Cybersecurity’s Biggest Mistakes of 2022

In just a few years, the world of cybersecurity has changed dramatically. New technologies and threats have emerged, old ones have fallen by the wayside, and the stakes have never been higher.

As we move into 2023, it’s important to take stock of the past year and learn from our mistakes. Here are some of the biggest cybersecurity mistakes of 2022 – and how to avoid them in the New Year.

With the increasing reliance on technology in our personal and professional lives, it is essential to have strong cybersecurity measures in place to safeguard against threats such as hackers, malware, and data breaches. Making mistakes in this area can have serious consequences, including losing sensitive information, financial damage, and damage to an organization’s reputation.

Beyond not implementing an appropriate level of security (including AI-based protection), these are the main mistakes we observed in 2022:

  • Failing to update software and security patches
  • Using weak and easily guessable passwords
  • Neglecting to back up important data
  • Falling for phishing scams
  • Neglecting to train employees on cybersecurity best practices
  • Relying on outdated security measures
  • No Identity protection implemented
  • No threat hunting and lack of regular monitoring for security breaches

Failing to Update Software and Security Patches

Not keeping software up to date is risky because new security vulnerabilities are regularly identified and patched by software vendors. Vulnerabilities in Microsoft products, for example, are tracked with CVE (Common Vulnerabilities and Exposures) identifiers.

Zero-day vulnerabilities, where no patch yet exists from the vendor, can quickly become N-day vulnerabilities, meaning a patch has been issued but the organization has not yet applied it. N-days are potentially more dangerous than zero-days because the vulnerability’s existence is now public, and threat actors are quick to develop exploits and search for organizations that have yet to patch. The infamous WannaCry ransomware that wreaked havoc across the world exploited an N-day vulnerability in Microsoft’s SMBv1 server protocol, more popularly known as EternalBlue.

These kinds of scenarios provide even greater reason for organizations to keep their environment current and running the most recent versions of each product. Proactive maintenance can help protect data centers and networks against breaches and data loss.

Here’s a typical lifecycle of an attack utilizing a zero day to compromise devices:

  1. A malware author discovers a vulnerability or new attack vector.
  2. The capability is weaponized and proven to work.
  3. The zero-day is kept secret and utilized by cybercriminals.
  4. Defenders discover the vulnerability.
  5. The OS vendor or application vendor delivers a patch.
  6. The zero-day becomes an N-day.

The challenge is that patching requires time. It starts with the disclosure of the vulnerable software, then there is the time it takes the vendor to create a fix, and lastly, the time it takes to deploy the fix.

Using Weak and Easily Guessable Passwords / Reusing Passwords for Multiple Accounts

Using weak and easily guessable passwords is a common mistake that can seriously affect cybersecurity. Passwords are the first line of defense against unauthorized access to an online account or device, so it is crucial to use strong and unique passwords that are difficult for others to guess or crack.

Weak passwords are short, use common words or phrases, or include easily guessable personal information such as a name or birthdate. These passwords can be easily cracked by attackers using automated tools, which can then be used to gain access to an account or device.

Using weak and easily guessable passwords puts sensitive information and the security of the account or device itself at risk. Using strong, unique passwords and avoiding using the same password for multiple accounts can help mitigate password compromises.

Maintaining a secure identity and account protection is critical for everyone in today’s connected world. Unfortunately, keeping track of multiple passwords is difficult, prompting many people to reuse the same or similar passwords on multiple accounts – a dangerous security practice that can easily lead to breaches. Organizations can take advantage of multifactor authentication (MFA) and two-factor authentication (2FA) options to help strengthen account security. Hardware security keys and biometric authentication are also recommended for extra security.

Neglecting to Back Up Important Data

Neglecting to back up necessary data is a mistake for cybersecurity because it can have severe consequences in the event of a cyber attack or other incident resulting in data loss. Backing up data regularly creates a copy of important files and information, which can be used to restore the original data if it is lost or corrupted. Without backups, recovering lost or damaged data may be impossible, leading to significant disruption, financial loss, or other negative consequences.

In addition to protecting against data loss, regularly backing up critical data can also help to restore data encrypted in ransomware attacks. Although this may not prevent attackers from attempting to extort victims with threats to leak stolen data, it can help businesses to restore essential services and minimize business disruption caused by such attacks.

Falling for Phishing Scams

In the second quarter of 2022, the Anti-Phishing Working Group (APWG) observed a record number of phishing attacks, with over 1 million instances. This marks the worst quarter for phishing that APWG has ever observed. There has also been an increase in the amount requested in wire transfer Business Email Compromise (BEC) attacks, and industries such as healthcare and transportation have seen an increase in ransomware attacks.

Threats on social media have also risen, with a 47% increase from Q1 to Q2 2022. Mobile phone-based fraud, such as smishing and vishing, has also increased. These trends highlight the ongoing and evolving nature of cybersecurity risks from phishing attacks.

Increasingly sophisticated phishing scams are an unfortunate reality of our digital world, posing a serious threat to personal and financial security. Fraudulent emails or websites appear legitimate but deceive victims into giving away sensitive information such as passwords, credit card numbers, and other details, which can be detrimental if malicious actors access them. Furthermore, these attacks often serve as entry points for malware distribution, which poses yet another risk to the victim’s device and data systems.

Neglecting to Train Employees On Cybersecurity Best Practices

Neglecting to train employees on cybersecurity best practices is a mistake because it leaves individuals within an organization vulnerable to cyber attacks. Humans are often considered the weakest link in an organization’s cybersecurity defenses, as cybercriminals can easily trick or manipulate them using phishing or social engineering tactics. If employees are not trained to recognize and prevent these attacks, they may unwittingly put the organization’s data and systems at risk.

Employees who have not been trained on cybersecurity best practices may not know how to handle sensitive data properly or maintain the security of the organization’s systems, which further increases the organization’s exposure to cyber attacks. Training employees on cybersecurity best practices is therefore an essential part of an organization’s overall cybersecurity strategy.

Relying on Outdated Security Measures

The problem businesses faced with the old, legacy AV solutions revolved around the fact that they were based on detecting malware files through signatures – typically a hash of the file, but later through identifying tell-tale strings contained in the binary through search methodologies like YARA rules.

This approach proved to have several weaknesses. First, malware authors began to sidestep signature-based detection simply by padding files with extra bytes to change the malware’s hash or using different ways to encrypt strings that could not be easily read by binary scanning. Second, adversaries intent on stealing company data and IP, or inflicting damage through ransomware, were no longer just trying to write malicious, detectable files to a victim’s machine. Instead, bad actors’ tactics had evolved to include in-memory “fileless” attacks, exploiting built-in applications and processes (“living off the land”) and compromising networks by phishing users for credentials or stealing resources with cryptomining. Legacy AV solutions didn’t have the resources to deal with the new wave of tactics, techniques, and procedures.
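To make both weaknesses concrete, here is an added Python illustration (not code from the original post): a constructed byte blob stands in for a binary, a SHA-256 “signature” stops matching as soon as a single byte is appended, and a plain string rule misses a single-byte-XOR-encoded marker while a scan that tries every XOR key (the idea behind YARA’s `xor` string modifier) still recovers it. The marker string and the sample layout are constructed for the example.

```python
import hashlib

# Constructed tell-tale string standing in for the kind of marker a YARA rule
# would carry; it is not taken from any real malware.
MARKER = b"CONSTRUCTED_TELLTALE_STRING_v1"


def build_sample(xor_key: int = 0, pad: bytes = b"") -> bytes:
    """Build a constructed stand-in for a binary: a fake header, filler bytes,
    the marker (optionally single-byte-XOR encoded) and optional trailing padding."""
    body = bytes(b ^ xor_key for b in MARKER) if xor_key else MARKER
    return b"\x7fELF" + b"\x00" * 64 + body + b"\x00" * 32 + pad


# The hash an IoC feed would carry for the original (unpadded, unencoded) sample.
KNOWN_HASH = hashlib.sha256(build_sample()).hexdigest()


def sha256_matches(blob: bytes, known_hash: str) -> bool:
    """Hash-based signature: matches only the exact byte-for-byte file."""
    return hashlib.sha256(blob).hexdigest() == known_hash


def plain_string_match(blob: bytes, needle: bytes) -> bool:
    """Naive string rule: finds the marker only when it is stored in the clear."""
    return needle in blob


def xor_string_match(blob: bytes, needle: bytes):
    """XOR-aware string rule: try all 256 single-byte keys (key 0 is plaintext).
    Returns (key, offset) of the first hit, or None when nothing matches."""
    for key in range(256):
        encoded = bytes(b ^ key for b in needle)
        offset = blob.find(encoded)
        if offset != -1:
            return key, offset
    return None


if __name__ == "__main__":
    original = build_sample()
    padded = build_sample(pad=b"\x00")      # one extra byte: new hash, same content
    encoded = build_sample(xor_key=0x5A)    # marker XOR-encoded with key 0x5A
    print("hash matches original:", sha256_matches(original, KNOWN_HASH))  # True
    print("hash matches padded:  ", sha256_matches(padded, KNOWN_HASH))    # False
    print("plain rule on encoded:", plain_string_match(encoded, MARKER))   # False
    print("xor rule on encoded:  ", xor_string_match(encoded, MARKER))     # (90, 68)
```

The offset 68 is the 4-byte fake header plus the 64 filler bytes, so the XOR-aware rule also tells an analyst where in the file the decoded marker sits.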

As of today, there is still a significant amount of the market relying on these products. Security teams can compare legacy AV solutions with more modern technology like SentinelOne to help understand the implications of relying on older security technologies.

No Identity Protection Implemented

Having no identity protection implemented is a problem for cybersecurity because it leaves individuals and organizations vulnerable to identity theft and other types of cyber attacks.

As we’ve seen in the Cisco breach, it’s enough to compromise a user to gain access to the entire network. With social networks, multi-tasking, and the evolution of devices around us, it just makes sense for adversaries to keep investing in social engineering.

SentinelOne’s Singularity™ Identity platform solves this problem through:

  • Identity Threat Detection and Response: The identity suite delivers holistic prevention, detection, and response. It protects in real time against credential theft, privilege escalation, lateral movement, data cloaking, identity exposure, and more, supporting conditional access and zero trust cybersecurity.
  • Identity Attack Surface Management: Identity assessment tools provide instant Active Directory visibility of misconfigurations, suspicious password and account changes, credential exposures, unauthorized access, and more, enabling identity-focused attack surface reduction.
  • Identity Cyber Deception: The network and cloud-based deception suite lures attackers into revealing themselves. Through misdirection of the attack with tactics including breadcrumbs and decoy accounts, files and IPs, organizations gain the advantage of time to detect, analyze, and stop attackers and insider threats without impacting enterprise assets.

No Threat Hunting and Lack of Regular Monitoring for Security Breaches

Not conducting threat hunting and failing to regularly monitor for security breaches is a problem for cybersecurity because it can lead to undetected or unmitigated threats and attacks.

Organizations can implement a security strategy that uses a range of tools and techniques to identify indicators of compromise (IOCs), such as unusual network traffic or suspicious user behavior, and to investigate them to determine whether they represent a threat.

This is required because:

  • No security measures are 100% effective, so it is important to have multiple layers of protection in place. By conducting threat hunting and regularly monitoring for security breaches, organizations can identify potential threats and attacks as soon as possible, allowing them to take action to prevent or minimize the damage.
  • Threat hunting will enable organizations to proactively search for signs of potential security breaches or attacks within their systems and networks. This can help them to identify new indicators of compromise that their existing security measures may not detect. Organizations can improve their security posture by conducting threat hunting and better protect themselves against potential threats.

Conclusion

Are we losing the war against cybercrime? While it is true that there are constantly new threats emerging and that it can be difficult to stay ahead of these threats, it is important to remember there is much that enterprises can do to mitigate the risk, to cut off easy avenues of attack, and to harden the organization’s cybersecurity defenses.

As we look into 2023, solving the cybersecurity challenge will be a combination of deploying the right product and having the right people, processes and procedures in place to minimize the risk.

Don’t stay behind – upgrade your defenses with leading solutions from SentinelOne.


Hacked Ring Cams Used to Record Swatting Victims


Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived.

Prosecutors in Los Angeles allege 20-year-old James Thomas Andrew McCarty, a.k.a. “Aspertaine,” of Charlotte, N.C., and Kya Christian Nelson, a.k.a. “ChumLul,” 22, of Racine, Wisc., conspired to hack into Yahoo email accounts belonging to victims in the United States. From there, the two allegedly would check how many of those Yahoo accounts were associated with Ring accounts, and then target people who used the same password for both accounts.

An indictment unsealed this week says that in the span of just one week in November 2020, McCarty and Nelson identified and swatted at least a dozen different victims across the country.

“The defendants then allegedly accessed without authorization the victims’ Ring devices and transmitted the audio and video from those devices on social media during the police response,” reads a statement from Martin Estrada, the U.S. Attorney for the Central District of California. “They also allegedly verbally taunted responding police officers and victims through the Ring devices during several of the incidents.”


The indictment charges that McCarty continued his swatting spree in 2021 from his hometown in Kayenta, Ariz., where he called in bomb threats or phony hostage situations on more than two dozen occasions.

The Telegram and Discord aliases allegedly used by McCarty — “Aspertaine” and “Couch,” among others — correspond to an identity that was active in certain channels dedicated to SIM-swapping, a crime that involves stealing wireless phone numbers and hijacking the online financial and social media accounts tied to those numbers.

Aspertaine bragged on Discord that he’d amassed more than $330,000 in virtual currency. On Telegram, the Aspertaine/Couch alias frequented several popular SIM-swapping channels, where they initially were active as a “holder” — a low-level but key SIM-swapping group member who agrees to hold stolen cryptocurrency after an account takeover is completed. Aspertaine later claimed more direct involvement in individual SIM-swapping attacks.

In September, KrebsOnSecurity broke the news about a wide-ranging federal investigation into “violence-as-a-service” offerings on Telegram and other social media networks, wherein people can settle scores by hiring total strangers to carry out physical attacks such as brickings, shootings, and firebombings at a target’s address.

The story observed that SIM swappers were especially enamored of these “IRL” or “In Real Life” violence services, which they frequently used to target one another in response to disagreements over how stolen money should be divided amongst themselves. And a number of Aspertaine’s peers on these SIM-swapping channels claimed they’d been ripped off after Aspertaine took more than a fair share from them.

On April 30, 2022, a member of a popular SIM-swapping group on Telegram who was slighted by Aspertaine put out the word that he was looking for some physical violence to be visited on McCarty’s address in North Carolina. “Anyone live near here and wants to [do] a job for me,” the job ad with McCarty’s home address read. “Jobs range from $1k-$50k. Payment in BTC [bitcoin].” It’s unclear if anyone responded to that job offer.

In May 2021, KrebsOnSecurity published The Wages of Password ReUse: Your Money or Your Life, which noted that when normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Whereas, when cybercriminals reuse passwords, it often costs them their freedom.

But perhaps that story should be updated, because it’s now clear that password reuse can also put you in mortal danger. Swatting attacks are dangerous, expensive hoaxes that sometimes end in tragedy.

In June 2021, an 18-year-old serial swatter from Tennessee was sentenced to five years in prison for his role in a fraudulent swatting attack that led to the death of a 60-year-old man.

In 2019, prosecutors handed down a 20-year sentence to Tyler Barriss, a then 26-year-old serial swatter from California who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas man.

McCarty was arrested last week, and charged with conspiracy to intentionally access computers without authorization. Prosecutors said Nelson is currently incarcerated in Kentucky in connection with an unrelated investigation.

If convicted on the conspiracy charge, both defendants would face a statutory maximum penalty of five years in federal prison. The charge of intentionally accessing without authorization a computer carries a maximum possible sentence of five years. A conviction on the additional charge against Nelson — aggravated identity theft — carries a mandatory two-year consecutive sentence.

The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good

The latest dose of justice in the cyber threat landscape: U.S. authorities this week seized 48 internet domains selling “booter” and “stresser” services used by low-level hackers to launch powerful Distributed Denial of Service (DDoS) attacks. The DOJ has charged six individuals with computer crimes for their alleged involvement with these services.

DDoS attacks are designed to overwhelm websites with fake traffic until the intended target, ranging from individuals and websites to entire network providers, is eventually rendered offline. According to the DOJ, the services in this action reportedly attacked victims in both the U.S. and abroad, including government agencies, educational institutions, gaming platforms, and millions of individual users.

In a sly effort to offload legal ramifications, the booter websites had attempted to hide behind lengthy terms and conditions which required customers to agree that services would only be used for network stress-testing purposes. The DOJ, however, has dismissed those claims using communications between site administrators and their customers as evidence of their intended malicious use.

Cybercrime-as-a-Service models have multiplied in the threatscape, and the number of DDoS attacks has climbed in recent years as a result. Booter services in particular have created a low barrier to entry to cybercrime. The seized domains allowed purchasers to choose the volume of fake traffic to be sent as well as the number and duration of the synchronized attacks that followed. Such services give non-technical users the ability to bombard essential services and critical infrastructure, draining their victims of time and money and causing reputational harm.

Law enforcement has responded with Operation PowerOff, an ongoing coordinated effort among agencies to dismantle DDoS-for-hire administrators and users. This week’s takedown preempts a new wave of DDoS attacks, as cyber criminals often favor the holiday season for launching them.

The Bad

The notorious LockBit ransomware group has claimed a cyberattack on the California Department of Finance this week. While LockBit’s leak site posits that they made off with several gigabytes’ worth of confidential data, databases, and both financial and IT documents, the California Office of Emergency Services (Cal OES) only confirmed the security intrusion and stated that “no state funds have been compromised”. Officials have given no further specifics except that state and federal security partners are working with threat hunting experts to continue the investigation.

The cyberattack on the Californian finance sector follows the DOJ’s recent arrest of accused LockBit threat actor, Mikhail Vasiliev. The Russian-Canadian’s capture from just last month was the result of a two-year FBI investigation into LockBit’s operations and related ransomware attacks on the U.S. and organizations across several other countries.

LockBit has been described by the DOJ as “one of the most active and destructive ransomware variants in the world.” LockBit associates have, since their first appearance in early 2020, extracted tens of millions of dollars from at least 1000 victims in various countries.

Though LockBit’s claim of this week’s attack on the State of California was reportedly accompanied by screenshots of stolen files and a file directory, the ransomware group has been known to fake breaches.

Back in June, LockBit’s claims to have breached cybersecurity firm Mandiant were dismissed after the firm’s internal investigation found no evidence of a breach or of LockBit ransomware. What is now widely understood to have been a PR stunt by LockBit shows that ransomware operators are going to extensive lengths to support their criminal operations, even using public relations plays to adapt and persist in an evolving threat landscape.

The Ugly

PyPI and NPM code repositories are under active attack by malware. This week, software supply chain firm Phylum reported a campaign targeting Python and JavaScript developers after it identified several suspicious packages impersonating the Python requests library. Through the use of fake modules and typosquatting, the campaign is luring victims into downloading malicious pieces of code. PyPI is a prominent code repository for the Python programming language hosting over 350,000 software packages, while its JavaScript counterpart, NPM, is the hub for more than one million such packages.

The cyber criminals behind the campaign have been reported to leverage typosquatting, a technique that involves delivering malware from files that have been named very similarly to legitimate pieces of code. So far, the typosquatted Python packages are:

dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests

Typosquatted JavaScript modules in NPM have been identified as:

discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, discord-selfbot-v13, discord-all-intents-default, and telnservrr.

The typosquatting used in the campaign leads to packages embedded with Golang binaries detected as malware. Once unsuspecting developers execute the binaries, the malware encrypts files in the background, and updates the device’s desktop background with an image impersonating the CIA that instructs the victim to pay for a decryption key.

Phylum notes that attacks have continued throughout this week and that a newer version of the attacker’s ransomware has been released since the initial discovery. This attack on PyPI and NPM is the latest in a string of software supply chain attacks this year and is a trend that is likely to continue into 2023.

Feature Spotlight | Announcing General Availability (GA) of Linux and K8s Agents v22.3 for Cloud Workload Security

SentinelOne is pleased to announce general availability of version 22.3 of our Linux and Kubernetes Cloud Workload Security (CWS) agents.

Our Linux and Kubernetes agents are specifically architected for the unique needs of cloud workloads. They operate entirely in user space and use eBPF (Extended Berkeley Packet Filter) probes for visibility into the kernel. This avoids the kernel dependencies that come with alternative solutions built on kernel modules, which needlessly complicate deployment, impede agility, and can cause downtime and loss of business continuity when an agent version and a kernel version do not match.

eBPF is a powerful framework for the monitoring of traffic at the kernel level without the complication of kernel modules. As such, eBPF can be used to collect cloud workload telemetry and feed it to an XDR system for real-time detection of suspicious or malicious activity. This is precisely the SentinelOne approach for cloud workload security, which in turn is augmented by machine-speed response capabilities within the Singularity XDR Platform.

From an architectural perspective, the choice of eBPF is more stable, scalable, and performant than those which rely upon kernel modules. In this way, DevOps are free to innovate quickly, updating host OS images when they see fit and without fear of conflict between an agent version and Linux distribution/version combination.

Moreover, we have made a number of advancements that further enhance performance and detections, including:

  • Resource efficiency gains
  • Crypto mining detections
  • Detection of local privilege escalation
  • Detection of ransomware encryption

Outstanding Performance With Half the Resources

For any SentinelOne customers still running Linux or K8s agent v21.x, the resource efficiency gains alone are a compelling reason to upgrade your cloud workload protection agent to v22.1 or higher. We’ve been working with some forward-leaning customers, taking their feedback and further extending our resource efficiency. As a result, v22.1 (and higher) improves performance in two dimensions compared to version 21.x: a 40-50% improvement in memory usage and a 40-50% improvement in CPU usage.

We would be remiss if we did not take the opportunity to thank those customers for taking this journey with us. Together, we achieved these results without sacrificing a single inch of detection performance. In fact, quite the opposite: we raised the bar on Linux detections.

The resource efficiency story is even more compelling for Kubernetes customers. A single, specialized Singularity Cloud Workload Security for Kubernetes agent protects the host OS of the K8s worker node, all its pods, and all their containers. It does so with no container sidecar or usage of kernel modules, and with complete visibility into and runtime security for Kubernetes workloads. This architectural approach is very compelling for digital natives running workloads at scale.

As a representative example, if a typical sidecar agent takes 128 MB of memory per container, and each worker node has, on average, 30 containers, then the overhead of a sidecar architecture amounts to nearly 4 GB of additional memory per worker node. Multiply that by the number of worker nodes in each K8s cluster, and then again by the number of clusters running workloads across your DEV and PROD cloud accounts, and the operational overhead that the customer pays quickly stacks up. In stark contrast, SentinelOne provides industry-leading performance with half that memory and CPU.

Customers have done the napkin math themselves and drawn their own conclusions. We even have a business value calculator which takes this into account, to help our prospective customers build their own business case specific to their needs, and to share with their upper management because securing limited budget dollars in the current economic context requires rigorous cash flow analysis.

Enhanced Detection and Protection

Operational efficiency matters, but the primary job of a runtime agent is workload protection. To borrow an F1 racing analogy, this is truly where “the rubber meets the road.” The Linux agent v22.3 brings enhanced detection of cryptomining earlier in the chain, of local privilege escalation, and of ransomware. These gains extend our performance leadership as evidenced by the MITRE ATT&CK benchmark testing, which for the last two years has included Linux.

Cryptomining Detections

Cryptomining malware is a nuisance and financial drain, quietly siphoning off costly compute cycles from workloads. We have made even further advancements in the Singularity Cloud Workload Security ability to detect cryptomining malware. We detect the invocation of cryptominers associated with known suspicious wallets and/or URLs.

With v22.3, we detect cryptominer setup activity before mining even begins. By detecting the configuration and preparation activities, the SentinelOne agent stops cryptomining before it hits the organization’s cloud bill and bogs down workload operations.

Local Privilege Escalation

The SentinelOne Linux v22.3 agent also alerts on suspicious attempts to escalate local privilege via a SUID binary exploit.

Ransomware

We’ve seen an increase in ransomware attempts targeting cloud infrastructure, implementing new techniques and methods to compromise workloads. To address it, we enhanced our ransomware detection, identifying file encryption activity via common Linux utilities such as OpenSSL. Ransomware attacks on cloud workloads represent a potentially devastating risk to those businesses that rely upon the integrity and availability of their workloads.
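The post names two behaviours the agent now alerts on, privilege escalation through a SUID binary and file encryption via utilities such as OpenSSL, without describing how. As an added illustration (not SentinelOne’s detection logic), here are two heuristic rules in Python over constructed process-exec events of the kind an execve probe would report: a burst of `openssl enc` runs driven by one parent process, and a shell whose effective uid is root while its real uid is not. The event fields, thresholds and sample events are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed process-exec events standing in for what an execve probe reports.
# Fields: ts (epoch seconds), pid, ppid, uid (real uid), euid, comm, argv.
SAMPLE_EVENTS = [
    # One parent (ppid 4242) encrypting file after file: the shape of a script
    # walking a directory tree with "openssl enc".
    *[{"ts": 1000.0 + 3 * i, "pid": 5000 + i, "ppid": 4242, "uid": 1000, "euid": 1000,
       "comm": "openssl",
       "argv": ["openssl", "enc", "-aes-256-cbc", "-pass", "pass:x",
                "-in", f"/srv/data/report{i}.xlsx",
                "-out", f"/srv/data/report{i}.xlsx.enc"]}
      for i in range(6)],
    # Benign one-off: an administrator encrypting a single archive.
    {"ts": 1010.0, "pid": 6000, "ppid": 100, "uid": 0, "euid": 0, "comm": "openssl",
     "argv": ["openssl", "enc", "-aes-256-cbc", "-in", "/root/backup.tar",
              "-out", "/root/backup.tar.enc"]},
    # Ordinary interactive shell.
    {"ts": 1012.0, "pid": 7000, "ppid": 6999, "uid": 1000, "euid": 1000,
     "comm": "bash", "argv": ["bash"]},
    # Shell whose effective uid is root while the real uid is not.
    {"ts": 1015.0, "pid": 9001, "ppid": 9000, "uid": 1000, "euid": 0,
     "comm": "sh", "argv": ["sh"]},
]

SHELLS = {"sh", "bash", "dash", "zsh"}


def _is_openssl_file_encryption(ev) -> bool:
    """True for an 'openssl enc' run that reads one file and writes another
    (decryption runs, marked with -d, are not counted)."""
    argv = ev["argv"]
    return (len(argv) > 1 and argv[0].rsplit("/", 1)[-1] == "openssl"
            and argv[1] == "enc" and "-in" in argv and "-out" in argv
            and "-d" not in argv)


def detect_encryption_burst(events, window_s=60.0, threshold=5):
    """Alert when a single parent process drives at least `threshold` openssl enc
    runs within `window_s` seconds. Returns one alert per offending parent."""
    by_parent = defaultdict(list)
    for ev in events:
        if _is_openssl_file_encryption(ev):
            by_parent[ev["ppid"]].append(ev)
    alerts = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            start = evs[i]["ts"]
            if evs[i + threshold - 1]["ts"] - start <= window_s:
                burst = [e for e in evs[i:] if e["ts"] - start <= window_s]
                outputs = sorted(e["argv"][e["argv"].index("-out") + 1] for e in burst)
                alerts.append({"rule": "openssl_enc_burst", "ppid": ppid,
                               "count": len(burst), "outputs": outputs})
                break  # one alert per parent is enough
    return alerts


def detect_suid_shell(events):
    """Alert on a shell running with euid 0 while the real uid is non-root.
    sudo and su give the new process uid 0 and euid 0, so this split is a
    heuristic marker of privilege gained through a SUID binary."""
    return [{"rule": "suid_shell", "pid": ev["pid"], "uid": ev["uid"], "argv": ev["argv"]}
            for ev in events
            if ev["comm"] in SHELLS and ev["euid"] == 0 and ev["uid"] != 0]


if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_EVENTS) + detect_suid_shell(SAMPLE_EVENTS):
        print(alert)
```

The single administrative `openssl enc` run and the ordinary bash session produce no alerts, which is the point of keying the first rule on a burst per parent rather than on any use of the utility.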

SentinelOne K8s Agent Now Supports Graviton-backed Amazon EC2

The SentinelOne Kubernetes agent now supports the AWS Graviton-based EC2 instances. Our Linux agent achieved the AWS Graviton Ready Service Designation back in July 2022. Extending that support to Kubernetes clusters was a logical next step. The arm64 architecture of Graviton brings with it some compelling efficiency gains which make it very attractive to compute-intensive workloads. Singularity Cloud Workload Security for Kubernetes stands ready to deliver runtime workload protection to your Graviton-based clusters.

Conclusion

The SentinelOne eBPF-powered CWS agent is architected for the unique needs of cloud infrastructure. By operating entirely in user space, kernel dependency hassles are eliminated, thereby simplifying deployment and maintenance while simultaneously delivering complete runtime visibility and security across the hybrid cloud enterprise. Moreover, DevOps can update their host OS image without fear of agent conflict, so that business agility is supported, not impeded.

To learn more, visit the Singularity Cloud Workload Security for Server/VMs or Kubernetes product page. There, you can find customer case studies, product information, and much more. If you are an existing CWPP customer, please contact your SentinelOne account team to discuss a planned upgrade to the latest version of the Singularity agent.


SentinelOne’s Cybersecurity Predictions 2023 | What’s Next?

2022 was a sobering year for us all. Riding on the back of the COVID pandemic of the previous two years, we entered a new reality with war returning to Europe in a way not seen since 1945. And yet along with tanks, missiles, and the targeting of civilians and civilian infrastructure came a new battlefront: cyber warfare with wipers being used to hit targets inside and outside the physical battleground.

Meanwhile, new attack surfaces came to the fore, as cybercriminals began to understand how to exploit identity for access and cloud workloads for assets, privilege escalation and lateral movement.

It’s not been all bad. Evolving security technologies like XDR are helping organizations to fill the gaps in visibility, join the dots in defense, and hunt for hidden threats in the enterprise. Law enforcement at home and abroad has been capturing and incarcerating more cybercriminals than ever before, while also closing the doors on some of the darknet’s worst illicit markets.

But defenders are still playing catch up, a point not lost on our experts who, below, offer their predictions for what we can expect in cybersecurity 2023. Our predictions last year weren’t far off the mark, so as we look forward to another year in the trenches of cybersecurity, here’s what our researchers and thought leaders see in their crystal balls.

Driving Painful Lessons Home

2022 has been a year of painful lessons precisely because the most intense threats weren’t technically advanced or mind-bending feats of cyber wizardry. Instead, they were mundane, pragmatic, and wildly successful. This year was largely populated by asymmetrical threat actors – hacktivists of all stripes, youthful petty criminals, and an increasingly fragmented ransomware ecosystem.

Infosec dark humor held that ransomware groups were ‘technical debt collectors’ – attaching an eye-watering price tag to unpatched systems, misconfigurations, and generally underserved networks. It seems that we collectively underestimated the true depth and breadth of that technical debt as a wider swath of lower-tier threat actors show us the results of living on a diet of fruit so low-hanging as to have rotted on the pavement.

Cells of youthful SIM swappers and source code hoarders, best referred to as ‘disorganized crime’, have successfully hacked their way across scores of noteworthy well-resourced companies. They’ve embraced a pragmatic approach to operations – abusing the nebulous web of dubious ‘trusted’ parties that serve the customer-facing requirements of larger corporations. Whether through social engineering, stolen and borrowed credentials, or the financially-motivated short-run insider, attackers have enjoyed all that excessive privileges across unsegmented service VPNs can net them.

The cumulative effect? A near endemic failure of SMS 2FA as a security measure. As we enter 2023, we need to accept that hardware multi-factor authentication, short lived sessions, and severely curtailed account privileges aren’t nice-to-have paranoid bells and whistles. They are now the entry threshold of the aspirational standard of corporate security.

The ransomware ecosystem continues to shift, experiment, and fracture. The most notable incident is the ‘Conti Rica’ affair, where a ransomware group held an entire government for ransom. In 2023, our tracking will have to become more granular – moving away from the notion of monolithic ransomware cartels to acknowledge the prevalence of smaller affiliate groups (often engaged with multiple RaaS brands).

Perhaps at that level of observability, we’ll be quicker to note attempts to use ransomware as a flimsy cover for nation-state activity – as in the case of Iran ‘ransoming’ Albanian governmental institutions. This last facet jibes with the abuse of an increasingly populated field of hacktivists (of varying degrees of authenticity) emerging to represent different sides of hot conflicts and societal tensions via overrated DDoSes and underrated hack-and-leak ops whose long-term effects are entirely unforeseeable.

The cybersecurity industry enjoys cutting its teeth on advanced threats and sophisticated techniques that challenge the collective braintrust to find new solutions. But 2022 has forced us to pay attention to the state of disrepair of our networked fabric. Without a sizable, conscientious collective effort, we should brace ourselves for a 2023 that drives those painful lessons well beyond our tolerance.
Juan Andres Guerrero-Saade, Sr. Director of SentinelLabs

Cybersecurity Only Works When “It Just Works”

2022 has been a year where, compared to previous years, the cybersecurity market has adapted not just to the threat landscape but perhaps more strongly to how security teams want to use cyber-security products. This is something I expect to see much more of in 2023.

Consolidation, But Not At All Costs

The sheer number of cyber-security products covering different surfaces and use cases means that customers are looking to consolidate when and where possible. With that said, there are many sides to consolidation – security teams will not be satisfied with just “buying more products from the same vendor vs multiple vendors” or “pushing everything to one data-lake” – they will demand holistic workflows, unified agents and cross-product synergies that actually deliver value that is greater than the sum of its parts when consolidating around a platform as opposed to endless point solutions.

Demand for More Vendor Collaboration

As much as we expect consolidation, customers will always end up using more than one vendor. We’re already seeing security teams demand more integration and more value from the collaborations between vendors. Gone are the days when a “technological alliance” could mean little more than a shared video. In 2023 this will range from a demand for integration across more types of use-cases and standardization of data models to a very legitimate expectation that every new vendor will not only provide value on its own but also help extract more value from the existing products in the security stack.

Data Retention Needs to Be Simpler, More Affordable

Despite sounding like an oxymoron – it actually makes a lot of sense. There’s no argument about the importance of data. Between compliance regulations, low-and-slow attacks and the overall increase in analyst skill-level – most customers can and need to do more with security data.

The historical price and complexity of facilitating that is where change is going to come. SOCs will start looking for alternative solutions for Analytics and Data Storage that make more sense in terms of cost, scale, performance and ease-of-use. They’ll be looking for improvements across the board – from “How we get the data in” to “How we can access historical data”, “How fragmented the data will be” and ultimately “How much does it cost”.
Yonni Shelmerdine, VP Products, SentinelOne

No One Gets to Opt Out of Cybersecurity in 2023

If there is one thing that we learned from 2022, it is that no one is immune from cyber threats. We’ve seen many breaches in 2022 – Lapsus$ alone breached Okta, Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, and Uber. It’s hard to believe that behind these breaches, there were no well-sponsored nation-states or global cybercrime syndicates but (allegedly) a group of young hackers who met online and collaborated, not even financially motivated.

This creates a new paradigm to think about. I am not a fan of zero trust, as it is tough for organizations to implement and leaves cracks for adversaries to exploit, but trusting no one makes more sense when you look at 2022. So what should we expect in 2023? There are a few moving parts to consider.

Cost Will Be a Driving Force

The economic turmoil will pressure enterprises and organizations to save on costs and be more effective. As a result, expect more consolidation of pinpoint tools and teams and more utilization of growth and efficacy enablers like moving to the cloud.

Prediction: With less security budget, efficiency-driven products will thrive. Cost will become the main consideration for cybersecurity programs.

Attacks Will Be Bigger, Louder, Faster

The attacks we’ve seen in 2022 are more significant than those we witnessed in 2021. This is not just a trend; the reasons remain: Vulnerable products (led by Microsoft as an operating system provider and a security vendor), the means of communication, and the speed it takes a zero-day to become an exploit.

Prediction: More organizations will be breached, more critical infrastructure will be impacted, and the cybercrime economy will continue to thrive.

We Are Entering A Golden Era of Social Engineering

As we’ve seen in the Cisco breach, it’s enough to compromise a user to gain access to the entire network. With social networks, multi-tasking, and the evolution of devices around us, it just makes sense for adversaries to keep investing in social engineering.

Prediction: Phishing is a problem that is not solved and will continue to be a leading factor in compromising identities.
Migo Kedem, VP Growth, SentinelOne

The Disruptors Are Here, And They Aren’t Going Away

2022 has been the year of disruption by non-traditional threat actors. Teenagers exploited flaws in the way the traditional cybersecurity establishment thinks. Advances in computing power and AI will transform the effectiveness of social engineering, fraud, and active measures (information/influence operations). As governments try to get a handle on asymmetric threats, new ways of attacking the global problem will have to be used.

Deep Fakes Will Enhance Social Engineering

As we get better at defending the endpoints, threat actors will need to up their game in order to penetrate harder targets. Social engineering remains a popular vector of attack, especially as workforces continue to remain decentralized and remote. Increases in computing power and availability of AI/ML engines will accelerate the effectiveness and authenticity of social engineering attacks through audio and video.

Increased Targeting of Vaccine R&D by China

The unthinkable has happened in China – widespread dissent that is becoming more vocal and violent. Aggressive lockdowns have not made the expected impact on the spread of COVID, and the Chinese vaccines are significantly less effective than international options. For President Xi Jinping, an attractive option is to enhance the efficacy of their vaccines through more aggressive theft of R&D and medical intellectual property.

Lapsus$ Shows Flaws in Adult Thinking

Migo Kedem laid out the impact of Lapsus$ and the disruption they caused. This was a group of 16-21 year olds who outthought and outwitted some of the most sophisticated cybersecurity defenses and professionals in the world. How? Because it doesn’t matter how we look at the problem. It only matters how our adversaries look at the problem. Expect more attacks and disruption by younger threat actors who refuse to limit their thinking to the proverbial way of doing business.

Retasking of Intelligence Priorities

According to testimony before Congress during hearings on the SolarWinds compromise, it was estimated at least one thousand engineers and intelligence officers were involved in the design and execution of the operation. And yet there is no evidence any intelligence agency outside of Russia was able to discover this long-term campaign.

This is a glaring failure of intelligence that has become increasingly technically focused. To stop major intelligence operations, we have to develop robust HUMINT – human intelligence. And that can only come from more aggressive recruitment of agents in targeted sections of adversarial intelligence organizations. There will be retasking of intelligence priorities to identify earlier, and disrupt more aggressively, long-term operations against nations and critical infrastructure.
Morgan Wright, Chief Security Advisor, SentinelOne

No More Hiding Behind Our Macs

Indicators of what we might expect in 2023 can be read in the tea leaves of our roundup of macOS threats in 2022. The year just ending saw something rare in the macOS threat landscape become common: the inclusion of Mac payloads in numerous cross-platform attack frameworks. While this wasn’t entirely unheard of in the past, it was not the norm, and Mac payloads were generally poorly written, unreliable and, frankly, unsuccessful.

What’s changed is the increasing popularity of two things: performant and stable cross-platform languages like Go, Kotlin and Rust, and Mac devices in the enterprise. The first makes it easier for threat actors to write Mac-compatible malware; the second gives them the motivation to get better at it.

Another trend that gathered pace in 2022 was the number of reported CVEs for macOS devices, many of which allow privilege escalation and some the ability to execute kernel code from user land processes. While a transparent bug reporting ecosystem is a good thing and long overdue regarding Apple operating systems, it has consequences for those that patch little, and patch late.

Threat actors, with or without the help of security researcher write-ups and PoCs, will increasingly pay attention to exploiting reported bugs (aka N-days) on enterprise users that fail to patch. It’s not for nothing that Apple has become more aggressive in trying to force enterprises to update within 90 days.

In 2023, expect to see threat actors target macOS more successfully with cross-platform malware and to expend more effort on finding windows of opportunity to compromise unpatched Macs with known bugs. More supply chain attacks on developers and shared repositories are also likely to feature in 2023.

Deploying a native Mac security solution is the default first step to combating the increased attention of threat actors on high-interest targets like developers and senior management in 2023. Enterprises that defer upgrades and minor updates need to pay particular attention to risk assessment and their overall macOS security posture.
Phil Stokes, macOS Threat Researcher, SentinelLabs

Conclusion

Threat actors have become collaborative enough, and malicious software and techniques available enough, to bring us to a point where attackers are now platform and technology agnostic. Where there is a weakness, there is a way.

And yet, while 2023 will undoubtedly hold surprises none of us could predict, it’s a fair bet that organizations that cover their bases, kill off the low-hanging fruit, and implement coverage across cloud, identity and endpoint will be safer than those that do not. The future is opaque to us all, but in cybersecurity we can’t afford to trust to luck.

Microsoft Patch Tuesday, December 2022 Edition

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,” said Greg Wiseman, product manager at security firm Rapid7. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.
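The Mark of the Web that SmartScreen and Protected View rely on is a small INI-style text stored in the file’s `Zone.Identifier` alternate data stream. The following parser is an added example written for this page (it is not Microsoft’s, Rapid7’s or the original author’s code) and shows how a defender can audit downloaded files for the tag: it parses the stream, maps the `ZoneId` to its URLMON zone name, and reports whether Office would open the file in Protected View. It assumes the Office default of treating the Internet (3) and Restricted Sites (4) zones as untrusted; the sample stream contents are constructed.

```python
"""Audit Mark-of-the-Web (Zone.Identifier) tags on downloaded files.

Added example, not code from the original article. A file that arrives
without this tag (which is what a MotW bypass produces) opens in Office
without Protected View, so "no tag present" is the interesting finding.
"""
import sys
from dataclasses import dataclass
from typing import Optional

# URLMON security zone identifiers as written into the ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Assumption: Office's default Protected View policy keys on these zones.
UNTRUSTED_ZONES = {3, 4}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def triggers_protected_view(self) -> bool:
        return self.zone_id in UNTRUSTED_ZONES


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns None when no usable ZoneId is present, i.e. the file is untagged.
    """
    in_section = False
    fields = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid")
    if zone is None or not zone.isdigit():
        return None
    return MarkOfTheWeb(int(zone), fields.get("referrerurl"), fields.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the tag from a real file; NTFS exposes streams as 'file:stream'."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None  # the file exists but carries no Mark of the Web


def describe(stream_text: Optional[str]) -> str:
    """Verdict for a stream's text; pass None when the stream is absent."""
    motw = parse_zone_identifier(stream_text) if stream_text is not None else None
    if motw is None:
        return "NO MotW tag: Office would open this file without Protected View"
    verdict = "Protected View" if motw.triggers_protected_view else "no Protected View"
    return f"MotW zone {motw.zone_id} ({motw.zone_name}): {verdict}"


if __name__ == "__main__":
    # Constructed sample of what a browser writes for an Internet download.
    TAGGED = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://example.invalid/\r\n"
              "HostUrl=https://example.invalid/report.xlsx\r\n")
    print(describe(TAGGED))
    print(describe(None))
```

`read_mark_of_the_web` is the piece you would run in a loop over a Downloads folder on a Windows host; the parser and `describe` are platform-independent so the logic can be exercised anywhere.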

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

Kevin Breen at Immersive Labs said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, Trend Micro’s Zero Day Initiative highlights CVE-2022-44713, a spoofing vulnerability in Outlook for Mac.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s Dustin Childs wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, Sophos, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group Cuba, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, Apple released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining Fortinet or Citrix remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Six Charged in Mass Takedown of DDoS-for-Hire Sites

The U.S. Department of Justice (DOJ) today seized four dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed to knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The booter service OrphicSecurityTeam[.]com was one of the 48 DDoS-for-hire domains seized by the Justice Department this week.

The DOJ said the 48 domains it seized helped paying customers launch millions of digital sieges capable of knocking Web sites and even entire network providers offline.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Prosecutors in Los Angeles say the booter sites supremesecurityteam[.]com and royalstresser[.]com were the brainchild of Jeremiah Sam Evans Miller, a.k.a. “John the Dev,” a 23-year-old from San Antonio, Texas. Miller was charged this week with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). The complaint against Miller alleges Royalstresser launched nearly 200,000 DDoS attacks between November 2021 and February 2022.

Defendant Angel Manuel Colon Jr., a.k.a Anonghost720 and Anonghost1337, is a 37-year-old from Belleview, Fla. Colon is suspected of running the booter service securityteam[.]io. He was also charged with conspiracy and CFAA violations. The feds say the SecurityTeam stresser service conducted 1.3 million attacks between 2018 and 2022, and attracted some 50,000 registered users.

Charged with conspiracy were Corey Anthony Palmer, 22, of Lauderhill, Fla., for his alleged ownership of booter[.]sx; and Shamar Shattock, 19, of Margate, Fla., for allegedly operating the booter service astrostress[.]com, which had more than 30,000 users and blasted out some 700,000 attacks.

Two other alleged booter site operators were charged in Alaska. John M. Dobbs, 32, of Honolulu, HI is charged with aiding and abetting violations of the CFAA related to the operation of IPStresser[.]com, which he allegedly ran for nearly 13 years until last month. During that time, IPstresser launched approximately 30 million DDoS attacks and garnered more than two million registered users.

Joshua Laing, 32, of Liverpool, NY, also was charged with CFAA infractions tied to his alleged ownership of the booter service TrueSecurityServices[.]io, which prosecutors say had 18,000 users and conducted over 1.2 million attacks between 2018 and 2022.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

Dobbs, the alleged administrator of IPStresser, gave an interview to ZDNet France in 2015, in which he asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks.

“None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose),” reads an affidavit (PDF) filed by Elliott Peterson, a special agent in the FBI’s Anchorage field office.

“Analysis of data related to the FBI-initiated attacks revealed that the attacks launched by the SUBJECT DOMAINS involved the extensive misuse of third-party services,” Peterson continued. “All of the tested services offered ‘amplification’ attacks, where the attack traffic is amplified through unwitting third-party servers in order to increase the overall attack size, and to shift the financial burden of generating and transmitting all of that data away from the booter site administrator(s) and onto third parties.”

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The charges unsealed today stemmed from investigations launched by the FBI’s field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.

A similar investigation initiating from the FBI’s Alaska field office in 2018 culminated in a takedown and arrest operation that targeted 15 DDoS-for-hire sites, as well as three booter store defendants who later pleaded guilty.

The Justice Department says it’s trying to impress upon people that even buying attacks from DDoS-for-hire services can land Internet users in legal jeopardy.

“Whether a criminal launches an attack independently or pays a skilled contractor to carry one out, the FBI will work with victims and use the considerable tools at our disposal to identify the person or group responsible,” said Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office.

“Potential users and administrators should think twice before buying or selling these illegal services,” said Special Agent Antony Jung of the FBI Anchorage field office. “The FBI and our international law enforcement partners continue to intensify efforts in combatting DDoS attacks, which will have serious consequences for offenders.”

The United Kingdom, which has been battling its fair share of domestic booter bosses, in 2020 started running online ads aimed at young people who search the Web for booter services. And in Europe, prosecutors have even gone after booter customers.

In conjunction with today’s law enforcement action, the FBI and the Netherlands Police joined authorities in the U.K. in announcing they are now running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

“The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe, as well as to educate the public on the illegality of DDoS activities,” the DOJ said in a press release.

Here is the full list of booter site domains seized (or in the process of being seized) by the DOJ:

api-sky[.]xyz
astrostress[.]com
blackstresser[.]net
booter[.]sx
booter[.]vip
bootyou[.]net
brrsecurity[.]org
buuter[.]cc
cyberstress[.]us
defconpro[.]net
dragonstresser[.]com
dreams-stresser[.]io
exotic-booter[.]com
freestresser[.]so
instant-stresser[.]com
ipstress[.]org
ipstress[.]vip
ipstresser[.]com
ipstresser[.]us
ipstresser[.]wtf
ipstresser[.]xyz
kraysec[.]com
mcstorm[.]io
nightmarestresser[.]com
orphicsecurityteam[.]com
ovhstresser[.]com
quantum-stresser[.]net
redstresser[.]cc
royalstresser[.]com
securityteam[.]io
shock-stresser[.]com
silentstress[.]net
stresser[.]app
stresser[.]best
stresser[.]gg
stresser[.]is
stresser[.]net/stresser[.]org
stresser[.]one
stresser[.]shop
stresser[.]so
stresser[.]top
stresserai[.]com
sunstresser[.]com
supremesecurityteam[.]com
truesecurityservices[.]io
vdos-s[.]co
zerostresser[.]com

SentinelOne Recognized Across CRN’s 2022 Products Of The Year

It’s an exciting time for SentinelOne as we celebrate being named a WINNER in CRN’s 2022 Products of the Year. The award recognizes the industry’s top partner-friendly technology products and solutions, and we are honored to lead the pack. Our Singularity XDR platform was named a winner of the Managed Detection and Response category, and Singularity for Endpoint was named a winner in the Endpoint Protection category. With today’s cyberattackers moving faster than ever, Singularity XDR is the only cybersecurity platform empowering modern enterprises to take autonomous, real-time action with greater visibility of their dynamic attack surface and cross-platform security analytics.

At SentinelOne, our mission is to provide the most advanced and effective protection on the market. Our Singularity XDR platform unifies and extends detection and response capability across multiple security layers, providing security teams with centralized end-to-end enterprise visibility, powerful analytics, and automated response across the complete technology stack.

A core part of our Singularity XDR platform, Singularity for Endpoint, provides a flexible and robust solution to prevent, detect and respond to secure every endpoint, no matter where it is located across the globe. With Singularity XDR, we help turn disparate event data into an understandable story at machine speed – enabling enterprises to benefit from the automation, scale, and speed that we’re bringing to the XDR era.

In addition to our Singularity XDR platform, our 24/7/365 award-winning Managed Detection and Response (MDR) service, Vigilance, works for you to deliver a personalized approach to managing your security posture. Designed to supplement our endpoint security SaaS offerings, Vigilance MDR is the human side to our Singularity XDR platform – augmenting customer security organizations to provide a second set of eyes on the SentinelOne deployment and appropriate responses to contain threats.

Our mission is to enable enterprises to do more than ever through automation, data analytics, and machine speed XDR. By constantly innovating our products to stay one step ahead of the ever-evolving threat landscape, we help provide extended protection from the endpoint to beyond – with unfettered visibility, proven protection, and unparalleled response.

If you’re interested in learning more about SentinelOne and how our Singularity XDR Platform can help you stand out from the crowd, reach out to schedule your personalized demo and take advantage of the future of autonomous cybersecurity.

Building Blocks For Your XDR Journey, Part 4 | The Value of Security Data

Welcome to Part 4 of our multi-part XDR (eXtended Detection and Response) blog series. If you haven’t read the earlier posts in this series yet, we recommend checking out the following:

  • Part 1 discusses why organizations need to extend protection beyond the endpoint to stay ahead of adversaries.
  • Part 2 discusses why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy.
  • Part 3 discusses why identity security is a cornerstone of an XDR strategy.

In this post, we discuss the importance and value of security data for detection and investigation.

Challenges With Security Data Visibility

In today’s landscape of increasingly sophisticated cyber threats, organizations must be able to effectively operationalize the data housed in their cybersecurity tools to maintain visibility across their networks.

However, many organizations struggle with this due to the cybersecurity tool sprawl and point products, which do not integrate well, leading to inefficiencies in visibility, detection, investigation, and hunting. An ESG study found that 66% of customers surveyed admit that “if you keep your data in multiple silos, you’re guaranteed to lack visibility and miss critical detections.”

As a result, many organizations lack the visibility they need to defend against cyber attacks. Cross-stack visibility of security data is a cornerstone of any effective cyber defense strategy, and organizations that can’t achieve it are at a disadvantage. To address this issue, organizations must focus on consolidating their tools and integrating their data, enabling teams to operationalize their tools more effectively and gain the visibility they need to protect their information assets.

Why Legacy Tools Have Failed

SIEMs have been on the market for over a decade now, and they are still failing to meet the needs of organizations when it comes to detection and response. The problem is that SIEMs are designed to be reactive, not proactive. They rely on SOC teams to manually sift through data and look for patterns of malicious activity – a time-consuming and error-prone process that often leads to false positives or late detections. Additionally, SIEMs have very little automation, so they cannot keep up with the rapidly changing landscape of cybersecurity threats.

The security information and event management (SIEM) model is intended to be the universal one-stop answer for reducing mean time to detect and respond. However, SIEM, with its reliance on indexed architectures and on-premises infrastructure, is not a panacea.

Indexed architectures, while suitable for performing simple queries, struggle to keep up with the increasing volume and complexity of security logs. As a result, they often require lengthy search times and may not provide complete coverage of log types. On-premises infrastructure also brings with it concerns regarding scalability, as well as the need for physical space and maintenance resources.

The limitations of these traditional models have led many organizations to embrace modern cloud-native logging solutions. These options offer increased flexibility and scalability, allowing for rapid expansion during times of growth or additional monitoring needs. They also eliminate the need for physical hardware and maintenance costs, resulting in cost savings for the organization.

A major issue plaguing SIEMs is that they simply ingest alerts without the context of the underlying atomic data points. For example, a single alert or threat may comprise thousands of pieces of telemetry. When looking only at alerts, analysts can be blind to additional activity and indicators that may be linked to a larger scope of malicious activity. While this approach may be suitable for high-level monitoring or compliance, telemetry is far better suited to enabling security teams to threat hunt and perform analytics effectively.

Telemetry includes data such as raw network flows, endpoint, and cloud activity that can provide context to the alerts being generated and give analysts the ability to quickly determine whether an alert warrants further investigation. Additionally, analysts can use this extra data to detect sophisticated attacks that may appear benign in isolation. However, feeding this essential security data into a SIEM for analytics can be prohibitively expensive, particularly for small and medium-sized businesses.

For SIEM deployments, time to value can often be a struggle. The implementation process may involve collecting and normalizing data from multiple sources, setting up alerts and dashboards, and fine-tuning configurations. This can stretch the deployment timeline and delay the realization of benefits such as improved visibility into network activity and threat detection.

According to the Panther.io State of SIEM 2021, over 18 percent of the IT security professionals surveyed indicated that the time it took to receive high-value alerts — from deployment to implementation — was 12 months or longer. Additionally, over 40 percent said their organization was overpaying for their SIEM relative to the system’s capabilities.

Unifying Security Data with XDR

To create human-understandable context among the alerts and logs flowing into a traditional SIEM, most organizations build rules, dashboards, and playbooks on top of alert data. However, this approach still lacks visibility into the underlying endpoint devices or cloud workloads. Looking only at summary-level data in a SIEM can make it difficult to centralize triage and investigation, making it more likely that threats will go undetected.

Collecting and storing this data is only half the battle – the real challenge lies in making sense of it all. EDR vendors have recognized this problem and are increasingly offering powerful cloud-native logging and analytics tools to ingest and analyze security and IT telemetry. This is where correlation comes in.

By looking at how different data sets relate to one another, analysts can uncover patterns and trends that would otherwise be hidden. For example, by correlating network traffic data with employee login records, it may be possible to detect unusual activity that could indicate a security breach. By simplifying access to relevant data sets like logs and indicators of compromise from other tools, security teams can gain a complete view of their organization’s security posture.

As the amount of data generated by enterprise infrastructure continues to grow, many security vendors are turning to artificial intelligence (AI) to help make sense of it. AI can be used to detect suspicious and malicious behaviors, and it can also help to identify anomalous activity that might otherwise go unnoticed.

Endpoint Detection and Response (EDR) vendors have expertise in developing behavioral AI models and performing large-scale analytics on telemetry sourced from native endpoint agents. It’s only natural that Extended Detection and Response (XDR) is an evolution of EDR that brings the same visibility, analytics, and response to any attack surface.

XDR solutions extend the core EDR platform, providing visibility into native endpoint, cloud, network, and identity telemetry and making it easier to detect and respond to threats in real time. This approach is more economical and can provide better visibility into potential threats because teams can operationalize consolidated telemetry in a single console without needing to export the data to a SIEM for analysis.

XDR platforms powered by machine learning, like SentinelOne Singularity, produce correlated alerts that provide the precise context analysts need to make informed decisions, saving valuable time during endpoint triage and response. AI and automation, such as Singularity Storyline, remove the heavy lifting of data analysis and surface high-fidelity signals from the noise.

SentinelOne's patented Storyline technology provides real-time, automated, machine-built context and correlation across the enterprise security stack to transform disconnected data into rich stories and lets security analysts understand what happened in their environment. Storyline automatically links all related events and activities together in a storyline with a unique identifier. High-fidelity alerts allow security teams to see the full context of what occurred within seconds rather than spending hours, days, or weeks correlating logs and linking events manually.
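The two ideas above, correlating network traffic with login records and linking every related event under one story identifier, can be illustrated with a small script. The following is an added example, not SentinelOne's code and not how Storyline is implemented: it takes constructed authentication and network-flow telemetry, groups each successful login with the outbound flows that follow it on the same host under a deterministic story id, and only raises an alert when two individually noisy signals (a login from an unfamiliar source and a large transfer to an address outside the assumed internal ranges) land in the same story. The host names, IP ranges, byte threshold and time window are all assumptions chosen for the example.

```python
"""
Added example (not SentinelOne's code or the Storyline implementation):
correlate authentication records with network flow telemetry so that related
events are linked under one story identifier, then flag the stories that look
anomalous. All telemetry below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import hashlib

# Constructed sample telemetry: successful/failed logins and outbound flows.
AUTH_EVENTS = [
    {"ts": "2022-12-12T08:02:10", "host": "wks-17", "user": "alice", "src_ip": "10.0.4.21", "result": "success"},
    {"ts": "2022-12-12T08:05:44", "host": "wks-17", "user": "alice", "src_ip": "10.0.4.21", "result": "success"},
    {"ts": "2022-12-12T22:41:03", "host": "wks-17", "user": "alice", "src_ip": "198.51.100.7", "result": "success"},
    {"ts": "2022-12-12T09:15:00", "host": "srv-db1", "user": "svc_backup", "src_ip": "10.0.9.5", "result": "success"},
    {"ts": "2022-12-12T09:14:20", "host": "srv-db1", "user": "svc_backup", "src_ip": "10.0.9.5", "result": "failure"},
]
FLOW_EVENTS = [
    {"ts": "2022-12-12T08:06:30", "host": "wks-17", "dst_ip": "10.0.2.15", "bytes_out": 120_000},
    {"ts": "2022-12-12T22:49:12", "host": "wks-17", "dst_ip": "203.0.113.88", "bytes_out": 2_400_000_000},
    {"ts": "2022-12-12T09:16:10", "host": "srv-db1", "dst_ip": "10.0.9.40", "bytes_out": 900_000_000},
]
# Assumed baseline: source IPs each user normally authenticates from.
KNOWN_LOGIN_IPS = {"alice": {"10.0.4.21"}, "svc_backup": {"10.0.9.5"}}
# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Story:
    story_id: str
    host: str
    user: str
    login_ts: datetime
    login_src_ip: str
    flows: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _story_id(host: str, user: str, ts: str) -> str:
    # Deterministic identifier: the same login always maps to the same story.
    return hashlib.sha256(f"{host}|{user}|{ts}".encode()).hexdigest()[:12]


def _is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_stories(auth_events, flow_events, window_minutes=15):
    """Link each successful login to the outbound flows that follow it on the same host."""
    window = timedelta(minutes=window_minutes)
    stories = [
        Story(_story_id(e["host"], e["user"], e["ts"]), e["host"], e["user"],
              datetime.fromisoformat(e["ts"]), e["src_ip"])
        for e in auth_events if e["result"] == "success"
    ]
    for flow in flow_events:
        ft = datetime.fromisoformat(flow["ts"])
        # Attach the flow to the most recent login on that host inside the window.
        candidates = [s for s in stories
                      if s.host == flow["host"] and s.login_ts <= ft <= s.login_ts + window]
        if candidates:
            max(candidates, key=lambda s: s.login_ts).flows.append({**flow, "ts": ft})
    return stories


def flag_stories(stories, known_login_ips, exfil_bytes=1_000_000_000):
    """Alert only when an unfamiliar login and a large external transfer share a story."""
    flagged = []
    for s in stories:
        unfamiliar = s.login_src_ip not in known_login_ips.get(s.user, set())
        external = [f for f in s.flows
                    if not _is_internal(f["dst_ip"]) and f["bytes_out"] >= exfil_bytes]
        # Either signal alone is common and noisy; their combination in one story is the alert.
        if unfamiliar and external:
            s.reasons = [f"login from unfamiliar source {s.login_src_ip}"]
            s.reasons += [f"{f['bytes_out']} bytes to external {f['dst_ip']}" for f in external]
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for story in flag_stories(build_stories(AUTH_EVENTS, FLOW_EVENTS), KNOWN_LOGIN_IPS):
        print(story.story_id, story.host, story.user, story.reasons)
```

Run as a script, it prints the single story for the `wks-17` login at 22:41 and its two reasons; the earlier `wks-17` logins and the `srv-db1` backup transfer produce stories but no alert, because an unfamiliar source alone or an internal transfer alone does not cross the bar. The same grouping is what lets an analyst pivot from one alert id to every linked event rather than re-joining logs by hand.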

Singularity XDR provides a single, unified platform for extended threat detection, investigation, response, and hunting with:

  • Single source of prioritized alerts that ingests and contextualizes massive quantities of data across multiple native EDR data sources.
  • Direct integration with other best-of-breed platforms like Zscaler, Okta, and Mimecast for the purpose of automatically enriching alerts.
  • Single consolidated view to quickly understand the progression of attacks across security layers.
  • Single platform to rapidly respond and proactively hunt for threats.

Conclusion

If you want to improve your organization’s current XDR strategy, you should focus on utilizing your organization’s security data. By doing so, you can more accurately detect and respond to threats. A modern XDR solution will integrate this data to give you a comprehensive view of your organization’s security posture. Request a demo today to see how our platform can help you implement an effective XDR strategy.


FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.

USDoD’s InfraGard sales thread on Breached.

USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.

The CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans — told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.

USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that the application included a contact email address that they controlled — but also the CEO’s real mobile phone number.

“When you register they said that to be approved can take at least three months,” USDoD said. “I wasn’t expected to be approve[d].”

But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved (see redacted screenshot to the right). While the FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.

“If it was only the phone I will be in [a] bad situation,” USDoD said. “Because I used the person[‘s] phone that I’m impersonating.”

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other.

USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.

“InfraGard is a social media intelligence hub for high profile persons,” USDoD said. “They even got [a] forum to discuss things.”

To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note through InfraGard’s messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread.

That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD’s message but asked to remain anonymous for this story.

USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields — like Social Security Number and Date of Birth — are completely empty.

“I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,” they explained.

While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders.

USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal. USDoD shared the following redacted screenshot from what they claimed was one such message, although they provided no additional context about it.

A screenshot shared by USDoD showing a message thread in the FBI’s InfraGard system.

USDoD said in their sales thread that the guarantor for the transaction would be Pompompurin, the administrator of the cybercrime forum Breached. By purchasing the database through the forum administrator’s escrow service, would-be buyers can theoretically avoid getting ripped off and ensure the transaction will be consummated to the satisfaction of both parties before money exchanges hands.

Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the U.S. Department of Justice in April. Prior to its infiltration by the FBI, RaidForums sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches.

In November 2021, KrebsOnSecurity detailed how Pompompurin abused a vulnerability in an FBI online portal designed to share information with state and local law enforcement authorities, and how that access was used to blast out thousands of hoax email messages — all sent from an FBI email and Internet address.

Update, 10:58 p.m. ET: Updated the story after hearing from the financial company CEO whose identity was used to fool the FBI into approving an InfraGard membership. That CEO said they were never contacted by the FBI.

Update, 11:15 p.m. ET: The FBI just confirmed that it is aware of a potential false account associated with the InfraGard portal. The story now includes their full statement.

This is a developing story. Updates will be noted here with timestamps.