How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?

The Australian government's defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.

How effective the country's newly announced "joint standing operation against cybercriminal syndicates" will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.

**Pressure for Hack-Back Legislation May Be Mounting**

"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."

Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups."

The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.

The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.

The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the _Guardian_ quoted Australian home affairs minister Clare O'Neil promising to "day in, day out hunt down the scumbags" responsible for the recent attacks.

"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.

**An Ongoing Practice**

The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.

"It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."

Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.

"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.

Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.

"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.

US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.

Another bill in 2021, titled "Study on Cyber-Attack Response Options Act," would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to provide provisions for hacking back at attackers.

The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.

**The Need for Caution**

Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.

Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.

"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."

There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.

There are also potential legal landmines to consider. A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of "active defense."

As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.

The main con is that you don't want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattacker's advantage against them, thereby leveling the playing field a little better."

Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."

Australia's Hack-Back Plan Against Cyberattackers Raises Familiar Concerns

As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez and Zurich, organizations should read their cyber insurance policies carefully to see what is still covered.

The consequences from NotPetya, which the US government said was caused by a Russian cyberattack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an "act of war." Indeed, the 5-year-old cyberattack appears to be turning the cyber insurance market on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim — $10 million — Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.

Late last month Mondelez and Zurich American reportedly agreed to the original $100 million claim, but that wasn't until after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 for its NotPetya-related losses. Merck's claims also were against its property and casualty policy, not a cyber insurance policy.

Back in 2017, cyber insurance policies were still nascent, so many large corporations filed claims for damages related to NotPetya — the scourge that caused an estimated $10 billion in damage worldwide — against corporate property and casualty policies.

**What's Changed?**

The significance of these settlements illustrate an ongoing maturation of the cyber insurance market, says Alla Valente, senior analyst at Forrester Research.

Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold in a fashion akin to traditional home or auto policies, with little concern for a company's cybersecurity profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.

Once a large number of ransomware attacks occurred that built off of the lax cybersecurity many organizations demonstrated, insurance carriers began changing their requirements and tightening the requirements for obtaining such policies, Valente says.

The business model for cyber insurance is dramatically different from other policies, making the cyber insurance policies of 2017 obsolete. Cyber insurance is in a state of flux, with turnover in the carrier market, lower limits on covered offered, and more aggressive terms, including exclusions, over what was in place prior to 2020.

**Defining an Act of War**

Acts of war are a common insurance exclusion. Traditionally, exclusions required a "hot war," such as what we see in Ukraine today. However, courts are starting to recognize cyberattacks as potential acts of war without a declaration of war or the use of land troops or aircraft. The state-sponsored attack itself constitutes a war footing, the carriers maintain.

In April 2023, new verbiage will go into effect for cyber policies from Lloyd's of London that will exclude liability losses arising from state-backed cyberattacks. In a Market Bulletin released in August 2022, Lloyd's underwriting director Tony Chaudhry wrote, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage."

Lloyd's went on to publish additional supplemental requirements and guidance that modified its rules from 2016, just prior to the NotPetya attack.

Effectively, Forrester's Valente notes, larger enterprises might have to set aside large stores of cash in case they are hit with a state-sponsored attack. Should insurance carriers be successful in asserting in court that a state-sponsored attack is, by definition, an act of war, no company will have coverage unless they negotiate that into the contract specifically to eliminate the exclusion.

When buying cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms," says Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg. "Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms."

For small and midsize businesses (SMBs) that get hit by a state-sponsored attack, it could be "lights out," Valente says. Plus, she emphasizes, SMBs often are targeted if they are primary or secondary suppliers to a large enterprise with information the attacker wants. That means a state-sponsored attack on a small company without the right insurance coverage could be out of business simply because the attacker was a nation-state rather than a cybercriminal.

**Understand What Is Covered**

While the European and North American cyber insurance markets are similar, they are by no means identical.

"Not every \[American\] policy will have language recommended by the London insurance market, and those rules do not apply to American insurance carriers," Godes says. "As a best practice, policyholders should consider whether London market insurance carriers are offering the most robust coverage after the recommended changes go into effect."

