How SentinelOne Delivers Results, Not Noise | MITRE Managed Services Engenuity ATT&CK® Evaluations

Organizations are faced with an increasingly sophisticated, constantly evolving threat landscape and limited resources to protect their environments. To keep up, many businesses count on the 24/7 hands-on expertise provided by managed detection and response (MDR) services.

SentinelOne has once again demonstrated industry-leading real world performance in the latest independent MITRE ATT&CK® Evaluation of managed security service (MSS) providers. The attack scenario in this year’s test highlights the importance of speed, visibility, and reduced noise; with SentinelOne’s Vigilance MDR+DFIR delivering:

  • 100% detection of major attack steps – 15 out of 15 steps identified, investigated, and reported
  • Best signal-to-noise ratio amongst top performers – Providing clear and actionable analysis and not a flood of automated alerts
  • Optimal Mean-Time-to-Detect and Mean-Time-to-Escalate – SentinelOne’s autonomous, AI-powered Singularity Platform balances speed and accuracy to ensure organizations stay ahead of attacks
  • Enriched reporting – Our final incident report was recognized by MITRE for enrichment with contextual analysis – including a key timeline of events, a detailed technical analysis, and clear, actionable recommendations to reduce the likelihood of incident recurrence

These results clearly illustrate how SentinelOne’s Singularity Platform, combined with its Vigilance MDR + DFIR services, provide the most comprehensive, thorough, and efficient real-world protection against sophisticated attacks for every organization.

Measuring Real-World Protection | Understanding MITRE Enginuity’s ATT&CK Evals MSS Round 2

This year’s evaluation emulated the adversary behavior of menuPass (G0045) and an ALPHV/BlackCat ransomware affiliate. Prevention and remediation were not in scope of the evaluation. menuPass (aka APT10) has been active since at least 2006 and is believed to be sponsored by the Chinese Ministry of State Security. The group focuses on the exfiltration of sensitive data such as intellectual property and business intelligence in support of Chinese national security objectives. ALPHV/BlackCat, a prolific Russian-speaking RaaS group that emerged in 2021, is linked to BlackMatter, DarkSide, REvil, and other RaaS groups. ALPHV/BlackCat utilizes ransomware coded in Rust, allowing for enhanced performance, flexibility, and cross-platform capabilities.

SentinelOne has participated in more comprehensive MITRE evaluations than any other cybersecurity leader as the only XDR provider to participate in all ATT&CK Enterprise Evaluations, the Deception evaluation, and the inaugural Managed Services evaluation.

SentinelOne Cuts Through the Noise to Deliver Expert Managed Detection & Response with Speed and Accuracy

It is estimated that security teams receive more than 1,000 events, alerts, or incidents per day, with more than half of these going uninvestigated. While visibility is critical to identifying and understanding threats, it can also lead to information paralysis and alert fatigue. As stated in the MITRE Enterprise Evaluation Round 5: “100% visibility” is not always a positive. AI and automation become critical in ensuring the right information gets to the right hands quickly and with context.

Managed Detection and Response bridges this gap by performing 24/7 detection, investigation, and mitigation of all attacker activity, summarizing incident scope, impact, and recommending critical next steps and actions to the customer.

This combination of machine and human intelligence makes the Autonomous SOC a reality, mitigating and remediating at cloud scale to stay ahead of attackers while escalating only the most critical incidents for attention. This allows analysts to stay focused on what matters most. SentinelOne’s MDR team fully resolves more than 99% of all threats without requiring an escalation to the customer. As evident in the table below, many vendors bombard analysts with notifications and alerts, as many as 8 or more per unique attacker action. Security teams need to spend their time responding to critical notifications, not creating mail rules.

Vendor ranked from least to most noise generated

Mean Time To Detect | The Power of the AI-powered Singularity Platform

Not all detections are created equal. It is important to note there is a significant material difference between Mean-Time-To-Detect (MTTD) and Mean-Time-To-Escalation (MTTE), though the MITRE Evaluation does not differentiate between the two.

The Singularity Platform detects and blocks threats in near real-time; often sub-second or within seconds. Components of the platform were turned off to allow the MITRE test to run, yet every major attack step was still detected and presented to MDR experts within an average of 3.3 minutes.

Only the most critical alerts, or those requiring human intervention or approval, are escalated after careful investigation. The time between the detection of the activity (first alert) and the escalation to the customer is known as MTTE.

Mean Time To Escalate | Balancing Accuracy & Speed

Once alerted by The Platform, our MDR analysts conduct their expert analysis, filtering out unrelated activity, correlating multiple data points, and in cases of actual incidents, performing containment and mitigation actions – all before escalating to the customer. During the evaluation, SentinelOne’s MDR experts achieved an incredible 47 min Mean-Time-To-Escalate (MTTE)*, ensuring that within 50 minutes of each major stage of the attack, the customer was presented with a single clear summary of the activity identified and the response actions that either should be or have already been taken on their behalf.

This final escalation to the customer is the last stage in the response process – not the first. Extremely low MTTD results (especially when combined with a low signal to noise ratio) should be a red flag for customers seeking MDR services. Short time frames imply a lack of expert analysis, investigation and response; meanwhile, rapid auto-notifications at high volume only creates additional noise for customers to sort through.

*Note: MITRE reports the time each vendor took to notify the customer about every stage of the attack as “Mean Time to Detect”. SentinelOne provides our customers with both Mean-Time-to-Detect (MTTD) on the Singularity Platform and Mean-Time-to-Escalate (MTTE) from our MDR team.

In Real-World Scenarios, Noise to Signal Matters

MDR services are trusted partners for security teams and their real value lies in turning signal noise into actionable insights. SentinelOne’s MDR+DFIR teams: 

  • Triage and investigate all suspicious activity on behalf of customers;
  • Filter out false positives;
  • Investigate the scope and impact of malicious activity;
  • Escalate only the incidents that matter most for the customer’s business (see figure 1); and
  • Provide clear, actionable updates until the incident is contained and remediated (see figure 2 for example notification).
Figure 1: Original incident notification sent to the customer

SentinelOne’s performance in this evaluation shows that our team of analysts and threat hunters identified and investigated all major steps of the attack, filtering out unrelated alerts and unnecessary details, and providing our customer with detailed, actionable updates and guidance.

Figure 2: Timeline of key events provided as part of a daily incident summary
Figure 2: Timeline of key events provided as part of a daily incident summary

At the conclusion of the incident, our team delivered a detailed and comprehensive incident report, including a full view of the scope and impact of the attack (figure 3) and detailed technical analysis (figure 4).

Figure 3: Diagram from the final incident report, summarizing the attack activity across 14 impacted hosts and 8 user accounts
Figure 3: Diagram from the final incident report, summarizing the attack activity across 14 impacted hosts and 8 user accounts
Figure 4: Reverse engineering performed by the SentinelOne team to fully document the behavior of one of the Remote Access Tools used during the simulation

A Team of Skilled Experts Augmented by Powerful Technology

At SentinelOne, we prioritize real-world protection for our customers, combining our autonomous, AI-powered Singularity Platform with a global team of MDR analysts, investigators, and threat hunters to cut through the noise and take proactive mitigation actions to prevent attacks. Together, our machine and human intelligence enable us to continue our leading performance in ATT&CK Evaluations based on real-world protection and results. This latest evaluation proves how we deliver on what customers need in an MDR provider and why leading partners and organizations of all sizes choose the Singularity Platform to autonomously detect and prevent threats and achieve complete enterprise protection.

