Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

Malware thought to be a mere cryptominer was actually a sophisticated spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.

StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.

While StripedFly can indeed mine Monero cryptocurrency, that's just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.

"What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity," Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post.

Overall, the platform appears to be "a hallmark of APT malware" that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.

Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.

The researchers said the discovery of the breadth of StripedFly is "astonishing," especially given that it has successfully evaded detection for some six years.

**Breaking Down StripedFly**

The core structure of the malware is as a monolithic binary executable code that supports various pluggable modules so attackers can extend or update its functionality. Each module — which either is there to provide a service or extended functionality — is responsible for implementing and managing its own callback function for communication with a C2 server.

The platform first manifests itself on a network as a PowerShell that appears to use as its initial entry mechanism a server message block (SMB) exploit that appears to be a custom version of EternalBlue, which was leaked in April 2017 and continues to threaten unpatched Windows servers.

StripedFly uses various methods for persistence depending on the availability of the PowerShell interpreter and the privileges granted to the process. "Typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

In terms of its modules, the malware has three to perform specific services related to its functionality, and six that actually execute that functionality. The service modules are for configuration storage, upgrading and uninstalling the malware, and reverse proxy.

The functionality modules are varied and comprehensive to provide attackers with a laundry list of capabilities, allowing them to consistently spy on the activities of a victim's network. In addition to the aforementioned Monero cryptominer, the modules are: a miscellaneous command handler; credential harvester, repeatable tasks that can take screenshots, record microphone input, and perform other tasks on a scheduled basis; a reconnaissance module that compiles extensive system information; SMBv1 and SSH infectors for penetration and worming capabilities.

The researchers also discovered a related ransomware variant called ThunderCrypt that shares the same underlying codebase and communicates with the same C2 server as StripedFly.

**Unsolved Mysteries**

The blog post includes numerous indicators of compromise and other websites and relevant data related to StripedFly to help organizations identify if they've been infected.

In the meantime, numerous questions still hover around StripedFly, including the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component.

"While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead," the researchers wrote.

It's also still unclear if StripedFly is still active, since at the time of writing, the researchers observed only eight updates for Windows systems and four for Linux systems in the Bitbucket repository. This could indicate that "either there are minimal active infections," or that all the victims already infected by StripedFly are still actively communicating with its C2, they noted.

"Only those who crafted this enigmatic malware hold the answer," the researchers acknowledged. "It's difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary."

Complex Spy Platform StripedFly Bites 1M Victims

The threat actor exfiltrated 690GB of uncompressed data, or 767,035 files.

Westinghouse subsidiary BHI Energy, an energy services provider, confirmed that it experienced an Akira ransomware attack in June.

BHI's IT team at BHI discovered network data being encrypted in late June; as it proceeded to investigate the incident, it brought in outside counsel and a third-party cybersecurity firm.

The cybersecurity firm found that Akira, the threat actor, gained initial access in late May through the compromised account of a third-party contractor, resulting in the threat actor reaching "the internal BHI network through a VPN connection."

According to the notice sent to Iowa's consumer protection agency, in the week after first gaining access, the threat actor performed reconnaissance of the internal network on two different occasions. In late June, the threat actor started exfiltrating 690GB of data over nine days, including data like BHI's Active Directory database. Once the threat actor completed this, they then deployed the Akira ransomware.

The threat actor was removed from BHI's network in July, and the company took several steps to secure its environment. Since BHI's cloud backup solution was unaffected, the company was able to recover data without needing a ransomware decryption tool.

In reviewing the affected systems, BHI found that the data affected included personal information such as full names, dates of birth, Social Security numbers, and health information of 896 Iowa residents, who have since been notified. BHI is offering a 24-month membership to Experian's IdentityWorks to these people.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

BHI Energy Releases Details of Akira Ransomware Attack

In the race over Citrix's latest vulnerability, the bad guys have a huge head start, with broad implications for businesses and critical infrastructure providers worldwide.

A critical security update is now available for the latest high-profile Citrix NetScaler vulnerability. But so is an exploit. And in some cases, the latter may be simpler to use than the former.

It's been a busy week so far for Citrix customers. On Sept. 23, following reports of active exploitation in the wild, the company released an urgent update for CVE-2023-4966, a sensitive information disclosure vulnerability in its NetScaler application delivery controller (ADC) and Gateway products. The vulnerability was assigned a "High" 7.5 out of 10 CVSS rating by NIST, but a "Critical" 9.4 by Citrix itself.

