Microsoft, three others release patches to fix a vulnerability in their respective products that enables such manipulation. Other EDR products potentially are affected as well.

Many trusted endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing virtually any data on installed systems.

Or Yair, a security researcher at SafeBreach who discovered the issue, tested 11 EDR tools from different vendors and found six — from a total of four vendors — were vulnerable. The vulnerable products were Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne.

**Formal CVEs and Patches**

Three of the vendors have assigned formal CVE numbers for the bugs and issued patches for them prior to Yair disclosing the issue at the Black Hat Europe conference on Wednesday, Dec 7.

At Black Hat, Yair released proof-of-concept code dubbed Aikido that he developed to demonstrate how a wiper, with just the permissions of an unprivileged user, could manipulate a vulnerable EDR into wiping almost any file on the system, including system files. "We were able to exploit these vulnerabilities in more than 50% of the EDR and AV products we tested, including the default endpoint protection product on Windows," Yair said in a description of his Black Hat talk. "We are lucky to have this discovered prior to real attackers, as these tools and vulnerabilities could have done a lot of damage falling in the wrong hands." He described the wiper as likely being effective against hundreds of millions of endpoints running EDR versions vulnerable to the exploit.

In comments to Dark Reading, Yair says he reported the vulnerability to the affected vendors between July and August. "We then worked closely with them over the next several months on the creation of a fix prior to this publication," he says. "Three of the vendors released new versions of their software or patches to address this vulnerability." He identifies the three vendors as Microsoft, TrendMicro and Gen, the maker of the Avast and AVG products. "As of today, we have not yet received confirmation from SentinelOne about whether they have officially released a fix," he says.

Yair describes the vulnerability as having to do with how some EDR tools delete malicious files. "There are two crucial events in this process of deletion," he says. "There is the time the EDR detects a file as malicious and the time when the file is actually deleted," which sometimes can require a system reboot. Yair says he discovered that between these two events an attacker has the opportunity to use what are known as NTFS junction points to direct the EDR to delete a different file than the one that it identified as malicious.

NTFS junctions points are similar to so-called symbolic links, which are shortcut files to folders and files located elsewhere on a system, except that junctions are used to link directories on different local volumes on a system.

**Triggering the Issue**

Yair says that to trigger the issue on vulnerable systems he first created a malicious file — using the permissions of an unprivileged user — so the EDR would detect and attempt to delete the file. He then found a way to force the EDR to postpone deletion until after reboot, by keeping the malicious file open. His next step was to create a C:\\TEMP\\ directory on the system, make it a junction to a different directory, and rig things so that when the EDR product attempted to delete the malicious file — after reboot — it followed a path to a different file altogether. Yair found he could use the same trick to delete multiple files in different places on a computer by creating one directory shortcut and putting specially crafted paths to targeted files within it, for the EDR product to follow.

Yair says that with some of the tested EDR products, he was not able to do arbitrary file deletion but was able to delete entire folders instead.

The vulnerability affects EDR tools that postpone deletion of malicious files till after a system reboots. In these instances, the EDR product stores the path to the malicious file in some location — that varies by vendor — and uses the path to delete the file after rebooting. Yair says some EDR products don't check if the path to the malicious file leads to the same place after reboot, giving attackers a way to stick a sudden shortcut in the middle of the path. Such vulnerabilities fall into a class known as Time of Check Time of Use (TOCTOU) vulnerabilities, he notes.

Yair says that in most cases, organizations can recover deleted files. So, getting an EDR to delete files on a system by itself, while bad, isn't the worst case. "A deletion is not exactly a wipe," Yair says. To achieve that, Yair designed Aikido so it would overwrite files it had deleted, making them unrecoverable as well.

He says the exploit he developed is an example of an adversary using an opponent's strength against them — just as with the Aikido martial art. Security products, such as EDR tools have super-user rights on systems, and an adversary that is able to abuse them can execute attacks in a virtually undetectable manner. He likens the approach to an adversary turning Israel's famed Iron Dome missile defense system into an attack vector instead.

For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers

Software firms and the National Security Agency urge developers to move to memory-safe programming languages to eliminate a major source of high-severity flaws.

The software industry is making headway against a group of pernicious vulnerabilities that are responsible for the vast majority of critical, remotely exploitable, and in-the-wild attacks, software-security experts said this week.