We encourage buyers to continue to lean on third-party evaluations such as MITRE Engenuity to assess the best fit for their organizations. Dive deeper into SentinelOne’s leading performance over five years of MITRE Engenuity ATT&CK evaluations here. To join the ranks of other customers who have gained peace of mind and simplified their security with SentinelOne’s MDR services, learn more about Vigilance Respond Pro.

Vigilance Respond Pro
Vigilance Respond Pro extends the fastest MDR on the planet with world-class investigation and response.

PinnacleOne ExecBrief | Deep Tech In The Crosshairs

Last week, PinnacleOne highlighted how a new turn of phrase by China’s leader will spark efforts across the country to make scientific breakthroughs occur out of thin air (or steal them from the west).

This week, we flag three emerging threats to the “deep tech” venture ecosystem underpinning western technological and strategic advantage.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Deep Tech in The Crosshairs

Throughout the 20th century, most strategic technologies were incubated or directly invented by the Federal Government or by contractors and academic institutions under its protective umbrella. Not anymore.

Now, many cutting edge technologies of strategic and foundational importance (in AI, robotics, quantum, biotech, space, materials, and new energy) are spawned in a diffuse private ecosystem. Instead of well-resourced government programs of the 1950s-1990s, small teams of founder scientists and engineers convince “deep tech” venture capitalists they have caught lightning in a bottle. In venture capital jargon, “deep tech” signals that a company’s business model relies on significant advances in science and technology. Adversaries and cybercriminals are also catching on. We see them aggressively targeting these startups for their post-funding round cash, critical IP, proprietary R&D, and talented expertise.

Pre-IPO deep tech firms and their VC backers now face a fundamentally different threat environment than those of decades past. Decisions made now to protect themselves are critical not only to future investment rounds and successful exits, but also for the technological advantage of western liberal democracies confronting an acute and aggressive authoritarian challenge.

Those working in the cutthroat trenches of venture capital or the worktop benches of a deep tech startup understand risk. It is the essential premise of the outsized returns that motivate their high pressure endeavors, where failure is the baseline expectation. However, there are three emerging risks that are not currently priced into most venture valuation models: Criminals, China, and Co-Opters.

Criminals

“[VOWELLESS] startup today announces a $15M Series A funding round led by [blue chip VC firm] with participation by [Sand Hill Road standbys…]”. Such a headline tells a certain cohort of aggressive cybercriminals that this specific company (whose infosec staff is so small they can probably share an appetizer) now has millions in the bank and a cohort of deep-pocketed investors deeply motivated to make any incident quickly and quietly go away.

All it takes is a willingness to commit crimes, teenage hubris, some googling, off-the-shelf ransomware tools, and maybe some AI-assisted social engineering and presto… payday. The thing about such targeting trends among cybercriminals is that a successful tactic spawns imitators and what may now be a very quiet and limited circle of victims could expand quickly. The lack of headlines on this issue is likely a result of incentives to keep things secret, not an evidence of absence.

China

President Xi has given marching orders to his scientific, economic, and security bureaucracies to seize the “commanding heights” of technology development and make China into the “World’s Primary Center for Science and High Ground for Innovation.” Xi aims to leap ahead to the frontier of emerging technologies he sees driving a “S&T and industrial revolution” and critical to the “new quality productive forces” that will accrue strategic advantage to those nations in the lead position.

In Xi’s words, “creative breakthroughs in areas such as information technology, life sciences, manufacturing, energy, space, and maritime are supplying ever more wellsprings of innovation for cutting-edge and disruptive technologies…and S&T have never before so profoundly influenced the future and fate of nations.”

As described in a previous post on China’s hacking ecosystem, this top-level strategic demand signal drives an all-of-government (and commercial) effort to acquire (by any and all means, overt or not) the West’s technical crown jewels, many of which are being cut and polished by small startups in Silicon Valley and the “Gundo”.

For example, while it’s very cool to develop a breakthrough jet engine that could change the economics of space launch, posting your workshop location and part designs, and identifying key personnel roles along with your seed funding and backers is likely to invite unwarranted attention. We understand the important function hype and in-group social visibility play in early-stage venture success, but Lockheed engineers don’t post on X from their secret commuter plane flying into the Nevada desert for a reason.

If you want to play in the critical tech big leagues – or invest in it – and overtly signal the strategic value of your R&D, understand that your threat model isn’t that of a standard SaaS startup. If you claim your technology to have a strategic impact on competition between nations, expect strategic APTs.

Co-Opters

China isn’t the only nation looking to capture the frontier of these emerging technologies. The UAE and Saudi Arabia have lofty ambitions of their own, as we detailed in our earlier post on the new digital great game in the Middle East. While political “decoupling” has severed many of the (direct) venture links between China and the U.S., the western VC ecosystem has now “recoupled” to these deep-pocketed Gulf powers.

The private jets landing in Riyadh, Abu Dhabi, and Dubai over the last two years include a veritable who’s-who of leading deep tech VC players. It is hard to pass up on a nine or ten figure check from a sovereign wealth fund or royal UHNWI (ultra-high net-worth individual), even if the conditions require they be made sole limited partners of standalone funds, maybe at the expense of existing domestic limited partners (LPs).

These domestic LPs tend to be pension funds, family offices, endowments and other wealthy entities with no objective other than maximizing financial returns. But there is a key difference. These new Emirati and Saudi LPs are deploying state capital with a different objective: to scout, nurture, and accelerate critical technologies they intend to co-opt for their own national advantage, in line with their national strategic visions and economic innovation plans.

We are aware that some of these LPs receive detailed non-public reports on their investments, including not only the value of fund portcos, but closely-held R&D strategies, key hires, product roadmaps, high value customers and planned partnerships (which may include the U.S. and allied governments), technical dead-ends and imminent breakthroughs. This information is an S&T intelligence targeting officer’s dream and would provide a critical advantage to adversary aligned competitors looking to fast-follow western tech firms exploring the difficult and capital-intense scientific frontier.

We are also aware of firms leading in strategic and scientifically prized technology domains being “encouraged” by their Gulf backers to set up domestic R&D teams co-located at national universities where Chinese researchers just happen to be lab neighbors working on very similar projects. This is a remarkable coincidence to say the least.

The self-serving argument, for now, is that this is a win-win marriage of convenience between Gulf capital and Western venture, and that while the money buys some influence, the fundamental advantage and leverage remains where the brains and tech come together. This may be the case at the moment, but the trend of structural deep tech venture dependence on Gulf capital seems to be only going one way. The nature of addiction is that each hit can be justified in the moment, even if one knows it is ultimately self-destructive.

Risk-Return

Deep Tech seed investments typically have a longer horizon for return than B2B products or SaaS apps and rely disproportionately on the talents and insights of a small team of highly technical founders (often scientists and engineers). Additionally, the path to growth (especially in military, intelligence, and adjacent dual-use application spaces) often weaves through government programs or related defense technical primes that buffer the “valley of death” between prototype and product-market fit. This exposes such startups and their VC backers to more “key man” and “loss of competitive edge” risk than typical software ventures that rely less on a scientific edge than on sales, partnerships, and platform scaling strategies.