Then on Sept. 24, researchers from Assetnote published a proof-of-concept (PoC) exploit to GitHub. The widely available exploit is, relative to the severe consequences it can wreak, remarkably simple.

"It's a remote access solution in the vast majority of places and, as a result, it's exposed to the Internet most of the time," explains Andy Hornegold, VP of product at Intruder. "The risk is somebody will be able to exploit this vulnerability, read session tokens, connect to your device as one of your standard users, and then access your environment with those privileges."

**The New Citrix Exploit**

Researchers from Assetnote discovered two related functions at the heart of CVE-2023-4966 — _ns\_aaa\_oauth\_send\_openid\_config_ and _ns\_aaa\_oauthrp\_send\_openid\_config_ — both responsible for implementing the OpenID Connect (OIDC) Discovery endpoint. OIDC is an open protocol used for authentication and authorization.

On an unpatched NetScaler device, an attacker could easily overload the buffer by sending a request exceeding 24,812 bytes. With a request hardly three lines long, the researchers discovered they could cause the device to leak memory.

"It feels like hacking back in 1999," Hornegold says, only half-jokingly. "Back in the day it was, like, the default way of trying to carry out these kinds of attacks — to just stuff a whole load of 'a's into a packet and see what comes back."

In this case, he explains, "I can send one request with a whole bunch of 'a's in one go, and then in the body of the response, it starts to expose session tokens for people who are logged in to that NetScaler device, which I can reuse to log in as those users." By hijacking an authenticated session, a malicious actor could potentially bypass any checks, including multifactor authentication (MFA).

**Why Patching Isn't Enough**

According to Citrix, its software is used by more than 400,000 organizations across the globe, including 98% of Fortune 500 companies. According to Enlyft, NetScaler in particular is used by nearly 84,000 companies, including brand names like eBay and Fujitsu.

NetScaler isn't just popular. As Intruder noted in a Sept. 25 blog post, it's popular most notably within critical industries, which often prefer to run infrastructure on-premises rather than in the cloud.

So while Citrix advised customers on Sept. 23 to patch as soon as possible, doing so won't be equally easy for everyone. For organizations that require 24/7 uptime, "It's a bit of a balancing act," Hornegold says, "because you obviously need to keep that service live for as long as possible, especially when you're talking about critical national infrastructure. Any downtime needs to be taken as part of a risk consideration."

Regular businesses won't be able to just patch and forget about it, either. As Mandiant pointed out last week, hijacked sessions could persist even through patches, so organizations have to take the extra step of terminating all active sessions.

And even that may not be enough. Mandiant observed threat actors exploiting CVE-2023-4966 as early as August, leaving a healthy window of time for further post-exploitation persistence and downstream access.

"There's a whole two months of opportunity there," Hornegold points out. "So if the question is 'what is the worst that could happen if you don't patch this?' —realistically, the worst may well have happened already."

As Citrix Urges Its Clients to Patch, Researchers Release an Exploit

VMware vCenter Servers need immediate patch against critical RCE bug as race against threat actors begins.

VMware urged customers to update VMware vCenter Servers against a critical flaw that could potentially lead to remote code execution (RCE) and assigned a CVSS severity score of 9.8.

The vCenter Server flaw, tracked under CVE-2023-34048, could allow an attacker with network access the ability to trigger an out-of-bounds write, the VMware advisory explained. Software for "vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol," the vendor added.

The vCenter Server platform is used for managing vSphere installations in hybrid cloud environments.

John Gallagher, vice president with Viakoo Labs, characterized the bug in a statement as "serious as it gets," because it's both dangerous and impacts VMware vCenter Servers, which are widely used across a variety of organizations and industry sectors.

"The reason for it having a severity score of 9.8 is in how it devastates the entire CIA Triad of confidentiality, integrity, and availability," Gallgher explained. "Successful exploit of this CVE gives complete access to the environment, and enables remote code execution for further exploitation."

Another sure sign of the severity is VMware taking the unusual step of offering up patches for old versions, Mayuresh Dani, security research manager at Qualys, explained in a statement.

"The fact that VMware released patches for end of life (EOL) versions that are affected by this vulnerability speaks to how critical it is, since EOL software seldom gets patched," Dani added.

