SiegedSec threat group leaked data that Atlassian says was taken from app used to coordinate in-office resources.

_Ed. note: This story has been updated to include a statement from Envoy provided to Dark Reading about the incident._

A threat group called SiegedSec recently posted a cache of employee and operations information allegedly stolen from software workforce collaboration tool provider Atlassian.

Now Atlassian, best known for its Trello, Jira, and Confluence brands, is reassuring its customers their data is secure, and according to reports, explained that a third-party app was breached, compromising employee data including names, emails, departments, and floor plans of segments of Atlassian offices located in San Francisco, Calif., and Sydney, Australia.

"On February 15, 2023 we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published," an Atlassian spokesperson told CyberScoop. "Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk."

The company statement added there is an ongoing investigation into the breach.

Envoy says the breach likely occurred due to the threat actor gaining access to employee credentials.

"We’re investigating this right now and are not aware of any compromise to our systems,” an Envoy spokesperson said in a statement emailed provided to Dark Reading. “Our initial research shows that a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Atlassian: Leaked Data Stolen via Third-Party App

**REDWOOD CITY, Calif.****,** **Feb. 16, 2023** **/PRNewswire/ --** According to a recently published report from Dell'Oro Group, the trusted source for market information about the telecommunications, security, networks, and data center industries, the modernization of networking and security for enterprise branches and hybrid workers is expected to drive the total SASE revenue to surpass $60 B between 2022 and 2027.  The report further divides the total SASE market along its two components, Security Service Edge (SSE) and SD-WAN, and details how the strong demand for security is expected to fuel SSE revenue to double between 2022 and 2027.

"The last three years of the pandemic, and the subsequent need to modernize enterprise branches and address hybrid work needs, have fueled great interest in SASE as evidenced by the total SASE market to double in size to over $6 B in 2022," said Mauricio Sanchez, Research Director, Network Security, and SASE & SD-WAN at Dell'Oro Group. "While angst about the macroeconomic environment is starting to lead to some belt-tightening, we expect growth in SASE to continue unabated and double again by 2027," added Sanchez.

Additional highlights from SASE and SD-WAN 5-Year Forecast Report:

*   SD-WAN and SSE revenues are expected to see a double-digit compounded annual growth rate (CAGR) over the 2022 to 2027 timeframe.
*   Unified SASE revenue is anticipated to grow 5X by 2027.

**About the Report**

Dell'Oro Group SASE and SD-WAN 5-year forecast report offers a complete industry overview with tables covering SASE by technology (SSE versus SD-WAN) and by the implementation (unified versus disaggregated) as far back as 2019. SSE has further segmented across SWG, CASB, ZTNA, and FWaaS technologies. In addition, the report provides historical data as far back as 1995, covering revenue, port/unit shipment, and average selling prices for access routers. To purchase this report, please contact us at \[email protected\].

**About Dell'Oro Group**

Dell'Oro Group is a market research firm that specializes in strategic competitive analysis in the telecommunications, enterprise networks, data center infrastructure, and network security markets. Our firm provides in-depth quantitative data and qualitative analysis to facilitate critical, fact-based business decisions.  For more information, contact Dell'Oro Group at +1.650.622.9400 or visit www.delloro.com.

SOURCE Dell'Oro Group

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SASE Market to Exceed Over $60B Between 2022 and 2027, According to Dell'Oro Group

Top athletes compete both on and off the track in a mix of track and field events and cyber games.

**ASHBURN, Va.****,** **Feb. 16, 2023** **/PRNewswire/ --** Led by MVP Track and Field in cooperation with US Cyber Games®,  the MVP VIBE FEST will take place February 18, 2023, at the Gately Park Track and Field Center in Chicago, IL. The program will bridge the gap between athletics and technology by exposing some of the top US track and field athletes to the world of cybersecurity and cyber sports while competing for awards in their sport.

MVP VIBE FEST will attract thousands of the best athletes in the nation, including college-bound and nationally-ranked high schoolers. The track meet serves as a qualifier for the NIKE Indoor Nationals.

"We need to energize the track and field community and use it as a platform to open doors. Our unique meet format and partnership with the US Cyber Games allows us to do just that," states Maurice Hutton, USATF Region 3 Coordinator | VA Youth Chair.