Godes, whose firm represents the insured rather than the carriers or brokers, notes, "This case is an example to policyholders that when claims get really expensive, carriers will do everything they can to fight coverage. The insured always should remember that the insurance carrier must prove that an exclusion applies. And sometimes," he quips, "the insured will need to litigate with its carrier to get the coverage it thought it was buying."

The upshot from the Merck and Mondelez cases, as well as Lloyd's recent announcement: State-sponsored attacks now fall into the act-of-war exclusion.

"Many carriers are in the process of rewriting their act of war exclusions to address the realities of state-sponsored or assisted cyberattacks and also because courts, as indicated in a few recent decisions and perhaps implied by the Mondelez settlement, are looking skeptically at the application of clauses written for traditional guns and bullets warfare to cyberattacks," says Kenneth Rashbaum, a partner at New York law firm Barton. "I think this is the most significant takeaway from Mondelez and those recent court decisions. Carriers who update their clauses will be more aggressive in denials of coverage for attacks that may be considered state-sponsored, while those that do not update the clauses may be less inclined to rely on them."

Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

PAN plans to add Cider's CI/CD security platform to its Prisma Cloud suite of AppSec tools.

Palo Alto Networks will acquire application-security specialist Cider Security for $195 million, in a bid to round out its cloud security offering.

Cider is particularly focused on secure developer approaches and software supply chain security. Its platform specifically offers visibility into the hundreds of developer tools that are connected to the average CI/CD pipeline.

"While much attention has been put on where code comes from, very little has been placed on the applications and software used in the development pipeline," according to a Thursday announcement of the deal.

PAN plans to combine the platform with its recently announced software composition analysis (SCA) tools, all integrated into its Prisma Cloud offering for what it calls a soup-to-nuts security strategy for the software engineering ecosystem, from "code to cloud."

"Any organization using public cloud has an application infrastructure with hundreds of tools and applications that can access their code and yet, they have limited visibility to their configuration or if they are secured," Lee Klarich, chief product officer at PAN, said in a statement. "Cider has made it possible to connect into infrastructure, analyze the tools, and identify the risks, as well as how to remediate them. We are acquiring Cider for their innovation that will help enable Prisma Cloud to provide this capability that anyone doing cloud operations has to have."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Palo Alto Networks Focuses on Secure Coding with $195M Cider Deal

A secure-by-design culture is needed to develop a comprehensive offboarding and identity management strategy that limits potential for broader compromise in case of unauthorized access.

Increased turnover is putting a strain on existing offboarding processes — especially manual ones — for departing employees and contractors. Recent high-profile layoffs at major tech companies have put the spotlight on this issue.

Meanwhile, efforts to limit access to sensitive company information are growing more complex as data access points multiply.

The rise of distributed workforces, cloud computing, work from home, and shadow IT suggest a comprehensive offboarding policy is required, aided by automation.

A recent survey from Oomnitza found, however, that nearly half of IT leaders have doubts about their company's onboarding and offboarding automation capabilities.

The study found a third of enterprises lose more than 10% of their technology assets when offboarding workers, and more than four in 10 (42%) said they experienced unauthorized access to SaaS applications and cloud resources.

**Deploying ETM to Fortify Endpoints and Applications**

Ramin Ettehad, co-founder of Oomnitza, explains that enterprise technology management (ETM) solutions, with built-in integrations, rich analytics, and simplified workflows, allow organizations to define and continuously improve onboarding and offboarding processes.

"They can fortify onboarding user experience by ensuring the right endpoints, accessories, applications, and cloud resources are available at the start so that the new hire can be productive on day one," he says.

These solutions can also enable secure offboarding by ensuring endpoints and their data are secured, software licenses are reclaimed, and access to systems, SaaS, and cloud resources are deprovisioned.

Furthermore, departing workers' email, applications, and workplaces can be reassigned automatically to ensure business continuity.

"All of this is done with true process automation across teams and systems, and is not driven by tickets and requests, which rely on manual workloads and are prone to delays and errors," Ettehad adds.

Cyberhaven CEO Howard Ting explains that most organizations today have a single sign-on product that can turn off an employee's access to all apps with one click and device software that can lock and remotely wipe a laptop.