The advisory said patches will be issued for vCenter Server 6.7U3, 6.5U3, and VCF 3.x, as well as vCenter Server 8.0U1.

**Second Patch for VMware Cloud Foundation**

An additional flaw was reported by VMware in its VMware Cloud Foundation, but this bug, tracked under CVE-2023-34056, has been assigned a less urgent CVSS score of 4.3. The vulnerability could allow an unauthorized user access data, the advisory explained.

Both flaws were responsibly reported by researchers, VMware added in its advisory, however as organizations rush to patch, there will be an inevitable "window of vulnerability" for threat actors to take advantage of unpatched systems, Gallagher added.

"Organizations using vCenter Server should ensure they have a current inventory of its usage, and a plan to patch," Gallagher advised. "Mitigation for this directly appears limited, but using network access control and monitoring might catch lateral movement once a threat actor uses this to gain a foothold."

Virtual Alarm: VMware Issues Major Security Advisory

The YoroTrooper group claims to be from Azerbaijan and even routes its phishing traffic through the former Soviet republic.

A Kazakhstan attack group with a penchant for sending phishing messages is doing its dirty work in an Azerbaijani disguise.

YoroTrooper was first detected in June 2022 and often targets former Soviet republics, including Russia, Armenia, Belarus, and Moldova, as well as Azerbaijan, and typically targets government entities.

But given YoroTrooper's language preferences, its use of Kazakhstani currency, and very limited targeting of Kazakhstani entities, researchers from Cisco Talos have concluded that the group is from Kazakhstan.

Researchers also determined "with high confidence" that YoroTrooper made numerous efforts to disguise its origin by hosting a majority of their infrastructure in Azerbaijan, while still targeting institutions in that country.

Most of YoroTrooper's operations are routed via Azerbaijan, although the attackers do not appear to speak the Azerbaijani language.

"Our primary observation that points toward the actor being of Kazakh origin is that they speak Kazakh and Russian, both of which are official languages of Kazakhstan," researchers said. "YoroTrooper frequently visits websites written in Kazakh and has used Russian in debugging and logging messages in their custom Python Remote Access Trojans."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Kazakh Attackers, Disguised as Azerbaijanis, Hit Former Soviet States

We have too much cybersecurity awareness. It's time to implement repeatable, real-world practice that ingrains positive habits and security behaviors.

I know I shouldn't drink Diet Coke, but every few weeks I find myself happily sipping from another silver can. I'm not oblivious to the health risks. I've read the latest WHO report on aspartame. Heck, it even says right on the can, "Warning: Contains phenylalanine." (If I can't pronounce it, and Coca-Cola has to warn me about it, _surely_ it can't be good for me.) But awareness of some mysterious chemical isn't going to stop me from enjoying an occasional Diet Coke; I need help changing my behavior.

To borrow a line from social scientists, "abundant research shows that people who are simply given more information are unlikely to change their beliefs or behavior." And yet, here we are again, another Cybersecurity _Awareness_ Month: the industry's Hallmark holiday that promotes spending on cybersecurity training videos, phishing simulators, and free lunches to feed employees a smorgasbord of security education, training, and awareness.

**Awareness Isn't the Issue**

But employees are already aware of cybersecurity. Whether it's the obligatory training they suffer through, the fake phishing traps we send, the steady drip of cyberattacks making headlines, or the family member who was recently scammed online, cybersecurity awareness has never been greater. And yet, it's made little difference in reducing the volume of successful cyberattacks involving the human element.

It's time to shift our collective efforts from awareness to actual behaviors. Instead of a month-long campaign, we should focus on creating real-world opportunities for employees to build and flex their cyber judgment muscle memory all year long.

Consider the 15-year-old pursuing that coveted freedom of a driver's license. With an outsized motivation to learn, they start in a classroom, absorbing everything they possibly can about driving, observing adults driving, and passing a written test to obtain a permit. But, that first time behind the wheel, a new learning curve begins — one with higher, real-world stakes. It ultimately takes months of practice, driving in all sorts of conditions, to prepare someone to drive safely on their own.

Why assume cybersecurity is any different?

**Training Isn't the Answer**

The universal approach to addressing the human element of cybersecurity has been to "train" employees to deal with whatever threat du jour occupies our attention. Training is preventative, theoretical, and out of context: a memo, a webinar, a campy click-through video with a quiz — all in hopes that an employee will remember _exactly_ what they are supposed to do should a similar situation arise in some unknown future. This is not how we learn in any other context, but for some reason, we continue to pursue this failed approach in cybersecurity. Why? To check a box in a compliance audit?

