Transform SecOps with Purple AI, Now Generally Available

Imagine if hunting for emerging threats was as straightforward as asking a colleague a simple question in plain language. Today, I’m excited to announce that SentinelOne has turned this into a reality with the launch of Purple AI.

Last April, we unveiled a first-of-its-kind AI-assisted platform that fuses data from SentinelOne’s real-time, embedded neural networks with a large language model (LLM)-based natural language interface to simplify threat hunting and help analysts boost productivity and scale their operations.

Today, we are excited to announce that Purple AI, the industry’s most advanced AI security analyst, is now generally available worldwide. Purple AI helps security teams detect earlier, respond faster, and stay ahead of attacks. It radically accelerates threat hunting, investigations, and response so security teams can save time, reduce costs, and better protect their environments.

Scaling Autonomous Protection Across the Enterprise

Purple AI is a force multiplier for security teams. It translates natural language questions into sophisticated PowerQueries within seconds, facilitates deep log analysis of native and third-party data, and provides one-click hunting quickstarts, suggested queries, and shareable investigation notebooks.

Early adopters perceived threat hunting with Purple as 80% faster, and 78% of those surveyed found investigation notebooks to be very or extremely helpful.

“The security insights provided by Purple AI have surpassed anything PruittHealth had before,” said Richard Bailey, SVP of IT at PruittHealth Connect Inc. “Purple AI assists in identifying weaknesses and vulnerabilities, thus bolstering PruittHealth’s overall security. Additionally, it enhances accuracy and reduces human error in data queries, allowing more time for other tasks.”

Maximizing the SOC’s Full Potential

Today’s security teams are dealing with a sophisticated threat landscape and endless alert queues that grow far faster than what teams can even hope to resolve. Staying ahead of adversaries requires both innovation and scalability, and Purple AI was specifically designed to empower your team to maximize their productivity.

Purple provides the following key benefits:

  • Simplifying the Complex – Querying your Singularity Data Lake is as easy as asking a colleague a question. Simply ask Purple a question like, “Am I being targeted by FIN12?” without needing to reference data schemas or create complex queries. This enables faster and more effective threat hunting for every analyst.
  • Up-Leveling the Entire SOC Team – Investigation notebooks make whole teams more efficient. Notebooks are auditable and shareable, and early adopters have used this as a knowledge-amplification tool. Senior analysts write plain language queries shared in an investigation notebook with their colleagues, which makes their expertise more accessible.
  • Taking Hunts from Hours to Minutes – Accelerate SecOps with AI-powered analyses, auto-summaries, and suggested next queries. Purple AI provides pre-populated threat hunting ‘quick starts’ and uses the latest threat intelligence so analysts can begin a hunt with a single click.
  • Safeguarding Your Data – Purple is designed for data protection and privacy by design. It is never trained with customer data and is architected with the highest level of safeguards.

What’s the Purple AI Difference?

As criminals around the world are starting to leverage AI-based, automated tools to execute malicious attacks, SentinelOne is taking this technology to help enterprises control all aspects of their security posture, from visibility and response, to supercharging SecOps and building long-term cyber resilience.

Speed & Visibility | One Console, Platform & Data Lake

Responding to emerging threats requires both speed and deep visibility. Purple AI provides both, so analysts can see the full picture within the Singularity Platform. This means one unified console built on top of the industry’s most performant data lake for lightning-fast queries.

Purple AI is also the only AI security platform that supports the widely adopted Open Cybersecurity Schema Framework (OCSF), providing analysts with full data visibility and a single normalized view of native and partner data.

Threat Hunting Quickstarts & Guided Investigations

One of modern SOC teams’ biggest challenges is dealing with alert fatigue, which precludes proactive threat hunting and leads to missed notifications and burnout. Purple AI takes an intelligent, action-oriented approach to make threat hunting simple.

Security analysts are able to reduce critical MTTD through the Purple AI quickstart library, which provides suggested prompts to kick off investigations in natural language with a single click. Further, Purple will provide contextual suggested next queries to help analysts conduct faster, deeper investigations to better understand and mitigate critical risk.

Accelerated Collaboration Across the Board

Purple goes far beyond the now-popular chatbot experience. It helps analysts conduct deeper investigations that they can share across teams with auditable and auto-saved investigation notebooks. Since security analysts can now use natural language to conduct investigations, this means that the notebooks become artifacts they can share even with management and leadership teams without investing additional effort to make them understandable.

Open & Reliable AI

Purple AI focuses on transparency, prioritizing SentinelOne’s commitment to security and privacy. The platform employs the highest level of safeguards to protect and ensure you own your data, and models are not trained using customer data or requests. Purple is also designed so that SOC teams can easily view query translations for verification and analyst training.

Conclusion | Learn More About Purple AI

Purple AI is set to enhance the threat hunting experience for modern enterprises and provide security professionals with the tools they need to secure today, tomorrow, and beyond. Saving time and maximizing resources through Purple AI ensures enterprises can focus on business-critical operations and build up a strong and lasting cyber posture against even the most sophisticated threats.

Book a demo with the SentinelOne team to learn more about how Purple AI can help untap the potential of your security teams.


The Good, the Bad and the Ugly in Cybersecurity – Week 14

The Good | Developer Uncovers Backdoor Planted in XZ Utils

Over the Easter weekend, software developer Andres Freund uncovered a backdoor hidden within XZ Utils, an open-source data compressor ubiquitous in nearly all Linux-based systems. Currently, the supply chain flaw is tracked as CVE-2024-3094 (CVSS score: 10.0) and is being described as what could have been a highly sophisticated outbreak rivaling even that of the SolarWinds supply chain attack of 2020.

The backdoor was likely a multi-year-long effort, intentionally planted by an XZ Utils project maintainer named Jia Tan (aka Jia Cheong Tan or JiaT75). Tan allegedly worked his way up to this role over the span of two years to establish legitimacy in his role before introducing a series of changes to the software in 2023.

The changes were eventually included in the data compressor’s February 2024 release, affecting XZ Utils versions 5.6.0 and 5.6.1. The backdoor made it to some Linux releases including Debian Unstable, Fedora Linux 40, Kali Linux, and Fedora Rawhide, which have all since been rolled back.

The backdoor targets sshd, the executable file responsible for remote SSH connections. With a specific encryption key, a threat actor could have embedded any code within an SSH login certificate, enabling them to upload and execute it on affected devices. Although no actual code uploads have been observed, the potential risks would have included theft of encryption keys or malware deployment.

Freund’s lucky find averted what could have been a very serious supply chain attack, but the event is a sharp reminder to prioritize security in OSS maintenance. Since the discovery of the XZ Utils compromise, other open source software maintainers have commented on the problem of bullying in OSS projects and raised concerns that the XZ story may not be an isolated incident.

Regular audits, thorough code reviews, and prompt patching are essential to addressing threats effectively.
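A host-side check for the affected releases named above, added here as an example and not part of the original post: it parses the two lines printed by `xz --version` (the `xz` binary and the `liblzma` library can report different versions) and flags either one that matches 5.6.0 or 5.6.1.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# XZ Utils releases the story names as carrying the backdoor (CVE-2024-3094).
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints e.g. "xz (XZ Utils) 5.4.5" followed by "liblzma 5.4.5".
VERSION_RE = re.compile(
    r"^(?P<component>xz \(XZ Utils\)|liblzma)\s+(?P<version>\d+\.\d+\.\d+)"
)


def parse_xz_version_output(output: str) -> Dict[str, Tuple[int, ...]]:
    """Map 'xz' and 'liblzma' to their (major, minor, patch) tuples."""
    found: Dict[str, Tuple[int, ...]] = {}
    for line in output.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            name = "xz" if m.group("component").startswith("xz") else "liblzma"
            found[name] = tuple(int(p) for p in m.group("version").split("."))
    return found


def affected_components(output: str) -> List[str]:
    """Return the components whose reported version is one of the backdoored releases."""
    versions = parse_xz_version_output(output)
    return sorted(name for name, ver in versions.items() if ver in AFFECTED_VERSIONS)


def check_local_host() -> Optional[List[str]]:
    """Run `xz --version` on this host; None if xz is not installed or fails to run.
    Distribution rebuilds that revert the affected code may keep a different version
    string, so confirm with the package manager before treating an empty result as clean."""
    try:
        proc = subprocess.run(
            ["xz", "--version"], capture_output=True, text=True, check=True
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return affected_components(proc.stdout)


if __name__ == "__main__":
    result = check_local_host()
    if result is None:
        print("xz not found on this host")
    elif result:
        print("affected components:", ", ".join(result))
    else:
        print("no affected XZ Utils version reported")
```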

The Bad | Missouri County Declares State of Emergency After Ransomware Attack

Home to over 717,000 residents, one of the largest counties in Missouri was hit this week with a confirmed ransomware attack, disrupting several critical services. In the wake of the attack, Jackson County offices responsible for tax payment, marriage licensing, and inmate management systems have all shut down until further notice while investigations continue.

So far, law enforcement agencies, including the FBI and the Department of Homeland Security, have been notified, and external IT security experts are assisting in the ongoing incident response. The County Executive has also issued a state of emergency to expedite IT measures and service restoration.

County officials have also assured residents that the compromised systems did not store financial data – specifically, information handled by the Payit payment service provider, which is independently managed outside the county’s network. The county collaborates with Payit to provide secure resident engagement and payment services for property taxes, marriage licenses, and more.

The shutdowns happened on the same day as a special election held by the county to decide on a proposed sales tax aimed at financing a new stadium for the Kansas City MLB and NFL teams. Officials have emphasized that both the Jackson County Board of Elections and the Kansas City Board of Elections remain unaffected by the cyberattack, with no indication of data compromise and both boards continuing their normal operations.

The attack on the Missouri county is the 18th ransomware incident against state and local governments since the start of 2024. Researchers note that government entities will continue to be targeted by transnational threat groups – a reality driven by the aging IT infrastructure of underfunded agencies as well as a widening gap in skilled cybersecurity professionals working in government.

The Ugly | DinodasRAT Backdoor Targets Linux Servers Across Eastern Hemisphere

New findings emerged this week of a Linux variant of DinodasRAT (aka XDealer), a multi-platform backdoor attributed to a number of China-linked APTs. Reporting on the latest series of attacks, security researchers note that the new variant targets entities in China, Taiwan, Turkey, and Uzbekistan.

The Linux version primarily targets Red Hat and Ubuntu systems. It establishes persistence using SysV init or systemd startup scripts and communicates with remote servers for commands over TCP or UDP. Capabilities include file operations, process enumeration, shell command execution, and evasion techniques against detection tools.

An initial Linux variant (V10) was first spotted in early October 2023, with evidence tracing back to a previous version (V7) from July 2021.

DinodasRAT aims to gain and maintain control over infected machines with the main goals of data exfiltration and espionage. The backdoor creates a distinct identification code for every compromised device by combining the infection date, hardware details, and backdoor version. This code is then saved in a concealed configuration file, aiding in the monitoring and control of compromised systems. To operate covertly and avoid discovery, DinodasRAT alters file access timestamps, reducing its traceability and complicating efforts for security experts to identify and counter the threat.
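Two of the traits described above, persistence through startup scripts and altered file timestamps, can be combined into a simple triage check. This is an added example, not code from the original post or from any vendor report: it flags files under the SysV init and systemd directories whose modification time has been backdated relative to the inode change time, which user space cannot rewrite. The sample records are constructed.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Locations the story names for persistence: SysV init scripts and systemd units.
PERSISTENCE_DIRS = (
    "/etc/init.d",
    "/etc/rc.d",
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
)


@dataclass
class FileRecord:
    path: str
    mtime: float  # content modification time; settable with utime()/touch
    ctime: float  # inode change time; set by the kernel, not settable from user space


def in_persistence_dir(path: str) -> bool:
    return any(path.startswith(d.rstrip("/") + "/") for d in PERSISTENCE_DIRS)


def looks_timestomped(rec: FileRecord, tolerance_s: float = 60.0) -> bool:
    """A tool can backdate mtime, but every write also bumps ctime. An mtime far earlier
    than ctime is therefore a triage signal. Package managers that preserve upstream
    mtimes produce the same pattern, so treat a hit as a lead to verify, not as proof."""
    return (rec.ctime - rec.mtime) > tolerance_s


def triage(records: Iterable[FileRecord], tolerance_s: float = 60.0) -> List[str]:
    """Return paths of startup scripts/units whose mtime is backdated relative to ctime."""
    return [
        r.path
        for r in records
        if in_persistence_dir(r.path) and looks_timestomped(r, tolerance_s)
    ]


def scan_host(tolerance_s: float = 60.0) -> List[str]:
    """Walk the real persistence directories on this host and triage regular files."""
    records: List[FileRecord] = []
    for d in PERSISTENCE_DIRS:
        if not os.path.isdir(d):
            continue
        for root, _dirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)  # lstat: skip symlinked units below via S_ISREG
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    records.append(FileRecord(p, st.st_mtime, st.st_ctime))
    return triage(records, tolerance_s)


# Constructed sample records (not real host data): one unit file whose mtime sits
# about three years before its ctime, one normal unit, one file outside the scope.
SAMPLE_RECORDS = [
    FileRecord("/etc/systemd/system/constructed-example.service",
               mtime=1_600_000_000.0, ctime=1_700_000_000.0),
    FileRecord("/etc/init.d/networking",
               mtime=1_700_000_000.0, ctime=1_700_000_010.0),
    FileRecord("/home/user/notes.txt",
               mtime=1_600_000_000.0, ctime=1_700_000_000.0),
]


if __name__ == "__main__":
    for p in triage(SAMPLE_RECORDS):
        print("suspect:", p)
```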

The remote access trojan has cropped up in various threat campaigns over the past half year. In October 2023, attackers used DinodasRAT to spy on the Guyanese government. Just earlier this month, the trojan was seen again in the hands of Chinese APT group, Earth Krahang, to compromise both Linux and Windows systems of governments worldwide.

This string of attacks illustrates the maturing of China’s cyber espionage ecosystem, meaning sectors will need to continuously factor in geopolitical risks and focus their cyber strategy on building resilience.

Fake Lawsuit Threat Exposes Privnote Phishing Sites

A cybercrook who has been setting up websites that mimic the self-destructing message service privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the scammers.

The real Privnote, at privnote.com.

Launched in 2008, privnote.com employs technology that encrypts each message so that even Privnote itself cannot read its contents. And it doesn’t send or receive messages. Creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever after it is read.

Privnote’s ease-of-use and popularity among cryptocurrency enthusiasts has made it a perennial target of phishers, who erect Privnote clones that function more or less as advertised but also quietly inject their own cryptocurrency payment addresses when a note is created that contains crypto wallets.
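The substitution described above can be caught by comparing what the sender wrote with what the recipient sees. The following is an added example, not code from the original article or from Privnote: it extracts Bitcoin and Ethereum addresses by shape (no checksum validation) from both texts and reports every position where they differ. All addresses in the sample are constructed, not real wallets.

```python
import re
from typing import Dict, List, Optional, Tuple

# Syntactic shapes of the address formats most often pasted into notes. Matching by
# shape is enough to notice that an address changed in transit.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def extract_addresses(text: str) -> Dict[str, List[str]]:
    """Return the addresses found in text, keyed by currency, in order of appearance."""
    return {name: pat.findall(text) for name, pat in ADDRESS_PATTERNS.items()}


def find_swapped_addresses(
    sent: str, received: str
) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Compare the note as written with the note as displayed and report every
    (currency, original, substituted) triple where the i-th address differs.
    If one side has more addresses than the other, the missing side is None."""
    swaps: List[Tuple[str, Optional[str], Optional[str]]] = []
    sent_addrs = extract_addresses(sent)
    recv_addrs = extract_addresses(received)
    for currency in ADDRESS_PATTERNS:
        a, b = sent_addrs[currency], recv_addrs[currency]
        for i in range(max(len(a), len(b))):
            orig = a[i] if i < len(a) else None
            seen = b[i] if i < len(b) else None
            if orig != seen:
                swaps.append((currency, orig, seen))
    return swaps


# Constructed sample note and its altered copy; none of these addresses are real.
SENT_NOTE = (
    "Send 0.1 BTC to bc1qconstructedsenderaddress" + "0" * 12
    + " and the ETH to 0x" + "a" * 40
)
RECEIVED_NOTE = (
    "Send 0.1 BTC to bc1qconstructedscamaddress" + "0" * 14
    + " and the ETH to 0x" + "b" * 40
)


if __name__ == "__main__":
    for currency, orig, seen in find_swapped_addresses(SENT_NOTE, RECEIVED_NOTE):
        print(f"{currency}: {orig} -> {seen}")
```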

Last month, a new user on GitHub named fory66399 lodged a complaint on the “issues” page for MetaMask, a software cryptocurrency wallet used to interact with the Ethereum blockchain. Fory66399 insisted that their website — privnote[.]co — was being wrongly flagged by MetaMask’s “eth-phishing-detect” list as malicious.

“We filed a lawsuit with a lawyer for dishonestly adding a site to the block list, damaging reputation, as well as ignoring the moderation department and ignoring answers!” fory66399 threatened. “Provide evidence or I will demand compensation!”

MetaMask’s lead product manager Taylor Monahan replied by posting several screenshots of privnote[.]co showing the site did indeed swap out any cryptocurrency addresses.

After being told where they could send a copy of their lawsuit, Fory66399 appeared to become flustered, and proceeded to mention a number of other interesting domain names:

You sent me screenshots from some other site! It’s red!!!!
The tornote.io website has a different color altogether
The privatenote,io website also has a different color! What’s wrong?????

A search at DomainTools.com for privatenote[.]io shows it has been registered to two names over as many years, including Andrey Sokol from Moscow and Alexandr Ermakov from Kiev. There is no indication these are the real names of the phishers, but the names are useful in pointing to other sites targeting Privnote since 2020.

DomainTools says other domains registered to Alexandr Ermakov include pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io.

A screenshot of the phishing domain privatemessage dot net.

The registration records for pirvnota[.]com at one point were updated from Andrey Sokol to “BPW” as the registrant organization, and “Tambov district” in the registrant state/province field. Searching DomainTools for domains that include both of these terms reveals pirwnote[.]com.

Other Privnote phishing domains that also phoned home to the same Internet address as pirwnote[.]com include privnode[.]com, privnate[.]com, and prevnóte[.]com. Pirwnote[.]com is currently selling security cameras made by the Chinese manufacturer Hikvision, via an Internet address based in Hong Kong.

It appears someone has gone to great lengths to make tornote[.]io seem like a legitimate website. For example, this account at Medium has authored more than a dozen blog posts in the past year singing the praises of Tornote as a secure, self-destructing messaging service. However, testing shows tornote[.]io will also replace any cryptocurrency addresses in messages with their own payment address.

These malicious note sites attract visitors by gaming search engine results to make the phishing domains appear prominently in search results for “privnote.” A search in Google for “privnote” currently returns tornote[.]io as the fifth result. Like other phishing sites tied to this network, Tornote will use the same cryptocurrency addresses for roughly 5 days, and then rotate in new payment addresses.

Tornote changed the cryptocurrency address entered into a test note to this address controlled by the phishers.

Throughout 2023, Tornote was hosted with the Russian provider DDoS-Guard, at the Internet address 186.2.163[.]216. A review of the passive DNS records tied to this address shows that apart from subdomains dedicated to tornote[.]io, the main other domain at this address was hkleaks[.]ml.

In August 2019, a slew of websites and social media channels dubbed “HKLEAKS” began doxing the identities and personal information of pro-democracy activists in Hong Kong. According to a report (PDF) from Citizen Lab, hkleaks[.]ml was the second domain that appeared as the perpetrators began to expand the list of those doxed.

HKleaks, as indexed by The Wayback Machine.

DomainTools shows there are more than 1,000 other domains whose registration records include the organization name “BPW” and “Tambov District” as the location. Virtually all of those domains were registered through one of two registrars — Hong Kong-based Nicenic and Singapore-based WebCC — and almost all appear to be phishing or pill-spam related.

Among those is rustraitor[.]info, a website erected after Russia invaded Ukraine in early 2022 that doxed Russians perceived to have helped the Ukrainian cause.

An archive.org copy of Rustraitor.

In keeping with the overall theme, these phishing domains appear focused on stealing usernames and passwords to some of the cybercrime underground’s busiest shops, including Brian’s Club. What do all the phished sites have in common? They all accept payment via virtual currencies.

It appears MetaMask’s Monahan made the correct decision in forcing these phishers to tip their hand: Among the websites at that DDoS-Guard address are multiple MetaMask phishing domains, including metarrnask[.]com, meternask[.]com, and rnetamask[.]com.

How profitable are these private note phishing sites? Reviewing the four malicious cryptocurrency payment addresses that the attackers swapped into notes passed through privnote[.]co (as pictured in Monahan’s screenshot above) shows that between March 15 and March 19, 2024, those addresses raked in and transferred out nearly $18,000 in cryptocurrencies. And that’s just one of their phishing websites.

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “The Manipulaters,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

In May 2015, KrebsOnSecurity published a brief writeup about the brazen Manipulaters team, noting that they openly operated hundreds of web sites selling tools designed to trick people into giving up usernames and passwords, or deploying malicious software on their PCs.

Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold on the domain heartsender,com. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed as long as possible. Image: DomainTools.

The core brand of The Manipulaters has long been a shared cybercriminal identity named “Saim Raza,” who for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc. The term “FUD” in those names stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

A September 2021 story here checked in on The Manipulaters, and found that Saim Raza and company were prospering under their FudCo brands, which they secretly managed from a front company called We Code Solutions.

That piece worked backwards from all of the known Saim Raza email addresses to identify Facebook profiles for multiple We Code Solutions employees, many of whom could be seen celebrating company anniversaries gathered around a giant cake with the words “FudCo” painted in icing.

Since that story ran, KrebsOnSecurity has heard from this Saim Raza identity on two occasions. The first was in the weeks following the Sept. 2021 piece, when one of Saim Raza’s known email addresses — bluebtcus@gmail.com — pleaded to have the story taken down.

“Hello, we already leave that fud etc before year,” the Saim Raza identity wrote. “Why you post us? Why you destroy our lifes? We never harm anyone. Please remove it.”

Not wishing to be manipulated by a phishing gang, KrebsOnSecurity ignored those entreaties. But on Jan. 14, 2024, KrebsOnSecurity heard from the same bluebtcus@gmail.com address, apropos of nothing.

“Please remove this article,” Saim Raza wrote, linking to the 2021 profile. “Please already my police register case on me. I already leave everything.”

Asked to elaborate on the police investigation, Saim Raza said they were freshly released from jail.

“I was there many days,” the reply explained. “Now back after bail. Now I want to start my new work.”

Exactly what that “new work” might entail, Saim Raza wouldn’t say. But a new report from researchers at DomainTools.com finds that several computers associated with The Manipulaters have been massively hacked by malicious data- and password-snarfing malware for quite some time.

DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

“Curiously, the large subset of identified Manipulaters customers appear to be compromised by the same stealer malware,” DomainTools wrote. “All observed customer malware infections began after the initial compromise of Manipulaters PCs, which raises a number of questions regarding the origin of those infections.”

A number of questions, indeed. The core Manipulaters product these days is a spam delivery service called HeartSender, whose homepage openly advertises phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me, to name a few.

A screenshot of the homepage of HeartSender 4 displays an IP address tied to fudtoolshop@gmail.com. Image: DomainTools.

HeartSender customers can interact with the subscription service via the website, but the product appears to be far more effective and user-friendly if one downloads HeartSender as a Windows executable program. Whether that HeartSender program was somehow compromised and used to infect the service’s customers is unknown.

However, DomainTools also found the hosted version of HeartSender service leaks an extraordinary amount of user information that probably is not intended to be publicly accessible. Apparently, the HeartSender web interface has several webpages that are accessible to unauthenticated users, exposing customer credentials along with support requests to HeartSender developers.

“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table “User Feedbacks” (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain. Given the risk for abuse, this domain will not be published.”

This is hardly the first time The Manipulaters have shot themselves in the foot. In 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that focuses on connecting cybercriminals to their real-life identities.

Currently, The Manipulaters seem focused on building out and supporting HeartSender, which specializes in spam and email-to-SMS spamming services.

“The Manipulaters’ newfound interest in email-to-SMS spam could be in response to the massive increase in smishing activity impersonating the USPS,” DomainTools wrote. “Proofs posted on HeartSender’s Telegram channel contain numerous references to postal service impersonation, including proving delivery of USPS-themed phishing lures and the sale of a USPS phishing kit.”

Reached via email, the Saim Raza identity declined to respond to questions about the DomainTools findings.

“First [of] all we never work on virus or compromised computer etc,” Raza replied. “If you want to write like that fake go ahead. Second I leave country already. If someone bind anything with exe file and spread on internet its not my fault.”

Asked why they left Pakistan, Saim Raza said the authorities there just wanted to shake them down.

“After your article our police put FIR on my [identity],” Saim Raza explained. “FIR” in this case stands for “First Information Report,” which is the initial complaint in the criminal justice system of Pakistan.

“They only get money from me nothing else,” Saim Raza continued. “Now some officers ask for money again again. Brother, there is no good law in Pakistan just they need money.”

Saim Raza has a history of being slippery with the truth, so who knows whether The Manipulaters and/or its leaders have in fact fled Pakistan (it may be more of an extended vacation abroad). With any luck, these guys will soon venture into a more Western-friendly, “good law” nation and receive a warm welcome by the local authorities.

PinnacleOne ExecBrief | Geopolitical and Cyber Risk in the Portfolio

Last week, PinnacleOne examined the geopolitical dynamics and risks facing firms that do business or have key dependencies in China and highlighted principles to frame a China-for-China strategy given firm-specific threat models.

This week, we focus on the intersection of geopolitical and cyber risks facing western firms investing in strategic technologies and the dangers of oversharing.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Geopolitical and Cyber Risk in the Portfolio

In today’s rapidly evolving global landscape, the intersection of geopolitical and cyber risks poses significant challenges for private equity, multinational conglomerates, and venture capital firms. As these firms invest in companies operating in strategic technology domains, it is crucial to understand how the changing risk landscape affects their business interests. This week’s ExecBrief sheds light on the increasing threats faced by portcos, particularly those working on critical and emerging technologies and provides guidance on managing these risks effectively.

The Evolving Threat Landscape

Geopolitical dynamics driving strategic technology competition and the proliferation of offensive tools have created an increasingly hostile environment for high-growth firms. These companies are targeted for their valuable intellectual property (IP) in strategic technologies, their role in the digital supply chain, and their market position. In particular:

  1. The loss of critical IP or talent at an early stage can be devastating for a company, leaving it unable to compete or see its Total Addressable Market cut substantially by a fast-following (foreign) competitor (that may also receive covert state support).
  2. The impact of a cyber event can immediately threaten net asset values booked on the balance sheet. As seen in the case of the SolarWinds attack, a cyber incident can result in a significant drop in company value and create costly litigation expenses.
  3. The increasing scrutiny on board members’ roles and responsibilities in cybersecurity oversight, exemplified by the SEC’s additional rules for public companies, further emphasizes the importance of proactive cyber risk management and governance.

Geopolitical-Cyber Risk Factors

Companies working on critical and emerging technologies will find themselves in the geopolitical bullseye for targeting. No firm is too small to warrant the attention of nation-state actors if their IP, products, military/critical infrastructure customers, or talent are deemed strategically important. This heightened risk requires investment firms to be vigilant in assessing and managing the geopolitical-cyber risks faced by their portcos and strategic business units.

Furthermore, the evolving regulatory landscape – driven by national security, AI risk, and data privacy concerns – introduces additional challenges for multinationals and investment firms. Increasingly stringent policy regulations, export controls, and investment screening policies can impact:

  1. Portco operations
  2. Investment firm growth strategies
  3. IT infrastructures, and
  4. Portco security postures

The Danger of Oversharing

At the frontier of strategic technology investment, there is often an incentive for portcos and their funders to “hype” their capabilities and broadcast technical details and staffing information through media channels. While this may serve to attract investors and customers, success can also inadvertently draw the attention of malicious actors.

This is especially true for those firms conspicuously advertising themselves as aligned with and supporting national defense or intelligence interests. Traditionally, such firms in the Defense Industrial Base follow very strict operational security and eschew publicity for key innovations, except where used for strategic communications or political signaling.

Publicly sharing sensitive information about a company’s technical capabilities, key personnel, and ongoing projects can provide valuable intelligence to potential attackers. This information can be used to:

  1. Target specific individuals,
  2. Identify potential vulnerabilities in a company’s systems and facilities, and
  3. Justify to the attacker’s bureaucracy the prioritization of resources to target the firm.

Investment firms must be aware of these risks and work with their portcos to develop prudent operational security practices. This may involve:

  1. Establishing guidelines for public communications,
  2. Training employees on the risks of oversharing, and
  3. Implementing strict controls on the dissemination of sensitive information.

Managing Geopolitical-Cyber Risks

To effectively manage geopolitical-cyber risks, investment firms must adopt a comprehensive approach that integrates geopolitical-cyber risk intelligence, business strategy, and technology security considerations. This approach should be tailored to the specific composition of the firm’s portfolio and business units.

  1. Developing strategic threat models is a crucial first step in prioritizing risks to portco value chains. By considering the threat landscape, third-party/supply chain exposure, and shared customer exposure, firms can identify the most pressing risks and allocate resources accordingly.
  2. Capability assessments ensure that business objectives align with the security program and existing technical controls, given the identified threat model. This alignment is essential for maintaining the integrity and resilience of portcos in the face of evolving threats.
  3. Mitigating risks and strengthening resilience requires a combination of tactical control improvements and strategic security posture changes. Investment firms should provide business justification for these changes to ensure buy-in from portco leadership.

Finally, establishing cyber risk management programs is essential for long-term success. By integrating continuous geopolitical-cyber risk management into risk governance frameworks, diligence activities, training & exercises, security vendor selection, and strategic investment decision-making, firms can proactively address risks and maintain the value of their investments.

Navigating Towards Safety

The intersection of geopolitical and cyber risks presents significant challenges for private equity, multinational conglomerates, and venture capital firms operating at the technology frontier. As the threat landscape continues to evolve, it is imperative that firms adopt a proactive and comprehensive approach to managing these risks.

By understanding the unique risks faced by portcos operating in strategic technology domains, including the dangers of oversharing sensitive information, firms can take steps to mitigate threats, strengthen resilience, and protect the value of their investments.

Through the integration of geopolitical-cyber risk intelligence, business strategy, and technology security considerations, firms can navigate the complex risk landscape and position themselves for long-term success.

The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good | U.S. Treasury Cracks Down on Russian & Chinese State-Backed Threats

In back-to-back announcements this week, the U.S. Department of the Treasury has sanctioned cryptocurrency exchanges leveraged by Russian dark markets and a Chinese-based company linked to APT31 threat actors (aka Zirconium and Violet Typhoon).

Thirteen entities and two individuals now face sanctions by the Treasury Department’s Office of Foreign Assets Control (OFAC) for their role in developing and servicing OFAC-designated Russian dark web markets and banks. Bitpapa IC FZC LLC and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP) both facilitated substantial transactions with entities like Hydra Market and Garantex, while Crypto Explorer DMCC (AWEX) operated as a crypto exchange, facilitating conversions involving OFAC-designated Russian banks.

Before its seizure in April 2022, Hydra Market was one of the world’s largest and longest-operating darknet markets, attributed with over 80% of all darknet-related crypto transactions at the time.

The Treasury, in collaboration with other international agencies, has also placed sanctions on a Wuhan-based company and two Chinese nationals associated with targeting U.S. politicians to support China’s espionage objectives. Both individuals are allegedly linked to APT31, a PRC state-backed hacking group focused on stealing information from government officials, journalists, and academics.

The coordinated effort with the DoJ, FBI, Department of State, and the UK Foreign, Commonwealth & Development Office (FCDO) led to unsealed indictments and sanctions, freezing all assets and interests in the United States connected to the designated individuals and entities. These sanctions are part of an ongoing commitment by the U.S. government to protect national security interests amidst evolving geopolitical tensions.

The Bad | Upgraded PhaaS Phishing Kit Threatens Microsoft & Google MFA Measures

The emergence of a new phishing-as-a-service (PhaaS) platform dubbed “Tycoon 2FA” is targeting Microsoft 365 and Gmail accounts with the aim of circumventing two-factor authentication (2FA) safeguards.

First detected by cybersecurity analysts in October 2023 during routine threat monitoring, Tycoon 2FA had been operational since at least August 2023 and was initially distributed through private Telegram channels by a group called Saad Tycoon. Similarities between Tycoon 2FA and other adversary-in-the-middle (AitM) platforms indicate potential code reuse or collaborative efforts between developers.

Tycoon 2FA’s modus operandi involves a multi-step process where users are tricked into interacting with phishing pages. Background scripts then extract the user’s email in order to customize the attack while the user is redirected to a fake Microsoft login page to steal credentials. The threat actors then employ a reverse proxy server hosting phishing web pages to intercept session cookies. Once a user completes the MFA challenge and successfully authenticates their access, the actors can then replay the sessions and bypass multi-factor authentication (MFA) mechanisms.

Most recently, the analysts have reported Tycoon 2FA’s latest version upgrade, which enhances its capabilities by expanding traffic filtering and refining stealth tactics to evade analysis. The modifications are indicative of ongoing efforts to refine the kit’s effectiveness in avoiding detection by identifying and bypassing typical traffic patterns.

Recent estimates show that Tycoon 2FA is associated with thousands of phishing pages found in the wild since August 2023. Given this broad user base of cybercriminals using the service for their phishing operations, it is essential for organizations to double down on educating their users on how to recognize the signs of phishing attacks, even if they have MFA enabled.

The Ugly | Chinese APTs Target ASEAN Members in Cyber Espionage Campaign

A new report shed light this week on a three-month long espionage campaign conducted by two Chinese-based advanced persistent threat (APT) groups. Most notably, both APTs have focused their efforts on entities and member nations of the Association of Southeast Asian Nations (ASEAN).

The first of the two APT groups, active since 2012, is known by names such as Stately Taurus, Camaro Dragon, or Earth Preta. As observed, Stately Taurus targeted organizations in Japan, Singapore, Myanmar, and the Philippines via phishing scams delivering two custom-created malware packages. Notably, the state-sponsored APT group took advantage of a recent ASEAN-Australia Special Summit event to launch this campaign – a tactic used by threat actors to exploit the increased online activity, communications, and digital traffic characteristic of major events.

One of the malware packages is designed to masquerade as a ZIP file, containing an executable named “Talking_Points_for_China.exe” to initiate the deployment of a known Stately Taurus malware called “PUBLOAD” upon execution. This executable, a renamed copy of the legitimate software KeyScrambler.exe, executes malicious code discreetly through DLL side-loading. The second package comprises a screensaver executable titled “Note PSO.scr”, which serves as a conduit for retrieving additional malicious payloads from a remote IP address. These payloads include a benign program disguised as “WindowsUpdate.exe” alongside a rogue DLL.

The second, unidentified APT group has been observed compromising government entities in Singapore, Cambodia, and Laos. Given their role in managing sensitive diplomatic and economic information, attacks on ASEAN member countries are consistent with the groups’ espionage objectives. These kinds of cyber espionage campaigns will continue to be a key challenge for government entities, where nation state-backed threat groups aim to collect geopolitical leverage within their regions in order to get ahead in the international arena.

Thread Hijacking: Phishes That Prey on Your Curiosity

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a recent thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOnline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline’s Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s email addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Exit Sandman | How SentinelOne Deflects APT-Level Identity Security Risks

Information theft and the number of data breaches rooted in identity-based risks are rising as attackers continue to exploit vulnerabilities and find ways to evade detection. This makes early detection one of the most critical pillars of defense across today’s attack surfaces. As identity-based threats continue to develop, organizations that focus on advanced detection and response can protect their data from skilled adversaries.

Advanced persistent threats (APTs) like Sandman, for example, have been observed using identity-based attacks to achieve initial access and lateral movement. These kinds of threat groups are not looking for ransom payments, meaning information theft is their most likely objective.

Increasing cases of information theft put organizations at risk of cyber espionage, financial loss, and brand damage. For organizations to counter such threats, early discovery is key. In this post, we pinpoint how robust identity security measures can help mitigate the tactics, techniques, and procedures (TTPs) used by threat groups like Sandman APT.

Case Study | Identity-Based TTPs Used by Sandman APT

In September 2023, SentinelLabs exposed a series of attacks targeting telecommunication providers in the Middle East, Western Europe, and South Asia. This was the work of a previously undiscovered threat actor they dubbed “Sandman”.

In their findings, SentinelLabs researchers noted that Sandman’s activities were characterized by strategic lateral movement to targeted workstations and minimal engagement. This suggests a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.

Sandman likely targeted major telcos for espionage purposes, using credential theft techniques and limiting engagement to evade detection. After infiltration, the threat group would wait before proceeding with their activities, suggesting a reliance on stealth for malicious purposes.

New Attack Tactics, Same Attack Cycle

Although the intrusions were detected and interrupted before the threat actor could progress the attacks, they illustrate how advanced intrusions still conform to a typical attack chain depicted below.

In this attack chain, threat actors will gather intelligence to identify the target and any exploitable entry methods. They will compromise an internal endpoint system to gain access and establish a foothold. Once in, they enter the persistence cycle of gathering information, identifying targets, moving laterally, and establishing backdoors while staying undetected. They will remain in this cycle until they finally execute their planned objectives and complete their mission.

Sandman APT established a foothold within the target organization after stealing administrative credentials and gathering intelligence through internal reconnaissance. Then, the APT infiltrated specifically targeted workstations using the pass-the-hash (PtH) technique over the NTLM authentication protocol. These tactics can be counteracted by having robust identity security controls in place.

To protect against attacks like those perpetrated by Sandman, SentinelOne suggests looking at its Singularity Identity and Singularity Hologram cyber deception solutions for cyber risk mitigation.

Preventing Identity-Based Attacks with Singularity Identity

As part of the SentinelOne agent, Singularity Identity protects an organization’s digital identities and identity infrastructure by safeguarding credentials on the endpoints and Active Directory (AD) objects, including accounts, groups, domain controllers, and more.

Singularity Identity provides cyberattack prevention by protecting identities through concealment and misdirection. After attackers like Sandman establish a foothold on an endpoint, they conduct local and network reconnaissance for usable identity data (e.g., credentials, passwords, AD objects, etc.) because masquerading as legitimate users provides access to resources while minimizing detection. This activity also helps them identify high-value assets such as privileged or sensitive accounts, servers, and data for future attacks.

As they gather intelligence, Singularity Identity conceals the locally stored credentials from discovery, whether memory-resident or stored locally in applications and the operating system. It also identifies AD queries attempting to harvest data from the domain controller like members of privileged groups, domain controllers, or service principal names (SPNs), and conceals the results. It then creates an alert on the SentinelOne console while giving decoy identity data as lures and bait so the attackers do not suspect anything is wrong and continue their activities.

To perform PtH, attackers first capture valid password hashes for accounts using a credential access technique. The captured hashes are then presented in place of the password to authenticate as that user, and once authenticated, the attacker performs actions on local or remote systems in that user’s context. Singularity Identity detects and alerts on this and many other credential-based attacks.

Additionally, Singularity Identity supports deploying deceptive credentials across different storage locations, such as browsers, keychains, Windows Credential Manager, and password managers. Credentials taken from these locations will generate an alert and attackers are misdirected away from a production asset.
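The two signals described in the last two paragraphs, a pass-the-hash style logon and any use of a planted decoy credential, can be checked with plain detection logic over Windows Security events. The following is an added example, not SentinelOne code; the event records, host names, and decoy account names are constructed samples, and the Logon Type 9 / seclogo / Negotiate pattern is the widely documented signature of a local pass-the-hash logon (legitimate `runas /netonly` produces the same pattern, so it is a lead, not proof).

```python
"""Toy detector for two identity-attack signals over Windows Security 4624/4625
events: a local pass-the-hash style logon and a logon naming a decoy account.
All event records below are constructed samples, not real logs."""
from dataclasses import dataclass

# Constructed decoy (honeytoken) account names assumed to be planted in
# Credential Manager, browsers and keychains. No legitimate process should
# ever authenticate with them, so any logon attempt is an alert.
DECOY_ACCOUNTS = {"svc_backup_admin", "fileshare_sync"}


@dataclass
class Alert:
    rule: str
    host: str
    account: str
    detail: str


def is_pth_logon(ev):
    """Logon Type 9 (NewCredentials) via the 'seclogo' logon process with the
    Negotiate package is the classic on-host footprint of a pass-the-hash
    logon. Legitimate 'runas /netonly' looks the same, so tune with context."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName", "").lower() == "negotiate")


def is_decoy_use(ev):
    """Any successful (4624) or failed (4625) logon naming a decoy account."""
    return (ev.get("EventID") in (4624, 4625)
            and ev.get("TargetUserName", "").lower() in DECOY_ACCOUNTS)


def detect(events):
    """Run both rules over an event list and return the alerts raised."""
    alerts = []
    for ev in events:
        if is_pth_logon(ev):
            alerts.append(Alert("pass_the_hash_local", ev["Computer"],
                                ev["TargetUserName"],
                                "LogonType 9 via seclogo/Negotiate"))
        if is_decoy_use(ev):
            alerts.append(Alert("decoy_credential_used", ev["Computer"],
                                ev["TargetUserName"],
                                f"{ev.get('AuthenticationPackageName')} logon "
                                f"from {ev.get('IpAddress', '-')}"))
    return alerts


# Constructed sample events: one benign interactive logon, one pass-the-hash
# style logon, one NTLM network logon with a decoy account, one benign NTLM logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-0142", "TargetUserName": "jdoe",
     "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "Computer": "WS-0142", "TargetUserName": "jdoe",
     "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "::1"},
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "svc_backup_admin",
     "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "jdoe",
     "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.40"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host} account={a.account} {a.detail}")
```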

Preventing Identity-Based Attacks with Singularity Hologram

The cyber deception technology of Singularity Hologram takes protection one step further by supplying enterprise-wide decoys to engage the attackers. Hologram is capable of detecting attacks using alternate authentication mechanisms such as the PtH technique. The solution then alerts on attempts to use such methods to move laterally into decoys.

The decoy identity data can point to a black hole destination IP or system. However, having Hologram decoys in the network adds another layer of realism by providing a destination and service for the bait and lures. It also provides a way to engage with attackers like Sandman, who rely on minimal engagement to avoid detection.

Hologram learns the environment and can automatically create and deploy these decoys adjacent to production systems on the same network segments. These decoys match the production environment, mimicking systems and services throughout the network. They also allow defenders to collect data on the attack, as they record all attack activity that engages with them on the network, in memory, and on local storage.

Conclusion

Imagine being an attacker that breaks into a network with the goal of stealing enterprise credentials. After accessing the network resource the attacker is then kicked out because the defense mechanisms in place detected the attempted credential theft, misdirected the attack to a decoy, and recorded all the malicious activity. Such is the power of SentinelOne’s identity security and cyber deception solutions.

As more APTs go the route of leveraging stealthy, prolonged attacks through identity-based TTPs, focusing on early detection and vigilant monitoring allows organizations to stay steps ahead of even the most advanced threats.

SentinelOne’s Identity Suite delivers robust defenses to defend the infrastructure that houses business-critical digital identities. To learn more or request a demo, please visit https://www.sentinelone.com/lp/identity-suite-demo/.


Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Some of the many notifications Patel says he received from Apple all at once.

Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.

But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.

Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.

THE PHONE NUMBER IS KEY

Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.

“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”

Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.

“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”

Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.

Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — all the while still sitting at the local Apple Genius Bar.

Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the only aspect of Chris’s new iPhone and iCloud account that hadn’t changed.

WATCH OUT!

“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.

“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll the watch wheel to see and press the ‘Don’t Allow’ button.”

Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.

Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.

A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.

Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.

After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.

The password reset page at iforgot.apple.com.

RATE LIMITS

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Apple has not yet responded to requests for comment.

Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft authenticator app on their mobile device to verify they are logging into the account.

Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.

“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.
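The question raised under RATE LIMITS, why a reset system would send dozens of prompts before the first one is answered, comes down to two server-side controls: suppressing new prompts while one is still pending, and capping prompts per account over a window. The gate below is an added illustration of those two controls in a generic password-reset service; it is not Apple's code and says nothing about how Apple's system is built, and the account name, limits and timings are assumed values.

```python
"""Gate in front of a 'send password-reset push prompt' action. Two controls:
(1) no new prompt while an unanswered, unexpired prompt is pending;
(2) a sliding-window cap on prompts per account. Assumed limits: 3 prompts
per hour, prompt valid for 5 minutes. The account name used is constructed."""
import time
from collections import deque


class FakeClock:
    """Deterministic clock so the bombing simulation runs offline."""
    def __init__(self, start):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ResetPromptGate:
    def __init__(self, max_per_window=3, window_s=3600, prompt_ttl_s=300,
                 clock=time.time):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.prompt_ttl_s = prompt_ttl_s
        self.clock = clock
        self._sent = {}      # account -> deque of send timestamps in window
        self._pending = {}   # account -> expiry time of the outstanding prompt

    def request(self, account):
        """Return 'prompt_sent', 'suppressed_pending' or 'rate_limited'."""
        now = self.clock()
        exp = self._pending.get(account)
        if exp is not None and now < exp:
            # The user has not acted on the last prompt yet: do not stack another.
            return "suppressed_pending"
        q = self._sent.setdefault(account, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop sends that fell out of the sliding window
        if len(q) >= self.max_per_window:
            return "rate_limited"
        q.append(now)
        self._pending[account] = now + self.prompt_ttl_s
        return "prompt_sent"

    def answer(self, account, allow):
        """User tapped Allow / Don't Allow: the prompt is no longer pending.
        The window counter is kept so a denial does not reopen the flood."""
        self._pending.pop(account, None)
        return "allowed" if allow else "denied"


def simulate_bombing(gate, clock, account, attempts, spacing_s):
    """Fire `attempts` reset requests `spacing_s` apart and count outcomes."""
    counts = {"prompt_sent": 0, "suppressed_pending": 0, "rate_limited": 0}
    for _ in range(attempts):
        counts[gate.request(account)] += 1
        clock.advance(spacing_s)
    return counts


if __name__ == "__main__":
    clock = FakeClock(1000)
    gate = ResetPromptGate(clock=clock.now)
    # 50 requests in ten seconds against one account: only the first reaches
    # the device, the rest are suppressed while that prompt is pending.
    print(simulate_bombing(gate, clock, "victim@example.invalid", 50, 0.2))
```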

Insights from the CyberLaw Forum | Intersecting Cybersecurity, Insurance & Regulation

SentinelOne’s CyberLaw Forum brings together lawyers, technical experts, and insurance executives to dive deep into challenges faced in today’s cyber insurance and legal realms. From the tactics of threat actors to contemplating the impact of artificial intelligence (AI) on enterprise security strategies, panelists from the event delved into the intricacies of cybersecurity in a rapidly evolving digital landscape.

This blog post highlights the key discussion questions from the event regarding cyber insurance viability post-breach and the intricacies of regulatory compliance, particularly in the wake of new SEC regulations.

Presentations From SentinelOne’s CyberLaw Forum

In partnership with Charleston Law School, the event covered a range of topics that many SentinelOne clients face each day:

  • What are threat actors doing and which ones should I be concerned about?
  • How will artificial intelligence (AI) impact my plans for securing my enterprise? Will threat actors use AI to overcome defenders?
  • Can I get cyber insurance? Or, will they renew my policy now that I have had a breach?

Keynote | Geopolitical Conflict and the Impact on Multinationals

Speakers: Alex Stamos & David Lashway

The event provided a platform for industry experts such as Alex Stamos to share his insights on the cybersecurity leadership landscape within the US government, Ukraine’s resilience in the face of cyber warfare, and the geopolitical dynamics shaping global cybersecurity strategies. Watch the keynote here.

Panel | What’s Concerning Cyber Insurers

Speakers: Chris Keegan, Tiffany Calhoun Pierce, Marcin Weryk, and Peter Castillo

Chris Keegan, who moderated the insurance panel, noted the willingness of senior underwriters to divulge valuable insights into cyber risks and market trends, shedding light on the complexities of insurance underwriting in the digital age.

This panel focused on:

  • Understanding the market and the players, including the insurance carriers currently operating in the cyber insurance domain
  • Current strategies on risk mitigation before risk transfer, in-house versus third-party breaches, and quantifying risk assessments
  • Rising challenges as the insurance market grows, including systemic risks, war and nation-state attacks, data privacy, artificial intelligence, and supply chain risks for manufacturers

Watch the presentation here.

Panel | Hacking Incident Response

Speakers: Justine Phillips, Nikole Davenport, Brendan Rooney, and Terry Oehring

Justine Phillips underscored the critical importance of proactive measures and swift response strategies in mitigating the impact of data breaches, emphasizing the need for robust incident response protocols. “There are only two things in life and cyber we can control: Everything we do or don’t do leading up to an event and what we do or don’t do in response to an event.”

This panel focused on:

  • Understanding the current threat landscape through the tactics, techniques, and procedures (TTPs) seen both left and right of boom
  • Key cyber regulations and enforcement actions
  • How to evaluate and manage your enterprise cyber risk
  • How to build a smart and flexible program through People, Process & Technology
  • Cybersecurity trends to watch out for in 2024

Watch the presentation here.

Panel | Automotive Security & Liability

Speakers: Amy Mushahwar, Todd B. Benoff, and Michael Bryant

For those navigating the intersection of automotive technology and cybersecurity, Amy Mushahwar’s panel offered invaluable insights into the future of driverless electric vehicles and the implications for data security and privacy.

This panel focused on:

  • How the National Highway Traffic Safety Administration (NHTSA) is approaching the discussion of self-driving cars
  • State-to-state travel, creating one set of standards for performance and safety, and strict liability
  • The complications in distinguishing strict from absolute liability, particularly for accidents caused by exploits

Watch the presentation here.

Panel | National Cyber Strategy & Federal Regulations

Speakers: Evan Wolff, Megan Stifel, and Rob Knake

Evan Wolff led discussions on regulatory compliance and incident handling, providing clarity on navigating breach notification requirements and strategic decision-making in the aftermath of cyber incidents. This panel also examined implementation of the National Cybersecurity Strategy, with Rob Knake suggesting that “ransom payments should be banned.”

This panel focused on:

  • The five-pillar overview of the National Cybersecurity Strategy
  • SEC mandatory cybersecurity disclosure and risk management rules
  • DFARS and clause 7012 history – a timeline of changes to how the federal government contracts for cybersecurity
  • Compliance trends in the cyber supply chain

Watch the presentation here.

Panel | Artificial Intelligence Transforming Cybersecurity

Speakers: Randy Sabett, Kristy Hornland, Jason Ingalls, and Chris Martenson

This interactive and open discussion led by Randy Sabett covered the intersection of artificial intelligence (AI) and cyber law in 2024. The panelists examined how AI is transforming the legal landscape, from automating routine legal tasks to aiding in decision-making processes. As AI continues to affect privacy, data protection, intellectual property rights, and cybersecurity regulations, new challenges and opportunities are emerging for AI in the legal domain.

This panel focused on:

  • The multidimensional nature of AI and machine learning (ML) for cyber
  • The increasingly commercial use of AI and ML across various industries and disciplines
  • How adversaries are leveraging AI and ML to monitor and model user behavior to create automated and tailored attacks
  • How cyber defenders are embedding AI and ML to accelerate threat identification, improve existing processes, and continuously monitor in real-time

Watch the presentation here.

Conclusion

As we reflect on the wealth of knowledge shared at this year’s CyberLaw Forum, we extend our gratitude to the esteemed panelists, sponsors, and moderators who helped deepen the conversations around these complex and dynamic cybersecurity issues. Learn more about how to participate in next year’s forum here.