"While many companies today turn off access as soon as, or even before, they notify employees they're being let go, people can sense what's coming and they preemptively collect customer lists, design files, and source code in anticipation of losing access," he adds.

When an employee voluntarily quits, companies have even fewer tools to prevent data exfiltration because the employee knows they're going to depart before their employer.

While many organizations more closely monitor employees from when they give notice to quit until their last day, a Cyberhaven survey found employees are 83% more likely to take sensitive data in the two weeks before they give notice when they're under less scrutiny.

**Coordinating Offboarding Programs**

Ting says the best employee offboarding programs are coordinated across HR, IT, IT security, and physical security teams working together to protect company data and assets.

The HR team finalizes departures and notifies employees, IT ensures access to apps and company laptops is shut off in a timely manner, the physical security team disables access to company facilities, and the IT security team monitors for unusual behavior.

"These teams perform specific tasks in sequence the day an employee or group of employees is let go," he says.

Ting adds he's also seeing more companies monitor for employees putting company data on personal devices or applications. When offboarding, they make the employee's severance agreement contingent on returning or destroying that company data.

Ettehad adds managing and enabling a remote workforce today requires executives to break down silos and automate key technology business processes.

"They must connect their key systems and orchestrate rules, policies, and workflows across the technology and employee lifecycle with conditional rule-based automation of all tasks across teams and systems," he says.

**The Need for 'Controlled Urgency'**

Tom McAndrew, CEO at Coalfire, calls for "controlled urgency" to tackle the secure offboarding challenge.

"When we look at identity management more broadly, it can often be a complex problem, spanning many applications, internal, external, SaaS, on-prem, and so on," he says. "The identity strategy is the central point. The fewer sources of identity and access control there are to manage, the more automation can support these operations at scale."

He argues that when HR and information security are not operating as a team, it's easy to see platforms spinning to solve point solutions rather than looking at the "what-if" scenarios.

"Every system that is not integrated with a core identity platform becomes one more manual task or another tool that needs to be invested in to solve a problem that could have been avoided with sensible planning," he says.

McAndrew adds that a rogue employee with authorized access to critical, sensitive information is a significant threat.

"When you look at the potential risk from a disgruntled staff member, combined with an HR team struggling to manage a substantial scale of departures, it's easy for mistakes to be made and for frustrated or disaffected staff to take matters into their own hands," he says.

He warns that this can also trigger legal complications, often requiring further professional forensic support, making a poor business decision even more costly.

**Unauthorized Access to SaaS, Cloud Apps a Major Challenge**

Corey O'Connor, director of products at DoControl, a provider of automated SaaS security, points out that unauthorized access to SaaS applications and cloud resources is an identity security problem for both human and machine identities.

"However, preventative controls and detective mechanisms could help mitigate the risk of unauthorized access," he explains.

This means having full visibility and a complete inventory (i.e., users, assets, applications, groups, and domains) will enable security and IT teams to put in place the appropriate preventative controls.

"From there, implementing detective mechanisms that identify high-risk or anomalous activity" is the next step, he says.

Application-to-application connectivity, including machine identity, needs to be secure as well; otherwise the organization increases the risk of supply chain based attacks.

"Machine identities can be over privileged, unsanctioned, and not within the security team's visibility," he says. "When they become compromised, they can provide unauthorized access to sensitive data within the application that it's connected to."

That means both human user and machine identities need preventative controls and detective mechanisms to reduce risk.

**Detecting Exfiltration, Managing Applications**

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, says that post-pandemic, many organizations increased their utilization of various cloud and SaaS platforms.

"Because different departments use different applications, and some individuals integrate with interim solutions, IT departments found themselves drowning in the white noise of XaaS, with no standard way of managing it," he says.

While IT admins generally lock down the corporate email account during offboarding, ex-employees may still have access to unknown services that contain sensitive data.

"Putting the idea of an insider threat aside, if one of those unknown services is hacked and needs the password changed, no one may know to take action," he warns.

McCarthy says network defenders need to determine where sensitive data is stored and develop ways to detect exfiltration.

"Deploying an egress filtering solution limits how a threat can exfiltrate data, while also providing the needed visibility to verify it has not occurred," he says. "The impact of stolen data varies from industry to industry, but most data breaches result in monetary fines and loss of customer confidence."