To create true, lasting security behavior change, we must put our employees behind the wheel on the open Internet superhighway. This seems hard and scary, I know. But it doesn't have to be. Small, simple changes in how we engage employees and intervene with cybersecurity information can have an outsized impact.

For example, instead of arbitrarily "training" employees in October to use multifactor authentication (MFA) on all of their accounts and hoping they'll remember to do so when they sign up for a new generative AI tool in July, that message should arrive at the moment they create a new account, while they're in the right context. With additional bits of information, such as the benefits of using MFA or preempting questions or doubts, we can further encourage the desired behavior and thus, desired security outcomes.

**It's Time to Take the Next Step**

We have reached a collective fever pitch of cybersecurity awareness. We don't need more of the same this month. It's time to take the next step toward implementing repeatable, real-world practice that ingrains positive habits and security behaviors. By leveraging our modern understanding of neuropsychology and behavioral science, lessons learned from other industries and disciplines, and emerging human-centered cybersecurity technologies, we can make cybersecurity understanding a reality today and every day.

Cybersecurity Awareness Doesn't Cut It; It's Time to Focus on Behavior

A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.

Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers with a malicious email campaign targeting governmental organizations and a think tank in Europe that requires only that a user view a message.

Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads an arbitrary JavaScript code in the context of the Roundcube user's browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.

Roundcube is a freely available, open source webmail solution that's especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of "program/lib/Roundcube/rcube\_washtml.php," according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.

ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.

**Long-Term Targeting**

Winter Vivern's activity is often underreported by security researchers but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interest of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets and may be linked to a sophisticated Belarus-aligned group MoustachedBouncer.

The latest activity observed by ESET— which has been tracking Winter Vivern closely for about a year — is consistent with the group's typical methods, though previously they exploited flaws that already were public, notes ESET Researcher Mathieu Faou.

"Since at least 2022, they have been exploiting XSS vulnerabilities in Zimbra and Roundcube to load arbitrary JavaScript code and steal emails," he tells Dark Reading. "However, most of those vulnerabilities were known and as such they could only work on unpatched mail servers."

The fact that the group is now "burning zero-day vulnerabilities" and attacking even updated versions of widely-used webmail servers could be a harbinger of future activity, as it demonstrates a long-term interest in European governmental organizations as primary targets, Faou says.

**How the Campaign Works**

The latest campaign begins with a phishing email to targets sent from the address \[email protected\] with the subject line "Get started in your Outlook." The message purports to be from The Microsoft Accounts Team and aims to guide users with their Outlook accounts, seeming innocent enough.

However, just viewing the email sets into motion a process spurred by an SVG tag at the end of the email's HTML source code that includes a base64-encoded payload. Decoding the payload produces a JavaScript code that is executed in the browser of the victim in the context of their Roundcube session, according to ESET.

The researchers realized that the exploit was for a zero-day flaw when the JavaScript injection worked on a fully patched Roundcube instance. They found that the XSS vulnerability being exploited affected the server-side "script rcube\_washtml.php," which doesn't properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user.

The final JavaScript payload in the attack can list folders and emails in the current Roundcube account and exfiltrate email messages to Winter Vivern's command and control server by making HTTP requests to "https://recsecas\[.\]com/controlserver/saveMessage."

**Patch Now**

Users of vulnerable Roundcube instances are urged to update to the patched versions to avoid compromise. However, in the case of any future zero-day flaws discovered and subsequently exploited by Winter Vivern, this defense would not be sufficient enough, Faou notes.

Other endpoint-defense practices that can protect vulnerable systems in the event of similar zero-day exploits would be to put technology in place that automatically block the loading of JavaScript payloads and exfiltration of emails, he advises. "As such, it is also recommended to deploy an endpoint security solution on all machines."

Winter Vivern APT Blasts Webmail Zero-Day Bug With One-Click Exploit

Cyber threats on satellite technology will persist and evolve. We need a comprehensive cybersecurity framework to protect them from attackers.

Satellite systems play a crucial role in supporting communication, weather monitoring, navigation, Internet access, and more. However, these systems face numerous threats that compromise security and integrity. To address these challenges, we must implement a robust cybersecurity framework to protect satellite operations.