The class of vulnerabilities — so-called memory-safety issues — include buffer overflows and use-after-free errors and have accounted for the majority of application security issues disclosed by software companies. Now, the latest data show that the increasing use of memory-safe languages — such as Java, C#, and more recently, Rust — has resulted in a rapid decline of the entire class of vulnerabilities.

Last week, for example, Google revealed that the latest version of the Android operating system has more new code written in memory-safe programing languages — such as Java, Rust, and Kotlin — than memory-unsafe languages such as C and C++, resulting in a drop in memory-safety vulnerabilities from 223 to 85 over the past three years.

"We are continuing to focus on eliminating entire classes of vulnerabilities, focusing on the most severe first," says Jeffrey Vander Stoep, a software engineer at Google. "As memory safety vulnerabilities become more scarce, we anticipate the research community to focus their vulnerability-findings efforts on other classes of vulnerabilities."

    

Memory-safety vulnerabilities are disproportionately severe. Source: Google

For decades, C and C++ have been the workhorse programming languages of the software industry. Yet they lack the memory protections of more modern languages, such as C#, Go, Java, Python, Ruby, Rust, and Swift. The result? Fifty-nine percent of applications written in C++ have high-severity or critical-severity flaws, compared to 9% for JavaScript and 10% for Python, according to application-security firm Veracode's State of Software Security Vol. 11 report.

**Buffer Overflows and Wormable Flaws**

The ease with which programmers can create flawed code has become a major problem for large software companies. Microsoft, for example, found that, up until 2018, memory-safety issues accounted for 70% of the vulnerabilities discovered in the company's software. Overall, memory safety issues have accounted for 60% to 70% of all vulnerabilities across a wide variety of ecosystems, according to 2020 research by software resilience engineer Alex Gaynor.

And because the flaws can easily be exploited to attack applications, they are the root causes behind a significant number of compromises, says Chris Wysopal, chief technology officer of Veracode.

"Memory corruption issues are amongst the highest severity flaws as they often allow attackers to exploit with code execution which allows them to take complete control of the application," he says. "In the worst case scenario this allows the creation of a worm exploit which can go on to attack other instances of the vulnerability."

In its recent blog post on its shift to memory-safe languages for Android development, Google noted that while memory-safety vulnerabilities now only account for 36% of issues disclosed in Android, they account for 86% of the critical security vulnerabilities and 89% of remotely exploitable issues.

**Making the Switch to Safe Languages**

For that reason, Google and others have urged developers to adopt memory-safe languages.

In Google's case, C and C++ now account for just less than half of all new code. In fact, Android 13, the latest version, is the first where the majority of code has been written in memory-safe languages, with Rust replacing C and C++ for many developers. Rust is an efficient programming language focused on creating secure code.

Even the National Security Agency is urging companies to adopt memory-safe programming languages.

Switching to a memory-safe language is not sufficient, however. While the languages do make it harder for programmers to write insecure code, every language has a different level of protection. For that reason, the NSA has also recommended that developers use a variety of application-security tools — from compiler options to static scanners to runtime analysis — to harden applications as much as possible.

"Software analysis tools can detect many instances of memory management issues and operating environment options can also provide some protection, but inherent protections offered by memory safe software languages can prevent or mitigate most memory management issues," the NSA's report stated.

In the end, while memory-safe programming languages are not a standalone solution to the problem of software vulnerabilities, they give guidance to developers who can then avoid some of the most severe programming errors, says Veracode's Wysopal.

"It's hard to generalize and say that there is a lower volume of vulnerabilities in memory safe languages since the way they are used is different," he says. "But if you were using two different languages to accomplish the exact same task, and one was memory safe, you'd expect fewer vulnerabilities in that one and typically less critical vulnerabilities."

Shift to Memory-Safe Languages Gains Momentum

If compiling a software bill of materials seems daunting, attack surface management tools can provide many of the benefits.

A software bill of materials (SBOM) is an important tool enterprise defenders can use to track the impact of software security bugs, manage sane patch management, and protect the integrity of the software supply chain as a whole. Scores of industry leaders say so. The Office of the President of the United States says so.

So why are they not widely used yet? What are software vendors worried about? Do they know something that we don't?

In a recent CISO Forum in Whitehall, London, many CISOs felt that the challenges and speed of change in application security, particularly in a cloud-enabled environment, had left them a little nonplussed and challenged to change their architectural models and thinking to become fully cloud native. In particular, there was a reluctance to let go of legacy control methods such as IP-based access lists and endpoint-based security controls.

