Prolific online scammer and social media influencer 'Hushpuppi' sentenced for bank cyber heists, BEC campaigns, money laundering, and more.

A Nigerian man has been sentenced to US federal prison for 11 years for committing various cybercrimes and using the proceeds to fund a luxurious lifestyle — one documented in detail on his popular Instagram account with the handle "Ray Hushpuppi." 

The Department of Justice said in a statement the man, whose government name is Ramon Olorunwa Abbas, stole money through an array of cybercrimes, including online bank robberies and business email compromise (BEC). Abbas was also found guilty of running a huge money-laundering operation. In just one 18-month period, Abbas admitted to laundering more than $300 million, the DOJ noted. 

    

A Hushpuppi fan page on Instagram.

"Ramon Abbas, a.k.a. 'Hushpuppi,' targeted both American and international victims, becoming one of the most prolific money launderers in the world," Don Alway, the assistant director in charge of the FBI's Los Angeles Field Office said in the DOJ announcement. "Abbas leveraged his social media platforms — where he amassed a considerable following — to gain notoriety and to brag about the immense wealth he acquired by conducting business email compromise scams, online bank heists and other cyber-enabled fraud that financially ruined scores of victims and provided assistance to the North Korean regime."

One notable ostentatious purchase that made frequent appearances on the now abandoned Hushpuppi Instagram account was a Richard Mille RM11-03 watch, which Abbas had paid $230,000 for with funds he scammed from an unsuspecting business owner. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Instagram Star Gets 11 Years for Cybercrimes Used to Fund His Lavish Lifestyle

There's real value in having a better perspective around future regulation and compliance requirements.

Business leaders must move to a deeper understanding of regulation and compliance requirements for their industry. These frequently complicated and confusing laws are too often viewed only through the negative lens of the avoidance of punishment. But there's real value to be found in these rules as they can facilitate the creation of a new "prescriptive framework" that helps a company more clearly understand where it sits in terms of risk — and the protection of its data and brand reputation.

**The Importance of a Prescriptive Framework for Cybersecurity**

Executives, and even board members, have a responsibility to demand and contribute to the creation of the right prescriptive framework in collaboration with the chief information security officer (CISO). This framework needs to provide transparency, identify security gaps, and use company-appropriate metrics. And the data in that framework must be easily digestible and acted upon by non-security experts in the evaluation and approval of proposals around cybersecurity.

PCI DSS (Payment Card Industry Data Security Standard) for retail companies and FFIEC CAT (Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool) in the financial services space are well-known cybersecurity frameworks that can serve as the basis of developing one at your company. Both measure a large set of security controls (authentication, data security, and vulnerability prioritization) that help to lower organizational risk posture and give companies an understanding of how solid their security policy really is.

A CISO can benefit by using these kinds of industry standards and tools to create a framework that is thorough and can be understood by executives who are non-security experts. This way, it can "prescriptively" guide the way that security gaps and vulnerabilities are not only identified but addressed within an appropriate business context.

**Factors in Selecting the Right Cybersecurity Risk Framework**

The big question for a company is: How do we select and use the right existing cybersecurity framework to inform the creation of our own guidelines? Three main variables guide this choice: the size and maturity of the organization, issues of relevance to the industry, and an understanding of the company's internal business processes.

**1\. Company Size**

Larger companies will often already have well-articulated requirements for mandatory adherence to several types of regulatory controls. And public companies must file reports to comply with financial regulations, such as those required by the Securities and Exchange Commission for public mergers and acquisitions or private equity acquisitions. Both of these sources will contain a certain amount of cybersecurity intelligence for audits that are valuable input sources for your framework.

For smaller companies, IT and security teams are lean and processes are more limited simply because of the maturity and resources of the organization. This often results in overlapping regulatory responsibilities — for example, a CISO with responsibility for both security and compliance policy. Overlaps can be advantageous in mapping out organizational processes — since there are fewer stakeholders from which to collect the policy information and a less bureaucratic and onerous approval process.

