According to the FBI and Internet Crime Complaint Center, 25% of ransomware complaints involve healthcare providers.

While ransomware groups have not spared any industry, attackers have put the healthcare sector at the top of their preferred targets. The surge in hospitals falling victim to breaches has raised concerns among regulators and government officials who have moved to push through new policies and legislation.

CommonSpirit, one of the largest nonprofit healthcare systems in the US, posted a privacy breach notice on Dec. 1, warning that 623,774 patient records were exposed after a breach on Sept. 16. The nationwide network of 140 hospitals and over 1,000 care facilities in 21 states confirmed that ransomware attackers accessed the patient records, but said there is currently no evidence that personal information was misused. The potentially affected patients were those treated at CommonSpirit’s Franciscan Medical Group and Franciscan Health in Washington. The four hospitals are now known as Virginia Mason Franciscan Health, a CommonSpirit affiliate.

The current spike builds on last year's 35% increase in overall attacks on healthcare providers compared with 2020, according to Critical Insight, a managed detection and response (MDR) service provider. According to Critical Insight, cyberattacks on healthcare providers affected 45 million individuals last year, compared with 34 million in 2020 and 14 million in 2018.

In October, the FBI Internet Crime Complaint Center (ICA) reported that among 16 critical infrastructures, the healthcare and public health sector accounts for 25% of ransomware complaints. The US Department of Health and Human Services (HHS) in April issued a warning about Hive, an aggressive ransomware group that has targeted healthcare organizations.

The HHS Health Sector Cybersecurity Coordination Center (HC3) noted that Hive is known to have been in operation since June 2021, and "in that time has been very aggressive in targeting the US health sector."

Another recent hacker group to emerge that is targeting healthcare providers with ransomware is Daixin Team. In October, HHS joined the Cybersecurity and Infrastructure Agency (CISA) and the FBI with an advisory warning that Daixin Team is actively pursuing healthcare providers with ransomware that uses Babuk Locker, source code that encrypts files in VMware EXSi servers.

Daixin Team's ransomware encrypts healthcare providers' electronic health records, diagnostics, imaging, and intranet services, according to the advisory. The group has also exfiltrated personally identifiable information (PII) and patient health information (PHI) and has extorted ransoms by threatening to release that data.

**Impact of Ransomware on Healthcare**

During the Disruptive Innovators CIO Forum in New York earlier this month, a conference focused on emerging technology for the healthcare industry, a panel discussion addressed the surge in ransomware. "Ransomware is now probably the No. 1 security issue for most healthcare organizations today," said Christopher Kunney, SVP of digital innovation at Divurgent, an IT advisory firm for healthcare organizations.

Kunney, one of the panelists, warned ransomware will remain a growing threat in healthcare "as we expand the footprint outside the four walls of the hospital and we look at things like virtual care, and other technologies that can now sit on top of our network infrastructure."

Saket Modi, who moderated the panel and is co-founder and CEO of Safe Security, noted that one of the first known deaths attributed to ransomware, a newborn in Alabama, occurred last year. "A ransomware attack is no longer just financial and reputational; it can have an actual impact to the life of people," Modi said. Besides the risk of data exfiltration, ransomware attacks are a risk to the delivery of patient care, especially when attackers access systems responsible for keeping patients alive.

"We have to realize that cybersecurity isn't just about data security; it's also a matter of life and death," added Michael Archuleta, CIO of Mt. San Rafael Hospital and Clinics in Trinidad, Colo.

Noting that COVID forced healthcare providers to accelerate their digital transformation efforts in recent years, many organizations haven't adequately addressed the security risks associated with the implementation technology and systems that are now accessible.

"We're living in the digital age of healthcare, and we need to start incorporating initiatives technology outcomes that better enhance our overall experience and better enhancing patient outcomes, but also keep secure the entire organization moving forward," Archuleta said.

**Healthcare Cybersecurity Act of 2022**

Looking to stem the mounting attacks, Rep. Jason Crow (D-CO) sponsored the Healthcare Cybersecurity Act. The bill, introduced in September, would require CISA to collaborate with HHS to improve cybersecurity in the healthcare industry.

According to the bill's summary, CISA and HHS would provide resources "including cyber-threat indicators and appropriate defense measures, available to federal and nonfederal entities that receive information through HHS programs."