**Hesitant to Set Off the SBOM**

There are several interesting possibilities that may be driving the tendency to delay providing SBOMs.

The first is **ignorance of their own supply chain**. It's possible that the vendors don't actually know the origin of some of their software. It is common practice in large development teams and long, complex projects to effectively "black box" entire sections of code.

If that is the case, the fact that the organization may not fully know the origins of its software raises a myriad of concerns. It could indicate anything from bad version tracking to the existence of potentially indispensable employees that hold the fate of the entire company in their coding hands. It's completely understandable that such a company would hesitate to release SBOMs for its products.

Another scenario that might make a company leery of SBOMs is **if the product is almost entirely an assembly of other products**. It's the reality of modern software development that programs are the result of custom code cobbled together with third-party libraries and components. If the company has written a very low percentage of its own code, then the SBOM could essentially become a recipe card for someone else to clone the product.

But the likely scenario is that software firms may **see no upside, only potential downside** to releasing SBOMs. Currently there's very little market pressure on releasing SBOMs for their product lines. They may have created one for internal use, but there is no real push to make them public. The main concern voiced by CISOs is that while an SBOM may improve visibility, it provides little impetus towards remediation and no liability for fixing software flaws — leaving the problem squarely in the lap of the end user, the CISO.

**Getting Past the SBOM**

It's unlikely that the industry or the purchasing public will be able to generate the market pressure required to force every major player to release an SBOM for all their products. In May 2021, the US government issued an executive order to improve the nation's cybersecurity that explicitly called for SBOMs as a control measure for the software supply chain. The EU government, for its part, has planned a Cyber Resilience proposal to echo and support the requirements of the US order.

If the main purpose of an SBOM is patch management and vulnerability attribution, there is a secondary layer of monitoring and protection that cybersecurity personnel should be looking at: attack surface management (ASM).

While it would be slightly easier for enterprise security teams to know that the software they use contain packages X, Y, and Z, that isn't the only way to manage application security. By tracking the security advisory history of these software suites, we can estimate the most likely attack vectors that they can fall victim to.

The combination of these vulnerabilities compiled from every piece of software that a company uses makes up an organization's attack surface. What ASM tries to do is intelligently categorize these weaknesses and automate the discovery, remediation, and continuous monitoring of new threats.

It's like tying together a vulnerability advisory service with an enterprise software management solution. The way that the ASM does this varies from product to product, but generally some amount of machine learning is involved. That way predictive models can be built so that when certain zero-day exploits are discovered, you will know how likely they are to apply to your attack surface even if you don't have a detailed SBOM from every vendor.

A good ASM has the additional benefit of treating ducks like ducks. You know: If it looks like a duck and quacks like a duck, it doesn't really matter if someone else labeled it as a swan instead. The ASM only cares about results. If a company insists that it's using the Open Dynamics Engine, but for some mysterious reason it falls victim to all the same vulnerabilities as the PhysX engine, ASM will completely ignore labels and suggest the fixes that actually fit the situation and not the ones that correspond to the names.

Even if the movement toward mainstream adoption of SBOM continues to be slow, security professionals have a strong alternative with ASM. It's also worth noting that ASM will complement any SBOM-based software governance with a dynamic risk mitigation system.

Instead of adopting and deploying something locally to cover your vulnerability discovery and monitoring needs, another alternative is to embrace an agentless security model that can monitor extended asset attack surfaces. The device intelligence firm Armis, for example, does this with a fully cloud-native approach. Think of it as an ASM solution that covers IoT devices, cloud instances, and edge networking setups, as well as traditional on-premises.

Such a model presents a different, more global way of looking at asset intelligence that might be more attractive to large enterprise operations. Smaller operations, however, would likely want to save their money for a good ASM and rely on extra vigilance for their extended network devices.

ASM Can Fill Gaps While Working to Implement SBOM

**BERKELEY, Calif.****,** **Dec. 6, 2022** **/PRNewswire/ --** In a report released today, The Cambridge Centre for Risk Studies (CCRS) and Kivu Consulting, Inc. have combined efforts to research and benchmark cost-effective responses to cybercrime. The research report, MITIGATING RANSOMWARE RISK: DETERMINING OPTIMAL STRATEGIES FOR BUSINESSES, assesses the threats posed by ransomware, reviews trends in ransom demands and payments, highlights the effectiveness of controls, and ranks the most pervasive ransomware in terms of both frequency and severity.