**2\. Industry Relevance**

Security control issues have different weights of importance depending on what's critical in the specific industry. In retail, a cybersecurity framework such as the PCI DSS does an excellent job articulating the issues with many common security controls that are needed to protect valuable customer data. However, PCI DSS may not work well in an industry like manufacturing,where the enterprise may reside entirely on-premises with little to no access to an external network. In this case, security issues revolve around protecting critical internal IP, and a more vertical agnostic guideline such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CFS) may be a better place to start.

**3\. Business Processes**

Too often, companies think about cybersecurity only from the perspective of outside forces. They forget to think about the vulnerabilities that can be caused by their own everyday internal processes. An understanding of how data is stored, processed, or transmitted inside the business provides greater clarity about which security controls and measurements are needed at different stages of the data life cycle.

Large organizations will have well-codified internal processes. Smaller companies may have never articulated their business processes, which may have grown organically (and unattended) over time. If cybersecurity is an issue (and it is), then it's time to go to your IT lead or CISO to create an initial mapping of your processes.

**Cybersecurity and the True Fiduciary**

At first glance, some executives might think that asking for a usable cybersecurity compliance framework is pushing cybersecurity concerns too far. But how is this different from expecting a chief financial officer to provide a balance sheet, profit and loss statement, and robust analyses of potential acquisitions? It's not. Both security frameworks and financial analysis should be based on industry-recognized and accepted models for data that are useful and actionable by non-expert fiduciaries and management. Today, both security and financial information should be considered of equal value and importance in executive and board decisions.

For CISOs, executives, and board members alike, it's time to look at regulations as friends, not foes, in the evolution of cybersecurity preparedness.

It's Time to See Cybersecurity Regulation as a Friend, Not a Foe

The classroom-based curriculum addresses the cybersecurity workforce gap with free training labs and virtual cyberattack environments to hone the skills of the next generation of talent.

Kids in grades K-12 will soon have a no-cost virtual environment in which to beef up their cybersecurity skills, thanks to the expansion of the Cybersecurity and Infrastructure Security Agency’s Cyber.org Range.

The program, developed in conjunction with the Cyber Innovation Center (CIC), is a classroom-based effort that's meant to act as a workforce development engine, providing high school students especially the opportunity to experience and defend against realistic cyberattacks in a virtual, safe environment. They can learn about the other side too, performing pen testing and red teaming activities.

The teacher-led "Cybersecurity Course" curriculum includes access to a range of free resources and online labs that are designed to prepare students for the CompTIA Security+ Exam. Security+ incorporates best practices in hands-on troubleshooting and practical security problem-solving skills, offering a springboard into medium-level cybersecurity jobs.

Such initiatives will be critical as organizations strive to fill hundreds of thousands of open cybersecurity positions, according to CISA director Jen Easterly.

"We all need to come together to invest and make sure that we are building that diverse and capable cybersecurity pipeline to defend our nation. There's a lot more work to do to reach those 52 million students, those 3 million educators all across our country, but I think we're starting today," she said during a launch event on Monday.

The Cyber.org Range is going to be available nationwide starting next year after its pilot phase through the end of 2022. Initially funded by the State of Louisiana, the nationwide expansion is due to a CISA grant.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber.org Range Offers Cybersecurity Job Paths for K-12 Students

My year as a venture capital CISO-in-residence.

The CISO role has evolved dramatically over the past decade, maturing from security officer to impactful business leader who, increasingly, is a part of their organization's C-suite. In light of the considerable impact security risks have on business objectives, this is a welcome transformation. Encouraging employees to go beyond their day-to-day and view security as a priority, making allies of users and business managers and providing the organization with tangible value, is extremely rewarding.