He adds that if IT security teams are bogged down with managing all the SaaS applications an organization uses, having too many of their own tools is also a burden.

"Deploying scalable, multi-cloud management tools that consolidate visibility and policy enforcement reduces their operational overhead," McCarthy says.

Secure Offboarding in the Spotlight as Tech Layoffs Mount

With the proliferation of interconnected third-party applications, new strategies are needed to close the security gap.

Earlier this year, Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains — a three-fold increase from 2021. Not only are these attacks increasing, but the level at which they are penetrating systems and the techniques attackers are using are also new. Attackers are now taking advantage of access granted to third-party cloud services as a backdoor into companies' most sensitive core systems, as seen in recent high-profile attacks on Mailchimp, GitHub, and Microsoft. A new generation of supply chain attacks is emerging.

**Rise of App-to-App Integrations**

As the vast majority of the workforce has gone digital, organizations' core systems have been moving to the cloud. This accelerated cloud adoption has exponentially increased the use of third-party applications and the connections between systems and services, unleashing an entirely new cybersecurity challenge.

There are three main factors that lead to the rise in app-to-app connectivity:

*   **Product-led growth (PLG):** In an era of PLG and bottom-up software adoption, with software-as-a-service (SaaS) leaders like Okta and Slack
*   **DevOps:** Dev teams are freely generating and embedding API keys in
*   **Hyperautomation:** The rise of hyperautomation and low code/no code platforms means "citizen developers" can integrate and automate processes with the flip of a switch.

The vast scope of integrations are now easily accessible to any kind of team, which means time saved and increased productivity. But while this makes an organization's job easier, it blurs visibility into potentially vulnerable app connections, making it extremely difficult for organizational IT and security leaders to have insight into all of the integrations deployed in their environment, which expands the organization's digital supply chain.

**Third-Party Problems**

There is some acknowledgement of this problem: the National Institute of Standards and Technology (NIST) recently updated its guidelines for cybersecurity supply chain risk management. These new directives consider that as enterprises adopt more and more software to help run their business, they increasingly integrate third-party code into their software products to boost efficiency and productivity. While this is great recognition, there is another whole ecosystem of supply chain dependencies related to the mass amount of integrations of core systems with third-party applications that is being overlooked.

For companies whose internal processes are irreversibly hyperconnected, all it takes is an attacker spotting the weakest link within connected apps or services to compromise the entire system.

Businesses have to determine how best to manage this kind of scenario. What level of data are these apps gaining access to? What kind of permissions will this app have? Is the app being used, and what is the activity like?

Understanding the layers in which these integrations operate can help security teams pinpoint their potential attack areas. Some forward-looking chief information security officers (CISOs) are aware of the problem but only seeing a fraction of the challenge. In the era of product-led growth and bottom-up software adoption, it's difficult to have visibility into all the integrations between an organization's cloud applications, as the average enterprise uses 1,400 cloud services.

**Closing the Security Gap**

The risks of digital supply chain attacks are no longer confined to core business applications or engineering platforms — these vulnerabilities have now expanded with the proliferating web of interconnected third-party applications, integrations, and services. Only new governance and security strategies will close this expanding security gap.

There needs to be a paradigm shift within the market to protect this sprawling attack surface. In doing so, the following would need to be addressed:

*   **Visibility into all app-to-app connections:**Security teams need a clear line of sight not only into systems that connect to sensitive assets, but into
*   **Threat detection:**The nature of every integration — not just the standalone applications — need to be evaluated for risk level and exposure (e.g., redundant access, excessive permissions).
*   **Remediation strategies**_:_ Threat prevention strategies cannot be a one-size-fits-all affair. Security professionals need contextual mitigations that acknowledge the complex range of interconnected apps that comprise the attack surface.
*   **Automatic, zero-trust enforcement:**Security teams must be able to set and enforce policy guardrails around app-layer access (e.g., permission levels, authentication protocols).

The good news is that we are starting to see a shift in the industry's mindset. Some businesses are already taking the initiative and putting processes in place to stay ahead of a potential service supply chain attack — like HubSpot, which just released a message to help eliminate potential risks associated with the use of API keys. GitHub also recently introduced a fine-grained personal access token that offers enhanced security to developers and organization owners to reduce the risk to data of compromised tokens.