"Leveraging Kivu's evidence-based data set from +8 years of experience, this research partnership with CCRS is designed to quantify the value of specific cybersecurity defenses and connect it with the company's bottom line," said Winston Krone, Co-Founder and Chief Research Officer at Kivu.

"Incident responders like Kivu play a critical role in attack management and ransom negotiation and thus have access to a rich dataset. This is the first study analyzing real-world event data which will better inform a more strategic approach to cybersecurity risk management," said Jen Copic, Senior Risk Researcher, Centre for Risk Studies.

 \*Key takeaways:

*   The global dataset provides an aggregate, real-world view of 422 attacks carried out on 416 organisations.
*   Industrials is the most impacted sector in the dataset, driven by a large number of events targeting capital goods manufacturing firms and professional services firms.
*   84% of the ransom events occurred in the Americas.
*   A ransom was paid 72% of the time as observed in this dataset.
*   94% of the ransomware variants accept negotiation on their pricing.

To download the paper and sign up for upcoming webinars, please visit:  https://kivuconsulting.com/mitigating-ransomware-risk/

About CCRS:

*   The Cambridge Centre for Risk Studies is based within the University of Cambridge Judge Business School. The Centre works closely with business partners in tackling complex issues of management science in risk.

About Kivu:

Kivu is a leading global cybersecurity firm that offers a full suite of cybersecurity services, including forensic investigation of, and recovery from, all forms of cyberattacks, continuous monitoring/detection/blocking of cyber threats, and strategy/compliance and testing. Kivu is an approved and trusted cybersecurity partner by 60+ insurance carriers and delivers its services to organizations in all industries. 

SOURCE Kivu Consulting

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cambridge Centre for Risk Studies and Kivu Release Benchmark of Cost-Effective Responses to Cybercrime

CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.

Although details about its real-world impact are vague, the Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chrome flaw to its list of Known Exploited Vulnerabilities Catalog.

Google has already released a fixed version of Chrome browser for Windows, Mac, and Linux users. CISA has given government agencies until Dec. 26 to get a patch in place.

Tracked under CVE-2022-4262, CISA described the Google Chrome V8 Engine flaw as a "type confusion vulnerability." Attackers can exploit this kind of vulnerability by using a specially crafted HTML page to corrupt the heap and crashing the browser. Attackers can also exploit type confusion flaws to execute arbitrary code. An exploit for CVE-2022-4262 already exists in the wild, according to Google.

"Specific impacts from exploitation are not available at this time," CISA added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Chrome Flaw Added to CISA Patch List

Microsoft warns that the Kremlin is ramping up cyberattacks against infrastructure and supply chains and starting disinformation campaigns as Russian troops lose on the battlefield.

With a beleaguered and retreating Russian military, analysts warn that winter's chill will be accompanied by a new barrage of cyberattacks against Ukraine's infrastructure, supply chains, partners, and political support across Europe and beyond.

Microsoft's Digital Threat Analysis Center predicts a significant increase in Russian cyberattacks over the coming months, as well as an expansion of existing campaigns like Prestige ransomware and wiper attacks on energy, water, and other vital infrastructure.

The Kremlin is also likely to push disinformation across social media across Europe with the intent of weakening public resolve to withstand skyrocketing energy costs and provide support for Ukraine's military.

It's time for organizations and security teams to prepare defenses against what Microsoft described as "multidimensional threats" from Russia.

"Ukraine has fought a brave defense both online and on-the-ground against a merciless Russian assault," the Microsoft report on Russian cyberattacks said. "With the help of its partner nations, companies and democratic citizens, we all can ensure that Ukraine and Europe's infrastructure is protected and democracy resilient in the face of authoritarianism this winter."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russia Readies Winter Cyberattacks As Troops Retreat From Ukraine

There's no quick fix after decades of underinvestment, but the process has started. Cybersecurity grants, mandatory reporting protocols, and beefed-up authentication requirements are being put in place.

Securing critical infrastructure is complicated because of the vast network of facilities and management systems. Threats targeting this sector can have dire consequences, and when attacks do happen, they're often accompanied by a media storm. This generates interest among concerned citizens, which prompts a reaction from politicians, who are spurred into action to ensure the necessary cyber protections are implemented to calm the concerned citizens — the electorate.