The bill also calls for CISA to provide cybersecurity training and remediation strategies to those who own or provide health care services. Archuleta, the CIO of Mt. San Rafael Hospital and Clinics, said that 91% of targeted ransomware attacks came from phishing emails directed at employees, many of whom haven't received adequate training. "We are not focusing on developing a human firewall within our organization," he said.

Meanwhile, Senator Mark Warner (D-VA) published a policy options white paper that details existing cybersecurity threats and potential responses from the federal government. The paper draws on Warner's staff and cybersecurity experts' research and a broad set of options for the federal government to collaborate with healthcare providers to improve their cyber protection capabilities and a blueprint for recovering from attacks.

"The healthcare sector is uniquely vulnerable to cyberattacks, and the transition to better cybersecurity has been painfully slow and inadequate," Warner said in a statement. "The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities."

Healthcare Providers and Hospitals Under Ransomware's Siege

This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.

Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:

1.  **Protection:** When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
2.  **Detection:** Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
3.  **Response:** The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
4.  **Automation:** Next they'll focus on making everyone's life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.

You may have seen or experienced this kind of four stage evolution yourself. But there's a much rarer _fifth stage_ that is reached much later in a CISO's career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to _their_ territory ... they become restless. They get tired of waiting for their enemies to strike.

The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.

**Leaving the Comfort Zone**

The demarcation point is traditionally where everything becomes "somebody else's problem." If anything breaks or gets hacked, it isn't on the company's dime.

At least, that's how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company's bank, or on utility providers might as well be an attack on your turf.

Most importantly, social engineering and fraud ignore internal demarcations entirely! They don't respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees' social media to gain leverage, they won't hesitate.

But what can be done? Your tools, your monitoring ... absolutely everything you've built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?

Part of the proactivity that comes with stage five of a CISO's career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.

Now you're in what Tom Petty once called "The Great Wide Open." The bad news is that your activities are more exposed out here. The good news? You aren't alone.

**Resources for Fraud Prevention Beyond the Demarcation**

In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.

But there are some newer kids on the block that can help you on your hunt. PortSwigger's BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.

But those are all solutions on the technical side, and fraud isn't always technical. To hit fraudsters where it hurts, you need to embrace the human element.

**A Global Defense Effort**

One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human's entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.

Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there's a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.

**What Do You Do When You Catch Something?**

All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?

When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you've done everything above board and with their permission, this isn't a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.

Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.

When CISOs Are Ready to Hunt

It's time companies build a multilayered approach to cybersecurity.

As global cyberattacks continue to become more sophisticated, so should corporations' risk mitigation strategies. Of these high-stakes attacks, financial motivation is the most common reason for cybercriminals to target businesses, with the IBM "Cost of a Data Breach" report finding that the average breach in 2022 cost organizations up to $4.35 million in damages. With consequences this detrimental to business, it's critical that companies build a multilayered approach to cybersecurity with a number of experts involved to ensure effective prevention, detection, and response to cyber threats.

To create the most effective cyber-risk prevention and recovery team, companies must leverage financial and technology talent to collaborate on prevention strategies. While cybersecurity professionals focus on the who, what, where, and how of a potential breach, accountants can monitor the potential impacts to a corporation's funds and controls to determine priority functions and vulnerable financial business data that need safeguarding. This is typically done most effectively by forensic accountants who are trained in auditing and investigating risk factors within the finances of individuals or businesses. When these two roles find synergy, they can combat even the most complex of corporate cybercrimes.

Here are some of the ways these professionals can effectively work together to prevent and recover from highly intelligent attacks on financial data.

**Prevention**

Proper prevention of financial cybercrimes takes a diversified skill set, tapping into financial and IT specialties to create the strongest possible defenses against breaches. For cyber professionals, this includes identifying and closing gaps in internal controls and technologies, and implementing the proper safeguards — from two-factor authentication programs to file encryptions and more. Meanwhile, forensic accountants are well-versed on corporate finances and have the ability to detect the misappropriation of funds before losses are incurred.

Cyber professionals are also invaluable assets to financial teams in alerting them to new threats as the digital landscape changes so that proper preventative measures can be implemented. For example, there is a new trend of hackers using Meta business accounts as an entry point to breach financial information. This typically involves the stealing of customer credit card and bank information when they make transactions through the social media platform.

Obviously, suffering from an attack of this kind can lead to a damaged reputation, monetary consequences, and a loss of consumer trust. Establishing open lines of communication between cyber professionals and those in charge of monitoring business transactions can mean that forensic accountants know what threats they need to be wary of and can make business decisions that are in the best interest of their clients and customers. Also, it can ensure quicker detection of odd transactional activity for early intervention.