Ultimately, the digital world in which we live is only going to become more hyperconnected. In parallel, the industry needs to further its understanding and knowledge of these potential threats within the supply chain, before they cascade into more headline-making attacks.

The Next Generation of Supply Chain Attacks Is Here to Stay

The county reports unauthorized access to files in its Department of Social Services' systems between Nov. 18, 2021, and April 9. It has added enhanced alert and monitoring software and is offering complimentary credit monitoring and identity theft protection services to those whose personal information may have been compromised in the breach.

**RED BLUFF, Calif., Nov. 17, 2022 /PRNewswir****e/** — Today, the County of Tehama, Calif. announced that it has addressed a data security incident that resulted in unauthorized access to files on its systems.

On Aug. 19, 2022, the County of Tehama concluded its investigation of a data security incident that resulted in unauthorized access to personal information pertaining to certain County of Tehama Department of Social Services files. The County of Tehama first learned about the incident on April 9, 2022, when the County of Tehama detected suspicious activity on its IT systems. Upon identifying this suspicious activity, the County of Tehama immediately took steps to protect and secure its systems. The County of Tehama also launched an investigation and notified law enforcement. Through the investigation, the County of Tehama determined that an unauthorized party gained access to its IT network between the dates of Nov. 18, 2021, and April 9, 2022. The investigation further determined that the unauthorized party accessed files on the County of Tehama Department of Social Services' systems. The County of Tehama conducted a review of the files that may have been accessed as a result of this incident. Through this review, the County of Tehama determined that information pertaining to certain current and former County of Tehama employees, recipients of services from the County of Tehama Department of Social Services, and other affiliated individuals was contained in one or more of those files. This information included individuals' names, dates of birth, mailing addresses, Social Security numbers, driver's license numbers, and information related to services received from County of Tehama Department of Social Services.

On Nov. 17, 2022, the County of Tehama began mailing letters to individuals whose information may have been involved in the incident. The County of Tehama is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or driver's license numbers were involved. The County of Tehama also has established a dedicated, toll-free incident response line to answer questions that individuals may have. If individuals have any questions about this incident or believe their information may have been involved, they should call 855-926-1376, Monday through Friday, between 6:00 a.m. and 3:30 p.m., Pacific Time.

To date, the County of Tehama has not received any reports of fraud related to this incident. However, the County of Tehama recommends that individuals whose information may have been involved remain vigilant to the possibility of fraud by reviewing their financial account statements and immediately reporting any suspicious activity to their financial institution.

The County of Tehama deeply regrets any inconvenience or concern this may cause. To help prevent a similar incident from occurring in the future, the County of Tehama has implemented enhanced monitoring and alerting software.

SOURCE: County of Tehama, California

County of Tehama, Calif., Identifies and Addresses Data Security Incident

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages

CISA says Federal Civilian Executive Branch systems were compromised through a Log4Shell vulnerability in an unpatched VMware Horizon server.

An unpatched VMware Horizon server allowed an Iranian government-sponsored APT group to use the Log4Shell vulnerability to not only breach the US Federal Civilian Executive Branch (FCEB) systems, but also deploy XMRing cryptominer malware for good measure.

FCEB is the arm of the federal government that includes the Executive Office of the President, Cabinet Secretaries, and other executive branch departments.

A new update from the Cybersecurity and Infrastructure Security Agency (CISA) said that along with the FBI, the agencies determined the Iranian-backed threat group was able to move laterally to the domain controller, steal credentials, and deploy Ngrok reverse proxies to maintain persistence in the FCEB systems. The attack occurred from mid-June through mid-July, CISA said.

"CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities," CISA's breach alert explained. "If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Iranian APT Actors Breach US Government Network

Researchers find current data protections strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defense initiatives.

Organizations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyberattacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security staffs are stalled on getting defenses up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organizations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime. 

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyberattack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyberattack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that Colm Keegan, senior consultant for data protection solutions at Dell Technologies, says will likely continue. 

"The growth and increased distribution of data across edge, core data center and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data," Keegan explains.