The 2021 ransomware attack on Colonial Pipeline, which caused long lines at gas stations, followed this very timeline and served as a much-needed wake-up call to protect critical infrastructure services against cyberattacks. The attack prompted action at the highest levels of US government, causing the president to expedite an executive order aimed at strengthening US cybersecurity defenses. The executive order, in brief, requires disclosure of incidents, creates a federal playbook for incidents, mandates cybersecurity upgrades, creates a review board, and, importantly, encourages an ethos of cyber-intelligence sharing between government agencies and the private sector.

**Wake-Up Call**

The emphasis on cybersecurity due to the increased threats to critical infrastructure — including cybercriminals attempting to monetize their efforts, terrorism, and the conflict in Ukraine — is unprecedented. In the current budget proposal, the Cybersecurity and Infrastructure Security Agency (CISA) will receive $2.93 billion, $417.1 million more than it requested. There are numerous grants available to critical infrastructure organizations to assist funding the much-needed improvements to cybersecurity; in April 2022, CISA and FEMA began rolling out the first $1 billion from the Rescue Act to help state and local entities improve cybersecurity. Testifying before the House Homeland Security Subcommittee, Jen Easterly, director of the CISA, used the cyberattack on the Oldsmar, Fla., water utility plant as an example of an attack on critical infrastructure to justify the original request.

Enormous would be an underestimate of the task of upgrading the cybersecurity of water supply and wastewater systems in the US. According to American Water, there are 53,000 water supply and sanitation providers in the US. The Environmental Protection Agency (EPA) calculates this differently, and lists 148,000 public water systems (not companies).

If, like me, you live in a rural community, the company supplying your water is likely a small local business providing a critical infrastructure service. On Feb. 5, 2021, the water treatment system servicing Oldsmar City suffered a cyber incident: A poorly secured remote-access solution based on TeamViewer was accessed by a perpetrator, who adjusted the amount of sodium hydroxide in the water from 100 parts per million to 11,000 parts per million. Fortunately, a city water plant operator noticed the increase and reversed it, stopping the attack and the potential poisoning of thousands of people. It was later disclosed that the system accessed wasn't protected by two-factor authentication and was protected by a weak, shared password. There really is no excuse.

The Wall Street Journal's CIO Journal suggests that technology spending as a percentage of revenue in banking and securities is around 7%, and in construction and manufacturing just 2%. Given that water supply is a critical infrastructure service and has been specifically called out as needing cybersecurity investment, it is reasonable to expect spending on IT, including cybersecurity, to be at the higher of these two levels. A report by Deloitte breaks this number out for cybersecurity spending, which they estimate to be 10.9%.

**The $2.5 Billion Scope of the Problem**

What does this mean in a rural water system company, without shaming any particular company? I will use a real-life example without naming the company. Company X has a total revenue budget of $12.4 million per year, with an operating cost for computer services of $211,000 for the same period. There are some costs for IT-related items that may be outside of the operating budget and are attributed to capital spending. For the fiscal year 2021–22, the only item that could have cybersecurity element is a $50,000 cost for SCADA/telemetry/electrical control replacement.

This equates to IT spending (listed as computer services) of 1.7%, and even allowing that 50% of the capital expenditure item is cybersecurity, which is unlikely, this becomes 1.9%. Using the earlier mentioned cybersecurity estimate of 10.9%, the spending on cybersecurity is just under $22,000 per year, for an organization with $12.4 million in revenue. In a sector under continual threat, it's not unreasonable to expect spending to replicate that of financial organizations, which, in this instance, would equate to an IT spending of $868,000, with cybersecurity accounting for just under $94,000 per year.

The water sector does benefit from federal assistance, and the EPA has requested $25 million in fiscal year 2023 for a new grant program to advance cybersecurity infrastructure capacity and protections within the water sector. If you do raw math on this and distribute it among the 54,000 organizations, it equates to less than $500 each. There may be other funding and grants available, but the point isn't the numbers, it’s the magnitude of the problem. To fund each water supply organization $50,000 for cybersecurity, a more realistic number, a budget of $2.5 billion would need to be set aside.

Years of underinvestment in critical infrastructure security isn't something fixable in the short term. The complexity of dealing with 53,000 organizations (around 50,000 of them rural) and attempting to bring them all to a basic level of compliance is a mammoth task. All of this comes at a time when inflation is rampant, and the cost of energy is high.