Instituting safeguards to proactively defend financial information — and consistently reviewing and updating them — can help to keep corporate funds safe in an era where sophisticated cybercriminals can steal financial information at the click of a key.

**Recovery**

Even the best laid plans can fail, especially when the enemy continues to get smarter and stealthier as technology evolves. That's the case when it comes to cybercrime, so planning to fail is just as important as working to avoid failure.

Collaboration between cybersecurity professionals and forensic accountants can ensure that swift, immediate defenses are deployed when an attack is executed and that the damage to a business's financial bottom line is as minimal as possible.

In the event of a breach, these professionals must work together to block the attacker and protect as much data and capital as they can. For example, a seasoned forensic accountant brings experience and knowledge of the many forms of corporate fraud, as well as the necessary steps to employ investigative techniques to spot trends and outliers in large data sets as they develop. Immediately upon noticing suspicious activity, they can alert their company's cyber team to quickly employ a variety of techniques to close the digital path to systems while they investigate.

While losses are not ideal, they are difficult to avoid once a cybercrime is effectively executed, even if it was caught and stopped quickly. Post-incident, it is the task of forensic accountants to calculate potential losses, assess and disclose accounting requirements, and assist the cyber team with evidence collection for insurance claim purposes.

Generally, forensic accountants and cybersecurity professionals have the same goal: to safeguard important information. When they use their unique skill sets to collaborate effectively, a corporation has the best chance of evading the consequences of a devastating cyberattack.

Why Cyber Pros and Forensic Accountants Should Work Together to Mitigate Security Risk

Will the bottom falling out of the cryptocurrency market have a profound impact on cybercriminal tactics and business models? Experts weigh in on what to expect.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cybersecurity world is, how will this rapid decline of cryptocurrency valuations change the cybercrime economy?

Throughout the most recent crypto boom, and even before then, cybercriminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cybercriminal enterprises.

Even so, according to cybersecurity experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

**Shifting Crypto Trends & Tactics in 2022**

Regardless of crypto values, cybercriminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetize their attacks, says Helen Short, cyber-threat intelligence analyst for Accenture, who points to the use by some ransomware groups taking advantage of yield farming within decentralized finance (DeFi), as an example.

"The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid," she explains. "The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it."

Her analysis has shown that threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. She says that in many ways, the downturn in crypto values has increased the risk appetite of cybercriminals and is spurring them into more investment fraud and cryptocurrency scams.

"Threat actors are also playing on people’s desperation to recoup their losses," she says.

While some consumers who have lost their wallet value may be desperate, others have simply lost their interest and aren't watching their accounts as closely, which is driving another trend, says Brittany Allen, trust and safety architect and fraud researcher at Sift.

"Plummeting crypto prices have led to consumers paying less attention to their crypto wallets than they were early this year and in 2021, and fraudsters noticed," Allen says. "This has led to a 79% rise in crypto account takeover attacks."

By point of example, she explains that her team discovered a new type of crypto cash-out scam this year on Telegram and Dark Web forums, where account takeover fraudsters teamed up to target the crypto market during the crash.

"In this scheme, cybercriminals use stolen wallets, bank accounts, or crypto exchange accounts to move or launder illicitly obtained funds. Fraudster A will advertise their access to stolen funds on Telegram, then find another fraudster who specializes in crypto account takeover and KYC (know your customer identity verification) bypass methods," she says. "Once Fraudster B offers access to stolen wallets or crypto exchanges, Fraudster A sends the stolen funds to Fraudster B’s accounts, where they funnel the money out and split the profits. Each party takes a risk trusting the other, but if successful, they stand to make tens of thousands of dollars each."

This is in line with another shift in cybercriminal tactics in 2022 that Short says she's witnessed. It's not necessarily a response to cryptocurrency devaluation, but it is a business model shift to maximize revenue.

"We're seeing threat actors partnering together to facilitate an attack, rather than paying each other for their specialist services. This reduces the overall cost of the attack as the agreement is a set cut of the proceeds," she says.

**Ransomware Is Here to Stay**

One point that cybersecurity pundits are almost unanimous on is that even with a ton of cryptocurrency volatility, ransomware isn't going anywhere. There was a slight downturn in ransomware activity in 2022, but according to Aamil Karimi, threat intelligence analyst at Optiv, that's more attributable to other variables like the war in Ukraine. 