On the protection front, most organizations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defense that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

**Data Protection Strategies Face Headwinds**

One of the primary reasons data protection strategies are failing is the lack of visibility of where that data resides and what it is — a problem exacerbated by the rapid, ongoing adoption of cloud-native apps and containers. More than three-quarters of survey respondents said there is a lack of common data protection solutions for these newer technologies.

"Seventy-two percent said they are unable to keep up with what their developers are doing in the cloud — it’s basically a blind spot for them," Keegan says.  

Claude Mandy, chief evangelist of data security at Symmetry Systems, a provider of hybrid cloud data security solutions, agrees that a lack of visibility is the primary reason current data-protection strategies fail.

"Organizations simply do not know what data they have, where it is, let alone how it is protected," he says. "Unfortunately, a lot of the data-protection failures are preventable by simply knowing the answers to these questions."

He adds that the problem is worsened by the constant change of data within an organization. From his perspective, the sheer scale and complexity of millions of individual data objects across thousands of data stored in multiple clouds, multiplied by a seemingly infinite combination of roles and permissions for thousands of user and machine identities, would be challenging for chief information security officers (CISOs) to secure even if they were static. They're not, so the situation is even more challenging.

To boot, in a lot of cases, organizations are using multiple data security tools for different silos of information, with no overarching integration between them.

"The billions of objects form over months or years, and change constantly," Mandy says. "This is further exacerbated through continuous data flows, privilege creep, data sprawl, and organizational churn, resulting in \[visibility\] to data that is far from ideal."

**Zero-Trust Implementation Lags, Despite Interest**

Zero trust is growing in popularity in enterprise security because not trusting users by default works well to reduce risk. Indeed, virtually all the GDPI respondents indicated they intend to implement zero trust into their environments at some point.

However, actual deployment is not happening at a rapid pace — as mentioned, only 12% of respondents indicated they have fully deployed at zero-trust architecture into their environments. According to researchers, the main problem is a critical shortfall in IT skills, particularly as it relates to cyber recovery and data protection.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions, but just 65 cybersecurity professionals are in the workforce for every 100 available jobs, a recent study shows.

"If you don’t have cybersecurity professionals on staff, it’s virtually impossible to make progress on deploying a zero-trust framework, unless, of course, you rely on partners to help you get there," Keegan says. "Now consider the demand for these resources in the market. Like supply chain constraints, demand is high, and the supply is low."

Patrick Tiquet, vice president of security and architecture at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, says that zero-trust management can be challenging even with staff on board.

"Implementation of \[zero trust\] is currently a common data-protection strategy," he explains. "However, for \[zero trust\] to be effective, access and roles must first be configured correctly."

This means ensuring the right people have access to the right data and resources within the zero-trust architecture. Roles must be implemented that are adequately scoped to protect the data that role can access — and correctly configuring access to data just one time ("set it and forget it," in other words) is not enough.

"The organization must maintain and manage data access through the lifecycle of the data, and as the organization grows," Tiquet adds. "Organizations must make sure that, as teams grow and change, the access given to a specific role is still appropriate."

**Vendor Consolidation on the To-Do List**

Keegan says it’s likely there will be some retooling at organizations in terms of platforms — many survey respondents (85%) said they believe they would see a benefit through reducing the number of data protection vendors they work with.

"The research tends to support this sentiment," he adds. "For example, those using a single data protection vendor had far fewer incidents of data loss than those using multiple vendors."

Likewise, the cost of data loss incidents resulting from a cyber attack was approximately 34% higher for those organizations working with multiple data protection vendors than those using a single vendor, according to the survey.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics software-as-a-service (SaaS) company, says the current spate of M&A and consolidation in the cybersecurity market speaks to those drivers — but warns that vendors trying to be all things to all security problems has its own downsides.

"The larger tech firms get, the less ability they have to innovate and solve problems leading to opportunities for new vendors to step in with new solutions," he explains. "It's \[a cycle\] we see of M&A frenzy and stagnation, then new companies enter to innovate — and more M&A."

Keegan, meanwhile, says he is hearing calls in the analyst community that organizations need to consider shifting their investments from cybersecurity prevention to resiliency.