The standard practice of USG-affiliated deep tech venture activities like the Defense Innovation Unit, In-Q-Tel, as well as the venture arms of major defense and intelligence contractors (like Booz Allen Hamilton, Lockheed, etc.) has been to scout and quickly incorporate leading edge tech under their protective umbrella (experienced as they are with managing sensitive R&D programs at acute risk of adversary compromise). In some cases, truly disruptive startups are known to “disappear”, their technology tucked behind the classification curtain, and their patents classified.

Such protections are now the exception, not the rule, for the breakthrough technologies emerging from the U.S.’s venture engine of innovation. In most cases, their teams, tech, and tools are in full public view, if not aggressively hyped as the foundation for strategic national advantage. It is high time these firms and their funders wake up to the fact that they are squarely in the crosshairs, before this advantage bleeds away to illiberal authoritarians and U.S. adversaries.

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.

The Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as he tried to board a flight to Italy.

A still frame from a video released by the Spanish national police shows Tylerb in custody at the airport.

“He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point he controlled Bitcoins worth $27 million.”

The cybercrime-focused Twitter/X account vx-underground said the U.K. man arrested was a SIM-swapper who went by the alias “Tyler.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

“He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang implicated in costly data ransom attacks at MGM and Caesars casinos in Las Vegas last year.

Sources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

In January 2024, U.S. authorities arrested another alleged Scattered Spider member — 19-year-old Noah Michael Urban of Palm Coast, Fla. — and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob,” and is believed to be part of the same crew that hacked Twilio and a slew of other companies in 2022.

Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as “The Com,” wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.

0KTAPUS

In August 2022, KrebsOnSecurity wrote about peering inside the data harvested in a months-long cybercrime campaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major corporations. The security firm Group-IB dubbed the gang by a different name — 0ktapus, a nod to how the criminal group phished employees for credentials.

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

These phishing attacks used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites also featured a hidden Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then pivoted, using their access to Twilio to attack at least 163 of its customers.

A Scattered Spider phishing lure sent to Twilio employees.

Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.

Also in August 2022, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.

However, on November 30, 2022 LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against an engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

TURF WARS

Sosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have been known to settle scores by turning to so-called “violence-as-a-service” offerings on cybercrime channels, wherein people can be hired to perform a variety geographically-specific “in real life” jobs, such as bricking windows, slashing car tires, or even home invasions.

In 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban’s parents in Sanford, Fl.

January’s story on Sosa noted that a junior member of his crew named “Foreshadow” was kidnapped, beaten and held for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life (Foreshadow escaped further harm in that incident).

According to several SIM-swapping channels on Telegram where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

KrebsOnSecurity sought comment from Mr. Buchanan, and will update this story in the event he responds.

Building a Defense Posture | Top 5 Cybersecurity Tips For Small & Medium Businesses (SMBs)

Verizon’s annual Data Breach Investigations Report has historically compared and contrasted small and medium businesses (SMB) against large organizations. Not this year. The reason: Both SMBs and large enterprises are increasingly sharing similar attack surfaces. With much of the same services and infrastructures, the difference between the two boils down to the available resources.

Where larger companies may have entire teams of cybersecurity analysts or full-fledged security operation centers (SOCs), many SMBs rely on a single IT person to manage their security. Or, companies may outsource cybersecurity to managed service providers (MSPs) who may not yet have the required skills or services in place to plan, build out, and manage a full cyber program.

In this blog post, we examine the most common types of cybersecurity threats SMBs face today and share a list of top 5 cybersecurity tips that SMBs can follow to start building a more robust cyber posture against modern threats.

Types of Cybersecurity Threats for Small Businesses

In a 2023 Data Breach Investigations Report, researchers found that the top patterns of cybersecurity threats for small businesses (less than 1,000 employees) were system intrusion, social engineering, and basic web application attacks – representing 92% of breaches. Several types of attacks including, phishing, malware, watering hole attacks, and drive-by downloads drive these categories of threats.

Phishing

Phishing attacks continue to grow year-over-year and remain one of the main methods threat actors use to gain entry into their victims’ systems alongside vulnerability exploitation and stolen credentials.

A phishing attack is launched when a threat actors poses as a legitimate entity to lure individuals into providing sensitive data or launching malicious files. Phishing scams are both common and growing increasingly convincing with the help of generative AI tools like ChatGPT. Where spelling errors and odd tone of voice were once a main tip-off, AI-crafted content makes it harder to decipher legitimacy. This leads to the sharing of credit card information, bank account numbers, login credentials, and other sensitive data – all gateway data to the lifeblood of SMBs.

Malware

Malware is the overarching term for malicious software of any kind. It is the software, script, or code that performs an attack on your system against the owner’s consent. Attackers disseminate malware through various vectors, including websites, files, phishing and drive-by downloads.

Watering Holes

Watering hole attacks compromise users by infecting websites they frequent. Once cyber criminals lure people to the website, they infect their computer with malware. Attackers first work to identify and research the websites that their targeted users like to visit frequently, looking for clues to common interests and online habits. Attackers then inject malicious code via vulnerabilities found in the website’s code or server. When the targeted users access the website, malware is installed on the user’s device which can lead to unauthorized access to their organization’s network and valuable data.

Drive-By Downloads

Drive-by downloads can be particularly frustrating as the attack doesn’t always require user interaction. When a person visits a website, an unintentional download of malicious code happens without any interaction (e.g. clicking or taking an action on the site), implanting it on the victim’s computer or mobile device. Once on the endpoint, it can hijack the device, spy on activity, exfiltrate data, or disable the device entirely.

Why Do Small Businesses Need Cybersecurity?

According to the U.S. Small Business Association, “surveys have shown that the majority of small business owners feel their businesses are vulnerable to a cyberattack.” A Small Business Index report for Q1 2024 from the U.S. Chamber of Commerce stated that 27% of small businesses reported that they were one disaster or threat away from shutting down their business. The margins for small businesses are razor thin, making cybersecurity controls a top priority.

The damage can also go beyond small businesses. Since cybercriminals know that smaller businesses are often part of the same digital supply chain as larger companies, SMBs can be seen as the less protected entry point to a larger corporation’s network for double the profit. The good news is, there have never been more resources to help small businesses put protections in place.

Cybercriminals assume that small businesses have limited resources and time and weaker security measures, making them easier to crack than enterprises. Not only are SMBs a target, but bad actors are using more sophisticated and widespread attacks that easily thwart common security practices such as traditional antivirus software.

The Impact of a Cyberattack on Small and Midsize Businesses (SMBs)

Small and midsize businesses are an essential part of the economy, and require the same protection as large enterprises at scale. When attacks hit, costs can be far-reaching. Some of the costs post-attack may include, but are not limited to:

  • Mitigating damages and repairs
  • Paying ransoms (even though this is not recommended)
  • Supplying free credit monitoring to affected clients
  • Paying fines/penalties (applicable to businesses in regulated industries) and managing lawsuits
  • Hiring outside help from security consultants, lawyers, risk management and public relations consultants
  • Downtime and loss of productivity both in the short and long term
  • Losing potential new and existing business due of reputational damage and loss of trust
  • Increased cyber insurance premiums, which add to operational costs

5 Essential Cybersecurity Tips for Small Businesses

Cybersecurity tips for small businesses should be actionable, not overwhelming. This checklist rounds up the top ways to strengthen SMB defenses against cyberattacks. While cybersecurity can be expensive, these tips come at little to no cost.