"This USATF sanctioned event not only provides an excellent opportunity for youth to compete alongside some of the top performing youth track athletes but also learn from our country's top cybersecurity athletes. It provides a unique bridge to both high performance junior and elite programs as well as high tech college degrees and careers helping to grow well-rounded athletes on and off the track," Jacci White, USATF National Youth Chair.

MVP VIBE FEST seeks to introduce cybersecurity and data analytics careers to high-performing track and field athletes, coaches, and fans. Critical to national security and economic growth, developing a workforce pipeline outside of traditional educational recruiting will help to close a global cybersecurity workforce gap. Track and cyber athletes are used to operating in a digital environment with precision-based metrics and also share many characteristics that will allow them to successfully serve in roles such as security analysts, penetration testers, and digital forensics investigators. All athletes are encouraged to sign up for the Cyber Exhibit Hall after completing their race - _NO EXPERIENCE NECESSARY!_

The US Cyber Team® will be on site for their spring camp preparing for this year's International Cybersecurity Championship and Conference (IC3) in San Diego this summer!

Sponsors of MVP Vibe Fest include MVP League, US Cyber Games, ASM Global, and the National Scholastic Athletics Foundation (NSAF). More information is available at https://www.mvpvibefest.com/.

**About MVP League**

The mission of the MVP League is to develop track and field and road running athletes of all levels from elementary age to pro athletes. Through athletics, we provide positive images and opportunities to demonstrate that we can achieve all we desire in life and sports through hard work, dedication, and a competitive spirit.

**About US Cyber Games**

The US Cyber Games was founded by Katzcy in cooperation with the National Initiative for Cybersecurity Education (NICE) program at the National Institute of Standards and Technology (NIST).

MVP Vibe Fest Bridges Gap Between Athletics and Cybersecurity

Powered by WatchGuard’s Unified Security Platform® architecture, new Fireboxes deliver enhanced performance and added security capabilities that MSPs and IT admins can easily manage in WatchGuard Cloud.

**SEATTLE – February 16, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the release of its new Firebox T25/T25-W,T45/T45-POE/T45-W-POE, and T85-POE tabletop firewall appliances. Powered by WatchGuard’s Unified Security Platform® architecture to deliver comprehensive security and simplified management through WatchGuard Cloud, these new firewalls are engineered to provide the performance that remote and distributed business environments need for better protection against the latest network security threats.

With more memory and faster processing speeds for enhanced throughput,this new line of Firebox products enables WatchGuard partners, MSPs, and IT administrators to securebranch offices, office equipment, remote devices, retail point-of-sale (POS) software, and remote users from complex and emerging threats, while minimizing network configuration and management requirements.

“IT environments of all types and sizes face advanced and sophisticated threats from attackers, but SMBs and branch offices typically don’t have dedicated technical staff to configure, install and manage network security appliances,” said Ryan Poutre, product manager at WatchGuard Technologies. “This new generation of Fireboxes takes full advantage of our Unified Security Platform architecture, enabling MSPs to provide the robust solutions and simplified management they require to meet the needs of a wide range of customers and deployment scenarios.”

With enterprise-class security services likeAPT Blocker (sandbox malware detection) and ThreatSync for shared knowledge between endpoint and network, the new Fireboxesare idealfor small businesses that lack a designated security team. Beyond providing advanced malware protection for distributed environments, the new appliances include SD-WAN to optimize network performance by dynamically distributing network traffic across multiple connections based on defined policies.These new Fireboxes take advantage of the latest updates in WatchGuard Cloud to display a graphical real-time update of SD-WAN link status and any failovers, and they also support the latest Fireware capabilities for load sharing across multiple links. These capabilities are included in all of WatchGuard's service packages.

“WatchGuard’s tabletop Firebox appliances give us all the features and security protection of their bigger rackmount brothers, and make us more efficient with zero-touch provisioning to deploy and configure devices, upgrade firmware and apply policies after a remote user activates a device. We can quickly deploy and configure SD-WAN via WatchGuard Cloud from remote locations,” said Troy Midwood, chief technology officer at Aabyss. “These appliances are another example of WatchGuard’s focus on building great products that enable our MSP business.”

