Industry experts say it’s full speed ahead as Snowflake files S-1

When Snowflake filed its S-1 ahead of an upcoming IPO yesterday, it wasn’t exactly a shock. The company, which has raised $1.4 billion, had been valued at $12.4 billion in its last private raise in February. CEO Frank Slootman, who had taken over from Bob Muglia in May last year, didn’t hide the fact that going public was the end game.

When we spoke to him in February at the time of the company’s mega $479 million raise, he was candid about the fact that he wanted to take the company to the next level, and predicted it could happen as soon as this summer. In spite of the pandemic and the economic fallout from it, the company decided now was the time to go — as did four other companies yesterday, including JFrog, Sumo Logic, Unity and Asana.

If you haven’t been following this company through its massive private fundraising process, investors see a company that takes the traditional way of storing massive amounts of data and moves it to the cloud. This concept is known as a cloud data warehouse because it stores immense amounts of data.

While the Big 3 cloud companies all offer something similar, Snowflake has the advantage of running on any of the major clouds, and at a time when data portability is highly valued, it enables customers to shift data between them.

We spoke to several industry experts to get their thoughts on what this filing means for Snowflake, which after taking a blizzard of cash, has to now take a great idea and shift it into the public markets.

Pandemic? What pandemic?

Big market opportunities usually require big investments to build companies that last, and those companies typically go public; that’s why investors were willing to pile up the dollars to help Snowflake grow. Blake Murray, a research analyst at Canalys, says the pandemic is actually working in the startup’s favor as more companies shift workloads to the cloud.

“We know that demand for cloud services is higher than ever during this pandemic, which is an obvious positive for Snowflake. Snowflake also services multi-cloud environments, which we see in increasing adoption. Considering the speed it is growing at and the demand for its services, an IPO should help Snowflake continue its momentum,” Murray told TechCrunch.

Leyla Seka, a partner at Operator Collective, who spent many years at Salesforce agrees that the pandemic is forcing many companies to move to the cloud faster than they might have previously. “COVID is a strange motivator for enterprise SaaS. It is speeding up adoption in a way I have never seen before,” she said.

It’s clear to Seka that we’ve moved quickly past the early cloud adopters, and it’s in the mainstream now where a company like Snowflake is primed to take advantage. “Keep in mind, I was at Salesforce for years telling businesses their data was safe in the cloud. So we certainly have crossed the chasm, so to speak and are now in a rapid adoption phase,” she said.

So much coopetition

The fact is Snowflake is in an odd position when it comes to the big cloud infrastructure vendors. It both competes with them on a product level, and as a company that stores massive amounts of data, it is also an excellent customer for all of them. It’s kind of a strange position to be in, says Canalys’ Murray.

“Snowflake both relies on the infrastructure of cloud giants — AWS, Microsoft and Google — and competes with them. It will be important to keep an eye on the competitive dynamic even though Snowflake is a large customer for the giants,” he explained.

Forrester analyst Noel Yuhanna agrees, but says the IPO should help Snowflake take on these companies as they expand their own cloud data warehouse offerings. He added that in spite of that competition, Snowflake is holding its own against the big companies. In fact, he says that it’s the number one cloud data warehouse that clients inquire about, other than Amazon Redshift. As he points out, Snowflake has some key advantages over the cloud vendors’ solutions.

“Based on Forrester Wave research that compared over a dozen vendors, Snowflake has been positioned as a Leader. Enterprises like Snowflake’s ease of use, low cost, scalability and performance capabilities. Unlike many cloud data warehouses, Snowflake can run on multiple clouds such as Amazon, Google or Azure, giving enterprises choices to choose their preferred provider.”

Show them more money

In spite of the vast sums of money the company has raised in the private market, it has decided to go public to get one final chunk of capital. Patrick Moorhead, founder and principal analyst at Moor Insights & Strategy, says that if the company is going to succeed in the broader market, it needs to expand beyond pure cloud data warehousing, in spite of the huge opportunity there.

“Snowflake needs the funding as it needs to expand its product footprint to encompass more than just data warehousing. It should be focused less on niches and more on the entire data lifecycle including data ingest, engineering, database and AI,” Moorhead said.

Forrester’s Yuhanna agrees that Snowflake needs to look at new markets and the IPO will give it the money to do that. “The IPO will help Snowflake expand its innovation path, especially to support new and emerging business use cases, and possibly look at new market opportunities such as expanding to on-premises to deliver hybrid-cloud capabilities,” he said.

It would make sense for the company to expand beyond its core offerings as it heads into the public markets, but the cloud data warehouse market is quite lucrative on its own. It’s a space that has required a considerable amount of investment to build a company, but as it heads towards its IPO, Snowflake should be well positioned to be a successful company for years to come.

On Agent: On Time. Every Time.

How deep is your love? How high is the sky? How long is a minute?

We can answer the third one: In the case of Maze ransomware, it’s plenty of time to encrypt tens of thousands of files. Unfortunately, if a business’s protection relies on the cloud for virus signatures or reputation lookups, time is “the biggest gotcha,” according to SentinelOne Senior Threat Researcher Jim Walter.

“Time is a big, sprawling thing,” Walter says. “Even if you’re talking fractions of a second, that’s still plenty of time for bad stuff to keep happening while the machine is trying to make a decision on what’s good or bad.”

Cooking Your Goose Takes a Fraction of a Second

It can be hard to imagine how much damage can occur in 1 minute. In one test, SentinelOne’s Labs recorded 23,969 events triggered by Maze within the span of a mere 60 seconds. Each one of those events is a file being encrypted in preparation for attackers holding a virtual gun to a kidnapped company’s head and demanding a ransom to unlock its data. All this damage underscores why local protection models—as in, those that are located on endpoints and don’t need to pause to fetch marching orders from the cloud—are superior to products that suffer from cloud lag and the dwell time it grants attackers.

Maze is one of many examples that show how and why local endpoint agents are crucial to neutralizing high-velocity attacks. Whereas some EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) technologies have to remote-shell into endpoints and fix them with scripts, SentinelOne’s technology tracks and contextualizes everything on a device, identifying malicious acts in real-time and automating the required responses with local AI (artificial intelligence) agents on every endpoint. They can connect to the cloud, but they don’t have to: the local agents don’t need to be slowed down by that back-and-forth, freeing them from the lag time it takes to check in with the cloud to find out what to do.

Why On Time Matters: To Avoid Getting CryptoWalled

CryptoWall ransomware is an example of how unknown malware can pop up and use fileless techniques to bypass traditional defenses. Before it encrypted anything, it started by deleting volume shadow copies to make sure that there was no way to recover encrypted files. VSS (Volume Shadow Copy Service) is a built-in Windows feature that can be used to create backup copies or snapshots of files and volumes, even when they’re in use. SentinelOne has also seen malware that disables VSS by using WMI (Windows Management Instrumentation) to evade detection by AV signatures. It’s not just CryptoWall: in fact, deleting shadow copies is a common technique used by ransomware.

In such a situation, local agents beat out cloud-reliant models because they don’t have to rely solely on AV signatures. Rather, they can carefully monitor processes and interrelationships in order to sniff out malicious behavior—including the noxious behavior of nuking shadow copies.
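As an added example (this is not SentinelOne’s code or a description of how its agent works), the following Python shows what a local, behavior-based check for the shadow-copy destruction step described above looks like: it scans process-creation events for command lines that delete or shrink Volume Shadow Copies via vssadmin or WMI, or stop the VSS service, and it also decodes PowerShell -EncodedCommand payloads before matching so that the WMI variant cannot hide behind Base64. It generalizes slightly beyond the text by including the vssadmin resize and service-stop variants ransomware commonly uses alongside the delete. The log format, host name, paths, the backup-agent allowlist entry and all events are constructed for the example.

```python
"""Added example, not SentinelOne's code: flag process-creation events whose
command line deletes, shrinks or disables Volume Shadow Copies (the
pre-encryption step ransomware uses to block recovery), including PowerShell
payloads hidden behind -EncodedCommand. Log format, paths and events below are
constructed for the example."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# Common ways shadow copies, or the service behind them, get nuked. Matched
# against a lower-cased command line and against any decoded PowerShell payload.
SHADOW_COPY_PATTERNS = {
    "vssadmin_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    "wmic_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "powershell_wmi": re.compile(
        r"win32_shadowcopy\b.*(?:\.delete\(\)|\bremove-wmiobject\b|\bremove-ciminstance\b)"),
    "vss_service_stop": re.compile(r"\b(?:net|sc)(?:\.exe)?\s+(?:stop|config)\s+vss\b"),
}

# PowerShell accepts several abbreviations of -EncodedCommand; the argument is
# Base64 of a UTF-16LE string, so the case-preserved token must be captured.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Hypothetical backup agent allowed to resize shadow storage. A parent-image
# allowlist is a tuning knob, not a security boundary; production code should
# verify the parent's signature as well.
DEFAULT_ALLOWED_PARENTS = frozenset({r"c:\program files\backupvendor\agent.exe"})


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Alert:
    event: Event
    techniques: list[str]


def parse_event(line: str) -> Event:
    """Constructed log format: ts|host|parent_image|image|command_line."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return Event(ts, host, parent, image, cmdline)


def decode_powershell(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def match_techniques(cmdline: str) -> list[str]:
    """Names of the shadow-copy techniques a command line exhibits."""
    text = cmdline.lower()
    decoded = decode_powershell(cmdline).lower()
    return [name for name, pat in SHADOW_COPY_PATTERNS.items()
            if pat.search(text) or (decoded and pat.search(decoded))]


def scan(lines, allow_parents=DEFAULT_ALLOWED_PARENTS) -> list[Alert]:
    """One Alert per event that hits a pattern and whose parent image is not
    allowlisted. Everything here runs on local data, no lookups needed."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = match_techniques(ev.cmdline)
        if hits and ev.parent.lower() not in allow_parents:
            alerts.append(Alert(ev, hits))
    return alerts


# Constructed sample events. The encoded payload is built here so the example
# is self-contained; real malware ships it pre-encoded.
_ENCODED = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "2020-08-20T10:01:12Z|WS-0412|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe"
    "|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "2020-08-20T10:01:13Z|WS-0412|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|wmic shadowcopy delete",
    "2020-08-20T10:01:14Z|WS-0412|C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED,
    # Benign: listing shadows, and a backup agent resizing storage, must not alert.
    "2020-08-20T10:05:00Z|WS-0412|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe"
    "|vssadmin list shadows",
    "2020-08-20T10:06:00Z|WS-0412|C:\\Program Files\\BackupVendor\\agent.exe|C:\\Windows\\System32\\vssadmin.exe"
    "|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.event.ts} {a.event.host} {a.event.image} -> {', '.join(a.techniques)}")
```

Run stand-alone, it reports the cmd.exe, WMIC.exe and powershell.exe events and stays silent on the `vssadmin list shadows` query and on the allowlisted backup agent. Matching on command lines is the cheap first layer; a real agent would also correlate the parent (an executable launched from a user’s Temp directory is itself a signal) and watch the VSS provider directly, since renamed copies of vssadmin.exe defeat a name-based check.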

Why Local Matters: To Sniff Out LOLers

More recently, other fileless techniques have cropped up to bypass traditional defenses. A year ago, we saw a new malware threat—Nodersok/Divergent—that downloaded its own LOLBins (Living Off the Land Binaries). LOLBins are legitimate, non-malicious binaries that researchers or cyber criminals have discovered can be abused to hide an attacker’s tracks and evade cyber defenses.

In September 2019, thousands of machines were infected by the Nodersok malware, which downloaded and installed a copy of the Node.js framework to convert infected systems into proxies and perform click-fraud. It might not sound all that serious, but the fact that its creators managed to infect so many systems means that they could also have pivoted to deploy other, more dangerous modules, such as ransomware or banking Trojans.

Why On-Device Detection Matters: Ramsay Trojan’s Air-Gap Skipping

One of the most recent examples of why on-device detection beats cloud reliance comes in the form of the Ramsay Trojan: malware that emerged in late 2019 with a focus on both persistence and data exfiltration from air-gapped systems.

As SentinelOne’s Walter says in his May 2020 writeup of the new malware, (ongoing) analysis suggests that the malware “was developed for advanced targeted campaigns by a threat actor primarily interested in organizations trying to protect the most sensitive of information.” But, he emphasizes, as is often the case with specialized malware, there’s once again the chance that it will pivot to focus on new targets.

Even though it is a novel threat, SentinelOne protects against Ramsay. “Even when the network is disconnected such as with an air-gapped device, the SentinelOne agent will detect the malware locally on-device,” Walter says. This video shows how it works:

[Video: SentinelOne vs Ramsay Trojan]

What Happens When Clouds Evaporate?

Besides the time factor, some attackers directly target cloud connectivity itself. Migo Kedem, SentinelOne’s Senior Director of Products & Marketing, says the company has seen examples of malware that can actually disconnect its targets. While SentinelOne’s local models can use connectivity, it’s a relief that they’re not dead in the water without it. “If the connection is lost, SentinelOne would offer protection in a very similar, though not identical, way,” he says. “We use connectivity when it’s available, primarily to save resources as you don’t need to analyse something that’s already known. But unlike other products, we don’t rely on connectivity to protect the device. Known or unknown, connected to the cloud or not, the local agent will do the work of detecting and protecting against attacks.”

Here’s how it works: Pre-execution, SentinelOne’s single, local agent replaces traditional virus signatures with a Static AI engine to provide protection. It doesn’t stop there. Even if the threat isn’t recognized, SentinelOne’s Behavioral AI engines track all processes and their interrelationships, regardless of how long they’re active. When an agent detects malicious activities, it responds automatically, at machine speed. The local engine is vector-agnostic: it works with file-based malware, scripts, weaponized documents, lateral movement, fileless malware, and even zero-days.

Finally, post-execution, SentinelOne’s ActiveEDR—the behavioral AI model—provides rich forensic data and can mitigate threats automatically, perform network isolation, and auto-immunize the endpoints against newly discovered threats. As a final safety measure, SentinelOne can even roll back an endpoint to its pre-infected state.

Go Local to Avoid Getting Hosed

Not to beat a dead horse, but it’s important to emphasize that time matters. A lot.

“Any modern ransomware can completely F-up a disk in half a minute,” says SentinelOne’s Walter. “If [any cloud-based protection] response was in a minute, you could be completely hosed.”

Another regrettable aspect of cloud reliance is that “the bad guys are smart,” Walter says. They know how to use antivirus products just like the good guys do. Attackers will take the time to test a given service, whether it’s homegrown protection or otherwise. “If they’re able to do those tests, which predominantly require vendors or services to have cloud lookup mechanisms or API functionality, the bad guys will take advantage of that and, say, not release malware until it can pass those models.”

You don’t want to give the bad guys the time they need to do what they do, whether it’s encrypt files, exploit dwell time by infiltrating other parts of the network, plant spyware, wipe out your VSS shadow copies, deploy secondary malware, or test out whatever AV system you’ve rigged up.

You want local agents because that precious time should be spent stopping attacks before they wreak havoc, and on remediating whatever attackers do manage to hit. In short, you want local agents so you can be what the CIA has so memorably referred to as “a colossal pain in the posterior” for attackers.


Meet the anti-antitrust startup club

When Congress called in tech CEOs to testify a few weeks ago, it felt like a defining moment. Hundreds of startups have become unicorns, with the largest worth more than $1 trillion (or perhaps $2 trillion). Indeed, modern tech companies have become so entrenched, Facebook is the only one of the Big Five American tech shops worth less than 13 figures.

The titanic valuations of many companies are predicated on current performance, cash on hand and lofty expectations for future growth. The pandemic has done little to stem Big Tech’s forward march and many startups have seen growth rates accelerate as other sectors rushed to support a suddenly remote workforce.

But inside tech’s current moment in the sun is a concern that Congress worked to highlight: Are these firms behaving anti-competitively?

By now you’ve heard the arguments concerning why Big Tech may be too big, but there’s a neat second story that we, the Equity crew, have been chatting about: Some startups are racing into the big kill zone.

They have to be a bit foolhardy to take on Google Gmail and Search, Amazon’s e-commerce platform or Apple’s App Store. Yet, there are startups targeting all of these categories and more, some flush with VC funding from investors who are eager to take a swing at tech’s biggest players.

If the little companies manage to carve material market share for themselves, arguments that Big Tech was just too big to kill — let alone fail — will dissolve. But today, their incumbency is a reality and these startups are merely bold.

Still, when we look at the work being done, there are enough companies staring down the most valuable companies in American history (on an unadjusted basis) that we had to shout them out. Say hello to the “anti-antitrust club.”

Hey and Superhuman are coming after Gmail

Gmail has been the undisputed leader in consumer email for years (if not enterprise email, where Microsoft has massive inroads due to Exchange and Outlook). Startups have contested that market, including Mailbox, which sold to Dropbox for about $100 million back in 2013, but whenever a new feature came along that might entice users, Gmail managed to suck it up into its app.

Sutter Hill strikes ice-cold, $2.5B pre-market return with Snowflake’s IPO filing

Today is the day for huge VC returns.

We talked a bit about Sequoia’s coming huge win with the IPO of game engine Unity this morning. Now, Sequoia might actually have the second largest return among companies filing to go public with the SEC today.

Snowflake filed its S-1 this afternoon, and it looks like Sutter Hill is going to make bank. The long-time VC firm, which invests heavily in the enterprise space and generally keeps a lower media profile, is the big winner across the board here, coming out with an aggregate 20.3% stake in the data management platform, which was last privately valued at $12.4 billion earlier this year. At its last valuation, Sutter Hill’s full stake is worth $2.5 billion. My colleagues Ron Miller and Alex Wilhelm looked a bit at the financials of the IPO filing.

Sutter Hill has been intimately connected to Snowflake’s early build-out and success, providing a $5 million Series A funding back in 2012, the year of the company’s founding, according to Crunchbase.

Now, there are some caveats on that number. Sutter Hill Ventures (aka “the fund”) owns roughly 55% of the firm’s total stake, with the balance owned by other entities owned by the firm’s management committee members. Michael Speiser, the firm’s partner who sits on Snowflake’s board, owns slightly more than 10% of Sutter Hill’s stake directly himself according to the SEC filing.

In addition to Sutter Hill, Sequoia also got a large slice of the data computing company: its growth fund is listed as having an 8.4% stake in the coming IPO. That makes for two Sequoia Growth IPOs today — a nice way to start the week this Monday afternoon.

Finally, Altimeter Capital, which did the Series C, owns 14.8%; ICONIQ owns 13.8%; and Redpoint, which did the Series B, owns 9.0%.

To see the breakdown in returns, let’s start by taking a look at the company’s share price and carrying values for each of its rounds of capital:

On top of that, what’s interesting is that Snowflake broke down the share purchases by firm for the last four rounds (D through G-1) the company fundraised:

That level of detail actually allows us to grossly compare the multiples on invested capital for these firms.

Sutter Hill, despite owning large sections of the company early on, continued to buy up shares all the way through the Series G, investing an additional $140 million in the later-stage rounds of the company. Adding in the entirety of its $5 million Series A round and a bit from the Series B assuming pro rata, the firm is looking on the order of a 16x return (assuming the IPO price is at least as good as the last round price).

Outside Sutter Hill, Redpoint has the best multiple return profile, given that it only invested $60 million in these later-stage rounds while still maintaining a 9.0% ownership stake. Both Sutter Hill and Redpoint purchased roughly 20% of their overall stakes in these later-stage rounds. Doing some rough calculating, Redpoint is looking at a return of about 12-13x.

Sequoia’s multiple on investment is capped a bit given that it only invested in the most recent funding rounds. Its 8.4% stake was purchased for nearly $272 million, all of which came in these late-stage rounds. At Snowflake’s last round valuation of $12.4 billion, Sequoia’s stake is valued at $1.04 billion — a return of slightly less than 4x. That’s very good for mezzanine capital, but nothing like the multiple that Sutter Hill or Redpoint got for investing early.

Doing the same back-of-the-envelope math and Altimeter is looking at a better than 6x return, and ICONIQ got 7x. As before, if the stock zooms up, those returns will look all the better (and of course, if the stock crashes, well…)

One final note: The pattern for these last four funding rounds is unusual for venture capital: Snowflake appears to have “spread the love around,” having multiple firms build up stakes in the startup over several rounds rather than having one definitive lead.

Palo Alto Networks to buy digital forensics consulting firm for $265M

It’s been quite a day in the tech world, with a bushel of S-1s being filed to go public. Not to be left out, the ever acquisitive Palo Alto Networks announced its intent to acquire The Crypsis Group, an incident response, risk management and digital forensics consulting firm, for a crisp $265 million.

Nikesh Arora, chairman and CEO at Palo Alto Networks, sees a company that builds on the foundation of services the cybersecurity giant already provides, giving customers a set of services to lean on when a breach happens.

“By joining forces, we will be able to help customers not only predict and prevent cyberattacks but also mitigate the impact of any breach they may face,” he said. While the kinds of tools that Palo Alto provides are designed to prevent attacks, the fact is no set of tools is foolproof, and it’s always going to be a cat and mouse game between companies like Palo Alto and the attackers trying to breach their defenses.

Crypsis can help figure out how a breach happened and ways to close up the cracks in the foundation to prevent access through that particular weak point in the future. “We have dedicated ourselves to creating a more secure world through the fight against cybercrime. Together with Palo Alto Networks, we will be able to help businesses and governments better respond to threat actors on a global scale,” Bret Padres, CEO of The Crypsis Group said in a statement.

When the deal closes, and The Crypsis Group is in the fold, Palo Alto will gain more than 150 highly trained consultants, who have been handling approximately 1,300 incidents a year. This gives Palo Alto some serious consulting fire power to deal with those times when attackers get through their defenses.

The Crypsis Group has up until now been part of a larger security consultancy called ZP Group. The deal is expected to close in the fiscal first quarter of 2021, which just started when Q4 2020 closed today. Per usual, the acquisition will be subject to regulatory scrutiny, as Palo Alto is a public company.

The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good

This week there were some significant updates on the ongoing collaboration between Binance and the Ukraine Cyber Police. On August 18, the collaborators released new details in a joint press release. Through their combined effort, dubbed “Bulletproof Exchanger”, law enforcement was able to track and ultimately arrest multiple individuals involved in running malicious cryptocurrency exchanges and laundering approximately $42 million in illicit funds. The individuals concerned were heavily involved in launching multiple malicious cryptocurrency exchanges, as well as advertising their services in various dark corners of the internet. The cybercriminals directly assisted ransomware groups and other fraudsters with masking and obfuscating transactions, allowing them to convert their tainted profits into usable currency.

Through the “Bulletproof Exchanger” program, Binance has been able to identify and track data and behaviors that are indicative of these criminal activities (malicious exchanges, transaction cleaning). This effort allowed Binance to build a dynamic database of indicators specific to these actors and their activities. Artifacts such as user traits, DNS events, and blockchain analytical data have all become powerful tools that can be used to counter this sort of criminal activity.

This case marks the first true victory for the “Bulletproof Exchanger” effort. Binance has indicated that they intend to continue to operate and expand the project, stating “Fighting money laundering, ransomware, and other malicious activity is of critical importance to the well-being of the community and industry growth.” At SentinelOne, we could not agree more and applaud and support this ongoing effort.

The Bad

This week, CISA (Cybersecurity and Infrastructure Security Agency) released an updated malware analysis report on the North Korean-backed remote access trojan (RAT) BLINDINGCAN. Malware Analysis Report AR20-232A describes details around the RAT, which is being used to target high-value government contractors and related entities, notably including those in the defense and energy industries.

The malware is being attributed to the North Korean-backed threat actor known variously as Hidden Cobra / Lazarus / APT38. The malware analysis report focuses on malicious documents and DLLs associated with the BLINDINGCAN RAT. The documents are Microsoft Word documents which, upon opening, attempt to connect to an external server to download additional payloads. Both 32- and 64-bit versions of the payloads exist. The documents also initiate keylogging routines and attempt to gather basic system information.

Of note, this is the 12th alert issued by CISA this year. SentinelOne Endpoint Protection is capable of preventing / detecting malicious behavior associated with BLINDINGCAN and artifacts cited in AR20-232A.

The Ugly

The week would not be complete without mention of another high-value ransomware target. Unfortunately, our highlight this week revolves around Carnival cruise lines. In a recent SEC 8-K filing, Carnival disclosed very limited details around the attack. Carnival Corporation also released a joint press release with Carnival plc concerning the ransomware incident, with data nearly identical to that stated in the SEC filing.

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files.”

Promptly upon its detection of the security event, the company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals. While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address the situation and reinforce the security of its information technology systems.

Details around the family of ransomware, or any sort of attribution for that matter, have yet to be publicly disclosed. This attack highlights a few interesting things. First of all, as we know, highly-motivated ransomware operators are still very active and will target their resources wherever they see the most potential for profit and/or disruption.

The other, lesser known, bit here is that remediation becomes a huge hurdle for these types of attacks. The topology of a network like Carnival’s differs quite a bit from that of land-based entities. Having to rely on slower or more segmented networks (as they do with the cruise ships out at sea) can greatly complicate the process of remediation. How do you approach remediation when you can only connect to the ships’ systems during limited times each day? How do you approach remediation when your bandwidth is severely limited? This should serve as a reminder that prevention is absolutely critical. This is especially true at a time when ransomware authors are more innovative, aggressive and greedier than ever.


As the pandemic creates supply chain chaos, Craft raises $10M to apply some intelligence

During the COVID-19 pandemic, supply chains have suddenly become hot. Who knew that would ever happen? The race to secure PPE, ventilators and minor things like food was and still is an enormous issue. But, perhaps predictably, the world of “supply chain software” could use some updating. Most of the platforms are deployed “empty” and require the client to populate them with their own data, or “bring their own data.” The UIs can be outdated and still have to be juggled with manual and offline workflows. So startups working in this space are now attracting some timely attention.

Thus, Craft, the enterprise intelligence company, today announces it has closed a $10 million Series A financing round to build what it characterizes as a “supply chain intelligence platform.” With the new funding, Craft will expand its offices in San Francisco, London and Minsk, and grow remote teams across engineering, sales, marketing and operations in North America and Europe.

It competes with some large incumbents, such as Dun & Bradstreet, Bureau van Dijk and Thomson Reuters. These are traditional data providers focused primarily on providing financial data about public companies, rather than real-time data from data sources such as operating metrics, human capital and risk metrics.

The idea is to allow companies to monitor and optimize their supply chain and enterprise systems. The financing was led by High Alpha Capital, alongside Greycroft. Craft also has some high-flying angel investors, including Sam Palmisano, chairman of the Center for Global Enterprise and former CEO and chairman of IBM; Jim Moffatt, former CEO of Deloitte Consulting; Frederic Kerrest, executive vice chairman, COO and co-founder of Okta; and Uncork Capital, which previously led Craft’s seed financing. High Alpha partner Kristian Andersen is joining Craft’s board of directors.

The problem Craft is attacking is a lack of visibility into complex global supply chains. For obvious reasons, COVID-19 disrupted global supply chains, which tended to reveal a lot of risks, structural weaknesses across industries and a lack of intelligence about how it’s all holding together. Craft’s solution is a proprietary data platform, API and portal that integrates into existing enterprise workflows.

While many business intelligence products require clients to bring their own data, Craft’s data platform comes pre-deployed with data from thousands of financial and alternative sources, such as 300+ data points that are refreshed using both Machine Learning and human validation. Its open-to-the-web company profiles appear in 50 million search results, for instance.

Ilya Levtov, co-founder and CEO of Craft, said in a statement: “Today, we are focused on providing powerful tracking and visibility to enterprise supply chains, while our ultimate vision is to build the intelligence layer of the enterprise technology stack.”

Kristian Andersen, partner with High Alpha commented: “We have a deep conviction that supply chain management remains an underinvested and under-innovated category in enterprise software.”

In the first half of 2020, Craft claims its revenues have grown nearly threefold, with Fortune 100 companies, government and military agencies, and SMEs among its clients.

Box CEO Aaron Levie says thrifty founders have more control

Once upon a time, Box’s Aaron Levie was just a guy with an idea for a company: 15 years ago as a USC student, he conceived of a way to simply store and share files online.

It may be hard to recall, but back then, the world was awash with thumb drives and moving files manually, but Levie saw an opportunity to change that.

Today, his company helps enterprise customers collaborate and manage content in the cloud, but when Levie appeared on an episode of Extra Crunch Live at the end of May, my colleague Jon Shieber and I asked him if he had any advice for startups. While he was careful to point out that there is no “one size fits all” advice, he did make one thing clear:

“I would highly recommend to any company of any size that you have as much control of your destiny as possible. So put yourself in a position where you spend as little amount of dollars as you can from a burn standpoint and get as close to revenue being equal to your expenses as you can possibly get to,” he advised.

Don’t let current conditions scare you

Levie also advised founders not to be frightened off by current conditions, whether that’s the pandemic or the recession. Instead, he said if you have an idea, seize the moment and build it, regardless of the economy or the state of the world. If, like Levie, you are in it for the long haul, this too will pass, and if your idea is good enough, it will survive and even thrive as you move through your startup growth cycle.

FBI, CISA Echo Warnings on ‘Vishing’ Threat

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification,” the alert reads. “In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting — with the end goal of monetizing the access.”

As noted in Wednesday’s story, the agencies said the phishing sites set up by the attackers tend to include hyphens, the target company’s name, and certain words — such as “support,” “ticket,” and “employee.” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk.

The joint FBI/CISA alert (PDF) says the vishing gang also compiles dossiers on employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. From the alert:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

The alert notes that in some cases the unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, the attackers were able to intercept the one-time codes by targeting the employee with SIM swapping, which involves social engineering people at mobile phone companies into giving them control of the target’s phone number.

The agencies said crooks use the vished VPN credentials to mine the victim company databases for their customers’ personal information to leverage in other attacks.

“The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the alert reads. “The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”

The advisory includes a number of suggestions that companies can implement to help mitigate the threat from these vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify web links do not have misspellings or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
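The domain-monitoring and bookmark advice above can be turned into a small triage routine. The following is an added example, not code from the FBI/CISA alert or from KrebsOnSecurity: it scores newly observed domains for the pattern the alert describes (company name plus hyphens plus words such as "support", "ticket" or "employee") and checks a URL against an allowlist of known VPN hosts. The brand "acme", the domain `acme.example` and the feed of domains are all constructed.

```python
"""Lookalike-domain triage for the vishing pattern in the FBI/CISA alert.
Added example; brand, legitimate domains and the sample feed are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Words the alert says attackers combine with the target company's name.
LURE_WORDS = ("support", "ticket", "employee", "helpdesk", "vpn", "sso", "login")


@dataclass
class Finding:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)


def normalize_host(value: str) -> str:
    """Lower-case a feed entry and strip any scheme, path, port or trailing dot."""
    host = value.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host)
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def score_domain(value: str, brand: str, legit_domains: set) -> Finding:
    """Score one domain for the hyphen + company-name + lure-word pattern."""
    host = normalize_host(value)
    finding = Finding(host)
    if host in legit_domains or any(host.endswith("." + d) for d in legit_domains):
        return finding  # the company's own zone is never a lookalike
    # Work on everything left of the last label (crude: no public-suffix list).
    labels = host.split(".")
    name = ".".join(labels[:-1]) if len(labels) > 1 else host
    if brand.lower() in name:
        finding.score += 2
        finding.reasons.append("contains company name")
    if "-" in name:
        finding.score += 1
        finding.reasons.append("hyphenated")
    hits = [w for w in LURE_WORDS if w in name]
    if hits:
        finding.score += 2
        finding.reasons.append("lure word(s): " + ", ".join(hits))
    return finding


def triage(feed, brand: str, legit_domains: set, threshold: int = 4):
    """Return findings at or above the threshold, highest score first."""
    findings = [score_domain(d, brand, legit_domains) for d in feed]
    flagged = [f for f in findings if f.score >= threshold]
    return sorted(flagged, key=lambda f: (-f.score, f.domain))


def is_approved_vpn_url(url: str, approved_hosts: set) -> bool:
    """Bookmark-style check: only an exact HTTPS match to a known VPN host passes.
    Anything else, however plausible it sounds on a phone call, is rejected."""
    parts = urlsplit(url.strip())
    return parts.scheme == "https" and (parts.hostname or "") in approved_hosts


# Constructed sample feed of newly observed domains (not real registrations).
SAMPLE_FEED = [
    "acme-support-vpn.com",
    "employee-acme-ticket.net",
    "vpn.acme.example",  # the company's real VPN host
    "acmesupport.com",
    "weather-today.org",
    "ticket-portal.com",
]
LEGIT_DOMAINS = {"acme.example"}
APPROVED_VPN_HOSTS = {"vpn.acme.example"}

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, "acme", LEGIT_DOMAINS):
        print(f"{f.score}  {f.domain:28} {'; '.join(f.reasons)}")
    for u in ("https://vpn.acme.example/login", "https://acme-support-vpn.com/vpn"):
        verdict = "approved" if is_approved_vpn_url(u, APPROVED_VPN_HOSTS) else "REJECT"
        print(u, "->", verdict)
```

The score threshold is deliberately conservative so a hyphenated domain with a single lure word ("ticket-portal.com") is left for a human to review rather than paged on.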

Defending macOS Against Sophisticated Attacks

Recently, SentinelOne researcher Phil Stokes joined Dave Bittner from CyberWire to discuss macOS security for Recorded Future’s Inside Threat Intelligence podcast. Phil discusses his journey into macOS Security and the recent release of SentinelOne’s free eBook for enterprise macOS Threat Hunting and Incident Response.

Listen to (or read) the full interview below, and get the SentinelOne macOS Threat Hunting and Incident Response eBook here!

170 Defending macOS Against Sophisticated Attacks was automatically transcribed by Sonix. This transcript may contain errors.

This is Recorded Future’s Inside Threat Intelligence for Cyber Security.

Dave Bittner:
Hello, everyone, and welcome to Episode 170 of the Recorded Future podcast, I’m Dave Bittner from the CyberWire. Our guest today is Phil Stokes. He’s a security researcher at SentinelOne, where he specializes in the analysis of attacks against macOS. In our conversation, Phil Stokes shares his professional journey, how he came to focus on the Mac platform, as well as insights on the state of security on Apple’s desktop operating systems. He tracks the growing sophistication of those seeking to attack macOS and provides tips for security professionals looking to bolster their defenses. Stay with us.

Phil Stokes:
I’ve come from a kind of unusual background, I guess, for somebody in cybersecurity, in the sense that I started I mean, I’ve been involved with the Mac platform for something like 15 years or more, but I didn’t really start getting into it in a kind of technical way until about 10 or 11 years ago. And I just started out on Apple’s support forums, troubleshooting, you know, sort of volunteering, troubleshooting advice to people. And after a while, that led me to most of the problems that were coming up back then were or it started to be when we started to see security issues coming up, like adware and things like that. And that sort of in a roundabout way led me to develop my own software to basically deal with all these issues instead of answering people’s questions all the time.
And so for about five or six years, I was developing my own software and doing that. And then about two years ago, I joined SentinelOne.
Basically, they were looking for somebody who had a background in macOS security issues to sort of help with research and somebody who kind of knew the threat scape and had sort of seen it evolve. So that’s kind of how I got to today.

Dave Bittner:
Where do we find ourselves today when it comes to macOS and sort of the state of things when it comes to security? What’s your estimation of where we are?

Phil Stokes:
Generally, the Mac is a safe platform. I don’t think there’s a big argument about that. But I think that the issue really is that there is a malware problem on macOS, which never existed maybe five or six years ago. And it’s actually even escalated again in the last couple of years, I think. And I think part of that is to do with the fact that Macs are now far more often found in business environments where, as you know, they probably weren’t going back those five or six years. They weren’t really a popular business machine. And I think it’s also that, just to use a sort of vague general term, threat actors have realised there is money to be made from Mac users. I think, you know, possibly it comes with the, you know, the development of the iPhone from 2007. But the fact that people now have their Macs connected to so many other devices, they are a rich hunting ground for people who want to gather data, serve adware, and we also have some more targeted actors as well with the business environment. So, I think the situation today really is that there are a lot more threats for Macs than there have ever been before, but I think there’s also not a great awareness of it. If you compare that to, say, Windows, you can ask even the most basic Windows user and they probably know what an AV is or probably know that they need to have Windows Defender turned on or something like that. But with Mac users, I don’t generally get that sense of awareness. You know, there’s this sort of general feeling that, oh, well, it’s a Mac. You know, it’s safe by design. You know, I think that’s something that people really need to have second thoughts about with the kind of threats that we see these days.

Dave Bittner:
It’s my perception from the folks that I’ve talked to that the majority of the malware hitting Mac users seems to be adware, you know. It’s that classic, you know, update your copy of Flash and then something gets installed that shows ads. Is that an accurate perception on my part?

Phil Stokes:
I would say so. I think I wouldn’t like to give figures because I don’t really have the data to back it up. But, you know, it sort of. Off the top of my head, I would say probably 70, 80, maybe even 90 percent of the stuff I actually see on a day to day basis is going to be adware.
And its kind of cousin, which is the stuff we call bundleware, you know, all the kind of potentially unwanted software that gets installed alongside, you know, it says download some software manager and you get like 10 things like MacKeeper and, you know, all these sort of utilities that are not really offering any value that often get installed through hidden or very, very difficult to see checkboxes and things like that. Crypto miners are also a thing. We’ve had LoudMiner and BirdMiner in the last couple of years, so in terms of detections, we see those on the rise quite a lot, and to a much lesser extent, there’s bits of sort of spyware and data stealing stuff. And of course, the things that get the headlines every now and again are, you know, the things like Lazarus or APTs, you know, very, very targeted things that are going after specific users. So, yeah, I mean, I think that’s a fairly accurate way to think about it. In terms of the general user, I think the most threats that they’re looking at are adware and bundleware. The other problem that I see developing is when we look at these adware and bundleware actors, and there’s an actor in the media generally called Shlayer, which has been kind of pretty proactive in the last 18 months or so.
What you see is a lot of interaction between themselves and a lot of swapping. So you get adware that’s also installing bundleware and you get bundleware downloads that are serving up adware. And it’s kind of difficult, actually, a lot of the time to pull apart the different players, you know, all these sort of pay-per-install kind of things. Some of them are themselves serving adware and some of them are serving genuine malware. So. It seems as if there is, you know, a lot of sort of interaction with these guys in terms of helping each other out to. You know, serve this. I mean, I just call the whole lot malware, basically. It’s something that the user doesn’t want and doesn’t know and is not in their interests. And as you know, as far as I’m concerned, you might as well call it all malware. The number of these things is what’s really quite shocking when you look at just how much more of this is occurring. It is more this year than it was last year, you know, almost exponentially. And there seem to be more players as well.

Dave Bittner:
Well, so you and your team recently published an ebook, and among the things you focused on were incident response and threat hunting on macOS. Can you take us through, share with us some of the insights that are in that e-book when it comes to those topics?

Phil Stokes:
Our idea with the e-book was really in a sense was that, you know, we deal with a lot of SOC teams, security operations centers that are very familiar with Windows. And I know that, you know, they know their way around all the Windows devices, but maybe they’ve got, you know, a very small percentage of Macs in their fleet. And this is not necessarily a topic that they’re very familiar with. So what we wanted to do was basically produce a book that would guide them through, you know, how do you triage a Mac device that comes into, you know, the IT team or the SOC team? And it looks like it’s either had malware on it or could have malware on it or, you know, been behaving in some way that’s suspicious. So basically, the idea is to try to educate people who are not familiar with Macs about all the different places and the different ways that malware can get itself inside a Mac device. So we talk particularly about persistence agents in the ebook. That’s for me, when I’m trying to triage a machine, the first thing I want to look at is what is the persistence mechanism? Because 99 percent of all malware is going to have some way that it wants to stay on the system. So we talk about all the different persistence mechanisms that are possible on a Mac. So there’s kind of a whole chapter on that. And then we talk about how to actually look at a Mac and determine whether it’s been manipulated in some way.

So that might be, of course, looking at running processes that are actually live at the time but also looking at historical things. How do you investigate the file system on a Mac? It’s not the same as on a Windows device, obviously. How do you check what the network configuration is and has it been manipulated in any way? And Macs, ah, I mean, Macs are special in one very specific way that’s different from all other computing devices in the sense that the hardware and software is all built by the same people. So there is this huge integration that you don’t see on Windows devices, you don’t see on Linux devices. And for that reason, there are lots of things hidden away that the operating system knows that you can find out about the history. And many people don’t know about these things. Lots of hidden SQLite databases, lots of little obscure utilities that only exist on macOS, even though Mac is a Unix based system or Unix type system, with lots of command-line utilities that you won’t find on Linux or a Unix based system. So, you know, we try to talk through all these various different tools and databases that are useful. If you want to basically find out what’s happened on the system and where can I find evidence that the system has been manipulated.

Dave Bittner:
So what are your recommendations for folks who are out there and have, you know, a fleet of machines that they’re charged with looking after? Perhaps they have a handful of Macs, perhaps they have a lot of Macs. And any suggestions towards the wisdom?

Phil Stokes:
Sure. Well, I think, you know, the main thing that you need, especially if you’re talking about, you know, a business, enterprise situation, the main thing that you need is visibility, because the one thing that you don’t get, I don’t know Windows, I don’t know if it’s true there, the one thing that you don’t get on a Mac is any way to be able to tell what’s going on in an easy way. For example, I mean, if you thought you had malware, or I often have this conversation with people where they just say, oh, you know, my Mac’s great, it never gets any infections. And I say, so how do you know? How would you check? What tool would you use that could give you that confidence? And normally, you know, if people know anything about the Mac, the only thing they’ll know is like, well, I can open up Activity Monitor. And I’m like, yeah, but, you know, there’s crypto miners that go to sleep when you open up Activity Monitor for macOS, you know, the program to do exactly that. So, you know, this is, I mean, Apple have their own sort of built-in security tools, OK? But they leave a lot of gaps. And one of the main things that they don’t have is they don’t offer, if you’re in IT, if you’re an admin, they don’t offer you any visibility into what’s going on.

So I think you need some kind of software that’s going to be able to give you that visibility that you’re going to be able to easily look at. How is this machine different today than it was yesterday? What’s happened on this machine if you find, you know, some suspicious launch agent or something, where did it come from? How do I see what it’s connected to? So, you know, my main advice is that, I mean, there’s lots of solutions out there that can do this. And this is one of the things that, as I said earlier, I originally started out as a software developer. And this is one of the things that I developed. But the point is to ask yourself the question and then go find out the answer. How would I find out if my Mac had malware? That would be my first piece of advice. My second piece of advice would be to think about again, if you’re thinking more about IT teams and admins, think about how do you control what your users do? Because almost all malware, 99 percent of it, is coming through user interaction. Certainly, on the Mac, I can’t speak for other platforms, but on the Mac, you know, there might be some rare case where, you know, an APT actor steals your laptop and inserts something on the book, you know, on the logic board. But in reality, 99 percent of malware is coming through user interaction.

The user is downloading something, as you were talking about before, being convinced that they need some fake Flash Player update. So the question is, how can you, one, see what users are doing and, two, how can you control them? And, you know, there’s various things you can do in terms of controlling devices. You can... Apple have this MDM platform and there’s third party solutions like Jamf and Fleetsmith, where you can control various aspects of what users can change from a sort of admin perspective. And I think that’s, you know, certainly in an enterprise environment, I think that’s important. Of all of your security posture, because. The thing with Macs is that almost every user by default is an admin user, and as soon as you download something and run it as an admin user, if it’s not a sandboxed app, you know, from the App Store, the process has an enormous power to do things without you knowing what it’s doing, so it comes back to what I was saying earlier about visibility, but also, you know, if you’re looking at it from a SOC or IT team perspective, you really want to be thinking about how can you get some kind of control to stop people infecting themselves, basically? And the last thing I would just say is, I think this is a big one, and it comes back to where I started, I think is user education, because as I say, you know, Windows users have kind of got the idea that there are threats there, that they need to have Windows Defender running or whatever, you know, and I think Mac users haven’t got there yet.
I think there’s a very wide, I see this even with, you know, some of the thought leaders or influencers on Twitter and various social media platforms. Now, they will argue that, oh, there’s no real malware for macOS. And, you know, nobody needs security software. And, you know, how would you know if you had some? So I think just this idea that, you know, it’s not a myth anymore, that there is, you can go on VirusTotal and just, you know, for those that have access to it, you can just do a search tag for Mach-O and just see how many new malware samples are going up on a repository like VirusTotal every day. So, you know, people just need to be aware that, yeah, you can be safe if you are educated. As you say, there’s a lot of the adware and stuff that we see there is just manipulating users who, you know, just don’t know better. They trust stuff and they just need to know that, you know, the situation has changed. It’s not necessarily a trustworthy world out there.

Dave Bittner:
What are your thoughts as Apple has announced that they’re going to be shifting to ARM chips? Is it a shift you’re looking forward to? What do you think we’re in for?

Phil Stokes:
Yeah, I, I don’t know. Actually I am personally. I’m looking forward to it. As I told you, you know, I started off with Acorn RISC Machines and that’s basically where ARM itself comes from.
So this is reduced instruction set CPUs, right. So as a reverse engineer, I’m absolutely. Yeah. Let’s, you know, let’s go. This is great stuff. So great to get away from Intel. But I don’t know. I mean, you know, in terms of your listeners, I don’t know yet at this point. I think it’s too early to say what that will mean in terms of, you know, the security situation. It’s fairly clear with Big Sur and 10.16 or 11, whichever they finally decide on, it’s fairly clear that there’s a lot more lockdown coming.
You know, they’re locking down the, there’s COL integrity protection coming. They’re locking down the system volume so much now that you won’t even need FileVault on it.
So it’s clear that, you know, Apple have got this whole concept, if you like, of philosophy about locking down the system, and things like notarization that came in in 10.14, I think, are all part of that. How that transitions into ARM kind of remains to be seen. Sorry, I could be much more informative at the moment, but we don’t have that much info on it. Yeah. So quite recently we saw one of the very few instances of ransomware on the Mac and it was kind of very unusual ransomware in the sense that it never really looked like the threat actors were that serious about making money and in fact, from our investigation, didn’t look like they made any money whatsoever. But the threat itself was interesting as a development because they actually included multiple different kinds of capabilities. In fact, all the kinds of capabilities that you typically associate with Windows malware. So there’s a back door in there. You know, there was spyware, data exfiltration stuff in there, there was privilege escalation in there, as well as the actual ransomware component, you know, that got all the headlines. And that to me and to my colleagues was something, what struck us mostly about that was. Just how developed now these actors are becoming on the Mac platform, I mean, a few years ago.
Anything that you saw on a Mac was very poorly conceived and it was clear that the developers probably didn’t come from a Mac background. And I think now that that particular item was called EvilQuest or ThiefQuest, I think it was finally named. That particular piece of malware was clearly developed by people who were Mac developers. And the same story with the recent Lazarus. We did a post recently on four different families of Lazarus malware, and I think Kaspersky had done one on a framework as well a week before that they attributed to Lazarus. And again, when you look at the code underneath, you know, from a reverse engineering standpoint, you can see that these are not developers from another platform who are just trying to pull something over. You know, these are Mac developers. These are people that know Apple’s APIs and Apple’s coding languages inside out. And they’re using everything from basic C libraries to Objective-C to Swift and, you know, the whole gamut of things that are available for Mac developers. So this, again, is part of my perception that I think the whole malware scene on Mac is, what we can see, that it has increased over the last few years. But I think it is developing as well. And as Apple develop their responses, it’s clear that there are teams, threat actors that are out there that are, you know, responding in kind. So I think this is a problem that, you know, it’s not going to go away with a quick solution from Apple changing, you know, some technology on their side. I think that the threat actors are heavily invested in the platform.

Dave Bittner:
Our thanks to Phil Stokes from SentinelOne for joining us. Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. You can find that at recordedfuture.com/intel. We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes coordinating producer Caitlin Mattingly, executive producer Greg Barrette. The show is produced by the CyberWire with executive editor Peter Kilpe. And I’m Dave Bittner. Thanks for listening.