1. Conduct Regular Software and Patch Updates

The two main ways to protect against software vulnerabilities are routine and timely patches and updates. While commonly confused, these are two distinct processes.

Software patching – Software developers release small updates that fix specific issues or vulnerabilities within a program. These can address known security flaws, bugs, or any other issues that users or developers have found since the initial release of the software.

Software updates – This is what you may be more familiar with from the automatic updates pushed to your laptops and PCs. Released on a specific schedule such as monthly or quarterly, these improvements provide a set of changes to the software.

2. Implement Cybersecurity Training for Employees

Cybersecurity is the responsibility of all employees within an organization, regardless of its size. Regular training programs and courses can teach employees of all levels how to identify, mitigate, and report security issues appropriately. Educated employees can be a strong first line of defense when it comes to preventing security events from occurring and greatly reduce the risks of data breaches, malware infections, and more. If they are aware of how cybercriminals are trying to target them, they can be more aware and able to detect scams like phishing emails.

3. Enforce Strong Passwords and Authentication Policies

Weak and common passwords such as 123456 and qwerty are an easy entry point for data theft. Creating a password policy that requires the use of strong passwords – one that is at least 12 characters long, including letters, numbers, and symbols – is a must. The more difficult and time-consuming it is for a cybercriminal to guess a password, the less likely they are to try and compromise sensitive data. According to NIST’s password guidelines, password security can be bolstered by:

  • Focusing on length more so than complexity
  • Using password managers
  • Avoiding the use of password hints
  • Limiting the number of authentication attempts

Multi-factor authentication (MFA) is also a must-have in today’s threat landscape. With the amount of business-critical data users have access to and the number of digital identities associated per user, MFA adds an extra layer of security beyond just passwords. MFA is a trusted way to protect against phishing attempts and cases involving credential theft since it requires another form of authentication, like a text message with a code that only the rightful user has possession of to grant access.

4. Schedule Timely Risk Assessments

Small businesses should conduct informal risk assessments, at a minimum, by meeting with cybersecurity vendors to brainstorm scenarios based on recent cybersecurity events. Discussing current threats allows SMBs to identify gaps that exist in their current security program.

Regular risk assessments are one of the first steps to establishing a more proactive threat identification program. Before potential threats can be exploited by threat actors, risk assessments allow SMBs to map out the actions needed to shore up weaknesses and keep up with the evolving threat landscape. Risk assessments are also vital for planning out incident response plans (IRPs), emergency communication matrices, and post-attack strategies.

5. Use Virtual Private Networks (VPNs)

In the age of remote work, virtual private networks (VPNs) allow employees to work anywhere and gain secure access to the company network. VPNs mitigate cyberattacks by creating a secure, encrypted tunnel for users to hide their personal information, location, and other data while connecting to the internet. Using VPNs is a cost-effective solution for SMBs with limited security budgets.

VPNs work by encrypting internet traffic, making it difficult for cybercriminals to intercept and read data. This is crucial for protecting sensitive business information and communications. They can also help in network segmentation efforts, providing access control to different parts of the network based on user roles. This minimizes the risk of unauthorized access.

Conclusion

The landscape of cybersecurity threats is evolving and threat actors are no longer distinguishing between the size of their targets. SMBs, often perceived as easier targets with less means of cyber defense, now face the same sophisticated attacks that large enterprises do. Phishing schemes, ransomware attacks, and data breaches are just as prevalent and damaging for a small business as they are for a Fortune 500 company. This convergence in the threat landscape notes a stark shift in how cybersecurity is approached across all industries.

Cybersecurity attacks on a small business can be devastating. SMBs around the globe have turned to SentinelOne’s Singularity™ Platform, allowing them to proactively resolve modern threats at machine speed. Learn how SentinelOne works with best-in-class security service providers to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more. Contact us today or book a personalized demo here to learn more.

Cybersecurity for Small Business
Protect all your Windows, MacOS, and Mobile devices from ransomware and malware with an easy-to-use cybersecurity platform from SentinelOne.

 

The Good, the Bad and the Ugly in Cybersecurity – Week 24

The Good | Ukrainian Police Arrest Cryptor Specialist Helping Conti & LockBit Ransomware Operations

A Russian national was arrested this week for allegedly working with Conti and LockBit ransomware groups, helping to make their malware undetectable and also conducting at least one attack himself. Ukrainian cyber police apprehended the 28-year-old man in Kyiv during Operation Endgame, a major operation carried out two weeks ago to dismantle an extensive ecosystem of malware droppers.

(Source: Cyber Police of Ukraine)

According to Ukrainian law enforcement, the arrested had expertise in developing custom crypters that encrypted and obfuscated ransomware payloads into what looked like innocuous files. This made them fully undetectable (FUD) to legacy antivirus software. His services were sold to both Conti and LockBit syndicates, which bolstered their success rates in infiltrating networks.

Reports from Dutch police confirm that the man orchestrated at least one of his own attacks using a Conti payload in 2021, indicating his involvement as an affiliate and goals to gain maximum profits from the relationship. His arrest includes seizure of computer equipment, mobile phones, and handwritten notes, all being held for ongoing examination. As it stands, the Russian suspect has already been charged under Part 5 of Article 361 of the Criminal Code of Ukraine for unauthorized interference with information systems. He faces up to 15 years in prison.

This arrest is the latest in a string of actions against LockBit operations, most recently following the distribution of 7000 decryption keys to all affected victims of the Ransomware-as-a-Service (RaaS). Earlier last month, the DoJ unveiled the identity of LockBit’s developer, placing a reward up to $10 million for his arrest or conviction.

The Bad | Hamas-Linked Threat Group Spies on Android Users in Egypt & the Palestinian Territories

An espionage-focused threat actor known as Arid Viper has been linked to an ongoing mobile-based campaign, involving trojanized Android apps delivering ‘AridSpy’ spyware. Based on a recent report, the Hamas-aligned actor is distributing malware through websites that mimic legitimate messaging, job search, and civil registry applications.

Arid Viper’s latest appearance is marked by a new version of AridSpy – a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server. The attacks are primarily targeting Palestinian and Egyptian users through websites that distribute the fake (but functional) apps. The apps themselves are clones of legitimate services, but with malicious features.

(Source: WeLiveSecurity)

In one case, researchers found a website impersonating a Palestinian Civil Registry, which had a nearly 200-person following on its dedicated Facebook page. While the app on this site is not a direct clone of the legitimate version found on Google Play Store, it communicates with its legitimate server, indicating a high level of sophistication by Arid Viper.

The actor is also responsible for registering a fake job opportunity app which, upon install, downloads a first-stage payload posing as a Google Play Services update. The spyware then executes various commands, including taking pictures with the front camera when specific conditions are met and sending the data to the actor’s C2 server.

Arid Viper continues to cause concern due to its consistent use and development of mobile spyware to target military personnel in the Middle East as well as journalists and political dissidents. Organizations in critical infrastructures guarding high-value intel can mitigate the threat of cyber espionage by implementing proactive and AI-enhanced threat detection, advanced response capabilities, and deep visibility across networks.

