The Good, the Bad and the Ugly in Cybersecurity – Week 17

Threat Hunters Power Up with Conversational AI

This was the week that was RSAC 2023, so good news abounded aplenty as vendors across the cybersecurity space made announcements and reveals about new features, services and products designed to help defenders keep their enterprises safe.

Among these, SentinelOne’s Purple AI is set to be a gamechanger as it brings LLM-powered conversational AI to the Singularity platform, allowing threat hunters to replace complex, structured query language with simple questions, from the specific to the vague. “Am I infected with SmoothOperator?”, “Which endpoints are exposed to Log4J?”, “What are the most suspicious events in my environment in the last 24 hours?”.

PurpleAI threat hunting console generative AI

The AI returns results along with identified behavior and recommendations for further action. Coupled with XDR to unite a business’ diverse data sources, the AI can help threat hunting teams to overcome the major challenges of threat hunting: time and skill-level. With many SOC teams struggling with alert fatigue and a skills shortage, PurpleAI will provide a much needed tonic for the troops.

RSAC 2023 also saw SentinelOne announce an exclusive partnership with CNAP specialists Wiz. Combining SentinelOne’s Cloud Workload Protection with Wiz’s Cloud Native Application Platform is expected to bring huge benefits to enterprise customers needing to manage and secure cloud infrastructure. For more on what happened at RSAC this week, see our dedicated posts on Days 1, 2, 3 and 4.

PaperCut Vulnerability Leveraged to Deliver Ransomware

PaperCut servers with known vulnerabilities CVE-2023-27350 and CVE-2023-27351 are being exploited to deliver Cl0p and LockBit ransomware, it was discovered this week. The print management software is widely used in enterprises to monitor and control printing tasks.

The vulnerabilities may have been weaponized as early as April 13, five days prior to the first reported suspicious activity linked to exploitation of unpatched PaperCut servers. The vulnerabilities in PaperCut NG and MF products expose the servers to unauthenticated remote code execution attacks and can also allow unauthorized attackers to steal credentials and PII.

In one in the wild case, attackers compromised a target with PowerShell scripts to deliver LockBit ransomware. Meanwhile, Microsoft reported that a Cl0p-affiliated ransomware gang was conducting multi-stage attacks on vulnerable PaperCut servers that begin with PowerShell delivering a TrueBot payload and then use Cobalt Strike for lateral movement and data exfiltration.

Needless to say, organizations deploying PaperCut are urged to ensure that all instances are updated as a matter of urgency.

RTM Locker Ransomware Targets Virtual Machine Servers

Recent weeks have seen a number of examples of how threat actors continue to explore new opportunities for compromise and seek new targets to exploit. In this regard, we’ve seen LockBit experimenting with macOS ransomware, and an increase in payloads targeting Linux, which of course is widely used in servers as well as devices common in the enterprise, from routers and printers to IoT ‘smart’ appliances and security cameras.

The latest development is a variant of the RTM Locker ransomware that specifically targets Linux, NAS and, significantly, virtual machines on VMware ESXi hosts. ESXi servers have become increasingly popular with the rise of cloud computing and cloud infrastructure as a means to deploy and manage enterprise level virtual computers, making them attractive targets for threat actors.

The new variant of RTM Locker is said to be based on leaked Babuk ransomware source code. On execution, it kills all running VM clients on the ESXi host and begins encrypting files. Locked files are appended with a .RTM extension and a ransom note entitled !!!Warning!!! is dropped on the compromised server. The ransomware uses asymmetric encryption, meaning decryption is only possible with possession of the private key held by an attacker.

RTM locker ransom note
Source: Uptycs

The hardcoded ransomware note shows that the victims need to install the encrypted chat client Tox in order to negotiate payment of the ransom. Exactly how active the RTM group is at the moment is open to debate, but the developers have been seen advertising for affiliates in darknet forums with translations available in English, Russian and Chinese languages.

Day 3 From RSAC 2023 | Innovations In Threat Hunting and Risks In the Lens of Regulatory Requirements

Beat the midweek blues with a full recap of Day 3 here at this year’s RSAC. Catch up on presentations the SentinelOne team is sharing on cybersecurity thought leadership, learn about exclusive demos, and feel like you’re part of all the action that’s happening in San Fran!

SentinelOne’s Management Console Fuses Generative AI Into Its Threat Hunting Processes

At SentinelOne, we stay laser-focused on securing enterprises by using cutting-edge technology to get ahead of cyber threats. In a major advancement for the cybersecurity community, our team was excited to launch Purple AI on Monday, an industry-first threat hunting tool fueled by generative AI and reinforcement learning capabilities. Demos on our new tool have been going all week. To see for yourself, stop by Booth S-626 for a hands-on demonstration on how it detects anomalies at machine-speed.

Purple AI is already being lauded as one of the top ten coolest new solutions by CRN announced at RSAC, and for good reason. As the global discussion continues on how AI will shape the world we live in, cybercriminals have already started experimenting with AI for the worse; designing malicious attacks and speeding up their processes. As a leader and early innovator of AI in cybersecurity, SentinelOne is integrating generative AI technology directly into the Singularity platform, allowing analysts to use conversational prompts to hunt for both known and unknown threats.

Spotlight Presentation | Navigating Top Cyber Risks & Regulatory Requirements

How we secure our hyper-connected world has been a much-discussed subject at RSAC. It’s also both a blessing and a curse for the global, modern enterprise. Reaching and engaging with more customers, more agility, and a more unified global workforce also means more exposure to attacks and a widening gap between defenders and threat actors. All of this is complicated by the different regulatory requirements that businesses need to follow in different regions: GDPR, CISA’s Cybersecurity Information Sharing Act, separate cybersecurity laws in China, Russia, Saudi Arabia, and the United Arab Emirates. The list goes on.

So, where does an organization even start to improve its cyber resilience in the face of today’s global threat landscape? In our session on Tuesday, SentinelOne’s Senior Director and Global Field CISO Milad Aslaner and Americas Field CISO Associate Director Mani Keethi Nagothu offered best practices to navigate this regulatory labyrinth.

“There’s a lot of things that we have to do, but it comes back to thinking about the cybersecurity strategy that we have today and that we have a clear roadmap to set up for success,” said Aslaner during the session. The five practical steps organizations should take towards cyber resilience are:

  1. Continuous Asset Discovery – Understand your environment and uncover all your blind spots continuously across all types of relevant networks.
  2. Risk-Based Vulnerability Management – Ensure that you have all your vulnerabilities and misconfigurations identified and remediated in real-time.
  3. Identity Threat Protection – Verify that only trusted identities with healthy endpoints have access to your corporate services.
  4. Endpoint, Identity, Cloud Detection and Response – Extend your detection and response capabilities beyond the endpoint to cover any identity and cloud workloads.
  5. Unified Security Platform – Have a convergence of security tools in a unified security platform.

“We want organizations to move from a reactive approach to taking a proactive approach,” says Nagothu. We also talked with Nagothu ahead of this session to ask her for that one takeaway she would like audience members and business leaders to know. Her message? Your organization should take a more “holistic approach” to cybersecurity.

“As a previous security leader myself, there’s always this gap where you’re not involving everybody in the whole process of security. Specifically when you talk about cloud adoption, you have DevOps, you have Operations, and you have your Security team. All of them have to collaborate and work together.”