There was some significant regrouping of ransomware cartels that were more likely to result in the decline of activity than anything else, and he says cryptocurrency will still be a favored extortion demand for a long time.

"It’s likely cryptocurrency will still be the payment of choice demanded in extortionary incidents. As of right now, it’s the safest medium for cybercriminals to conduct transactions," Karimi says. "I don’t estimate any slowdown in cybercriminal or extortionary activity."

Bob Rudis, vice president of data science for GreyNoise Intelligence, agrees. There are simply too many soft ransomware targets ripe for attack for criminals to ignore, Rudis says. And it's not as if they lose any money with lower values of the currency since they are the ones setting the ransom, and they're likely going to convert it into tangible funds before further volatility impacts the total.

"Attackers care not if they receive one or a hundred units of a given cryptocurrency when asking for, say, $100,000 USD," Rudis says. "They have the means, markets, and processes to convert any ill-gotten crypto gains into something more tangible, and will likely always be one step ahead of law enforcement and market regulators." 

In spite of headline stories about authorities using crypto mechanisms to hurt adversaries financially, Rudis says there are "still real law enforcement hurdles to curb that flow," which is why he believes cryptocurrency will still be heavily used for cybercriminal money laundering for some time to come.

Not everyone sees it the same way, though. Short of Accenture points out that law enforcement this year has increasingly taken a real bite out of the crooks' bottom line through claw-back transactions, seizures, and more.

"Law enforcement took aggressive measures in 2022, including fund seizures, sanctions, and high-profile arrests," she says. "It is becoming harder to launder and cash out illicit funds, resulting in the trend of threat actors exchanging ‘dirty cash’ for other services as they cannot get the illicit funds out."

Ryan Kovar, distinguished strategist and leader of Splunk's SURGe research team, also points out that perhaps the cybercrime impact of the crypto crash of 2022 will have less to do with a potential future divestment of cryptocurrency in cybercriminal enterprises than it will with changes in the crypto market's perceived anonymity.

“Ransomware gangs are going to move away from cryptocurrency not because of financial instability, though that’s a factor, but more due to the traceability," Kovar says. "Ultimately, crypto is not really anonymous."

He adds, "If you’re a criminal who lives in a country that supports, sponsors, or doesn’t care about cybercrime, then you’re probably not getting prosecuted easily unless you really tick people off.” 

**Evolution to Expect in 2023**

Experts also believe that increased law enforcement friction will likely influence an evolution in cybercriminal operations around other types of attacks beyond ransomware. Especially proven ones that already don't depend on cryptocurrency, like business email compromise (BEC).

"The FBI's annual IC3 report \[PDF\] shows business email compromise (BEC) to be top of the list when it comes to attackers banking fiat coin. Advanced technology that mimics writing, speech, and even live video of humans is now almost trivial to use and will evolve rapidly in quality," GreyNoise's Rudis says. "Ransomware groups are, first and foremost, businesses, and it would seem logical to assume they'd apply their technical skills to conduct more advanced BEC schemes as well. 

In the meantime, attackers will also be likely to keep advancing technology to stay a step ahead of the authorities with regard to traceability and laundering.

"Attackers will become more sophisticated, breaking the sequence of blockchain transactions to try and obfuscate their illicit funds," Short says. "We will likely see a professionalization in cryptocurrency mixers, such as Tornado cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

She believes that in 2023, this could drive up the value of personally identifiable information (PII), as it will further push the demand for account takeovers to create mule accounts for cashing out on the back end of various scams.

"It is likely that cybercriminals will continue to convert to stable assets to secure value," she says, "and we will see an increase in threat actors using more privacy focused cryptocurrencies that are harder for law enforcement to trace."

Will the Crypto Crash Impact Cybersecurity in 2023? Maybe.

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

Security teams are considering how to get the most out of user entity behavioral analytics by taking advantage of its strengths and augmenting its limitations.

Rogue insiders and external attackers have become a growing concern in enterprise business applications.

External attackers leverage stolen credentials to impersonate an insider and connect to applications, while at the same time insiders are not sufficiently monitored in SaaS and home-grown applications. This poses a risk from employees and admins who might misuse and engage in malicious activities.

Detection solutions for users, networks and devices are based on two main technologies: rules and patterns that define illegal or malicious behavior; and statistical volumetric/frequency methods based on averages and standard deviations of activities, such as the number of logins or number of emails.

