Q-CTRL raises $15M for software that reduces error and noise in quantum computing hardware

As hardware makers continue to work on ways of making wide-scale quantum computing a reality, a startup out of Australia that is building software to help reduce noise and errors on quantum computing machines has raised a round of funding to fuel its U.S. expansion.

Q-CTRL is designing firmware for computers and other machines (such as quantum sensors) that perform quantum calculations. The firmware identifies the potential for errors, making the machines more resistant and able to stay working for longer (the Q in its name is a reference to qubits, the basic building block of quantum computing).

The startup is today announcing that it has raised $15 million, money that it plans to use to double its team (currently numbering 25) and set up shop on the West Coast, specifically Los Angeles.

This Series A is coming from a list of backers that speaks to the startup’s success to date in courting quantum hardware companies as customers. Led by Square Peg Capital — a prolific Australian VC that has backed homegrown startups like Bugcrowd and Canva, but also those further afield such as Stripe — it also includes new investor Sierra Ventures as well as Sequoia Capital, Main Sequence Ventures and Horizons Ventures.

Q-CTRL’s customers are some of the bigger names in quantum computing and IT, such as Rigetti, Bleximo and Accenture, among others. IBM — which earlier this year unveiled its first commercial quantum computer — singled it out last year for its work in advancing quantum technology.

The problem that Q-CTRL is aiming to address is basic but arguably critical to solving if quantum computing ever hopes to make the leap out of the lab and into wider use in the real world.

Quantum computers and other machines like quantum sensors, which are built on quantum physics architecture, are able to perform computations that go well beyond what can be done by normal computers today, with the applications for such technology including cryptography, biosciences, advanced geological exploration and much more. But quantum computing machines are known to be unstable, in part because of the fragility of the quantum state, which introduces a lot of noise and subsequent errors, which results in crashes.

As Frederic pointed out recently, scientists are confident that this is ultimately a solvable issue. Q-CTRL is one of the hopefuls working on that, by providing a set of tools that runs on quantum machines, visualises noise and decoherence and then deploys controls to “defeat” those errors.

Q-CTRL currently has four products it offers to the market: Black Opal, Boulder Opal, Open Controls and Devkit — aimed respectively at students/those exploring quantum computing, hardware makers, the research community and end users/algorithm developers.

Q-CTRL was founded in 2017 by Michael Biercuk, a professor of Quantum Physics & Quantum Technology at the University of Sydney and a chief investigator in the Australian Research Council Centre of Excellence for Engineered Quantum Systems, who studied in the U.S., with a PhD in physics from Harvard.

“Being at the vanguard of the birth of a new industry is extraordinary,” he said in a statement. “We’re also thrilled to be assembling one of the most impressive investor syndicates in quantum technology. Finding investors who understand and embrace both the promise and the challenge of building quantum computers is almost magical.”

Why choose Los Angeles for building out a U.S. presence, you might ask? Southern California, it turns out, has shaped up to be a key area for quantum research and development, with several of the universities in the region building out labs dedicated to the area, and companies like Lockheed Martin and Google also contributing to the ecosystem. This means a strong pipeline of talent and conversation in what is still a nascent area.

Given that it is still early days for quantum computing technology, that gives a lot of potential options to a company like Q-CTRL longer-term: The company might continue to build a business as it does today, selling its technology to a plethora of hardware makers and researchers in the field; or it might get snapped up by a specific hardware company to integrate Q-CTRL’s solutions more closely onto its machines (and keep them away from competitors).

Or, it could make like a quantum particle and follow both of those paths at the same time.

“Q-CTRL impressed us with their strategy; by providing infrastructure software to improve quantum computers for R&D teams and end-users, they’re able to be a central player in bringing this technology to reality,” said Tushar Roy, a partner at Square Peg. “Their technology also has applications beyond quantum computing, including in quantum-based sensing, which is a rapidly-growing market. In Q-CTRL we found a rare combination of world-leading technical expertise with an understanding of customers, products and what it takes to build an impactful business.”