**Cyber Threats to Satellites**

The threats faced by satellite systems are diverse and range from denial-of-service (DoS) attacks and malware infiltration to unauthorized access and damage from other objects in their orbit that disrupt digital communications.

For satellite systems, these critical threats can corrupt sensor systems, resulting in harmful actions based on incorrect data. For example, a corrupted sensor system could change a satellite's orbit path to collide with another satellite or natural space object. If a sensor system becomes unusable, it could cause failure of other space and terrestrial systems that depend on those sensors. Jamming or sending unauthorized commands for satellite guidance and control could also damage other orbiting space vehicles.

DoS attacks can render satellites unresponsive or, even worse, shut them down. This could create physical safety risks and damage other countries' space vehicles or the ground from satellite debris fallout. Planting malware within the systems through insufficiently secured access points could impact the satellite and spread to other systems the satellite connects with.

Many of the 45,000 satellites have been operating for many years and have little (if any) built-in cybersecurity protection. Consider the Vanguard 1 (1958 Beta 2), a small solar-powered, Earth-orbiting satellite. It was launched by the United States on March 17, 1958, and is the oldest satellite still orbiting Earth.

What would a cybersecurity vulnerability analysis of that satellite reveal today? What if hackers exploit those vulnerabilities? It's possible some already have. Could they obtain sensitive data? Modify the satellite's software code? Change the controls? Perhaps newer satellites have taken hackers' attention away from the Vanguard 1. More likely, there may have been successful hacks not reported to the public.

Looking ahead, artificial intelligence's (AI) rapid adoption across industries means it is essential to validate the accuracy of any AI used within a satellite system and thoroughly test it before putting it into production.

Given the potential threats satellites face, a comprehensive cybersecurity framework is necessary to mitigate these risks. Engineering universities and tech organizations must also collaborate with government agencies and other entities engineering and building satellites to create and implement a comprehensive cybersecurity, privacy, and resilience framework to regulate the industries expanding the use of space vehicles.

**A Cybersecurity Framework for Satellite Security**

There are five key steps within the NIST Cybersecurity Framework (CSF) necessary to mitigate common risks, including those associated with satellite systems: identify, protect, detect, respond, and recover.

**1\. Identify**

First, identify the satellite data, personnel, devices, systems, and facilities that enable the satellite's uses, goals, and objectives. Document where each satellite is located and all connections between each satellite component and other systems. Knowing what data is involved and how it's encrypted can assist contingency, continuity, and disaster-recovery planning. Finally, understand your risk landscape and any factors that may impact the mission so that you can prepare for and prevent potential incidents. This information will help effectively manage cybersecurity risk to satellite systems and associated components, assets, data, and capabilities.

**2\. Protect**

Using the identified information, choose, develop, and implement the satellite's security ecosystem to most appropriately protect all of its components and associated services. Be aware that legacy space operations and vehicles typically use proprietary software and hardware not designed specifically for a highly interconnected satellite, cyber, and data ecosystem. This means legacy components may lack certain security controls. Therefore, develop, implement, and use verification measures to prevent the loss of assurance or functionality within the physical, logical, and ground segments of satellite systems and enable a response to and recovery from cybersecurity events. Securing physical and logical components, reviewing access controls, and conducting cybersecurity training are vital for protecting satellite systems.

**3\. Detect**

Develop and deploy appropriate activities to monitor satellite systems, connections, and physical components for anomalous events and notify users and applications upon detection. Use monitoring to enable detection and employ a process for handling detected anomalies within space components. Use multiple sensors and sources to correlate events, monitor satellite information systems, and maintain access to ground segment facilities to detect potential breaches in security.

**4\. Respond**

Contain the impact of a cybersecurity attack or irregular incident on a satellite system, ground, or digital ecosystem with appropriate actions. Cybersecurity teams should communicate the event and its impact to key stakeholders. They should also implement processes to respond to and mitigate new, known, and anticipated threats or vulnerabilities and continuously improve these processes based on lessons learned.

**5\. Recover**

Develop and implement appropriate activities to maintain cybersecurity and resilience and restore all capabilities or services impaired due to a cybersecurity event. The goals are promptly recovering satellite systems and associated components to normal operations, returning the organization to its proper working state, and preventing the same type of event from recurring. Coordinate restoration activities with internal and external parties and include corrections for anomalies, calibrations, verification, and validation procedures.