These technologies are often referred to as user entity behavioral analytics (UEBA). They set baselines for average, standard deviation, median, and other statistical metrics, and then detect abnormal values using these baselines.

**Users Don't Always Follow Rules**

Doron Hendler, co-founder and CEO of RevealSecurity, says rules and UEBA have been effective due to major commonalities in the network, device, and user access layers: The market by and large uses a limited set of network protocols and a handful of operating systems.

"However, when it comes to the application layer, UEBA has failed due to the vast dissimilarities between applications," he says.

Hendler explains that over a decade ago, the security market adopted statistical analysis to augment rule-based solutions to provide more accurate detection for the infrastructure and access layers.

"However, UEBA failed to deliver as promised to dramatically increase accuracy and reduce false positive alerts due to a fundamentally mistaken assumption: that user behavior can be characterized by statistical quantities, such as the average daily number of activities," he says.

He argues this mistaken assumption is built into UEBA, which characterizes a user by an average of activities. "In reality though, people don't have average behaviors, and it is thus futile to try and characterize human behavior with quantities such as 'average', 'standard deviation', or 'median' of a single activity," he says.

**UEBA Only Works With the Right Data**

David Swift, principal security strategist at Netenrich, says too many companies go into UEBA without changing their thinking about how security event management should work.

"Before ever talking to a vendor, a customer should identify the most important data to the business — these will indicate log data needed — and define the use cases that would constitute a threat, which define the individual indicators and triggers used to build content," he says. Then they must build models that correlate multiple events and multiple correlations for positive confirmation.

"UEBA only works with the right data," Swift adds. "Most failed implementations never pulled in identity data, or key applications. Without identity, there is no 'user' in UEBA. Without application events, it's still solving the same old problem — malware detection."

From his perspective, UEBA is highly successful when a company-critical application and IAM data are included in the deployment.

"When a new business-critical application is analyzed for anomalies, the value to the business when we find insiders and compromised accounts is high," he explains. "When UEBA is used as better malware detection and new data sources aren't used, it's destined to fail."

Relative to false positives, which UEBA is supposed to help reduce, Swift adds that anomaly-based rules were never meant to have zero false positives.

"Threat chains were always meant to combine multiple indicators into a model with low false positives," he explains. "It's always been about models that link multiple indicators together, if we're going to reduce false positives." He adds that when done well, threat chains do yield a low (roughly 3%) false-positive rate.

**Use Cases for UEBA**

Mike Parkin, senior technical engineer at Vulcan Cyber, says that UEBA can be successful in cases where the user's behavior is very consistent.

For example, with call center personnel, who work from specific locations at specific times, changes in their behavior are obvious.

"On the other hand, people who work in the field, such as salespeople visiting customers, are much more difficult to predict," he says.

Although he says he doesn't think the assumption of individuals possessing "average behaviors" is entirely mistaken, the margin of error for people's behavior is "very, very" broad.

He notes some characteristics, such as typing cadence, can be very distinct, but work patterns, including locations and resource access, can be much more variable. "Keeping UEBA applications focused on the kind of behaviors they can accurately predict will make them more effective, as will the applications themselves improving their analytics to better predict a broader range of behaviors," he adds.

From Swift's perspective, there is no "average" — there is only learned behavior and anomalous behavior.

"People are creatures of habit," he says. "Learning what's unique about a user or a machine isn't hard."

In database terms, this means building a second database outside of the events. SQL statements like "select from where unique" identify normal events; then they must be counted and summed up.

"It's pretty simple to build behavior profiles, and they do work," Swift says. "Peer anomalies — you did something others like you don't do — are a bit less cut and dry, and many are snowflakes. But even with peer groups like title and department, most fall within the norms."

Parkin points out not every UEBA application is created equal and there is a lot of variation in effectiveness between them, even within the same application as it looks at different aspects of behavior.

"Overall, \[UEBA\] can be a valuable addition to the stack, but it's not a silver bullet that can magically identify every threat," he says.

How to Get the Most out of UEBA

Inaccurate information from data brokers can damage careers and reputations. It's time for US privacy laws to change how law enforcement and legal agencies obtain and act on data.

"Predictive policing" sounds like something from the plot of the movie _Minority Report_. However, it's a very real practice that relies heavily on data collected and disseminated by two of the largest data brokers in the United States — RELX and Thomson Reuters.

