The Klaviyo EC-1

E-commerce is booming as retailers race to transform their brick-and-mortar footprints into online storefronts. By some counts, the market grew an astonishing 42% in 2020 in the wake of the COVID-19 pandemic, and estimates show that online spending in the U.S. will surpass $1 trillion by 2022. It’s a bonanza, and everyone is figuring out this new terrain.

Consumers are likely familiar with the front-end brands for these storefronts — with companies like Amazon, Shopify, Square, and Stripe owning attention — but it’s the tooling behind the curtain that is increasingly determining the competitiveness of individual stores.

Klaviyo may not be a household name to consumers (at least, not yet), but in many ways, this startup has become the standard by which email marketers are judged today, triangulating against veterans Mailchimp and Constant Contact and riding the e-commerce wave to new heights.

Founded in 2012, this Boston-based company helps marketers personalize and automate their email messaging to customers. By now, most people are intimately familiar with these kinds of emails; if you’ve ever given your email address to an online store, the entreaties to come back to your abandoned cart or browse the latest sale are Klaviyo’s bread and butter.

It may seem obvious in retrospect that email would grow to become a premier platform for marketing, but this wasn’t the case even a few years ago when social ads and search engine marketing were the dominant paradigm. Today, owned marketing and customer experience management are white-hot trends, and Klaviyo has surged from a lifestyle business to a multi-billion dollar behemoth in just a few short years. Its story is at the heart of the internet economy today, and the future.

TechCrunch’s writer and analyst for this EC-1 is Chris Morrison. Morrison, who previously wrote our EC-1 on Roblox, has been a writer and independent game developer covering the video game industry and the marketing challenges that come with publishing. As an analyst and a potential user, he’s in a unique position to explain the Klaviyo story. The lead editor for this package was Danny Crichton, the assistant editor was Ram Iyer, the copy editor was Richard Dal Porto and illustrations were created by Nigel Sussman.

Klaviyo had no say in the content of this analysis and did not get advance access to it. Morrison has no financial ties to Klaviyo or other conflicts of interest to disclose.

The Klaviyo EC-1 comprises four main articles numbering 9,700 words and a reading time of 43 minutes. Let’s take a look:

  • Part 1: Origin story: “How Klaviyo transformed from a lifestyle business into a $4.15B email titan” (2,600 words/10 minutes) — Explores the rise of Klaviyo from a database for e-commerce data into a modern email powerhouse as it successively learned from customers and bootstrapped in the absence of funding from accelerators and early VCs.
  • Part 2: Business and growth: “How Klaviyo used data and no-code to transform owned marketing” (3,000 words/12 minutes) — Analyzes Klaviyo’s recent growth and how marketers increasingly focus on owned marketing channels and customer experience management.
  • Part 3: Dynamics of e-commerce marketing: “Marketing in 2021 is emotional and not just transactional” (2,200 words/9 minutes) — To fully understand Klaviyo and this new world of martech, this article contextualizes how and why marketers are increasingly trying to personalize and build deeper emotional bonds with their customers outside of social media channels.
  • Part 4: Lessons on startup growth: “Drama and quirk aren’t necessary for startup success” (1,900 words/8 minutes) — Founders shouldn’t have to keep learning the same lessons over and over again. Klaviyo offers a number of tried-and-true tutorials to understand how to build a competitive startup and not get bogged down in finding product-market fit and scaling.

We’re always iterating on the EC-1 format. If you have questions, comments or ideas, please send an email to TechCrunch Managing Editor Danny Crichton at danny@techcrunch.com.

Once VMware is free from Dell, who might fancy buying it?

TechCrunch has spilled much digital ink tracking the fate of VMware since it was brought to Dell’s orbit thanks to the latter company’s epic purchase of EMC in 2016 for $58 billion. That transaction saddled the well-known Texas tech company with heavy debts. Because the deal left VMware a public company, albeit one controlled by Dell, how it might be used to pay down some of its parent company’s arrears was a constant question.

Dell made its move earlier this week, agreeing to spin out VMware in exchange for a huge one-time dividend, a five-year commercial partnership agreement, lots of stock for existing Dell shareholders and Michael Dell retaining his role as chairman of its board.

So, where does the deal leave VMware in terms of independence, and in terms of Dell influence? Dell no longer will hold formal control over VMware as part of the deal, though its shareholders will retain a large stake in the virtualization giant. And with Michael Dell staying on VMware’s board, it will retain influence.

Here’s how VMware described it to shareholders in a presentation this week. The graphic shows that under the new agreement, VMware is no longer a subsidiary of Dell and will now be an independent company.

Chart showing before and after structure of Dell spinning out VMware. In the after scenario, VMware is an independent company.

Image Credits: VMware

But with VMware tipped to become independent once again, it could become something of a takeover target. When Dell controlled VMware thanks to majority ownership, a hostile takeover felt out of the question. Now, VMware is a more possible target to the right company with the right offer — provided that the Dell spinout works as planned.

Buying VMware would be an expensive effort, however. It’s worth around $67 billion today. Presuming a large premium would be needed to take this particular technology chess piece off the competitive board, it could cost $100 billion or more to snag VMware from the public markets.

So VMware will soon be more free to pursue a transaction that might be favorable to its shareholders — which will still include every Dell shareholder, because they are receiving stock in VMware as part of its spinout — without worrying about its parent company simply saying no.

Data scientists: Bring the narrative to the forefront

By 2025, 463 exabytes of data will be created each day, according to some estimates. (For perspective, one exabyte of storage could hold 50,000 years of DVD-quality video.) It’s now easier than ever to translate physical and digital actions into data, and businesses of all types have raced to amass as much data as possible in order to gain a competitive edge.

However, in our collective infatuation with data (and obtaining more of it), what’s often overlooked is the role that storytelling plays in extracting real value from data.

The reality is that data by itself is insufficient to really influence human behavior. Whether the goal is to improve a business’ bottom line or convince people to stay home amid a pandemic, it’s the narrative that compels action, rather than the numbers alone. As more data is collected and analyzed, communication and storytelling will become even more integral in the data science discipline because of their role in separating the signal from the noise.

Data alone doesn’t spur innovation — rather, it’s data-driven storytelling that helps uncover hidden trends, powers personalization, and streamlines processes.

Yet this can be an area where data scientists struggle. In Anaconda’s 2020 State of Data Science survey of more than 2,300 data scientists, nearly a quarter of respondents said that their data science or machine learning (ML) teams lacked communication skills. This may be one reason why roughly 40% of respondents said they were able to effectively demonstrate business impact “only sometimes” or “almost never.”

The best data practitioners must be as skilled in storytelling as they are in coding and deploying models — and yes, this extends beyond creating visualizations to accompany reports. Here are some recommendations for how data scientists can situate their results within larger contextual narratives.

Make the abstract more tangible

Ever-growing datasets help machine learning models better understand the scope of a problem space, but more data does not necessarily help with human comprehension. Even for the most left-brain of thinkers, it’s not in our nature to understand large abstract numbers or things like marginal improvements in accuracy. This is why it’s important to include points of reference in your storytelling that make data tangible.

For example, throughout the pandemic, we’ve been bombarded with countless statistics around case counts, death rates, positivity rates, and more. While all of this data is important, tools like interactive maps and conversations around reproduction numbers are more effective than massive data dumps in terms of providing context, conveying risk, and, consequently, helping change behaviors as needed. In working with numbers, data practitioners have a responsibility to provide the necessary structure so that the data can be understood by the intended audience.

The Good, the Bad and the Ugly in Cybersecurity – Week 16

The Good

Last month, Microsoft released an out-of-band security update addressing a total of seven CVEs, four of which are associated with ongoing, targeted attacks. Since then, numerous organizations have patched their systems. But many haven’t, and this puts them in grave danger. Step up, the US government, which in an unprecedented (and in some quarters controversial) move this week conducted a court-authorized operation to remove malicious web shells from infected servers on US soil. The operation covered devices running on-premises versions of Microsoft Exchange Server and vulnerable to HAFNIUM.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell,” explained the US Justice Department.

The FBI says it will attempt to alert server owners through their publicly available contact information or ISP provider via an email message from an FBI.gov account.

It’s important to note that the action doesn’t actually patch those vulnerable servers from further compromise. Organizations of all shapes and sizes need to take responsibility and ensure they have a thorough and robust patch management policy and practices in place.

And for those who missed the news: in this month’s Patch Tuesday (April 2021), Microsoft released security updates including new mitigations for additional on-premises Exchange Server vulnerabilities. CISA has issued an alert on these vulnerabilities and recommends patching immediately.

The Bad

It has been suggested that within five years there will be some 41.6 billion IoT devices in the home, enterprise and industrial environments. Most of these devices are insecure by nature, and others, although possessing some form of security mechanisms, may be left exposed due to poor cyber hygiene and lack of IoT security know-how. In June 2020, a set of vulnerabilities affecting millions of ‘Smart’ devices named “Ripple20” fired a warning shot to businesses about the potential dangers of IoT in the enterprise. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including numerous IoT products and IT management servers.

The collection of vulnerabilities, dubbed Name:Wreck, was found within the DNS implementations of four TCP/IP stacks in widespread use by device manufacturers: FreeBSD, IPnet, NetX and Nucleus NET. The related CVEs are CVE-2016-20009, CVE-2020-7461, CVE-2020-15795, CVE-2020-27009, CVE-2020-27736, CVE-2020-27737, CVE-2020-27738, and CVE-2021-25677.

An attacker exploiting the Name:Wreck vulnerabilities could cause a Denial of Service via either crashing the device or knocking it offline. Even worse, researchers say, Name:Wreck could be used to gain control of a vulnerable device remotely, including devices responsible for critical building functions such as heating and ventilation.

Among those affected are devices produced by Siemens, which is now releasing emergency patches. In some cases, however, the device manufacturers haven’t created mechanisms that would allow users to update the vulnerable code. In other situations, the manufacturers no longer produce or support the component, and it’s almost impossible to notify owners and alert them.

Consequently, these vulnerabilities are likely to persist for many years to come. Now that they have been made public, it’s inevitable that attackers will look for ways to search for and exploit any such devices exposed to the public internet.

The Ugly

In case you hadn’t heard, Clubhouse is an audio-only social media app that facilitates auditory communication through rooms that can accommodate groups of up to 5,000 people, and it is the social media platform of the moment. Estimated to be valued at around $4 billion, the app owes its success to a new user experience that allows unprecedented intimacy with other users: the rooms are “ad-hoc” and the content is generated and shared live, and then it’s gone. However, some of the appeal may be lost if users find their privacy is being violated. This week, an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum.

The leaked database contains a variety of user-related information from Clubhouse profiles, including:

  • User ID
  • Name
  • Photo URL
  • Username
  • Twitter handle
  • Instagram handle
  • Number of followers
  • Number of people followed by the user
  • Account creation date
  • Invited by user profile name

The company said that the data is already publicly available and that it can be accessed by “anyone” via their API. A nice, but controversial admission that didn’t assuage the concerns of some.

That raises questions about the company’s privacy stance, since the way Clubhouse is built lets anyone with a token query the entire body of public Clubhouse user profile information through its API. The unfortunate reality is, however, that the kind of data contained in the leaked files can be used by threat actors to target Clubhouse users with phishing and social engineering attacks.


Should Dell have pursued a more aggressive debt-reduction move with VMware?

When Dell announced it was spinning out VMware yesterday, the move itself wasn’t surprising; there had been public speculation for some time. But Dell could have gone a number of ways in this deal, despite its choice to spin VMware out as a separate company with a constituent dividend instead of an outright sale.

The dividend route, which involves a payment to shareholders between $11.5 billion and $12 billion, has the advantage of being tax-free (or at least that’s what Dell hopes as it petitions the IRS). For Dell, which owns 81% of VMware, the dividend translates to somewhere between $9.3 billion and $9.7 billion in cash, which the company plans to use to pay down a portion of the huge debt it still holds from its $58 billion EMC purchase in 2016.

VMware was the crown jewel in that transaction, giving Dell an inroad to the cloud it had lacked prior to the deal. For context, VMware popularized the notion of the virtual machine, a concept that led to the development of cloud computing as we know it today. It has since expanded much more broadly beyond that, giving Dell a solid foothold in cloud native computing.

Dell hopes to have its cake and eat it too with this deal: It generates a large slug of cash to use for personal debt relief while securing a five-year commercial deal that should keep the two companies closely aligned. Dell CEO Michael Dell will remain chairman of the VMware board, which should help smooth the post-spinout relationship.

But could Dell have extracted more cash out of the deal?

Doing what’s best for everyone

Patrick Moorhead, principal analyst at Moor Insights and Strategies, says that beyond the cash transaction, the deal provides a way for the companies to continue working closely together with the least amount of disruption.

“In the end, this move is more about maximizing the Dell and VMware stock price [in a way that] doesn’t impact customers, ISVs or the channel. Wall Street wasn’t valuing the two companies together nearly as [strongly] as I believe it will as separate entities,” Moorhead said.

Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter Active Directory and create their own credentials. In such an environment, all user accounts should be considered potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.
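The credential-stuffing pattern the passage describes, as an added example that is not from the article: a detector over constructed authentication log lines that flags a source IP failing logins for many distinct usernames inside a short window, then reports which accounts subsequently succeeded from that IP, since one working login is all an attacker needs before moving laterally. The log format, thresholds and addresses are assumptions.

```python
"""
Added example, not from the article: spot credential-stuffing traffic in
authentication logs. A source IP that fails logins for many *distinct*
usernames inside a short window is flagged, and any account that later logs in
successfully from that IP is reported as the credential that probably worked.
The log line format, thresholds and IP addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log line shape: "<ISO ts> auth OK|FAIL user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample: one user mistyping a password from the office address,
# then a burst of different usernames from a single outside address.
SAMPLE_LOG = """\
2021-04-16T09:00:01Z auth FAIL user=bob src=198.51.100.4
2021-04-16T09:00:09Z auth FAIL user=bob src=198.51.100.4
2021-04-16T09:00:20Z auth OK user=bob src=198.51.100.4
2021-04-16T09:05:00Z auth FAIL user=alice src=203.0.113.7
2021-04-16T09:05:02Z auth FAIL user=bob src=203.0.113.7
2021-04-16T09:05:04Z auth FAIL user=carol src=203.0.113.7
2021-04-16T09:05:06Z auth FAIL user=dave src=203.0.113.7
2021-04-16T09:05:08Z auth FAIL user=erin src=203.0.113.7
2021-04-16T09:05:10Z auth FAIL user=frank src=203.0.113.7
2021-04-16T09:05:12Z auth OK user=erin src=203.0.113.7
2021-04-16T09:05:40Z auth FAIL user=grace src=203.0.113.7
"""


def parse_log(text):
    """Parse log lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts.timestamp(), "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window_s=300, min_users=5):
    """
    Return one finding per source IP whose failed logins cover at least
    `min_users` distinct usernames within some `window_s`-second window.
    Each finding lists accounts that logged in successfully from that IP
    at or after the start of the burst.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        burst_start = None
        users_in_window = defaultdict(int)  # username -> failures inside window
        lo = 0
        for hi, e in enumerate(fails):
            users_in_window[e["user"]] += 1
            # Slide the window start forward until it spans at most window_s.
            while e["ts"] - fails[lo]["ts"] > window_s:
                old = fails[lo]["user"]
                users_in_window[old] -= 1
                if users_in_window[old] == 0:
                    del users_in_window[old]
                lo += 1
            if burst_start is None and len(users_in_window) >= min_users:
                burst_start = fails[lo]["ts"]
        if burst_start is None:
            continue  # ordinary typos: few distinct users, no stuffing pattern
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "OK" and e["ts"] >= burst_start})
        findings.append({
            "ip": ip,
            "distinct_users": len({e["user"] for e in fails}),
            "failures": len(fails),
            "compromised": compromised,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, the office address is left alone while 203.0.113.7 is reported with seven distinct usernames and `erin` as the account that succeeded afterwards.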

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?

On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. An analysis of the malicious file and other submissions by the same VirusTotal user suggests the account that initially flagged the backdoor as suspicious belongs to IT personnel at the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department that handles telecommunications and Internet policy.

Both Microsoft and FireEye published blog posts on Mar. 4 concerning a new backdoor found on high-value targets that were compromised by the SolarWinds attackers. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” FireEye says the Sunshuttle backdoor was named “Lexicon.exe,” and had the unique file signatures or “hashes” of “9466c865f7498a35e4e1a8f48ef1dffd” (MD5) and b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 (SHA-1).

“In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository,” FireEye wrote.

The “Sunshuttle” or “GoldMax” backdoor, as identified by FireEye and Microsoft, respectively. Image: VirusTotal.com.

A search in VirusTotal’s malware repository shows that on Aug. 13, 2020 someone uploaded a file with that same name and file hashes. It’s often not hard to look through VirusTotal and find files submitted by specific users over time, and several of those submitted by the same user over nearly two years include messages and files sent to email addresses for people currently working in NTIA’s information technology department.

An apparently internal email that got uploaded to VirusTotal in Feb. 2020 by the same account that uploaded the Sunshuttle backdoor malware to VirusTotal in August 2020.

The NTIA did not respond to requests for comment. But in December 2020, The Wall Street Journal reported the NTIA was among multiple federal agencies that had email and files plundered by the SolarWinds attackers. “The hackers broke into about three dozen email accounts since June at the NTIA, including accounts belonging to the agency’s senior leadership, according to a U.S. official familiar with the matter,” The Journal wrote.

It’s unclear what, if anything, NTIA’s IT staff did in response to scanning the backdoor file back in Aug. 2020. But the world would not find out about the SolarWinds debacle until early December 2020, when FireEye first disclosed the extent of its own compromise from the SolarWinds malware and published details about the tools and techniques used by the perpetrators.

The SolarWinds attack involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software. Beginning in March 2020, the attackers then used the access afforded by the compromised SolarWinds software to push additional backdoors and tools to targets when they wanted deeper access to email and network communications.

U.S. intelligence agencies have attributed the SolarWinds hack to an arm of the Russian state intelligence known as the SVR, which also was determined to have been involved in the hacking of the Democratic National Committee six years ago. On Thursday, the White House issued long-expected sanctions against Russia in response to the SolarWinds attack and other malicious cyber activity, leveling economic sanctions against 32 entities and individuals for disinformation efforts and for carrying out the Russian government’s interference in the 2020 presidential election.

The U.S. Treasury Department (which also was hit with second-stage malware that let the SolarWinds attackers read Treasury email communications) has posted a full list of those targeted, including six Russian companies for providing support to the cyber activities of the Russian intelligence service.

Also on Thursday, the FBI, National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on several vulnerabilities in widely used software products that the same Russian intelligence units have been attacking to further their exploits in the SolarWinds hack. Among those is CVE-2020-4006, a security hole in VMware Workspace One Access that VMware patched in December 2020 after hearing about it from the NSA.

On December 18, VMware saw its stock price dip 5.5 percent after KrebsOnSecurity published a report linking the flaw to NSA reports about the Russian cyberspies behind the SolarWinds attack. At the time, VMware was saying it had received “no notification or indication that CVE-2020-4006 was used in conjunction with the SolarWinds supply chain compromise.” As a result, a number of readers responded that making this connection was tenuous, circumstantial and speculative.

But the joint advisory makes clear the VMware flaw was in fact used by the SolarWinds attackers to further their exploits.

“Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse,” the NSA’s advisory (PDF) reads. “SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.”

Officials within the Biden administration have told media outlets that a portion of the United States’ response to the SolarWinds hack would not be discussed publicly. But some security experts are concerned that Russian intelligence officials may still have access to networks that ran the backdoored SolarWinds software, and that the Russians could use that access to affect a destructive or disruptive network response of their own, The New York Times reports.

“Inside American intelligence agencies, there have been warnings that the SolarWinds attack — which enabled the SVR to place ‘back doors’ in the computer networks — could give Russia a pathway for malicious activity against government agencies and corporations,” The Times observed.

MITRE Mania: Your Guide to Understanding Vendor Positioning and Why It All Matters

It’s that time once again. MITRE ATT&CK Phase 3 testing has drawn to a conclusion, and technologists worldwide await the results. At SentinelOne, we continue to be enthusiastic supporters of the work MITRE Engenuity is doing to painstakingly define and continually expand a common cybersecurity language that describes how adversaries operate. This matters to you because MITRE is a unifier and a force multiplier for the people on security’s front line who work tirelessly defending their infrastructure and assets from unscrupulous adversaries looking to turn a quick buck, wreak havoc, or steal a life’s work. When vendors use MITRE…. No wait… when vendors fully adopt MITRE, their offerings have the potential to make defense and response easier, faster, and more effective.

CISOs, SOC analysts, and architects, this post is for you. It’s SentinelOne’s take on MITRE Phase 3, what it means to your organization, and how you can implement it to better understand and use the security tools at your disposal.

What Is the MITRE ATT&CK Framework?

In chess, there are three tactical game phases: the opening, middlegame, and endgame. Within each game phase, multiple moves are employed to progress the game from one phase to the next. Players of different skill levels will employ techniques at varying sophistication levels as they work through their strategy to get to checkmate.

In the real world, we deal with adversaries, and each one plays their chess game a little differently. They all use tools. They develop methodologies and approaches toward objectives. They weave legitimate and atypical behaviors into different attack tapestries. And they all know what they’re after.

MITRE ATT&CK is a way to describe how and why they do what they do. The MITRE framework is “a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.” Its purpose is to be a common language whose components are used in endless combinations to describe how threat actors operate.

Let’s explain. The first key concept here is phases. An adversary performs multiple phases to achieve an objective. Generic example:

Initial access → discovery → lateral movement → collection → exfiltration

In this linear example, the adversary’s ultimate strategy—his objective—is to exfiltrate your data. We can describe his attack methodology in five tactical phases, step 1 being initial access through to step 5, the exfiltration. The MITRE ATT&CK framework currently consists of 14 tactics as seen on the X-axis of the Enterprise navigator tool (hint: click “create new layer” then “enterprise”).

The second key concept from the quote above is behaviors. Behaviors are the moves bad guys utilize against you each step of the way. Behaviors are the techniques they employ within each tactical phase. For example, to achieve initial access (Tactic #1 above), the adversary may send a phishing email with a link to a compromised website that takes advantage of an unpatched browser flaw. The ATT&CK framework currently consists of 200+ techniques (Y-axis of the navigator tool) organized under the 14 tactics.

The next level is the procedures adversaries use. Procedures are the end mechanics within each technique.

Therefore, the end goal requires an initial tactic with one or more techniques, followed by another tactic with its techniques, and so on until the adversary’s objective is met. This layering of general tactics down to specific procedures is where we get TTP: Tactic, Technique, Procedure.

Why Does the MITRE ATT&CK Evaluation Matter?

MITRE ATT&CK emulations are constructed to mimic an adversary’s known TTPs and are conducted in a controlled lab environment to determine each participating vendor’s product efficacy. According to MITRE,

“The (ATT&CK) evaluations use adversary emulation, which is a way of testing ‘in the style of’ a specific adversary. This allows us to select a relevant subset of ATT&CK techniques to test. To generate our emulation plans, we use public threat intel reporting, map it to ATT&CK, and then determine a way to replicate the behaviors.”

The aim is to put together a complete, logical attack that moves through all the stages of a comprehensive, successful attack from initial compromise to persistence, lateral movement, data exfiltration, and so on.

The ATT&CK framework brings a common lexicon to stakeholders, cyber defenders, and vendors helping us to apply intelligence to cybersecurity operations.

Three benefits ensue:

  1. We gain insight into the adversary’s game plan in terms of combinations of tactics and techniques.
  2. We can clearly communicate the exact nature of a threat and respond faster with greater insight.
  3. When we understand who our typical adversaries are and how they attack us, we can proactively design defenses to blunt them.

MITRE points out that it is a “mid-level adversary model”, meaning that it is not too generalized and not too specific. High-level models like the Lockheed Martin Cyber Kill Chain® illustrate adversary goals but aren’t specific about how the goals are achieved. Conversely, exploit and malware databases specifically define IoC “jigsaw pieces” in a giant puzzle but aren’t necessarily connected to how the bad guys use them, nor do they typically identify who the bad guys are. MITRE’s TTP model is that happy medium where tactics are the stepwise intermediate goals and the techniques represent how each tactic is achieved.

MITRE Round 3

Since MITRE collaborates with vendors during the evaluations, MITRE is effectively the red team, while the vendor providing detection and response to MITRE is the blue team. The result is a “purple team” that helps test security controls in real time by emulating the type of approach that intruders are likely to use in an actual attack based on their known TTPs observed in the wild.

While the MITRE ATT&CK Evaluation Round 1 (the first year of testing) was based on APT3 (Gothic Panda), and MITRE ATT&CK Round 2 focused on TTPs associated with APT29 (Cozy Bear), this year’s Round 3 focuses on emulating financial threat groups.

Testing day 1 simulates the Carbanak adversary group’s attack methodology. Their objective? Breach the HR manager, quietly move about the network, identify payment data, and exfiltrate it. It involves four Windows computers and a Linux server and consists of 99 techniques in 10 steps. Testing day 2 simulates the FIN7 adversary group. Similarly, their objective is to steal financial data. This simulation involves five computers and 79 techniques in 10 steps.

Both Carbanak and FIN7 have a well-documented history of widespread impact. Carbanak is cited with the theft of a cumulative $900M from banks and more than a thousand private customers. FIN7 is said to be responsible for the theft of more than 15 million customer credit card records from victims spanning the globe. The main goal behind its malicious activities is to steal financial assets from companies, such as debit card information, or to get access to financial data through the computers of finance department employees to conduct wire transfers to offshore accounts.

These numbers are what we know. Many incidents go unreported.

Detection Quality

The ATT&CK Evaluation does not score or rank vendors. Instead, it records how each detection occurred as the test moves through its steps. For several years, SentinelOne has underscored what MITRE spells out in its evaluation guide: not every detection is of the same quality. Whereas a “Telemetry” detection is minimally processed data related to an adversary behavior, at the other end of the quality spectrum a “Technique” detection is information-rich and orients the analyst at a glance. Consistent technique-driven detections are ideal for organizations that want more out of their tools.

If you take away one thing from this blog, it is to understand that vendor tools should ideally automate real-time context creation related to adversary moves and bubble that up into the tool with as few alerts as possible. The more Techniques a tool can automatically provide and then aggregate into single incident alerts, the more the tool is automating the security function. This is critical for driving mean time to respond to as close to zero as possible.

More about detection types:

  • Tactic & Technique: These are the highest quality tool-produced detections. A Tactic detection gives the analyst the intent of the activity (why is the adversary doing this? What are they trying to accomplish?). A Technique detection gives the analyst information on how the action was performed and answers the question “what was done?”.
  • General & Telemetry: These are detections further down the quality scale and more simplistic in nature. By themselves, General detections and Telemetry detections provide less context to the analyst and can be thought of as raw data. Note that when vendors are awarded a Technique, they are often also awarded a Telemetry. However, when they are only awarded a simplistic Telemetry (due to the tool’s inability to correlate enough data points), this is not accompanied by the more sophisticated Technique.
  • Config Change and Delayed: These are test modifiers. Config Change indicates that a vendor “tweaked” their configuration in the middle of the test. Delayed indicates that a detection was not immediately available to the test proctors due to some delay in processing. Ideally, vendors don’t change their product configurations in the middle of the test, and every detection is available in real time and without delay.

Round 3 also introduced two significant evolutions: testing on Linux hosts, and the addition of Protection testing, which measures whether the product blocks the emulated activity rather than only detecting it.

The final results are due to be released on April 20, 2021. Until then we wait. A game of chess, anyone?

How Can CISOs Navigate Through Vendor Positioning to Interpret and Understand the Results?

As a CISO, navigating through various vendors’ positions can be a real challenge. Here are a few critical pointers:

  • Be wary of excessive misses, delays, and config changes
    Vendors that miss a lot of detections… Enough said. Vendors with lots of delays are getting credit for detections by means typically outside the tool’s normal workflow, which means your people will have to do the same thing. Vendors with lots of config changes felt the need to modify their detection capabilities in the middle of the test. Try to understand whether those changes were reasonable or whether the test was being gamed.
  • Be wary of high Telemetry numbers and low Techniques numbers
    Vendors that trumpet big Telemetry numbers without many Techniques have a tool that does not automate the correlation of events, which means your people will have to do it manually, with significant delays and errors in connecting the dots. Delays here lead to delays in response, and that leads to more risk.
  • Be wary of vendors that invent their own scoring systems
    We’ve seen many vendors obfuscating poor results with stats and numbers that make them look good but are, in actuality, complete nonsense. Stats like “Context per alert” and “100% Detection” (when there clearly were missed detections) are silly. Read the fine print.
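To make the three pointers above concrete, here is an added example (not part of the original post, and not SentinelOne or MITRE code) that scores a set of sub-step results the way a CISO should read them. The record layout, the sample results and the warning thresholds are constructed for illustration; MITRE’s published results files use their own format. It keeps only the best category per sub-step, so a sub-step credited with both Telemetry and Technique counts once, as a Technique, and it separates the “any detection” percentage a marketing slide would quote from the share of sub-steps that earned a clean, unmodified Technique detection.

```python
"""Score ATT&CK-Evaluation-style sub-step results the way the pointers above
suggest: best category per sub-step, misses, telemetry-only sub-steps, and the
Delayed / Config Change modifiers.

Added example for this page. The record layout, sample data and thresholds
are constructed assumptions, not MITRE's results format or guidance."""

from collections import Counter

# The evaluation's own detection categories, lowest to highest quality.
QUALITY = ["None", "Telemetry", "General", "Tactic", "Technique"]
RANK = {name: i for i, name in enumerate(QUALITY)}

# Constructed sample: one record per sub-step. "detections" lists every
# category credited (a Technique is usually paired with a Telemetry);
# "modifiers" lists any Delayed / Config Change annotations.
SAMPLE_RESULTS = [
    {"step": "1.A.1", "detections": ["Telemetry", "Technique"], "modifiers": []},
    {"step": "1.A.2", "detections": ["Telemetry"], "modifiers": []},
    {"step": "1.B.1", "detections": ["Telemetry", "General"], "modifiers": ["Delayed"]},
    {"step": "2.A.1", "detections": [], "modifiers": []},
    {"step": "2.A.2", "detections": ["Technique"], "modifiers": ["Config Change"]},
    {"step": "2.B.1", "detections": ["Telemetry", "Tactic"], "modifiers": []},
]


def best_detection(detections):
    """Highest-quality category credited for one sub-step ("None" if missed)."""
    if not detections:
        return "None"
    return max(detections, key=lambda d: RANK[d])


def score(results):
    """Reduce the records to the numbers that matter when reading results."""
    best = Counter(best_detection(r["detections"]) for r in results)
    modifiers = Counter(m for r in results for m in r["modifiers"])
    total = len(results)
    clean_technique = sum(
        1 for r in results
        if best_detection(r["detections"]) == "Technique" and not r["modifiers"]
    )
    return {
        "substeps": total,
        "misses": best["None"],
        "telemetry_only": best["Telemetry"],
        "technique": best["Technique"],
        "delayed": modifiers["Delayed"],
        "config_change": modifiers["Config Change"],
        # The "detection rate" a slide would quote: any category, any modifier.
        "any_detection_pct": round(100 * (total - best["None"]) / total, 1),
        # What actually saves analyst time: Technique-level, unmodified.
        "clean_technique_pct": round(100 * clean_technique / total, 1),
    }


def warnings(summary):
    """The three 'be wary of' pointers as threshold checks.
    The 10% thresholds are assumptions for illustration."""
    flags = []
    if summary["misses"] > 0.1 * summary["substeps"]:
        flags.append("excessive misses")
    if summary["delayed"] + summary["config_change"] > 0.1 * summary["substeps"]:
        flags.append("many delays / config changes")
    if summary["telemetry_only"] > summary["technique"]:
        flags.append("telemetry-heavy, technique-light")
    return flags


if __name__ == "__main__":
    s = score(SAMPLE_RESULTS)
    print(s)
    print(warnings(s))
```

On the constructed sample, “any detection” comes out at 83.3% while the clean Technique share is 16.7%: the same results can support a very different headline depending on which number a vendor chooses to quote.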

And when it comes to product architectures, CISOs will find these product-centric tenets to be compatible with the spirit of MITRE’s objectives:

  • EDR Visibility & Coverage Are Table Stakes
    The foundation of a superior EDR solution lies in its ability to consume and correlate data at scale in an economic way by harnessing the power of the cloud. Every piece of pertinent data should be captured—with few to no misses—to provide breadth of visibility for the SecOps team. Data, specifically capturing all events, is the building block of EDR and should be considered table stakes and a key MITRE metric.
  • Machine-built Context and Correlation is Indispensable
    Correlation is the process of building relationships among atomic data points. Preferably, correlation is performed by the machine and at machine speed, so an analyst doesn’t have to manually stitch data together and waste precious time. Furthermore, this correlation should be accessible in its original context for long periods of time in case it’s needed.
  • Console Alert Consolidation Is Critical
    More signal, less noise is a challenge for the SOC and modern IR teams who face information overload. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, ensure that the solution automatically groups data points into consolidated alerts. Ideally, a solution can correlate related activity into unified alerts to provide campaign level insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of responding to alerts. All of this leads to better outcomes for the SOC in the form of shorter containment times and an overall reduction in response times.
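The machine-built correlation and alert consolidation described in the tenets above, together with the Telemetry-versus-Technique distinction from the detection types section, can be seen in miniature in the following added example (constructed for this page; it is not SentinelOne’s or MITRE’s code). The event layout, the three detection rules and the six sample process-creation events are assumptions made up for illustration; the technique IDs and tactic names are ATT&CK’s. Every event is recorded as telemetry, rules promote matching events to Technique-level detections carrying their tactic, and detections are then grouped by process lineage so the analyst sees one incident per process tree instead of one alert per event.

```python
"""Raw telemetry -> Technique-level detections -> one incident per process tree.

Added example for this page, not SentinelOne or MITRE code. The Event layout,
the rules and the sample events are constructed for illustration; the
technique IDs and tactic names are ATT&CK's."""

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One process-creation record (constructed schema)."""
    ts: int
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Detection:
    event: Event
    technique: str
    name: str
    tactic: str


@dataclass
class Incident:
    host: str
    root_pid: int
    events: list = field(default_factory=list)
    detections: list = field(default_factory=list)


# Technique rules: (ATT&CK ID, name, tactic, predicate). A rule turns a bare
# telemetry record into a detection that already answers "what was done"
# (Technique) and "why" (Tactic).
RULES = [
    ("T1059.001", "PowerShell", "Execution",
     lambda e: e.image.lower().endswith("powershell.exe")
     and re.search(r"\s-(e|enc|encodedcommand)\s", e.cmdline, re.I) is not None),
    ("T1053.005", "Scheduled Task", "Persistence",
     lambda e: e.image.lower().endswith("schtasks.exe")
     and "/create" in e.cmdline.lower()),
    ("T1003.001", "LSASS Memory", "Credential Access",
     lambda e: "comsvcs.dll" in e.cmdline.lower()
     and "minidump" in e.cmdline.lower()),
]

# Constructed sample telemetry: a macro-laden document spawns encoded
# PowerShell, which sets persistence and dumps LSASS. Two unrelated events
# (another host, another process tree) are included as noise.
SAMPLE_EVENTS = [
    Event(1, "WS01", 100, 50, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          "WINWORD.EXE /n invoice.docm"),
    Event(2, "WS01", 101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event(3, "WS01", 102, 101, r"C:\Windows\System32\schtasks.exe",
          'schtasks.exe /create /tn Updater /tr "powershell.exe -enc SQBFAFgA" /sc minute'),
    Event(4, "WS01", 103, 101, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 640 C:\Temp\l.dmp full"),
    Event(5, "WS02", 200, 10, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(6, "WS01", 104, 99, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def detect(events):
    """Promote telemetry to Technique-level detections; everything else stays raw."""
    return [Detection(e, tid, name, tactic)
            for e in sorted(events, key=lambda e: e.ts)
            for tid, name, tactic, match in RULES if match(e)]


def root_of(event, index):
    """Walk ppid links to the oldest ancestor we hold a record for."""
    cur, seen = event, set()
    while (cur.host, cur.ppid) in index and cur.pid not in seen:
        seen.add(cur.pid)
        cur = index[(cur.host, cur.ppid)]
    return cur.pid


def consolidate(events):
    """Group telemetry and detections by process tree and emit one incident
    per tree that contains at least one Technique-level detection."""
    index = {(e.host, e.pid): e for e in events}
    groups = {}
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.host, root_of(e, index))
        groups.setdefault(key, Incident(e.host, key[1])).events.append(e)
    for d in detect(events):
        groups[(d.event.host, root_of(d.event, index))].detections.append(d)
    return [inc for inc in groups.values() if inc.detections]


def summary(inc):
    """The at-a-glance view an analyst should get from a single alert."""
    return {"host": inc.host, "root_pid": inc.root_pid,
            "events": len(inc.events),
            "techniques": [d.technique for d in inc.detections],
            "tactics": [d.tactic for d in inc.detections]}


def alert_counts(events):
    """(telemetry alerts, technique alerts, consolidated alerts) for one data set."""
    return len(events), len(detect(events)), len(consolidate(events))


if __name__ == "__main__":
    for inc in consolidate(SAMPLE_EVENTS):
        print(summary(inc))
    print(alert_counts(SAMPLE_EVENTS))
```

On the sample data the same six events yield six telemetry records, three Technique detections, and a single incident whose technique list reads Execution, Persistence, Credential Access in order; that ordered chain, rooted at the document that started it, is the campaign-level context the tenets above are asking for.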

How Can CISOs Leverage the ATT&CK Framework In Their Organization?

CISOs and security teams can use the following best practices to improve their security posture:

  • Plan a cyber security strategy: Use ATT&CK to plan your cyber security strategy. Build your defenses to counter the techniques known to be used against your type of organization and equip yourself with security monitoring to detect evidence of ATT&CK techniques in your network.
  • Run adversary emulation plans: Use ATT&CK for Adversary Emulation Plans to improve Red team performance. Red teams can develop and deploy a consistent and highly organized approach to defining the tactics and techniques of specific threats, then logically assess their environment to see if the defenses work as expected.
  • Identify gaps in defenses: ATT&CK matrices can help Blue teams better understand the components of a potential or ongoing cyber attack to identify gaps in defenses and implement solutions for those gaps. ATT&CK documents suggested remediations and compensating controls for the techniques to which you are more prone.
  • Integrate threat intelligence: ATT&CK can effectively integrate your threat intelligence into cyber defense operations. Threats can be mapped to the specific attacker techniques to understand if gaps exist, determine risk, and develop an implementation plan to address them.
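As an added example of the gap-analysis and threat-intelligence steps above (not code from the original post, MITRE or SentinelOne), the following script maps an adversary’s technique list against a detection inventory, lists the gaps per tactic in kill-chain order, and writes a layer in the style of the ATT&CK Navigator so the gaps can be visualised. Both inventories are constructed for illustration and are not the Round 3 technique list; the layer’s version fields are an assumption and may need adjusting for your Navigator version.

```python
"""Map adversary techniques against your detection inventory, report gaps per
tactic, and emit an ATT&CK Navigator-style layer for visualisation.

Added example for this page. Both inventories are constructed (not the Round 3
technique list); the layer's "versions" values are assumptions."""

import json

# Constructed: techniques threat intel says your adversary of interest uses.
ADVERSARY_TTPS = {
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1053.005": ("Scheduled Task", "Persistence"),
    "T1003.001": ("LSASS Memory", "Credential Access"),
    "T1021.002": ("SMB/Windows Admin Shares", "Lateral Movement"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
}

# Constructed: techniques your current controls are known to cover, with the
# evidence behind each claim (a rule name, a control, a test result).
DETECTION_INVENTORY = {
    "T1059.001": "EDR rule: encoded PowerShell",
    "T1003.001": "EDR rule: LSASS memory access",
    "T1566.001": "Mail gateway: macro attachment block",
}

# Enterprise tactics in attack-chain order, used to prioritise gaps.
KILL_CHAIN_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]


def gap_analysis(adversary, inventory):
    """Return {tactic: [technique IDs]} for adversary techniques with no coverage."""
    gaps = {}
    for tid, (_, tactic) in adversary.items():
        if tid not in inventory:
            gaps.setdefault(tactic, []).append(tid)
    return gaps


def prioritised_gaps(adversary, inventory, order=KILL_CHAIN_ORDER):
    """Gaps ordered by where they sit in the chain: closing an early tactic
    cuts off everything downstream of it."""
    gaps = gap_analysis(adversary, inventory)
    return [(tactic, gaps[tactic]) for tactic in order if tactic in gaps]


def coverage_pct(adversary, inventory):
    """Share of the adversary's techniques with at least one mapped control."""
    covered = sum(1 for tid in adversary if tid in inventory)
    return round(100 * covered / len(adversary), 1)


def navigator_layer(adversary, inventory, name="Adversary coverage"):
    """Navigator-style layer: score 1 = covered, 0 = gap, comment = evidence."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # assumed
        "techniques": [
            {"techniqueID": tid,
             "score": 1 if tid in inventory else 0,
             "comment": inventory.get(tid, "GAP: no detection mapped")}
            for tid in sorted(adversary)
        ],
    }


if __name__ == "__main__":
    print(prioritised_gaps(ADVERSARY_TTPS, DETECTION_INVENTORY))
    print(coverage_pct(ADVERSARY_TTPS, DETECTION_INVENTORY), "% covered")
    print(json.dumps(navigator_layer(ADVERSARY_TTPS, DETECTION_INVENTORY), indent=2))
```

The output is the starting point for an implementation plan: the uncovered Persistence and Lateral Movement techniques come before the Exfiltration gap because stopping the adversary earlier in the chain removes the later steps entirely, and the layer file gives the blue team a picture to track as each gap is closed.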

Conclusion

The MITRE evaluation continues its stellar record in pushing the security industry forward and brings much-needed visibility and independent testing to the EDR space. As a security leader or practitioner, it’s important that you move beyond just the numbers game to look holistically at which vendors can provide high visibility and high quality detections while reducing the burden on your security team.

In the short term, we are excited to announce the details of SentinelOne’s participation in the MITRE Round 3 evaluation, and we will be posting the results when available. In the meantime, if you’d like to learn more about how the SentinelOne Singularity platform can help your organization achieve these goals, contact us for more information or request a free demo.




Dell is spinning out VMware in a deal expected to generate over $9B for the company

Dell announced this afternoon that it’s spinning out VMware, a move that has been suspected for some time. Dell acquired VMware as part of the massive $58 billion EMC acquisition (announced as $67 billion) in 2015.

The way the deal works is that Dell plans to offer VMware shareholders a special dividend of between $11.5 billion and $12 billion. As Dell owns approximately 81% of those shares, that would work out to somewhere between $9.3 billion and $9.7 billion coming into Dell’s coffers when the deal closes later this year.

“By spinning off VMware, we expect to drive additional growth opportunities for Dell Technologies as well as VMware, and unlock significant value for stakeholders. Both companies will remain important partners, with a differentiated advantage in how we bring solutions to customers,” Dell CEO Michael Dell said in a statement.

While there is a fair amount of CEO speak in that statement, it appears to mean that the move is mostly administrative, as the companies will continue to work closely together even after the spin-off is official. Michael Dell will remain chairman of both companies.

In a presentation to investors, the companies indicated that the plan to work together is more than lip service. There is a five-year commercial agreement in place, with plans to revisit that deal each year thereafter. In addition, there is a plan to sell VMware products through the Dell sales team and for VMware to continue to work with Dell Financial Services. Finally, there is a formalized governance process in place related to achieving the commercial goals under the agreement, so it’s pretty firm that these companies will continue to work closely together for at least another five years.

For its part, VMware said in a separate release that the deal will allow it “increased freedom to execute its strategy, a simplified capital structure and governance model and additional strategic, operational and financial flexibility, while maintaining the strength of the two companies’ strategic partnership.”

Dell shares are up more than 8% following the announcement. The company intends on using parts of its proceeds to deleverage, writing in a release that it will use “net proceeds to pay down debt, positioning the company well for Investment Grade ratings.” By that it means that Dell will reduce its net debt position and, it hopes, garner a stronger credit rating that will limit its future borrowing costs.

Even when it was part of EMC, VMware had a special status in that it operates as a separate entity with its own executive team and board of directors, and the stock has been sold separately as well.

The deal is expected to close at the end of this year, but it has to clear a number of regulatory hurdles first. That includes garnering a favorable ruling from the IRS that the deal qualifies for a tax-free spin-off, which could prove to be a considerable hurdle for a deal like this.

The transaction is not a surprise. The company has been open about its intention to shake up its broader corporate structure. And with Dell bloated in debt terms and, perhaps, in product scope as well, the VMware deal could be an intelligent way forward. Dell investors are more excited about the transaction than VMware shareholders, with the latter company’s stock up a more modest 1.4%.

VMware’s most recent earnings release notes that it had $4.715 billion in “total cash, cash equivalents and short-term investments.” Perhaps its shareholders aren’t enthused at the prospect of levering VMware’s balance sheet to help Dell do the opposite.

 

Cado Security locks in $10M for its cloud-native digital forensics platform

As computing systems become increasingly bigger and more complex, forensics have become an increasingly important part of how organizations can better secure them. As the recent SolarWinds breach has shown, it’s not always just a matter of being able to identify data loss or prevent hackers from getting in in the first place. In cases where a network has already been breached, running a thorough investigation is often the only way to identify what happened, whether a breach is still active, and whether a malicious hacker can strike again.

As a sign of this growing priority, a startup called Cado Security, which has built forensics technology native to the cloud to run those investigations, is announcing $10 million in funding to expand its business.

Cado’s tools today are used directly by organizations, but also by security companies like Redacted — a somewhat under-the-radar security startup in San Francisco co-founded by Facebook’s former chief security officer Max Kelly and John Hering, the co-founder of Lookout. It uses Cado to carry out the forensics part of its work.

The funding for London-based Cado is being led by Blossom Capital, with existing investors Ten Eleven Ventures also participating, among others. As another signal of demand, this Series A is coming only six months after Cado raised its seed round.

The task of securing data on digital networks has grown increasingly complex over the years: not only are there more devices, more data and a wider range of configurations and uses around it, but malicious hackers have become increasingly sophisticated in their approaches to needling inside networks and doing their dirty work.

The move to the cloud has also been a major factor. While it has helped a wave of organizations expand and run much bigger computing processes as part of their business operations, it has also increased the so-called attack surface and made investigations much more complicated, not least because a lot of organizations run elastic processes, scaling their capacity up and down: this means that when something is scaled down, logs of previous activity essentially disappear.

Cado’s Response product — which works proactively on a network and all of its activity after it’s installed — is built to work across cloud, on-premise and hybrid environments. Currently it’s available for AWS EC2 deployments and Docker, Kubernetes, OpenShift and AWS Fargate container systems, and the plan is to expand to Azure very soon. (Google Cloud Platform is less of a priority at the moment, CEO James Campbell said, since it rarely comes up with current and potential customers.)

Campbell co-founded Cado with Christopher Doman (the CTO) last April, with the concept for the company coming out of their respective experiences working on security services together at PwC, and respectively for government organizations (Campbell in Australia) and AlienVault (the security firm acquired by AT&T). In all of those, one persistent issue the two continued to encounter was the issue with adequate forensics data, essential for tracking the most complex breaches.

A lot of legacy forensics tools, in particular those tackling the trove of data in the cloud, were based on “processing data with open source and pulling together analysis in spreadsheets,” Campbell said. “There is a need to modernize this space for the cloud era.”

In a typical breach, it can take up to a month to run a thorough investigation to figure out what is going on, since, as Doman describes it, forensics looks at “every part of the disk, the files in a binary system. You just can’t find what you need without going to that level, those logs. We would look at the whole thing.”

However, that posed a major problem. “Having a month with a hacker running around before you can do something about it is just not acceptable,” Campbell added. The result, typically, is that other forensics tools investigate only about 5% of an organization’s data.

The solution — for which Cado has filed patents, the pair said — has essentially involved building big data tools that can automate and speed up the very labor intensive process of looking through activity logs to figure out what looks unusual and to find patterns within all the ones and zeros.

“That gives security teams more room to focus on what the hacker is getting up to, the remediation aspect,” Campbell explained.

Arguably, if there were better, faster tracking and investigation technology in place, something like SolarWinds could have been better mitigated.

The plan for the company is to bring in more integrations to cover more kinds of systems, and go beyond deployments that you’d generally classify as “infrastructure as a service.”

“Over the past year, enterprises have compressed their cloud adoption timelines while protecting the applications that enable their remote workforces,” said Imran Ghory, partner at Blossom Capital, in a statement. “Yet as high-profile breaches like SolarWinds illustrate, the complexity of cloud environments makes rapid investigation and response extremely difficult since security analysts typically are not trained as cloud experts. Cado Security solves for this with an elegant solution that automates time-consuming tasks like capturing forensically sound cloud data so security teams can move faster and more efficiently. The opportunity to help Cado Security scale rapidly is a terrific one for Blossom Capital.”