Latest Adobe tool helps marketers work directly with customer journey data

Adobe has a lot going on with Analytics and the Customer Experience Platform, a place to gather data to understand customers better. Today, it announced a new analytics tool that enables employees to work directly with customer journey data to help deliver a better customer experience.

The customer journey involves a lot of different systems, from a company data lake to CRM to point of sale. This tool pulls all of that data together from across multiple systems and various channels and brings it into the data analysis workspace, announced in July.

Nate Smith, group manager for product marketing for Adobe Analytics, says the idea is to give access to this data in a standard way across the organization, whether it’s a data scientist, an analyst with SQL skills or a marketing pro simply looking for insight.

“When you think about organizations that are trying to do omni-channel analysis or trying to get that next channel of data in, they now have the platform to do that, where the data can come in and we standardize it on an academic model,” he said. They then layer this ability to continuously query the data in a visual way to get additional insight they might not have seen.

Adobe is trying to be as flexible as possible in every step of the process, and openness was a guiding principle here, Smith said. That means that data can come from any source, and users can visualize it using Adobe tools or an external tool like Tableau or Looker. What’s more, they can get data in or out as needed, or even use their own models, Smith said.

“We recognize that as much as we’d love to have everyone go all in on the Adobe stack, we understand that there is existing significant investment in other tech and that integration and interoperability really needs to happen, as well,” he said.

Ultimately this is about giving marketers access to a full picture of the customer data to deliver the best experience possible based on what you know about them. “Being able to have insight and engagement points to help with the moments that matter and provide great experience is really what we’re aiming to do with this,” he said.

This product will be generally available next month.

New investment firm wants to change the way we fund early stage companies — from New Hampshire

The three founders of York IE have a vision about how to change the way early stage startups get funding. They have experience shattering norms, having built a successful startup, Dyn, in Manchester, New Hampshire, which is not exactly a hot-bed of startup activity.

The founders want to take that same spirit and apply it to investing, while maintaining its headquarters in New Hampshire (and Boston). In fact, the three founders — Kyle York, Joe Raczka and Adam Coughlin — were early Dyn employees and helped build it to $30 million in ARR before taking a dime in venture funding. They went on to raise $100 million before being acquired by Oracle in 2016. They believe they can apply the lessons that they learned to other early stage startups.

“We think, especially in B2B and SaaS, there is a way to build a scalable, effective and efficient business without chasing massive fund raises, diluting your company, bringing on traditional venture investors and chasing those kind of on-paper vanity metrics,” company CEO and co-founder Kyle York told TechCrunch.

For the past five years, while working at Oracle after the acquisition, the founders have been testing their theories while advising startups and acting as angel investors. They believed it was time to take all of those learnings and apply it to their own firm.

“I started thinking about how to transition out of Oracle, and what I wanted to do from a career perspective and we wanted to build a modern investment firm less focused on how to deploy as much capital as possible for the limited partners, and more on working with the entrepreneurs to help coach them on a path to success,” York said.

The company still wants to act as investors, and to make money along the way, but they want to help build more solid, grounded companies. York says that they want founders to truly understand that they are selling a part of their company in exchange for those dollars, and that it makes sense to have a strong foundation before taking on money.

York wants to change this culture of fund raising for fund raising’s sake. He acknowledges that some companies with deep tech or deep infrastructure require that kind of substantial up-front investment to get off the ground, but SaaS companies are supposed to be able to take advantage of modern technology to build companies more easily, and he wants to see them build solid companies first and foremost.

“The goal shouldn’t be to raise more capital. The goal should be to build a healthy, successful, scalable company,” he said.

To put their money where their mouth is, the new firm will not take management fees. “We are investing like a normal investor and coming through with an equity position, but we are betting on the future. In essence, if the startup wins, then we win.”

Snyk grabs $70M more to detect security vulnerabilities in open-source code and containers

A growing number of IT breaches has led to security becoming a critical and central aspect of how computing systems are run and maintained. Today, a startup that focuses on one specific area — developing security tools aimed at developers and the work they do — has closed a major funding round that underscores the growth of that area.