When we talk about big data, we tend to focus on companies such asAmazon, Equifax, Experian, Google, and Meta (formerly known as Facebook). These are mostly companies that commercialize data for marketing efforts, business decisions, product insights, and financial reasons. RELX and Thomson Reuters operate a little differently. These data giants broker data access, analytics tools, news, and research to libraries, scientists, large corporations, law enforcement, and other government agencies.

They are sometimes referred to as "law enforcement data brokers" due to the breadth of information they make available to legal and law enforcement agencies. Unfortunately, this is also a major point of contention with the public.

**What Do Law Enforcement Data Brokers Do?**

Law enforcement data brokers have used technology to expand the scope of public surveillance far beyond traditional surveillance means. While RELX and Thomson Reuters are secretive about their data-collection resources, there are many obvious information veins, including court records, news collections, research studies, and any information you make public that they feel is valuable.

It's not just the massive amount of data they have on every one of us that's a problem, it's also how they analyze this data to make human risk predictions. The information they combine uses past activities, legal records, personal associations, and even ZIP codes to determine the risk that a person will break the law or conduct illegal activity. It's effectively high-tech profiling, and often perpetuates systemic racism.

These data brokers also provide vast amounts of information to the US Immigration and Customs Enforcement (ICE) Agency, which it then uses to target immigrants. This has led to a collective public outrage that has produced petitions, lawsuits, and increased interest in how law enforcement and the government obtain and use data.

**Law Enforcement Has Found a Workaround to Data Privacy Laws**

Many of us are aware that we, as Americans, have a right to privacy. And there are laws that prohibit law enforcement and government agencies from gathering and using our data under most circumstances. However, these laws say nothing about them buying this data access from third parties.

Since the government isn't collecting and processing this data itself, these agencies can skirt federal privacy laws, operating in a legal gray area.

While we all deserve to live in a safe environment, we also deserve to not have our privacy violated and data used to inform legal opinions about our potential for certain actions.

**The Data They're Using Isn't Always Accurate**

It's unsettling to imagine that information being used to assess the risk you pose isn't necessarily accurate. It's not just related to law enforcement targeting; it's also related to any legal decisions. Custody decisions, civil suit outcomes, insurance decisions, and even hiring decisions can all be influenced by the RELX-owned LexisNexis system, which gathers and aggregates data.

Unfortunately, there's little recourse for someone who was unfairly treated due to a data-based risk assessment because people are rarely privy to the way these decisions are made. So, a corporate HR manager or Family Court judge could be operating off bad or incomplete data when making decisions that could effectively change lives.

RELX and Thomson Reuters have disclaimers freeing them from liability for inaccurate data, which means your information could be mixed in with someone else's, causing serious repercussions in the wrong circumstances.

In 2016, a man named David Alan Smith successfully sued LexisNexis Screening Solutions when the company provided his prospective employer with an inaccurate background check. LexisNexis failed to make sure that Smith's middle name was the same across all the data, resulting in the reporting of a criminal history that was not his. Smith's potential employer withdrew its job offer based on this report, showing just how significantly bad data can impact someone's life.

Fortunately, the courts held LexisNexis accountable for this gross negligence, but this is not always the case.

**How Can We Stop This Misuse of Data?**

Because privacy laws are still young and poorly structured in the US, the best recourse is to be knowledgeable and vocal. There are online petitions and organizations that are working to change how law enforcement and legal agencies obtain and act on data.

Hopefully, with enough public support, we can push legislators to act. Every person has a right to be in control of their own data. Any entity that threatens that right should be held accountable, and protections need to be put in place to prevent it from continuing to happen.

The Threat of Predictive Policing to Data Privacy and Personal Liberty

A variety of initiatives — such as memory-safe languages and software bills of materials — promise more secure applications, but sustained improvements will require that vendors do much better, researchers agree.

Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

At the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers. 

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

"Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?" he says. "You've stripped away those protections and defenses."

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

**The Software Supply Chain's Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4jcomponents were vulnerable versions.

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs, with the average company using 15,600 APIs, and traffic to APIs quadrupling in the last year.

This increasingly cloudy infrastructure makes users' human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

"The unfortunate truth is that no matter what is happening in the enterprise and how well you lock it down and secure it, there is opportunity to attack the users," he says. "With ransomware and malware, phishing and scams, even if the back end is secure, they can take advantage of the user."