However, for many chief information security officers, the operational, real-time, and often strenuous aspects of the role haven't changed, despite this evolution. Being a CISO can be a lonely job, as employees know that if you approach them, you're likely going to be adding to their workload — whether by requesting that they learn more about a specific risk or asking for their help in mitigating it. Employees may see CISOs as causing friction within the organization, while CISOs today strive to become enablers — not obstructers. CISO burnout is real; having to juggle business expectations, customer needs, shifting workflows, new vulnerabilities, and incident-response 24/7 can become grueling over time.

The shifting role of the CISO has not gone unnoticed by other players in the tech industry, including startup founders and venture capital firms that view CISOs' expertise as a leverageable commodity in the competitive startup landscape. After years of perpetual threat mitigation, CISOs may be keen to explore alternative career opportunities down the line, pivoting away from the operational aspects of the CISO role.

These factors, as well as my passion for assisting vendors with optimizing their approach to CISOs, greatly influenced my 2021 decision to join the cybersecurity-focused venture capital firm YL Ventures as their CISO-in-residence.

**The CISO's Vantage Point**

Being a VC CISO-in-residence provides both a strategic and a behind-the-scenes vantage point into the startup environment. Shifting from a 24/7 incident-response role to a more holistic guidance position complements a CISO's breadth of knowledge and allows them to use their insights and experience to build new security products, rather than managing or mitigating risk. At YL Ventures, which invests at the earliest stages of a cybersecurity startup, I work with founders who are in the most crucial phases of their startup journey, and this is one of the most enjoyable and challenging aspects of my position.

My responsibility centers around participating in ideation sessions with a new generation of cybersecurity founders, holding weekly sessions with them on product strategy, and sharing my expertise as part of the YL Ventures team through personal branding opportunities. My close involvement in the startup process allows me to take an active part in building my dream solutions for pain points that have plagued the industry for years — and which have affected (and frustrated) me personally, in my job as an operational CISO.

Working closely with the Israeli cybersecurity industry is an exceptional opportunity to be part of the cradle of cybersecurity innovation. Israeli entrepreneurs are the Ivy League of young cybersecurity professionals, and embedding myself in their passion and drive makes me a better CISO. Before joining YL Ventures, I was under the impression that VCs dealt primarily in ideas. Learning that the firm bets on the team, not just the idea, was surprising, but also helped define my role in the process. I take an active part in the due diligence activities that are integral to deciding which startup to fund. This poses a challenge, as an idea may be exactly what the CISO ordered — everything you've dreamed about as an operational cyber professional — but the team may not stack up to expectations. And for the company, that factor would prevail.

Such exposure to nascent technologies and investment strategies rounds out my decades of security experience in an new way and opens up possibilities for angel investing, personal branding opportunities, and exposure to a global network of security professionals that has immense professional value going forward. In my experience, many CISOs harbor ambitions of becoming entrepreneurs, and guiding startup founders as a CISO-in-residence can be a crash course in entrepreneurship and understanding what it takes to launch your own startups and become a CEO.

I've had the opportunity to learn about more than just the technical product aspects during my time as CISO-in-residence so far. My role provides me with insights on team building, funding strategies, what investors look for in founders, and why the co-founder dynamic is important. For entrepreneurs, having a seasoned CISO at their disposal to bounce ideas off of has a real impact on their product-market fit strategy, as the CISO represents the customer — and these conversations are crucial at their early stage. Saving the world one incident at a time has its glamour, but stepping behind the curtain and helping stack the building blocks of future solutions as a VC CISO-in-residence is a unique and rewarding experience.

The Shifting Role of the CISO

AppSec and Cybersecurity veteran will leverage his strong institutional experience as demand for crowdsourced cybersecurity solutions grows.

**SAN FRANCISCO, Nov. 8, 2022 /PRNewswire/ —** Bugcrowd, the leader in crowdsourced cybersecurity, today announced the appointment of Dave Gerry as Chief Executive Officer (CEO). As CEO, Gerry will oversee operations, drive growth and profitability, and manage the company's overall strategy. This appointment follows another year of rapid growth for the company, which has experienced record customer adoption of its crowdsourced cybersecurity solutions and represents the next step in Bugcrowd's global expansion strategy. Bugcrowd partners with hundreds of clients including: CISA/Department of Homeland Security, BigCommerce, Monash University, TX Group, and Comcast.