Nagothu continued by saying that the place to start is by “looking at your tools, process, and people to understand how all of these pieces fit together to form the bigger puzzle.” That, she said, will “improve efficiencies, improve any gaps and give you more visibility and more control over your security environment.”

Watch the full recording on-demand by registering for RSAC 2023.

It’s About Time | The Results of Our F1 Simulator Competition

Speed matters whether you’re asking SentinelOne or the folks behind Aston Martin’s Aramco Cognizant Formula One™ Team. In cybersecurity, we are continuously striving for ways to shave off seconds in threat responses and keeping our detection capabilities in real-time. For Aston Martin, speed is in the DNA of their rich heritage of luxury sports cars, grand tourers, and F1 racers.

This week at RSAC, event attendees that felt the same need for speed as we do have stopped by to test their racing skills against Aston Martin F1 driver ambassador, stunt driver, and motorsports champion Jessica Hawkins herself. Many at Booth 4417 tore up the virtual tracks but only two race-hopefuls managed to come close to Jessica’s time of 1:38.589 on Tuesday. We’d like to congratulate Daniel Willenbring, with a time of 1:38.330, and Omokhoje Amu, with a time of 1:38.810 for being fellow speed enthusiasts.

We also had a real treat awaiting visitors to the F1 booth: driver Fernando Alonso’s P3 Bahrain trophy. Yes, the real thing!



Forward Motion | Following the Beat of the Music at RSAC’s FOMO After Party

City View at Metreon was transformed last night for FOMO (Forward Motion), an exclusive after party hosted for attendees of RSAC this year. 1,200 private guests filled the space and outdoor terrace to see two internationally acclaimed DJs who performed for an energetic crowd.

Not to fuel your own FOMO if you couldn’t attend, but one of the DJs was a multi-Grammy nominee who made sure to deliver some absolute bangers for our crowd! Thank you to everyone who attended last night and made the evening so special!



Day 3 might have come to a close, but we’ve got one day left at RSAC to look forward to. Be sure to swing by the S1 booths and see the new integrations and tools in action. We’ll be waiting at Booth S-626, or Booth 4417!

Day 4 From RSAC 2023 | Event Wrap Up & How to Keep the Conversation Going

San Francisco, we have made it to the final day of RSAC 2023 – what an event! For Day 4, we rounded off the show with several more exclusive talk tracks, getting connected with our partners and other leaders in the cyber community, and announcing the final winners of our highly popular F1 simulator race. For those of you who weren’t able to make it in person this year, let’s wrap up the event with this final recap post of the day.

Stronger Together | Honoring SentinelOne’s Partnerships at RSAC

Throughout the week, our team truly embraced the “Stronger Together” theme set by RSAC for this year’s conference. Believing that no one should go it alone in the threat landscape, SentinelOne was honored to collaborate with and learn from our valued partners and fellow defenders both on and off the Expo floor.

We were excited to invite our partners to present unique thought leadership segments at our main theater booth, including the team at KPMG, and also sent Sentinels to carry the purple flag across the Moscone Center to give numerous presentations at partner booths.

SentinelOne’s Associate Product Marketing Manager, Amy Pham, presents at Armis Security’s booth.

We also got a chance to visit our friends from Wiz at arguably the most creatively designed booth of all at RSAC. Event goers were invited to follow the yellow brick road to a “Winter of Oz” themed setup, complete with Wiz greeters dressed as Dorothy, the Cowardly Lion, and the Tin Man.

The folks at Wiz were presenting a demo of our exclusive partnership with them when we visited, showing the SentinelOne platform actively pulling information from the Wiz platform and using that information to enrich threat details in our Singularity platform. Upon detecting a cloud threat, our platform could be seen automatically ingesting additional cloud-infrastructure context. The details ingested include vulnerability, permissions, configurations, and more, to enrich our deep, process-level telemetry. Read more about this early availability integration here.

Adaptability, Performance & Speed | Securing Aston Martin to Secure the Wins

Much like the world of racing, cybersecurity is always changing. SentinelOne proudly partners with Aston Martin, making sure our best-in-class technology is constantly learning, adapting, and pivoting to protect them at every turn. After all, staying ahead of the game means being threat-free.

In an impromptu Q&A, SentinelOne’s Communication Specialist, Holly Bittinger, invited Aston Martin Cognizant F1’s driver ambassador and stunt and race driver, Jessica Hawkins, to chat all things F1 and why cybersecurity is important to racing.

Jessica explained to Holly why SentinelOne securing Aston Martin F1’s data is so important to AMF1. F1 teams generate and internally share very sensitive information including their own telemetry and data analysis. One can only imagine how that data could be valuable to both traditional threat actors and F1 competitors.

Holly then asked Jessica about her inspiring career as a female racing pioneer. For the longest time, said Jessica, she didn’t realize she was any different than all the boys she raced against, even when she was in most cases the only girl competing in a race. Of course, Jessica would go on to compete professionally in the W Series, an all-female, single-seater racing championship, in addition to performing stunt work including on the James Bond film, “No Time To Die” and on “Jurassic World: Dominion”.

Jessica then discussed with Holly the importance of promoting greater diversity, equality, and inclusion in motorsport and in general; a cause she’s passionately dedicated herself towards. You can read more about the inspiration that is Jessica Hawkins in this interview series published by Aston Martin F1.

Racing, like cyber defense, revolves around getting down to the cleanest lines and fastest response times possible. That said, we are pleased to reveal that one of our F1 simulator competition winners, Daniel Willenbring, embodied this spirit when he returned on Wednesday to beat his previous time. Final lap time recorded was 1:35:910 – congrats, Daniel!

Highlights from SentinelOne’s Booth Presentations

Comprehensive Identity Security

Securing digital identities is more important than ever. While organizations are starting to implement identity access management (IAM) solutions to manage authentication and access, these technologies are not the end-all-be-all security solutions for protecting identities or identity management systems.

SentinelOne’s Technical Marketing Engineer, Joseph Salazar, presented on what identity security entails, how to reduce identity-related risks, the role of Identity Threat Detection and Response (ITDR), and how it all fits in with your overall security strategy.

Enhancing ITDR with Deception – Joseph Salazar

Attackers leverage compromised identities in most successful attacks, stealing and misusing them to masquerade as legitimate employees and then moving laterally within the enterprise network. The emerging field of Identity Threat Detection and Response (ITDR) aims to secure identities and identity management systems, but many solutions fail to prevent attackers from exploiting the identities they’ve stolen. SentinelOne’s Joseph Salazar spoke on how deception tactics and technologies are key to how enterprises can address this critical gap.

Applying eBPF to Cloud Security – Rick Bosworth

The extended Berkeley Packet Filter (eBPF) framework allows OS process-level observability and response within the Linux kernel, without kernel interference, making it ideal for security applications such as cloud workload protection (CWPP).

In his session, SentinelOne’s Director of Product Marketing, Rick Bosworth, discussed the significance of eBFP to cloud workload protection platforms (CWPP) for machine-speed detection of OS-level runtime threats, and the benefits of such an architectural approach, including stability, scalability, and performance.

Thank You, RSAC 2023 – Until Next Year!