****Cyberthreats Against Applications Only Loom Larger**

To see an example of how little progress cybersecurity has made in the past three decades, companies do not have to look further than phishing. The social engineering technique has been around for almost as long as email, yet the vast majority of companies (83%) have suffered a successful email-based phishing attack in 2022. Phishing easily leads to credential harvesting and then to compromises of Web applications and cloud infrastructure.

The simple technique can bypass multiple layers of application security and give attackers access to sensitive data, systems, and networks, Daniel Cuthbert, global head of cyber security research at Banco Santander, said at this month's Black Hat Europe security conference.

"You should be able to click on something and not have it push a reverse shell out to somebody else," he lamented. "Is it that hard to ask?"

Attackers are also focusing on targeting applications in ways that get by many of the security controls that are operating at the edge of the network.

At the Black Hat Asia conference in May, researchers outlined ways to sneak attacks past web application firewalls (WAFs) to deliver malicious payloads to otherwise-protected applications and their databases. In December, cybersecurity firm Claroty demonstrated more general attacks using JSON to bypass five major WAFs, including those of Amazon Web Services and Cloudflare. In the same month, a pair of researchers used a vulnerable version of Spring Boot to bypass Akamai's WAF.

Companies have to be more tactical about how they rely on WAFs, says Akamai's Lauro. So-called "virtual patching" — when the WAF is used to block the exploit of vulnerabilities that are not yet, or cannot yet be, patched — is an important capability. Yet, too many companies use WAFs to protect poorly designed applications, he says.

"You need to identify how that vulnerability could be attacked from the Internet, and virtual patches helps there, but once you are inside the network, the first thing I'm going to do as an attacker is look for some of these zero-days and use them to move laterally," he says.

**Future AppSec Requires Innovation**

Efforts to protect the fundamental components of software by securing the software supply chain will be a key source of innovation in the near future. These advances take time to implement and are not silver bullets, but they can result in far more robust software development and end product, experts say.

Providing developers more information about the components they import into their own software through systems like Scorecard, for example, has significant security benefits. Scorecard checks a variety of software project attributes, such as whether there are binary code included in the software, have dangerous development workflows, or has signed releases. Just that information can determine whether a project is vulnerable with 78% accuracy, according to the Open Software Security Foundation (OpenSSF).

Sigstore, which allows each software component to be signed, is another technology that will help developers understand and secure their supply chains, says John Speed Meyers, principal security scientist at Chainguard, a software security firm.

"A key building block for preventing software supply chain compromises is the widespread use of digital signatures," he says. "This helps reduce the chance of software supply chain compromises and reduce the blast radius when they do happen."

**Companies Can Make Cyber-Secure Application Choices**

While those advances in the software development process can result in more secure software, the choice of language can make a significant difference as well. Memory-safe languages can all but eliminate pernicious classes of software flaws, such as buffer overflows and use-after-free vulnerabilities. 

Google, for example, found that the use of memory-safe languages, such as Java and Rust, rather than C and C++ resulted in lowering the number of vulnerabilities from 223 to 85 over three years.

Companies need to give developers more support and leeway in selecting secure tools and frameworks, not just focus on productivity and features, says Sonatype's Fox.

"There is a new reality that companies need to wake up to and deal with, and that is that the developers at the end of the day are the ones that have to make these changes, and the organizations need to recognize their problems and support them," he says. "Developers are finding their own tools, and they know that's a problem, but they are not getting the support from the company, so even in a world where developers want to do the right thing, their companies are holding them back."

At the executive level, companies also need to be using their buying power to focus on holding their vendors accountable for security of their products, Banco Santander's Cuthbert said during his Black Hat Europe keynote.

"When we look at buying product, and we look at buying software, the reality is that we have zero input to make sure that those vendors, those products are secure," he said. "We just don't have that power and we don't have meaningful influence."

Internet AppSec Remains Abysmal & Requires Sustained Action in 2023

A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.

A high-severity security vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of nefarious code into cloud production environments.

The Kyverno admission controller offers a signature-verification mechanism designed to ensure that only signed, validated container images are being pulled into a given Kubernetes cluster. This can ward off any number of bad outcomes, given that boobytrapped container images can contain payloads as varied as cryptominers, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more.

However, the bug (CVE-2022-47633) can be exploited to subvert that mechanism. "The vulnerability enables an attacker … to inject unsigned images into the protected cluster, bypassing the image verification policy," explained researchers at ARMO, in a blog post on Dec. 21. The stakes are high: The attacker can effectively take control of a victim’s pod and use all of its assets and credentials, including the service account token to access the API server, they warned.