The Ugly | Multi-Platform Malware Campaign Targets Indian Critical Sectors via RATs

Cyber researchers have uncovered a six-year-long threat campaign, dubbed ‘Operation Celestial Force’, that employs a combination of GravityRAT, an Android-based malware, and HeavyLift, a Windows-based malware loader. Their report ties Pakistani threat group Cosmic Leopard (aka SpaceCobra) to the campaign with high confidence.

Most recent activity in the operation shows a defined expansion and evolution in the malware suite being used, suggesting ongoing success of the campaign in targeting users in the Indian subcontinent. The operation leverages both Gravity RAT and HeavyLift which are simultaneously managed through another standalone tool called ‘GravityAdmin’.

Though GravityRAT was originally a Windows-based malware deployed via spear phishing emails, it has since been adapted for Android systems as well. The Android version of the tool has now been observed in attacks against the Indian military and Pakistani Air Force personnel by masquerading as cloud storage, entertainment, and chat apps. The HeavyLift malware loader is shipped as an Electron app and targets Windows, macOS and Linux.

HeavyLift code targeting macOS
HeavyLift code targeting macOS

Cosmic Leopard commonly uses spear phishing and social engineering tactics to gain the trust of their victims. After being directed to visit malicious sites, victims are lured into downloading benign-looking programs that then deploy either GravityRAT or HeavyLift depending on the OS in question. The GravityAdmin binary has been used to control the compromised systems since at least August 2021 and works by managing connections with GravityRAT and HeavyLift’s C2 servers.

Researchers posit that the long-running operation will continue to harvest sensitive information from users in the Indian defense, government, and technology sectors, making it crucial for these organizations to shore up their data encryption and monitoring, real-time monitoring, and automated response capabilities.

Navigating the NVD Backlog | How to Stay Ahead in Vulnerability Management

The National Vulnerability Database (NVD) is a critical – yet often overlooked – element of an organization’s security defenses. Established to provide a catalog of known software vulnerabilities, it has become an authoritative source of vulnerability intelligence. However, the NVD faces a troubling backlog of vulnerabilities raising existential concerns about its efficacy.

This blog post takes a dive into what this means for organizations, what actions the industry leaders are taking to mitigate the challenges, and how solutions like Singularity Vulnerability Management are set to help businesses identify and prioritize all types of risk across their attack surfaces.

A Brief History of the NVD

Launched in 2005 by the National Institute of Standards and Technology (NIST), the NVD was created as a repository for the U.S. government to standardize and communicate information on publicly disclosed vulnerabilities. Utilizing the Common Vulnerabilities and Exposures (CVE) system, the NVD provides a centralized source for identifying and evaluating security flaws. Over the years, the NVD has evolved, integrating additional metrics such as the Common Vulnerability Scoring System (CVSS) to assess vulnerabilities’ severity and prioritize remediation efforts.

One of the most important benefits of the NVD is standardization, ensuring that all stakeholders from researchers, security teams, and security vendors, are on the same page regarding how they identify and mitigate vulnerabilities. The NVD enables organizations of all sizes to improve their security posture by offering open access to vulnerability data.

This democratization of information allows smaller businesses, which may lack extensive cybersecurity resources, to leverage the same vulnerability data as larger enterprises. To support the dissemination of this information, the NVD offers integration of vulnerability data via public APIs that many vendors integrate into their IT and Security products. The NVD API has its own set of challenges at enterprise scale with API rate limiting and occasional API call failures.

The NVD in Crisis | Backlogs & Wait Times

Despite its historical and practical significance, the NVD has been grappling with a substantial backlog of vulnerabilities since issues emerged in February of this year. Just in 2024, there have been over 18,000 vulnerabilities submitted to the NVD, yet 75% remain unprocessed waiting to be analyzed. The volume of submissions to the NVD has skyrocketed in recent years as the sheer number of vulnerabilities being discovered overwhelmed the systems and resources in place.

As the volume has grown, so has the complexity and sophistication of vulnerability exploits, which now require more time to analyze. Coupled with the recent cuts to NIST’s budgets, it’s a perfect storm of vulnerability overload and staffing shortages that create delays in vulnerability processing.

Source: National Vulnerability Database Dashboard (6/10/2024)

On average it takes 44 days from a vulnerability disclosure to it being exploited in the wild. Adelay in processing and publishing new vulnerabilities means that security teams are operating with outdated information and aren’t able to assess and mitigate risk promptly. If vulnerabilities aren’t addressed in a timely manner it could lead to an incident.. Without the enrichment and context the NVD provides – including CVSS scoring – vulnerabilities become more difficult to prioritize. A critical vulnerability may be overlooked without that context, while teams spend time chasing lower priority vulnerabilities. Many customers who rely on NVD feeds are now questioning the future viability of the NVD and whether NIST is the right organization to lead it.

What Is the Industry Doing About It?

In an open letter addressed to U.S. Congress and the Secretary of Commerce, 50 cybersecurity professionals including SentinelOne’s Staff Product Manager Maor Kuriel urged Congress to urgently “establish a plan, with clear timelines and accountability, to improve NVD processes and operations.” In the letter, the NVD was described as “the backbone of vulnerability management across the globe” and that delays “have disrupted essential resilience efforts across the public and private sectors”. The letter goes on to offer recommendations on how the NVD should be treated as critical infrastructure given its importance to U.S. cyber infrastructure.

Recently, NIST announced additional resourcing for an initiative to clear the backlog through a consortium of industry partners, which may go into effect as soon as the end of this year.  Despite the contract to improve processing rates, the outdated NVD infrastructure persists. NIST is working on longer-term modernization plans and reiterated that it’s the right agency to maintain the NVD going forward, however, some in the industry are skeptical.

“No modern database should choke and be down for 3 ½ months (and counting) due to a sudden increase in workload”, said Tom Alrich, leader of the OWASP SBOM Forum project. “In fact, no modern database should be down for even a day due to any technical problem, let alone 3 ½ months. But, we’ve known for a long time that there are multiple single points of failure in the NVD’s infrastructure.”

Vendors like VulnCheck have stepped in to help fill the gap by offering free feeds like NVD++, a free community alternative to the NVD APIs that provide similar enrichment of vulnerability data while the NVD issues are being resolved. The Cybersecurity and Infrastructure Security Agency (CISA) is also contributing to help clear the backlog, announcing a “Vulnrichment” initiative in which it analyzed and enriched 1,300+ vulnerabilities.

The Path Forward | Asking the Right Questions

Given the current state of the NVD, cybersecurity and IT operations teams need to adopt a proactive stance. Here are key questions business leaders can ask their security vendors to ensure robust vulnerability management:

  • How do you prioritize vulnerabilities amidst NVD delays? Vendors should have a clear strategy for prioritizing and addressing vulnerabilities, even without immediate updates from the NVD.
  • What supplementary sources do you use? Vendors should integrate multiple sources of threat and vulnerability intelligence to mitigate the impact of NVD backlogs.
  • Can you provide real-time updates on emerging threats? Real-time intelligence is crucial for staying ahead of potential exploits.
  • What are your plans for future-proofing against emerging vulnerabilities? As technology evolves, so do potential threats. Vendors should articulate their strategies for anticipating and countering future vulnerabilities.