"This means accepting the inevitability that security breaches will occur," he notes. "Moreover, companies need to have a plan that enables them to recover their critical data and business applications in a timely manner to meet their service level objectives."

Zero-Trust Initiatives Stall, as Cyberattack Costs Rocket to $1M per Incident

The socially engineered campaign used a legitimate domain to send phishing emails to large swaths of university targets.

Cyberattackers have targeted students at national educational institutions in the US with a sophisticated phishing campaign that impersonated Instagram. The unusual aspect of the gambit is that they used a valid domain in an effort to steal credentials, bypassing both Microsoft 365 and Exchange email protections in the process.  

The socially engineered attack, which has targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there was an "unusual login" on their account, according to a blog post published on Nov. 17 by Armorblox Research Team.

The login lure is nothing new for phishers. But attackers also sent the messages from a valid email domain, making it much harder for both users and email-scanning technology to flag messages as fraudulent, the researchers said.

"Traditional security training advises looking at email domains before responding for any clear signs of fraud," they explained in the post. "However, in this case, a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain's validity."

As phishing has been around so long, attackers know that most people who use email are on to them and thus familiar with how to spot fraudulent messages. This has forced threat actors to get more creative in their tactics to try to fool users into thinking phishing emails are legitimate.

Moreover, those of university age who use Instagram would likely be among the savviest of internet users, having grown up using the technology — which may be why attackers in this campaign in particular were so careful to appear authentic.

Whatever the reason, the campaign's combination of spoofing, brand impersonation, and a legitimate domain allowed attackers to send messages that successfully passed through not only Office 365 and Exchange protections, but also DKIM, DMARC, and SPF alignment email authentication checks, the researchers said.

"Upon further analysis from the Armorblox Research Team, the sender domain received a reputable score of "trustworthy" and no infections in the past 12 months of the domain's 41 months of existence," they wrote in the post.

**"Unusual Login" Lure**

Researchers at Armorblox said the attacks started with an email with the subject line "We Noticed an Unusual Login, \[user handle\]," using a common tactic to instill a sense a urgency in the recipient to get them to read the email and take action.

The body of the email impersonated the Instagram brand, and appeared to be come from the social media platform's support team, with the sender's name, Instagram profile, and email address — which was the perfectly palatable "\[email protected\]" — all appearing legitimate, they said.

The message let the user know that an unrecognized device from a specific location and machine with a specific operating system — in the case of an example shared by Amorblox, Budapest and Windows, respectively — had logged in to their account.

"This targeted email attack was socially engineered, containing information specific to the recipient — like his or her Instagram user handle — in order to instill a level of trust that this email was a legitimate email communication from Instagram," the researchers wrote.

Attackers aimed for recipients to click on a link asking them to "secure" their login details included at the bottom of the email, which lead to a fake landing page that threat actors created to exfiltrate user credentials. If someone got that far, the landing page to which the link redirects, like the email, also mimicked a legitimate Instagram page, the researchers said.

"The information within this fake landing page provides the victims a level of detail to both corroborate the details within the email and also increase the sense of urgency to take action and click the call-to-action button, 'This Wasn’t Me,'" the researchers said.

If users take the bait and click to "verify" their accounts, they're directed to a second fake landing page that also impersonates Instagram credibly and are prompted to change account credentials on the premise that someone may already have stolen them.

Ironically, of course, it's the actual page itself that will be doing the stealing if the user logs in with new credentials, the researchers said.

**Avoiding Compromise and Credential Theft**

As threat actors get more sophisticated in how they craft phishing emails, so, too, must enterprises and their users in terms of detecting them.

Since the Instagram phishing campaign managed to bypass native email protections, researchers suggested that organizations should augment built-in email security with layers that take a materially different approach to threat detection. To help them find a solution, they can use trusted research from firms such as Gartner and others on which options are the best for their particular business.

Employees also should be advised or even trained to watch out for social engineering cues that are becoming more common in phishing campaigns rather than quickly execute the requested actions received in email messages, which our brains have been trained to do, the researchers said.

"Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email," they wrote.

Additionally, the researchers said, employing multifactor authentication and password-management best practices across both personal and business accounts can help avoid account compromise if an attacker does get ahold of a user's credentials through phishing.

Source

DARKReading