"Security organizations are facing an incredible challenge securing their companies in the digital era," said Gerry. "Now, more than ever, there is a need for continuous, real-time vulnerability insights across today's expanding digital attack surface. Bugcrowd has pioneered crowdsourced security through a platform-powered approach that connects the untapped talent of the global security community into an organization's security strategy in a trusted, efficient way. Our innovation is second to none in the cybersecurity industry and I'm excited to lead the company in its next growth stage."

Gerry is a highly regarded technology executive with a proven track record of leadership at several high-growth companies in the AppSec space. Most recently, Gerry served as Chief Operating Officer at Bugcrowd. Prior to Bugcrowd, Gerry was the Chief Revenue Officer and Head of Global Operations of WhiteHat Security which was first acquired by NTT and most recently by Synopsys. Previously, he held key growth-driving positions in sales, marketing, and business development at Veracode and Sumo Logic.

"From our inception, the mission of the Bugcrowd platform has been to connect the latent potential of the good-faith hacker community with cybersecurity's unmet demands—unlocking an army of allies to outsmart an army of adversaries," said Casey Ellis, Founder, Chairperson, and CTO. "In 2022 the need for this has never been more obvious. As the Board considered the best CEO to lead Bugcrowd's coming season of acceleration and innovation, Dave's track record of operational excellence, deep cybersecurity experience, go-to-market and partnership prowess, and profound enthusiasm for the space our company pioneered all shone through. Personally, I'm thrilled to welcome him to the CEO role, and very excited to partner with him in continuing to level the cybersecurity playing field."

"After considering and interviewing several candidates for the job, it became obvious Dave is the clear choice to lead Bugcrowd," said Mike Jennings, Venture Partner, Rally Ventures. "In addition to the knowledge that Dave has gathered since joining Bugcrowd, he brings strong institutional experience in cybersecurity making him a natural fit for the CEO role. He is a proven leader with over a decade of experience in the AppSec market, and his familiarity with Bugcrowd allows him to seamlessly assume the new responsibilities of the position. We are confident that he is well-positioned to lead the team in accelerating Bugcrowd's growth strategy moving forward."

Gerry will help Bugcrowd continue its momentum after recently announcing the appointment of Robert Taccini as Chief Financial Officer. To learn more about how some of the biggest brands in the world rely on Bugcrowd, visit www.bugcrowd.com/customers.

"Bugcrowd" is a trademark of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Names David Gerry Chief Executive Officer

Retailers and hospitality companies expect to battle credential harvesting, phishing, bots, and various malware variants.

For companies in the retail and hospitality sector, the holiday shopping season represents their busiest time of year, both for sales and fighting cybercrime threats.

This year is no different, with companies in the sector anticipating that phishing, fraud, credential harvesting, and the ever-evolving malware landscape will cast a shadow over their security posture in the coming months, according to a report published by Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) this week.

The 2022 RH-ISAC Holiday Season Threat Trends Summary report polled analysts and members of the industry group about what their security focus is this season — which is defined as the time between Oct. 1 and Dec. 31, when people tend to do their online shopping for holidays that are celebrated in much of the world — as well as what they experienced in the previous 2020 and 2021 holiday seasons. RH-ISAC associate member Flashpoint also provided research and data for the report.

While many threats plaguing the sector have remained consistent over the years, others are evolving rapidly as threat actors develop new malware and exploit fresh vulnerabilities, posing new issues and requiring both reinforcement and change in defense tactics with each season.

**Phishing and Credential Theft**

Retailers cited recurring threats as their biggest worries this year, with phishing — which the organizations noted is a year-round concern — a significant worry that remains consistent. In 2020, nearly 20% of retailers said phishing was the most frequently shared threat among their member exchange, Slack, and the core member listserv boards, while the number was 16% in 2021, according to the report.