Key features for each of the new Firebox products include:

*   **WatchGuard Firebox T25/T25-W:** Provides stand-alone or centrally managed protection forsmall offices, home offices, and retail environments with complete enterprise-level network security. Zero-touch deployment via WatchGuard Cloud enables quick setup at remote locations to ensure secure connections. Provides up to 403 Mbps UTM throughput (running Gateway AntiVirus, IPS, and Application Control) and five 1 Gigabit Ethernet ports.
*   **WatchGuard Firebox T45/T45-POE/T45-W-POE:** Deliversstand-alone or centrally managedenterprise-level securityforsmall and midsize businesses. Boosts visibility into network activity/security events. Provides flexible management tools that enable quick setup at remote locations for secure business connections. Provides up to 557 Mbps UTM throughput and includes five 1 Gigabit Ethernet ports. The -POE models include one POE+ port to provide power to other devices like Wi-Fi access points.
*   **WatchGuard Firebox T85-POE:** Delivers high-performance, enterprise-level security that evolves with network requirements. Features SD-WAN, full UTM protection at over 940 Mbps, and expansion modules for integrated fiber or 4G connectivity. Also provides users with two Power-over-Ethernet (PoE+) ports enabling power to peripheral devices.

Additional Resources:

*   WatchGuard Firebox T25/T25-W Datasheet
*   WatchGuard Firebox T45/T45-POE/T45-W-POE Datasheet
*   WatchGuard Firebox T85-POE Datasheet
*   WatchGuard Network Security Product Matrix

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform™ approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches New Line of Firewall Products to Enhance Unified Security for Remote and Distributed Businesses

Only 10% of corporate executives expect to lay off members of cybersecurity teams in 2023, much lower than other areas, as companies protect hard-to-find skill sets.

Cybersecurity professionals will likely weather an economic downturn better than most other workers, as corporate executives worry that a recession could bring an increase in cyberattacks and acknowledge the difficulty in hiring knowledgeable workers, according to a new study by (ISC)2, a cybersecurity certification group.

The survey of 1,000 nontechnical C-level business leaders found that companies are more likely to cut employees in human resources, finance, and operations, and least likely to cut in cybersecurity, IT, and operations.

The reasons are pretty clear: 87% of executives thought a reduction in their cybersecurity team would increase their business risk, and 80% believed that economic troubles will lead to more cyber threats.

The results suggest that even non-technical executives have increased the priority of cybersecurity, says Clar Rosso, CEO of (ISC)2.

"In the workforce study every year, we're talking to cybersecurity professionals, so we know what they think," she says. "Now we see that organizational leaders are saying that \[cybersecurity professionals\] are on the bottom of our list to cut, and they're on the top of our list if we need to hire back."

Economists still widely expect a recession in 2023, despite strong job data and the Federal Reserve's continued efforts to increase interest rates and reduce money supply. In December, a Bloomberg poll showed economists predicted a 70% chance of a recession, and in January, a Wall Street Journal poll of economists suggested a 61% chance of a recession.

    

Cybersecurity has the least likelihood of suffering staff cuts in 2023. Source: (ISC)2

Yet, with annual inflation remaining above 4% for the past 22 months, companies have already started taking steps to prepare for an economic downturn, including staff reductions. In the cybersecurity industry, for example, more than 55 vendors have already laid off workers, according to Layoffs.fyi.

**Cybersecurity Gigs Are Resilient**

The (ISC)2 survey suggests that most layoffs are not cybersecurity or IT jobs, but administration and support. In cybersecurity, only 31% of companies expect to reduce their cybersecurity workforce if the economy declines, while 51% will prioritize reinvestment in cybersecurity if the economy improves, according to the survey.

The spread between the two sentiments is the highest for cybersecurity among all business units, with IT teams coming in second place, facing a 35% expectation of a reduction in bad times and 49% expectation of reinvestment in good times. Human resources and sales are the most at risk, with 44% and 41% of executives indicating they will lay off HR and sales staff in bad times, respectively, while 29% and 30% will prioritize the reinvestment in those departments if the economy improves.

Highlighting the pent-up demand in cybersecurity, three-quarters of executives (74%) would consider hiring cybersecurity workers laid off from other companies, the (ISC)2 survey found.