Snyk — a London and Boston-based company that got its start identifying and developing security solutions for developers working on open-source code — is today announcing that it has raised $70 million, funding that it will be using to continue expanding its capabilities and overall business. For example, the company has more recently expanded to building security solutions to help developers identify and fix vulnerabilities around containers, an increasingly standard unit of software used to package up and run code across different computing environments.

Open source — Snyk works as an integration into existing developer workflows, compatible with the likes of GitHub, Bitbucket and GitLab, as well as CI/CD pipelines — was an easy target to hit. It’s used in 95% of all enterprises, with up to 77% of open-source components liable to have vulnerabilities, by Snyk’s estimates. Containers are a different issue.

“The security concerns around containers are almost more about ownership than technology,” Guy Podjarny, the president who co-founded the company with Assaf Hefetz and Danny Grander, explained in an interview. “They are in a twilight zone between infrastructure and code. They look like virtual machines and suffer many of the same concerns such as being unpatched or having permissions that are too permissive.”

While containers are present in fewer than 30% of computing environments today, their growth is on the rise, according to Gartner, which forecasts that by 2022, more than 75% of global organizations will run containerized applications. Snyk estimates that a full 44% of Docker image scans (Docker being one of the major container vendors) have known vulnerabilities.

This latest round is being led by Accel with participation from existing investors GV and Boldstart Ventures. These three, along with a fourth investor (Heavybit) also put $22 million into the company as recently as September 2018. That round was made at a valuation of $100 million, and from what we understand from a source close to the startup, it’s now in the “range” of $500 million.

“Accel has a long history in the security market and we believe Snyk is bringing a truly unique, developer-first approach to security in the enterprise,” Matt Weigand of Accel said in a statement. “The strength of Snyk’s customer base, rapidly growing free user community, leadership team and innovative product development prove the company is ready for this next exciting phase of growth and execution.”

Indeed, the company has hit some big milestones in the last year that could explain that hike. It now has some 300,000 developers using it around the globe, with its customer base growing some 200% this year and including the likes of Google, Microsoft, Salesforce and ASOS (side note: you know that if developers at developer-centric places themselves working at the vanguard of computing, like Google and Microsoft, are using your product, that is a good sign). Notably, that has largely come by word of mouth — inbound interest.

The company in July of this year took on a new CEO, Peter McKay, who replaced Podjarny. McKay was the company’s first investor and has a track record in helping to grow large enterprise security businesses, a sign of the trajectory that Snyk is hoping to follow.

“Today, every business, from manufacturing to retail and finance, is becoming a software business,” said McKay. “There is an immediate and fast growing need for software security solutions that scale at the same pace as software development. This investment helps us continue to bring Snyk’s product-led and developer-focused solutions to more companies across the globe, helping them stay secure as they embrace digital innovation – without slowing down.”

Payments giant Stripe debuts a credit card in its latest step into the financing fray

Last week, when the popular payments startup Stripe made some waves with its first move into money lending through the launch of Stripe Capital, we reported that the company was also soon going to be launching a credit card. Now, that news is official. Today, the company is doubling down on financing with the launch of corporate cards for business customers.

Announced officially today to coincide with the company’s developer event Stripe Sessions, the Stripe Corporate Card — as the product is officially called — is a Visa that will be open to businesses that are incorporated in the U.S., although they can operate elsewhere.

Notably, users are expected to pay their balance in full each month, so for now there is no interest rate, or fee, to use the card, with Stripe making its money by way of the interchange fee that comes with every transaction using the card.

“We’re not freezing cards based on late or no payments,” Cristina Cordova, the business lead overseeing the launch, said in an interview. “A pretty common reason for non-payment is that a person switched bank accounts and forgot to update the information. But we think we’ll have fewer problems because we have banking information for accepting revenue, by way of our payments business.”

The move is another major step ahead for Stripe as it continues to diversify its business and bring on more financial products to become a one-stop shop for e-commerce and other companies for all the transactions they might need to make in the course of their lives. It is a little ironic that it’s taken years for credit cards to get added into the mix, considering Stripe’s earliest homepages and marketing efforts were built around the design of a credit card (a reference to taking payments online, not issuing credit, of course).