It’s been a very memorable four days at this year’s RSA Conference. As always, Sentinels brought their A-game and came to the event with the goal of exchanging ideas, sharing success stories, and finding new ways to innovate and create breakthroughs in how we all look at and understand the cyber threat landscape ahead of us.

We hugely enjoyed connecting with our partners and learning from our fellow leaders in the cybersecurity space. We take this opportunity to thank our hosts, RSAC, all our partners and colleagues who presented at SentinelOne’s booth, and most of all, all those who made time to visit our in-person team and took genuine interest in investing towards a safer future for us all.

We can’t wait to join RSAC in the year ahead, and in the meantime, welcome everyone to keep the conversations and ideas flowing. Contact us to learn more about what SentinelOne is doing to evolve the cyber defense industry or book a demo to get more in-depth experience with our newest integrations and security offerings.

Many Public Salesforce Sites are Leaking Private Data

A shocking number of organizations — including banks and healthcare providers — are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.

A researcher found DC Health had five Salesforce Community sites exposing data.

Salesforce Community is a widely-used cloud-based software product that makes it easy for organizations to quickly create websites. Customers can access a Salesforce Community website in two ways: Authenticated access (requiring login), and guest user access (no login required). The guest access feature allows unauthenticated users to view specific content and resources without needing to log in.

However, sometimes Salesforce administrators mistakenly grant guest users access to internal resources, which can cause unauthorized users to access an organization’s private information and lead to potential data leaks.

Until being contacted by this reporter on Monday, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance program that exposed the applicant’s full name, Social Security number, address, phone number, email, and bank account number.

This misconfigured Salesforce Community site from the state of Vermont was leaking pandemic assistance loan application data, including names, SSNs, email address and bank account information.

Vermont’s Chief Information Security Officer Scott Carbee said his security teams have been conducting a full review of their Salesforce Community sites, and already found one additional Salesforce site operated by the state that was also misconfigured to allow guest access to sensitive information.

“My team is frustrated by the permissive nature of the platform,” Carbee said.

Carbee said the vulnerable sites were all created rapidly in response to the Coronavirus pandemic, and were not subjected to their normal security review process.

“During the pandemic, we were largely standing up tons of applications, and let’s just say a lot of them didn’t have the full benefit of our dev/ops process,” Carbee said. “In our case, we didn’t have any native Salesforce developers when we had to suddenly stand up all these sites.”

Earlier this week, KrebsOnSecurity notified Columbus, Ohio-based Huntington Bank that its recently acquired TCF Bank had a Salesforce Community website that was leaking documents related to commercial loans. The data fields in those loan applications included name, address, full Social Security number, title, federal ID, IP address, average monthly payroll, and loan amount.

Huntington Bank has disabled the leaky TCF Bank Salesforce website. Matthew Jennings, deputy chief information security officer at Huntington, said the company was still investigating how the misconfiguration occurred, how long it lasted, and how many records may have been exposed.

KrebsOnSecurity learned of the leaks from security researcher Charan Akiri, who said he wrote a program that identified hundreds of other organizations running misconfigured Salesforce pages. But Akiri said he’s been wary of probing too far, and has had difficulty getting responses from most of the organizations he has notified to date.

“In January and February 2023, I contacted government organizations and several companies, but I did not receive any response from these organizations,” Akiri said. “To address the issue further, I reached out to several CISOs on LinkedIn and Twitter. As a result, five companies eventually fixed the problem. Unfortunately, I did not receive any responses from government organizations.”

The problem Akiri has been trying to raise awareness about came to the fore in August 2021, when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data (Costello subsequently published a follow-up post detailing how to lock down Salesforce Community sites).

On Monday, KrebsOnSecurity used Akiri’s findings to notify Washington D.C. city administrators that at least five different public DC Health websites were leaking sensitive information. One DC Health Salesforce Community website designed for health professionals seeking to renew licenses with the city leaked documents that included the applicant’s full name, address, Social Security number, date of birth, license number and expiration, and more.

Akiri said he notified the Washington D.C. government in February about his findings, but received no response. Reached by KrebsOnSecurity, interim Chief Information Security Officer Mike Rupert initially said the District had hired a third party to investigate, and that the third party confirmed the District’s IT systems were not vulnerable to data loss from the reported Salesforce configuration issue.

But after being presented with a document including the Social Security number of a health professional in D.C. that was downloaded in real-time from the DC Health public Salesforce website, Rupert acknowledged his team had overlooked some configuration settings.

Washington, D.C. health administrators are still smarting from a data breach earlier this year at the health insurance exchange DC Health Link, which exposed personal information for more than 56,000 users, including many members of Congress.

That data later wound up for sale on a top cybercrime forum. The Associated Press reports that the DC Health Link breach was likewise the result of human error, and said an investigation revealed the cause was a DC Health Link server that was “misconfigured to allow access to the reports on the server without proper authentication.”

Salesforce says the data exposures are not the result of a vulnerability inherent to the Salesforce platform, but they can occur when customers’ access control permissions are misconfigured.

“As previously communicated to all Experience Site and Sites customers, we recommend utilizing the Guest User Access Report Package to assist in reviewing access control permissions for unauthenticated users,” reads a Salesforce advisory from Sept. 2022. “Additionally, we suggest reviewing the following Help article, Best Practices and Considerations When Configuring the Guest User Profile.”

In a written statement, Salesforce said it is actively focused on data security for organizations with guest users, and that it continues to release “robust tools and guidance for our customers,” including:

Guest User Access Report 

Control Which Users Experience Cloud Site Users Can See

Best Practices and Considerations When Configuring the Guest User Profile

“We’ve also continued to update our Guest User security policies, beginning with our Spring ‘21 release with more to come in Summer ‘23,” the statement reads. “Lastly, we continue to proactively communicate with customers to help them understand the capabilities available to them, and how they can best secure their instance of Salesforce to meet their security, contractual, and regulatory obligations.”

Shift-Left, Shield Right | Early Availability of Wiz Integration with SentinelOne

SentinelOne is pleased to announce early availability (EA) of the integration between our real-time, AI-powered Cloud Workload Protection Platform (CWPP) with the Wiz Cloud-Native Application Protection Platform (CNAPP) functionality. This “shift-left, shield right” combination of Wiz and SentinelOne in a multi-layered cloud security stack helps cloud security practitioners quickly and easily identify, prioritize, and fix cloud security incidents more efficiently.

When SentinelOne detects a runtime threat to a cloud server or container, it automatically ingests relevant context from Wiz about that cloud resource, including any vulnerabilities, misconfigurations, and exposed secrets that Wiz has detected on it. The SentinelOne threat is automatically enriched with this information in the SentinelOne Singularity™ Platform console. This helps cloud security teams improve security outcomes, including faster and more effective triage, prioritization, and time to remediation. Through the integration of Wiz and SentinelOne products, security teams can now:

  • Visualize their cloud security posture in real time
  • Identify attack paths to critical cloud resources
  • Prioritize cloud risks and quickly triage them to reduce risk
  • Protect cloud workloads from build time to runtime
  • Speed mean time to detection and remediation of cloud incidents

Getting Started

To get started, SentinelOne customers can navigate to the Singularity Marketplace from within the management console and search for Wiz. Select the Wiz app and install (See Figure 1).

