SentinelOne Announces Amazon Linux 2023 Service Ready Designation

SentinelOne is pleased to announce support for Amazon Linux 2023 (AL2023) with the latest agent 23.1, and achievement of the Amazon Linux 2023 Service Ready Designation. Amazon Linux 2023 Ready solutions are vetted by AWS Partner Solution Architects to ensure a consistent customer experience.

Singularity Cloud Workload Security for Servers delivers autonomous runtime protection, detection, and response for workloads operating in Amazon EC2, Amazon ECS, and hybrid cloud compute instances. With support for 13 major Linux distributions and operation entirely in user space, SentinelOne delivers frictionless runtime workload security, so you can innovate faster and focus on your core competency. Customer benefits include resource efficiency, high performance risk management, and high availability.

Amazon Linux 2023

AL2023 is optimized for Amazon EC2 and is well integrated with the latest AWS features. Based on Fedora, AL2023 provides frequent, flexible quarterly updates, and gives customers control over how and when to absorb these updates.

New Amazon Linux major versions are generally available every 2 years, and each major version, including AL2023, comes with 5 years of long-term support. Moreover, AL2023 sets a high security and hardening standard, with features such as SELinux, kernel live-patching (x86-64 and ARM), OpenSSL 3.0, and revised cryptographic policies. Major apps within AL2023 come with pre-configured SELinux policies to help meet compliance needs. Finally, AL2023 allows users to set security policies at boot time.

High-Performance Runtime Security

SentinelOne is cloud-native, built and run on AWS infrastructure. Working with AWS allows us to focus on our core competency, which is runtime security against advanced threats such as ransomware and crypto mining malware.

Our autonomous runtime Linux agent regularly shines in third-party benchmark testing, such as the MITRE Engenuity ATT&CK® Evaluations, which for the last two years have included Linux as part of their testing. The results may be found on the MITRE Engenuity™ webpage (see Carbanak+FIN7 (2021) and Wizard Spider + Sandworm (2023)). Discussion of the results and their significance can be found at SentinelOne here. In short, SentinelOne customers can expect the most analytic enrichment of detections, which helps accelerate triage and forensic investigation in the event of an incident.

Our latest Linux agent releases offer compelling enhancements to our already market-leading, AI-driven detection technology, including support for Amazon Linux 2023. While earlier revisions did well in detecting the execution of crypto mining malware, the latest releases detect crypto mining malware during the setup/installation phase, before mining actually begins. Detecting such malware sooner not only simplifies incident response but also boosts customer confidence.

As customers like to remind us, and it’s a mission on which we remain singularly focused, “Innovation is king, and we have to move fast.” SentinelOne customers running Linux workloads have the confidence to go fast and secure.

Operational Efficiency

Back in July 2022, SentinelOne announced our AWS Graviton Ready Designation. The AWS Graviton3 processor itself delivers compelling improvement in energy, computational and memory efficiency.

Being continuous innovators ourselves, the R&D team at SentinelOne too had been working diligently to improve the resource efficiency of our fully capable Linux agent. The 22.x version shows dramatic improvement in both memory and CPU usage when compared to its 21.x predecessor. Both memory and CPU usage are nearly halved, without impairing its primary mission – workload protection – one iota.

The resource efficiency story is even more compelling for Kubernetes customers. Our specialized Singularity Cloud Workload Security for Kubernetes agent protects the host OS of the worker node, all its pods, and all their containers: no sidecars or pod instrumentation, just powerful visibility into and security for your Kubernetes workloads. This efficiency is very compelling for digital natives running workloads at scale.

Parting Thoughts

We are thrilled to protect our customers’ workloads on AWS by pushing the boundaries of machine learning, behavioral AI-driven detection, and autonomous response against runtime threats. Our sincere thanks to AWS for the opportunity to be part of the Amazon Linux 2023 launch, and for the Amazon Linux 2023 Service Ready Designation.

Our Linux and Kubernetes agents operate entirely in user space, completely free of any kernel dependency hassles, a fact that DevOps teams appreciate because it does not slow them down. Moreover, the agent is resource-efficient, high performance, and easy to deploy and manage, facts that SecOps teams appreciate for obvious reasons.

To learn more about our cloud workload protection solution and the importance of CWP in a cloud defense-in-depth strategy, visit Singularity Cloud Workload Security.


Why You Should Opt Out of Sharing Data With Your Mobile Provider

A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this data collection. Here’s a primer on why you might want to do that, and how.


Telecommunications giant AT&T disclosed this month that a breach at a marketing vendor exposed certain account information for nine million customers. AT&T said the data exposed did not include sensitive information, such as credit card or Social Security numbers, or account passwords, but was limited to “Customer Proprietary Network Information” (CPNI), such as the number of lines on an account.

Certain questions may be coming to mind right now, like “What the heck is CPNI?” And, “If it’s so ‘customer proprietary,’ why is AT&T sharing it with marketers?” Also maybe, “What can I do about it?” Read on for answers to all three questions.

AT&T’s disclosure said the information exposed included customer first name, wireless account number, wireless phone number and email address. In addition, a small percentage of customer records also exposed the rate plan name, past due amounts, monthly payment amounts and minutes used.

CPNI refers to customer-specific “metadata” about the account and account usage, and may include:

- Called phone numbers
- Time of calls
- Length of calls
- Cost and billing of calls
- Service features
- Premium services, such as directory call assistance

According to a succinct CPNI explainer at TechTarget, CPNI is private and protected information that cannot be used for advertising or marketing directly.

“An individual’s CPNI can be shared with other telecommunications providers for network operating reasons,” wrote TechTarget’s Gavin Wright. “So, when the individual first signs up for phone service, this information is automatically shared by the phone provider to partner companies.”

Is your mobile Internet usage covered by CPNI laws? That’s less clear, as the CPNI rules were established before mobile phones and wireless Internet access were common. TechTarget’s CPNI primer explains:

“Under current U.S. law, cellphone use is only protected as CPNI when it is being used as a telephone. During this time, the company is acting as a telecommunications provider requiring CPNI rules. Internet use, websites visited, search history or apps used are not protected CPNI because the company is acting as an information services provider not subject to these laws.”

Hence, the carriers can share and sell this data because they’re not explicitly prohibited from doing so. All three major carriers say they take steps to anonymize the customer data they share, but researchers have shown it is not terribly difficult to de-anonymize supposedly anonymous web-browsing data.

“Your phone, and consequently your mobile provider, know a lot about you,” wrote Jack Morse for Mashable. “The places you go, apps you use, and the websites you visit potentially reveal all kinds of private information — e.g. religious beliefs, health conditions, travel plans, income level, and specific tastes in pornography. This should bother you.”

Happily, all of the U.S. carriers are required to offer customers ways to opt out of having data about how they use their devices shared with marketers. Here’s a look at some of the carrier-specific practices and opt-out options.

AT&T

AT&T’s policy says it shares device or “ad ID”, combined with demographics including age range, gender, and ZIP code information with third parties which explicitly include advertisers, programmers, and networks, social media networks, analytics firms, ad networks and other similar companies that are involved in creating and delivering advertisements.

AT&T said the data exposed on 9 million customers was several years old, and mostly related to device upgrade eligibility. This may sound like the data went to just one of its partners who experienced a breach, but in all likelihood it also went to hundreds of AT&T’s partners.

AT&T’s CPNI opt-out page says it shares CPNI data with several of its affiliates, including WarnerMedia, DirecTV and Cricket Wireless. Until recently, AT&T also shared CPNI data with Xandr, whose privacy policy in turn explains that it shares data with hundreds of other advertising firms. Microsoft bought Xandr from AT&T last year.

T-MOBILE

According to the Electronic Privacy Information Center (EPIC), T-Mobile seems to be the only company out of the big three to extend to all customers the rights conferred by the California Consumer Privacy Act (CCPA).

EPIC says T-Mobile customer data sold to third parties is keyed to another unique identifier called a mobile advertising ID or “MAID.” T-Mobile claims that MAIDs don’t directly identify consumers, but under the CCPA MAIDs are considered “personal information” that can be connected to IP addresses, mobile apps installed or used with the device, any video or content viewing information, and device activity and attributes.

T-Mobile customers can opt out by logging into their account and navigating to the profile page, then to “Privacy and Notifications.” From there, toggle off the options for “Use my data for analytics and reporting” and “Use my data to make ads more relevant to me.”

VERIZON

Verizon’s privacy policy says it does not sell information that personally identifies customers (e.g., name, telephone number or email address), but it does allow third-party advertising companies to collect information about activity on Verizon websites and in Verizon apps, through MAIDs, pixels, web beacons and social network plugins.

According to Wired.com’s tutorial, Verizon users can opt out by logging into their Verizon account through a web browser or the My Verizon mobile app. From there, select the Account tab, then click Account Settings and Privacy Settings on the web. For the mobile app, click the gear icon in the upper right corner and then Manage Privacy Settings.

On the privacy preferences page, web users can choose “Don’t use” under the Custom Experience section. On the My Verizon app, toggle any green sliders to the left.

EPIC notes that all three major carriers say resetting the consumer’s device ID and/or clearing cookies in the browser will similarly reset any opt-out preferences (i.e., the customer will need to opt out again), and that blocking cookies by default may also block the opt-out cookie from being set.

T-Mobile says its opt-out is device-specific and/or browser-specific. “In most cases, your opt-out choice will apply only to the specific device or browser on which it was made. You may need to separately opt out from your other devices and browsers.”

Both AT&T and Verizon offer opt-in programs that gather and share far more information, including device location, the phone numbers you call, and which sites you visit using your mobile and/or home Internet connection. AT&T calls this their Enhanced Relevant Advertising Program; Verizon’s is called Custom Experience Plus.

In 2021, multiple media outlets reported that some Verizon customers were being automatically enrolled in Custom Experience Plus — even after those customers had already opted out of the same program under its previous name — “Verizon Selects.”

If none of the above opt-out options work for you, at a minimum you should be able to opt out of CPNI sharing by calling your carrier, or by visiting one of their stores.

THE CASE FOR OPTING OUT

Why should you opt out of sharing CPNI data? For starters, some of the nation’s largest wireless carriers don’t have a great track record in terms of protecting the sensitive information that you give them solely for the purposes of becoming a customer — let alone the information they collect about your use of their services after that point.

In January 2023, T-Mobile disclosed that someone stole data on 37 million customer accounts, including customer name, billing address, email, phone number, date of birth, T-Mobile account number and plan details. In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company.

Last summer, a cybercriminal began selling the names, email addresses, phone numbers, SSNs and dates of birth on 23 million Americans. An exhaustive analysis of the data strongly suggested it all belonged to customers of one AT&T company or another. AT&T stopped short of saying the data wasn’t theirs, but said the records did not appear to have come from its systems and may be tied to a previous data incident at another company.

However frequently the carriers may alert consumers about CPNI breaches, it’s probably nowhere near often enough. Currently, the carriers are required to report a consumer CPNI breach only in cases “when a person, without authorization or exceeding authorization, has intentionally gained access to, used or disclosed CPNI.”

But that definition of breach was crafted eons ago, back when the primary way CPNI was exposed was through “pretexting,” such as when the phone company’s employees are tricked into giving away protected customer data.

In January, regulators at the U.S. Federal Communications Commission (FCC) proposed amending the definition of “breach” to include things like inadvertent disclosure — such as when companies expose CPNI data on a poorly-secured server in the cloud. The FCC is accepting public comments on the matter until March 24, 2023.

While it’s true that the leak of CPNI data does not involve sensitive information like Social Security or credit card numbers, one thing AT&T’s breach notice doesn’t mention is that CPNI data — such as balances and payments made — can be abused by fraudsters to make scam emails and text messages more believable when they’re trying to impersonate AT&T and phish AT&T customers.

The other problem with letting companies share or sell your CPNI data is that the wireless carriers can change their privacy policies at any time, and you are assumed to be okay with those changes as long as you keep using their services.

For example, location data from your wireless device is most definitely CPNI, and yet until very recently all of the major carriers sold their customers’ real-time location data to third party data brokers without customer consent.

What was their punishment? In 2020, the FCC proposed fines totaling $208 million against all of the major carriers for selling their customers’ real-time location data. If that sounds like a lot of money, consider that all of the major wireless providers reported tens of billions of dollars in revenue last year (e.g., Verizon’s consumer revenue alone was more than $100 billion last year).

If the United States had federal privacy laws that were at all consumer-friendly and relevant to today’s digital economy, this kind of data collection and sharing would always be opt-in by default. In such a world, the enormously profitable wireless industry would likely be forced to offer clear financial incentives to customers who choose to share this information.

But until that day arrives, understand that the carriers can change their data collection and sharing policies when it suits them. And regardless of whether you actually read any notices about changes to their privacy policies, you will have agreed to those changes as long as you continue using their service.

Feds Charge NY Man as BreachForums Boss “Pompompurin”

The U.S. Federal Bureau of Investigation (FBI) this week arrested a New York man on suspicion of running BreachForums, a popular English-language cybercrime forum where some of the world’s biggest hacked databases routinely show up for sale. The forum’s administrator “Pompompurin” has been a thorn in the side of the FBI for years, and BreachForums is widely considered a reincarnation of RaidForums, a remarkably similar crime forum that the FBI infiltrated and dismantled in 2022.

FBI agents carting items out of Fitzpatrick’s home on March 15. Image: News 12 Westchester.

In an affidavit filed with the District Court for the Southern District of New York, FBI Special Agent John Langmire said that at around 4:30 p.m. on March 15, 2023, he led a team of law enforcement agents that made a probable-cause arrest of Conor Brian Fitzpatrick in Peekskill, NY.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias ‘pompompurin;’ and c) he was the owner and administrator of ‘BreachForums’ the data breach website referenced in the Complaint,” Langmire wrote.

Pompompurin has been something of a nemesis to the FBI for several years. In November 2021, KrebsOnSecurity broke the news that thousands of fake emails about a cybercrime investigation were blasted out from the FBI’s email systems and Internet addresses.

Pompompurin took credit for that stunt, and said he was able to send the FBI email blast by exploiting a flaw in an FBI portal designed to share information with state and local law enforcement authorities. The FBI later acknowledged that a software misconfiguration allowed someone to send the fake emails.

In December, 2022, KrebsOnSecurity broke the news that hackers active on BreachForums had infiltrated the FBI’s InfraGard program, a vetted FBI program designed to build cyber and physical threat information sharing partnerships with experts in the private sector. The hackers impersonated the CEO of a major financial company, applied for InfraGard membership in the CEO’s name, and were granted admission to the community.

From there, the hackers plundered the InfraGard member database, and proceeded to sell contact information on more than 80,000 InfraGard members in an auction on BreachForums. The FBI responded by disabling the portal for some time, before ultimately forcing all InfraGard members to re-apply for membership.

More recently, BreachForums was the sales forum for data stolen from DC Health Link, a health insurance exchange based in Washington, D.C. that suffered a data breach this month. The sales thread initially said the data included the names, Social Security numbers, dates of birth, health plan and enrollee information and more on 170,000 individuals, although the official notice about the breach says 56,415 people were affected.

In April 2022, the U.S. Justice Department seized the servers and domains for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. As part of that operation, the feds also charged the alleged administrator, 21-year-old Diogo Santos Coelho of Portugal, with six criminal counts.

Coelho was arrested in the United Kingdom on Jan. 31, 2022. By that time, the new BreachForums had been live for just under a week, but with a familiar look.

BreachForums remains accessible online, and from reviewing the live chat stream on the site’s home page it appears the forum’s active users are only just becoming aware that their administrator — and the site’s database — is likely now in FBI hands:

Members of BreachForums discuss the arrest of the forum’s alleged owner.

“Wait if they arrested pom then doesn’t the FBI have all of our details we’ve registered with?” asked one worried BreachForums member.

“But we all have good VPNs I guess, right…right guys?” another denizen offered.

“Like pom would most likely do a plea bargain and cooperate with the feds as much as possible,” replied another.

Fitzpatrick could not be immediately reached for comment. The FBI declined to comment for this story.

There is only one page to the criminal complaint against Fitzpatrick (PDF), which charges him with one count of conspiracy to commit access device fraud. The affidavit on his arrest is available here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good

Good news this week as “one of the darkweb’s largest cryptocurrency laundromats”, unlicensed crypto platform ChipMixer, was seized and shuttered in a joint operation involving U.S., Swiss, Polish and German law enforcement agencies.

ChipMixer, which began operating in 2017, specialized in obfuscating blockchain transactions to hide the trail of virtual currency assets. Known as “mixers” or “tumblers”, such sites attempt to disguise the true sources and destinations of exchanges by breaking down and mixing cryptocurrency tokens from different transactions.

It is alleged that the service had been used to launder over $3 billion in Bitcoin, with a large percentage of that being proceeds of ransomware payments, thefts, darknet marketplace payments and nation-state criminal activity. Notorious North Korean threat actor and cryptocurrency thief Lazarus is believed to have been among its clients along with Russia’s General Staff Main Intelligence Directorate (GRU), aka APT28, which is said to have used ChipMixer to hide purchases of hacking infrastructure.

Authorities have seized the ChipMixer domain (chipmixer.io).

Along with seizing the site, authorities also bagged around $46 million worth of cryptocurrency and charged a 49-year-old Vietnamese national, Minh Quoc Nguyen, with operating an unlicensed money transmitting business, money laundering and identity theft.

Nguyen, whose whereabouts remain unknown, openly flouted financial regulations. The DoJ’s indictment says that he publicly derided efforts to curtail money laundering and registered domain names and hosting services using stolen identities, pseudonyms and anonymous email services. If caught and convicted, Nguyen faces up to 40 years in prison.

ChipMixer joins BestMixer, BitcoinFog and Helix in being shut down by U.S. and European law enforcement agencies for money laundering via cryptocurrency.

The Bad

It was revealed this week that a U.S. federal agency had been breached by multiple threat actors, including a nation-state APT, through a software bug that had been known since 2019. The breaches may have begun as early as August 2021 and occurred as late as November 2022.

According to an advisory from CISA published on Wednesday, threat actors exploited CVE-2019-18935, a .NET deserialization vulnerability in the Progress Telerik user interface (UI) component installed on the agency’s Microsoft IIS (Internet Information Services) web server, to gain remote code execution.


CISA says it observed threat actors, including the known cybercrime gang XE Group, uploading malicious DLLs, some disguised as PNG image files, to the C:\Windows\Temp directory. These were then executed via the legitimate w3wp.exe process running on the compromised IIS servers. The attackers appear to have used timestomping as part of their evasion tactics, a technique that changes the creation and modification dates on files to disguise their origin.
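As an added defender-side illustration (not code from the CISA advisory or from SentinelOne), the checker below flags the two file-level artifacts just described: a PE image stored under an image extension, and creation/modification timestamps that are inconsistent in the way timestomping leaves them. File names, sample bytes and timestamps are constructed for the example.

```python
"""Flag files whose bytes do not match their extension and timestamp
anomalies consistent with timestomping.

Added example; the sample names, bytes and timestamps are constructed
and are not indicators from the advisory."""
import os
from datetime import datetime, timezone
from pathlib import Path

PE_MAGIC = b"MZ"                    # DOS stub header shared by EXE and DLL files
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # 8-byte signature of a genuine PNG
EXECUTABLE_EXTS = {".exe", ".dll"}
EXPECTED_MAGIC = {".png": PNG_MAGIC, ".exe": PE_MAGIC, ".dll": PE_MAGIC}


def _as_datetime(value):
    """Accept a datetime or an ISO-8601 string (e.g. from a triage CSV)."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def inspect_file(name, head, created=None, modified=None):
    """Return a list of finding codes for one file.

    name     - file name; only the extension is used
    head     - first bytes of the file (8 are enough)
    created  - creation time (datetime or ISO string), optional
    modified - last-modified time (datetime or ISO string), optional
    """
    findings = []
    ext = Path(name).suffix.lower()
    created, modified = _as_datetime(created), _as_datetime(modified)

    # 1. A PE image stored under a non-executable extension, e.g. a DLL
    #    dropped as "something.png" in C:\Windows\Temp.
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append("pe_image_masquerading_as_" + (ext.lstrip(".") or "noext"))
    # 2. Any other mismatch between a known extension and the bytes behind it.
    elif ext in EXPECTED_MAGIC and not head.startswith(EXPECTED_MAGIC[ext]):
        findings.append("content_does_not_match_extension")

    if created is not None and modified is not None:
        # 3. A file cannot be modified before it exists: a creation time
        #    later than the modification time is a classic timestomping tell.
        if created > modified:
            findings.append("created_after_modified")
        # 4. Heuristic: timestomping tools often write whole-second values,
        #    whereas the file system normally records sub-second precision.
        if created.microsecond == 0 and modified.microsecond == 0:
            findings.append("whole_second_timestamps")
    return findings


def scan_directory(directory):
    """Run inspect_file over every regular file in one directory.

    On Windows st_ctime is the creation time; elsewhere it is the inode
    change time, so finding 3 is only meaningful on Windows hosts."""
    results = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        st = entry.stat()
        with open(entry.path, "rb") as fh:
            head = fh.read(8)
        created = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)
        modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        hits = inspect_file(entry.name, head, created, modified)
        if hits:
            results[entry.name] = hits
    return results


if __name__ == "__main__":
    # Constructed samples: a renamed DLL with a backdated mtime, and a real PNG.
    print(inspect_file("update.png", b"MZ\x90\x00\x03\x00\x00\x00",
                       "2022-11-03T09:00:00+00:00", "2021-08-15T10:30:00.250000+00:00"))
    print(inspect_file("logo.png", PNG_MAGIC,
                       "2022-01-01T08:00:00.123456+00:00", "2022-01-02T08:00:00.654321+00:00"))
```

Point scan_directory at a triage copy of the suspect directory rather than the live host to avoid touching the evidence's own timestamps.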

Much of the malware opened up reverse shells and allowed attackers interactive access to the compromised devices. ASPX webshells were also deployed to enumerate drives, send, receive and delete files, and execute commands.

Interestingly, the federal agency concerned had deployed an appropriate plugin to scan for CVE-2019-18935, but the scan failed to detect the vulnerable instance. CISA’s advisory attributes this to the Telerik UI software being installed in a file path that the scanner does not typically check, a situation that may be common in other organizations, since file paths for installed software vary with the organization and installation method.

Organizations are advised to implement patch management solutions to ensure compliance with the latest security patches, and to update any instances of Telerik UI ASP.NET AJAX to the latest version. Security teams should review the detection and mitigations provided in the advisory for further information.

The Ugly

This week, SentinelLabs researchers revealed that a threat actor group with interests closely aligned to those of the Russian and Belarusian governments has been conducting a wide range of hitherto unknown espionage campaigns against Western governments and institutions.

Winter Vivern, aka UAC-0114, was first spotted back in 2021 but appeared to have gone dark soon after. New activity was observed by the Polish CBZC and Ukraine CERT at the end of January this year, but research published this week revealed a much wider set of campaigns that have targeted the Vatican, Indian government organizations, the Italian Ministry of Foreign Affairs as well as Polish and Ukrainian government agencies, among others. The campaigns have been ongoing through 2021 and 2022 to present but have remained unreported until now.

Some of the group’s latest tactics involve mimicking government domains, including government email login pages, to phish credentials and distribute malicious downloads.

Although the group is not thought to be particularly technical, the researchers say that Winter Vivern makes creative use of simple batch scripts using PowerShell. In some incidents, the threat actors utilized batch scripts disguised as virus scanners to download malware in the background while victims believed they were conducting a security scan.

The group also exploits application vulnerabilities to compromise specific targets. The SentinelLabs post says that in one incident, a malicious server hosted a login page for the Acunetix web application vulnerability scanner, which may have served as a supplementary resource to scan target networks and possibly compromise WordPress sites.

More information about the Winter Vivern APT including indicators of compromise can be found in the SentinelLabs report here.

BlackMamba ChatGPT Polymorphic Malware | A Case of Scareware or a Wake-up Call for Cyber Security?

Artificial Intelligence has been at the heart of SentinelOne’s approach to cybersecurity since its inception, but as we know, security is always an arms race between attackers and defenders. Since the emergence of ChatGPT late last year, there have been numerous attempts to see if attackers could harness this or other large language models (LLMs).

The latest of these attempts, dubbed BlackMamba by its creators, uses generative AI to generate polymorphic malware. The claims associated with this kind of AI-powered tool have raised questions about how well current security solutions are equipped to deal with it. Do proofs of concept like BlackMamba open up an entirely new threat category that leaves organizations defenseless without radically new tools and approaches to cybersecurity? Or is “the AI threat” over-hyped and just another development in attacker TTPs like any other, one that we can and will adapt to within our current understanding and frameworks?

Fears around the capabilities of AI-generated software have also led to wider concerns over whether AI technology itself poses a threat and, if so, how society at large should respond.

In this post, we tackle both the specific and general questions raised by PoCs like BlackMamba and LLMs such as ChatGPT and similar.

What is BlackMamba?

According to its creators, BlackMamba is a proof-of-concept (PoC) malware that utilizes a benign executable to reach out to a high-reputation AI (OpenAI) at runtime and return synthesized and polymorphic malicious code intended to steal an infected user’s keystrokes.

The use of the AI is intended to overcome two challenges the authors perceived as fundamental to evading detection. First, by retrieving payloads from a “benign” remote source rather than an anomalous C2, they hoped that BlackMamba’s traffic would not be seen as malicious. Second, by utilizing a generative AI that could deliver unique malware payloads each time, they hoped that security solutions would be fooled into not recognizing the returned code as malicious.

BlackMamba executes the dynamically generated code it receives from the AI within the context of the benign program using Python’s exec() function. The malicious polymorphic portion remains in memory, and this has led BlackMamba’s creators to claim that existing EDR solutions may be unable to detect it.

Detecting AI-Generated Malware Like BlackMamba

Such challenges, however, have been well understood in the cybersecurity community. We have seen “benign” channels such as Pastebin, Dropbox, Microsoft Azure, AWS and other cloud infrastructure abused in the past for the same reason of trying to hide malicious traffic in the noise of legitimate network services.

Polymorphic malware is also hardly new; among other things, it is one of a number of factors that helped the industry move beyond legacy AV solutions and towards next-gen AI-driven solutions like SentinelOne.

With regard to isolating malicious code to memory, this is also not a new or novel approach to building malware. The idea of not writing code or data to disk (and therefore evading security measures that monitor for those events) has long been attractive to threat actors. However, modern security vendors are well aware of this tactic. SentinelOne, and a number of other EDR/XDR vendors, have the required visibility into these behaviors on protected systems. Simply constraining malicious code to virtual memory (polymorphic or not) will not evade a good endpoint security solution.

This raises the question: can AI-generated malware defeat AI-powered security software? Indeed, as said at the outset, it’s an arms race, and some vendors will have to catch up if they haven’t already. At SentinelOne, we decided to put ChatGPT-generated malware to the test.

Does AI Pose a New Class of Threat?

Widening the discussion beyond BlackMamba, which will undoubtedly be superseded in next week’s or next month’s news cycle by some other AI-generated PoC now that ChatGPT4 and other updated models have become available: just how worried should organizations be about the threat of AI-generated malware and attacks?

The popular media and some security vendors portray AI as a Frankenstein monster that will soon turn against its creators. However, AI is neither inherently evil nor good, like any other technology. It’s the people who use it that can make it dangerous. Proof of concepts like BlackMamba do not expose us to new risks from AI, but reveal that attackers will exploit whatever tools, techniques or procedures are available to them for malicious purposes – a situation that anyone in security is already familiar with. We should not attack the technology but seek, as always, to deter and prevent those who would use it for malicious purposes: the attackers.

Understanding What AI Can and Cannot Do

Many of the concerns that swirl around discussions of AI stem from a lack of clarity about what AI is and how it works. The effectiveness of any AI system or LLM like ChatGPT depends on the quality and diversity of its dataset. The dataset used to train the model determines its capabilities and limitations.

Defenders can level the playing field by creating their own datasets, which can be used to train models to detect and respond to threats, something SentinelOne has been specializing in for years.

Despite that, AI is not a magical technology that can do everything. There are limitations to what AI can do, especially in cybersecurity. AI-based systems can be fooled by sophisticated attacks, such as adversarial attacks crafted to bypass their defenses. Additionally, AI cannot make judgment calls and can reveal bias if the dataset is not diverse.

We need to be aware of the limitations of AI and use it as part of a comprehensive security strategy. That’s why SentinelOne deploys a multi-layered approach combining AI with other security technologies and human intelligence.

What About Human Intelligence?

In today’s AI-driven world, we can easily get caught up in the latest technological advancements and overlook the importance of human intelligence. Even with AI’s ability to analyze vast amounts of data and identify patterns, the human touch remains essential, if not more critical. We need people’s ability to reason, think creatively, and critically to supplement AI’s capabilities.

Both attackers and defenders employ AI to automate their operations, but it’s only through human intelligence that we can strategize and deploy effective security measures, deciding how and when to use AI to stay ahead of the game.

Recent events, like the National Cybersecurity Strategy, have shown that defending our businesses and society against threats isn’t just about using a single tool or hiring top-notch talent. The internet, much like AI, has sparked plenty of discussion about its merits and drawbacks, making cybersecurity a collective challenge that demands collaboration between various stakeholders, including vendors, customers, researchers, and law enforcement agencies.

By sharing information and working together, we can build a more robust defense system capable of withstanding AI-powered attacks. To succeed, we must move away from a competitive mindset and embrace the cooperative spirit, combining our expertise in malware, understanding the attacker’s mindset, and using AI to create products that can handle the ever-changing threat landscape. In the end, human intelligence is the icing on the cake that makes our AI-driven defenses truly effective.

Conclusion

Cybersecurity is a cat-and-mouse game between attackers and defenders. The attackers try new ways to bypass the defenses, while the defenders always try to stay one step ahead. The use of AI in malware is just another twist in this game. While there is no room for complacency, security vendors have played this game for decades, and some have become very good at it. At SentinelOne, we understand the immense potential of AI and have been using it to protect our customers for over ten years.

We believe that generative AI and LLMs, including ChatGPT, are just a tool that people can use for good or ill. Rather than fearing technology, we should focus on improving our defenses and cultivating the skills of the defenders.

To learn more about how SentinelOne can help protect your organization across endpoint, cloud and identity surfaces, contact us or request a demo.

Demystifying the Top 5 Myths About Cloud Computing Security

Three years ago, during the global pandemic, businesses worldwide shifted their focus to delivering services digitally, supported by remote workforces and virtual environments. Many of these businesses hastily spun up cloud infrastructures to bolster critical aspects of their operations.

Threat actors saw an opportunity during this time and data breaches and cyberattacks targeting the cloud rose alongside cloud adoption. Now, leaders are shifting their focus again: This time to implement better strategies to secure the cloud infrastructures that carried them through the pandemic.

With so many myths and misconceptions surrounding cloud security, it is essential for business leaders to separate fact from fiction regarding how to secure the cloud. In this post, we debunk the top five myths about cloud computing security to help CISOs, CIOs, and other business leaders make informed decisions for their organization.

Myth #1: The Cloud is Inherently Insecure

If one were to believe the stories and opinions circulating around many technical, business, and security-focused media, it might seem that the cloud is inherently insecure. These stories tend to zero in on one aspect of cloud computing: that because it is accessible from anywhere in the world with an internet connection, it is vulnerable to cyberattacks and data breaches.

It is impossible to guarantee complete security against cyber threats. Even with advanced security measures in place, such as encryption and firewalls, there is always a possibility that an attacker can bypass these defenses and gain unauthorized access to sensitive data.

While it is true that clouds can be vulnerable to cyberattacks, it is the responsibility of Cloud Service Providers (CSPs) to ensure that the underlying machines are consistently updated and hardened against possible threats. In addition, CSPs offer various built-in security features to simplify cloud security management, such as S3 Block Public Access. By leveraging such features, DevOps engineers can effectively mitigate risks and secure their cloud infrastructure.

In fact, CSPs invest heavily in security measures to protect their customers’ data. These measures include encryption, firewalls, and multi-factor authentication (MFA), among other tools. As a result, CSPs often employ more advanced security measures than the average organization. They have dedicated security teams whose sole focus is to detect and respond to security threats and continuously improve their security posture. These security teams have access to the latest threat intelligence and are constantly monitoring their clouds for potential security breaches.

Myth #2: Cloud Providers Have Access to Your Data

One of the most persistent myths surrounding CSPs themselves is that they have unrestricted access to customer data. This myth has been fueled by examples of high-profile data breaches and incidents of unauthorized access, which have raised concerns about customer privacy and security in the cloud industry.

Though providers do need access to customer infrastructure to provide adequate services, they are bound by strict and extensive data privacy laws to ensure the confidentiality and security of that data. Cloud providers also proactively combat and mitigate risks by investing heavily in security measures and specialized teams to monitor and manage data security.

Despite the security measures, it is worth keeping in mind that customers have little control over their data once it is in the cloud, and although general malfeasance is unlikely given the obligations and regulations providers must adhere to, businesses should be aware that providers may be subject to government surveillance or other legal demands for customer data, which can compromise customer privacy and security.

Myth #3: Cloud Computing is Too Expensive

The myth that cloud computing is too expensive is often perpetuated by those who focus solely on the initial costs of implementation.

Focusing on this initial, one-time cost, however, overlooks the long-term savings and benefits that cloud computing provides. By outsourcing infrastructure maintenance to cloud providers, companies can save money on hardware, software, and staffing.

CSPs also offer scalable infrastructure that can be easily adjusted to meet changing business needs, eliminating the need for companies to maintain large, unused infrastructure. Flexible pricing models allow companies to pay only for the services they use, resulting in significant cost savings.

When organizations partner with CSPs, they can rely on their expertise and resources to get top-notch security, disaster recovery, and backup services. These services are usually difficult and expensive for many organizations to evaluate, manage, and maintain on their own.

Myth #4: The Cloud is Only for Big Businesses

The reality of understanding and using technology like cloud computing is that there is a learning curve for small businesses. The misconception, though, is that cloud is only for big businesses. Cloud computing is frequently lauded for its elasticity and has become an important technology for businesses of all sizes. It offers numerous benefits, such as scalability and cost-effectiveness.

While it may be true that some small businesses with limited budgets can struggle to justify the ongoing costs of cloud services, most reliable CSPs now offer affordable pricing plans that can be scaled up or down as needed.

It is also important for small businesses to evaluate what exactly they are looking to gain from cloud computing. The cloud offers a wide variety of services, ranging from basic file storage to big data analysis, data security, testing and development, and more. The cloud also provides small businesses with data security and disaster recovery options previously only available to large companies. In short, small businesses can leverage the cloud to compete with larger enterprises on a level playing field.

Leveraging all cutting edge technologies may be too expensive for small businesses, but they can still use the cloud to access enterprise-level technology without investing heavily in hardware and infrastructure. They can leverage cloud-based software and applications to manage business operations such as accounting, inventory, and customer relationship management.

Myth #5: Cloud Computing is Not Compliant

Despite its rapid adoption across all industry verticals in recent years, there is still a persistent myth that cloud computing is not compliant with industry regulations and standards. This misconception has led many businesses to avoid adopting cloud technology, fearing that it could put them at risk of non-compliance.

The truth is that cloud computing can actually enhance compliance to regulations and standards by providing robust security measures and data protection. CSPs have invested heavily in ensuring their systems comply with various regulations and standards, such as HIPAA and GDPR, to provide their clients with peace of mind.

Cloud technology enables businesses to easily track and monitor compliance with regulatory requirements by offering real-time visibility into data management and access. This feature allows businesses to easily identify and address any non-compliance issues, thus reducing the risk of penalties or legal consequences.

Learn About SentinelOne’s Approach to Cloud Security

As organizations continue to adopt cloud technologies, they will need to implement the right security solution to defend against cloud-based risks and help protect the greater cloud surface and all data and assets connected to it.

Many organizations place their trust in SentinelOne’s Singularity™ Cloud to ensure they can continue growing their business safely in the cloud. Singularity™ Cloud works by distributing autonomous endpoint protection across all environments, including public, private, and hybrid clouds, to detect complex threats at the virtual machine (VM) level and Kubernetes pod level without relying on human detection. It also provides runtime protection of containerized workloads and kills unauthorized processes in real time.

SentinelOne helps organizations improve their cloud security strategy without the risk of compromising agility or availability. Learn more about Singularity™ Cloud by booking a demo or contacting us today.

Conclusion

It is crucial for organizational leaders tasked with securing the cloud to understand the myths and misconceptions surrounding cloud computing security. Those who can separate fact from fiction are set up to gain far more from cloud computing and use it to accelerate their business and support their customers in a safe and sustainable way.

Now that digital transformation has become a keystone to staying competitive, cloud computing provides the foundation for this evolution and enables businesses to deliver a higher level of customer value in their industries. By demystifying the common misunderstandings surrounding cloud security, businesses make informed strategies and move towards an effective transformation effort.


Two U.S. Men Charged in 2022 Hacking of DEA Portal

Two U.S. men have been charged with hacking into a U.S. Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.

Prosecutors for the Eastern District of New York today unsealed criminal complaints against Sagar Steven Singh — a.k.a. “Weep” — a 19-year-old from Pawtucket, Rhode Island; and Nicholas Ceraolo, 25, of Queens, NY, who allegedly went by the handles “Convict” and “Ominus.”

The Justice Department says Singh and Ceraolo belong to a group of cybercriminals known to its members as “ViLE,” who specialize in obtaining personal information about third-party victims, which they then use to harass, threaten or extort the victims, a practice known as “doxing.”

“ViLE is collaborative, and the members routinely share tactics and illicitly obtained information with each other,” prosecutors charged.

The government alleges the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:

- tricking customer service employees;
- submitting fraudulent legal process to social media companies to elicit users’ registration information;
- co-opting and corrupting corporate insiders;
- searching public and private online databases;
- accessing a nonpublic United States government database without authorization;
- unlawfully using official email accounts belonging to other countries.

The complaint says once they obtained a victim’s information, Singh and Ceraolo would post the information in an online forum. The government refers to this community only as “Forum-1,” saying that it is administered by the leader of ViLE (referenced in the complaint as “CC-1”).

“Victims are extorted into paying CC-1 to have their information removed from Forum-1,” prosecutors allege. “Singh also uses the threat of revealing personal information to extort victims into giving him access to their social media accounts, which Singh then resells.”

Sources tell KrebsOnSecurity that in addition to being members of ViLE, both Weep and Ominus are or were staff members for Doxbin, a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly. This is supported by the Doxbin administrator’s claimed responsibility for a high-profile intrusion at the DEA’s law enforcement data sharing portal last year.

A screenshot of alleged access to the Drug Enforcement Agency’s intelligence sharing portal, shared by “KT,” the current administrator of the doxing and harassment community Doxbin.

The government alleges that on May 7, 2022, Singh used stolen credentials to log into a U.S. federal government portal without authorization. The complaint doesn’t specify which agency portal was hacked, but it does state that the portal included access to law enforcement databases that track narcotics seizures in the United States.

On May 12, 2022, KrebsOnSecurity broke the news that hackers had gained access to a DEA portal that taps into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how that hack went down came from KT, the current administrator of the Doxbin and the individual referenced in the government’s complaint as “CC-1.”

Indeed, a screenshot of the ViLE group website includes the group’s official roster, which lists KT at the top, followed by Weep and Ominus.

A screenshot of the website for the cybercriminal group “ViLE.” Image: USDOJ.

In March 2022, KrebsOnSecurity warned that multiple cybercrime groups were finding success with fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms and mobile telephony providers, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

That story showed that the previous owner of the Doxbin also was part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.

Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name. When they raided Singh’s residence on Sept. 8, 2022 and seized his devices, investigators with Homeland Security found a cellular phone and laptop that allegedly “contained extensive evidence of access to the Portal.”

The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police official to pose as a police officer in communication with U.S.-based social media platforms.

“In these communications, Ceraolo requested personal information about users of these platforms, under the false pretense that the users were committing crimes or in life-threatening danger,” the complaint states.

For example, on or about March 13, 2022, Ceraolo allegedly used the Bangladeshi police email account to falsely claim that the target of the EDR had sent bomb threats, distributed child pornography and threatened officials of the Bangladeshi government.

On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed on the Doxbin and was trying to extort for their Instagram handle. The data included the victim’s Social Security number, driver’s license number, cellphone number, and home address.

“Look familiar?” Singh allegedly wrote to the victim. “You’re gonna comply to me if you don’t want anything negative to happen to your parents. . . I have every detail involving your parents . . . allowing me to do whatever I desire to them in malicious ways.”

Neither of the defendants could be immediately reached for comment. KT, the current administrator of Doxbin, declined a request for comment on the charges.

Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities at AT&T, T-Mobile, Comcast and Cox Communications.

Ceraolo’s stated partner in most of these discoveries — a 30-year-old Connecticut man named Ryan “Phobia” Stevenson — was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies via SIM-swapping, a crime that involves tricking a mobile provider into routing a target’s calls and text messages to another device.

In 2018, KrebsOnSecurity detailed how Stevenson earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their websites, all the while secretly peddling those same vulnerabilities to cybercriminals.

According to the Justice Department, if convicted Ceraolo faces up to 20 years’ imprisonment for conspiracy to commit wire fraud; both Ceraolo and Singh face five years’ imprisonment for conspiracy to commit computer intrusions.

A copy of the complaint against Ceraolo and Singh is here (PDF).

Microsoft Patch Tuesday, March 2023 Edition

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server — before the email is even viewed in the Preview Pane.

While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.

Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash [Windows account password] and use it in an attack commonly referred to as “Pass The Hash.”

“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”

Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.
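A network-side check that complements the patch, offered here as an added example rather than anything from the post: the trigger for this bug makes the Outlook client connect to an attacker-controlled SMB share so that an NTLM credential leaks to it, and Outlook has no legitimate reason to speak SMB to internet hosts, so an outbound connection from outlook.exe on TCP 445 or 139 to a non-private address is a cheap, high-signal detection. The connection events below are constructed, the field names are assumptions, and the premise that the organization has no legitimate SMB traffic to the internet should be confirmed before alerting on it.

```python
"""
Flag outbound SMB connections from Outlook to non-private addresses.

Added example, not from the post. Event field names are assumptions;
the sample connections are constructed.
"""
import ipaddress

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SUSPECT_PORTS = {445: "smb", 139: "netbios-ssn"}

# Constructed network-connection events. 1.2.3.4 and 5.6.7.8 stand in for
# arbitrary internet hosts; 10.1.2.3 is an internal file server.
SAMPLE_CONNECTIONS = [
    {"host": "WS07", "image": OUTLOOK, "dst_ip": "1.2.3.4", "dst_port": 445},   # alert
    {"host": "WS07", "image": OUTLOOK, "dst_ip": "10.1.2.3", "dst_port": 445},  # internal share
    {"host": "WS07", "image": OUTLOOK, "dst_ip": "5.6.7.8", "dst_port": 443},   # ordinary HTTPS
    {"host": "WS09", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "5.6.7.8", "dst_port": 445},                                    # not Outlook
]


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses. Note that Python's
    ipaddress also reports IANA special-use ranges (e.g. 203.0.113.0/24) as private."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def flag_outlook_smb(events):
    """Return one alert dict per Outlook connection to an SMB/NetBIOS port
    on a non-internal address. WebDAV fallback over TCP 80 is deliberately
    not covered: Outlook legitimately uses HTTP, so that needs a URL-level rule."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\outlook.exe"):
            continue
        proto = SUSPECT_PORTS.get(ev["dst_port"])
        if proto is None or is_internal(ev["dst_ip"]):
            continue
        alerts.append({"host": ev["host"],
                       "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
                       "proto": proto})
    return alerts


if __name__ == "__main__":
    for alert in flag_outlook_smb(SAMPLE_CONNECTIONS):
        print(f"{alert['host']} -> {alert['dst']} ({alert['proto']})")
```

Run against firewall or EDR network-connection logs, this rule pairs naturally with the perimeter block on outbound TCP 445 that Microsoft recommended alongside the patch: the block stops the credential leaving, and the alert tells you which mailbox received the trigger.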

The other zero-day flaw being actively exploited in the wild — CVE-2023-24800 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools.

Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24800 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.

“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.

Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.

Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, ColdFusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking

The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.

String similarities in the ransom notes as well as modifications left by the ransomware payloads suggest that CatB may be either an evolution or direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry.

In this post, we offer a technical analysis of the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.

CatB Ransomware Technical Information

CatB payloads are distributed as a set of two DLLs. A dropper DLL is responsible for initial evasive environmental checks as well as dropping and launching the second DLL, which serves as the ransomware payload.

CatB Ransomware Process Graph

First, the dropper is distributed in the form of a UPX-packed DLL (versions.dll). This dropper deposits the second DLL payload (oci.dll) onto the target host. The dropper DLL is responsible for any sandbox evasion techniques required by the threat actor. Sandbox evasion inhibits the analysis process and ultimately leads to more time in the target environment for the attacker.

CatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. These are direct checks for type and size of physical RAM, type and size of physical hard disks, and checking for odd or anomalous combinations of processors and cores.

Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.

Oci.dll payloads in System32 (view from Singularity™ Console)

The malware then abuses the MSDTC service, manipulating its permissions and startup parameters. As a result, the system will load the malicious oci.dll into the service’s executable (msdtc.exe) when the MSDTC service is restarted. Taskkill.exe is used to terminate the msdtc.exe process once the service configuration changes have been made.

Msdtc.exe termination syntax
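The chain described above (oci.dll planted in System32, the MSDTC service reconfigured, msdtc.exe killed so that the service restarts with the planted DLL) can be hunted in endpoint telemetry. The following is an added example and not SentinelOne’s own detection logic: it classifies constructed, Sysmon-style events and alerts on any host that shows a high-confidence signal (oci.dll written to, or loaded by msdtc.exe from, System32) or at least two of the weaker ones. The event field names are assumptions modelled on Sysmon, and the `sc config` / `sc sdset` command shapes are an assumption about how the service changes would surface in process-creation logs.

```python
"""
Hunt the CatB MSDTC DLL-hijack chain in endpoint telemetry.

Added example (not SentinelOne code). Field names are assumptions;
the events are constructed.
"""
import re
from collections import defaultdict

# Constructed sample telemetry, not real captures. WS01 shows the full chain
# from the analysis; DB02 is benign Oracle-client noise that must not alert
# (a genuine Oracle client keeps oci.dll in its own home, not in System32).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "FileCreate",
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\oci.dll"},
    {"host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config msdtc start= auto"},          # assumed command form
    {"host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im msdtc.exe"},
    {"host": "WS01", "type": "ImageLoad",
     "image": r"C:\Windows\System32\msdtc.exe",
     "target": r"C:\Windows\System32\oci.dll"},
    {"host": "DB02", "type": "ImageLoad",
     "image": r"C:\oracle\client\bin\sqlplus.exe",
     "target": r"C:\oracle\client\bin\oci.dll"},
    {"host": "DB02", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc query msdtc"},
]

OCI_IN_SYSTEM32 = re.compile(r"\\system32\\oci\.dll$", re.IGNORECASE)
# Service reconfiguration through sc.exe: config (start type / binary path),
# sdset (service ACL), failure (recovery actions). Direct registry edits under
# the MSDTC service key would need a separate registry-event rule.
MSDTC_RECONFIG = re.compile(r"\bsc(\.exe)?\s+(config|sdset|failure)\s+msdtc\b",
                            re.IGNORECASE)
MSDTC_KILL = re.compile(r"\btaskkill(\.exe)?\b.*\bmsdtc\.exe\b", re.IGNORECASE)

HIGH_CONFIDENCE = {"oci_dll_dropped_in_system32", "msdtc_loaded_system32_oci_dll"}


def classify(event):
    """Map one event to a named signal, or None if it is uninteresting."""
    kind = event["type"]
    target = event.get("target", "")
    if kind == "FileCreate" and OCI_IN_SYSTEM32.search(target):
        return "oci_dll_dropped_in_system32"
    if (kind == "ImageLoad"
            and event["image"].lower().endswith("\\msdtc.exe")
            and OCI_IN_SYSTEM32.search(target)):
        return "msdtc_loaded_system32_oci_dll"
    if kind == "ProcessCreate":
        cmdline = event.get("cmdline", "")
        if MSDTC_RECONFIG.search(cmdline):
            return "msdtc_service_reconfigured"
        if MSDTC_KILL.search(cmdline):
            return "msdtc_killed"
    return None


def hunt(events, min_signals=2):
    """Return {host: [signals]} for hosts that warrant an alert: any
    high-confidence signal, or at least `min_signals` distinct signals."""
    per_host = defaultdict(set)
    for event in events:
        signal = classify(event)
        if signal:
            per_host[event["host"]].add(signal)
    return {
        host: sorted(signals)
        for host, signals in per_host.items()
        if signals & HIGH_CONFIDENCE or len(signals) >= min_signals
    }


if __name__ == "__main__":
    for host, signals in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(signals)}")
```

The weak signals are kept separate from the high-confidence ones on purpose: administrators do occasionally reconfigure or restart MSDTC, but an oci.dll appearing under System32 has no benign explanation on a host without Oracle XA integration and deserves a ticket on its own.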

CatB ransomware excludes the following files and extensions from the encryption process: .msi, .dll, .sys, .iso and NTUSER.DAT.

Encryption exclusions in payload DLL

In addition to the hardcoded exclusions, the local disk volumes to be encrypted are also configured in a similar manner. By default, the oci.dll payload will attempt to encrypt C:\Users (crawling the whole tree), I:, H:, G:, F:, E:, and D:.

Local encryption targets in oci.dll

The lack of post-encryption alterations is a trait that sets CatB apart from other contemporaries. Once encrypted, there is no blatant indicator – no separate ransom note dropped, no change to the desktop wallpaper, and no antagonizing file extensions. Instead, what could be considered the ransom note is inserted into the beginning of each encrypted file.

Ransom note appended to head of encrypted file (catb991 variation)

Per the ransom note, the only way to engage the threat actor is via email at the provided catB9991 protonmail address. Beyond that, a single Bitcoin (BTC) address is provided for payment submissions. The ransom price is set to increase each day for five days and, following the fifth day, there will be “permanent data loss” if the victim does not comply.

Based on observations, there is no evidence to indicate that CatB operators are generating payment wallets for each victim as the Bitcoin address provided is not unique to each sample.
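Because CatB writes its note into the head of each encrypted file rather than dropping a separate note file, a sweep that only looks for new README-style files will miss it. The following is an added example, not SentinelOne code: it reads the first few kilobytes of every file under a directory and reports any whose head carries the contact or payment strings from the Indicators of Compromise at the end of this post. The note text used to build the sample tree is constructed, only the indicator strings come from the post, and the 4 KiB head size is an assumption.

```python
"""
Scan for files whose head carries a CatB-style ransom note.

Added example, not SentinelOne code. The sample note text is constructed;
the indicator strings are taken from the post's IoC list.
"""
import os
import tempfile
from pathlib import Path

# IoCs from the post, re-fanged so they match raw file content.
# Comparison is done on lower-cased bytes.
INDICATORS = [
    b"catb9991@protonmail.com",
    b"fisha001@protonmail.com",
    b"bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz",
]
HEAD_BYTES = 4096  # assumption: the prepended note fits in the first 4 KiB


def head_indicators(path, head_bytes=HEAD_BYTES):
    """Return the indicator strings present in the first `head_bytes` of `path`."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes).lower()
    except OSError:  # unreadable file: skip it rather than abort the sweep
        return []
    return [ind.decode() for ind in INDICATORS if ind in head]


def scan_tree(root, head_bytes=HEAD_BYTES):
    """Walk `root`; map each flagged file (path relative to root) to its indicators."""
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            found = head_indicators(path, head_bytes)
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree():
    """Create a constructed tree: two files with a note at their head, two clean ones."""
    root = Path(tempfile.mkdtemp(prefix="catb_demo_"))
    note = (b"Your files have been encrypted.\n"  # constructed stand-in wording
            b"Contact: catB9991@protonmail.com\n"
            b"Payment: bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz\n")
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(note + os.urandom(512))
    (root / "budget.xlsx").write_bytes(note + os.urandom(256))
    (root / "clean.txt").write_text("quarterly numbers\n")
    (root / "notes.md").write_text("nothing suspicious here\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, found in sorted(scan_tree(sample).items()):
        print(f"{rel}: {', '.join(found)}")
```

Reading only the head keeps the sweep cheap enough to run across a file server during an incident. Because it matches on the email addresses as well as the wallet, it also catches the double-email variant described later in the post, which omits the BTC address.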

Generation of unique key file

A key file is deposited onto each infected host in c:\users\public. This file must be included in email correspondence with the attackers as it is, ideally, a unique identifier for each victim or host.

Key file dropped for each victim

Example CatB ‘key’ file

Credential and Browser Data Theft

In addition to file encryption and obfuscation, the CatB malware will attempt to gather specific, sensitive information from targeted systems. This includes browser session and credential data.

The ransomware contains functionality to discover and extract user data from Mozilla Firefox, Google Chrome, Microsoft Edge as well as Internet Explorer. Data extracted from browsers includes bookmarks, blocklists, crash logs, history, user profile data, autofill data, environmental settings, browser session keys, and more.

CatB malware will also attempt to locate and extract sensitive information from Windows Mail profile data (AppData\Local\Microsoft\Windows Mail).

Variations of CatB Threat Campaigns

Samples pulled from a November 2022 campaign feature a different contact email address, fishA001[@]protonmail.com. This later changes to the catB9991 protonmail address mentioned above. This is the only difference with regards to the ransom notes. Other details such as payment-per-day breakdowns and the BTC payment address are identical.

Alternate ransom note (fisha001)

We have also encountered variations which include both email addresses. When these ‘double email’ notes are appended to the head of files, it looks as follows:

Alternate ransom note (double-email, no BTC)

These ransom notes display all the same features minus the BTC payment address. Also missing is the requirement to submit the key file in c:\users\public\key. Notes that are missing the key submission feature suggest that they are artifacts of an earlier ‘test’ version of the ransomware.

BTC Payment / Blockchain Status

At the time of writing, the BTC address associated with CatB ransomware has zero transactions and a zero balance.

BTC Balance for Wallet - bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz

Conclusion

CatB joins a long line of ransomware families that embrace semi-novel techniques and atypical behaviors such as appending notes to the head of files. These behaviors appear to be implemented in the interest of detection evasion and some level of anti-analysis trickery. For example, many environments rely solely on the appearance of ransom notes to alert them to the potential of a ransomware outbreak. This is not the case with CatB.

Despite that, the threat lacks overall sophistication, and a modern, properly configured XDR/EDR solution should alert quickly upon initiation of a CatB attack in the environment.

SentinelOne Singularity™ fully prevents and protects customers against malicious behaviors associated with CatB Ransomware.

Indicators of Compromise

SHA1 CatB Samples

1028a0e6cecb8cfc4513abdbe3b9d948cf7a5567
8c11109da1d7b9d3e0e173fd24eb4b7462073174
951e603af10ec366ef0f258bf8d912efedbb5a4b (early version note example)
db99fc79a64873bef25998681392ac9be2c1c99c
dd3d62a6604f28ebeeec36baa843112df80b0933

Email addresses

catB9991[at]protonmail[.]com
fishA001[at]protonmail[.]com

BTC Wallets

bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz

Introducing SentinelOne’s Customer Community | Actionable Reports to Maximize Your Success

Enterprise security teams are responsible for the overwhelming task of evolving their organization’s defenses to keep pace with ever-changing threats. As a result, it’s often difficult to measure the effectiveness of their current cybersecurity measures and determine whether or not progress has been made – let alone stay on top of new, emerging risks to their environment.

At SentinelOne, we’re committed to the success of our customers, not just as a technology provider and platform. We want to ensure that we’re also delivering the knowledge, insight, and resources security programs need to succeed.

Today, we’re introducing a new home to our Global Support & Services reporting capabilities, all accessible through the SentinelOne Customer Community. The Community offers our customers a centralized, collaborative environment to receive help and insight into their SentinelOne deployment, understand the performance and efficacy of their MDR service, and understand what steps can be taken to improve the overall health and security posture of their environments. Customers can also network amongst themselves in groups or access a full library of onboarding videos.

In this post, we’ll highlight how security teams, no matter where they are in the world, can use the reports and resources available through the Customer Community to uplevel their cybersecurity programs.

Seamlessly Manage Your Security Estate with the Enterprise Deployment Report

Our reporting capabilities pull in data from across a customer’s security estate to give security leaders and analysts a comprehensive overview of their deployment. By tracking the number of active agents, teams can track the rollout of Sentinel Agents across their endpoint fleet over time.

Enterprise Deployment reports also provide a full list of tickets within a security team’s workflow, displaying both open and pending tickets, along with priority levels to track team and analyst performance, so that team leaders can prioritize issues that need to be addressed.

Additional components of the report include the EP deployment graph, which provides security teams with high-level visibility into blindspots in their security estate so they can roll out agents as necessary.

(However, customers that already deploy Singularity Ranger can automatically close any deployment gaps, with no manual intervention necessary.)

Moreover, security teams can ensure continuous protection of their enterprise's various attack surfaces by viewing the start and end dates of the enterprise's SentinelOne products and subscriptions from a single pane of glass.

Understand Effort and Impact with the Business Value Report

With the Business Value Report, enterprise security leaders and CISOs can provide tangible proof of improved security posture to their boards and executives. They can demonstrate their team’s value by showing an overview of the risks they’ve mitigated, which gives them a foundation to expand on by talking about how their analysts have faced more specific known and emergent threats.

This report provides visibility into the number of malicious and suspicious threats the team has detected and resolved. Key stakeholders can also get a look at resolved and unresolved threats, sorted by the incident’s status, to evaluate their security team’s workflows and what blockers may exist for further improvement. This view can be drilled down further to threats at the account level.

The report also offers visibility into a customer’s endpoint fleet by attaching a health overview of their Sentinel Agents. These charts provide valuable insights into agent deployments by sorting them according to their supported operating systems and legacy systems that have reached their end-of-support or end-of-life stage. This organization makes it easier for teams to manage their endpoint devices and stay ahead of any potential security threats. By grouping the devices by OS, site, and attack surface type, such as desktops, laptops, and servers, teams can quickly identify any vulnerable devices and take proactive measures to address them.

The report provides additional value for our Vigilance customers by giving them a month-by-month look at the number of attacks prevented by our Managed Detection and Response (MDR) service, along with a breakdown of the types of threats encountered by our Vigilance analysts. Vigilance Respond and Vigilance Respond Pro customers can get a more granular view of the work performed by our team and its impact through the Vigilance Executive Report—more on that shortly.

Stay Healthy with Proactive Support & Health Monitoring

With SentinelOne’s Enterprise Pro Support offering, security teams gain unique, unmatched insight into their security suite’s health and performance, so they can quickly detect and resolve performance issues before downstream business impact.

Enterprise Pro Support customers can access daily Proactive Support Reports that provide a snapshot of their environment’s health at both the agent and console levels.

Every report starts with a high-level health overview of Sentinel Agents across a security estate, organized by OS, site, and attack surface type (such as desktop, laptop, and server).

Customers gain insight into agents that are reaching end-of-support or end-of-life so they can deploy additional protections immediately. They can also identify the sites and agents with the highest level of alerts to prioritize their security team's investigations.

Customers also get a head start on managing any issues in an environment with a comprehensive list of management and agent diagnostics. These reports provide 24×7 visibility into any factors that may impact performance, such as agent performance, CPU and memory impact, anomalies in processes or databases, and upgrade or install progress, with actionable steps for remediation. Even better, the Enterprise Pro Support service automatically opens tickets for high-severity issues without requiring a customer to create a ticket manually.

The Singularity Platform offers its administrators and users unparalleled accuracy in isolating and resolving issues, and empowers users to identify and address any potential security risks, ensuring the integrity and protection of their system.

Each report will list impacted devices for each category, and offer policies and best practices that your security program can implement to create additional layers of protection for your environments.

Assess the Impact of MDR with Vigilance Executive Reports

Teams using Vigilance Respond and Vigilance Respond Pro Managed Detection and Response (MDR) can now access their Vigilance executive reports through the Community. These reports offer a month-to-month look at the volume and complexity of threats an environment faces, including the type of threats encountered, Mean Time to Respond (MTTR), and the efficacy of alert and ticket resolution.

Customers use this overview of their activity in conversations with leadership. For example, this data can be visualized to show how a security program has consistently lowered your company’s MTTR to potential incidents, and break down the number and type of cyber attacks prevented each month.

These reports can also help key stakeholders outside of the security discipline to understand how their security team prioritizes and quickly resolves high-severity issues, and show a clear decrease in risks to their company’s sensitive data.

Proactively Prepare for Incidents with Response Readiness Reports

SentinelOne empowers Vigilance Respond Pro customers with quarterly Response Readiness Reviews, which ensure that organizations are prepared to investigate and respond to suspicious or malicious activities and close gaps in their cybersecurity coverage.

In addition to noting the service and retainer hours a customer has left in their Vigilance subscription and its expiration date, Response Readiness reviews also allow them to schedule consultations and include suggestions for how they can make the most of the time remaining in their subscription, through offerings such as workshops, policy reviews, and tabletop exercises.

Like other Vigilance reports, these reviews also allow them to identify endpoints and servers with operating systems nearing EOL and versions of the Sentinel Agent approaching EOS to mitigate security risks. Teams can also follow given recommendations and notes from Vigilance MDR & DFIR analysts to better align their organization’s security posture with best practices.

Looking Ahead

The reports available in the Community can help teams understand the kind of threats their environments face and proactively tackle high-priority issues. They can also help generate additional buy-in from CISOs and executives by demonstrating the impact of SentinelOne technology and services on keeping their business running smoothly.

And there’s more! As we continue to partner with our customers, the SentinelOne Customer Community will be introducing further new ways to gain and share knowledge, optimize security programs, and take informed action. Stay tuned for further announcements by signing up for SentinelOne’s weekly email digest.

If you would like to learn how SentinelOne can help protect your business, contact us or request a free demo.