In any case, the list of products now offered by Stripe is long — longer, you might say, than it takes to incorporate a Stripe service into a developer workflow. In addition to its API-based flagship payments product — which is available as a direct service or, via Stripe Connect, for third parties via marketplaces and other platforms — it offers billing and invoicing, in-person payment services (via Terminal), business analytics, fraud prevention on transactions (Radar), company incorporation (Atlas) and a range of content around business strategy.

Some of these Stripe products are free to use, and some come at a price: The main point for offering them together is to build more engagement and loyalty from customers to keep them from migrating to other services. In that regard, credit cards are a cornerstone of how businesses operate, to handle day-to-day expenses in a more accountable way, and this is an area that is already well-served by others, including startups like Brex but also a plethora of challenger and traditional banks. So as much as anything else, this is a clear move to help stave off competition.

At the same time, it underscores how Stripe is leveraging the huge amount of data that it has amassed about its users and payments on the platform: It’s not just about enabling single services, but about using the byproducts of those services — data — to put fuel into new products.

Today, to underscore its global ambitions in that regard, Stripe is adding some expansions to several of its existing products. For example, it will now allow businesses to make payouts in local currencies in 45 countries (an important detail, for example, for marketplaces and network-based companies like ridesharing businesses).

The credit card product will follow a model similar to that of Stripe Capital. As with the lending product, there is a single bank issuing the credit and the card. Amber Feng, head of financial infrastructure for Stripe, confirmed to me that it is actually the same bank that’s providing the cash behind Stripe Capital. Stripe is still declining to name the bank itself, but hints that we may hear more about it soon, which leads me to wonder what news might be coming next.

(Funding perhaps would make sense? The company has raised a whopping $785 million to date and has a valuation of $22.5 billion at the moment. Given that Stripe has made indications that a public listing is not on the cards soon, that might imply, with the launch of these new financing products, that more capital might be raised soon.)

Also similar to Stripe Capital, the underwriting of the card is based on Stripe data. That is to say, business users are verified and approved based on turnover (revenues) as measured by the Stripe payments platform itself; and in cases where applicants are “pre-revenue,” they can be evaluated based on other data sources. For example, if they have used Stripe Atlas to incorporate their businesses, the paperwork supplied for that is used by Stripe to vet the customer’s suitability for a credit card.  

Notably, the cards will be delivered in the spirit of instant gratification: If you are applying and get approved, you can within minutes download a virtual card to your Apple Wallet as you await the physical card to arrive in the post.

Stripe is big on data in its own business, and it’s bringing some of that into this product with spending controls that can be set by person and by category; real-time expense reporting by way of texts; rewards of 2% back on spending in the business’s most-used categories; and integration with financial software like QuickBooks and Expensify.

Work Life Ventures raises $5M for debut enterprise SaaS seed fund

Brianne Kimmel had no trouble transitioning from angel investor to general partner.

Initially setting out to garner $3 million in capital commitments, Kimmel, in just two weeks’ time, closed on $5 million for her debut venture capital fund Work Life Ventures. The enterprise SaaS-focused vehicle boasts an impressive roster of limited partners, too, including the likes of Zoom chief executive officer Eric Yuan, InVision CEO Clark Valberg, Twitch co-founder Kevin Lin, Cameo CEO Steven Galanis, Andreessen Horowitz general partners Marc Andreessen and Chris Dixon, Initialized Capital GP Garry Tan and fund-of-funds Slow Ventures, Felicis Ventures and NFX.

At the helm of the new fund, Kimmel joins a small group of solo female general partners: Dream Machine’s Alexia Bonatsos is targeting $25 million for her first fund; Day One Ventures’ Masha Drokova raised an undisclosed amount for her debut effort last year; and Sarah Cone launched Social Impact Capital, a fund specializing in impact investing, in 2016, among others.

Meanwhile, venture capital fundraising is poised to reach all-time highs in 2019. In the first half of the year, a total of $20.6 billion in new capital was introduced to the startup market across more than 100 funds.

For most, the process of raising a successful venture fund can be daunting and difficult. For well-connected and established investors in the Bay Area, like Kimmel, raising a fund can be relatively seamless. Given the speed and ease of fund one in Kimmel’s case, she plans to raise her second fund with a $25 million target in as little as 12 months.