**One Possible Solution**

There is always a solution. One idea is that the IT services of water supply companies would be better serviced if they were grouped together, centralizing internal services.

If, for example, 10 companies joined together for IT and cybersecurity, there would be numerous benefits: financial, resources, communication, compliance, policy, etc. This would be similar to the way individual schools are part of a school district, with one, single governing body. This is just one solution, and I'm sure there are many options that could be pursued that could help alleviate the financial and resources burden facing the critical infrastructure sector.

What Will It Take to Secure Critical Infrastructure?

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Somebody is wide awake despite their winter hibernation bedtime. Any idea what's going on? Send us a witty cybersecurity-related caption for the cartoon, above, and you could win a $25 Amazon gift card.

The contest closes on Wednesday, Dec. 28, 2022. Here are four convenient ways to submit your ideas: 

*   Email _\[email protected\]_ with the subject line "The Edge December 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congratulations go to Alex B., a business development pro in Alabama. Dark Reading editors were tickled over his caption for last month's "Turkey Time" contest, earning him a $25 Amazon gift card.

    

A big thanks to all who participated.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Not Your Average Bear

Global security technology provider with 20+ years of experience embraces the next evolution of its business with refreshed brand and invigorated leadership.

**MELVILLE, NY, Dec. 6, 2022 —** Intellicene, a provider of intelligent software platforms that empower organizations to better understand and respond to mission-critical events, today announced the close of its acquisition by Volaris Group and the launch of its new brand. Previously known as Cognyte Situational Intelligence Solutions (SIS), the new Intellicene embodies a strategic new direction and an ambition to being a global security intelligence leader of choice.Led by veteran security executive Alan Stoddard, Intellicene incorporates former SIS employees and assets, including the Symphia suite of technologies. The new name and strategic direction also introduces “The Age of Intelligence” which showcases Intellicene’s mission to transform security management from a reactive endeavor to a proactive process that is highly effective, data-driven, and measurable.

The launch of Intellicene follows an incredibly successful year, which saw the company strengthen its presence with new customer wins. Volaris’ buy-and hold philosophy provides stability, shared best practices and a global footprint that can create new opportunities for Intellicene.Sitting at the nexus of awareness, insight, and action, Intellicene delivers integrated, intelligent software platforms that help leaders better understand and respond to critical situations across their organizations. The company has provided intelligent security management platforms to a wide variety of mission-critical, global businesses for more than 20 years since its formation under Verint Systems in 2002.

“We are excited for Intellicene to enter this next chapter and together with Volaris see compelling opportunities to accelerate our growth trajectory and enhance customer focus,” said CEO Alan Stoddard. “With the strong support of our new owners, we are well positioned to capitalize on the many opportunities before us, and we see tremendous potential to expand our reach into new markets and drive new innovations and capabilities.”

Intellicene is focused on ensuring stakeholders have the right tools to help protect operations, assets, and people. With extensive expertise in the security and IT realms, the company and its team has helped ensure the safety of well-regarded brands by developing solutions that help leaders better understand and respond to critical situations. Its Symphia software platform connects to and correlates data from virtually any device, system, or software, providing the real-time awareness and actionable insights needed to identify potential threats and respond effectively.

“We’re pleased to complete this acquisition and support Alan and the management team in building their vision for Intellicene,” said Carl Bruce, Volaris Group. “We see this market as holding tremendous opportunity, and under our ownership, Intellicene is well positioned for future growth.”

Stoddard brings significant experience in leading global organizations and has more than 12 years of experience in the security industry. In addition to Stoddard, the senior leadership team includes Uri Shaffer, Vice President of Sales for EMEA and APAC; Craig Levin, Chief Financial Officer; Yosi Rahamim, Vice President of Research and Development; Mike Howanitz, Vice President of Sales and Business Operations; Joey Caluori, Vice President of Operations; Eran Wachman, Vice President of Product Management; Tracy Markum, Vice President of Sales for the Americas; and Jeffrey Lewis, Chief Marketing Officer.

**About Intellicene**

Intellicene sits at the nexus of awareness, insight, and action. Our mission is to help organizations worldwide harmonize security, business continuity, and risk management to protect what matters most. By delivering integrated, intelligent software platforms that help you better understand and respond to mission-critical events, Intellicene empowers you to manage the most complex security and business operations efficiently. From mobile applications and AI-driven analytics to infinitely scalable software and intelligent devices, we’re building advanced technology that raises the bar and makes the world safer. For more information, visit intellicene.com.