"With reports of job cuts at organizations including Twitter, Meta, Microsoft, Amazon and Google, cybersecurity staff could benefit from proactive hiring targeted towards those recent layoffs," the report stated. "With so many tech jobs impacted by recent layoffs, it is possible that many of those individuals may find opportunity in pursuing a career in cybersecurity, where they can apply related skills and expertise."

The resilience in demand for cybersecurity professionals comes as many workers burned out and resigned, part of the Great Resignation in 2022.

Organizations that lost valuable specialists did so for three main reasons, Rosso says. Cybersecurity teams have traditionally not had great career advancement opportunities, so their ability to gain promotions and increased salaries at their current company are often limited. In addition, the culture surrounding many security teams has often led to burnout and mental stress, she says.

"We know, for example, that at the end of 2021 and beginning of 2022, the Log4j issue was causing people to clock a lot of hours, and that led to some burnout," she says. "Not that cybersecurity professionals aren't always working long hours and hard, but it's just kind of a spike above and beyond."

Finally, the push to bring workers back to the office has often led people with in-demand specialties to look elsewhere.

**Cyber Threats Abound**

The resilience of cybersecurity jobs is buoyed by the constant reminders of business risks that come in the form of ransomware attacks, data breaches, and stolen intellectual property. The vast majority of executives (81%) believe that threats will increase in 2023.

The survey did not poll technical executives, such as chief technology officers (CTOs) or chief information security officers (CISOs), but gathered opinions from the nontechnical executives, such as CEOs and chief financial officers (CFOs).

"It is likely this maturing view of cybersecurity has been shaped by a continuing series of high-profile and damaging breaches," the report stated. "Security incidents have left no doubt as to the lengths threat actors will go to steal data or disrupt operations, in some cases even putting lives at risk."

In the last (ISC)2 workforce survey, the gap between available cybersecurity workers and demand shrank to 2.7 million, from 3.1 million the prior year. Many companies had closed out positions as the economy became unpredictable, leading to decelerating demand, Rosso says.

"When we were heading into 2021, our predictions were that we would see the workforce gap go up incredibly, and it actually contracted," she says. "The reason it contracted was because there was economic uncertainty, and what organizations did was they froze, or they eliminated, their open positions."

With economic growth, however, the need for cybersecurity workers will continue, she says.

Cybersecurity Jobs Remain Secure Despite Recession Fears

The nation-state threat group has been attacking a wider range of victims and regions than previously thought.

Researchers have linked the slippery SideWinder APT to two malicious campaigns — one in 2020 and one in 2021 — that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.

A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

The findings show the group casting a far wider net than previously thought using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. Researchers' investigation of these attacks also links the group to other known APTs, including Baby Elephant — which may in fact be SideWinder itself — and Donot APT, they said.

The report also sheds more light on the geographically dispersed nature of the group's operations, with researchers uncovering IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia, the researchers said.

SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group — widely believed to be associated with Indian espionage interests — is far broader than that.

"SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years," Dmitry Kupin, a senior malware analyst on Group-IB's Threat Intelligence team, wrote in the report.

Specifically, researchers identified more than 60 targets — including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more — of the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.

**Sophisticated Phishing Resources**

The phishing attacks — in which SideWinder impersonates known entities in an attempt to lure victims — also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group's initial-access method, they said.

The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.

In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, as well as a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.

The campaigns also are notable because they demonstrate SideWinder trying to steal cryptocurrency by imitating an Airdrop of NCASH crypto, the researchers said. NCASH is used as a payment means in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.

Specifically, researchers uncovered a phishing link related to Airdrop — an Apple technology for sending files via its mobile devices. When users visited the link (http://5\[.\]2\[.\]79\[.\]135/project/project/index.html) they were asked to register in order to participate in an Airdrop and receive tokens, though it was not specified which ones. By pressing the "Submit details" button, the user activates a script login.php, which researchers believe the group is using to further develop this attack vector.

**Tools and Telegram**

Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.

Part of that arsenal is the group's newest custom tool, SideWinder.AntiBot.Script, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.

The script can extract a victim's browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It's a key part of the group's notoriety for conducting "hundreds of espionage operations within a short span of time," Kupin wrote.

Another and perhaps the "most interesting finding" regarding SideWinder's tools arsenal were RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands and thus retrieve data stolen from compromised systems, Kupin noted.

This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.