“The desire for the fund is to take a step back and imagine how do we build great consumer experiences in the workplace,” Kimmel tells TechCrunch.

Kimmel has been an active angel investor for years, sourcing top enterprise deals via SaaS School, an invite-only workshop she created to educate early-stage SaaS founders on SaaS growth, monetization, sales and customer success. Prior to launching SaaS School, which will continue to run twice a year, Kimmel led go-to-market strategy at Zendesk, where she built the Zendesk for Startups program.

 

“You start by advising, then you start with very small angel checks,” Kimmel explains. “I reached this inflection point and it felt like a great moment to raise my own fund. I had friends like Ryan Hoover, who started Weekend Fund focused on consumer, and Alexia is one of my friends as well and I saw what she was doing with Dream Machine, which is also consumer. It felt like it was the right time to come out with a SaaS-focused fund.”

Emerging from stealth today, Work Life Ventures will invest up to $150,000 per company. To date, Kimmel has backed three companies with capital from the fund: Tandem, Dover and Command E. The first, Tandem, was amongst the most coveted deals in Y Combinator’s latest batch of companies. The startup graduated from the accelerator with millions from Andreessen Horowitz at a valuation north of $30 million.

Dover, another recent YC alum, provides recruitment software and is said to be backed by Founders Fund in addition to Work Life. Command E, currently in beta, is a tool that facilitates search across multiple desktop applications. Kimmel is also an angel investor in Webflow, Girlboss, TechCrunch Disrupt 2018 Startup Battlefield winner Forethought, Voyage and others.

Work Life is betting on the consumerization of the enterprise, or the idea that the next best companies for modern workers will be consumer-friendly tools. In her pitch deck to LPs, she cites the success of Superhuman and Notion, a well-designed email tool and a note-taking app, respectively, as examples of the heightened demand for digestible, easy-to-use B2B products.

“The next generation of applications for the workplace sees people spinning out of Uber, Coinbase and Airbnb,” Kimmel said. “They’ve faced these challenges inside their highly efficient tech company so we are seeing more consumer product builders deeply passionate about the enterprise space.”

But Kimmel doesn’t want to bury her thesis in jargon, she says, so you won’t find any B2B lingo on Work Life’s website or Instagram.

She’s focusing her efforts on a more important issue often vacant from conversations surrounding investment in the future of work: diversity & inclusion.

Kimmel meets with every new female hire of her portfolio companies. Though it’s “increasingly non-scalable,” she admits, it’s part of a greater effort to ensure her companies are thoughtful about D&I from the beginning: “Because I have a very focused fund, it’s about maintaining this community and ensuring that people feel like their voices are heard,” she said.

“I want to be mindful that I am a female GP and I feel [proud] to have that title.”

HashiCorp announces fully managed service mesh on Azure

Service mesh is just beginning to take hold in the cloud native world, and as it does, vendors are looking for ways to help customers understand it. One way to simplify the complexity of dealing with the growing number of service mesh products out there is to package it as a service. Today, HashiCorp announced a new service on Azure to address that need, building it into the Consul product.

HashiCorp co-founder and CTO Armon Dadgar says it’s a fully managed service. “We’ve partnered closely with Microsoft to offer a native Consul [service mesh] service. At the highest level, the goal here is, how do we make it basically push button,” Dadgar told TechCrunch.

He adds that there is extremely tight integration in terms of billing and permissions, as well as other management functions, as you would expect with a managed service in the public cloud. Brendan Burns, one of the original Kubernetes developers, who is now a distinguished engineer at Microsoft, says the HashiCorp solution really strips away a lot of the complexity associated with running a service mesh.

“In this case, HashiCorp is using some integration into the Azure control plane to run Consul for you. So you just consume the service mesh. You don’t have to worry about the operations of the service mesh,” Burns said. He added, “This is really turning it into a service instead of a do-it-yourself exercise.”

Service meshes are tools used in conjunction with containers and Kubernetes in a dynamic cloud native environment to help micro services communicate and interoperate with one another. There is a growing number of them including Istio, Envoy and Linkerd jockeying for position right now.