Indeed, the holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities, organizations noted.

Of more concern than phishing, however, is what is often a result of that threat activity: credential harvesting, which 42% and 37% say was the most-shared threat in 2020 and 2021, respectively. Retailers also worry about a rise by threat actors in the use  of info-stealers that harvest customer data purchase don hacker forums, as well as customer account takeover that typically ramps up over the holidays.

Other types of fraud involving gift cards and loyalty cards — with the former allowing threat actors to remain anonymous and thus difficult to track while shopping — will be a focus this year, as well as fraud related to returning items that were not purchased legitimately.

**Evolving Malware Landscape**

The report outlined year-over-year changes between 2020 and 2021 in retail threats linked to malware, bots, and vulnerabilities — results that demonstrate just how quickly this threat landscape in particular can evolve.

Some of these threats, such as QakBot, Emotet, Agent Tesla, and Dridex — remain a constant worry. However, others — such as Log4Shell — emerge quickly and predictably, forcing organizations to pivot in terms of defense, researchers found.

Bots in particular have risen in profile in terms of their impact on online retailers, especially over the past two years, as individuals who otherwise participate in no criminal activity began exploring ways to earn additional income as resellers of stolen information on threat actor forums, according to the report.

"These 'side hustles' support an already thriving ecosystem wherein actors have been scalping high-demand products to sell at high markups," according to the report. "The use of automation to support this activity causes significant negative side effects on the back end and can even lead to DDoS-like disruptions."

Year-over-year changes in malware and bot activity reflect how quickly this threat landscape in particular can change. For example, in 2020, the Emotet banking Trojan and its loader were the top malware threats shared by retailers — 15% and 8%, respectively — while the remote access trojan (RAT) AgentTesla earned 4% of overall mentions.

In 2021, however, AgentTesla rose to greater prominence, with 16% of mentions by retailers, while Emotet virtually disappeared from message boards, respondents said. Moreover, the now infamous Log4j debacle emerged as a threat, with 16% of mentions by retail and hospitality companies.

Retailers say they expect the most prevalent malware and bot activity this holiday season to come from QakBot, Emotet, Agent Tesla, and Dridex, according to the report.

Changes in threat activity so far this year include an increase in imposter websites, and emerging phishing attempts that are either product-focused or impersonated executives. The latter reflects a rise in socially engineered attacks that aimed to harvest credentials and bypass multifactor authentication, retailers say.

**Retail and Hospitality Defenses**

Because of the diversity of the threats the retail and hospitality sector expects to see during the holiday shopping season, the defense tactics they plan to adopt this year also are varied and must encompass both a macro and micro approach to understanding their enemies, they reported.

"Members reported focusing on understanding very specific tactics fraudsters and threat actors are using across kill chains to enhance detection and mitigation efforts," according to the report. "Understanding broad trends across the threat landscape and how they work within member environments has enabled analysts to create more effective alerting, detection, and mitigation efforts."

One tactic they are adopting is to work closely with their respective customer service departments, in part by providing customer service representatives with threat training. They also are maintaining brand protection services to help take down malicious imposter sites, as well as instituting internal fraud working groups to counter threats.

Staffing-wise, retailers and hospitality vendors cite consistency as key, with the need to ensure that those working directly to spot threats have the appropriate experience and knowledge to respond. The companies say they could implement change freezes, staffing adjustments, or other operational changes to prepare for the season, including an improvement in endpoint detection and red team operations to validate threat concerns and highlight areas for improvement, according to the report.

Among the tools and practices the companies find particularly helpful for shoring up security over the holidays: leading vendor threat intelligence platforms and cyber threat intelligence feeds; RH-ISAC community resources and sharing platforms; updated policies and plans; and partnerships with leading cybersecurity associations and nonprofit organizations for additional threat research context.