**How to Stave Off SideWinder**

The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.

Because like many other APT groups SideWinder relies on targeted spear-phishing as the initial attack vector, it's important for organizations "to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment," Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.

Organizations at risk from SideWinder also should continuously monitor network activity within the organization's perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.

SideWinder APT Spotted Stealing Crypto

Thistle's technology will give device makers a way to easily integrate features for secure updates, memory management, and communications into their products, Snyder says.

Renowned security expert Window Snyder, whose experience includes helping companies such as Apple, Microsoft, and Mozilla bolster the security of their products, is betting she can do the same thing for IoT device manufacturers.

Snyder's company Thistle Technologies today is making generally available a new platform that aims to help IoT manufacturers securely deploy updates and implement capabilities for secure communications and memory management into their devices. The new Thistle Security Platform will give development teams working for embedded device manufacturers a way to directly incorporate security functionality into their products during the build phase.

**Crucial Capabilities**

Snyder says the technology is crucial because embedded devices are like fully functional computers that face the same kind of threats that operating systems and applications software do, but often don't have basic security mechanisms for protecting against them.

"What we are trying to do is democratize security," says Snyder, who launched Thistle in early 2021 after a stint as chief security officer at financial technology company Square. The goal is to give IoT and embedded device makers an infrastructure for quickly adding security functions to their devices without needing to develop it themselves. "These devices have all the same type of threats that general purpose operating systems have but with a lot less security," she says.

Thistle's set of security tools and services include an update component, a memory allocator, and an integrated memory-safe Transport Layer Security (TLS) stack for secure communications.

The update client, for Linux and Windows-based devices, enables IoT manufacturers to securely deliver signed updates to their device fleet from a single, central location. The updates could include new device features, security functions, and vulnerability fixes. It includes a failover feature that allows a device to return to a last known good state--without having to reboot—in case an update creates problems. The update client also supports vulnerability monitoring and access control capabilities. Thistle's memory allocator manages device memory in such a way as to mitigate buffer overflows and other common memory-related issues.

**Automated Updates**

When implemented, Thistle's technology will enable IoT devices to receive automated updates in much the same way that general-purpose operating systems and applications receive updates. When a vulnerability surfaces in a product, or new functionality becomes available for it, the device manufacturer then can securely push the update out centrally to all installed devices, thereby eliminating the need for manual intervention.

In her various stints as a senior security executive at some of the world's largest technology companies, Snyder has contributed to advances in areas such as secure software development lifecycles, memory management ,and attack surface reduction.

She perceives the technology her company is now bringing to the IoT market as giving resource-strapped device manufacturers a way to integrate baseline security features—such as encrypted communications and memory management capabilities—into their devices. Her hope is that device makers will then leverage her company's platform to build on those features going forward.

Thistle's immediate focus will be on IoT players in key markets such as automotive, power, water, networking, and the industrial sector.

Update mechanisms—when they exist—in the IoT space can be buggy and unreliable, Snyder says. She points to multiple incidents when a bad update bricked a device or caused other problems. One example: a 2017 incident where a bad firmware update bricked hundreds of smart locks from Lockstate that Airbnb was using as part of a program for its hosts. There have been other instances where key fobs and even cars have been bricked because of a faulty update, Snyder notes.

"The tolerance for update mechanisms is incredibly low," Snyder says. "When you have really low tolerance for update failures, you need to have an update mechanism that is highly reliable in addition to being supported."

**Integration with Build Environments**

The new Thistle security platform integrates with build environments and provides developers with tools such as those for integrating Thistle's security features into their devices and for things like signing and processing updates. Thistle's platform integrates with the open-source Yocto build system, which allows developers to add features to Linux products relatively quickly. It also integrates with the OpenWrt router operating system and with the U-Boot open-source bootloader.

Christ Wysopal, founder and chief technology officer at Veracode and seed investor in Thistle, says many of the capabilities that the company is making available are new to the space -- especially among smaller IoT device makers. The technology should help embedded device makers implement a secure by design approach where key security features get integrated into the product.

"Thistle is making it easier for people to incorporate this technology at a price point they can afford," Wysopal says. "It is changing the market by making security functionality available where it wasn't before."