Burns makes it clear that while Microsoft is working closely with HashiCorp on this project, it’s also working with other vendors, as well. “Our goal with the service mesh interface specification was really to let a lot of partners be successful on the platform. You know, there’s a bunch of different service meshes. It’s a place where we feel like there’s a lot of evolution and experimentation happening, so we want to make sure that our customers can find the right solution for them,” Burns explained.

The HashiCorp Consul service is currently in private Beta.

HashiCorp expands Terraform free version, adds paid tier for SMBs

HashiCorp has had a free tier for its Terraform product in the past, but it was basically for a single user. Today, the company announced it was expanding that free tier to allow up to five users, while also increasing the range of functions that are available before you have to pay.

“We’re announcing a pretty large expansion of the Terraform Cloud free tier. So many of the capabilities that used to be exclusively in our Terraform enterprise product, we’re now bringing down into the Terraform free tier. It allows you to do central actual execution of Terraform and apply the full lifecycle as part of the free tier,” HashiCorp co-founder and CTO Armon Dadgar explained.

In addition, the company announced a middle tier aimed at SMBs. Dadgar says the new pricing tier helped address some obvious gaps in the pricing catalog for a large set of users who outgrew the free product yet weren’t ready for the enterprise version.

“We were seeing a lot of friction with our SMB customers trying to figure out how to go from one-user Terraform to a team of five people or a team of 20 people. And I think the challenge was that we had the enterprise product, which in terms of deployment and pricing, is really geared toward Global 2000 kinds of companies,” Dadgar told TechCrunch.

He said this left a huge gap for smaller teams of between five and 100 users, which forced those teams to kludge together solutions to fit their requirements. The company thought it would make more sense to have a paid tier specifically geared for this group that would create a logical path for all users on the platform, while solving a known problem.

“It’s a logical path, but it also just answers the constant questions on forums and mailing lists regarding how to collaborate [with smaller teams]. Before, we didn’t have a prescriptive answer, and so there was a lot of DIY, and this is our attempt at a prescriptive answer of how you should do this,” he said.

Terraform is the company’s tool for defining, deploying and managing infrastructure as code. There is an open-source product, an on-prem version and a SaaS version.

Threat Actor Basics: Understanding the 5 Main Threat Types

Protecting the business in today’s cybersecurity climate is all about staying up-to-date. Up-to-date with your security technology, up-to-date with security patches and up-to-date with the tools, techniques and procedures of different threat actors. In this post, we take a look at the five main threat types, how these adversaries operate and how you can defend against them.

1. Organized Crime – Making Money from Cyber

The number one threat for most organizations at present comes from criminals seeking to make money. Whether it’s theft and subsequent sale of your data, flat out ransomware or stealthy, low-risk/low-return cryptojacking, criminals have been quick to adapt themselves to the opportunities for illicit moneymaking via the online world. There are digital equivalents of pretty much any ‘analog’ financial crime you care to think of, from kidnapping to bank robbery, and there’s a double pay-off for the criminally-inclined: digital crime offers far greater rewards and much lower risks.

The low-risk factor is due both to the ability of criminals to hide their activity online and the ease of money laundering thanks to the rise of digital currencies. There are apparently over 17000 “Bitcoin millionaires” – addresses that hold more than $1 million worth of bitcoin – according to one report. As the value of bitcoin is currently on the rise again, expect to see some of those starting to cash out.

In the first 6 months of 2019, ransomware attacks have nearly doubled and business email compromises are up over 50% from the previous six months. It’s not just the multinationals and famous names that are under attack either. Organizations from local governments to SMEs all represent soft targets for an increasingly experienced and well-equipped cybercrime underworld. Malware and ransomware kits are widely traded on the dark net and the impact is being felt. In the UK, 24% of SMEs reported an attack or cyber incident last year, amounting to a combined loss of over $10m.

How To Protect Against Criminals

To protect yourself from external threats like criminals, it is essential that your network and endpoints are protected by a modern, multi-layered intrusion detection and response solution. As proven by the number of successful attacks that hit the media on a weekly basis, the AV Suites of the past are simply antiquated and not up to the job of defeating well-funded cyber criminals armed with sophisticated tools. A modern solution should be able to detect anomalous behavior both pre-execution and on-execution and should have simple remediation and rollback capabilities to deal with ransomware and other threats.