Retail Sector Prepares for Annual Holiday Cybercrime Onslaught

Call on security industry to collaborate on a standard framework to close the gap on the human element in cybersecurity.

**AUSTIN, Texas and LONDON, Nov. 8, 2022 /PRNewswire/ —** Living Security and CybSafe, today announced a new Human Risk Management Maturity Model, to serve as a standard across the cybersecurity industry including: practitioners, analysts, vendors, and thought leaders to measure the impact of human behavior on an organization's risk.

While several frameworks and maturity models exist to measure cybersecurity risk, including the National Institutes of Standard and Technology (NIST), the Cyber Defense Matrix and the FAIR methodology for IT frameworks, none are specifically designated to quantify the specific risk that human behavior creates inside organizations. The proposed Human Risk Management Maturity Model will give practitioners guidance on how to evolve into the next phase of cybersecurity to measure and change human behaviors. In doing so, organizations are able to both reduce cyber risk and empower employees, creating true cultural change inside organizations and across industries.

"The human factor is the last frontier of cybersecurity. We've focused for decades on technologies and systems, but have consistently siloed our approach to the single most important element of any enterprise security plan, the people themselves. We at Living Security believe it is time for a paradigm shift," said Ashley Rose, CEO and co-founder of Living Security. "Launching this model is our way to start a ripple that grows. This is a collective journey to continue the disruption and leverage behavioral data to effectively manage and mitigate human cybersecurity risk and create a safer world."

"There is no doubt that now, more than ever, society needs the security community to take an even more intelligent approach to managing human risk," said Oz Alashe, CEO and Founder of CybSafe. "And so as security professionals we need to come together to continue to fuel curiosity and understanding that helps us be more effective at managing the risk within our organizations. This can't be done by any one team, vendor, or group unilaterally. It's a collective effort and at CybSafe we're excited to play our part."

Eighty-two percent of breaches currently involve the human element, yet a majority of cybersecurity funding is still focused on technological interventions. We invite everyone; analysts, vendors, practitioners, and thought leaders to collectively participate in creating a model that truly helps companies of all sizes embark on the journey of human risk management.

To read and comment on the proposed Human Risk Management Risk Maturity Model go to https://humanriskmanagement.com/human-risk-management-maturity-model**.**

**About Living Security**

Living Security's mission is to transform human risk to drive dramatic improvement in human behaviors, organizational security culture, and infosec program effectiveness. With our Human Risk Management platform, Living Security engages each employee with innovative and relevant context and content, while simultaneously providing the ability for leadership to identify, report on and directly mitigate the risk brought on by human behavior. Living Security is trusted by security-minded organizations like MasterCard, Verizon, MassMutual, Biogen, AmerisourceBergen, Hewlett Packard, and Target. Learn more at www.livingsecurity.com.

**About CybSafe**

CybSafe is cloud-based software that reduces organizational risk by improving people's security decisions and behaviors. Our platform educates, nudges and provides real-time, tailored cyber assistance for users so that they can be secure in their daily digital lives. It's human risk software that helps security professionals target specific security behaviors. It also provides security behavior, culture and risk reporting metrics that allow you to pre-empt security problems. CybSafe is underpinned by a data-led model of human behavior and leverages SebDB, the world's most comprehensive security behavior database. It's designed for a modern workforce and a hybrid working environment. Learn more about CybSafe at www.cybsafe.com.

Living Security and CybSafe Propose the First Human Risk Management Maturity Model

Administrators and security teams who have lost visibility into their own networks can use DNS telemetry to home in on anomalous traffic.

**Question: How can administrators use DNS telemetry to complement NetFlow data in detecting and stopping threats?**

**David Ratner, CEO, Hyas:** For many years, DevSecOps teams relied heavily on flow data (the information collected by NetFlow and similar technology) to glean insight into events occurring within their networks. However, flow data's usefulness has waned with the shift to the cloud and increased network complexity.