"The vulnerability enables a complete bypass of image signature verification. In the case of a Kubernetes cluster, this gives an attack a wide range of targets. Any workload can mount cluster secrets and data volumes," Ben Hirschberg, CTO and co-founder of ARMO, tells Dark Reading. "This means the attacker can inject code that can steal data and credentials from the Kubernetes cluster of the victim. This also enables the attacker to inject his/her own code and use the CPU of the victim for things like cryptocurrency mining."

**Inside the Bug: Subverting the Container Admission Controller**

When a new workload, defined via an image with a tag, is requested from a Kubernetes API server, the API server asks the Kyverno admission controller to validate the new workload. To determine whether a workload can be admitted to the cluster, the admission controller requests the image manifest and a signature from the container registry.

If they check out, the image gets the green light, and the container runtime starts a new workload based on said image.

The vulnerability arises because the controller's signature validation process downloads the image manifest twice — but only verifies a signature for one of the downloads, according to the advisory.

Thus, the attack looks like this: An administrator is social-engineered into pulling a container image from a malicious registry or proxy. When the image is first imported, the malicious registry returns a valid, benign, signed image to the admission controller. So far, so good.

However, then the admission controller requests the manifest of the signed image for a second time, to get the digest for mutation — i.e., to update the container's human-readable tag. This time, no signing validation occurs, allowing the malicious registry to return a different, unsigned and malicious image, which is ultimately the one that is spun up and run.

"This is a classic example of a \[time-of-check-to-time-of-use\] TOCTOU problem that allows the attacker to pull a bait-and-switch," according to ARMO's analysis. "Since the image manifest which will eventually be used is not the same as the one which was verified, this enables the attacker to trick the client."

The vulnerability was introduced in version 1.8.3 and was fixed in version 1.8.5; Kyverno users should update as soon as possible. The patch ensures that the same image hash is used to change the workload specification as was used to verify the signature.

This specific vulnerability affects only Kubernetes with Kyverno, but other image signature verification tools need to take care not to be vulnerable to the same method, Hirschberg warned.

**Social Engineering a Malicious Container Attack**

To carry out a real-world attack, threat actors can use either compromised accounts on existing registries to host malicious images, or they can establish their own private container registry and then set about convincing an admin to trust it.

From a practical standpoint, "creating a malicious registry for an experienced attacker is not a challenge," Hirschberg says. "An attacker can take any open source registry software, make some minor modifications to make the attack work, and run it in the cloud under a custom domain."

The next step is to convince an admin to trust the malicious container, which is also not that difficult. Container images from third parties are often used to spin up ready-made applications, in much the same way that app developers source prebuilt code blocks from open repositories like npm — the idea is to not have to reinvent the wheel for common functions and utilities.

Hirschberg notes that only a fraction of Kubernetes users have strictures on where they can pull container workloads from, so cloud admins are not likely to be immediately on their guard when it comes to using third-party registries — particularly if they have image signature verification in place.

"The attacker could go phishing and publish in multiple forums a notification that there is a new version of software XYZ, and here are the Kubernetes YAML or Helm to run it," he explains. "Since some people feel protected by image signature verification, their guard would be down and would not be afraid to run the image."

**Container Security: A Rising Concern**

Containers are a good target for cybercriminals because they mostly run in the cloud with access to plenty of computational resources, which are precious and expensive, Hirschberg points out — so, this enables attackers to steal computational resources and data, while also going unnoticed for a relatively long period of time.

"We don’t have exact statistics, but it is very clear that with the wide adoption of containers, this is becoming a more prevalent issue," he says. "Security teams are learning how to handle them, and Kubernetes in general. I don't think that it is a true 'blind spot,' but container security teams are still learning the whole environment with many neglected areas."

With the adoption of image signature verification still in its early stages, admission controllers represent one of those potentially neglected areas. But they're also part of a broader conversation about supply chain software security, that should be put in the spotlight.

"The SolarWinds attack showed the world how sensitive this issue is when it comes to trusting the security of external code," Hirschberg says. "Kyverno is among the first security tools to implement signature validation, and with new features can come new bugs. Hopefully, this finding makes this a more secure mechanism and will help the industry to overcome the problem of verifying software in Kubernetes."

Source

DARKReading