Thistle's platform launch comes at a time when interest in technologies for securely updating IoT devices appears to be increasing. In recent years, vendors and security researchers have been reporting a growing number of vulnerabilities in IoT products.

A report from Claroty last year showed that in the first half of 2022, IoT vulnerabilities accounted for 15% of all vulnerabilities in the so-called Extended IoT (XIoT) compromised of all connected cyber-physical systems. In the previous six-month period, IoT vulnerabilities accounted for just 9% of all XIoT vulnerabilities.

**Pressure Mounts on Device Makers**

The trend is significant because organizations across industries such as transportation, telecommunications, manufacturing, and other sectors are connecting all sorts of embedded devices to their networks to support digital transformation and operational requirements.

"The devices have a unique profile because they are not a general-purpose computer and yet they have a processor, memory, are connected to the network and a lot of the time are doing something critical," Wysopal says.

He expects that enterprise organizations are going to increasingly demand better security capabilities from their IoT suppliers. The availability of technologies like that from Thistle is going to make it harder for device manufacturers to explain away their failure to implement fundamental security mechanisms in their products, Wysopal says.

Just this week the National Institute of Standards and Technology released a new encryption standard for IoT devices, which means enterprise organizations and consumers could soon begin expecting device makers to implement it in their products.

Measures like the Internet of Things Cybersecurity Improvement Act of 2020 are another factor because they require organizations selling IoT devices to government agencies to ensure minimum security standards for their technologies.

Embedded and IoT device makers are feeling more pressure than before to respond to security threats, Snyder says.

"Customers are also asking better questions and there have been more and more demonstrations over time that these devices are deeply vulnerable," she says.

Window Snyder's Start-up Launches Security Platform for IoT Device Makers

Simplification can result in efficiencies, reduced overhead, and the ability to respond to cyber threats more quickly.

Managing the "polycrisis" was the issue on everyone's mind at the World Economic Forum in Davos this year and, with cyber-risks emerging as the third-highest risk to growth for CEOs, navigating the cyber landscape in 2023 is high on the agenda.

New cyber threats continue to emerge, including the rise of state-backed cybercrime and the uncertainties posed by emerging technologies, such as quantum computing, artificial intelligence (AI)/machine learning (ML), 5G, and the metaverse. This comes on top of the struggles companies already face defending themselves against long-established vulnerabilities like business email compromise, ransomware attacks, and supply chain software risk.

At the same time, penalties for compliance failures are getting harsher as the regulatory screws tighten, notably the European Union's Digital Operational Resilience Act (DORA) and NIS2 Directive, Australia's amended Security of Critical Infrastructure Act, as well as a whole new suit of cybersecurity regulations in the US. The economic crunch, meanwhile, is putting the brakes on cyber budgets.

Paradoxically, this more complex, volatile cybersecurity environment means that to survive the year ahead relatively unscathed, companies must radically simplify and streamline, by rationalizing their architecture, technology stacks, and decision-making.

A technology declutter is required. Our research has found that most organizations use only 10% to 20% of the technology they own, while continuing to pay higher license costs for technology that they have not leveraged for other business needs. Pressure on cyber budgets can provide an opportunity to review and rationalize. This could also help identify and eliminate the sharp edges and risks that come with a multilayered software, application programming interface (API), and technology stack, coupled with the fact that more and more cyber technology is being bundled with cloud licenses, making a strong economic argument for consolidation.

Companies are likely to shift more cybersecurity to managed services providers, especially to fill the human resources and skills gap. There are cost savings here too, and, in addition, managed services providers typically have better access to talent, thanks to the more varied projects they offer, compared with a cyber role within the four walls of individual companies, especially if the company is in a sector perceived as humdrum or conventional.

**Keep It Simple**

Simplification isn't just a technology story, though. The C-suite will need to put in place more simplified and streamlined decision-making processes to be utilized during a cybersecurity incident, such as securing board-level approval for corporate ransomware policies and thresholds for payment, if any, allowing the leadership team to take swift action when a crisis hits. Governance and operating models for cybersecurity can also be simplified, by leveraging existing forums for cybersecurity decision-making, such as the safety Committee, as well as, of course, the audit and risk committee.