Monitoring network traffic is the new big data problem. You either sample a smaller amount of flow data or incur the high costs of receiving a more comprehensive set. But even with all of the data, detecting subtle anomalous incidents (perhaps involving just one or a handful of devices and relatively low-volume traffic) that indicate malicious activity is still like looking for a needle in a haystack.

Administrators and security teams can regain visibility into their own networks with DNS telemetry. It is is easier and cheaper to monitor than flow data and can identify unknown, anomalous, or malicious domains based on threat intelligence data. These services can alert DevSecOps administrators and provide information on exactly where to look to investigate the incident. If necessary, administrators can access the corresponding flow data to get additional actionable information about the event, identify if the event is innocuous or malicious, and stop nefarious activity in its tracks. DNS telemetry solves the big data problem by letting teams more quickly and efficiently zero in on the areas that need attention.

An easy way to visualize the problem is to imagine staking out all the payphones in a neighborhood to intercept calls related to criminal activity. Actively watching each payphone and monitoring the content of each call made from each payphone would be incredibly tedious. However, in this analogy, DNS monitoring would notify you that a certain payphone made a call, when it made it, and who it called. With this information, you can then query flow data to find out additional pertinent information, like if the person on the other end picked up the call and how long they spoke.

A real-world scenario might occur like this: Your DNS monitoring system notices multiple devices making calls to a domain flagged as anomalous and potentially malicious. Even though this particular domain has never been used before in an attack, it is unusual, anomalous, and requires additional and immediate investigation. This triggers an alert, prompting administrators to query flow data for those particular devices and the specific communication with that domain. With that data, you can quickly determine if malicious activity is actually happening and, if it is, you can block the communication, cutting the malware off from its C2 infrastructure and stopping the attack before major damage is done. On the other hand, there may have been some legitimate reason for anomalous traffic, and it isn’t actually nefarious — maybe the device is simply reaching out to a new server for updates. Either way, now you know for sure.

How Does DNS Telemetry Help Detect and Stop Threats?

Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.

Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

The release of CBA in Azure AD, announced during last month's Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It's a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Further, this week, Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.

**Meeting Federal Standards**

CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden's 2021 Executive Order (14028) on Improving the Nation's Cybersecurity.

The executive order directs all federal government agencies and those it does business with to move to zero trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).

OMB's memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.

SMS phishing attacks, also called "smishing," are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. "Smishing has turned increasingly into a meaningful attack vector; I see it all the time," says Andrew Shikiar, executive director of the FIDO Alliance.

Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio's broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.

Experts anticipate such attacks will rise next year. "I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year," Shikiar says.

**Moving From ADFS to Azure AD**

Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president's executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.

Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization's public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. "What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they're supporting that natively," says Derek Hanson, VP of solutions architecture and standards at Yubico.

"This removes the last major blocker for those of you who want to move all of your identities to the cloud," said Joy Chik, president of Microsoft's identity and network access division, during a session at the company's Ignite conference.

Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. "ADFS has become a primary attack vector," she said.

Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.

"I really don't know of any organizations that are not using ADFS," Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. "I think they will likely make the migration within the next two years," he says.

**Fulfilling the Government Mandates**

During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD. "Certificate-based authentication is critical for customers in regulated industries," Chik said. But she added, "This includes US federal agencies, which must deploy phishing resistant MFA to comply with White House executive order on cyber security."

Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards. "From what I understand, Microsoft needs Azure to stay ahead of the FedGov game or risk being further being overtaken by Google, AWS and others," Simmons explains. "So, this would be necessary to demonstrate said compliance and fully integrated support."

Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure Active Directory and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.

"With Entra, they are making a significant investment in multi-cloud administrative security," Simmons adds. "Multicloud is key because they realize the world doesn't end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn't enough for some organizations, especially when it comes to the US government and defense."