Figure 1: Wiz App on the Singularity™ Marketplace within the SentinelOne console

To configure the integration (see Figure 2), the “Wiz API URL” value can be found from the Wiz console via:

  • Clicking on the user icon in the top right corner and selecting “User Settings”.
  • In the left hand menu, select “Tenant”.
  • Copy the value for “API Endpoint URL” and paste it into the “Wiz API URL” field of the Singularity Marketplace app for Wiz.

The value for “Wiz URL to fetch token” will be And the values for “Client ID” and “Client Secret” can be obtained by creating a new Service Account in the Wiz console.  For instructions, please refer to the Wiz documentation on the topic. Then, simply save the configuration and your integration between the Wiz and SentinelOne platforms is ready to use.

From any Threat Details screen within the SentinelOne management console, click the XDR tab to review related context from Wiz – called “Issues” – for the underlying cloud resource (e.g., Amazon EC2 instance).

Figure 2: Configuring the SentinelOne + Wiz Integration

Threat Detection, Enriched

Singularity Cloud Workload Security is SentinelOne’s real-time CWPP solution for workloads, on-prem or in the cloud, on VMs, containers, or Kubernetes clusters. It stops runtime threats such as ransomware, zero-day exploits, and memory injections from disrupting cloud operations or compromising company secrets. Machine-speed threats such as these require the machine-speed detection and response that only a real-time solution can provide. Working alongside a “shift-left” solution such as Wiz – which scans for software vulnerabilities, excessive permissions, misconfigurations, and more – only makes the cloud security stack that much more compelling.

Upon detecting a runtime threat, Singularity Cloud Workload Security automatically ingests issue details from Wiz, enriching threat details with context on the underlying infrastructure. For example, a suspicious threat detected on an Amazon EC2 instance (see Figure 3) is enriched with details such as whether the instance is exposed to the internet, has excessive permissions, and/or contains a vulnerability with a known exploit.

Figure 3: SentinelOne Cloud Threat Detection Enriched with Wiz Issue Details

Wiz had previously scanned the infrastructure, identifying that this specific cloud compute instance is publicly exposed to the internet, via a cloud access key that was saved in cleartext on a public repository such as GitHub. Moreover, this instance has a critical or high network vulnerability with a known exploit. These supporting details are extraordinarily helpful to the security practitioner during triage. Not only is the investigation streamlined, the incident can be routed to the appropriate DevOps owner with all haste.

Additionally, a deep link from the cloud resource issues attached to the threat details can take the user – whether a security practitioner, or the DevOps owner – from the SentinelOne console directly into the Wiz console. As a matter of convenience and efficiency, the user can then examine the attack path in Wiz Security Graph, run queries to identify what other instances may have the same vulnerabilities, and take corrective action such as updating the workload image to prevent recurrence. Meanwhile, back in the SentinelOne console, the security user can remediate the incident, either with a single click or in a fully-automated, machine-speed fashion governed by policy which the security admin controls.


By enriching cloud runtime threats detected by Singularity Cloud Workload Security with context from Wiz on the underlying cloud resources directly within the SentinelOne console, security practitioners can better protect cloud workloads from build time to runtime. Through better prioritization, streamlined investigation, and simplified remediation, security can better manage risk and slash mean-time-to-repair. Each solution works alongside the other to set the stage for improved cloud operations, innovation, and ROI.

To learn more, visit us at RSAC 2023 at booth S-626, where we are demonstrating this exciting integration. Won’t be at RSAC this year? Not a problem. Navigate over to our solution homepage to learn more and, when you are ready, connect with one of our cloud security experts for a demo.

Singularity Cloud
Simplifying security of cloud VMs and containers, no matter their location, for maximum agility, security, and compliance.

Day 2 From RSAC 2023 | Unparalleled Data Visibility and Cloud-Enhancing Integrations

It was a full day here at RSAC, hosted this year at the Moscone Center of San Francisco! Day 2 was filled with many in-depth presentations and training sessions from various cyber leaders in our industry.

To those who’ve already made their way to visit the SentinelOne team at Booth S-626, we’ve loved meeting you! There’s still lots of time to swing by and connect with us over the next two days if you haven’t yet. For those who aren’t with us in person, this post will cover all of the highlights from the day’s activities.

SentinelOne Unveils the Singularity™ Security DataLake

Day 2 of RSAC 2023 saw the team at SentinelOne launch Singularity™ Security DataLake, the most performant cloud-native data solution providing our customers with unparalleled insights into their data across their security ecosystems.

The modern digital landscape is one that is ever-evolving and many organizations face the challenge of reconciling data from multiple sources and formats. These days, enterprises that can master their data and get more value from it are equipped to stay ahead of even the most advanced cyber threats.

Singularity™ Security DataLake enables organizations to uncover threats rapidly and have the power to launch a response in real-time, saving both minutes and cost. It works by combining active orchestration and automation, seamlessly ingesting all data types from any source so customers can work within one cohesive overview.

Security DataLake is powered using new, AI-based anomaly detection capabilities to process data from endpoints, workloads, and users. Effectively protecting cloud workloads to user identities, Security DataLake ensures security teams can proactively identify and stop attacks faster than any human could.

To learn more about how SentinelOne’s autonomous security solutions can serve your business, visit Booth S-626, book a meeting with our team here at RSAC, or request a demo.

SentinelOne Announces an Integration With Wiz

Security teams should never stand in the way of innovation. Rather, they should be thought of as the guardrails that foster a safe space where big ideas and even bigger results can happen.

This premise – that security teams can and should bolster a business’s innovation engine – is one of the driving forces behind our exclusive and strategic partnership with Wiz, which we first announced last month. For Day 2 of RSAC, we revealed that we have successfully integrated our platforms to empower companies of all sizes, securing their cloud infrastructure and workloads without hampering the speed or agility of their application development teams.

As part of this news, cloud security experts from SentinelOne and Wiz unveiled on the RSAC Expo floor a demonstration of the Wiz-SentinelOne integration. RSAC attendees were among the first members of the public to see the SentinelOne platform actively pulling information from the Wiz platform and using that information to enrich threat details in our Singularity platform.

Upon detecting a cloud threat, our platform could be seen automatically ingesting additional cloud-infrastructure context. The details ingested include vulnerability, permissions, configurations, and more, to enrich our deep, process-level telemetry.

SentinelOne’s Director of Product Marketing, Rick Bosworth, described how this integration boosts the abilities of both Security Operation Centers (SOCs) and threat hunters. “It’s truly complementary and better together,” said Bosworth, who described this integration as ‘the flight data recorder’ for cloud workloads. Singularity Cloud now securely records all the deep, OS-level telemetry that workloads carry out on virtual machines or servers.

During investigative processes, SOC analysts easily ‘rewind the tape’ to see exactly what happened; a process made simpler by our artificial intelligence, which automatically correlates relevant and related processes. Now, threat hunters can easily search this record to look for the earliest indicators of compromise; a key element in being able to proactively harden and improve an organization’s cybersecurity posture.

“With this ‘shift-left, shield right’ combination, security practitioners can make better decisions, faster, to prioritize the highest impact security alerts and keep the cloud innovation engine humming smoothly,” said Bosworth. “Fundamentally, this is about the combination of business agility and security you want, and get right-touch security that does not slow down your innovation engine.”

See how the integration works first hand at the SentinelOne booth (S-626)!


