The Good, the Bad and the Ugly in Cybersecurity – Week 4

With the U.S. 2020 election behind us and a new administration now in place, the good news this week is the announcement of four new appointments to federal cybersecurity positions and $10 billion in spending plans to help beef up the nation’s cybersecurity.

Rob Joyce has been picked by the Biden administration to be the next NSA Cyber Director, while Anne Neuberger, who formerly spearheaded the NSA’s effort to counter Russian election interference, has been tapped for a new position as Deputy National Security Adviser for Cyber and Emerging Technology. Michael Sulmeyer has also been named for the National Security Council’s position of Senior Director of Cyber, though it’s unclear as yet what his duties will be.

On Wednesday, Avril Haines was approved as Director of National Intelligence. Haines, who in 2013 became the first woman to serve as Deputy Director of the CIA, has spoken previously on the need for better basic cybersecurity training as well as better coordination on cybersecurity across the public and private sectors. In her confirmation hearing this week, Haines pointedly stated that “When it comes to intelligence, there is simply no place for politics, ever”.

The good news for cyber continued with the announcement of ambitious plans to spend $9 billion to help CISA and GSA complete and modernize cybersecurity and IT projects. A further $1 billion has been earmarked for several projects including hiring additional cybersecurity experts and improving CISA’s ability to provide monitoring and incident response across federal agencies.

The Bad

Researchers this week disclosed details of a long-running phishing campaign that not only stole victims’ credentials but left them stored on public-facing internet sites for anyone else to discover and use.

Thought to have begun in August 2020, the campaign lured victims with fake Xerox (or “Xeros”) scan notifications that led to a spoofed Office 365 login page. Harvested credentials were then uploaded to legitimate but compromised websites and stored as plain text files. Whether through ignorance or indifference, the attackers who set up the infrastructure did nothing to keep those text files out of search engine indexes. Consequently, the stolen credentials could be found by anyone with a simple search query.

Aside from this apparent carelessness, the campaign was sophisticated enough to bypass Microsoft Office 365 Advanced Threat Protection and harvested credentials from over a thousand corporate employees. Because the stored credentials were public, the researchers were able to offer a breakdown of the industries targeted:

  • Construction 16%
  • Energy 10.7%
  • IT 6%
  • Healthcare 4.5%
  • Real Estate 4.3%
  • Manufacturing 4.3%
  • Education 2.8%
  • Transport 2.4%
  • Finance 2.1%
  • Retail 2.1%
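The indexing failure above has a mechanical side worth seeing. The following is an added example, not part of the original article and not code from the campaign or the researchers; it evaluates, from a compliant crawler's point of view, the two signals a site operator controls: a robots.txt Disallow rule and an X-Robots-Tag: noindex response header. The robots.txt text, the host example.com, the paths and the headers are all constructed for the demo.

```python
"""How a well-behaved crawler decides whether a file can be indexed.

Added example, not part of the original article and not the campaign's or
the researchers' code. The robots.txt text, the host example.com, the
paths and the response headers below are constructed for the demo.
"""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: everything under /private/ is off limits to crawlers.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
"""

# Constructed response headers for three hypothetical paths.
HEADERS = {
    "https://example.com/uploads/scan_results.txt": {"Content-Type": "text/plain"},
    "https://example.com/uploads/noindex.txt": {
        "Content-Type": "text/plain",
        "X-Robots-Tag": "noindex, nofollow",
    },
    "https://example.com/private/creds.txt": {"Content-Type": "text/plain"},
}


def load_robots(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text from memory instead of fetching it over HTTP."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp


def header_forbids_indexing(headers: dict) -> bool:
    """True if X-Robots-Tag carries a noindex (or none) directive."""
    tag = headers.get("X-Robots-Tag", "")
    directives = {d.strip().lower() for d in tag.split(",")}
    return bool(directives & {"noindex", "none"})


def indexable(url: str, robots_txt: str, headers: dict, agent: str = "*") -> bool:
    """True if a compliant crawler would both fetch the URL and index it."""
    if not load_robots(robots_txt).can_fetch(agent, url):
        return False  # robots.txt tells the crawler not to fetch it at all
    return not header_forbids_indexing(headers)


def audit(urls: dict, robots_txt: str = ROBOTS_TXT) -> dict:
    """Map each URL to whether it would end up in a search index."""
    return {url: indexable(url, robots_txt, hdrs) for url, hdrs in urls.items()}


if __name__ == "__main__":
    for url, exposed in audit(HEADERS).items():
        print(("INDEXABLE  " if exposed else "excluded   ") + url)
```

Neither signal is access control: a crawler that ignores robots.txt, or a person who already knows the URL, still gets the file. The check is useful for spotting what a site is accidentally advertising; the real fix is never to place credentials on a public host at all.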

The Ugly

Data belonging to around 2 million Premium members of popular adult chat and streaming platform MyFreeCams has been stolen and sold on a hacker forum, reports confirmed this week. The stolen data includes usernames, email addresses and passwords in clear text.

The hacker, who apparently used an SQL injection attack, offered batches of 10,000 user records at a time for $1500 in Bitcoin and promised to only sell each batch once, meaning buyers were guaranteed to get unique data. The wallet used by the criminal to receive funds had amassed just over $22,000 from 49 transactions before being emptied.


Buyers of the data could use it to potentially extort users or gain access to other accounts that used the same password via credential stuffing attacks.

For their part, MyFreeCams confirmed the attack was genuine and had already notified affected users and reset their passwords. They also say the vulnerability that made the attack possible had been rectified and that no credit card details had been compromised by the breach. However, it is not clear at this point in time whether the hackers obtained details of other MyFreeCams users along with Premium members, so all users are advised to change their passwords. The site, ranked 619th most visited website on the internet and 335th most visited site in the U.S., receives over 70 million visitors each month.
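The two failures named in this story, an injectable query and clear-text password storage, can be shown side by side in a self-contained script. This is an added example, not MyFreeCams’ code and not a reconstruction of the actual attack; the table, the account “alice” and its password are constructed for the demo.

```python
"""A login query built by string concatenation (the SQL injection pattern)
beside its parameterized form, and clear-text password storage beside
salted PBKDF2 hashing, in an in-memory SQLite database.

Added example, not the breached site's code. The schema, the account and
the password below are constructed for the demo.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

DEMO_USER = "alice"                              # constructed
DEMO_PASSWORD = "correct horse battery staple"   # constructed


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt (stdlib only)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """In-memory users table. The clear-text 'password' column exists only so
    the vulnerable login below has something to match; a real schema keeps
    only salt and pw_hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    salt, pw_hash = hash_password(DEMO_PASSWORD)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (DEMO_USER, DEMO_PASSWORD, salt, pw_hash))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so a quote in the input changes
    the query. A password of  ' OR '1'='1  makes the WHERE clause always true."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is bound as a parameter and never parsed as SQL; the password is
    compared as a salted hash in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt)[1])


if __name__ == "__main__":
    db = make_db()
    print("injection against concatenated query:",
          login_vulnerable(db, "nobody", "' OR '1'='1"))      # True
    print("same input against parameterized query:",
          login_parameterized(db, "nobody", "' OR '1'='1"))   # False
```

With hashes in the table, a dump of the users table gives a buyer salts and PBKDF2 digests rather than reusable passwords, which is what turns the credential stuffing risk described above from immediate into expensive.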


Drupal’s journey from dorm-room project to billion-dollar exit

Twenty years ago Drupal and Acquia founder Dries Buytaert was a college student at the University of Antwerp. He wanted to put his burgeoning programming skills to work by building a communications tool for his dorm. That simple idea evolved over time into the open-source Drupal web content management system, and eventually a commercial company called Acquia built on top of it.

Buytaert would later raise over $180 million and exit in 2019 when the company was acquired by Vista Equity Partners for $1 billion, but it took 18 years of hard work to reach that point.

When Drupal came along in the early 2000s, it wasn’t the only open-source option, but it was part of a major movement toward giving companies options by democratizing web content management.

Many startups are built on open source today, but back in the early 2000s, there were only a few trail blazers and none that had taken the path that Acquia took. Buytaert and his co-founders decided to reduce the complexity of configuring a Drupal installation by building a hosted cloud service.

That seems like a no-brainer now, but consider at the time in 2009, AWS was still a fledgling side project at Amazon, not the $45 billion behemoth it is today. In 2021, building a startup on top of an open-source project with a SaaS version is a proven and common strategy. Back then nobody else had done it. As it turned out, taking the path less traveled worked out well for Acquia.

Moving from dorm room to billion-dollar exit is the dream of every startup founder. Buytaert got there by being bold, working hard and thinking big. His story is compelling, but it also offers lessons for startup founders who also want to build something big.

Born in the proverbial dorm room

In the days before everyone had internet access and a phone in their pockets, Buytaert simply wanted to build a way for him and his friends to communicate in a centralized way. “I wanted to build kind of an internal message board really to communicate with the other people in the dorm, and it was literally talking about things like ‘Hey, let’s grab a drink at 8:00,’” Buytaert told me.

He also wanted to hone his programming skills. “At the same time I wanted to learn about PHP and MySQL, which at the time were emerging technologies, and so I figured I would spend a few evenings putting together a basic message board using PHP and MySQL, so that I could learn about these technologies, and then actually have something that we could use.”

The resulting product served its purpose well, but when graduation beckoned, Buytaert realized if he unplugged his PC and moved on, the community he had built would die. At that point, he decided to move the site to the public internet and named it, which was actually an accident. Originally, he meant to register because “dorp” is Dutch for “village or small community,” but he mistakenly inverted the letters during registration.

Buytaert continued adding features to like diaries (a precursor to blogging) and RSS feeds. Eventually, he came up with the idea of open-sourcing the software that ran the site, calling it Drupal.

The birth of web content management

About the same time Buytaert was developing the basis of what would become Drupal, web content management (WCM) was a fresh market. Early websites had been fairly simple and straightforward, but they were growing more complex in the late 90s and a bunch of startups were trying to solve the problem of managing them. Buytaert likely didn’t know it, but there was an industry waiting for an open-source tool like Drupal.

Extra Crunch roundup: Digital health VC survey, edtech M&A, deep tech marketing, more

I had my first telehealth consultation last year, and there’s a high probability that you did, too. Since the pandemic began, consumer adoption of remote healthcare has increased 300%.

Speaking as an unvaccinated urban dweller: I’d rather speak to a nurse or doctor via my laptop than try to remain physically distanced on a bus or hailed ride traveling to/from their office.

Even after things return to (rolls eyes) normal, if I thought there was a reliable way to receive high-quality healthcare in my living room, I’d choose it.

Clearly, I’m not alone: a May 2020 McKinsey study pegged yearly domestic telehealth revenue at $3 billion before the coronavirus, but estimated that “up to $250 billion of current U.S. healthcare spend could potentially be virtualized” after the pandemic abates.

That’s a staggering number, but in a category that includes startups focused on sexual health, women’s health, pediatrics, mental health, data management and testing, it’s clear to see why digital-health funding topped more than $10 billion in the first three quarters of 2020.

Drawing from The TechCrunch List, reporter Sarah Buhr interviewed eight active health tech VCs to learn more about the companies and industry verticals that have captured their interest in 2021:

  • Bryan Roberts and Bob Kocher, partners, Venrock
  • Nan Li, managing director, Obvious Ventures
  • Elizabeth Yin, general partner, Hustle Fund
  • Christina Farr, principal investor and health tech lead, OMERS Ventures
  • Ursheet Parikh, partner, Mayfield Ventures
  • Nnamdi Okike, co-founder and managing partner, 645 Ventures
  • Emily Melton, founder and managing partner, Threshold Ventures


Since COVID-19 has renewed Washington’s focus on healthcare, many investors said they expect a friendly regulatory environment for telehealth in 2021. Additionally, healthcare providers are looking for ways to reduce costs and lower barriers for patients seeking behavioral support.

“Remote really does work,” said Elizabeth Yin, general partner at Hustle Fund.

We’ll cover digital health in more depth this year through additional surveys, vertical reporting, founder interviews and much more.

Thanks very much for reading Extra Crunch this week; I hope you have a relaxing weekend.

Walter Thompson
Senior Editor, TechCrunch

8 VCs agree: Behavioral support and remote visits make digital health a strong bet for 2021


Lessons from Top Hat’s acquisition spree


In the last year, edtech startup Top Hat acquired three publishing companies: Fountainhead Press, Bludoor and Nelson HigherEd.

Natasha Mascarenhas interviewed CEO and founder Mike Silagadze to learn more about his content acquisition strategy, but her story also discussed “some rumblings of consolidation and exits in edtech land.”

How VCs invested in Asia and Europe in 2020

Last year, U.S.-based VCs invested an average of $428 million each day in domestic startups, with much of the benefits flowing to fintech companies.

This morning, Alex Wilhelm examined Q4 VC totals for Europe, which had its lowest deal count since Q1 2019, despite a record $14.3 billion in investments.

Asia’s VC industry, which saw $25.2 billion invested across 1,398 deals is seeing “a muted recovery,” says Alex.

“Falling seed volume, lots of big rounds. That’s 2020 VC around the world in a nutshell.”

Decrypted: With more SolarWinds fallout, Biden picks his cybersecurity team


In this week’s Decrypted, security reporter Zack Whittaker covered the latest news in the unfolding SolarWinds espionage campaign, now revealed to have impacted the U.S. Bureau of Labor Statistics and Malwarebytes.

In other news, the controversy regarding WhatsApp’s privacy policy change appears to be driving users to encrypted messaging app Signal, Zack reported. Facebook has put changes at WhatsApp on hold “until it could figure out how to explain the change without losing millions of users,” apparently.

Hot IPOs hang onto gains as investors keep betting on tech

A big IPO debut is a juicy topic for a few news cycles, but because there’s always another unicorn ready to break free from its corral and leap into the public markets, it doesn’t leave a lot of time to reflect.

Alex studied companies like Lemonade, Airbnb and Affirm to see how well these IPO pop stars have retained their value. Not only have most held steady, “many have actually run up the score in the ensuing weeks,” he found.

Dear Sophie: What are Biden’s immigration changes?


Dear Sophie:

I work in HR for a tech firm. I understand that Biden is rolling out a new immigration plan today.

What is your sense as to how the new administration will change business, corporate and startup founder immigration to the U.S.?

—Free in Fremont

Hello, Extra Crunch community!


I began my career as an avid TechCrunch reader and remained one even when I joined as a writer, when I left to work on other things and now that I’ve returned to focus on better serving our community.

I’ve been chatting with some of the folks in our community and I’d love to talk to you, too. Nothing fancy, just 5-10 minutes of your time to hear more about what you want to see from us and get some feedback on what we’ve been doing so far.

If you would be so kind as to take a minute or two to fill out this form, I’ll drop you a note and hopefully we can have a chat about the future of the Extra Crunch community before we formally roll out some of the ideas we’re cooking up.

Drew Olanoff

In 2020, VCs invested $428m into US-based startups every day

Last year was a disaster across the board thanks to a global pandemic, economic uncertainty and widespread social and political upheaval.

But if you were involved in the private markets, however, 2020 had some very clear upside — VCs flowed $156.2 billion into U.S.-based startups, “or around $428 million for each day,” reports Alex Wilhelm.

“The huge sum of money, however, was itself dwarfed by the amount of liquidity that American startups generated, some $290.1 billion.”

Using data sourced from the National Venture Capital Association and PitchBook, Alex used Monday’s column to recap last year’s seed, early-stage and late-stage rounds.

How and when to build marketing teams at deep tech companies


Building a marketing team is one of the most opaque parts of spinning up a startup, but for a deep tech company, the stakes couldn’t be higher.

How can technical founders working on bleeding-edge technology find the right people to tell their story?

If you work at a post-revenue, early-stage deep tech startup (or know someone who does), this post explains when to hire a team, whether they’ll need prior industry experience, and how to source and evaluate talent.

Bustle CEO Bryan Goldberg explains his plans for taking the company public


Senior Writer Anthony Ha interviewed Bustle Digital Group CEO Bryan Goldberg to get his thoughts on the state of digital media.

Their conversation covered a lot of ground, but the biggest news it contained focuses on Goldberg’s short-term plans.

“Where do I want to see the company in three years? I want to see three things: I want to be public, I want to see us driving a lot of profits and I want it to be a lot bigger, because we’ve consolidated a lot of other publications,” he said.

It may not be as glamorous as D2C, but beauty tech is big money


The U.S. Federal Trade Commission is not a huge fan of personal-care D2C brands merging with traditional consumer product companies.

This month, razor startup Billie and Procter & Gamble announced they were calling off their planned merger after the FTC filed suit.

For similar reasons, Edgewell Personal Care dropped its plans last year to buy Harry’s for $1.37 billion.

In a harsher regulatory environment, “the path to profitability has become a more important part of the startup story versus growth at all costs,” it seems.

Twilio CEO says wisdom lies with your developers


Companies that build their own tools “tend to win the hearts, minds and wallets of their customers,” according to Twilio CEO Jeff Lawson.

In an interview with enterprise reporter Ron Miller for his new book, “Ask Your Developer,” Lawson says founders should use developer teams as a sounding board when making build-versus-buy decisions.

“Lawson’s basic philosophy in the book is that if you can build it, you should,” says Ron.

Stopping Cyberattacks on Remote Workers Starts at the Endpoint

The sudden shift to remote work turned our previously embedded assumptions about how work should be done upside down — and cybercriminals noticed. With many companies forced to suddenly embrace work-from-home on a condensed timeline, security fell to the back burner because (a) organizations assumed this would be short-lived, and (b) they figured they could circle back to security once everything was up and running.

During this time, we have observed a significant number of malware campaigns, spam campaigns, and outright scams that preyed on the fears and uncertainties of the global population. These ranged from fraud schemes related to economic stimulus programs offered by the U.S. Small Business Administration to the Maze ransomware hacking group attacking a British research company that was preparing to conduct trials of a COVID-19 vaccine. Throughout COVID-19, cybercriminals have continued to capitalize on unsecured work-from-home computing to deliver new malware and test new techniques.

Many company leaders intend to permit remote working some of the time as employees return to the workplace. As we continue to embrace working from home, here are a few tips to ensure you keep your people, data, customers and organization safe.

1. It All Starts at the Endpoint

In simple terms, an endpoint is one end of a communications channel: any device that sits at an “end point” of a network, as distinct from the routers and switches that merely relay traffic or move it from one channel to another. An endpoint is where communications originate and where they are received. Endpoints range from desktops, laptops, servers and virtual machines to IoT devices such as wearable fitness trackers, printers, smart TVs and even toaster ovens.

Today’s challenge is that everything is digital, and protecting the endpoint isn’t as easy as it used to be. Virtually any device can be connected to your network. And therefore, just as physical items can be stolen or broken, today’s precious assets are increasingly susceptible to cybercrime that seeks to halt business activity, steal data, and steal money – all digitally.

2. Understand What Is On Your Network

Protecting the endpoint is your primary task, but ask yourself this question: do you know how many devices are connected to your network? You may be surprised to learn that beyond traditional endpoints (think desktops, laptops, and servers), most organizations are running completely blind. It doesn’t have to be that way.

You can’t protect what you can’t see, so it’s imperative for organizations to be able to map what is on a network and fingerprint devices to see what is connected — and more importantly, unprotected. With the help of an AI-driven endpoint protection platform, organizations can easily identify and see each and every device connected to the network.

3. Secure Company Devices

Even though employees won’t be working out of the office, it doesn’t mean they’ll always be working from home. We’re seeing employees take their work with them, whether to a socially distanced park or a hotel on vacation. Working from a public network exposes the company data that resides locally on the laptop, and the laptop itself, to whoever else is on that network.

Here’s a few tips to help keep your company devices secure:

  • Make sure all company devices use full disk encryption so that if a laptop happens to get lost or stolen, the data on the device will not be accessible to thieves.
  • Use password management so that all accounts on the device require unique login credentials.
  • Remind employees to log out whenever the system is not in use, even at home.

While these may seem like basic security practices, it’s always a good idea to remind your employees not to be that Starbucks customer who goes to the counter for a refill while leaving an open laptop on the table.


4. Be Smart When Accessing Company Networks

Providing remote access to your corporate network always increases the risk of your organization’s data getting into the wrong hands. This often happens when employees let their guard down and engage in behaviors they normally wouldn’t at the office, such as using their company device for personal activities.

To better protect your data, use a zero-trust access solution to connect remote employees to your organization’s applications and servers. Rather than placing the device on the corporate LAN the way a traditional VPN does, a zero-trust solution verifies the user’s identity and the device’s security posture on each connection and grants access only to the specific applications that user needs. And don’t be afraid to remind employees that a laptop used at home is still company property and should only be used by the employee themselves for work-related activities. Any non-work-related activity should be conducted on the employee’s own devices.

5. Beware of Phishing Campaigns and Malware

With the increase in email and other text-based communications to stay connected while working remotely, it can be hard for employees to differentiate what emails and communications are legitimate, and what are not.

As phishing and malware campaigns continue to rise, remind your employees to inspect links before clicking by hovering over them with the pointer to see the actual URL destination, and to compare that destination with the domain the message claims to come from. Another way to help employees who do click is an endpoint detection and response solution that can detect and block malicious content when the user executes it.


With the vast majority of the workforce changing its habits, securing the world’s commerce, communications, and precious digital assets has never been more critical. As we embrace our new normal, enterprises can secure work-from-home computers and ensure that all surrounding IoT devices are prohibited from communication with enterprise assets — by having the correct tools and strategies in place to defend every endpoint against every type of attack, at every stage in the threat lifecycle.



Soci raises $80M for its localized marketing platform

Soci, a startup focused on what it calls “localized marketing,” is announcing that it has raised $80 million in Series D funding.

National and global companies like Ace Hardware, Anytime Fitness, The Hertz Corporation and Nekter Juice Bar use Soci (pronounced soh-shee) to coordinate individual stores as they promote themselves through search, social media, review platforms and ad campaigns. Soci said that in 2020, it brought on more than 100 new customers, representing nearly 30,000 new locations.

Co-founder and CEO Afif Khoury told me that the pandemic was a crucial moment for the platform, with so many businesses “scrambling to find a real solution to connect with local audiences.”

One of the key advantages to Soci’s approach, Khoury said, is to allow the national marketing team to share content and assets so that each location stays true to the “national corporate personality,” while also allowing each location to express a “local personality.” During the pandemic, businesses could share basic information about “who’s open, who’s not” while also “commiserating and expressing the humanity that’s often a missing element from marketing nationally.”

“The result there was businesses that had to close, when they had their grand reopenings, people wanted to support that business,” he said. “It created a sort of bond that hopefully lasts forever.”

Khoury also emphasized that Soci has built a comprehensive platform that businesses can use to manage all their localized marketing, because “nobody wants to have seven different logins to seven different systems, especially at the local level.”

The new funding, he said, will allow Soci to make the platform even more comprehensive, both through acquisitions and integrations: “We want to connect into the CRM, the point-of-sale, the rewards program and take all that data and marry that to our search, social, reviews data to start to build a profile on a customer.”

Soci has now raised a total of $110 million. The Series D was led by JMI Equity, with participation from Ankona Capital, Seismic CEO Doug Winter and Khoury himself.

“All signs point to an equally difficult first few months of this year for restaurants and other businesses dependent on their communities,” said JMI’s Suken Vakil in a statement. “This means there will be a continued need for localized marketing campaigns that align with national brand values but also provide for community-specific messaging. SOCi’s multi-location functionality positions it as a market leader that currently stands far beyond its competitors as the must-have platform solution for multi-location franchises/brands.”

Cloud infrastructure startup CloudNatix gets $4.5 million seed round led by DNX Ventures


CloudNatix, a startup that provides infrastructure for businesses with multiple cloud and on-premise operations, announced it has raised $4.5 million in seed funding. The round was led by DNX Ventures, an investment firm that focuses on United States and Japanese B2B startups, with participation from Cota Capital. Existing investors Incubate Fund, Vela Partners and 468 Capital also contributed.

The company also added DNX Ventures managing partner Hiro Rio Maeda to its board of directors.

CloudNatix was founded in 2018 by chief executive officer Rohit Seth, who previously held lead engineering roles at Google. The company’s platform helps businesses reduce IT costs by analyzing their infrastructure spending and then using automation to make IT operations across multiple clouds more efficient. The company’s typical customer spends between $500,000 and $50 million on infrastructure each year and uses at least one cloud service provider in addition to on-premise networks.

Built on open-source software like Kubernetes and Prometheus, CloudNatix works with all major cloud providers and on-premise networks. For DevOps teams, it helps configure and manage infrastructure that runs both legacy and modern cloud-native applications, and enables them to transition more easily from on-premise networks to cloud services.

CloudNatix competes most directly with VMware and Red Hat OpenShift. But both of those services are limited to their base platforms, while CloudNatix’s advantage is that it is agnostic to base platforms and cloud service providers, Seth told TechCrunch.

The company’s seed round will be used to scale its engineering, customer support and sales teams.


South African startup Aerobotics raises $17M to scale its AI-for-agriculture platform

As the global agricultural industry stretches to meet expected population growth and food demand, and food security becomes more of a pressing issue with global warming, a startup out of South Africa is using artificial intelligence to help farmers manage their farms, trees and fruits.

Aerobotics, a South African startup that provides intelligent tools to the world’s agriculture industry, has raised $17 million in an oversubscribed Series B round.

South African consumer internet giant Naspers led the round through its investment arm, Naspers Foundry, investing $5.6 million, according to Aerobotics. Cathay AfricInvest Innovation, FMO: Entrepreneurial Development Bank and Platform Investment Partners also participated.

Founded in 2014 by James Paterson and Benji Meltzer, Aerobotics is currently focused on building tools for fruit and tree farmers. Using artificial intelligence, drones and other robotics, its technology helps track and assess the health of these crops, including identifying when trees are sick, tracking pests and diseases, and analytics for better yield management. 

The company has since extended its technology to give farmers independent and reliable yield estimates and harvest schedules, by collecting and processing both tree and fruit imagery from citrus growers early in the season. In turn, farmers can prepare their stock, predict demand and ensure their customers get the best quality produce.

Aerobotics has experienced record growth in the last few years. For one, it claims to have the largest proprietary data set of trees and citrus fruit in the world, having processed 81 million trees and more than a million citrus fruit.

The seven-year-old startup is based in Cape Town, South Africa. At a time when many of the startups out of the African continent have focused their attention primarily on identifying and fixing challenges at home, Aerobotics has found a lot of traction for its services abroad, too. It has offices in the U.S., Australia and Portugal — like Africa, home to other major, global agricultural economies — and operates in 18 countries across Africa, the Americas, Europe and Australia. 


Within that, the U.S. is the company’s primary market, and Aerobotics says it has two provisional patents pending in the country, one for systems and methods for estimating tree age and another for systems and methods for predicting yield.  

The company said it plans to use this Series B investment to continue developing more technology and product delivery, both for the U.S. and other markets. 

“We’re committed to providing intelligent tools to optimize automation, minimize inputs and maximize production. We look forward to further co-developing our products with the agricultural industry leaders,” said Paterson, the CEO, in a statement.

Once a frontier for technology, the agriculture industry has lagged on that front for a long while. However, agritech companies like Aerobotics that support climate-smart agriculture and help farmers have sprung up to try to restore the industry to its past glory. Investors have taken notice, and over the past five years investment has flowed at a breathtaking pace.

Aerobotics raised $600,000 from 4Di Capital and Savannah Fund in its seed round in September 2017, then a further $4 million in Series A funding in February 2019, led by Nedbank Capital and Paper Plane Ventures.

Naspers Foundry, the lead investor in this Series B round, was launched by Naspers in 2019 as a 1.4 billion rand (~$100 million) fund for tech startups in South Africa. 

Phuthi Mahanyele-Dabengwa, CEO of Naspers South Africa, said of the investment, “Food security is of paramount importance in South Africa and the Aerobotics platform provides a positive contribution towards helping to sustain it. This type of tech innovation addresses societal challenges and is exactly the type of early-stage company that Naspers Foundry looks to back.”

Besides Aerobotics, Naspers Foundry has invested in online cleaning service SweepSouth, and food service platform Food Supply Network.

IBM transformation struggles continue with cloud and AI revenue down 4.5%

A couple of months ago at CNBC’s Transform conference, IBM CEO Arvind Krishna painted a picture of a company in the midst of a transformation. He said that he wanted to take advantage of IBM’s $34 billion 2018 Red Hat acquisition to help customers manage a growing hybrid cloud world, while using artificial intelligence to drive efficiency.

It seems like a sound enough approach. But instead of the new strategy acting as a big growth engine, IBM’s earnings today showed that its cloud and cognitive software revenues were down 4.5% to $6.8 billion. Meanwhile, cognitive applications, the segment where AI revenue is reported, were flat.

If Krishna were looking for a silver lining, perhaps he could take solace in the fact that Red Hat itself performed well, with revenue up 18% compared to the year-ago period, according to the company. But overall the company’s revenue declined for the fourth straight quarter, leaving the executive in much the same position as his predecessor Ginni Rometty, who led IBM during 22 straight quarters of revenue declines.

Krishna laid out his strategy in November, telling CNBC, “The Red Hat acquisition gave us the technology base on which to build a hybrid cloud technology platform based on open-source, and based on giving choice to our clients as they embark on this journey.” So far the approach is simply not generating the growth Krishna expected.

The company is also in the midst of spinning out its legacy managed infrastructure services division, which, as Krishna said in the same November interview, should allow Big Blue to concentrate more on its new strategy. “With the success of that acquisition now giving us the fuel, we can then take the next step, and the larger step, of taking the managed infrastructure services out. So the rest of the company can be absolutely focused on hybrid cloud and artificial intelligence,” he said.

While it’s certainly too soon to say his transformation strategy has failed, the results aren’t there yet, and IBM’s falling top line has to be as frustrating to Krishna as it was to Rometty. If you guide the company toward more modern technologies and away from the legacy ones, at some point you should start seeing results, but so far that has not been the case for either leader.

Krishna continued to build on this vision at the end of last year by buying some additional pieces like cloud applications performance monitoring company Instana and hybrid cloud consulting firm Nordcloud. He did so to build a broader portfolio of hybrid cloud services to make IBM more of a one-stop shop for these services.

As retired NFL football coach Bill Parcells used to say, referring to his poorly performing teams, “you are what your record says you are.” Right now IBM’s record continues to trend in the wrong direction. While it’s making some gains with Red Hat leading the way, it’s simply not enough to offset the losses, and something needs to change.

DDoS-Guard To Forfeit Internet Space Occupied by Parler

Parler, the beleaguered social network advertised as a “free speech” alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from their stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients — including the Internet addresses currently occupied by Parler.

The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

In October, a phone call from Guilmette to an Internet provider in Oregon was all it took to briefly sideline a vast network of sites tied to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. As a result, those QAnon and 8chan sites also ultimately ended up in the arms of DDoS-Guard.

Much like Internet infrastructure firm CloudFlare, DDoS-Guard typically doesn’t host sites directly but instead acts as a go-between to simultaneously keep the real Internet addresses of its clients confidential and to protect them from crippling Distributed Denial-of-Service (DDoS) attacks.

The majority of DDoS-Guard’s employees are based in Russia, but the company is actually incorporated in two other places: As “Cognitive Cloud LLP” in Scotland, and as DDoS-Guard Corp. based in Belize.  However, none of the company’s employees are listed as based in Belize, and DDoS-Guard makes no mention of the Latin American region in its map of global operations.

In studying the more than 11,000 Internet addresses assigned to those two companies, Guilmette found that approximately 66 percent of them were doled out to the Belize entity by LACNIC, the regional Internet registry for the Latin American and Caribbean regions.

Suspecting that DDoS-Guard incorporated in Belize on paper just to get huge swaths of IP addresses that are supposed to be given only to entities with a physical presence in the region, Guilmette filed a complaint with the Internet registry about his suspicions back in November.

Guilmette said LACNIC told him it would investigate, and that any adjudication on the matter could take up to three months. But earlier this week, LACNIC published a notice on its website that it intends to revoke 8,192 IPv4 addresses from DDoS-Guard — including the Internet address currently assigned to Parler[.]com.

A notice of revocation posted by LACNIC.

LACNIC has not yet responded to requests for comment. The notice on its site says the Internet addresses are set to be revoked on Feb. 24.

DDoS-Guard CEO Evgeniy Marchenko maintains the company has done nothing wrong, and that DDoS-Guard does indeed have a presence in Belize.

“They were used strongly according [to] all LACNIC policies by [a] company legally substituted in LACNIC region,” Marchenko said in an email to KrebsOnSecurity. “There is nothing illegal or extremist. We have employers and representatives in different countries around the world because we are global service. And Latin America region is not an exception.”

Guilmette said DDoS-Guard could respond by simply moving Parler and other sites sitting in those address ranges to another part of its network. But he considers it a victory nonetheless that a regional Internet registry took his concerns seriously.

“It appeared to me that it was more probable than not that they got these 8,000+ IPv4 addresses by simply creating an arguably fraudulent shell company in Belize and then going cap in hand to LACNIC, claiming that they had a real presence in the Latin & South American region, and then asking for 8,000+ IPv4 addresses,” he said. “So I reported my suspicions to the LACNIC authorities in early November, and as I have only just recently learned, the LACNIC authorities followed up diligently on my report and, it seems, verified my suspicions.”

In October, KrebsOnSecurity covered another revelation by Guilmette about the same group of QAnon and 8chan-related sites that moved to DDoS-Guard: The companies that provided the Internet address space used by the sites were defunct businesses in the eyes of their respective U.S. state regulators. In other words, the American Registry for Internet Numbers (ARIN) — the non-profit which administers IP addresses for entities based in North America — was well within its contract rights to revoke the IP space.

Guilmette brought his findings to ARIN, which declined to act on the complaint and instead referred the matter to state investigatory agencies.

Still, Guilmette’s gadfly efforts to stir things up in the RIR community sometimes do pay off. For example, he spent nearly three years documenting how $50 million worth of the increasingly scarce IPv4 addresses were misappropriated from African companies to dodgy Internet marketing firms.

His complaints about those findings to the African Network Information Centre (AFRINIC) resulted in an investigation that led to the termination of a top AFRINIC executive, who was found to have quietly sold many of the address blocks for personal gain to marketers based in Europe, Asia and elsewhere.

And this week, AFRINIC took the unusual step of officially documenting the extent of the damage wrought by its former employee, and revoking discrete chunks of address space currently being used by marketing firms.

In a detailed report released today (PDF), AFRINIC said its investigation revealed more than 2.3 million IPv4 addresses were “without any lawful authority, misappropriated from AFRINIC’s pool of resources and attributed to organizations without any justification.”

AFRINIC said it began its inquiry in earnest back in March 2019, when it received an application by the U.S. Federal Bureau of Investigation (FBI) about “certain suspicious activities regarding several IPv4 address blocks which it held.” So far, AFRINIC said it has reclaimed roughly half of the wayward IP address blocks, with the remainder “yet to be reclaimed due to ongoing due diligence.”

Six Steps to Successful And Efficient Threat Hunting 

Cybersecurity often feels like a game of cat and mouse. As our solutions get better at stopping an attack, adversaries have often already developed and started using new tactics and techniques. According to the Verizon DBIR, advanced threats lurk in our environments undetected, often for months, stealthily gathering information and looking for data to steal or compromise. If you wait until these threats become visible or an alert is generated by traditional SOC monitoring tools, it can be too late. Threat hunting helps close this gap. Rather than waiting for an alert, threat hunters proactively assume that an advanced adversary is already operating inside the network and set out to find evidence of that presence.

In this post, we discuss threat hunting, why it’s essential, and how you can enable your team to adopt efficient hunting strategies with the SentinelOne Platform.

What is Threat Hunting?

Threat hunting has been defined by some as “computer security incident response before there is an incident declared”. Others define it as “threat detection using the tools from incident response” or even “security hypothesis testing on a live IT environment.”

We define threat hunting as the process of searching across networks and endpoints to identify threats that evade security controls before they can execute an attack or fulfill their goals.

Rather than simply relying on security solutions to detect threats, threat hunting is a proactive approach to finding threats hidden in your network.

Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to threats; they actively search for them. This process involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data and analysis.

Threat hunting is also quite a different activity from either incident response or digital forensics. The purpose of DF/IR methodologies is to determine what happened after a breach was discovered. In contrast, when a team engages in threat hunting, the aim is to search for attacks that may have already slipped through your defensive layers.

Threat hunting differs from penetration testing and vulnerability assessment, too. Those simulate an attack and ask what could happen if someone compromised the environment. Threat hunters instead work from the premise that an attacker is already in the network and look for indicators of compromise, lateral movement, and other tell-tale artifacts that may provide evidence of the attacker.

Why Do You Need To Incorporate Threat Hunting?

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage.

Simply stated, if you aren’t looking for threat actors inside your network, you may never know they are there. What if the attackers lock you out of the systems before you notice that you are under attack? With an efficient threat hunting program, you don’t have to stress over such possibilities.

Threat hunting is human-driven, iterative, adaptive, and systematic. Because it is proactive, it lets security professionals find and respond to intrusions earlier than alert-driven monitoring would, which reduces both the damage an attacker can cause to an organization, its systems, and its data, and the overall risk to the organization.

Threat hunting also reduces your reliance on external vendors that may not know your network or normal employee behavior as well as your threat hunting team might.

Finally, threat hunting will force you to learn your networks, systems, applications, and users.

Understanding all of these components is a critical element of a robust security framework.

Six Steps To Creating An Efficient Hunting Program

So how do you create a perfect, efficient hunting program? In reality, the perfect hunting program rarely exists. What you need is an iterative combination of processes, tools, and techniques that keeps evolving and adapting to suit your organization. Here are six steps that will help you create an efficient threat hunting program in your organization.

1. Ensure You Have The Right Data.

No data, no hunt! Period!

All successful threat hunting begins with having the right data to answer the right questions. Without the right data, you will not be able to conduct a successful and meaningful hunt. You need to ensure you have telemetry that captures a wide range of activity and behaviors across multiple operating systems and which can serve as a base for all your threat hunting efforts. Device telemetry should include data like network traffic patterns, file hashes, processes, user activity, network activity, file operations, persistence activity, system and event logs, denied connections, and peripheral device activity.

Just having the raw data is not enough; you also need to ensure that you have context surrounding the data. Knowing which data to combine, correlate, or extend is critical. Ideally, you want tools that allow a clear overview of all the above data with powerful capabilities to automatically contextualize and correlate different events into unified detections that minimize the amount of manual sifting through raw logs.

SentinelOne’s patented Storyline™ technology provides analysts with real-time, actionable correlation and context, letting them understand the full story of what happened in the environment.

Each autonomous SentinelOne Agent builds a model of its endpoint infrastructure and real-time running behavior. Every element of a story shares the same Storyline ID. This gives you the full picture of what happened on a device and what caused it to happen. SentinelOne automatically correlates related activity into unified alerts that provide campaign-level insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skill barrier for responding to alerts.

2. Baseline To Understand What’s Normal In Your Environment

Threat hunters need a solid understanding of the organization’s profile and of business activities that could attract threat actors, such as hiring new staff or acquiring new assets or companies.

A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers (outlier analysis). Attackers who have obtained user credentials, for example through a phishing campaign, will try to blend in with ordinary users, so understanding a user’s typical behavior is a useful baseline for investigating anomalous file access or login events.

Combining that with understanding what company data is of value to attackers and where it is located can lead to creating hypotheses such as “Is an attacker trying to steal data located at a specific location?” This, in turn, could prompt data collection that answers questions like: “Which users have accessed that location for the first time in the last n days?”

SentinelOne’s behavioral AI engine leverages advanced data science methods to teach systems the difference between regular day-to-day operations and actual threat behavior.

This provides the analyst with the complete picture and any additional context needed to help them understand what normal looks like and enable them to spot any outliers. An alert is triggered if a pattern emerges, such as repeated login attempts from a country that is not the usual norm in your environment, which may indicate a potential brute force attack. This helps make threat detection and hunting faster and more accurate. SentinelOne also retains historical data from 14 days to 365+ days, available to query in near real-time, so that the hunting team can understand and analyze data over large periods of time.
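As an added illustration of baseline-and-outlier hunting (example code written for this page, not SentinelOne’s or any vendor’s), the Python below builds a per-user baseline from constructed login and file-access telemetry, then hunts a later window for three of the outliers the text mentions: a login from a country the user has never used, repeated failed logins from such a country, and a first-time read of a watched location. The event format, the `/finance/q4` “crown jewel” path, the three-failure threshold and the sample events are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry for illustration (not real data). One event per
# line: timestamp, user, event kind, source country, target ("-" if none).
SAMPLE_EVENTS = """\
2021-01-04T08:02:11Z alice login_ok   ZA -
2021-01-04T08:05:40Z alice file_read  ZA /finance/q4
2021-01-05T09:12:03Z bob   login_ok   ZA -
2021-01-05T09:30:15Z bob   file_read  ZA /eng/src
2021-01-06T14:41:22Z carol login_ok   US -
2021-01-06T14:45:09Z carol file_read  US /finance/q4
2021-01-11T08:00:51Z alice login_ok   ZA -
2021-01-18T02:10:00Z bob   login_fail RU -
2021-01-18T02:10:07Z bob   login_fail RU -
2021-01-18T02:10:15Z bob   login_fail RU -
2021-01-18T02:11:02Z bob   login_ok   RU -
2021-01-18T02:15:44Z bob   file_read  RU /finance/q4
2021-01-18T08:03:19Z alice login_ok   ZA -
2021-01-18T08:04:30Z alice file_read  ZA /finance/q4
2021-01-19T10:22:05Z carol login_ok   US -
2021-01-19T11:02:48Z dave  login_ok   BR -
"""

WATCHED_PATHS = {"/finance/q4"}   # hypothetical "crown jewel" location for the hunt
FAIL_THRESHOLD = 3                # failed logins from one new country = brute force
LOGIN_KINDS = ("login_ok", "login_fail")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, country, target = line.split()
        events.append({"ts": parse_ts(ts), "user": user, "kind": kind,
                       "country": country, "target": target})
    return events


def build_baseline(events, hunt_start):
    """Per-user 'normal': countries logged in from and paths read before hunt_start."""
    baseline = defaultdict(lambda: {"countries": set(), "paths": set()})
    for e in events:
        if e["ts"] >= hunt_start:
            continue
        if e["kind"] in LOGIN_KINDS:
            baseline[e["user"]]["countries"].add(e["country"])
        elif e["kind"] == "file_read":
            baseline[e["user"]]["paths"].add(e["target"])
    return dict(baseline)


def hunt(events, hunt_start):
    """Return (kind, user, detail) findings for events at or after hunt_start."""
    baseline = build_baseline(events, hunt_start)
    empty = {"countries": set(), "paths": set()}   # users with no history at all
    findings, fails, reported = [], Counter(), set()
    for e in events:
        if e["ts"] < hunt_start:
            continue
        user, known = e["user"], baseline.get(e["user"], empty)
        if e["kind"] in LOGIN_KINDS and e["country"] not in known["countries"]:
            key = (user, e["country"])
            if key not in reported:               # report each new country once
                reported.add(key)
                findings.append(("new_country", user, e["country"]))
            if e["kind"] == "login_fail":
                fails[key] += 1
                if fails[key] == FAIL_THRESHOLD:  # fire once, when the threshold is hit
                    findings.append(("brute_force", user, e["country"]))
        elif e["kind"] == "file_read" and e["target"] in WATCHED_PATHS \
                and e["target"] not in known["paths"]:
            findings.append(("first_access", user, e["target"]))
    return findings


def run_hunt(text=SAMPLE_EVENTS, hunt_start="2021-01-18T00:00:00Z"):
    return hunt(parse_events(text), parse_ts(hunt_start))


if __name__ == "__main__":
    for kind, user, detail in run_hunt():
        print(f"{kind:12s} user={user} {detail}")
```

Run it as a script to print the findings. The hunt window is everything at or after `hunt_start`, so the “first time in the last n days” question from the text is answered by setting `hunt_start` to n days ago. A user with no baseline at all (dave in the sample) is reported as a new-country login, which is the right call for a hunt: absence of history is itself worth a look.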

3. Develop A Hypothesis

Many hunts start from an intel source that provides Indicators of Compromise (IoCs) such as hash values, IP addresses, domain names, and network or host artifacts, supplied by third parties such as an Information Sharing and Analysis Center (ISAC) or the FBI. Hunts can also be incident driven: given an incident, you need to answer how and when it happened. However, not all threats are known. In fact, a large number of threats are unknown, so hunting cannot rely solely on known indicators and methodologies.

In a hypothesis-driven workflow, a hunt starts with creating a hypothesis, or an educated guess, about some type of activity that might be going on in your environment. Using Open-source intelligence (OSINT) tools and frameworks like MITRE ATT&CK works effectively if you know what you are looking for.

That brings us to one of the essential components of threat hunting: hypothesis formation and testing. Hunters typically formulate hypotheses from tools and frameworks, social intelligence, threat intelligence, and past experience. Generalized questions could include: “If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?” Other examples could include questions like “Why do I see encrypted HTTPS or FTP traffic to countries my organization does not do business with?” or “Why do I see an abnormal volume of DNS queries from a single machine?”

Ideas can be derived from the following sources:

  • MITRE ATT&CK framework: a vast knowledge base of attack tactics, techniques, and procedures. Studying the MITRE techniques and their simulation in test environments can serve as a foundation for developing hypotheses.
  • Threat Intelligence reports: contain useful information about attack techniques and procedures based on real incidents. Systematic analysis of such reports should spark some thought and give rise to many threat hunting ideas.
  • Blogs, Twitter, and conference talks: information about new attack techniques often appears first in research blogs and conference talks, even before attackers start actively using them. Timely study of such information allows threat hunters to be proactive and prepare before a new attack technique becomes widespread.
  • Penetration testing: attackers tend to use tools similar to those applied by experienced pen testers. Therefore, studying pen-testing practices creates a treasure trove of knowledge for generating threat hunting hypotheses.

SentinelOne’s patented Deep Visibility lets you quickly and iteratively query and pivot across telemetry captured from endpoint devices to validate hypotheses.

SentinelOne automatically correlates all related objects (processes, files, threads, events, and more) of a threat. For example, suppose a process modifies a different process by injecting code. When you run a query, all interaction between the source process, target process, and parent process shows clearly in the cross-process details. This lets you quickly understand the data relationships: the root cause behind a threat with all of its context, relationships, and activities. Analysts can also leverage historical data to map advanced threat campaigns across time to enable efficient hypothesis generation.

You can create powerful hunting queries with easy-to-use shortcuts. The MITRE ATT&CK framework has likely become one of a threat hunter’s go-to tools, and SentinelOne makes hunting for MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) fast and painless: enter the MITRE technique ID and use it to perform a hunt.

SentinelOne provides a query library of hunts using data from various open, commercial, and bespoke sources curated by SentinelOne research.

These hunts are the output of hypotheses that have been proven across research data and are generic. For example, the use of unmanaged, unsigned PowerShell is likely abnormal in most environments and would commonly require additional investigation. Such findings are not malicious in and of themselves, but they fit in a hunting workflow because they describe anomalies.
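To show hypothesis testing on the “abnormal volume of DNS queries from a single machine” question above, here is an added Python example (written for this page, not taken from SentinelOne or any product). It tests the hypothesis “one host is tunnelling data out over DNS” against a constructed query log: first it finds hosts whose query volume is a statistical outlier (a modified z-score on median and MAD, which one noisy host cannot skew the way a mean would), then it checks whether that host queried many distinct, high-entropy subdomain labels under a single registered domain. The host names, the `cdn-update.example` domain, the per-host counts and the thresholds are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict
from statistics import median

BENIGN_NAMES = ["www.example.com", "mail.example.com", "api.example.com",
                "cdn.example.com", "login.microsoftonline.com"]
# Constructed per-host query counts for the quiet hosts (assumed, not measured).
NORMAL_HOSTS = {"ws-01": 24, "ws-02": 26, "ws-03": 28, "ws-04": 30, "ws-05": 30,
                "ws-06": 31, "ws-07": 33, "ws-08": 35, "ws-09": 38}
SUSPECT_HOST, SUSPECT_DOMAIN, SUSPECT_QUERIES = "ws-17", "cdn-update.example", 300


def build_sample_log():
    """Constructed DNS log (not real traffic): list of (src_host, qname)."""
    records = []
    for host, n in NORMAL_HOSTS.items():
        records += [(host, BENIGN_NAMES[i % len(BENIGN_NAMES)]) for i in range(n)]
    for i in range(SUSPECT_QUERIES):  # one unique high-entropy label per query
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        records.append((SUSPECT_HOST, f"{label}.{SUSPECT_DOMAIN}"))
    return records


def registered_domain(qname):
    # Naive: last two labels. A real hunt should use the public suffix list.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def volume_outliers(counts, threshold=3.5):
    """Hosts whose query count is an outlier by modified z-score (median/MAD)."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:       # degenerate baseline (all hosts alike): nothing stands out
        return []
    return sorted(h for h, v in counts.items() if 0.6745 * (v - med) / mad > threshold)


def tunnel_candidates(records, host, min_unique=50, min_entropy=3.0):
    """Domains a host queried with many distinct, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for h, qname in records:
        if h != host:
            continue
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        if sub:
            labels[dom].add(sub.split(".")[0])  # leftmost label carries tunnelled data
    out = []
    for dom, subs in labels.items():
        if len(subs) >= min_unique:
            ent = sum(shannon_entropy(s) for s in subs) / len(subs)
            if ent >= min_entropy:
                out.append((dom, len(subs), round(ent, 2)))
    return sorted(out)


def run_dns_hunt(records=None):
    records = records if records is not None else build_sample_log()
    counts = Counter(h for h, _ in records)
    outliers = volume_outliers(counts)
    return {"query_counts": dict(counts), "volume_outliers": outliers,
            "tunnel_candidates": {h: tunnel_candidates(records, h) for h in outliers}}


if __name__ == "__main__":
    result = run_dns_hunt()
    print("volume outliers:", result["volume_outliers"])
    for host, cands in result["tunnel_candidates"].items():
        for dom, n, ent in cands:
            print(f"{host}: {n} unique labels under {dom}, mean entropy {ent} bits")
```

Both checks are hypothesis parameters, not facts about any environment: tune `threshold`, `min_unique` and `min_entropy` against your own baseline, and replace the naive `registered_domain()` with a public-suffix-list lookup before running this on real logs, or `co.uk`-style names will be grouped wrongly. A hit is a lead, not a verdict: CDNs and some security products legitimately generate high-entropy labels, so the next step is the investigation described in step 4.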

4. Investigate & Analyze Potential Threats

After generating the hypothesis, the next step is to follow up on it: use the available tools and techniques to look for malicious patterns in the data and uncover the attacker’s TTPs. If the hypothesis is correct and evidence of malicious activity is found, the threat hunter should immediately validate the nature, extent, impact, and scope of the finding.

Although threat hunting starts with a human-generated hypothesis, threat protection tools, like SentinelOne, make the investigation more efficient. SentinelOne’s Deep Visibility empowers rapid threat hunting capabilities thanks to Storyline. Each autonomous SentinelOne Agent monitors endpoint activity and real-time running behavior. A Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events, and other data with a single query.

With Storyline, Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat with all of its context, relationships, and activities revealed from one search.

Storyline allows threat hunters to understand the full story of what happened on an endpoint and enable them to see the complete chain of events, saving time for your security teams.

5. Rapidly Respond To Remediate Threats

Once you uncover a new TTP, you need to make sure you can effectively respond and remediate the threat.

The response should clearly define both short-term and long-term measures that will be used to neutralize the attack. The immediate goal is to end the ongoing attack and prevent further damage. It is equally essential to understand the root cause of the intrusion so that security can be improved and similar attacks are unlikely to succeed again.

SentinelOne enables analysts to take all the required actions needed to respond and remediate the threat with a single click.

With one click, the analyst can roll back the threat or perform any other available mitigation action. Rollback automatically restores files deleted or corrupted by ransomware activity to their pre-infection state without needing to reimage the machine.

The threat can be added to Exclusions, marked as resolved, and notes can be added to explain the rationale behind the decisions taken. SentinelOne also offers full Remote Shell capabilities to give your security team a quick way to investigate attacks, collect forensic data, and remediate breaches no matter where the compromised endpoints are located, eliminating uncertainty and significantly reducing any downtime that results from an attack.

SentinelOne can also detect threats in advance with the aid of its machine learning and intelligent automation. It can anticipate threats and attacks by deeply inspecting files, documents, emails, credentials, browsers, payloads, and memory. It can automatically disconnect a device from the network when it identifies a possible security threat or attack.

6. Enrich And Automate For Future Events

Finally, successful hunts form the basis for informing and enriching automated analytics. The final step in the threat hunting practice is to use the knowledge generated during the threat hunting process to enrich and improve EDR systems. This way, the organization’s global security is enhanced thanks to the discoveries made during the investigation.

Advanced threat hunting techniques will try to automate as many tasks as possible. Monitoring user behavior and comparing that behavior against itself to search for anomalies, for example, is far more effective than running individual queries. However, both techniques are likely to be required in practice. Both are made easier if you have tools like SentinelOne with a rich set of native APIs enabling full integration across your security software stack.

SentinelOne is designed to lighten the load on your team in every way, and that includes giving you the tools to set up and run custom threat hunting searches.

With Storyline Auto-Response (STAR) custom detection rules, you can turn Deep Visibility queries into automated hunting rules that trigger alerts and responses whenever they match. STAR gives you the flexibility to create custom alerts specific to your environment that enhance alerting and triage of events.

SentinelOne can also automatically mitigate detections based on the policy for suspicious threats or the policy for malicious threats or can put endpoints in Network Quarantine. Alerts are triggered in near-real-time and show in the Activity log in the Management Console. You can enable alerts in Syslog that can be used for triage and SIEM integration.

After running the query in Deep Visibility and investigating, you can select an Auto-Response for the rule so that its detections are mitigated automatically. With that, you have set your SentinelOne solution to protect your environment automatically, according to your needs, around the clock. Modern adversaries are automating their tactics, techniques, and procedures to evade preventative defenses, so it makes sense that enterprise security teams keep up by automating their own manual workloads.

Closing Thoughts

Implementing a threat hunting program can reap many benefits to the organization, including proactively uncovering security incidents, faster Incident Response times, and a more robust security posture. Effective threat hunting needs to result in less work for your busy analysts while at the same time future-proofing your SOC from a variety of known and unknown adversaries. SentinelOne gives you visibility, ease of use, speed, and context to make threat hunting more effective than ever before. Please contact us or request a demo to see how SentinelOne can help you develop an efficient hunting program.

Additional Resources

Deep Dive – Hunting with MITRE ATT&CK
Use the S1QL Cheatsheet For Security Analysis
Learn more about Rapid Threat Hunting with Storyline
Visit SentinelOne Platform page
Visit the SANS Threat Hunting Report – Automating Hunt
Read Gartner Report about Using Threat Hunting for Proactive Threat Detection