**Bringing Azure AD CBA Support to Mobile Devices**

Microsoft's release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico's YubiKey. Microsoft's director of identity security Alex Weinert announced the release in a brief blog post.

"With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," Weinert wrote.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.

"CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt," said Yubico solutions architect Erik Parkkonen in a blog post. Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.

Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft's latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.

Microsoft's Certificate-Based Authentication Enables Phishing-Resistant MFA

In the nearly two years since the company discovered the cyber intrusion, SolarWinds has fundamentally rearchitected its development environment to make it much harder to compromise, CISO Tim Brown tells Dark Reading.

The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company's alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach at the company.

If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide "other equitable relief" for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.

SolarWinds disclosed the SEC's potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called "Wells Notice" from the SEC noting that the regulator's enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice basically notifies a respondent about charges that a securities regulator intends to bring against a respondent, so the latter has an opportunity to prepare a response.

SolarWinds maintained that its "disclosures, public statements, controls, and procedures were appropriate." The company noted that it would prepare a response to the SEC enforcement staff's position on the matter.

The breach into SolarWinds' systems wasn't discovered until late 2020, when Mandiant found that its red-team tools had been pilfered in the attack.

**Class-Action Settlement**

Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company had misled investors in public statements, about its cybersecurity practices and controls. The settlement would not constitute any admission of any fault, liability, or wrongdoing over the incident. The settlement, if approved, will be by paid by the company's applicable liability insurance.

The disclosures in the 8-K Form come nearly two years after SolarWinds reported that attackers — later identified as Russian threat group Nobelium — had breached the build environment of the company's Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was later pushed out to the company's customers as legitimate software updates. Some 18,000 customers received the poisoned updates. But fewer than 100 of them were later actually compromised. Nobelium's victims included companies such as Microsoft and Intel as well as government agencies such as the US departments of Justice and Energy.

**SolarWinds Executes a Complete Rebuild**

SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn’t again. At the core of the company's new secure by design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder — and nearly impossible — to carry out.

In a recent conversation with Dark Reading, SolarWinds CISO Tim Brown describes the new development environment as one where software is developed in three parallel builds: a developer pipeline, a staging pipeline, and a production pipeline. 

"There's no one person that has access to all of those pipeline builds," Brown says. "Before we release, what we do is we do a comparison between the builds and make sure that the comparison matches." The goal in having three separate builds is to ensure that any unexpected changes to code — malicious or otherwise — don't get carried over to the next phase of the software development life cycle. 

"If you wanted to affect one build, you would not have the ability to affect the next build," he says. "You need collusion amongst people in order to affect that build again."

Another critical component of SolarWinds' new secure-by-design approach is what Brown calls ephemeral operations — where there are no long-lived environments for attackers to compromise. Under the approach, resources are spun up on demand and destroyed when the task to which they have been assigned is completed so attacks have no opportunity to establish a presence on it.

**"Assume" a Breach**

As part of the overall security enhancement process, SolarWinds has also implemented hardware token-based multifactor authentication for all IT and development staff and deployed mechanisms for recording, logging, and auditing everything that happens during software development, Brown says. After the breach, the company in addition has adopted an "assumed breach" mentality of which red-team exercises and penetration testing are an essential component.

"I'm in there trying to break into my build system all the time," Brown says. "For example, could I make a change in development that would end up in staging or end up in production?" 

The red team looks at every component and service within SolarWinds' build system, making sure that the configuration of those components are good and, in some cases, the infrastructure surrounding those components is secure as well, he says.

"It took six months of shutting down new feature development and focusing on security alone" to get to a more secure environment, Brown says. The first release SolarWinds put out with new features was between eight and nine months after breach discovery, he says. He describes the work that SolarWinds has put in to bolster software security as a "heavy lift" but one that he thinks has paid off for the company. 

"They were just major investments to get ourselves right \[and\] reduce as much risk as possible in the whole cycle," says Brown, who also recently shared key lessons his company learned from the 2020 attack.

Source

DARKReading