Spotlight Presentation | Debunking Common Myths About Cloud Security

When it comes to cybersecurity and the cloud, myths abound: “The cloud is inherently secure,” “Cloud ransomware only affects large organizations,” or “Cloud ransomware is easy to prevent.” Don’t get us started.

Two members of SentinelOne’s Field CISO team, Senior Director and Global Field CISO Milad Aslaner and Americas Field CISO and Associate Director Mani Keerthi Nagothu, busted the top ten myths we most often hear. At a theater presentation on the Expo floor, they dissected each of these misconceptions to clear the air and give attendees a clear understanding of the reality of cloud security. We have listed each of these myths and their realities below, but encourage any readers at RSAC to stop by SentinelOne’s booth, S-626, to chat in depth with any of our booth team members.

Here are those 10 myths busted:

  1. Myth: Security is the responsibility solely of the cloud service provider. Reality: Cloud security is a shared responsibility that organizations must also take part in.
  2. Myth: CWP can exist without a solid EDR foundation. Reality: Cloud EDR is critical because it provides real time threat detection and prevention.
  3. Myth: Everything required can be achieved with CWP. Reality: CWP is an integral part of a cloud security stack, but does not supersede other technologies like CIEM, CSPM, and data security.
  4. Myth: CSPM provides us a cloud security platform. Reality: CSPM is another integral part of a cloud security stack, but isn’t a security platform in itself and is no replacement for CWP.
  5. Myth: CSPM is XDR but for the cloud. Reality: XDR is a security platform. CSPM is not. However, XDR platforms will incorporate CSPM capabilities.
  6. Myth: CSPM and CWP combined is all I will need to secure my cloud instance. Reality: CSPM and CWP aren’t the only capabilities required in a cloud security stack. Organizations still need the ability to manage cloud identities and entitlements as well as securing their cloud data, network, and applications.
  7. Myth: CNAPP is the silver bullet that can cover my cloud security needs. Reality: CNAPP technologies can in theory consolidate CSPM, CWP, and CIEM capabilities into one platform, but not all CNAPP solutions are created equal. Organizations need to access the use cases and capabilities before rushing a decision.
  8. Myth: Data and network security is handled by the cloud service provider. Reality: Your data your responsibility; your network your responsibility.
  9. Myth: Automated response means loss of control. Reality: Some tasks can be automated, but keep the human in the loop to gain confidence
  10. Myth: More data yields better detections. Reality: Be strategic. Data lakes can lead to data swamps, data ingestion is hard, and data storage and transport is expensive.

The SentinelOne Booths | Where Innovation, Customer Experience, and Fun Come Together

For those of you who have seen the legendary S1 booth before, we brought it back for RSAC 2023! Our iconic neon purple tree has come to symbolize the intricate yet organized flow of data between all of cybersecurity spaces. From ceiling to floor, the tree shows the movement of data to and from various solutions into one powerful (and, in this case, stunning) platform.

Aside from this, what would a cybersecurity conference be without a little fun? The S1 team was proud to feature a second booth at RSAC (Booth 4417) where we featured our partnership with the Aston Martin Aramco Cognizant Formula One™ Team.

The Aston Martin F1 car, on display just around the corner, and team driver ambassador Jessica Hawkins just may have been the most photographed duo at RSAC. Conference goers posed in front of the car, and were excited to meet Jessica and test their own driving skills on our much-anticipated simulator. In line with SentinelOne’s mission to stay ahead, at least one competitor raced within two seconds of Jessica’s first time (although those results weren’t finalized as of press time!)



That’s a wrap on Day 2 activities, and we’re already looking forward to what Day 3 has in store. Be sure to drop by to see our epic booths yourself and chat with one of our security exports about our newest announcements and integrations. We’ll see you at Booth S-626, or Booth 4417 for a bit of “high-octane” fun!

Join SentinelOne @ RSAC 2023
Booth S-626 | April 24-27

Purple AI | Empowering Cybersecurity Analysts with AI-Driven Threat Hunting, Analysis & Response

SentinelOne is delighted to introduce Purple AI, a generative AI dedicated to threat-hunting, analysis and response. Purple AI uses a variety of models both open source and proprietary and aims to increase the organization’s efficiency by arming security analysts with an AI engine that can help identify, analyze and mitigate threats using conversational prompts and interactive dialog.

In this post, we explain how Purple AI will drive SOC team efficiency and efficacy in threat hunting, analysis and response and illustrate this powerful new feature with example use cases.

Threat Hunting Made Simple with Conversational AI

When it comes to threat hunting, building the right query to get effective results is not an easy task. It requires the analyst to understand what patterns to look for and be familiar with the query syntax at hand in order to translate a seemingly simple question into something the system can understand.

With Purple AI, analysts can now get rapid, accurate and detailed responses to any question, in any language, that otherwise would have required hours of research and multiple queries – not to mention years of analyst experience – to obtain an answer.

The Known Knowns

Purple AI allows threat hunters to ask questions about specific, known threats and get fast answers without needing to create manual queries around indicators of compromise.

For example, the analyst could use a prompt such as “Is my environment infected with SmoothOperator?”, or “Do I have any indicators of SmoothOperator on my endpoints?” to hunt for a specific named threat.

In response, Purple AI delivers a table of results along with context-aware insights based on the observed behavior and identified anomalies within the returned data. Suggested follow up questions and best next actions are also provided. In the case of the SmoothOperator example, a hunter might, for instance, receive the following summary:

Analysis of results shows that there are three endpoints with the SmoothOperator malware detected, all from the same company site. The data shows that the malware has infected both desktop and server endpoints. This indicates that there may be a larger-scale attack underway, and it is important to investigate further to determine the extent of the infection.

The data shows that the malware has been detected multiple times on some of the infected devices. For example, the malware has been detected twenty two times on the endpoint named “TheEnterprise”, where it was last observed a few hours ago. This suggests that the malware is persistent and that it has been active on the infected devices for some time.”

The hunter can then follow up with additional questions suggested by Purple or manually typed by the user, such as:

“Have there been any persistent events on the endpoint ‘TheEnterprise’?”

“Are there any known vulnerabilities on the affected machines?”

“Show me the users that are active on the affected machines, check their Okta data for successful logins and include the location where the logon happened.”

The system will then automatically return results, alongside a summary of the identified behavior and recommend the next best investigation questions and response actions.

In the examples above, the final question might have resulted in a suggestion to trigger one or more of a combination of actions like “clear user session”, “suspend user`s Okta account”, “force Password reset”, “network quarantine all affected endpoints”, “create a rule to notify users on similar activity identified on other endpoints”, “collect recent security logs from affected machines” and more.

With a single click of a button the analyst can then trigger one or multiple actions, while continuing the conversation and analysis with Purple.

Purple runs on every piece of information within the SentinelOne Security DataLake and enables one-click response via the various SentinelOne XDR integrations. Every question asked by the analyst is executed against the right source or a combination of sources behind the scenes, without the user needing to be familiar with the various data sources or the way their data is ingested. For instance, analysts may ask:

“Are there any ec2 instances running xmrig?”

“Are there any disconnected linux machines of type server or any kubernetes node in my network?”

The analyst can then trigger E/XDR actions like the following:

“Scan all affected EC2 instances, to confirm that no residual artifacts remain on any of the instances that were involved in the incident.”