Simplification will not just be an imperative for the companies that consume cybersecurity products and services. The vendor landscape will also consolidate as the technology companies themselves make more acquisitions. "Cyber suite" providers will be the winners in the year(s) ahead, as opposed to the many point-solution startups and companies offering firewalls, monitoring software, data protection software, email security, and the like.

Simplification will make companies more adaptive and pragmatic. It will support a shift from a complexity-_inducing_ approach, created when cyber leaders try to invest in and uplift every control, and thereby create a spray of projects, to an adaptive approach that works backward from core risks and sets companies up to move swiftly when attacks strike. Simplification will result in operational efficiencies, reduced technology and infrastructure overhead, and ultimately the ability to respond to cyber threats more quickly.

Cyber leaders should address this simplification requirement by taking an inventory of the assets they currently use and maximizing the capabilities of technology stacks they own, especially in conjunction with a move to cloud. Going forward, they should limit new investment in niche solutions that only address single cyber use cases. Broadly, decision-makers should take a risk-based approach to uplifting controls, prioritizing those that manage the risks they face, rather than those that have been identified as weak during an audit. Finally, they should simplify and consolidate cyber incident response processes with other crisis management processes that exist in the organization.

The year ahead will not be easy for cyber teams. The best defense is to build an organizational infrastructure that is nimble and adaptive. That starts with simplifying.

Simplify to Survive: How Organizations Can Navigate Cyber-Risk

It's a classic attacker move: Use security protections against those who deploy them. But organizations can still defuse and prevent these encrypted attacks.

Once upon a time, encrypted traffic was considered the safe, secure option for browsing and doing business online. However, going back to December 2013, the Google Transparency Report shows just 48% of Web traffic was encrypted. Flash forward to today, and the volume of encrypted Web traffic is up to 95%. However, the threat landscape has changed a lot since 2013, and now we find the majority of cyberthreats lurking within encrypted channels.

Hidden in your encrypted Internet traffic layers are malware payloads, phishing scams, sensitive data leaks, and more. To understand this better, the State of Encrypted Attacks 2022 Report analyzed 24 billion threats from October 2021 to September 2022 to reveal details on threats embedded in HTTPS traffic, including SSL and TLS. The report shows a consistent upward trend of attacks using encrypted channels — from 57% in 2020 to 80% in 2021 — ultimately finding that more than 85% of attacks were encrypted in 2022. There were other major findings as well.

**Most Encrypted Threats Involve Malware**

While cybercriminals hide a variety of attack tactics in encrypted traffic, malware remains the most prevalent. Malicious scripts and payloads used throughout the attack sequence make up nearly 90% of the encrypted attack tactics blocked in 2022.

    

Fig. 1. Distribution of 2022 encrypted attacks. Source: Zscaler ThreatLabz

Malware continues to pose the greatest threat to individuals and businesses across nine key industries, with manufacturing, education, and healthcare the most common targets. This category includes ransomware, which remains a top concern for CISOs, as ransomware attacks have increased by 80% year over year.

The most prevalent malware families the ThreatLabz team observed abusing encrypted channels include ChromeLoader, Gamaredon, AdLoad, SolarMarker, and Manuscrypt.

**US, India Are Top Targets for Encrypted Attacks**

The five countries most targeted by encrypted attacks in 2022 were the US, India, South Africa, the UK, and Australia. In addition, several countries saw significant upticks in targets year over year, including Japan (+613%), the US (+155%), and India (+87%).

**Encrypted Attacks Increased in Manufacturing, Education**

More than doubling in encrypted attacks (239%), manufacturing displaced technology as the most targeted industry in 2022. Encrypted attacks against the education industry were also up significantly (134%). Attackers particularly favored manufacturing over other sectors as a target for ad spyware. It is also one of two industries most often phished via encrypted channels — the other being healthcare.

    

Fig. 2. Top vertical industries targeted by encrypted attacks in 2022. Source: Zscaler ThreatLabz

Today, most attacks leverage SSL or TLS encryption, which is resource-intensive to inspect at scale and best done with a cloud-native proxy architecture. While legacy firewalls support packet filtering and stateful inspection, their resource limitations make them poorly suited for this task. This creates a critical need for organizations to implement cloud-native architectures that support full inspection of encrypted traffic in alignment with zero-trust principles.