NIST recently released NIST IR 8441: Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN). NIST defines an HSN as: "an aggregation of independently owned and operated terminals, antennas, satellites, payloads, or other components that comprise a satellite system." NIST IR 8441 maps the five CSF categories above into an HSN profile. This provides a valuable resource to engineers and HSN users and provides a great example to cybersecurity practitioners and other satellite network engineers to create cybersecurity profiles for other satellite networks.

As our world continues to rely on satellite technology, cyber threats will persist and evolve. It is crucial to protect these systems by implementing a comprehensive cybersecurity framework describing how to engineer, build, and use them. Such a framework enables organizations to respond effectively to incidents, recover quickly from disruptions, and stay ahead of evolving threats.

A Cybersecurity Framework for Mitigating Risks to Satellite Systems

**PRESS RELEASE**

**BOSTON****,** **Oct. 18, 2023** **/PRNewswire/ --** Tines, the trusted leader in smart, secure workflows, published the 2023 Voice of the SOC report, which examines job satisfaction and workloads among security operation center (SOC) teams, the obstacles analysts encounter, and the impact of automation on the lives of security professionals. Sixty-three percent of the security decision-makers and practitioners surveyed are experiencing burnout amid relentless cyberattacks, internal pressures, and limited resources. Nine out of 10 security teams are automating at least some of their work, and almost all (93%) of respondents believe that more automation would improve their work-life balance.

The _2023 Voice of the SOC_ report reveals that security professionals want to pursue high-impact work, but they're being held back by growing workloads, shrinking budgets, and a worsening skills shortage. This year's report surveyed 900 security decision-makers and practitioners. Tines expanded the scope beyond the United States to include Europe, and garnered perspectives from security leaders, practitioners and analysts.

According to the research, overall job satisfaction in the SOC remains high — security teams love the work they do. However, burnout is an issue. Respondents continue to feel teams are understaffed and don't have access to tools that could automate the most mundane aspects of their work. More than half (55%) of respondents say they're likely to switch jobs in the next year.

"Security practitioners love the work they do, but burnout is taking a heavy toll," said Eoin Hinchy**, co-founder and CEO of Tines**. "The _Voice of the SOC_ shows organizations need to move quickly to address the lack of resources in their SOC before their teams find the escape hatch. Leading SOC teams have found a solution in automation. Smart workflows are helping run mission-critical tasks and achieve greater productivity at scale, freeing analysts to focus on high-impact work and reinforcing the business against threats."

**Lack of budget, people, time, and effective tools are inhibiting SOC teams**

In the survey, SOC teams identified three clear challenges they face each day: too much data; too many tedious tasks; and, too many reporting requirements. These pain points are amplified by a lack of time, budget, tools and people. Asked to rank the top five most frustrating aspects of their work, security decision-makers and practitioners chose a familiar answer: Spending time on manual work (53%). A quarter of respondents are spending more than half their time on tedious tasks.

Business leaders who are focused on streamlining processes and achieving operational efficiencies have found an effective way to do so with automation. The survey discovered that most security teams are embracing the technology, with 92% of SOC teams indicating that they have already adopted automation to some extent. The study identified the tasks that security decision-makers and practitioners wish they could automate, such as intelligence analysis and threat hunting, and the high-impact tasks — like researching new tools and developing advanced detection rules — that they would work on instead if automation was deployed to full effect.

Other key findings from the _2023 Voice of the SOC_ include:

*   More than 80% of respondents said their workloads have increased in the past year.
*   Spending time on manual work is the most frustrating aspect of the job. If respondents had to spend less time on manual tasks, they would use that time to develop more advanced detection rules, research and evaluate new tools, and integrate more systems and logs.
*   Organizations could increase retention by paying more, supplying modern tools with advanced capabilities, hiring more staff, and investing in solutions that automate manual tasks.
*   The percentage of respondents satisfied with their current job rose from 88% last year to 99% in 2023, and 98% of analysts are engaged with their work.

For more information, visit https://www.tines.com/reports/voice-of-the-soc-2023 to access the full Tines _2023 Voice of the SOC_ report. Join Tines on October 26, 2023 for a live webinar on the findings.

**Research Methodology**

Tines surveyed 900 full-time security decision-makers and practitioners from companies with 200 or more employees. Nearly half (46%) work at companies with more than 1,000 employees. There were 500 U.S. respondents, along with 100 each from Benelux, Ireland, the Nordic region and the United Kingdom. The survey was conducted online by Sago, a research panel company, in May and June 2023.