Best Practices for Security Teams

Security teams can also refine their internal processes to navigate the current landscape effectively. Essential best practices include:

  • Regularly Auditing Your Security Posture – Continuous assessment of an organization’s security measures ensures preparedness and improves security posture.
  • Investing in Vulnerability Intelligence – Proactively sourcing vulnerability intelligence from multiple sources can provide a more comprehensive understanding of the threat & vulnerability landscape and reduce reliance on the NVD.
  • Implementing Intelligent Solutions – Leveraging AI tools in vulnerability management can help identify, prioritize, and remediate issues more rapidly.
  • Encouraging Vendor Collaboration – Maintain open communication channels with vendors to ensure alignment on security priorities and product coverage updates.

SentinelOne’s Answer | Singularity Vulnerability Management

As part of the Singularity Platform, Singularity Vulnerability Management is a network discovery and vulnerability management solution that identifies and prioritizes risk to your enterprise attack surface. Singularity Vulnerability Management detects vulnerabilities across applications and OSs and provides dynamic prioritization based on the likelihood of exploitation by threat actors and business criticality. SentinelOne utilizes multiple third-party intelligence sources and analysis methods to provide coverage and context of the latest vulnerabilities despite the shortcomings at the NVD, helping IT and security teams prioritize active risks and exploitations.

The SentinelOne agent can fulfill EDR, vulnerability management, and compliance requirements, without having to deploy network scanners which add cost, complexity, and bandwidth challenges. Consolidation of EDR and vulnerability management workflows in the Singularity Platform enables graph-based correlation of vulnerabilities and threats so teams can visualize risk from pre-compromise to post-compromise. The Singularity Platform offers single agent, single console simplicity to achieve maximum risk reduction with minimum efforts.

Conclusion

The National Vulnerability Database remains a cornerstone of cybersecurity, but its current backlog forces IT and security teams to ask tough questions about their vulnerability management practices. Security teams can better navigate these challenges by asking their vendors the right questions about how they are evolving their products to deal with persistent NVD issues. SentinelOne is at the forefront of solving challenges in vulnerability management and can be a partner to help you navigate the complexities and mitigate the risk of the NVD. Take a tour of Singularity Vulnerability Management here.

Singularity™ Vulnerability Management
Discover unknown networks assets, close blind spots, and prioritize vulnerabilities using your existing SentinelOne agents.

Block Attacks with SentinelOne’s AI-Powered CNAPP

Market research soon to be published in the first annual SentinelOne Cloud Security Report shows that cloud security professionals are drowning in data, yet lacking insights. While many point-specific solutions like cloud security posture management (CSPM), cloud detection and response (CDR), and cloud workload protection platforms (CWPP) are now mainstream, organizations are struggling with data silos as they seek to derive meaning from a long list of cloud security alerts. SentinelOne’s AI-powered CNAPP, Singularity Cloud Native Security (CNS) solves each of these pain points.

In this blog post, learn how Singularity Cloud Security combines the rapid insights and value realization of an agentless CNAPP, with the stopping and forensics power of a runtime agent, to realize AI-powered protection for modern cloud operations. SentinelOne consolidates security data from native and third-party security sources into the Singularity Data Lake.

Agentless CNAPP and The Attacker’s Mindset

Singularity Cloud Native Security (CNS) from SentinelOne is an agentless CNAPP with a unique Offensive Security Engine™ that thinks like an attacker, to automate red-teaming of cloud security issues and present evidence-based findings. We call these Verified Exploit Paths™. Going beyond simply graphing attack paths, CNS finds issues, automatically and benignly probes them, and presents its evidence.

The Offensive Security Engine might indicate something like, “We found this misconfigured Amazon EC2 instance. We were able to curl out to our dummy C2 server and install a random file. Here is the proof.” With this, cloud security practitioners can prioritize their backlog better and focus on what is truly important rather than tread water in a sea of theoretical noise.

Beyond offensive security, CNS includes many more multi-cloud CNAPP capabilities. Here are just a few:

  • CSPM (Cloud Security Posture Management) includes over 2,00 built-in resource configuration checks, with support for custom policies.
  • Secrets Scanning – CNS finds over 750 types of cloud secrets and access keys. That’s an order of magnitude more than most alternatives.
  • Agentless Vulnerability Scanning for deployed VMs, containers, and registries, to identify known vulnerabilities.
  • IaC Scanning – Shift left to identify pre-production issues in IaC templates with over 700 checks across popular IaC frameworks like Terraform, CloudFormation, etc.
  • Container & Kubernetes Security (KSPM) finds overly permissive roles, exposed APIs, and more.
  • CDR (Cloud Detection & Response)
  • Graph Explorer visualizes attack paths and streamlines analysis. Graphical query of vulnerabilities is both intuitive and powerful.

Real-Time Runtime Security

Alongside CNS, customers can also benefit greatly from Singularity Cloud Workload Security (CWS). CWS is real-time cloud workload protection (CWPP) for hybrid cloud workloads. CWS detects and stops runtime attacks like zero-days, ransomware, and fileless memory injection exploits. The two primary benefits of a CWPP agent are real-time threat detection and remediation response, and forensic visibility of workload telemetry.

The Significance of Real-Time Threat Protection

Why the emphasis on real-time? What makes real-time threat protection so important? Runtime attacks are automated – they occur and spread in seconds. A runtime attack example on AWS Fargate on Amazon ECS was discussed in yesterday’s blog post. In brief, a threat actor exploits a known vulnerability and curls out to C2 infrastructure to download and run a malicious shell script that, in turn, runs a malicious python script that runs base64-encoded malware. The entire attack sequence happens in seconds.

The longer an attack is allowed to fester, the costlier and messier the clean-up. In addition to being intuitively obvious, the data in the annual IBM X-Force Cost of Data Breach Report continue to prove this out, year after year. Only an agent can deliver real-time threat detection and response.

The Importance of a Forensic Data Log

When there is a runtime attack, incident responders rely upon a record of workload telemetry to conduct their analysis. Understanding the root cause of an incident is foundational to determining its resolution. Only a CWPP agent can observe and record kernel-level telemetry.

CWS delivers real-time runtime protection for workloads whether in public or private cloud. Considering AWS for example, whether those workloads run on Amazon EC2, Amazon ECS or EKS, or even on AWS Fargate, SentinelOne delivers proven performance that is:

  • Powered by AI
  • Built on eBPF since 2019
  • Easily deployed

AI-Powered Data Security for Amazon S3

Amazon S3 (Simple Storage Storage) is one of AWS most popular services. Amazon S3 is an object storage service that offers industry-leading scalability, availability, and performance. To prevent S3 buckets from becoming a forward operating base of threat actors in which they can deposit malware and to prevent downstream data risks, SentinelOne launched Threat Detection for Amazon S3 (TD4S3).

Part of the Singularity Cloud Data Security product line, TD4S3 is machine-speed protection which detects and eliminates malware from S3 buckets. New files are automatically scanned, and existing files can be scanned on-demand. All file scans happen locally, so that no sensitive data ever leaves an organization’s AWS network.

TD4S3 leverages SentinelOne’s proprietary Static AI Engine, trained on nearly a billion malware samples over the last 10 years. Any files judged to be malicious are automatically encrypted and quarantined. Flexible policies automatically discover buckets at scale, so you do not have to name them one by one.