**How to Protect Yourself**

For defenders, the imperative is clear: all encrypted traffic must be thoroughly inspected to detect and stop cyberthreats before they cause damage. While we wait for governments, compliance frameworks, and other vendors to catch up with this reality, it will be up to defenders and leaders to raise the flag and champion initiatives to mitigate this common threat tactic. Zero-trust strategies and architectures — in which you trust nobody and inspect and authenticate everything — are the most effective way to protect your organization from encrypted attacks and other advanced threats.

Attacks start with reconnaissance and an initial compromise of an endpoint or asset exposed to the Internet. Once inside, attackers perform lateral propagation, including reconnaissance and establishing a network foothold. Finally, attackers act to achieve their objectives, which often involve data exfiltration.

Your defenses should include controls for each of those stages. Minimize the attack surface by making internal apps invisible to the Internet, and prevent compromise by using cloud-native proxy architecture to inspect _all_ traffic inline and at scale, enforcing consistent security policies. Organizations should also stop lateral movement by connecting users directly to applications (rather than the network) to reduce the attack surface, and contain threats using deception and workload segmentation. They can also stop data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.

If you are looking to minimize the risk of encrypted attacks for your organization, consider these recommendations as part of your adoption strategy:

*   Use a cloud-native, proxy-based architecture to decrypt, detect, and prevent threats in all encrypted traffic at scale.
*   Leverage an AI-driven sandbox to quarantine unknown attacks and stop patient-zero malware.
*   Inspect all traffic, all the time, whether a user is at home, at headquarters, or on the go, to ensure everyone is consistently protected against encrypted threats.
*   Terminate every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real-time — before it reaches its destination — to prevent ransomware, malware, and more.
*   Protect data using granular context-based policies, verifying access requests and rights based on context.
*   Eliminate the attack surface by connecting users directly to the apps and resources they need, never to networks.

Read more Partner Perspectives from Zscaler.

Encrypted Traffic, Once Thought Safe, Now Responsible For Most Cyberthreats

Developers don't have to build authentication and user management from scratch, and can devote their energies to the core functions of the application, instead.

Descope emerged from stealth on Wednesday with a frictionless, secure, and developer-friendly authentication and user management service.

There is always a point in application development when a decision has to be made, to either build user authentication in-house or use someone else's. It's not a one-time decision, either, since user authentication is more than just setting up a username and password. There has to be a process for password resets, a way to add layers of authentication, a mechanism to securely store credentials, and controls to detect and prevent fraud and bots. All that comes before figuring out user provisioning, tackling access control, or even incorporating single sign-on.

"Authentication is never finished for any application," wrote Slavik Markovich, co-founder and CEO of Descope.

Descope's core premise is based on a simple fact: developers should not be spending time and resources on authentication and user management if that is not the core part of the service they are building. With Descope's authentication user management platform, developers can create authentication flows, add passwordless authentication methods to their applications, manage access privileges and identities, and implement security controls to prevent account takeovers and other types of fraud – and they don't need to be security experts to have these capabilities.

“Authentication is too important to be done incorrectly, but it’s also too complicated and time-consuming to be done in-house by engineering teams,” Guru Chahal, a partner at Lightspeed Venture Partners, said in a statement.

Identity-based attacks are on the rise, which has renewed interest in passwordless technologies. The Verizon Data Breach Investigations Report found that 80% of basic web application attacks can be attributed to stolen credentials. Google and Apple have rolled out passkeys to phase out passwords and open standards like FIDO2 and WebAuthn make it easier for users to rely on their devices as an authentication factor. Descope's passwordless technology stack means organizations can make that shift to deliver a passwordless experience to users.

"Our vision is to “de-scope” authentication from every app developer’s daily work, so they can focus on business-critical initiatives without worrying about building, maintaining, or updating authentication,” Markovich said.

The platform supports different types of developers, including those who prefer no-code/low-code tools, rely on software development kits (SDKs), or prefer working with APIs. Developers can use the Descope platform without charge for up to 7,500 monthly active users for business-to-consumer (b2c) applications and up to 50 tenants for business-to-business (b2b) applications.

Descope has raised $53 million in seed funding, the company said. The founding team has worked together for years, at security orchestration, automation, and response startup Demisto, which was acquired by Palo Alto Networks in 2019, and database security company Sentrigo, which was acquired by McAfee in 2011.

Source

DARKReading