“Add the detected coinminer software to the SentinelOne Blocklist, preventing it from being re-downloaded, or running on any other endpoints.”

The Unknown Unknowns

In other cases, however, threat hunters may not know what they are looking for. By leveraging the capabilities and speed of Purple AI to intelligently utilize internal and external resources, users can ask questions about suspicious activity they may have not been able to define themselves.

For instance, they might ask Purple AI to:

“Search for all instances of processes attempting to access sensitive data or files and investigate the source of these access attempts”


“Search for all command-line tools commonly used by attackers and investigate if they are being used in suspicious ways.”

Analysts can also leverage Purple to ask questions like “how can I identify X”? For instance:

“How do I look for a possible webshell?”


“How can I search for LOLBins?”

The above might seem simple, but without Purple AI, the task of translating vague terms like “sensitive data”, “commonly used” or “suspicious way” into patterns and then syntax of a query language that could return useful results is an extremely challenging  task.

Threat Analysis Made Simple

It is well-known that alert fatigue is one of the biggest challenges facing the modern security operations center (SOC). Most security teams receive more security alerts than they can possibly investigate and address. The issue is clear: the security problem is a data problem. Information only becomes knowledge once we apply meaningful linkages between multiple points of information, assembling the contextualized data into actionable results.

Purple AI, on top of its ability to help security teams ask complex threat hunting questions and run operational commands to manage the entire enterprise environment using natural language, also significantly simplifies the threat investigation process.

Purple’s understanding of ingested data as well as the cyber security domain allows it to quickly determine the chain of events and then to summarize a potentially complex situation to the analyst. The powerful combination of SentinelOne’s patented Storylines technology and Purple AI allows analysts to not only quickly find all events associated with a given activity but also get a summary of these events and their suspicion level in no time.

Within seconds, Purple will provide insights on the identified behavior alongside recommendations, thus reducing the need to manually analyze and stitch together diverse events into one contextual story. This vastly improves analysts’ efficiency, allowing them to investigate and triage a far greater number of alerts in significantly less time.

Purple AI In Action

Below is an example summary created for a threat identified by the SentinelOne Singularity platform.

Analysis of this event suggests that a potentially malicious activity occurred on the endpoint named “TheBorg” running on a Windows server in the SF East Bay Corp site. The suspicious activity was initiated by the “ResistanceIsFutile.exe” process, which is unsigned and located on the user’s desktop. This process started another process, “powershell.exe”, which is signed by Microsoft Windows and located in the SysWOW64 folder.

Notice that Purple AI first indicates whether any malicious activity had been seen and where. This is important for the analyst to understand how widespread the attack is. In this example, all malicious activity had been identified on a single site. The user can then choose to drill down further to get detailed analysis of the identified activity if required.

Purple next provides detailed analysis of the events, indicating the behaviors that made SentinelOne classify the behavior as malicious.

The PowerShell process executed a command to force a Group Policy update on all Active Directory computers in the “starfleet.corp” domain. This command had a high number of indicators associated with it, including 127 Reconnaissance indicators, 16 Evasion indicators, and 136 General indicators. The high number of indicators suggests that the PowerShell command may have been used for malicious purposes, such as gathering information about the network or attempting to evade detection.

In this case, a PowerShell process forced a group policy update, which triggered various indicators like Reconnaissance & Evasion. Purple then presents aggregations on the activity made by the suspicious process:

The PowerShell process also performed several file operations, including creating 4 files, modifying 11 files, and deleting 4 files. Additionally, the process made 6 DNS requests and established 15 outgoing network connections to the IP address on port 49667. The network connections were successful, and the event was classified as an “IP Connect” event with a repetition count of 2.

Purple will then move on to provide additional information on the entities associated with the malicious process, like users or files. Suspicious behaviors or attributes associated with these entities will be highlighted as well.

The user “STARFLEETjeanluc” was associated with both the “ResistanceIsFutile.exe” process and the PowerShell process. The PowerShell process had an unsigned active content file associated with it, which was located on an unknown device and file path. This further raises suspicion about the nature of the activity.

Finally, Purple summarizes the activity, highlighting the malicious entities involved, and provides a conclusion along with recommended next steps.

In conclusion, the event data suggests that the “ResistanceIsFutile.exe” process initiated a potentially malicious PowerShell command to force a Group Policy update on all Active Directory computers in the “starfleet.corp” domain. The high number of indicators, file operations, and network connections associated with the PowerShell process, as well as the unsigned active content file, indicate that this activity should be investigated further by cybersecurity analysts.”

Now in possession of an accurate analysis with a high level of detail, the analyst is rapidly able to copy and paste the insights generated by Purple into a threat analysis report, or initiate further mitigation and incident response steps.


Purple AI is an integrated generative AI that allows threat hunters and SOC team analysts to leverage the power of LLMs (large language models) from within the SentinelOne console to identify and respond to attacks faster and easier. Using natural language conversational prompts and responses, even less-experienced or resourced security teams can rapidly expose suspicious and malicious behaviors that hitherto were only possible to discover with highly-trained analysts dedicating many hours of effort.

Purple AI will be delivered as part of SentinelOne’s threat-hunting experience and is  available in limited preview today. Contact us for more information or to request a demo.

Day 1 From RSAC 2023 | The Future Starts Now, Together

San Francisco, are you ready for this year’s RSA Conference? The team at SentinelOne is excited to kick off RSAC 2023 and join our peers in the cybersecurity space for keynotes from industry-recognized experts, exclusive sessions, as well as training and demos.

RSA Conference, like years before, will connect cybersecurity leaders and defenders from across all industry verticals with transformative solutions. Be sure to check our daily posts covering all the details from each day of the event so you don’t miss out!

RSA 2023 | Stronger Together

This week, RSAC invites the community to build on each other’s diverse knowledge and foster breakthroughs in the cyber protection landscape. For the next four days, this year’s event centers around the theme, Stronger Together, focused on exchanging ideas, sharing stories of success, and examining areas where the community can join forces for collective safety.

SentinelOne Has Landed | Where to Find Us

We can’t wait to connect with everyone attending the event this year – come find us at Booth S-626 to chat with our team, get some next-level swag, and more.

A New Era | Combining Speed & Security Together

Whether it’s about facing every corner with hair-trigger reflexes or responding in real-time to advanced threats, speed means constantly learning, thinking, adjusting to whatever the environment calls for every second of everyday. That’s why SentinelOne is proud to empower organizations like the Aston Martin Aramco Cognizant Formula One™ Team with first-in-class cybersecurity protection.

Visit our F1 Booth 4417 to learn how SentinelOne’s Singularity XDR platform has revolutionized its approach to security to protect every Aston Martin cloud workload, IoT device, and endpoint with AI-powered technology that prevents and adapts to cyberattacks at machine speed.

Event Announcements & Highlights

We kick of RSA 2023 with a very special announcement: a first-of-its-kind integration of a generative AI-powered threat hunting tool within the SentinelOne management console. This will allow security teams to improve their productivity and uncover more threats. The integration of generative AI within the platform also simplifies threat hunting, allowing SOC teams to scale up their threat hunting efforts while reducing the level of skill needed by SOC team analysts.