Learn More at AWS re:Inforce 2024

Come see SentinelOne’s AI-powered CNAPP at AWS re:Inforce 2024, Booth #427 for a demo and in-depth discussion. Notable integrations with AWS native services include Amazon Security Lake, AWS Security Hub, Amazon GuardDuty, AWS CloudTrail, and many more.

Conclusion

Singularity Cloud Security is SentinelOne’s unique approach to CNAPP. We combine the best of agentless and agent-based capabilities to deliver unmatched performance and convenience. Cloud Native Security (CNS) is the agentless component that uses an attacker’s mindset to help cloud security practitioners focus on proven exploitable issues. All solutions within Singularity Cloud Security are integral to SentinelOne’s Singularity Platform and Singularity Data Lake for unified visibility and AI-powered insights.

To learn more about the value of agentless CNAPP and applying an attacker’s mindset to better secure your AWS cloud operations, head over to the Cloud Native Security homepage for a 2-minute, self-guided tour. Connect with one of our cloud security experts for a personalized demo today.

Singularity™ Cloud Security
Improve prioritization, respond faster, and surface actionable insights with Singularity™ Cloud Security, the comprehensive, AI-powered CNAPP from SentinelOne.

Patch Tuesday, June 2024 “Recall” Edition

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted Copilot+ PCs, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed Recall, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host Patrick Gray noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2004-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the Microsoft Message Queuing (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

Kevin Breen, senior director of threat research at Immersive Labs, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the Windows WiFi Driver, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its Office applications, including at least two remote-code execution flaws, said Adam Barnett, lead software engineer at Rapid7.

CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for Acrobat, ColdFusion, and Photoshop, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.

PinnacleOne ExecBrief | China’s “New Quality Productive Forces”

Last week, PinnacleOne examined how China’s strategy for evading semiconductor technology controls is driving an increased insider threat issue for leading western enterprises.

This week, we highlight how a new turn of phrase by China’s leader will spark efforts across the country to make scientific breakthroughs occur out of thin air (or steal them from the west).

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | “New Quality Productive Forces”

Marxism and Factors of Production

The Chinese Communist Party (CCP) uses Marxism as its guiding ideology. Marx and Engles defined factors of production – the inputs used to create and derive economic value – as labor and capital. Marxist scholars argue over the precise description of these inputs and their definitions.

But, Marxist ideology is a living thing in China, shaped by the ideological contributions of the country’s leaders. It was Deng Xiaoping, China’s paramount leader after Mao Zedong’s death, who added “science and technology” to China’s original three factors on production in the 1980s. So, by the time Xi Jinping came into power in 2013, the CCP’s chief ideological bodies had maintained 4 factors of production for the preceding three decades: land, labor, capital, and science and technology.

When Xi Jinping joined the league of PRC leaders who contributed to Marxist ideology in 2018, he pushed the National People’s Congress to include language on “Xi Jinping Thought on Socialism with Chinese Characteristics” to the Party’s constitution. In 2022, Xi added the fifth factor of production to China’s interpretation of Marxist ideology: data. Since then, the CCP has launched many ideological publications to put scaffolding around the idea that data is an input to economic development.

In the same way that Deng’s addition of Science and Technology (S&T) as the fourth productive force led to massive spending on S&T projects by the state, so too has Xi’s addition of data as the fifth productive force led to changes in data export controls, new data trading zones, and leaked into other areas of policy making.

New Quality Productive Forces

Enter “New Quality Productive Forces,” a now totally separate ideological space for the CCP, introduced by Xi in January of this year. Different from tangible technology development plans, such as Made-In-China 2025, this idea frames the way S&T impacts society and economic development. It is an ideological phrase that underpins the design of future science and technology development plans. As with other parts of Communist ideology, it remains to be adequately defined, but many are trying.

State media states that New Quality Productive Forces “encompass high-tech, efficient, and high-quality productivity methods” and cites examples of AI, blockchain, quantum technologies, and life sciences. Quotes from Xi Jinping in this month’s publication of the Party’s chief ideological journal state that New Quality Productive Forces include revolutionary scientific breakthroughs that fundamentally alter the current economic model (original: 摆脱传统经济增长方式) and focus on high-tech, high-efficiency, and high-quality goods.

Xi Jinping tours the Hong Kong Science Park (Source: SCMP)

Xi’s New Quality Productive Forces come at a time of growing economic hardships for the PRC. China’s population is aging and some demographers contend that the rate of its aging will preclude the economy from sustaining GDP growth near 4% again. China is now facing down the middle income trap. China expert Tanner Greer summarized Xi’s hopes to use science and technology to save China’s future as:

  1. Technology and scientific capabilities are the primary source of national power.
  2. At certain moments in history, S&T capabilities undergo disruptive revolutions where great leaps benefit first movers.
  3. We are in such a moment.

In the context of China’s aging population, addiction to property development, and mass youth unemployment, Xi’s implied theory for S&T revolution looks like copium.

Government ministries are already trying to fill in the ideological gaps. For example, a group of key government ministries released a document on future development goals coinciding with Xi’s first use of New Quality Productive Forces in January. The ministries highlight the future of manufacturing (smart manufacturing, laser precision, intelligent sensing), information technology (satellite internet, quantum communications), materials (high-quality carbon fibers, semiconductors), energy (nuclear fusion, renewables), space (deep sea mining, lunar exploration), and health (AI medicine, digital twins). The authors believe AI will help analysts target fast-growing scientific research clusters for development across all these domains. All of these sectors were presented in the context of supporting China’s 14th Five-Year Plan and Long-Range Objectives for 2035.

Brass Tax

In a cult of personality, sycophancy is rewarded, criticism is punished, and shortcomings are perceived to be the result of deviation from the leader’s obviously flawless plans. For the bureaucrats responsible for implementing Xi’s new ideological thoughts, the question becomes how to achieve what they think to be the best path forward in a politically safe manner. Attaching old initiatives and targeting efforts towards current research trends while paying lip-service to Xi’s new ideology is a likely path. Eventually, Xi may find that bureaucratic resistance to his excellent ideas are the problem and elevate more of his factional ideologues to positions of influence. In short, it may all be a terrible waste for the Chinese economy if Xi’s entire idea can be summarized as “gambling the economy on moonshots.”

Bureaucrats will do their best to fight back and industry will get sucked in along the way. For global companies, the promise of technology saving China from the middle income trap will motivate IP theft, tech transfer, and talent poaching like never before. If Xi truly believes that such S&T advancements confer first-mover advantages, and that such technologies help define which nation is the world’s uncontested leader, then the bureaucracy he is able to wield will move heaven and earth to make sure China is that first mover. Given the state of China’s prospective long-term economic growth challenges, the state is very motivated to ensure China comes out on top.

Introducing Real-Time CWPP for Amazon ECS Fargate

Containers are popular because they are easy to build, test, and operate across a wide variety of infrastructure. Increasingly, serverless infrastructure services like AWS Fargate are preferred for containerized workload operations, because they allow organizations to focus their resources on innovation, while outsourcing the infrastructure management to their cloud service provider.