Along with that, it’s important that you patch vulnerabilities in a timely fashion. Criminals will soon jump on flaws like BlueKeep and although solutions like SentinelOne can detect exploitation of known vulnerabilities, timely patching is one more layer of defense that may persuade an attacker to look for an easier target.

An incident response plan is also a vital part of your security posture. Be sure that appropriate staff know what to do and who to contact in the event of a breach.

2. APT – Industrial Spies, Political Manipulation, IP Theft & More

Advanced persistent threat groups have become increasingly active as an estimated 30 nations wage cyber warfare operations on each other’s political, economic, military and commercial infrastructure.

APT groups have proliferated in recent years, and tracking them is complicated. Groups may have common members and toolsets, making attribution difficult and often impossible. Added to that is the fact that security vendors do not use a common classification scheme, leading to a snowball of different labels for each group. Ever heard of Longhorn, Housefly or Tilded Team? Probably not, but they are all names for what is more commonly known as the USA’s ‘Equation Group’. A useful public document is maintained that tries to make sense of these different actors, their classifications and their activities.

Although APTs are primarily engaged in activities that benefit the interests of one country or countries over another, businesses can easily get caught in the crossfire, too. Whether it’s a nation-state that wants your IP for their own use, cyber weapons like Stuxnet that escape into the wild or weaponized zero-day vulnerabilities like EternalBlue, APT activity can have a dramatic impact on a business.

APTs aren’t shy about straight-up financial theft either. North Korean APT groups like Lazarus (aka ‘Hidden Cobra’) have been engaged in SWIFT-related bank heists as well as targeting bitcoin exchanges.

Middle East actor ‘Syrian Electronic Army’ was widely held responsible for causing a $200 billion loss on the Dow Jones stock exchange after an attack on the Twitter account of the Associated Press. The hackers caused the stock market panic after using the hijacked account to tweet about a fake bomb attack at the White House, stating “Breaking: Two explosions in the White House and Barack Obama is injured”.

How To Protect Against APTs

Defending against targeted attacks from APT groups requires similar defensive strategies to those mentioned above, but on top of that, ensure that your security risk assessment includes consideration of what assets your company may possess that would be attractive to nation states. Look at the TTPs of groups that might have an interest in your organization and devise suitable strategies around those.

For all external threat actors, be sure that employees are following safe password procedures and are aware of phishing techniques.

3. Insider Threats – Malicious Intent, Incompetence, Negligence

When valued employees go ‘off the reservation’, the impact to an organization can be devastating, and potentially far more catastrophic than the relentless attempts of external threat actors. It’s common to think of insider threats as being a risk due to malicious intent, but as we’ve pointed out recently, negligence and unintentional errors can be as much, if not more, of a factor. Financial institutions like HSBC and Wells Fargo have both suffered embarrassing and costly data breaches due to unintentional errors.

At the other end of the scale, intentional insider threats are on the rise according to recent industry reports. These can be difficult to detect because employees may well have valid credentials and knowledge of the company’s security procedures. Moreover, an increasing number of businesses are moving their data to the cloud where monitoring of user behavior and file access may be less rigorous or not yet in place. Staff being able to use personal mobile devices on the corporate network is also an area where organizations need to be increasingly vigilant.

How To Protect Against Insider Threats

For internal threats, aside from the advice given above for external actors, it is also important that anomalous user behaviour is tracked and acted on, and for that you need visibility across your network. File access should be locked down according to the maxim of ‘least privilege’, and all devices on the network should have proper firewall and media control, as well as protection against compromise from Bluetooth and other peripherals. Employee wellness programs led by HR or Personnel Management can help to identify disgruntled employees. Be sure that employees receive appropriate and regular training on cyber security awareness to minimize the possibility of unintentional errors.