On the first day of RSAC, join the SentinelOne team for the following sessions:

“This Is the Last of Them | Finding & Protecting Cloud VMs”

  • Speaker: Rick Bosworth
  • When: Monday, April 24 @ 5:20PM

Do you know what cloud computer instances are hiding in your hybrid-cloud infrastructure? Once they are found, how do you protect them from runtime threats like ransomware, cryptojacking, memory injection, and more? Join SentinelOne’s Director of Product Marketing, Rick Bosworth, to discuss how to automatically discover the lost sheep amongst your cloud virtual machines (VMs) so you can bring them back into your field of vision.

“Debunking Common Myths About Cloud Security”

  • Speakers: Milad Aslaner & Mani Keerthi Nagothu
  • When: Monday, April 24 @ 5:40PM

Everyone is talking about the cloud, but what do we really need to protect? There is a lot of buzz around AI-powered cloud protection and many other different technologies like cloud workload protection, but none of these alone are enough to help organizations truly understand what they need. Join SentinelOne’s Senior Director of Global Field CISO, Milad Aslaner and CISO Associate Director, Mani Keerthi Nagothu, in a session discussing the threat landscape, real-world cloud-centric attacks, and how to demystify the various cloud security technologies and how they really work together.

“Clearing Up the ITDR Confusion”

  • Speaker: Joseph Salazar
  • When: Monday, April 24 @ 6:20PM

Identity Threat Detection and Response (ITDR) is a relatively new area of security that focuses on securing identities and identity management systems, but there seems to be a confusion as to what it actually is. Many vendors claim to offer ITDR solutions but only focus on IAM tools and don’t provide detection or response capabilities. At this session, join SentinelOne’s Technical Marketing Engineer, Joseph Salazar,  to learn what ITDR really is and how it can help accelerate security within your organization.

Register Now! | The SentinelOne FOMO After Party

After a full day of bumping shoulders with the top security partners in the cyber community, spend an evening bumping to the beats of multi-Grammy award nominated Kaskade at the 2023 RSAC FOMO after party!

Limited tickets are available so be sure to register now and join the waitlist today! SentinelOne is proud to host this exclusive networking event featuring live entertainment, specialty cocktails, and gourmet snacks.

The Future Starts Now | Securing the Best at RSA 2023

This year’s RSAC will no doubt be filled with exciting announcements! Be sure to schedule an in-person meeting with us before the week is out and come by our booth (S-626) to become a part of the movement set on moving cybersecurity forward, together.

Join SentinelOne @ RSAC 2023
Booth S-626 | April 24-27

The Good, the Bad and the Ugly in Cybersecurity – Week 16

Time to Patch | Google Issues Warnings for the First Two Zero-Day Vulnerabilities of 2023

Google has released emergency patches for two high-severity zero-day vulnerabilities affecting Chrome, CVE-2023-2136 and CVE-2023-2033, with the latter being actively exploited in the wild. Google is currently restricting access to further details until a majority of Chrome’s 3 billion users have applied the fix.

CVE-2023-2136 targets an integer overflow in Google’s Skia used in Chrome, allowing a remote attacker to perform a sandbox escape via a crafted HTML page if they compromised the renderer process. CVE-2023-2033 is a vulnerability targeting a confusion weakness in the Chrome V8 JavaScript engine. This type of flaw allows attackers to trigger browser crashes through reading or writing memory out-of-buffer bounds. It could also be exploited to run arbitrary code on vulnerable devices.

The latest version of the browser, v112.0.5615.137/138, includes a total of eight fixes. Currently, the stable release covers Windows and Macs and a rollout for Linux is scheduled to arrive in the coming days.

Data Exfiltration | Vice Society Ransomware Gang Uses New Stealthy PowerShell Tool

Notorious ransomware group, Vice Society, has been exercising a ‘rather sophisticated’ PowerShell script to automate data theft from compromised networks. The new tool employs living-off-the-land binaries and scripts (LOLBAS) designed to sidestep alarms from security software used by the targeted party so they can reach the encryption phase of the attack.

Researchers first observed this tool earlier this year when Vice Society began using a script named w1.ps1 referenced in a Script Block Logging event to exfiltrate data from a victim’s network. The script automates the data exfiltration process through multiple functions to identify vulnerable directories where data can be exfiltrated via HTTP POST requests to Vice Society’s servers.

Overview of the script’s functions (Source: Unit 42)

Threat actors often leverage stolen corporate and customer data to extort a higher ransom from their victims and resell to other criminals for additional profit. Vice Society’s newest script allows them to operate stealthily and keep their footprint small – all signs of further evolution since debuting their new file encryptor, PolyVice, back in December 2022.

Critical RCE Flaws | Sandbox Escape PoCs Available for VM2 JavaScript Library

Three recent sandbox escape proof-of-concept (POC) exploits have been released, all enabling attackers to execute malicious code on hosts running VM2. A specialized JavaScript sandbox, VM2 is commonly used by pen-testing frameworks and code editors to run and test untrusted code in isolation. All three flaws have been assigned a critical scoring of 9.8.

CVE-2023-29017 describes a case where VM2 does not properly handle host objects passed to Error.prepareStackTrace during unhandled async errors. Using this, attackers could gain remote code execution rights. CVE-2023-29199 affects VM2’s source code transformer. If exploited, it allows attackers to bypass sandbox protections and gain remote code execution rights on the host running the sandbox. CVE-2023-30547 prevents the handleException() function from sanitizing exceptions discovered in the sandbox. By escaping these sandbox restrictions, attackers can perform arbitrary code execution in the host and potentially set up severe cyberattacks.

VM2 strongly recommends all users and developers using the VM2 library to upgrade to version 3.9.17 to address the security flaws.

LockBit Ransomware | New & Incomplete Samples of macOS Variant Surface

Researchers this week revealed details of a LockBit ransomware sample compiled for Apple’s macOS arm64 architecture. As of now, there are no reports of LockBit for Mac being exploited in the wild, nor any associated distribution method.

The discovered samples use “test” as a hardcoded password for execution, inviting speculation that the threat remains in its development stages. Researchers found that the Mac variant is a direct descendant of the Linux version, recycling much of the same code. Further, the Mac variant does not appear to be capable of exfiltrating the data it locks and has not been shown to have any method of persistence.

A breakdown of the variant shows that there is yet to be a credible threat to Mac endpoints at this time. Though the samples are underdeveloped, a LockBit spokesperson has said development of a Mac ransomware payload is an active project, raising concerns that more effective payloads targeting Apple Mac devices may be not far over the horizon.

Operation DreamJob | Tools Found in Linux Malware Found Tied to 3CX Supply Chain Attack

Operation DreamJob, a long-running campaign led by Lazarus group, has been observed targeting Linux for the first time this week. Using social engineering tactics to target job searchers on various platforms, victims are tricked into downloading malicious files disguised as files containing job opportunities.

After dropping malware on the victim’s device, a ZIP containing a Go-written Linux library is distributed masquerading as a PDF file, prompting victims to double click and launch the “OdicLoader” malware. A second-stage, C++ backdoor called SimplexTea is then launched.

Illustration of probable chain of compromise (Source: Welive Security)

The use of this backdoor and other common artifacts have resulted in researchers linking Operation DreamJob to Smooth Operator – the recent supply chain attack against VoIP provider, 3CX. The attack on 3CX has garnered major attention from the cyber defense community over the past four weeks; the most severe in the growing trend of supply chain attacks.