**About Tines**

Tines offers a smart, secure workflow platform for systems, thinkers, and problem solvers. It's the only platform that bypasses the need for programming skills, delivering powerful workflows straight into the hands of every team within an organization. Tines brings an impact-first approach to all teams, securely building thousands of mission-critical workflows per day across a diverse range of customers, including Canva, Databricks, Elastic, Kayak, Mars, McKesson and Oak Ridge National Laboratory. The company was co-founded in 2018 in Dublin, Ireland, by former security practitioners Eoin Hinchy and Thomas Kinsella, and has raised $96.2M in funding to date from investors including, Felicis, Addition, Accel, Blossom Capital and Lux Capital.

Tines Report Finds More than Half of Security Professionals Likely To Switch Jobs Next Year

Organizations should focus on four key areas to advance employee education and "cyber smartness."

This month we celebrate the 20th anniversary of Cybersecurity Awareness Month — a dedicated time for industry, government, academia, and nonprofits to come together and raise awareness about the importance of cybersecurity for everyone.

Since its creation, Cybersecurity Awareness Month has grown from a national US initiative to a global movement that educates individuals and organizations about best practices and promotes a culture of cybersecurity. By dedicating a specific month to awareness, the industry encourages proactive measures, knowledge-sharing, and collective responsibility — ultimately helping more people envision their roles in cybersecurity and in making organizations and the world safer.

Cybersecurity knowledge-sharing is particularly important, as human risk has become one of the strongest vectors that modern security organizations must contend with. Today it accounts for more than 80% of cybersecurity incidents. Companies must find an effective way to uplevel cybersecurity education across the entire organization — not just within their security teams — if we hope to strengthen our collective security postures.

Read on to learn how technology can help security teams drive greater results, and explore key behaviors to focus on when spreading cybersecurity awareness across your organization.

**4 User Behaviors to Emphasize In Cybersecurity Education Materials**

At its core, cybersecurity awareness is about managing human risk. Companies can help advance this mission by providing cybersecurity education and skilling resources across their organizations. Education can include tips ranging from the fundamentals of cyber hygiene to day-to-day behaviors, such as identifying and avoiding tech support scams, advice on improving data and device security practices, and more.

In honor of Cybersecurity Awareness Month, here are the top four areas that Microsoft recommends focusing on to advance employee education and "cyber smartness."

**Enabling Multifactor Authentication

Multifactor authentication (MFA) can protect against 99.2% of attacks by offering stronger security than traditional passwords. As such, it's an incredible tool in the average employee's arsenal to uplevel security practices across your organization. We recommend periodically reminding users to enable MFA measures, such as biometrics or single-use codes, across their devices, apps, and account settings.

****Strengthening the Sign-In Process**

Along the same lines, it's important to remember that hackers don't break in. They sign in. If passwordless authentication is not an option, encourage employees to create stronger passwords using their browser's password generator. Length matters more than complexity here, so any passwords created should be at least 12 characters long. A password manager can be particularly helpful in tracking all current passwords.

**Updating Software**

Keeping software current with the latest security updates and patches is a vital step in protecting Internet-connected devices. On the individual user level, employees should be encouraged to set up automatic software updates to decrease the risk of vulnerabilities that can lead to ransomware and other malware. Likewise, consider creating an educational pamphlet that teaches employees how to check privacy and security settings against your desired level of information-sharing any time they register a new account, download an app, or acquire a new device.

**Recognizing and Reporting Phishing**

Finally, phishing scams are a significant threat vector that criminal actors leverage to infiltrate networks and steal sensitive data. Employees should be educated on best practices to avoid phishing scams, such as checking the sender's email address for verifiable contact information or an unrelated sender address and verifying the sender before clicking on links or opening email attachments. 

While the above tips are focused on changing user behaviors, technology has a role to play, too. Innovation is critical in creating new efficiencies for already overburdened security teams. By embracing leading technology advancements, such as generative AI, security teams can simplify complex toolsets and surface deeper insights across their entire data estates to better monitor threat activity in real time. This combination of leading technical innovations and broader user education can help empower security teams to streamline workflows and focus more of their time on the day-to-day work of cyber defense.

We invite you to leverage cybersecurity awareness not only this month, but all year round, to make sure everyone in your organizations is empowered to be cyber smart and assume a role in fighting cyber threats.

Source

DARKReading