4. Hacktivists – Rebels With a Cause, Or Maybe Just a Gripe

Like APTs, hacktivists like to pool their resources, but stealth is rarely on their agenda. Hacktivist groups aim to bring attention to an issue, person or organization that they want to positively promote or negatively disclose information about. Although less in the spotlight in recent years, groups like Anonymous and LulzSec have caused significant problems for businesses and organizations. The CIA, Sony Pictures and even governments such as the Philippines and Thailand have been targeted in the past.

Hacktivists’ tactics of choice include DDoS attacks on web services through botnets, defacing corporate websites, and taking over the Twitter and other social media accounts of high-profile individuals and businesses.

How To Protect Against Hacktivists

As we have seen, hacktivist campaigns will tend to target web services and applications, so it’s important that as well as a modern security solution you have 2FA and MFA on all social media accounts, strong web application firewalls and a DDoS mitigation strategy that can analyse network traffic and identify anomalous requests. Be sure that your incident response plan includes mitigation strategies for reputational damage that could be caused by hacktivists.

5. Script Kiddies, Lone Wolves & Other Malcontents

Aside from the threats described above, there are also the dangers of individuals with no clear motives other than to break into other people’s computers. These actors are sometimes labelled ‘script kiddies’, meaning teenagers who have acquired powerful tools written by others and deploy them against targets for fun or experimentation. However, that ‘script kiddie’ designation is not entirely accurate and also risks downplaying the seriousness of the threat from these kinds of actors.

A good example is the recent case of expert programmer and webstack engineer Paige A Thompson. For seemingly no reason, or at least not a reason that fits into the categories discussed above, Thompson allegedly hacked CapitalOne and other corporations causing data breaches that could cost the affected parties millions of dollars in FTC fines – such, at least, was the fate of Equifax – even though the data was not actually sold or distributed.

A different kind of case that would fall into this category would be a ‘lone wolf’ such as Phillip Durachinsky, the alleged developer of Fruitfly, malware targeting macOS that was used to infiltrate systems belonging to companies, schools, police departments as well as state and federal governments. Durachinsky’s motives remain unknown.

How To Protect Against Script Kiddies et al

This threat actor type can be either internal or external. A good EDR solution should protect against non-targeted attacks like these. Anti-phishing strategies should also be in place here as phishing kits are as popular among script kiddies looking to see what they can ‘catch’ as they are among other threat actor types.

Conclusion

In this post we’ve looked at the five main threat actor groups and some strategies that you should have in place to present an effective, multi-layered security posture. The modern cyber world has changed markedly from just a few years ago, with tools and techniques proliferating to the advantage of different kinds of attackers, from script kiddies to nation-state actors. If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors, contact us for a free demo.


Spendesk raises $38.4 million for its corporate card and expense service

French startup Spendesk has raised another $38.4 million Series B round with existing investor Index Ventures leading the round. The company has raised $49.4 million (€45 million) over the years.

Spendesk is an all-in-one corporate expense and spend management service. It lets you track expenses across your company, empower your employees with a clear approval process and simplify your bookkeeping.

The service essentially works like Revolut or N26, but for corporate needs. After you sign up, you get your own Spendesk account with an IBAN. You can top up that account and define different sets of policies.

For instance, you can set payment limits depending on everyone’s job and define who’s in charge of approving expensive payments. After that, everyone can generate virtual cards for online payments and get a physical card for business travel.

When you’re on the road, you can pay directly using Spendesk just like any corporate card. If you have to pay in cash or with another card, you can take a photo of the receipt from the Spendesk mobile app and get your money back.

Many Spendesk users also leverage the service for other use cases. For instance, you can define a marketing budget and let the marketing team spend it on Facebook or Google ads using a virtual card.

You can also track all your online subscriptions from the Spendesk interface to make sure that you don’t pay for similar tools. If you hire freelancers, you can also upload all your invoices to the platform, export an XML with your outstanding invoices and import it to your banking portal.

Spendesk tries to be smarter than legacy expense solutions. For instance, the company tries to leverage optical character recognition (OCR) to match receipts with payments, autofill the VAT rate, etc.

With today’s funding round, the company plans to open offices in Berlin and London, add more currencies and develop new features. Over the past year, the company went from 20 employees to 120 employees. There are now 1,500 companies using Spendesk in Europe.