Categories
General Cyber and IT Security Ransomware

The Rise of Ransomware-as-a-Service: A Roadmap For Executives

The cybersecurity landscape has witnessed an alarming escalation in ransomware attacks, compounded by the proliferation of Ransomware-as-a-Service (RaaS). This model enables even those with minimal technical expertise to launch ransomware attacks, making it a pressing concern for organizations worldwide. RaaS operates much like a traditional SaaS (Software-as-a-Service), where affiliates pay a subscription fee or share a percentage of the ransom profits with the ransomware developers, making this a low-risk, high-yield proposition for the perpetrator. This article delves into the growing trend of RaaS and outlines effective countermeasures and response strategies for organizations to protect themselves and mitigate the impact of these attacks. 

Understanding Ransomware-as-a-Service 

RaaS platforms provide a user-friendly interface, detailed instructions, and customer support, lowering the barrier to entry for conducting ransomware attacks. They have democratized access to sophisticated ransomware tools, leading to an increase in the frequency and sophistication of attacks, even by script-kiddies. The RaaS model has also facilitated the targeting of a wider range of organizations, from small businesses to large enterprises and government agencies. 

Countermeasures to Protect Against RaaS 

Strengthen Email Security 

Since phishing emails are a primary vector for ransomware attacks, organizations should implement advanced email security solutions that include phishing detection and sandboxing capabilities. Educating employees on recognizing suspicious emails and conducting regular phishing campaigns can also significantly reduce the risk of successful attacks. 

Implement Robust Backup and Recovery Procedures 

Regular, secure, and tested backups are the linchpin of ransomware defense. Since backups are themselves a target of attackers, ensure they are encrypted, stored offline or in immutable storage, and regularly tested for integrity and recovery speed. A robust backup strategy can significantly minimize the impact of a ransomware attack by enabling the restoration of encrypted data without paying the ransom. 

Apply Least Privilege Access Controls 

Limiting user and system access to the minimum necessary can help contain the spread of ransomware within a network. Implement strong access controls and regularly review access and adjust permissions to ensure they are aligned with user roles and responsibilities. 

Keep Systems and Software Up to Date 

Regularly update operating systems, applications, and firmware to patch vulnerabilities that could be exploited by ransomware. Employing a vulnerability management program with a remediation schedule can help identify and address security gaps promptly. 

Response Strategies for Ransomware Incidents 

Incident Response Planning 

Develop and regularly update an incident response plan that includes specific procedures for responding to ransomware attacks. This plan should outline roles and responsibilities, contact information, communication strategies, and steps for isolating affected systems to prevent the spread of ransomware. 

Rapid Detection and Isolation 

Implement monitoring tools and services to detect ransomware activity early. Upon detection, quickly isolate infected systems from the network to prevent the ransomware from spreading. Disconnecting storage devices and backups can also prevent them from being encrypted. 
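As an added illustration of the "detect early, then isolate" step above (this is example code written for this page, not a SecurIT360 tool), the PowerShell below runs a simple burst heuristic over file-change events and shows a host-level containment hook. The event records are constructed inline, the thresholds and the `.locked`/`.encrypted`/`.crypt` extension list are illustrative starting points, and `$SocAddress` is a placeholder for your own SOC or EDR server; a commercial EDR's isolation feature is the better tool where you have one.

```powershell
# Added example: flag hosts that touch many files and produce known
# ransomware-style extensions inside a short window, then show the
# containment action a responder would take.
function Get-RansomwareBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,      # objects with Host, User, Path, Time
        [int]$MinFiles = 20,                          # files touched within $Window
        [int]$MinBadExtensions = 1,                   # distinct suspicious extensions seen
        [timespan]$Window = [timespan]::FromSeconds(60),
        [string[]]$KnownBadExtensions = @('.locked', '.encrypted', '.crypt')  # illustrative list
    )
    $findings = @()
    foreach ($group in ($Events | Group-Object Host)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt ($start + $Window) })
            $exts     = @($inWindow | ForEach-Object { [IO.Path]::GetExtension($_.Path).ToLower() } | Sort-Object -Unique)
            $badExts  = @($exts | Where-Object { $KnownBadExtensions -contains $_ })
            if ($inWindow.Count -ge $MinFiles -and $badExts.Count -ge $MinBadExtensions) {
                $findings += [pscustomobject]@{
                    Host = $group.Name; User = $inWindow[0].User; Files = $inWindow.Count
                    Extensions = ($badExts -join ','); WindowStart = $start
                }
                break   # one finding per host is enough to trigger containment
            }
        }
    }
    return $findings
}

function Invoke-HostIsolation {
    param([Parameter(Mandatory)][string]$ComputerName,
          [string]$SocAddress = '10.0.0.5',   # assumed placeholder: your SOC/EDR server
          [switch]$DryRun)
    if ($DryRun) { return "Would isolate $ComputerName, allowing outbound traffic only to $SocAddress" }
    # Set the firewall's default outbound action to Block and add one explicit
    # allow rule. With the default at Block, allow rules are honoured, so the
    # host stays reachable for investigation while everything else is cut off.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $SocAddress -ScriptBlock {
        param($allow)
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
        New-NetFirewallRule -DisplayName 'IR-Allow-SOC' -Direction Outbound -Action Allow -RemoteAddress $allow | Out-Null
    }
    # Undo with Set-NetFirewallProfile ... -DefaultOutboundAction Allow and
    # Remove-NetFirewallRule -DisplayName 'IR-Allow-SOC' once the host is cleared.
}

# Constructed sample events: a rename burst on FS01 and one normal save on WS07.
$t0 = Get-Date '2024-03-01T09:00:00'
$sample = @()
1..25 | ForEach-Object {
    $sample += [pscustomobject]@{ Host = 'FS01'; User = 'jdoe'; Path = "\\fs01\share\doc$($_).docx.locked"; Time = $t0.AddSeconds($_) }
}
$sample += [pscustomobject]@{ Host = 'WS07'; User = 'asmith'; Path = 'C:\Users\asmith\report.xlsx'; Time = $t0.AddSeconds(5) }

$hits = Get-RansomwareBursts -Events $sample
$hits | Format-Table -AutoSize
foreach ($h in $hits) { Invoke-HostIsolation -ComputerName $h.Host -DryRun }
```

Feed the function from whatever produces your file events in practice (file-server audit logs, EDR telemetry, a SIEM export); the point of the dry-run switch is that the isolation action is reviewed once against real data before it is allowed to fire automatically.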

Analysis and Investigation 

Conduct a thorough investigation to understand the attack vector, the extent of the compromise, and the ransomware strain used. This information is critical for effectively removing ransomware and implementing solutions or processes to aid in preventing future attacks. 

Legal and Regulatory Considerations 

Consult with legal counsel and consider reporting the incident to relevant authorities. Paying the ransom may have legal implications, and certain jurisdictions require notification of data breaches. Additionally, law enforcement agencies may help in responding to the attack. 

Recovery and Restoration 

Prioritize the restoration of critical systems and data from backups. Ensure that all ransomware has been removed and security vulnerabilities patched before restoring backups to prevent re-infection. 

Post-Incident Review 

After resolving the incident, conduct a post-incident review to identify lessons learned and areas for improvement. Update security policies, employee training programs, and incident response plans based on these insights. 

Conclusion 

The rise of Ransomware-as-a-Service represents a significant and growing threat to organizations of all sizes. By understanding the nature of RaaS and implementing comprehensive countermeasures and response strategies, organizations can enhance their resilience against ransomware attacks. Strengthening cybersecurity defenses, fostering a culture of security awareness, and preparing for efficient incident response are essential steps in mitigating the impact of these malicious campaigns. 


Women In Cybersecurity

A silent war is being waged for a different kind of security: equal representation. While the digital landscape holds immense opportunity, a stark gender gap persists within the cybersecurity industry.

This article delves into the reasons behind the underrepresentation of women in cybersecurity, a field constituting a mere 24% female workforce. We will explore the challenges faced by women, the importance of diversity in this critical domain, and promising initiatives paving the way for a more inclusive future.

The Current Landscape

The cybersecurity industry stands as a vital shield against a relentless barrage of digital attacks. Yet, when we look behind the scenes at the professionals safeguarding our data, a significant imbalance becomes clear. According to reports by the Cybersecurity and Infrastructure Security Agency (CISA) and (ISC)², women currently make up only around 24% of the global cybersecurity workforce. This statistic remains stubbornly consistent year-over-year, highlighting a persistent challenge in attracting and retaining female talent.

While 24% offers a broad picture, a deeper dive reveals further nuances. The distribution of women across different cybersecurity roles and sectors is not uniform. For example, research suggests a slightly higher concentration of women in analyst positions compared to leadership roles like Chief Information Security Officer (CISO). Additionally, some sectors, such as cloud security, may exhibit a slightly higher percentage of women compared to more traditional areas like industrial control systems.

Reasons for Underrepresentation

The underrepresentation of women in cybersecurity stems from a complex interplay of factors, hindering the industry from reaching its full potential. Let us explore some of the key reasons:

  • Societal Stereotypes: From an early age, girls are often subtly discouraged from pursuing STEM (Science, Technology, Engineering, and Math) fields. The stereotypical image of a cybersecurity professional – a lone hacker in a dark room – further reinforces the notion that these careers are not suited for women. This perception can dissuade girls from developing an interest in cybersecurity and taking the necessary steps towards a relevant education.
  • Lack of Role Models: The cybersecurity industry suffers from a dearth of visible female leaders. With few women holding prominent positions, young women may struggle to see themselves thriving in this field. The absence of relatable role models can make cybersecurity seem unwelcoming and limit aspirations.
  • Educational Pipeline Issues: While strides are being made, potential biases may still exist within cybersecurity education and training programs. Unconscious biases in course materials or a lack of female instructors can inadvertently discourage women from pursuing further education in the field. Additionally, limited access to scholarships and financial aid specifically targeted towards women in cybersecurity can create a further barrier to entry.
  • Workplace Culture: Even after entering the workforce, women in cybersecurity can face a challenging environment. Unconscious bias during recruitment and promotion, a lack of mentorship opportunities, and a culture that does not value diverse perspectives can lead to feelings of isolation and hinder career advancement. These factors can push talented women out of the field entirely.

The Importance of Diversity

The underrepresentation of women in cybersecurity is not just a question of fairness; it is a significant missed opportunity. A diverse workforce, with a healthy representation of women, brings a multitude of benefits to the cybersecurity landscape:

  • Different Perspectives and Problem-Solving Approaches: Women bring unique viewpoints and experiences to the table. This diversity of thought allows cybersecurity teams to consider a wider range of attack vectors and develop more comprehensive defense strategies. By incorporating female perspectives, the industry can move beyond traditional solutions and uncover innovative approaches to combat cyber threats.
  • Improved Decision-Making: Research has shown that diverse teams make better decisions. When women are included in the conversation, teams are more likely to consider all angles of a problem and arrive at a more effective solution. This collaborative approach is crucial in the fast-paced world of cybersecurity, where quick and accurate decisions can make all the difference in containing a cyberattack.
  • Stronger Talent Pool: By fostering a more inclusive environment, the cybersecurity industry opens itself up to a wider pool of talented individuals. This not only benefits companies seeking top talent, but also strengthens the overall resilience of the cybersecurity workforce. A more diverse workforce can better reflect the global community we aim to protect, ensuring a well-rounded understanding of potential threats and vulnerabilities.

Initiatives and Solutions

The tide is turning. Recognizing the importance of diversity, several promising initiatives are underway to attract and retain women in cybersecurity:

  • Educational Programs and Scholarships: Organizations are developing targeted educational programs specifically designed to introduce young women to cybersecurity concepts and career paths. Additionally, scholarships are being offered to support women pursuing cybersecurity degrees and certifications. These initiatives aim to build interest and equip women with the necessary skills to excel in the field.
  • Mentorship and Sponsorship Programs: Mentorship programs pair experienced women in cybersecurity with aspiring female professionals. This provides valuable guidance, career advice, and a supportive network for women navigating the industry. Sponsorship programs provide financial and professional support to women pursuing leadership roles within cybersecurity companies.
  • Highlighting Achievements of Women in Cybersecurity: Highlighting the achievements of successful women in the field is crucial. By sharing their stories and expertise at conferences and through online platforms, these role models can inspire young women to pursue careers in cybersecurity. They demonstrate the breadth and depth of career opportunities available and dismantle stereotypes about who can excel in this field.
  • Creating a More Inclusive Workplace Culture: Companies are actively working to cultivate a more inclusive work environment for women in cybersecurity. This includes unconscious bias training for all employees, promoting flexible work arrangements, and establishing clear policies against harassment and discrimination. Additionally, fostering a culture of collaboration and open communication can ensure that women feel valued, and their contributions are recognized.

Conclusion

The cybersecurity industry stands at a crossroads. While progress is being made, the persistent underrepresentation of women remains a significant hurdle. We have explored the societal factors, educational challenges, and cultural barriers that contribute to this gap. Yet, amidst these obstacles, there is a growing recognition of the vital role diversity plays in building a stronger cybersecurity ecosystem.

By fostering a more inclusive environment, the industry unlocks a wealth of talent and perspectives. Women bring unique approaches to problem-solving, strengthen decision-making capabilities, and contribute to a more comprehensive understanding of cyber threats. The initiatives and success stories we have highlighted offer a glimpse into a future where women are not just present but thriving leaders in cybersecurity.

The journey towards a truly representative cybersecurity workforce is ongoing. It requires sustained efforts from educational institutions, industry leaders, and individual women passionate about the field. As we move forward, let us celebrate the achievements of women in cybersecurity and continue paving the way for a more inclusive and secure digital future.


Do I Pay the Ransom? Insights from an Incident Responder

When people meet me, and I identify as a Cyber Incident Responder who has been a part of several ransomware extortion cases, everyone asks, “Should I pay the ransom if I am attacked?” I am about to share some insights gathered while working with companies that faced these questions in real life. Now, there are some people out there who hold absolute hardlines on this position, and while hardlines are always a good place to start, the reality is that many companies need to step off that first position and find a position that works best for them. 

Each company needs to make its own decision in concert with qualified, specialized legal counsel. In sharing this information, I hope it helps you determine whether you should pay the ransom if that fateful day arrives. Viewer discretion is advised.

First, you may not even need to pay at all.

Our good friends at CISA and the FBI have developed several tools to decrypt files damaged by many popular threat actors. They are 100% free to acquire and use. CISA has created the ESXiArgs-Recover tool to assist networks whose ESXi infrastructure may have been encrypted.[1] The FBI has created keys for victims of the Blackcat, AlphV, and Sphynx ransomware variants.[2] Obtaining keys or tools from these agencies greatly strengthens your ability to avoid paying a ransom.

Now, the company hard line.

At a recent security conference where I was speaking, I was fortunate enough to be sitting at a table with a bunch of local liaisons to a government agency that is very involved in ransomware activities. When one of the gentlemen asked me what I was speaking on, I told them the title of my session, which was “ESXi Host Protection 2024, why you can’t ignore this anymore”. This session was on ESXi hosts targeted by ransomware threat actors and how to prepare for and prevent such attacks. 

Upon hearing my session title, the gentleman asked me my thoughts on paying the ransom while simultaneously telling me his staunch view. Unsurprisingly, he echoed the agency line that nobody should ever pay the ransom. Paying ransomware is the equivalent of negotiating with terrorists. You should never negotiate with terrorists. It just encourages them to continue. That is a valid point.

I stated that, in my experience, every situation was unique. Then I mentioned that I had recently worked with a company willing to pay their ransom even if they did not receive the encryption keys, which sometimes happens. (Newsflash, criminals are not honest. More on that later). Puzzled, the gentleman across the table asked why they would do that. My response was, well, it was simple. 

They viewed themselves as having a large liability for possibly causing the ransomware incident to take place in the first place. Therefore, their legal counsel was telling them that since they may not have done everything they should have to protect the data, they now needed to do everything possible, including paying a ransom, to demonstrate (to potential future judges and jurors) that they did everything they could to recover the data. The company was preparing itself for pending litigation due to the cyber incident. 

I could tell by the look on his face that he didn’t like the answer, but he nodded and said he understood why someone would do that. Then, he immediately pivoted back to his agency’s line. As you can see here, the theory of never paying the ransom has real merit. But when the theory makes first contact with the enemy, companies need to be ready to adjust their stance. In this case, what was best for the government agency wasn’t necessarily the best thing for the business affected. The two can co-exist and do. Not paying is a good position to start at, but be ready to pivot if needed.

Can you restore and recover in time?

One factor to consider in whether you’ll pay the ransom is, once you receive decryption keys, how long will it take to decrypt your data (if you even receive the key)? Ransomware is designed to encrypt data rapidly for maximum impact. It can take just hours to completely encrypt a medium to large-sized network. Still, it is extremely slow to decrypt the same data, especially large data sets (hundreds of gigabytes or more). Therefore, you need to plan accordingly for just how long your restoration will take once you begin.

I witnessed one company days away from financial ruin and closing its doors for good due to the vast amount of encryption that had taken place with ransomware in its environment. The timing of the attack could not have been worse, and that was the point. The ransomware gang had stalked this company internally and knew the business cycle and when the company was most vulnerable. These people were under tremendous pressure to get their systems restored. Therefore, paying the ransom seemed viable, or at least harder to say no to, when all the other options may have led to total failure.

But here’s the catch. Is it really a viable solution? What if this company could not get the data restored within the couple of business days it needed? What if the ransomware actors don’t respond to your request or payment as quickly as you need them to? Threat actors don’t work under Service Level Agreements. 

In this scenario, if it will take you a week or more to restore all the necessary data, what’s the point in paying when you exceed your window for restoration? The harm will happen either way, so you might as well not pay. Many people don’t factor in the time it takes to restore the data or systems in their decision-making process. They should. This might be a reason, albeit a sad reason, not to pay. Better yet, if you know that you can restore your systems from backups in a rapid time, the need to pay the ransom may no longer exist or never exist to begin with.
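The two questions raised here, and in the backup section of the Ransomware-as-a-Service article above (are the backups intact, and how long will a restore actually take?), are ones you can answer with a script before an incident. The PowerShell below is an added example written for this page, not SecurIT360 tooling: it writes a SHA-256 manifest at backup time, verifies the backup against that manifest before you rely on it, and times a test restore so the projected full-restore window can be compared with the downtime the business can tolerate. The demo files and directories it creates are constructed for the example; `-ProductionBytes` and `-MaxTolerableDowntimeHours` are placeholders for your own numbers.

```powershell
# Added example: backup manifest creation, integrity verification, and a
# measured restore-time projection.
function New-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot, [string]$ManifestName = 'manifest.sha256')
    $root = (Resolve-Path $BackupRoot).Path
    $manifestPath = Join-Path $root $ManifestName
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $_.FullName -ne $manifestPath } |
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
        } | Set-Content -Path $manifestPath -Encoding UTF8
    return $manifestPath
}

function Test-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot, [string]$ManifestName = 'manifest.sha256')
    $root = (Resolve-Path $BackupRoot).Path
    $bad = @()
    foreach ($line in (Get-Content -Path (Join-Path $root $ManifestName))) {
        if (-not $line) { continue }
        $expected, $rel = $line -split '  ', 2
        $full = Join-Path $root $rel
        if (-not (Test-Path $full)) { $bad += "MISSING  $rel"; continue }   # file gone from the backup set
        if ((Get-FileHash -Path $full -Algorithm SHA256).Hash -ne $expected) { $bad += "MODIFIED $rel" }  # content changed
    }
    [pscustomobject]@{ Verified = ($bad.Count -eq 0); Problems = $bad }
}

function Measure-RestoreWindow {
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ScratchRestore,
          [Parameter(Mandatory)][long]$ProductionBytes,       # size of the data you would really restore
          [double]$MaxTolerableDowntimeHours = 48)            # placeholder business target
    $sw = [Diagnostics.Stopwatch]::StartNew()
    Copy-Item -Path (Join-Path $BackupRoot '*') -Destination $ScratchRestore -Recurse -Force
    $sw.Stop()
    $restoredBytes  = (Get-ChildItem -Path $ScratchRestore -Recurse -File | Measure-Object -Property Length -Sum).Sum
    $bytesPerSec    = $restoredBytes / [math]::Max($sw.Elapsed.TotalSeconds, 0.001)
    $projectedHours = $ProductionBytes / $bytesPerSec / 3600
    [pscustomobject]@{
        MeasuredMBps   = [math]::Round($bytesPerSec / 1MB, 1)
        ProjectedHours = [math]::Round($projectedHours, 1)
        MeetsTarget    = ($projectedHours -le $MaxTolerableDowntimeHours)
    }
}

# Constructed demo data so the script runs offline.
$tmp     = [IO.Path]::GetTempPath()
$backup  = Join-Path $tmp 'demo-backup'
$scratch = Join-Path $tmp 'demo-restore'
New-Item -ItemType Directory -Force -Path $backup, $scratch | Out-Null
1..5 | ForEach-Object { Set-Content -Path (Join-Path $backup "file$($_).txt") -Value ('x' * 100000) }

New-BackupManifest -BackupRoot $backup | Out-Null
Test-BackupManifest -BackupRoot $backup                           # check the untouched backup set
Set-Content -Path (Join-Path $backup 'file3.txt') -Value 'tampered'
Test-BackupManifest -BackupRoot $backup                           # check again after one file was altered
Measure-RestoreWindow -BackupRoot $backup -ScratchRestore $scratch -ProductionBytes 2TB
```

Run the manifest check from a clean host against the offline or immutable copy, not from the server that was backed up, and measure the restore against a sample large enough to reflect your real storage and network path; a few tiny files will give a meaningless throughput figure.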

Should you trust a criminal?

Do I really need to answer this one? Despite working with some smart businessmen and women and helping them navigate some tough waters, I am always surprised when they express shock when the ransom is paid, and the other side doesn’t completely hold up their end of the deal. Maybe this is because they are looking at this like they would negotiate a contract for services with AT&T. Now, while the feeling of being held up for ransom and having to deal with poor customer service may be the same in both scenarios, I assure you that they are not the same situation, or at least not yet. Please repeat after me.

CRIMINALS CAN NOT BE TRUSTED

CRIMINALS CAN NOT BE TRUSTED

CRIMINALS CAN NOT BE TRUSTED

The recent takedown of LockBit Ransomware Group leadership shows what I have advised many customers about. Just because someone says they will delete your stolen data doesn’t mean they will. There are ways to easily fake the evidence that ransomware gangs provide as proof of deletion. You are taking a thief at their word that they will do what they claim after they just willfully wrecked your business. 

Investigators who took down LockBit have found massive amounts of stolen victim data on the servers of the ransomware gangs, even those victims who paid and were given proof of the deletion. The gangs hoarded the data for the next round of extortion or marketplace sale to other threat actor groups. While you are negotiating with them, the threat actors are selling your data to other criminal groups so that they may attempt extortion later.

To make things worse, the ransomware group is also selling to others how they initially gained access to your network to steal/encrypt your data, to begin with. The goal is that someone else will attack your network when they are done in hopes that the initial access was not properly fixed. Now, the ransomware group will have deniability that they were involved with your second or third cyber incident, thus giving them the appearance of credibility when there never was any. 

Not only is this being discovered by law enforcement, but now, sadly, a new wave of victims is emerging: those who paid group #1 but are now being extorted by group #2. All this being said, there has always been evidence of some ransomware groups skipping town with the ransom and not providing the decryption keys or not providing decryption keys that work properly, which is just as bad. Like before, the ransomware gang can claim that they held up to their end of the deal by giving you the working keys when they did not or falsely advertise their capabilities. There is no honor among thieves.

Insult to Injury

It should surprise no one that the cost of cyber liability insurance and services around ransomware has skyrocketed. Just like your auto insurance rates increase when you open a claim for an accident, your cyber liability insurance will most likely increase dramatically, or you may get dropped completely when the matter is over. Those are business costs that sometimes get overlooked during the heat of the battle. You may have paid $25,000 in one-time ransom, but if your insurance premiums go up $25,000 per year for every year you are in business from now on, is this a wise financial move? 

I hate to paint Insurance as a bad guy, as they provide a much-valued service for businesses today. But at the end of the day, ransom payments are a business decision with wide-reaching implications long after the battle. Costs are still costs. Paying a ransom might cost your business more in the long run than enduring the short-term financial pain today.

Final Advice

I will summarize what you need to know and incorporate it into your business equations to determine whether you should pay the ransom.

1. Check to see if your variant of ransomware is one that either CISA or FBI has decryption tools available before you start any discussions on paying ransom.

2. You cannot trust the extortion groups regarding their capabilities or commitments. They will lie, and they have. They are criminals.

3. Ransomware/Theft negotiations ARE NOT enforceable business contracts. Don’t treat them as such. You can’t sue them for breach of contract when they double-cross you.

4. Don’t get caught up in the emotions. I’ve seen people think this is a scene from a movie and get the adrenaline rush of “talking to the bad guys” or have strong emotions as they feel violated or the pressure of the situation gets to them. It’s human. But adrenaline and emotions skew the rational, analytical conversations that need to take place. Take a breath before moving on.

5. Don’t do this alone. You need to have good, experienced legal counsel advising you along the way.

6. Don’t do this alone. You need a good, experienced Incident Response Team to help your company’s recovery efforts while you have a business conversation with legal counsel. Remember, these gangs are selling information on how they broke into your systems. You need experienced experts to determine how they did it and provide a path to remediation so that future attacks can be properly fended off. While multitasking during negotiations with Khan may have worked for Captain Kirk in the movie The Wrath of Khan, it is not a good foundation for success, and we’re not Captain Kirk.

7. Companies that prepare for ransomware/breaches fare better than those that do not. Do you know how long it will take to restore your systems? Is this good enough for a business to survive? The best time to handle ransomware is during the preparation stage, when you can plan your defenses and response strategies and when things are calm. Engage with an experienced Incident Response team to help you prepare. Your Cyber Insurance carrier may even have plans or programs to help you at no additional cost. Don’t overlook these policy benefits.

8. Finally, don’t hide from regulators. Some business leaders discuss the pros and cons of not disclosing the breach if they get their data back. It’s been my experience that the fact that you were breached will eventually come to light, whether you want it to or not. You won’t be able to hide this forever.

If you become a victim, there is no one-size-fits-all answer for dealing with extortion gangs. Learning what happened to others in similar situations may help you consider those facts while determining what to do. I never fault a company for doing what is best for them in these situations. What works for one company may not be appropriate for another. If you are a ransomware or data theft victim, the experienced team at SecurIT360 is ready to lend a hand. You can contact us at https://securit360.com/contact. I hope this has been helpful and that we can meet someday under favorable circumstances, not when my team’s response services are needed.

[1] To obtain a copy of the ESXiArgs-Recover tool, visit CISA’s GitHub page at: https://github.com/cisagov/ESXiArgs-Recover.

[2] For the FBI tool, you need to open an IC3 report at: https://www.ic3.gov. In the description, ask for the specific decryptor tool that you need so your request is routed to the right team (Blackcat, AlphV, Sphynx variants only).


Aligning Cybersecurity with Business Goals: A Roadmap for Executives

The alignment of cybersecurity initiatives with overarching business goals is not just a strategic advantage—it is a fundamental necessity. As the cyber threat landscape becomes more sophisticated, executives must ensure that their cybersecurity strategies not only protect the organization’s digital assets but also support its business objectives. Internal controls are the policies, procedures, mechanisms, systems, and other means designed to reduce risk and facilitate the achievement of business objectives.  

Understanding the Synergy 

The first step in aligning cybersecurity with business goals is recognizing that cybersecurity is not just an information technology problem but an integral part of the overall business strategy. It should be seen as a business enabler rather than a cost center. This paradigm shift is crucial for developing a cybersecurity strategy that contributes to the achievement of business objectives, such as market expansion, customer satisfaction, and innovation. 

Establishing a Common Language 

One of the main challenges in aligning cybersecurity with business goals is the communication gap between technical cybersecurity teams and business executives. To overcome this, organizations must establish a common language that translates cybersecurity risks into business impacts. This involves quantifying the potential financial, reputational, and operational impacts of cyber threats and incidents in terms executives can understand and act upon. 

Integrating Cybersecurity into Business Planning 

Cybersecurity considerations should be integrated into the business planning process from the outset. This includes involving cybersecurity leaders in strategic business meetings, decision-making processes, and the development of new products and services.  By doing so, organizations can ensure that cybersecurity measures are designed to support business objectives, rather than being retrofitted as an afterthought. 

Prioritizing Based on Business Impact 

Not all data and systems hold the same value to an organization. Executives should work with cybersecurity teams to identify and prioritize assets based on their importance to business goals. This risk-based approach ensures that cybersecurity resources are allocated efficiently, focusing on protecting the most critical assets that could impact the organization’s ability to achieve its objectives. 

Fostering a Culture of Security 

Aligning cybersecurity with business goals requires a cultural shift towards recognizing cybersecurity as everyone’s responsibility. This involves training and awareness programs that emphasize the role of each employee in maintaining the organization’s cyber resilience. A strong culture of security supports business goals by minimizing the risk of data breaches and ensuring that employees are prepared to respond to cyber threats effectively. Training should be mandatory for everyone and there should be consequences for not participating. 

Measuring Success 

To effectively align cybersecurity with business goals, organizations must establish metrics and Key Performance Indicators (KPIs) that reflect this alignment. These metrics could include the reduction in the number of security incidents impacting critical business operations, improvements in compliance with regulatory requirements, and the effectiveness of employee cybersecurity training programs. Regularly reviewing these metrics helps executives adjust their strategies to better support business objectives. 

Conclusion 

Aligning cybersecurity with business goals is an ongoing process that requires commitment, communication, collaboration, and enforcement across all levels of the organization. Information Technology risk management should be aligned with enterprise risk management.  By viewing cybersecurity as a strategic business enabler, executives can create a more resilient, agile, and competitive organization. This alignment not only enhances the organization’s security posture but also supports its overall strategic vision, ensuring long-term success in an increasingly digital world. 



Introducing New Managed Detection and Response Capabilities: Enhanced Security for Microsoft 365

Announcing two new capabilities within our Managed Detection and Response (MDR) services, specifically designed to enhance the monitoring and security of your Microsoft 365 environment. These additions are part of our ongoing commitment to provide the best possible protection against evolving cyber threats.

  1. Microsoft 365 Account Isolation: Our first new feature, Microsoft 365 Account Isolation, is a significant step forward in securing M365 user accounts and sensitive data. Compromised accounts can lead to Business Email Compromise (BEC) attacks and even data exfiltration. Let us help you remediate this faster by acting on the suspected accounts to prevent further compromise and loss when your IT staff or MSP are not available to respond.

This capability allows us to:

  • Isolate Compromised Accounts: In the event of a suspected compromise, we can now quickly isolate affected accounts, minimizing the risk of data breaches or further infiltration.
  • Faster Remediation: Our SOC analysts can disable accounts and revoke all user sessions when suspicious activities are detected, ensuring faster remediation action.  We will also have the ability to re-enable accounts if needed.
  1. Microsoft Risky Users Alerting: The second feature, Microsoft Risky Users Alerting, provides enhanced monitoring of account activity classified as Risky Users within your Microsoft 365 environment. Previously we were unable to see this activity.  To take advantage of this enhanced monitoring, you must have a Microsoft Identity Protection with a P2 license level.  Additional permissions will be required and we can provide instructions to help you make the necessary changes.

Microsoft documentation classifies Risky Users as:

  • The user has one or more risky sign-ins.
  • One or more risk detections have been reported.

For more information on Risky Users, see the official Microsoft Identity Protection documentation.

What This Means for You

  • Enhanced Security: These new capabilities can significantly bolster your defense against cyber threats, particularly in visibility into and protection of your Microsoft 365 environment.
  • Peace of Mind: With these new capabilities, you can be assured of a safer and more secure digital workspace.
  • Seamless Integration: These features are integrated into our existing MDR services, ensuring a smooth and uninterrupted experience.

Next Steps

  • Opt-in for these new capabilities: Contact us via email at soc@securit360.com or by telephone at 205-419-9066 or toll-free 844-474-1244. Not yet a client? Contact us through this form.
  • Establish rules of engagement: We can discuss your preferences for utilizing the account isolation features such as:
    • Should we disable accounts upon suspicious activity?
    • Or only use isolation when we receive email or voice approval?
  • Set up Additional Permissions in Microsoft Entra ID (formerly Azure AD) / 365: Your team will need to enable some additional API permissions within your Microsoft Entra ID / 365 environment to allow these additional capabilities.
    • We have instructions we can provide to you during the setup process.

We are committed to continuously enhancing your cybersecurity posture, and these new MDR capabilities are a testament to that commitment. Thank you for your ongoing support and cooperation in maintaining a secure and resilient digital environment.

 

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 2

Security should be a lifestyle and not just a “To-Do” list. As a Cybersecurity Professional myself, I cannot preach enough about the importance of Layered Security. No matter how big or small your environment, remember that even David took down a GIANT with a slingshot and pebble. Threats in our industry are diverse and dangerous. Staying ahead of the curve is no walk in the park, and that is why a series of this magnitude is important for proactive thinking.

In the first installment, we briefly covered threats such as Phishing (BEC Attacks), Malware Attacks, and Insider Threats. In this second installment, we will dive into Ransomware Attacks, Distributed Denial of Service attacks, and Zero-Day Exploits.

4. Ransomware Attacks:

Ransomware involves the encryption of a victim’s data by an attacker, who then demands a ransom in exchange for the decryption key. The impact of ransomware attacks ranges from financial loss to severe disruption of operations. This form of attack is especially prevalent in critical sectors such as healthcare, finance, and government.

Motions to Mitigate:

Mitigation against Ransomware attacks can consist of:

  • Endpoint Security: Install and regularly update endpoint security software to detect and prevent malicious software from running on a user’s device.
    • Some popular Endpoint Detection and Response solutions include Microsoft Defender for Endpoint, VMware’s Carbon Black, and CrowdStrike Falcon Platform.
    • If Endpoint Security is something your company is interested in implementing, SecurIT360 would love to assist you on this journey through our SOC services.
  • User Behavior Analytics: Using user behavior analytics tools to identify deviations from normal user behavior can help detect compromised accounts more efficiently.
    • This can be achieved through SecurIT360’s 24/7/365 security operations center, which provides real-time monitoring through utilization of MDR and EDR solutions.
  • Disable Unnecessary Services: Disabling or restricting services and features that are not essential for business operations can prevent ransomware from exploiting these services.
  • Network Segmentation: Segmenting your network to isolate critical systems and data from the rest of the network can help contain the spread of ransomware.
  • Backup and Disaster Recovery: Regularly backing up critical data and systems to offline or secure locations is another helpful tip. Ensuring backups are not accessible from the network and testing data recovery procedures can go a long way toward ensuring you can restore your systems in case of an attack.
  • Patch and Update Software: Keeping operating systems, software, and applications up to date with the latest security patches will address vulnerabilities that ransomware may exploit.

5. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks:

DoS and DDoS attacks aim to make a network, service, or system unavailable to its intended users. This type of attack targets the “A”, availability, within the CIA (Confidentiality, Integrity, and Availability) triad. This is achieved by overwhelming the target with a flood of internet traffic that the target was not built to withstand. In a DDoS attack, the attacker uses multiple compromised computers (a botnet) as sources of traffic, making these attacks particularly challenging to mitigate.

Motions to Mitigate:

A few ways to mitigate this are by implementing Distributed Traffic Filtering, Content Delivery Networks, and Geographic Blocking in your environment. Other forms of DoS/DDoS mitigation consist of:

  • IP Reputation Lists: Utilize IP reputation lists and databases to block known malicious IP addresses and networks. These lists should be updated quarterly because IP addresses frequently change hands or move between ISPs (Internet Service Providers).
    • We know that this can become quite a task, but our Security Operations Center can help relieve this pressure through our managed firewall services.
  • Network and Server Redundancy: Build redundancy into your network and server infrastructure to ensure that a failure in one component does not result in a complete service outage.
  • Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): Deploy IPS solutions to detect and block malicious traffic and behavior at the network level.
    • The SecurIT360 SOC Team can assist with detecting malicious activity through our MDR solutions and blocking known malicious traffic with some of our other managed services (EDR, Managed Firewalls, etc.).
  • Black Hole Routing (BGP Sinkholing): Configure your network to use black hole routing to discard malicious traffic. BGP sinkholing can redirect DDoS traffic to a “black hole” where it is discarded.

6. Zero-Day Exploits:

A zero-day exploit targets a software vulnerability that is unknown to the software’s developer. The term “zero-day” refers to the fact that the developer has zero days to fix the vulnerability once it becomes known. This is one of the most difficult threats to defend against, which is why organizations need a proactive rather than reactive approach to this subject.

Motions to Mitigate:

  • Advanced Threat Detection Solutions: Deploy advanced threat detection solutions that can identify zero-day attacks based on abnormal behavior and anomaly detection.
  • Application Security Testing: Conduct regular security assessments, including penetration testing, to identify and address potential weaknesses in your applications and systems.
    • If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.
  • Behavior-Based Analysis: Employ behavior-based analysis tools that can detect unusual or malicious behavior on endpoints and networks. Zero-day exploits often exhibit abnormal patterns.
    • This can fall under the umbrella of EDR services. Using user and entity behavior analytics to establish your environment’s baseline and compare it against anomalies is something SecurIT360’s SOC works with daily.
  • Threat Intelligence Sharing: Participate in threat intelligence sharing communities and organizations to stay informed about the latest threats, including zero-day vulnerabilities.
  • Sandboxing: Use sandboxing techniques to run potentially risky or untrusted code in an isolated environment, preventing it from affecting the rest of the system.
  • Vulnerability Management: Proactively discover and mitigate weaknesses in your systems before attackers can exploit them. This includes software, hardware, and even human behaviors.
    • SecurIT360’s ISSO department specializes in internal scan assessments.
    • SecurIT360’s Security Operations Center services include External Scan Assessments monthly or per request.

As you can see, there are many threats in our industry, and the need for persistent protection is constant. My goal for this second installment was to provide easily digestible information on some common threats Cybersecurity Professionals like myself witness on a day-to-day basis.

If you have enjoyed this second installment of the Decoding Digital Dangers: Common Cybersecurity Threats Explained series, be sure to go back and check out Part 1 as well.

Additionally, if your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 1

Have you heard the phrase “Don’t bring a knife to a gunfight”? Well, this phrase holds the same truth within the realms of modern cybersecurity. There are a wide range of dangers in our industry, and one must know what they are to properly prepare for the battle against them. The sheer volume of these risks alone should emphasize how critical it is to comprehend them while also developing mitigation solutions.

One might ask, well what are a few common threats that we as cybersecurity professionals should look out for in this constantly changing digital environment? This series was created to highlight just that. In this first installment, we will cover Phishing (BEC Attacks), Malware Attacks, and Insider Threats.

  1. Phishing Attacks:

Phishing attacks are the most common form of cybersecurity threat. This is where an attacker masquerades as a legitimate entity to “reel” victims into revealing sensitive data such as usernames, passwords, and credit card information. Phishing attacks often take the form of emails, website pop-ups, or text messages, which stresses the importance of always verifying that the entity you are communicating with is who it claims to be.

Once a successful Phishing Attack has occurred this can lead to a Business Email Compromise or BEC for short. As Cybersecurity professionals we must empower ourselves against BECs. Implementing the following recommended strategies can assist in strengthening your cybersecurity posture:

Motions to Mitigate:

A few ways to stay proactive against Phishing attempts are:

  • User Education and Training: Provide regular cybersecurity training and awareness programs to educate users about the risks of phishing.
    • The SecurIT360 SOC Team can assist with this through our KnowBe4 managed services. Through this service, we can set up Phishing Simulations along with Awareness Training.
  • Email Filtering and Authentication: Implement email filtering solutions to block or flag potential phishing emails before they reach users. Configure email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify the authenticity of incoming emails.
  • Multi-Factor Authentication (MFA): Enforce MFA for email and other critical accounts. Even if a phishing attack results in stolen credentials, MFA can provide an additional layer of security.
    • SIEM and MDR services can also help identify and respond to suspicious MFA activity. These services collect and analyze logs from a variety of sources, including MFA devices, applications, and servers. This data can be used to identify patterns of behavior that may indicate an attack, such as MFA bombing, logins sourced from known malicious IPs, and logins originating from non-approved countries.
    • For SecurIT360 SOC MDR clients, we can add this particular log source type to our SIEM solution to best accommodate your environment’s real-time monitoring.
  • Phishing Simulations: Conduct phishing simulations and tests within your organization to assess user awareness and response. Use the results to tailor training and awareness efforts.
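The three patterns named above (MFA bombing, sign-ins from known malicious IPs, sign-ins from non-approved countries), as an added example that is not part of the original post or of SecurIT360’s tooling: a small Go detector run over constructed sign-in and MFA log lines. The log format, field names, thresholds, blocklist and allowed-country set are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one sign-in or MFA log line; the field set is constructed for this example.
type Event struct {
	Time    time.Time
	User    string
	Action  string // "mfa_prompt" or "login"
	Result  string // prompts: approved/denied/timeout; logins: success/failure
	IP      string
	Country string
}

// Alert is one detection hit; Rules holds the assumed thresholds and reference lists.
type Alert struct{ Rule, User, Detail string }
type Rules struct {
	BombThreshold    int             // unapproved prompts needed to flag MFA bombing...
	BombWindow       time.Duration   // ...within this window
	BadIPs           map[string]bool // IP reputation / blocklist
	AllowedCountries map[string]bool // countries sign-ins are expected from
}

// SampleLog is constructed test data, not real telemetry: time|user|action|result|ip|country.
const SampleLog = `
2024-03-01T08:00:00Z|alice|mfa_prompt|denied|203.0.113.5|US
2024-03-01T08:01:10Z|alice|mfa_prompt|denied|203.0.113.5|US
2024-03-01T08:02:20Z|alice|mfa_prompt|timeout|203.0.113.5|US
2024-03-01T08:03:05Z|alice|mfa_prompt|denied|203.0.113.5|US
2024-03-01T08:04:30Z|alice|mfa_prompt|denied|203.0.113.5|US
2024-03-01T08:05:02Z|alice|login|success|203.0.113.5|US
2024-03-01T09:15:00Z|bob|login|success|198.51.100.77|US
2024-03-01T10:40:00Z|carol|login|success|192.0.2.44|RU
2024-03-01T11:00:00Z|dave|mfa_prompt|denied|192.0.2.9|US
`

// ParseLog parses the pipe-delimited lines and returns the events sorted by time.
func ParseLog(raw string) ([]Event, error) {
	var out []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, Event{t, f[1], f[2], f[3], f[4], f[5]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// Detect applies the three patterns the post names: MFA bombing (a burst of prompts the
// user did not approve, which often ends in a fatigued approval), sign-ins from listed
// bad IPs, and sign-ins from countries outside the approved set.
func Detect(events []Event, r Rules) []Alert {
	var alerts []Alert
	prompts := map[string][]time.Time{} // per user, times of unapproved prompts (time-sorted)
	for _, e := range events {
		switch e.Action {
		case "mfa_prompt":
			if e.Result != "approved" {
				prompts[e.User] = append(prompts[e.User], e.Time)
			}
		case "login":
			if r.BadIPs[e.IP] {
				alerts = append(alerts, Alert{"malicious_ip", e.User, "sign-in from " + e.IP})
			}
			if !r.AllowedCountries[e.Country] {
				alerts = append(alerts, Alert{"unapproved_country", e.User, "sign-in from " + e.Country})
			}
		}
	}
	for u, ts := range prompts {
		for i := range ts { // sliding window: unapproved prompts starting within BombWindow of ts[i]
			j := sort.Search(len(ts), func(k int) bool { return ts[k].Sub(ts[i]) > r.BombWindow })
			if j-i >= r.BombThreshold {
				alerts = append(alerts, Alert{"mfa_bombing", u, fmt.Sprintf("%d unapproved prompts within %s", j-i, r.BombWindow)})
				break // one alert per user
			}
		}
	}
	return alerts
}

func main() {
	events, _ := ParseLog(SampleLog) // the constructed sample is well-formed
	rules := Rules{BombThreshold: 5, BombWindow: 10 * time.Minute,
		BadIPs: map[string]bool{"198.51.100.77": true}, AllowedCountries: map[string]bool{"US": true, "CA": true}}
	for _, a := range Detect(events, rules) {
		fmt.Printf("%-18s %-6s %s\n", a.Rule, a.User, a.Detail)
	}
}
```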

Additional helpful articles for improving awareness of BEC attacks/Phishing:

  2. Malware Attacks:

Malware, short for malicious software, refers to any software designed to damage or disrupt a computer system. Types of malware include viruses, worms, Trojans, spyware, and adware. Malware attacks typically involve the installation of this malicious software onto a victim’s device without their knowledge, leading to data loss or theft. Another way Malware can be downloaded unknowingly is by clicking unfamiliar links such as from a Phishing email. This illustrates how some of these attacks can be combined to get what the Threat Actor is after.

Motions to Mitigate:

Malware can be a pest, but implementing the following can assist in reducing its presence in your environment:

  • Application Whitelisting: Implement application whitelisting, which allows only authorized and known applications to run on endpoints. This can prevent unapproved applications, including malware, from executing.
  • Network Monitoring and Alerting: Implementing network monitoring tools to detect unusual network traffic and behaviors that may indicate a malware infection can be helpful.
    • The SecurIT360 SOC Team can assist with this through our 24/7/365 operations of real-time monitoring and utilization of MDR and EDR solutions.
      • Through our EDR services, we can apply user behavior analytics to assist with determining baseline behaviors in comparison to anomalies.
  3. Insider Threats:

Insider threats involve cybersecurity threats that originate from within an organization. These can be intentional – for instance, a disgruntled employee causing harm – or unintentional, such as an employee unknowingly clicking on a phishing link or accidentally uploading sensitive login credentials for your company’s own infrastructure to a site like GitHub (see: https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github).

Motions to Mitigate:

  • Least Privilege Access: Limit user and system access to only the resources and data required for their tasks. This principle minimizes the potential impact of a ransomware infection.
    • A great way to test your current Access Controls is by performing a Pentest. It is recommended to get a Penetration Test done once to twice a year at a minimum. If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.
  • Data Loss Prevention (DLP): Use DLP solutions to monitor and prevent the unauthorized transfer or leakage of sensitive data. This can help prevent both accidental and intentional data breaches.
  • Secure Offboarding: Ensure that when employees leave the organization, their access is immediately revoked. This includes disabling accounts, collecting company-owned devices, and updating access control lists.
  • Data Access Auditing: Implement auditing and logging for data access to track who accessed sensitive data and when.
  • Secure Mobile Device Management (MDM): Manage and secure mobile devices that employees use for work, including the ability to remotely wipe devices in case of loss or theft.

All mitigation strategies require a comprehensive approach that includes a combination of technology, user education, and proactive security measures. By implementing these practices, your organization can significantly reduce its vulnerabilities and minimize potential damage.

One takeaway is the mantra of the “12 P’s”:

“Positive Proper Preparation Prevents Piss Poor Performance; Piss Poor Performance Promotes Pain” and we don’t want your organization to experience the pain of improper preparation.

Understanding the common cybersecurity threats listed in this first installment is the initial step toward strengthening your cybersecurity defenses. Your organization’s defenses should mimic that of an Onion. An onion has many layers to it and your defense should follow this same blueprint. We recommend investing in regular staff training and maintaining a culture of cybersecurity awareness to protect against these threats along with utilizing robust cybersecurity solutions. For instance, utilizing a Cybersecurity Framework could be essential to your business long term.

To get more information on implementing the best Cybersecurity Framework for your environment, check out: The Building Blocks of Cyber Defense: Why Your Business Needs a Cybersecurity Framework – SecurIT360

If your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Additionally, be sure to be on the lookout for the second installment of this Decoding Digital Dangers: Common Cybersecurity Threats Explained series releasing in the coming weeks.

Categories
General Cyber and IT Security

New Techniques Threat Actors Are Using To Steal Your Secrets

In a digital era where information is vital, understanding the new techniques that threat actors are using to steal your secrets is critical. As technological advancements surge forward, so do the methods employed by malicious agents seeking to exploit those technologies for their gain. Let’s explore these techniques to equip ourselves with knowledge that will serve as our first line of defense against these threat actors.

The Emergence of Deepfake Technology

In the realm of cybersecurity, the emergence of deepfake technology poses a significant and growing threat. Deepfakes, powered by artificial intelligence, allow threat actors to create realistic, manipulated content that can deceive individuals and organizations alike. With sophisticated AI algorithms, they can create incredibly realistic video and audio content, impersonating individuals to bypass security measures, manipulate public opinion, or commit fraud.

Deepfakes open new avenues for social engineering attacks. Threat actors can use manipulated videos or audio recordings to impersonate trusted figures, such as CEOs or government officials, leading to misinformation, reputational damage, or even financial loss. The ability to create realistic content makes it challenging for individuals to discern between authentic and manipulated information.

Deepfake technology can be utilized in business email compromise attacks where threat actors impersonate high-ranking executives or colleagues. Additionally, voice phishing (vishing) attacks can leverage deepfake-generated voices to trick individuals into divulging sensitive information over the phone. The combination of realistic voices and manipulated content enhances the success rate of such attacks.

Rise of Cryptojacking

Cryptojacking has rapidly gained momentum as a preferred technique of many cyber criminals. Cryptojacking is a form of cyber-attack where malicious actors hijack computing resources, such as computers, servers, or mobile devices, to mine cryptocurrencies. Unlike traditional cyber-attacks that focus on data theft or ransom, cryptojacking operates in the background, leveraging the victim’s processing power to mine digital currencies.

Threat actors employ various methods to deliver cryptojacking payloads. This can include malicious websites that run in-browser mining scripts, phishing emails with infected attachments, or exploiting vulnerabilities in software and hardware. Once executed, the cryptojacking code operates quietly, siphoning off computing resources to mine cryptocurrencies without the user’s awareness. In recent years, threat actors have organized cryptojacking campaigns using botnets—networks of compromised devices under the control of a single entity. These large-scale operations enable attackers to amass significant mining power, intensifying the impact on targeted systems.

Cloudjacking

As organizations transition their data and operations to the cloud, a new form of attack has taken center stage – Cloudjacking. Threat actors exploit inadequately secured cloud configurations to gain unauthorized access to data, disrupt services, or even hold the data hostage for ransom. Given the sensitive nature of the information usually stored in the cloud, this technique poses a severe threat to businesses and individuals alike.

Cloudjacking attacks can be mitigated in several ways.

  • Implement Robust Access Controls: Organizations should enforce strong authentication mechanisms, regularly review and update access permissions, and adopt the principle of least privilege.
  • Regular Security Audits: Conducting regular security audits and vulnerability assessments of cloud environments can help identify and address potential weaknesses before they are exploited.
  • Implement Multi-Factor Authentication (MFA): Implementing MFA on cloud resources can help prevent most attempts by threat actors to access a business cloud environment.
  • Educate and Train Personnel: Employee awareness and training programs are crucial for preventing phishing attacks and ensuring that cloud security best practices are followed.

The Growing Threat of Ransomware

Ransomware is a type of malicious software designed to encrypt files or systems, rendering them inaccessible. The attackers then demand a ransom, usually in cryptocurrency, in exchange for providing the decryption key. This digital extortion tactic has become increasingly sophisticated, with ransomware attacks evolving in both scale and complexity. Today’s iterations of ransomware are becoming more potent, with threat actors increasingly targeting large organizations and critical infrastructure. The potential for massive disruption and financial gain ensures that ransomware remains a popular method for stealing secrets and causing havoc. Best practices to mitigate ransomware include:

  • Regularly backing up critical data and ensuring that backups are stored securely and can be quickly restored in the event of an attack.
  • Educating employees about phishing threats, social engineering tactics, and the importance of maintaining a vigilant cybersecurity posture.
  • Keeping software, operating systems, and security solutions up-to-date to address vulnerabilities that could be exploited by ransomware.
  • Implementing network segmentation to limit the lateral movement of ransomware within a network, preventing widespread damage.

Defending Against These Threats

Understanding these techniques is only the first step; defending against these threats is the next. It requires implementing robust cybersecurity measures, including secure cloud configurations, multi-factor authentication, data encryption, regular system updates, and comprehensive employee training programs. Being proactive rather than reactive in cybersecurity is paramount to securing your secrets in the digital landscape.

Categories
General Cyber and IT Security

The Critical Role of Cyber Threat Intelligence for SMBs

Hello, savvy business owners and entrepreneurs!  Let’s cut to the chase: cybersecurity isn’t just a buzzword; it’s a necessity. And while you might be doing the basics like firewalls and endpoint security software, there’s a hidden gem you’re likely missing out on: Cyber Threat Intelligence (CTI). 

What is CTI and Why Should You Care? 

Imagine CTI as your business’s personal meteorologist, but for cyber threats. It’s not just about telling you it’s going to rain; it gives you the exact time, the severity, and even what kind of umbrella to use. Here’s the breakdown: 

  • Reduce the Noise: CTI is like a museum curator for your cybersecurity, carefully selecting the most relevant information and discarding the noise. This allows you to focus your time on the threats that matter.
  • Navigation Assistance: Imagine CTI as your ship’s captain, steering you through the treacherous waters of cyber threats and ensuring you reach your destination safely. Don’t let decision fatigue set in; know where you’re heading.
  • Be Proactive: CTI serves as your watchtower, giving you a bird’s-eye view of the cyber landscape and alerting you to any approaching dangers. With this knowledge you can be proactive before it’s too late.

The SMB Dilemma: Size Doesn’t Matter to Cybercriminals 

One of the biggest myths in the cybersecurity world is that small to medium-sized businesses (SMBs) are too insignificant to be targeted. Wrong. Cybercriminals are opportunists; they go for easy targets. Without CTI, you’re essentially putting a “Kick Me” sign on your business. 

Statistics: Cyber Attacks on SMBs 

Nearly 43% of cyberattacks are on small businesses, with most unprepared to face such an attack. Over the past twelve months, there has been a spike in attacks against SMBs. The trend is only continuing and evolving. CTI reduces cyber risk, allowing businesses to identify potential attacks and apply countermeasures. 

The ROI of CTI: An Investment, Not a Cost 

Let’s talk about numbers. A single cyber-attack can cost an SMB thousands, if not millions, in damages, not to mention the loss of customer trust. CTI is your insurance policy. It helps you allocate your limited resources where they’re needed most, giving you the best bang for your buck. 

The Future is Now: AI and CTI 

The world of CTI is evolving at warp speed, thanks to advancements in AI and machine learning. These technologies are making CTI more accurate, faster, and incredibly efficient. It’s not science fiction; it’s your new reality. 

Your Next Steps: We’ve Got Your Back 

Here at SecurIT360, we’re not just another cybersecurity company. We’re your cybersecurity partners. We offer several services including but not limited to 24/7 SOC monitoring, incident response, compliance assessments, customized program and policy development, pen testing and vulnerability management to fit your unique needs. 

If you’re already using one of our Managed SOC services, then our Threat Intelligence team is already working alongside you. 

And because we believe knowledge is power, we’ve got a free threat intelligence newsletter that’s like a weekly cybersecurity masterclass. It’s actionable, it’s insightful, and it’s free.  Subscribe here 

Ready to make cybersecurity your strength, not your weakness? Contact us today and let’s build a safer, more secure digital future for your business. 

Categories
General Cyber and IT Security Uncategorized

Understanding DNSSEC and DNS Security

In our increasingly interconnected world, where the digital landscape expands every day, safeguarding our online presence has become vital. One fundamental yet often overlooked aspect of online security is Domain Name System (DNS) security. DNS is the backbone of the internet, responsible for translating domain names into IP addresses that computers can understand. To protect this system from threats, the DNS Security Extensions (DNSSEC) play a pivotal role.

How DNS Works

DNS Attacks

DNS spoofing and DNS cache poisoning are malicious techniques aimed at manipulating the Domain Name System (DNS) to redirect users to fraudulent websites or compromise network security. DNS spoofing involves forging DNS responses to trick a user’s device into believing it has received legitimate information when, in reality, it’s been directed to a malicious site. This can lead to various security breaches, including phishing attacks. On the other hand, DNS cache poisoning involves corrupting a DNS server’s cache with fraudulent data. Once the cache is poisoned, the server can distribute this tainted information to users, redirecting them to attacker-controlled websites. Both DNS spoofing and cache poisoning are serious threats to the integrity of the DNS infrastructure that highlight the importance of DNSSEC.

DNSSEC

DNSSEC is a suite of extensions to DNS that adds an extra layer of security by digitally signing DNS data. This verification process ensures that the data retrieved from DNS servers is authentic and hasn’t been tampered with by malicious actors. Here’s how it works:

  1. Signing Zone Data: DNSSEC involves signing zone data with cryptographic signatures. Each DNS record in a zone is signed using a private key.
  2. Public Key Distribution: The public key for each zone is published in DNS and anchored by a record in the parent zone called the Delegation Signer (DS) record, creating a chain of trust. The public key is paired with a private key, which is typically stored offline; signatures made with that private key are published to DNS alongside the records they cover.
  3. Authentication: When a user’s device queries a DNS server for a domain, the server provides not only the requested data but also the corresponding digital signature. The user’s device uses the public key stored in the DS record to verify the signature’s authenticity.
  4. Validation: If the signature is valid, the DNSSEC client trusts the data it received, knowing it hasn’t been altered during transmission.
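The four steps above, as an added example that is not part of the original post: a Go model of a signed zone, the DS value its parent publishes, and a validating resolver, exercised against a genuine answer, a poisoned answer of the kind described under DNS Attacks, and an answer signed with a key outside the chain of trust. The zone name, addresses, the single-key-per-zone simplification and the use of Ed25519 and SHA-256 in place of the zone’s configured algorithms are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// RR is a simplified DNS resource record (owner name, type, data).
type RR struct{ Name, Type, Data string }

// Zone is a signed zone. One Ed25519 key signs each record here; real DNSSEC uses
// separate key-signing and zone-signing keys and signs whole RRsets via RRSIG records.
type Zone struct {
	Name    string
	Records []RR
	Pub     ed25519.PublicKey  // published as the zone's DNSKEY
	priv    ed25519.PrivateKey // kept offline in practice, never published
	Sigs    map[string][]byte  // signature per record, keyed by canonical(record)
}

// Response is what a validating resolver receives: the record, its signature and the DNSKEY.
type Response struct {
	Record RR
	Sig    []byte
	Key    ed25519.PublicKey
}

// canonical is the exact byte string that is signed, so signer and validator cover
// the same thing; owner names are case-folded as DNSSEC canonical form requires.
func canonical(r RR) []byte {
	return []byte(strings.ToLower(r.Name) + "\x00" + r.Type + "\x00" + r.Data)
}

// keyDigest models the DS digest: SHA-256 over the zone name and its public key.
// The parent publishes this digest rather than the key, so a resolver can check
// that the DNSKEY it was handed is the one the parent actually delegated to.
func keyDigest(zone string, pub ed25519.PublicKey) string {
	h := sha256.New()
	h.Write([]byte(strings.ToLower(zone) + "\x00"))
	h.Write(pub)
	return hex.EncodeToString(h.Sum(nil))
}

// NewZone generates the zone's key pair and signs every record (step 1).
func NewZone(name string, records []RR) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	z := &Zone{Name: name, Records: records, Pub: pub, priv: priv, Sigs: map[string][]byte{}}
	for _, r := range records {
		z.Sigs[string(canonical(r))] = ed25519.Sign(priv, canonical(r))
	}
	return z, nil
}

// DS is the Delegation Signer value the parent zone publishes for this child (step 2).
func (z *Zone) DS() string { return keyDigest(z.Name, z.Pub) }

// Answer serves a record together with its signature and the DNSKEY (step 3).
func (z *Zone) Answer(name, typ string) (Response, bool) {
	for _, r := range z.Records {
		if strings.EqualFold(r.Name, name) && r.Type == typ {
			return Response{Record: r, Sig: z.Sigs[string(canonical(r))], Key: z.Pub}, true
		}
	}
	return Response{}, false
}

// Validate is the resolver side (step 4): the served key must match the DS the parent
// published, and the signature must verify over the record exactly as served. A spoofed
// answer or a poisoned cache entry fails one of the two checks.
func Validate(resp Response, zone, parentDS string) error {
	if keyDigest(zone, resp.Key) != parentDS {
		return errors.New("DNSKEY does not match the parent's DS: key is outside the chain of trust")
	}
	if !ed25519.Verify(resp.Key, canonical(resp.Record), resp.Sig) {
		return errors.New("signature invalid: record was altered or forged")
	}
	return nil
}

func main() {
	z, _ := NewZone("example.com.", []RR{{"www.example.com.", "A", "192.0.2.10"}})
	ds := z.DS() // in reality this lives in the parent (.com) zone
	resp, _ := z.Answer("www.example.com.", "A")
	fmt.Println("genuine answer:   ", Validate(resp, "example.com.", ds))
	poisoned := resp
	poisoned.Record.Data = "198.51.100.66" // data rewritten in transit or in a poisoned cache
	fmt.Println("poisoned answer:  ", Validate(poisoned, "example.com.", ds))
	rogue, _ := NewZone("example.com.", []RR{{"www.example.com.", "A", "198.51.100.66"}})
	forged, _ := rogue.Answer("www.example.com.", "A")
	fmt.Println("forged-key answer:", Validate(forged, "example.com.", ds))
}
```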

How DNSSEC Works:

Benefits of DNSSEC:

  1. Data Integrity: DNSSEC ensures that the DNS data remains unchanged, preventing attackers from redirecting users to malicious websites.
  2. Authentication: It guarantees that the data comes from a legitimate source, reducing the risk of DNS spoofing attacks.
  3. Trust Chain: By establishing a trust chain through DS records, DNSSEC enhances the security of the entire DNS hierarchy.

Challenges with DNSSEC:

While DNSSEC offers robust security, its adoption faces some challenges:

  1. Complex Implementation: DNSSEC implementation can be complex and may require significant effort. However, many DNS providers offer to enable DNSSEC as part of your DNS package.
  2. Compatibility: Not all DNS servers and clients support DNSSEC, which can lead to compatibility issues.
  3. Key Management: Managing cryptographic keys can be challenging and requires careful consideration.
  4. Increased Packet Size: DNSSEC can result in larger DNS responses, which may impact network performance.

Other DNS Security Options:

DNSSEC is a cornerstone of DNS security, but several other extensions complement it:

  1. DNS-based Authentication of Named Entities (DANE): DANE allows domain owners to associate their TLS certificates with DNS records, improving the security of encrypted connections.
  2. Response Policy Zones (RPZ): RPZ enables DNS servers to block or redirect requests to known malicious domains.
  3. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT): These protocols encrypt DNS traffic, preventing eavesdropping and manipulation.

In conclusion, DNSSEC is an essential component of our digital defense. DNSSEC provides a robust framework for ensuring the integrity and authenticity of DNS data. The benefits of a more secure and trustworthy internet make the adoption of DNS security extensions a worthy investment in our digital future.