had malware? That would be my first piece of advice. My second piece of advice would be to think about, again, if you’re thinking more about IT teams and admins, think about how do you control what your users do? Because almost all malware, 99 percent of it, is coming through user interaction. Certainly on the Mac, I can’t speak for other platforms, but on the Mac, you know, there might be some rare case where, you know, an APT actor steals your laptop and inserts something on the board, you know, on the logic board. But in reality, 99 percent of malware is coming through user interaction.

The user is downloading something, as you were talking about before, being convinced that they need some fake Flash Player update. So the question is, how can you see what users are doing, and how can you control them? And, you know, there’s various things you can do in terms of controlling devices. You can, Apple have this MDM platform, and there’s third party solutions like JAMF and Fleetsmith, where you can control various aspects of what users can change from a sort of admin perspective. And I think that’s, you know, certainly in an enterprise environment, I think that’s important for your overall security posture, because the thing with Macs is that almost every user by default is an admin user, and as soon as you download something and run it as an admin user, if it’s not a sandboxed app, you know, from the App Store, the process has an enormous power to do things without you knowing what it’s doing. So it comes back to what I was saying earlier about visibility, but also, you know, if you’re looking at it from a SOC or IT team perspective, you really want to be thinking about how can you get some kind of control to stop people infecting themselves, basically. And the last thing I would just say is, I think this is a big one, and it comes back to where I started, I think, is user education, because as I say, you know, Windows users have kind of got the idea that there are threats there, that they need to have Windows Defender running or whatever, you know, and I think Mac users haven’t got there yet.
I think there’s a very wide, I see this even with, you know, some of the thought leaders or influencers on Twitter and various social media platforms, now, they will argue that, oh, there’s no real malware for macOS. And, you know, nobody needs security software. And, you know, how would you know if you had some? So I think just this idea that, you know, it’s not a myth anymore, that there is. You can go on VirusTotal and just, you know, for those that have access to it, you can just do a search tag for Mach-O and just see how much new malware is going up on a repository like VirusTotal every day. So, you know, people just need to be aware that, yeah, you can be safe if you are educated. As you say, there’s a lot of the adware and stuff that we see there that is just manipulating users who, you know, just don’t know better. They trust stuff, and they just need to know that, you know, the situation has changed. It’s not necessarily a trustworthy world out there.

Dave Bittner:
What are your thoughts, as Apple has announced that they’re going to be shifting to ARM chips? Do you have any, is it a shift you’re looking forward to? What do you think we’re in for?

Phil Stokes:
Yeah, I don’t know. Actually, I am, personally. I’m looking forward to it. As I told you, you know, I started off with Acorn RISC Machines, and that’s basically where ARM itself comes from.
So these are reduced instruction set CPUs, right? So as a reverse engineer, I’m absolutely, yeah, let’s, you know, let’s go. This is great stuff. So great to get away from Intel. But I don’t know. I mean, you know, in terms of your listeners, I don’t know yet at this point. I think it’s too early to say what that will mean in terms of, you know, the security situation. It’s fairly clear with Big Sur and 10.16 or 11, whichever they finally decide on, it’s fairly clear that there’s a lot more lockdown coming.
You know, they’re locking down the, there’s COL integrity protection coming. They’re locking down the system volume so much now that you won’t even need FileVault on it.
So it’s clear that, you know, Apple have got this whole concept, if you like, or philosophy about locking down the system, and things like notarization that came in in 10.14, I think, are all part of that. How that transitions into ARM kind of remains to be seen. Sorry I couldn’t be much more informative at the moment, but we don’t have that much info on it.

Yeah. So quite recently we saw one of the very few instances of ransomware on the Mac, and it was kind of very unusual ransomware in the sense that it never really looked like the threat actors were that serious about making money, and in fact, from our investigation, it didn’t look like they made any money whatsoever. But the threat itself was interesting as a development because they actually included multiple different kinds of capabilities. In fact, all the kinds of capabilities that you typically associate with Windows malware. So there’s a backdoor in there. You know, there was spyware, data exfiltration stuff in there, there was privilege escalation in there, as well as the actual ransomware component, you know, that got all the headlines. And that, to me and to my colleagues, what struck us mostly about that was just how developed now these actors are becoming on the Mac platform. I mean, a few years ago, anything that you saw on a Mac was very poorly conceived, and it was clear that the developers probably didn’t come from a Mac background. And I think now, that particular item was called EvilQuest or ThiefQuest, I think it was finally named. That particular piece of malware was clearly developed by people who were Mac developers. And the same story with the recent Lazarus. We did a post recently on four different families of Lazarus malware, and I think Kaspersky had done one on a framework as well a week before that they attributed to Lazarus. And again, when you look at the code underneath, you know, from a reverse engineering standpoint, you can see that these are not developers from another platform who are just trying to pull something over. You know, these are Mac developers. These are people that know Apple’s APIs and Apple’s coding languages inside out. And they’re using everything from basic C libraries to Objective-C to Swift and, you know, the whole gamut of things that are available for Mac developers. So this, again, is part of my perception that the whole malware scene on Mac, what we can see, is that it has increased over the last few years. But I think it is developing as well. And as Apple develop their responses, it’s clear that there are teams, threat actors, that are out there that are, you know, responding in kind. So I think this is a problem that, you know, is not going to go away with a quick solution from Apple changing, you know, some technology on their side. I think that the threat actors are heavily invested in the platform.

Dave Bittner:
Our thanks to Phil Stokes from SentinelOne for joining us. Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. You can find that at recordedfuture.com/intel. We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future Podcast production team includes coordinating producer Caitlin Mattingly, executive producer Greg Barrette. The show is produced by The CyberWire with executive editor Peter Kilpe. And I’m Dave Bittner. Thanks for listening.

Ebook: macOS Threat Hunting & Incident Response
This guide will arm you with the knowledge you need to defend your organization’s macOS fleet.