This Linux-based malware attack attributed to Lazarus is evidence of how threat actors are continuing to grow their arsenal and tactics, expanding their malware variants to target more systems than before.

Avoiding the Storm | How to Protect Cloud Infrastructure from Insider Threats

One of the most significant security threats to cloud infrastructure is insider threats. As more businesses move to cloud and hybrid environments, employees sending sensitive data to unsecured or misconfigured clouds risk exposing their organization to advanced cyber threats and opportunistic attackers.

The importance of cloud infrastructure to businesses of all sizes along with the privileged access that insiders often have mean that mitigating the risk of insider threats is now high on the list of priorities for mature security teams. In this post, we describe and explore best practices that security teams can implement to safeguard cloud infrastructures from insider threats.

Why Are Insiders Considered a Main Risk to Cloud?

Whether out of negligence or presenting malicious intent, insider threats pose a serious risk to cloud security as they are harder to detect and respond to. Since they are already part of the organization, they are considered ‘trusted’. Unlike an external intruder, insiders do not have to breach external security measures to access sensitive assets.

Insider risks can stem from a great many reasons. Malicious insiders, for example, may be motivated to do harm to a system in return for a bribe or in retaliation for a perceived slight. Their goals can range from intentional data theft, data destruction, espionage, or personal benefit.  Since malicious insiders have the benefit of time, they are able to study the system and craft a serious attack based on specific weak points in the infrastructure they are privy to.

In Ponemon’s most recent research on Insider Threats, the findings reveal that both negligent and malicious insider risks as well as credential theft have grown 44% in the last two years alone. Incidents involving compromised users have since racked up costs amounting to over $15 million dollars globally.

In many of these incidents, cloud infrastructures have been the main target with Ponemon’s report indicating that 52% of enterprises name cloud security as one of their greatest risks.

The following best practices can help security teams to mitigate these risks.

1. Implement Least Privilege Access Control

Defending against insider threats is a persistent challenge that requires continuous monitoring. One of the key ways to defend sensitive data and systems is to limit the number of users who have access to it as well as the permissions they have whilst exercising that access. To minimize the access of potential insider risk, enterprises can implement the principle of least privilege (PoLP).

The principle of least privilege is a security concept that states that every user, program, or system component should only have access to the resources they need to perform their function and no more. This works to minimize the potential damage that can happen as a result of a security breach or a misconfiguration.

The idea behind the principle of least privilege is that by limiting access to resources, the attack surface is reduced. By limiting the resources that a user or program can access, it makes it more difficult for attackers to gain access to sensitive information. For example, a user who only needs to read files in a specific directory should not have write access to that directory. Similarly, a program that only needs to access certain system files should not have access to other parts of the system.

2. Conduct Regular Security Awareness Training

An uncomfortable fact is that sometimes, insider behavior is carried out unknowingly by a negligent or untrained legitimate user. The Ponemon report cited 56% of incidents related to negligence in comparison to the 26% related to criminal insiders. This makes negligence a root cause in most cybersecurity incidents and varies anywhere from unsecured devices, unprotected passwords, not following their organization’s security policies, or forgetting to patch or upgrade their software.

Unintentional insider threats can arise from the smallest of actions, such as clicking on malicious links or sharing sensitive information with unauthorized individuals. Enterprise leaders can combat this type of insider threat by implementing regular and accessible security awareness training and fostering a culture of good cyber hygiene. Employees who are trained on how to recognize the signs and consequences of insider risks can help prevent them from occurring in the first place. Security awareness training programs often cover a wide range of topics including phishing, password hygiene, social engineering recognition, and how to correctly report anomalous behavior they see.

3. Use Behavioral Analytics

Behavioral analytics can be a powerful tool for security teams working to mitigate insider risks in their cloud environments. By measuring real-time behaviors against a predetermined state of normalcy, analytics can help raise a red flag on any anomalies that may indicate potential malicious activity.

For instance, behavioral analytics can monitor user activities such as login times, locations, and access patterns to detect any suspicious changes or deviations from their normal behavior. It can also detect attempts to access unauthorized resources, perform unauthorized actions, or exfiltrate data.

Behavioral analytics is instrumental to how security teams streamline their hunt for potential insider threats. The more time is saved during that crucial hunting stage, the more effective the response can be in stopping incidents from becoming full-blown security crises. Even in post-event processes, behavioral analytics provides valuable insights into the motivations and patterns of insider threats, helping teams to develop or improve their existing security policies and procedures. Learning from the analytic is often a strong foundation upon which training programs can be created.

4. Implement DSPM (Data Security Posture Management)

Planning the security of business-critical data requires a comprehensive approach to data security and privacy. Implementing data security posture management (DSPM) can help enterprises manage their data access and prevent data leakage by implementing policies and controls to protect sensitive data from unauthorized access, sharing, and exfiltration.

In cloud infrastructures, DSPM is designed to help prevent insider threats by detecting and blocking attempts to transmit sensitive data outside the infrastructure. It works by:

  • Controlling Access – DSPM can help enforce access control policies, ensuring that only authorized users have access to sensitive data. This can include implementing role-based access controls, multi-factor authentication, and other access management controls.
  • Classifying Data – DSPM can help classify data based on its sensitivity level and apply appropriate security controls to protect it. This can include encryption, data masking, and data loss prevention (DLP) technologies.
  • Monitoring & Logging – DSPM solutions can monitor and log all data access and usage, enabling security teams to detect any suspicious activity in real-time. This can include monitoring access patterns, data transfers, and other user activities.
  • Supporting Incident Response – DSPM can help organizations respond to security incidents quickly and effectively. This can include automated incident response workflows, as well as real-time alerts and notifications to security teams.

5. Conduct Regular Audits

Prolong the effectiveness of access control policies through regular audits. Security teams can effectively nip suspicion behavior in the bud when they are able to identify potential insider threats in their earliest stages. Audits should be conducted on a regular basis and cover all areas of the cloud infrastructure, including access controls, user activity, and data transmission.

Scheduling regular audits allow teams to detect subtle anomalies in user behavior and cloud infrastructure activity such as usual file sharing, copying, or deletions. Uncovering security gaps and vulnerabilities that a malicious insider could exploit is often the first step in improving security policies and processes and building a cycle of continuous improvement.


As cloud computing is adopted across all major industry verticals, security leaders are looking at the bigger picture of cloud-centric cyber risks across all possible attack surfaces – endpoint, identity, and network – to protect against both external and internal threats.

Since protecting a cloud infrastructure from insider threats requires a multi-faceted approach, leaders will rely on cloud-focused security solutions that can combine autonomous threat hunting, endpoint detection and response capability, and AI or machine-powered analytics to support all areas of cloud security.

SentinelOne is here to help enterprise leaders bolster their cloud defense strategies with least privilege access control, behavioral analytics, data loss prevention, and cloud workload protection. Contact us or request a demo to see how SentinelOne’s Singularity™ for Cloud leverages machine learning to provide detection, response, and threat hunting across user endpoints, containers, cloud workloads, and IoT devices.

Singularity Cloud
Simplifying security of cloud VMs and containers, no matter their location, for maximum agility, security, and compliance.