In this blog post, learn about SentinelOne’s Singularity Cloud Workload Security (CWS) for Serverless Containers, a real-time cloud workload protection platform (CWPP) for containerized workloads, running on AWS Fargate for Amazon ECS and Amazon EKS. Powered by AI, CWS detects runtime threats like ransomware, zero-days, and fileless exploits in real-time, and streamlines machine-speed response actions.

The Challenge | Maintaining Cloud Workload Availability

Organizations of all sizes increasingly deploy containerized cloud workloads to serverless infrastructure services such as AWS Fargate. Whether running on Amazon ECS (Elastic Container Service) or Amazon EKS (Elastic Kubernetes Service), these ephemeral workloads, although short-lived, still represent a vulnerable attack surface. Automated runtime attacks can exploit vulnerabilities and spread in seconds. Simply examining configurations is insufficient when machine-speed attacks threaten to disrupt cloud operations in seconds. Therefore, they require real-time threat detection and response, to stop the spread and maintain the integrity and availability of cloud workloads.

Moreover, short-lived workloads can challenge incident response (IR) procedures unless there is a forensic data record of workload telemetry for IR specialists to follow. Here again, agentless inspection falls short. Only an agent can serve as the flight data recorder of workload telemetry. These are two of the primary value propositions of a CWPP agent: real-time threat detection and response, and a forensic record of workload telemetry.

However, serverless infrastructure services restrict or prohibit access to the underlying infrastructure. This constraint necessitates an agent architecture tailored to the specific use case of containerized workloads running on serverless infrastructure.

Such complications may very well tempt cloud security practitioners to give up on a runtime agent altogether, choosing instead to focus solely upon an agentless CNAPP. Yes, an agentless CNAPP (Cloud-Native Application Protection Platform) is ideally suited for inspecting resource configurations, IaC templates, and container images for vulnerabilities. And yes, containerized workloads should have security throughout the software development life cycle. Even so, only a CWPP agent can both detect and stop runtime threats in real-time, and record the serverless workloads telemetry needed by security analysts during investigations.

For these reasons, a real-time CWPP agent serves a very important role in a cloud defense-in-depth strategy. With the right architecture, a CWPP agent can dovetail nicely with the constraints of serverless infrastructure.

Our Solution | Cloud Workload Security

SentinelOne has been in the real-time CWPP business for years. Singularity Cloud Workload Security (CWS) for Serverless Containers protects containerized workloads running on AWS Fargate for Amazon ECS and Amazon EKS. The CWS product line now has 3 solutions depending upon customer use cases:

  • CWS for Serverless Containers (e.g., AWS Fargate on Amazon ECS and EKS)
  • CWS for Containers (i.e., containerized workloads running on servers/VMs)
  • CWS for Servers/VMs (i.e., workload protection on servers/VMs)

Amazon ECS is a managed container service from AWS that can be deployed to VMs (Amazon EC2) or serverless (AWS Fargate). With ECS, a customer needs only focus on their application; AWS manages the infrastructure monitoring and scaling.

When containerized workloads within Amazon ECS are deployed to AWS Fargate, SentinelOne’s runtime agent is deployed as a containerized application itself, which runs in the ECS task alongside the customer’s containers. This architecture is commonly referred to as a “sidecar.”

The agent includes the SentinelOne CWPP detection engines, which observe workload processes in real time to detect suspicious or malicious activity. It also uses SentinelOne’s proprietary Storyline™ technology, to automatically correlate, enrich, and visualize atomic workload events within an attack sequence. This has the added benefit of profound noise reduction, so that overworked SOC analysts can more easily focus and streamline investigation.

Runtime Attack Example | Singularity Cloud Workload Security (CWS) In Action

To better understand how CWS for Serverless Containers helps protect cloud workloads, let’s consider an example running a vulnerable web application within Amazon ECS launched on AWS Fargate. The Singularity Cloud Workload Security solution is deployed to protect the containerized workload running on Amazon ECS Fargate. Using a command injection attack on a vulnerable web app, the threat actor will curl out to C2 infrastructure to download and execute a malicious shell script. This script, in turn, will execute a python script containing obfuscated, base64-encoded malware. Let’s dive in.

First, when the threat actor launches their automated runtime attack, the Behavioral AI Engine immediately triggers and issues an alert of AI Confidence Level “SUSPICIOUS.” By policy (which the customer controls), the agent is configured in Detect Mode: issue an alert. Outside of this example, the policy would have been set to Protect Mode, the suspicious processes would have been immediately killed, and any malware files quarantined.

Inspecting the Threat Details, observe that the alert pertains to a containerized (Docker) workload running on Amazon ECS, with various details like cluster name, task definition, and availability zone as shown. Note THREAT INDICATORS on the right panel indicative of Evasion and Infostealer tactics. Links to each of the MITRE techniques are available as shown.

The DOCKER CONTAINER tab in the bottom panel shows the container name, image, etc. Hovering on Command Line Argument then displays “python3 -c import” followed by base64-encoded data. This is a key component for security analysts.

Clicking on EXPLORE at the top of the management console shows the Storyline of this attack sequence. The apache2 process is normal (i.e., not red – that’s the web application). Clicking the “dash” event, the first red node in the process tree, shows the Command Line details that triggered the Behavioral AI Engine: “sh -c ping -c 4 127.0.0.1; curl…”

With a single concatenated command line, an intruder pinged the local host (127.0.0.1) running the vulnerable web application, and upon getting a response, curl’d out to command-and-control infrastructure to download and execute a shell script. That’s the bash event next in the sequence. Next, looking at that python3.7 node in the attack sequence, the Command Line details show the “import base64…” badness.

Example Summary

The Command Line details are enough for security analysts to deduce that the intruder  exploited a command injection vulnerability of the web app to download and run malware. Analysts can put out the immediate fire via 1-click remediation in the SentinelOne management console. After, they would open an incident ticket, attach all the details for context, and route to the DevOps owner so they can solve the vulnerability which was the root cause of the exploit.

Consider the incident without a real-time CWPP solution like CWS for Serverless Containers. Firstly, there would have been no real-time threat detection. Machine-speed evil spreads at machine-speed, so the longer runtime attacks are allowed to fester, the messier and more costly the clean-up. Also, delays provide the threat actor opportunity to move laterally, quietly establish persistence, and complete data exfiltration.

Secondly, signature-based AV would have missed this attack entirely. A sophisticated threat actor could have quietly erased the evidence of their presence, making detection all the more challenging. And lastly, no agent means no forensic details (e.g., command line) to speed the investigation on its way.

Conclusion

SentinelOne recommends a combinational approach to cloud security, one which combines the best of agentless insights, such as those from Singularity Cloud Native Security, our agentless CNAPP, with the real-time detection and stopping power of an AI-powered CWPP like Singularity Cloud Workload Security.

To learn more about the value of agentless CNAPP and real-time CWPP in securing your AWS cloud operations, visit SentinelOne at AWS re:Inforce 2024, Booth #427. We would be happy to give you a personalized demo. You can also learn more at the Cloud Native Security homepage, or see a 2-minute self-guided walk-through here. For a personalized demo, connect with one of our cloud security experts today.

Singularity™ Cloud Security
Improve prioritization, respond faster, and surface actionable insights with Singularity™ Cloud Security, the comprehensive, AI-powered CNAPP from SentinelOne.