**About Volaris Group**

Volaris acquires, strengthens, and grows vertical market technology companies. As an Operating Group of Constellation Software Inc., Volaris is all about strengthening businesses within the markets they compete and enabling them to grow – whether that growth comes through organic measures such as new initiatives and product development, day-to-day business, or through complementary acquisitions. Learn more at volarisgroup.com.

Intellicene Brand Launches After Completion of Acquisition by Volaris Group

Extending multifactor authentication to include device identity assurance offers more authentication confidence than what multiple user-identity factors can by themselves.

For many years, multifactor authentication (MFA) has been key to mitigating password risk. But as MFA use has increased, cybercriminals have adapted their credential theft tactics.

In January 2022, the Office of the Management and Budget (OMB) issued a memo recommending that federal agencies move to passwordless MFA. And while this memo is only directed toward federal agencies, the US government is raising the cybersecurity baseline. It’s up to private-sector organizations to take notice.

One strategy that has emerged is zero trust. At least 76% of organizations have started implementing their zero-trust strategies, with MFA taking a prominent role. The National Institute of Standards and Technology recommends extending your MFA strategy to include assurance of device identity. This leads to more authentication confidence than what multiple user identity factors alone can provide.

Keep reading to learn how you can harden identity policies by extending your MFA strategy and leveraging existing security options.

**Understanding MFA Limitations**

Traditionally, strong passwords were the go-to strategy for reducing brute-force attacks. But most people can’t remember all of their complex passwords, so they end up recycling them across multiple accounts. The average person reuses their password 14 times, and they often use the same password across both personal and organizational accounts. This creates a blind spot in which organizational accounts can be compromised by phishing attacks on personal accounts — something that is completely outside of organizational email protection capabilities.

We’ve also seen an increase in man-in-the-middle (MiTM) phishing, SMS hijacking, and email hijacking attacks. MiTM phishing happens when adversaries exploit second factors with out-of-band authentication paths, such as app notification, email, or SMS. The user initiates a password authentication request that is intercepted by the adversary, who then creates a separate authentication request and accompanying out-of-band second factor prompt. Users often approve these prompts since they’re indistinguishable from their own.

In an SMS hijacking attack, the adversary redirects the SMS notification destination to their own device. This allows them to initiate an authentication request that can be approved without the knowledge of the user. Similarly, adversaries can use a compromised email mailbox to approve email-based second factors. Since email is also often used as a path for recovery of credentials to non-SSO services, a compromised mailbox can also lead to the compromise of a long chain of dependent services through third-party password resets.

Another possible blind spot is with phishing attacks that use illicit consent grants, as these can be harder to detect than traditional phishing attacks. In an illicit consent grant attack, the adversary tricks end users into granting a malicious application consent to access their data on their behalf, usually via an email with a link. This is challenging because the link destination itself is not malicious, only the application. After the malicious application has been granted consent, it uses application-level access to data without requiring the user’s credential.

Unfortunately, typical mitigation steps, such as requiring MFA or resetting passwords for breached user accounts, are not effective against these types of attacks. Because the attacks take place downstream of authentication using third-party applications external to the organization, adversaries can create their own external persistent access paths. So how do organizations address this challenge?

**Implementing Phish-Resistant Authentication**

Having stronger means of authentication and more modern options doesn’t mean organizations can roll them out overnight. In most cases, it makes sense to ensure MFA is used everywhere. For example, organizations can layer in conditional access policies requiring users to limit their activities to organizational devices, helping to mitigate external phishing scenarios.

Phish resistance is an important goal that should be combined with additional objectives to maximize authentication strength. We recommend organizations go passwordless by removing the user's password as a factor. Provide authentication options with broad applicability covering desktop and mobile scenarios, and assess device identity and health status prior to authorization.

Zero-trust principles should also be used to define an implementation road map that addresses all points in the authentication chain with a layered defense. Take steps to harden the authentication infrastructure itself, apply identity protection to users, identify and monitor applications for illicit grants, and identify devices explicitly during authentication while continually monitoring them after authorization as they use access tokens. In doing so, organizations can better create modern, phish-resistant authentication strategies.

Source

DARKReading